In October 2023, 72 local authorities in southern Westphalia, Germany, suffered an IT meltdown. During the night, hackers attacked the communal IT service provider using ransomware. In addition to the administrations, the systems at schools also failed. The trade fair company Messe Essen suffered a similar ransomware attack: cyber criminals hijacked its ticket store and stole personal data such as addresses and email addresses. An effective security network can take the fear out of serious ransomware attacks.
Ransomware: the definition
Its name already explains what makes ransomware so dangerous: this malicious software (malware) blocks access to computer systems or files until a payment (ransom) is made. The software normally encrypts the files on the victim’s device so that they are no longer accessible. To obtain the decryption key for the captured data, companies, authorities or organizations have to pay the hackers a ransom.
What makes ransomware so dangerous?
According to the German Federal Office for Information Security (BSI), there were more than 2,000 vulnerabilities in software products in 2023. This is an increase of 24% compared to the previous year. 66% of all spam emails were hidden cyber attacks. According to the BSI, ransomware is the top threat for companies and authorities in particular. On average, 775 emails containing malware were intercepted in German government networks every day during the reporting period. In addition, an average of 370 websites had to be blocked from access every day due to malware.
It is the mixture of financial motivation and destructive power that makes ransomware so dangerous. In addition, attackers keep refining ransomware and use increasingly sophisticated techniques, including new encryption methods, anonymous payment systems such as cryptocurrencies and social engineering. You need to be prepared for these risks:
- Data breaches: Sometimes attackers threaten to release sensitive data if a ransom is not paid. This can lead to data breaches, fines and legal liability for the affected company.
- Financial damage: Ransomware attacks can affect individuals, companies and organizations financially, as they are often forced to pay a ransom to regain access to their files. Caution: There is no guarantee that the decryption key will be released or that the decryption will actually work, even if the ransom is paid.
- Disruption and loss of time: Ransomware attacks can significantly disrupt operations, resulting in downtime, loss of productivity and reputational damage.
- Rapid spread: Ransomware can spread fast across networks and devices, infecting multiple systems within an organization or between different companies. It can affect companies, countries and critical infrastructures worldwide and cause widespread disruption.
Some examples of how ransomware infects computers are malvertising (malicious advertising on legitimate websites), phishing emails (with dangerous links or attachments) or exploit kits that automatically exploit vulnerabilities in software, operating systems or network services. There are also drive-by downloads (compromised websites that automatically download ransomware onto the systems of website visitors).
What types of ransomware exist?
There are various forms of ransomware that differ in the nature of their attack vectors and behaviors:
- Locker ransomware: With this lock screen type, access to the computer or special functions of the operating system is blocked.
- Encrypting ransomware: Files are encrypted on the infected system using strong encryption algorithms.
- Master Boot Record (MBR) ransomware: It infects the MBR of a computer, which can lead to the operating system no longer starting properly.
- Mobile ransomware: This malware targets mobile devices such as smartphones and tablets. It can distribute itself via infected apps, malicious links or drive-by downloads, encrypting personal data and blocking access.
- Network ransomware: It spreads within a network and infects multiple computers or servers. Shared network resources, vulnerabilities in network protocols or unsecured remote desktop connections are the gateway for hackers.
- Dox or leakware: Attackers threaten to publish stolen or encrypted victim data if no ransom is paid. This form of ransomware aims to blackmail victims by publishing sensitive information instead of just denying access to files.
- Ransomware as a Service (RaaS): Cyber criminals even offer ransomware kits as a subscription. Using ready-made tools, even technically inexperienced people can initiate ransomware attacks.
How do you identify and combat ransomware?
Early detection of ransomware is crucial to minimize the impact on your system and your data. Pay attention to these key points:
- Use reliable antivirus and anti-malware software!
- Use behavior-based detection: There are behavior-based detection techniques that identify ransomware based on its actions rather than its signature. This includes monitoring system behavior for unusual file encryption patterns or attempts to change system settings.
- Educate employees about the risks of ransomware and sensitize them to report suspicious activity on their systems. This will enable IT and security teams to respond more quickly to potential ransomware infections and reduce the impact.
- Use mechanisms to identify anomalies. This could be a sudden increase in file encryption activity, unauthorized access attempts or unusual network traffic patterns.
- Use file integrity monitoring tools to track changes to files and directories.
- Analyze network traffic for signs of ransomware communication, such as connections to known command and control servers used by ransomware operators. Intrusion Detection and Prevention Systems (IDPS) help to block suspicious connections in real time.
- Monitor user activity on your network to identify unusual actions.
- Deploy Endpoint Detection and Response (EDR) solutions that provide real-time visibility into endpoint activity and enable rapid response to potential threats.
- Implement SIEM solutions that collect and analyze security event data from multiple sources across your network. SIEM platforms can be used to correlate events, identify potential security incidents and facilitate response to ransomware attacks.
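As an added illustration of the behavior-based and anomaly detection described above (not code from the original article): a small Python detector that reads constructed file-activity log lines and flags a process that writes many near-random (high-entropy) files with unfamiliar extensions within a short window. The log format, process names, extension list and thresholds are assumptions; the extension check is what keeps legitimate high-entropy output, such as a compressed backup, from raising an alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): time, process, operation, path, entropy.
# Entropy is the Shannon entropy (bits/byte) of the bytes written; encrypted data sits near 8.0.
SAMPLE_LOG = """\
2024-03-01T02:14:01 winword.exe WRITE C:/Users/a/Documents/report.docx 5.1
2024-03-01T02:14:05 outlook.exe WRITE C:/Users/a/Mail/inbox.ost 6.2
2024-03-01T02:20:10 svchost32.exe WRITE C:/Users/a/Documents/report.docx.locked 7.98
2024-03-01T02:20:10 svchost32.exe WRITE C:/Users/a/Documents/budget.xlsx.locked 7.97
2024-03-01T02:20:11 svchost32.exe WRITE C:/Users/a/Pictures/img1.jpg.locked 7.99
2024-03-01T02:20:11 svchost32.exe WRITE C:/Users/a/Pictures/img2.jpg.locked 7.96
2024-03-01T02:20:12 svchost32.exe WRITE C:/Users/a/Desktop/README_TO_DECRYPT.txt 4.5
2024-03-01T02:20:12 svchost32.exe WRITE C:/Users/a/Desktop/notes.txt.locked 7.98
2024-03-01T03:00:00 backup.exe WRITE D:/backup/archive-2024-03-01.zip 7.95
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ([\d.]+)$")
KNOWN_EXT = {".docx", ".xlsx", ".jpg", ".txt", ".ost", ".zip", ".pdf"}  # assumed baseline

def parse(log):
    """Yield (timestamp, process, operation, path, entropy) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, proc, op, path, ent = m.groups()
            yield datetime.fromisoformat(ts), proc, op, path, float(ent)

def is_suspicious_write(op, path, entropy, entropy_threshold=7.5):
    """Encryption-like: near-random data written to a file whose extension is not a known type."""
    name = path.rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return op == "WRITE" and entropy >= entropy_threshold and ext not in KNOWN_EXT

def detect_encryption_bursts(log, window_s=60, min_files=5):
    """Return {process: peak count} for processes with >= min_files suspicious writes inside window_s."""
    hits = defaultdict(list)
    for ts, proc, op, path, ent in parse(log):
        if is_suspicious_write(op, path, ent):
            hits[proc].append(ts)
    alerts = {}
    for proc, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over this process's writes
            while t - times[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= min_files:
                alerts[proc] = max(alerts.get(proc, 0), end - start + 1)
    return alerts
```

On the sample, only svchost32.exe is reported; the backup job's zip archive has similar entropy but a known extension, so it is not counted.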