Ransomware, what is it really? You may have heard about it on the news or at the office. The truth is that ransomware has gained notoriety due to a gradual but steady increase in attacks over recent years. In 2022 Australia recorded over 500 reported ransomware attacks, and many more went unreported.
“In 2022 in Australia, over 500 reports of ransomware and malware attacks were made to the Australian Competition and Consumer Commission by people in New South Wales, resulting in close to 47 thousand Australian dollars in money lost. In Victoria, over 120 thousand Australian dollars were reportedly lost to malware and ransomware attacks.” (1) It is also likely that ransomware remains significantly underreported, especially by victims who choose to pay a ransom.
It is reported that one cybercrime report is made approximately every eight minutes in Australia. This is a result of the working-from-home transition: organisations lacked remote-work cyber security practices and policies for their employees, and cyber criminals have been using this opportunity to exploit vulnerabilities in small and medium businesses.
Let’s have a brief look at what a ransomware attack is, how it works, and how it can be removed from an infected system.
What is Ransomware?
The ACSC assesses that ransomware remains the most destructive cybercrime threat.
All sectors of the Australian economy were directly impacted by ransomware in the last financial year.
Kaine Mathrick Tech provides tailored advice on ransomware mitigation for businesses.
Ransomware is an advanced malware program that encrypts and locks the files on a victim’s computer system. The attacker then demands a ransom from the victim, promising to restore access to the files once payment is received.
In a recent global survey, it was found that over 60% of Australian businesses would pay a ransom following a successful ransomware attack. Possibly more alarming than business intentions for the future, 72 per cent of Australian respondents said they have paid a ransom in the past. However, only 14 per cent of organisations that paid were able to successfully recover their data.
And, increasingly, threat actors are targeting data backups as well.
“Organisations are struggling to keep their heads above water against the rising tide of cyber attacks,” said Scott Magill, A/NZ managing director at Rubrik, in an announcement. “Almost every Australian respondent (98 per cent) had seen malicious actors attempt to impact their data backups during a cyber attack. Alarmingly, 87 per cent said the attackers were at least partially successful in these attempts.” (2)
According to the ACSC, the professional, scientific and technical services sector and the health sector reported the most ransomware-related cyber security incidents. The top five reporting sectors for ransomware-related incidents accounted for approximately 50 per cent of all ransomware-related incidents reported to the ACSC in 2021.
The victim of the cyber attack is given payment instructions to get the decryption key. Usually, the payment has to be made in cryptocurrency, preferably bitcoin, since it’s not possible to trace the receiver.
Some types of ransomware attacks can even freeze your entire computer system until the ransom is paid. Ransomware affects organisations and individuals alike, and can cause serious financial damage to a business in addition to downtime and recovery costs.
In 2021–22, ransomware actors continued to incorporate additional extortion tactics in their operations to more effectively extract payment from victims. This is often referred to as ‘multifaceted extortion’. Examples of additional extortion tactics include convincing third-party stakeholders to pressure victims into negotiation, and sustained DDoS attacks against the victim’s network during ransom negotiations.
In 2021, self-reported financial losses due to cybercrime in Australia-based cybercrime reports totalled more than $33 billion (AUD). Small businesses made a higher number of cybercrime reports than in the previous financial year; however, medium businesses had the highest average financial loss per cybercrime report.
How Ransomware Works
Ransomware can enter your computer in several ways. The most common method is a phishing scam: typically an email posing as a person or organisation you trust and asking you to download an attachment. Once the target downloads and opens the attachment, the malware runs and the attacker gains control of their computer. Other sophisticated strains of ransomware, such as NotPetya, exploit vulnerabilities in computer systems and infect them without needing to trick a user.
There are many things ransomware can do once it infects a victim’s computer, but the most common action is to encrypt the user’s files. Once encrypted, it’s not possible for the files to be decrypted without a key known only to the attacker.
In some instances, the attackers pretend to be from a law enforcement agency and claim to have locked the victim’s computer because of illicit material or pirated software. They then demand that the victim pay a “fine”, which makes the victim less likely to report the attack.
Another variation, called doxware or leakware, threatens to publish the victim’s sensitive data. However, since finding this kind of information is not easy, encryption ransomware remains the method most commonly preferred by hackers.
How to Protect Yourself from Ransomware
The following are some of the defences you can use to protect yourself against ransomware infection. These are general security best practices, and following them can protect you against a range of cyber attacks.
- Conduct regular penetration testing and vulnerability assessments to look for potential vulnerabilities in your systems. Professional vulnerability assessment services will give you more detailed and accurate results.
- Don’t install unknown software programs or give administrative privileges to any software unless you are sure of its authenticity.
- Always update your operating system and install all the latest patches to reduce the vulnerabilities in your system.
- Install antivirus and application whitelisting software to detect malware and prevent unauthorised apps from running on your system.
- Keep a backup of your files and perform the backup regularly. This step cannot stop a ransomware attack, but it can help you recover your data without paying a large ransom.
- Follow the password best practices in the Ransomware Prevention and Protection Guide: use strong passwords, create a different password for every account, and preferably use a password management tool.
- Train your employees in safe online behaviour, such as using the web and email safely. Also teach them about phishing scams and why they should never click on links or download attachments received in email from unknown addresses, even if they seem very appealing.
- Disable macros in Microsoft Office. Macros are useful for automating simple MS Office tasks but can also be used for malicious purposes.
Key attributes of a successful Ransomware remediation strategy
To protect your organisation from a Ransomware attack, you should have at least one type of immutable or air-gapped backup repository so you are able to recover your data. Immutable (or unchangeable) backups are copies of files and data that cannot be altered or tampered with for a preset period of time. While primary storage systems must be open and available to client systems, your backup data should be isolated and immutable. It’s the only way to ensure recovery when production systems are compromised. An immutable backup is immune to subsequent ransomware infections.
After ensuring that your backup repositories are less likely to be disrupted, the next step is ensuring that clean data can be restored to the production environment. This is accomplished by first restoring to a sandbox or other isolated area and testing the safety of the data before reintroducing it to the production environment.
Combining this best practice of isolation and “staged restore” with proactive testing of recoverability, using automated verification of real restores, means that you won’t have to rely on backup logs or media tests.
If your computer becomes infected
If your computer is already infected with ransomware, you don’t have a backup, and you are locked out of your machine, here are some steps you can try to regain control of a Windows 10 system:
- Reboot Windows into Safe Mode
- Install an anti-malware program
- Scan your system to locate the ransomware
- Restore your machine to an earlier restore point
While these steps will help you take back control of your machine and remove the ransomware, they will not help you decrypt the already encrypted files. Those files have become unreadable and the decryption key lies only with the attacker. In fact, you should take these steps only if you do not plan to pay the ransom, since by removing the malware you remove the possibility of restoring your files.
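The four recovery steps above, written out as a script for Windows 10 using the built-in Microsoft Defender and System Restore cmdlets. This is an added example, not code from the original article or from Kaine Mathrick Tech; it assumes an elevated Windows PowerShell 5.1 session (the System Restore cmdlets are not available in PowerShell 7) and that the ransomware has not disabled Defender or deleted the restore points, which many strains attempt.

```powershell
# Added example (not from the original article): walk through the recovery steps
# on Windows 10. Assumes elevated Windows PowerShell 5.1 with Microsoft Defender.

# Step 1: confirm we are in Safe Mode before touching anything else.
# Win32_ComputerSystem.BootupState reports 'Normal boot' or 'Fail-safe boot'.
$boot = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
if ($boot -notlike 'Fail-safe*') {
    Write-Warning "Not in Safe Mode (BootupState = '$boot'). Reboot into Safe Mode first."
}

# Steps 2 and 3: refresh signatures and run a full scan with the built-in anti-malware
Update-MpSignature -ErrorAction SilentlyContinue
Start-MpScan -ScanType FullScan

# Report what Defender recorded so the ransomware family and its files can be identified
$found = Get-MpThreatDetection
if ($found) {
    $found | Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
        Format-Table -AutoSize
} else {
    Write-Host 'No threats recorded by Defender.'
}

# Step 4: list restore points so one dated before the infection can be chosen.
# The rollback itself is left as a manual decision (it cannot be undone in Safe Mode).
$points = Get-ComputerRestorePoint
if (-not $points) {
    Write-Warning 'No restore points found; System Restore cannot roll this machine back.'
} else {
    $points | Select-Object SequenceNumber, Description,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize
    Write-Host 'Roll back with: Restore-Computer -RestorePoint <SequenceNumber>'
}
```

As the article notes, none of this recovers encrypted files; it only returns control of the machine.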
Recent Ransomware Attacks
Consistent with global trends, ransomware remains one of the most disruptive threats to Australian organisations. Ransomware can cripple organisations that rely on computer systems to function by encrypting devices, folders and files and rendering systems inaccessible. At the same time, cybercriminals have moved towards stealing data, including intellectual property and the personal information of employees and customers. The criminals then demand payment in return for decrypting and restoring access to the victim’s network, and not publicly releasing the stolen information.
One of the most noteworthy ransomware attacks in September 2022 was the Optus attack affecting 9.8 million customers. Cybercriminals believed to be working for a state-sponsored operation breached Optus’ internal network, compromising personal information of up to 9.8 million customers. According to Optus CEO Kelly Bayer, the oldest records in the compromised database could date as far back as 2017. It is speculated that the criminal group gained access through an unauthenticated API endpoint, meaning a username/password or any other authentication method wasn’t required to connect to the API. If the cybercriminals are confirmed to be state-sponsored, the breach was likely caused by a ransomware attack, a style of attack used by such well-financed hacker groups for its high success rates and significant dividends.
In 2021, an Australian university’s technology environment was compromised as a result of a targeted ransomware cyber attack infiltrating the university’s infrastructure and applications. This led to the unprecedented decision by the university to shut down the network, ensuring the potential for further propagation was contained and critical learning and teaching could continue as scheduled.
This incident highlights that compromising systems with malware can significantly disrupt an organisation’s services. Malicious cyber actors have used education sector networks to pivot to other networks, such as other universities, research centres and government agencies. Once on a network, cyber actors can easily exploit trusted relationships by using compromised accounts to spear-phish individuals at other organisations of interest, maximising the spread of ransomware or gaining access to sensitive information such as intellectual property.
Figure: Top five reporting sectors for ransomware-related cyber security incidents
References
(1) Number of reported ransomware and malware attacks in Australia in 2022, by location
(2) Ransomware: Two-thirds of Aussie businesses would pay up, new survey finds – Cyber Security Connect
Maintaining Good Cyber Practices
The best approach to maintaining good cyber practices and preventing ransomware attacks is a proactive one. KMT’s cyber security vulnerability assessment is designed to evaluate your organisation’s exposure to potential ransomware attacks. Book a FREE Cyber Security Vulnerability Assessment with us today to determine the likelihood of a ransomware incident, its potential impact on your organisation, and how quickly you are likely to recover.