What is ransomware?
Ransomware is a type of malware – and a growing problem for businesses. It typically encrypts files, systems, or devices, or “locks” screens, rendering folders, files, or complete systems inaccessible. Users are then notified that the system has become compromised and cannot be accessed until a financial “ransom” is paid.
Ransomware can infect your network in many ways, such as a user visiting a compromised website, downloading an infected file, opening a spam email, or could result from unpatched software, leading to increased vulnerabilities across your network. Malware can also remain dormant on a network or device for an extended period, showing its difficulty to trace and eradicate.
This type of malware is often used by cybercriminals to target healthcare, financial sectors, and governments, all of which amass confidential or sensitive data to provide essential services.
In this guide, we will explain how ransomware can affect your business, the different types of ransomware, and how to prevent the threat of ransomware to your business.
Types of ransomware
Malware is an umbrella term for many types of malicious software. Types are usually defined by the deployment method or how it acts once it has accessed a network. For example, ransomware is sometimes referred to as a virus. In some cases, this is true, but viruses are just one type of malicious software characterized by the ability to replicate its code.
- Exploit kits: Exploit kits “exploit” vulnerable or compromised systems that enable attackers to gain full control of your business systems.
- Phishing: Phishing attacks are when bad actors impersonate organizations or individuals to send emails that contain malicious attachments or links.
- Malvertising: Malvertising attacks have grown in both prominence and sophistication. Attackers place infected ads on legitimate and trusted websites. Once loaded on a site page, these ads spread malware within your network – this has a particular impact on the reputation of popular websites that receive high traffic volumes.
- Drive-by downloads: Unlike other attackers which require an action to be undertaken, such as downloading an attachment or clicking a link to an infected site. drive-by downloads can be installed on a device or system without your knowledge because of weak security systems.
Why businesses need to remain vigilant
While older forms of ransomware remain, such as Phobos ransomware, new forms of ransomware are constantly being created, and the number of attacks nearly doubled in the first half of 2021. According to Cognyte, 1,097 organizations were hit by ransomware attacks in the first half of 2021 compared to 1,112 in 2020 for the entire year. The US is the most targeted country, accounting for 54.9% of the total victims.
Several factors could increase the risk of your business being targeted, including:
- Having outdated software or devices
- Unpatched browsers and/or operating systems
- Weak or non-existent backup plans to recover your data (leading to increased risk of data loss and reputational damage)
- Lack of investment in cybersecurity solutions.
Preventing ransomware from accessing your systems and defending your business at the initial stages of an attack can save your business thousands, if not millions in recovery costs. A poignant example is the CryptoLocker ransomware attack, which took more than six months to resolve.
Occurring from September 2013 to May 2014, cybercriminals developed a new botnet, named Gameover ZeuS, which formed a network of targets infected with the malware. A script was then sent to the victims via email attachment, which activated the malware once opened. The ransomware was also able to identify other connected devices on the victim’s network, fully encrypting all data or locking operating systems, and halting business operations.
The malware successfully encrypted files and informed victims that their operations were held hostage until payment of a ransom. Attackers obtained millions of dollars throughout their operations.
In the CryptoLocker attack, an asymmetric encryption tactic was also utilized. This means that the bad actor could encrypt a file with a public key, while the recipient could only decrypt the system with a private key. Without a private key, recovering the encrypted files was almost impossible.
How to prevent ransomware
While not every ransomware victim pays a ransom or incurs a cost, in 95% of cases where there were ransomware-related costs, the median loss was $11,150, according to Verizon. However, losses ranged from a low of $70 to a high of $1.2 million. Businesses that understand how to prevent ransomware can significantly reduce their online vulnerability.
Below, we outline key steps to prevent, block, and defend your operations against potential ransomware attacks.
Educate employees on risks to business security
Employees are the first line of defense to tackle various cyberthreats to business operations and should have at least a basic knowledge of cybersecurity risks, such as spam and phishing attempts, as well as other common tactics, such as:
- Spoofing: An employee will receive an email from an attacker who is impersonating an acquaintance or trusted source with the aim of sourcing confidential or sensitive data that can be used against the business (or individuals).
- Spear phishing: While phishing targets email addresses en masse, spear phishing is when the bad actor thoroughly researches your company to conduct target specific individuals or email groups.
- Social engineering: Can be used to manipulate employees to unknowingly compromise existing IT security.
A “suspicious email” policy to build employee awareness of potential threats can also be helpful, ensuring everyone follows the same procedures to reduce risk levels. Make sure you test any disaster planning policies in advance to identify any gaps or issues and ensure everyone is prepared.
Do not provide personal data to external contacts
In any potential ransomware attack, the cybercriminal will need to undertake essential research on your business – there is no better source for this information than your management team and other employees. To protect your business data, never give out sensitive information to untrusted sources.
Do not click on unverified links, attachments, apps, or pop-up installations
All parties across your business must remain cautious in responding to any files, attachments, or links, regardless of who has sent them, as such files can contain harmful ransomware, viruses, or software. Encryption can provide an algorithm to secure confidential data, which requires the receiving party to decrypt it with a decryption key. Without this key, the data is unreadable to others. Encryption keys are used to decrypt ciphertext back into readable plaintext; therefore, without this key, information is unusable and can prevent the risk of data falling into the wrong hands.
To protect your computer from ransomware, do not click on unverified links, attachments, applications, or pop-ups. When browsing on a desktop, you can check a link destination by hovering your mouse over the link – the target URL address will appear at the bottom of your browser for you to check before you click. Secured sites use ‘https’ instead of ‘http' and have a shield or lock symbol in the address bar. If the target URL is not secure or looks suspicious – for example, if it is not what you expect based on the context of the link – you should not click.
Additionally, downloading malicious apps on both iOS and Android on mobile can also encourage the spread of malware. To mitigate the threat of ransomware, only visit verified, trusted sites like Google Play Store for Android users and the App Store for iPhone users. While this is not 100% foolproof, make sure to check user reviews and number of downloads before installing any new apps, have a clean-up of unused apps every few months, and deploy a robust security solution across your mobile device to prevent the threat of a ransomware attack.
Additionally, criminals can also take advantage of weak security systems via Wi-Fi networks, or whether you click a link in a bogus text message, email, or website. The best advice: Be cautious and always play it safe.
Use mail server content scanning and filtering
Install content scanning and filtering software across your mail servers to block, detect, and prevent the risk of a ransomware attack. These extra layers of protection include:
- Sender Policy Framework (SPF): Email servers can block any unauthorized senders to your network, preventing the risk of spoofing or spam emails.
- Domain Message Authentication Reporting and Conformance (DMARC): Supporting SPF processes, DMARC can monitor existing email authentication procedures and reduce the number of spam and phishing emails by rejecting them if they are not authenticated with either SPF or a Domain Keys Identified Message.
- DomainKeys Identified Mail (DKIM): DKIM is an email authentication technique that utilizes public-key encryption. A string of characters (or hash) is attached to each email and then encrypted with the sending domain’s private key, creating a unique digital signature. When an email is received, the recipient server will check the email and domain user’s public key and digital signature to see whether it has been sent from that respective server and ensure it has not been tampered with before accepting. Any email that fails this check is automatically rejected.
Access user permissions
Restricting users’ ability and removing certain access privileges to download, run, and install software applications, known as Principle of Least Privilege (PoLP) is universally considered a best practice in significantly combating the risk of malware entering your network.
While it is not a popular solution among employees, limiting user privileges is a way to enable businesses to successfully secure sensitive and confidential data, connected devices, programs, and accounts, while remaining compliant in protecting associated information. Role-Based Access Control (RBAC) can also be a successful way to restrict system access while varying levels of permissions to those in certain roles and groups across the business.
Remove the use of external devices, such as USBs
External devices, such as USBs, can create havoc for businesses. While networks can safeguard against internal threats, an external device can be infected with malware without the user being aware. Once inserted and connected to the business network, the malware stored on an employee’s personal device, or other hardware, can spread to the wider business network. To prevent the risk of ransomware, the best defense will be to remove the use of external devices in the workplace.
Ensure all business software and applications remain up to date
To further protect your business from ransomware and other cyberattacks, you must regularly update software and applications, including patches, which are provided by cybersecurity companies to fix any known vulnerabilities on your network.
The 2017 WannaCry attack spread to more than 230,000 Windows PCs in 150 countries in just one day, impacting government agencies, medical facilities, and hospitals. The NHS in the UK was one of the services affected, with out-of-date software playing a significant role in the extent of the disruption. Bad actors were able to exploit outdated and unpatched software. WannaCry remains one of the most infamous cyberattacks to date, and since 2017, Avast has blocked over 170 million additional WannaCry ransomware attacks.
Antivirus solutions can automate patching and updates to ensure your systems are always protected from the newest cyberthreats.
Backup all important files
In the event of a ransomware attack, backups can significantly reduce the downtime required to restore operations. Backups can include the following solutions:
- Off-site storage: Businesses make regular backups, which are sent to an off-site storage facility. Depending on how frequently the backups are made and the host’s recovery processes, this can still lead to several weeks of data loss.
- Electronic vaulting: This allows backups to a remote server, although bandwidth can affect how much data can be stored and recovered.
- Disk-based storage: A point-in-time copy is made and stored both on-site and off-site.
- Cloud-based storage: Data is stored remotely and continuously updated.
Embed a recovery plan
To future proof your business in the event of a ransomware attack, you should implement a Disaster Recovery Plan and Business Continuity Plan. These will enable your business to define the processes and protocols to follow in the event of an attack. You’ll also ascertain the roles for each individual and the contacts that must be notified to support both prevention and recovery.
Implement robust security measures
The importance of installing robust security software and maintaining your system with regular security updates cannot be understated. Using multiple security tools and processes, known as a layered approach, will maximize protection from a ransomware attack.
The following will significantly strengthen your existing security strategy:
- Firewall: A firewall is an effective foundation of any security software suite by blocking unauthorized access to your devices. Without the use of a firewall, your network can become increasingly vulnerable to the risk of malware, such as ransomware.
- Antivirus software: Business antivirus can further detect, protect, and eliminate threats against your network and devices, providing updated, robust protection.
- Cloud technology: Instead of holding all your data in one physical location, cloud technology means you can access it remotely from anywhere, providing accessibility, scalability, and flexibility. The technology will also provide further capabilities for backing up data, as well as who has access to your data, and will enable you to revert to previous versions of your files if your data becomes encrypted in the event of a ransomware attack.
Multi-Factor Authentication (MFA), also known as two-factor authentication, has grown in popularity and prominence. Alongside a strong password, users are asked to provide a second piece of information or process to access their account, providing an additional layer of security.
MFA methods vary and may include:
- An answer to a question you previously cited as “something you know” and inputting the answer no one else would know
- Traditional hardware tokens, such as a FOB that delivers a new code once activated
- Software tokens, such as a secure SMS message that delivers a unique code
- A verification app that asks you to confirm access on a second device
- Biometrics, such as a fingerprint or facial recognition
Installing a Virtual Private Network (VPN) will enable you to encrypt your connection and keep your business data secure and protected while you are in public by creating a secure connection between your device and the internet, enabling you to access your data privately without risk while utilizing public networks. Find out more about how VPNs work and the various types available.
Defined as any device that is connected to your network, endpoint security can protect your business devices from malware attacks and zero-day attacks, which exploit unpatched security flaws. This can make your system increasingly vulnerable, having “zero days” warning to fix any weaknesses before an attack.
Protecting all endpoints, both physically, virtually, or cloud-based is delivered through a centralized management console, enabling administrators to routinely monitor and protect your systems in real-time.
Intrusion Detector System
Intrusion Detection Systems (IDS) routinely monitor your network for any harmful activity, including the threat of ransomware, by detecting unusual or malicious activity in real-time. This allows your business to respond to incidents quickly, with minimal operational downtime.
Review port settings
Many ransomware variants can take advantage of Remote Desktop Protocol (RDP), which allows users to connect to a device remotely. It remains a popular entry point for ransomware attacks, particularly default RDP open port 3389.
Additional Server Message Block (SMB) ports, such as port 445, also allow servers and applications on your network to communicate with one another and with other systems, providing users with the ability to share files, complete activities such as printing documents, and complete tasks successfully over the internet.
Protecting your network and connected devices from both internal and external threats, the advantages of antivirus software include:
- Reduced spam, phishing, spear-phishing attacks, as well as the threat of malvertising
- Protection from any threats from external devices, such as USBs
- Secured network data and endpoints.
Avast Small Business Cybersecurity Solutions
Keep your organization defended against ransomware and advanced cyberattacks with Avast Small Business Solutions, our all-in-one cybersecurity that delivers simple, powerful, and affordable online protection for your small business.