After the Colonial Pipeline attack, here’s what everyone should know about ransomware

By Robert Scammell

As the Colonial Pipeline attack has shown, almost every company and organisation in the world, no matter what business it may be in, is at risk of suffering a potentially crippling ransomware attack.

Ransomware attacks are on the rise and they are becoming more damaging for organisations. According to cybersecurity company Sophos, the average cost for a company to recover from a ransomware attack jumped to $1.85m in 2021. Attacks are increasingly having repercussions felt beyond the perimeter of an organisation, as demonstrated by Colonial Pipeline being forced to shut down operations, causing fuel prices along the East Coast to jump.

But what is ransomware? What can be done to prevent such an attack and how should organisations respond if one happens?

Here’s what you need to know to protect your business against ransomware and what to do if you’ve been attacked.

Ransomware was used against Colonial Pipeline. But what is it?

Ransomware is a type of malicious software designed to lock users out of a computer system or encrypt the files stored on it, such that they cannot be read again without a key. Victims are instructed to make a payment, usually in the cryptocurrency bitcoin, to receive the digital key from the attacker and restore access to the compromised network. Without this key it is usually impossible to decrypt locked files. According to Sophos, the average ransom paid is $170,404.

Sometimes ransomware gangs take copies of sensitive files as part of the attack and may also threaten to leak them unless payment is made.

The most common entry point for ransomware is via a malicious link or file, usually sent via email and opened by an unwary user within an organisation’s network. Once opened on one machine it can spread to other machines in the network, while attackers can also carry out reconnaissance to locate the most valuable data. Other entry points include compromised credentials for remote access to various systems.

There are many variations of ransomware, but the basic purpose remains the same: encrypt files and extract the highest possible ransom fee.

Who is behind ransomware attacks?

The first known ransomware incident took place in 1989 when the PC Cyborg Trojan was sent to victims on a floppy disc. Since then ransomware attacks have evolved in scale and complexity, with more advanced cryptography making it far more difficult to decrypt files without the attacker's key.

Early ransomware cast a wide net against individuals. But over time cybercriminals realised there were far greater profits in targeting corporate networks. Attacks against businesses are tailored, with cybercriminals calculating an optimum ransom figure that is most likely to be paid.

Doppelpaymer, SamSam and GandCrab are just a few of the ransomware gangs that have raked in hundreds of millions of dollars from victims in recent years.

Increasingly, ransomware-as-a-service gangs rent out software and infrastructure to other cybercriminals, taking a cut of their earnings. Some operations have become so slick that they have dedicated customer support teams to guide their victim through the payment process.

One of the most prolific recent groups is the REvil gang, whose ransomware has hit high-profile organisations including the currency exchange Travelex, whose employees were forced to work on pen and paper at kiosks.

Not all ransomware attacks are targeted operations. In 2017 the WannaCry ransomware indiscriminately infected more than 300,000 victims in over 150 countries in what is believed to be the most destructive ransomware attack in history. Among the victims was the UK’s National Health Service, which had to cancel medical procedures and operations after its computer systems were compromised. WannaCry was adapted by criminals from intrusion tools used by US intelligence agencies against their adversaries, and it made use of a Windows vulnerability discovered and kept secret by the American spies – an act which attracted open criticism from Microsoft in the aftermath of the debacle.

Preparing for a ransomware attack

While it is impossible to guarantee complete protection against a ransomware attack, organisations can take a number of steps to deter would-be attackers and enable recovery.

First, organisations should make regular backups and if possible keep these in a separate offline location, one not normally accessible from the core network. For the most important files make multiple copies in multiple locations. This allows an organisation to ignore the ransomware demand while still having access to its data.

Secondly, organisations must store sensitive data securely, properly encrypted, or where relevant (as in the case of passwords) hashed and salted too. If this is done effectively, attackers may still be able to encrypt the data over again – such that the organisation can no longer access it – but there is at least some chance that they won’t be able to take readable copies and publish them to the internet.

Then there’s the matter of keeping attackers out of the organisation network in the first place. Enterprise security tools including VPNs, antivirus, anti-malware and endpoint protection are must-haves as a first line of defence. More advanced tools can monitor for unusual network activity to detect and block attackers before they do too much damage.

IT teams should ensure that all devices are updated regularly with the latest security patches, install firewalls and filter out harmful emails.

“While there is no fool-proof way to prevent ransomware, ensuring good protocol hygiene, network segmentation, and behavioural monitoring of the environment can go a long way toward limiting the blast radius,” says Mike Campfield, head of EMEA operations at ExtraHop.

Cybercriminals target the weakest links in a system – the human element. Training staff to spot malicious emails and maintain good cyber hygiene, such as strong passwords and multi-factor authentication, is a crucial line of defence against attackers.

“Staff awareness still plays a huge part and is often overlooked as a minor detail in the prevention plan,” says Jake Moore, cybersecurity specialist at endpoint protection company ESET. “However, it is vital that staff are vigilant to localised threats and continue to offer support in knowing what to look for as well as the reporting process.”

If possible, the most sensitive parts of the network should be air-gapped, which means having no direct connection to the internet or other networks. This is especially relevant for life-critical systems such as nuclear power plant controls or military systems. Segmenting the network can also prevent cybercriminals from spreading the infection to other systems.

Finally, developing and rehearsing a response strategy can ensure that employees and key stakeholders are prepared for the worst. This can include a communications plan and incident management plan.
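As an added illustration of the behavioural monitoring mentioned above (example code written for this page, not from the article or from any vendor quoted in it): a small detector that flags a host renaming many files to a single new extension within a short window, the trace a file-encrypting ransomware typically leaves in endpoint or file-server activity logs. The log format, hostnames, paths and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-activity log (hypothetical format, not from the article):
# "<ISO timestamp> <host> <user> RENAME <old_path> -> <new_path>"
SAMPLE_LOG = """\
2021-05-07T09:00:01 ws-12 alice RENAME /srv/share/q1.xlsx -> /srv/share/q1.xlsx.locked
2021-05-07T09:00:01 ws-12 alice RENAME /srv/share/q2.xlsx -> /srv/share/q2.xlsx.locked
2021-05-07T09:00:02 ws-12 alice RENAME /srv/share/hr/payroll.docx -> /srv/share/hr/payroll.docx.locked
2021-05-07T09:00:02 ws-12 alice RENAME /srv/share/hr/policy.pdf -> /srv/share/hr/policy.pdf.locked
2021-05-07T09:00:03 ws-12 alice RENAME /srv/share/eng/plan.pptx -> /srv/share/eng/plan.pptx.locked
2021-05-07T09:00:03 ws-12 alice RENAME /srv/share/eng/notes.txt -> /srv/share/eng/notes.txt.locked
2021-05-07T09:00:10 ws-07 bob RENAME /home/bob/draft.docx -> /home/bob/final.docx
2021-05-07T09:05:00 ws-07 bob RENAME /home/bob/old.txt -> /home/bob/old.txt.bak
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) RENAME (\S+) -> (\S+)$")

def parse(log):
    """Yield (time, host, user, old_path, new_path) for each RENAME line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, user, old, new = m.groups()
            yield datetime.fromisoformat(ts), host, user, old, new

def extension(path):
    """Lower-cased final extension of a path, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect_mass_rename(log, window=timedelta(seconds=60), threshold=5):
    """Flag (host, new_extension) pairs where one host renames at least
    `threshold` files to the same new extension inside `window`.
    Returns {(host, ext): number of renames seen when the alert fired}."""
    recent = defaultdict(deque)   # (host, ext) -> timestamps in the window
    alerts = {}
    for ts, host, _user, old, new in parse(log):
        new_ext = extension(new)
        if new_ext == extension(old):
            continue              # ordinary rename, extension unchanged
        key = (host, new_ext)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop events older than the window
        if len(q) >= threshold and key not in alerts:
            alerts[key] = len(q)
    return alerts
```

In a real deployment the same logic would run over a streaming feed and feed an automated isolation step; here ws-12 is flagged on its fifth rename to `.locked`, while bob's ordinary renames on ws-07 never reach the threshold.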

After all – failing to prepare is preparing to fail.

Responding to a ransomware attack

No matter how big your security budget, there’s no guarantee of complete protection from attack. Cybercriminals are opportunistic and will take advantage of any vulnerability possible, which is why it is best to think in terms of “when” an organisation will be hit by ransomware, not “if”.

So what should you do when ransomware strikes? First, don’t panic – that’s when mistakes are made. Ransomware plays on basic human fears. Usually, it will give a short window to pay before files are permanently deleted, sometimes presented in an alarming pop-up with a clock ticking down.

“Once infected by the malware, it is a race against time so if a simulation of events has been adequately tested, this should be much more straightforward,” says Moore. “No one can make good decisions when running around like a headless chicken.”

With a calm head, the first thing to prioritise is preventing the spread of ransomware across the network. Disconnect the infected computer immediately and have your IT team trace the attack to its source and assess the damage.

How critical are the affected files? Do they contain personal data? These are some of the questions that should be answered to trigger the next stage of your response plan, such as contacting data regulators and potentially affected customers. Clear, regular and honest updates to stakeholders and the media will go a long way in mitigating damage to public image.

Reset all credentials across the company, wipe infected devices and reinstall the operating system. Once you’re certain that the network is free from malware, it is time to restore files from backups.

Should you pay the ransom?

Businesses that haven’t managed to preserve a backup of their data may have a very strong need to get it back. It may also be the case that an organisation has managed to come through with its backup data intact, but nonetheless it may face a threat by the criminals to leak copies of the data onto the internet, which could be very damaging both to the organisation and its customers, users or other partners.

In these situations, the question will be asked: should we pay the ransom?

Cybersecurity professionals overwhelmingly recommend against it. There is no guarantee that the cybercriminals will hand over the encryption key once you’ve made the payment, or that they will delete or otherwise keep safe any copied data.

Paying can also make you a target for future attacks. Security researchers have discovered so-called “sucker lists” shared by cybercriminals. The thinking is simple – if you’ve paid before then you’re likely to pay again.

Companies should also remember that paying ransom demands perpetuates the cycle. Ransomware groups operate for one simple reason – it is profitable. Not only would your business be funding a criminal enterprise, it would also be creating the payday that makes the next attack possible.

It is also worth checking the free decryption tools published by groups such as the No More Ransom project, a joint effort of industry and law enforcement.

However, some data is simply too valuable for a company to lose. In these cases, the cost of the ransom fee is outweighed by the cost of losing business.

The key thing is to avoid ending up in this situation in the first place, through robust security, regular backups and a rehearsed action plan.