Ransomware appears to be one of the most expensive and disruptive internet afflictions. It is a type of malware that encrypts the victim's files and vital information, and hackers demand payoffs to provide the decryption keys.
While ransomware is not any new form of attack on cybersecurity, the prevalent scenario is indeed alarming; the following numbers corroborate the same-
- 66% of organizations were hit by ransomware in 2021.
- 65% of the above attacks resulted in data encryption.
- Overall, the average ransom payment came in at US$812,360.
It seems that individuals and organizations are likely to get affected by ransomware attacks even in 2023 and beyond.
Brief on Ransomware Attack
Ransomware attacks are of several types and cause the victim to suffer financial and operational implications. After paying the ransom, it might appear that businesses turn back to normal, but getting the decryption key doesn't solve it all.
Decrypting the files on compromised computer servers can take days, weeks, or months, depending on how many systems are affected.
Furthermore, even if a company pays ransom to one ransomware group, other groups might exploit the exposed vulnerabilities of the system. Therefore, the victims must take strong measures to improve their cybersecurity and technical infrastructure to prevent ransomware attacks.
The article talks about ransomware attacks- their types, implications on organizations around the globe, and preventive measures. But first, let's look at the recent ransomware attack on the ION group, which occurred on 31st January 2023.
Outline of ION's Incident
ION Group is a software company based in the UK whose products are used by banks, financial institutions, and corporations for trading, market analytics, investment management, and settlement of exchange-traded derivatives.
On 31st January 2023, ION released a statement saying, "ION Cleared Derivatives, a division of ION Markets, experienced a cybersecurity event commencing on 31 January 2023 that has affected some of its services. The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing."
The ransomware attack took place in the early hours and took by storm ION's Cleared Derivatives division provides software for automating the trading lifecycle and the derivatives clearing process.
It clogged clearing and trading in exchange-traded derivatives at some of the world's biggest banks and financial institutions. This eventually caused problems for scores of brokers, forcing them to manually record the trades during the interruption, including manual entries in spreadsheets, setting them behind by decades.
The US Commodity Futures Trading Commission could not publish the weekly trading statistics because a few affected ION clients were not able to accumulate information fast enough to collate daily positioning reports.
The attack against ION began in the early hours of Tuesday and affected 42 of its clients, including ABN Amro Clearing (ABNd.AS) and Intesa Sanpaolo (ISP.MI), Italy's biggest bank.
LockBit, a Russian ransomware group, took responsibility for the attack and posted ION's name on its dark web "leaked site." It had set 4th February as the deadline for ION to pay the ransom and showed a timer against the deadline on its website.
However, on 3rd February, ION's name was removed from LockBit's extortion website. A representative of LockBit communicated to Reuters via its online chat account that ransom had been paid but declined to clarify who had paid the money or how much was the ransom for that matter- saying it had come from a "very rich unknown philanthropist."
Ransomware Attack And Its Types
Ransomware works by encrypting vital company data and extorting the victims for payoffs in exchange for the decryption keys. But even if hackers hand over the keys, it can still take days, weeks, or longer to undo the damage to a company's digital infrastructure.
Ransomware malware can be sent through various channels, including email attachments, damaged software, infected external storage, and compromised websites. Moreover, the easy availability of Ransomware kits on the deep web has facilitated criminals with very little or no knowledge to purchase these kits and launch attacks.
While there are a lot of Ransomware strains, they can be categorized into the following types-
1. Crypto Ransomware
Also known as Encryption Ransomware, this ransomware attack is one of the most common and disrupting variants. It encrypts important data such as files, documents, videos, and images within a system, without interfering with basic computer functions, i.e., the victim can see the files but cannot open them.
Crypto Ransomware takes the data hostage and scrambles it so that the files are not readable and thus making the content inaccessible without a decryption key. There is often a countdown attached to the ransom demand. Eventually, most of the victims give in and pay the ransom to restore their data.
2. Locker Ransomware
This type of attack blocks essential computer functions- it completely locks the victim out of their system. For instance, access to the desktop is denied, but the mouse and keyboard are active partially, only enough for the victim to interact with the ransom window access to the desktop.
The above two types of attacks can further be categorized into the following subsets-
- Leakware/Doxware is a kind of encryption ransomware that encrypts critical and sensitive data and threatens to publish it in case the victims fails to pay the ransom.
- Mobile Ransomware is non-encrypting ransomware that is delivered to mobile devices via malicious apps or downloads. However, automated cloud data backups on almost every mobile device make it easy to reverse these encryption attacks.
- Wipers/ Destructive Ransomware threatens to destroy data if the victim doesn't pay the ransom. However, in some cases, the attacker destroys the data even if the ransom is paid.
- Scareware Ransomware scares the victims into paying a ransom. It might send a message posing as a law enforcement agency, laying charges against the victim for a crime. Alternatively, it might send a fake virus infection alert, asking the victim to purchase antivirus software.
3. RaaS (Ransomware as a Service)
It is a ransomware attack where the ransomware operator allows affiliates lacking the technical skills to launch an attack. The operator provides support to the affiliates right from launching the attack to handling the payments and restoring access in return for a margin from the ransom amount.
Impacts of Ransomware Attacks
1) Financial Loss
Organizations affected by ransomware suffer substantial financial losses along with losing customers and employees.
The global cost of ransomware has increased from $325 million in 2015 to $20 billion in 2021.
2. Extended Downtime
After a ransomware attack, organizations can take weeks to months to get back to their usual productivity level. The average downtime period has increased from 15 days in 2020 to 22 days in 2022.
3. More Ransomware Attacks
One ransomware attack could lead to another in the sense that when conducting an initial attack on an organization's IT systems, attackers also find additional vulnerabilities, which they exploit later, knowing that the organization will be willing to pay a considerable ransom.
4. Damage to Reputation
Along with revenue loss, a company's reputation is also on the line because of the attack. Getting hit by a ransomware attack means a breach in cybersecurity that hampers the clients' trust in the company.
46% of organizations that experienced a cybersecurity breach suffered a significant hit to their reputation and their brand's value as a result.
What Should Organizations Do to Protect Themselves?
Conventional antivirus can protect against ransomware variants, but not all. Having next-generation antivirus (NGAV) will defend against file-less attacks, obfuscated ransomware, or zero-day malware. Modern endpoint protection platforms also provide firewalls and Endpoint Detection and Response (EDR) capabilities, which assist in detecting and blocking ransomware attacks occurring on endpoints in real time.
Continuously Data Backups
Maintaining regular backups on an external hard drive might not prevent the attack, but it prevents losing the data in case of an attack. The 3-2-1 Rule is the key here- making three backup copies on two media types with one backup kept at a different location.
It involves identifying system vulnerabilities and improving or fixing these features, initiating the updates, and validating the installation of those updates. The operating system should be kept up-to-date, and security patches should be installed to prevent attackers from exploiting the systems that are not yet patched.
Control over Applications
Having necessary device controls will ensure a limit on the number of applications installed on the device. Further, increasing browser security settings, disabling vulnerable browser plugins and macros on word processing, running AI-powered security analysis, and using web filtering would protect users from accessing malicious sites.
Organizations should conduct regular training sessions for employees and impart knowledge about the red flags of a ransomware attack and social engineering measures. It would result in timely identifying the emerging threats and communicating the situation to the right personnel.
Other measures include working in tandem with Managed Security Service Providers (MSSPs) and cybersecurity experts, implementing and enhancing email security, restricting access to virtualization management infrastructure, developing and pressure testing an Incident Response Plan, and implementing an IAM plan.
The ION ransomware attack evokes the urgency to have a robust cybersecurity system in place.
With vital IT systems being offline for days to months, ransomware attacks can cause severe operational disruption in addition to the financial losses an organization suffers. There are various types of ransomware strains and types, and it is vital to know them in depth to have a proper incident response plan, prevent the attack and mitigate it in case the attack happens.