Ransomware, what is it really? You may have heard it on the news or at the office. The truth is, that ransomware has gained popularity due to a gradual but steady increase in attacks over recent years. In 2022 Australia reported over 500 ransomware attacks with many instances not being reported.

“In 2022 in Australia, over 500 reports of ransomware and malware attacks were made to the Australian Competition and Consumer Commission by people in New South Wales, resulting in close to 47 thousand Australian dollars in money lost. In Victoria, over 120 thousand Australian dollars were reportedly lost to malware and ransomware attacks.” (1) It is also likely that ransomware remains significantly underreported, especially by victims who choose to pay a ransom.

It is reported that one cybercrime report is made approximately every eight minutes in Australia. This is a result of the working-from-home transition. The reason behind it was the lack of remote work cyber security practices and policies for employees by the organisations. Hence, cyber criminals have been using this opportunity to exploit vulnerabilities in small and medium businesses.

Let’s have a brief look at what is ransomware attack, how it works, and how it can be removed from an infected system.

Ransomware is an advanced malware program that encrypts and locks the files of a victim’s computer system. Afterwards, the cyber attacker demands a ransom amount from the target to restore their access to the files after receiving payment.

In a recent global survey, it was found that over 60% of Australian Businesses would pay a ransom following a successful ransomware attack. But possibly more alarming than business intentions for the future, 72 per cent of Australian respondents said they have paid a ransom in the past. However, despite paying, only 14 per cent of organisations were able to successfully recover their data despite paying a ransom.

And, increasingly, threat actors are targeting data backups as well.

“Organisations are struggling to keep their heads above water against the rising tide of cyber attacks,” said Scott Magill, A/NZ managing director at Rubrik, in an announcement. “Almost every Australian respondent (98 per cent) had seen malicious actors attempt to impact their data backups during a cyber attack. Alarmingly, 87 per cent said the attackers were at least partially successful in these attempts.” (2)

According to the ACSC, the professional, scientific and technical services sector and the health sector reported the most ransomware-related cyber security incidents. The top five reporting sectors for ransomware-related incidents accounted for approximately 50 per cent of all ransomware-related incidents reported to the ACSC in 2021.

The victim of the cyber attack is given payment instructions to get the decryption key. Usually, the payment has to be made in cryptocurrency, preferably bitcoin, since it’s not possible to trace the receiver. 

Some types of ransomware attacks can even freeze your entire computer system until the ransom is paid. It can affect both organisations and individuals alike, and can cause serious financial damages to a business in addition to downtime and recovery costs. 

In 2021–22, ransomware actors continued to incorporate additional extortion tactics in their operations to more effectively extract payment from victims. This is often referred to as ‘multifaceted extortion’. Examples of additional extortion tactics include convincing third-party stakeholders to pressure victims into negotiation, and sustained DDoS attacks against the victim’s network during ransom negotiations.

In 2021, self-reported financial losses due to cybercrime in Australia-based cybercrime reports totalled more than $33 billion (AUD). Small businesses made a higher number of cybercrime reports than in the previous financial year; however, medium businesses had the highest average financial loss per cybercrime report.

The following are some of the defenses you can use to prevent yourself from potential ransomware infections. These are general security best practices, and following them can protect you against a range of cyber-attacks. 

• Conduct regular penetration testing and vulnerability assessments to look for potential vulnerabilities in your system. Take help from professional vulnerability assessment services for detailed accurate results. 
• Don’t install unknown software programs or give administrative privilege to any software unless you are sure of its authenticity.
• Always update your operating system and install all latest patches to decrease vulnerabilities in your system.
• Install antivirus and whitelisting software to detect malware and prevent unauthorized apps from running in your system.
• Keep a backup of your files and perform the backup regularly. This step cannot stop ransomware attack but it can help you recover your data without paying huge ransom amounts.
• Follow Ransomware Prevention and Protection Guide best practices for keeping passwords including strong passwords, creating a different password for every account, and preferably using a password management tool. 
• Train your employees about safe online behavior such as using the web and email safely. Also teach them about phishing scams and why they should never click on links or download attachments received in email from unknown addresses, even if they seem very appealing.
• Disable Macros in Microsoft office. Macros are useful for making simple MS Office tasks automatic but can also be used for malicious purposes. 

To protect your organisation from a Ransomware attack, you should have at least one type of immutable or air-gapped backup repository so you are able to recover your data.  Immutable (or unchangeable) backups are copies of files and data that cannot be altered or tampered with for a preset period of time.  While primary storage systems must be open and available to client systems, your backup data should be isolated and immutable. It’s the only way to ensure recovery when production systems are compromised. An immutable backup is immune to subsequent ransomware infections.

After ensuring that your back up repositories are less likely to be disrupted, the next step is ensuring that clean data can be restored back to the production environment. This is accomplished by first restoring to a sandbox or an isolated area, to test the safety of the data prior to reintroducing it to the  production environment.

This best practice of isolation and “staged restore” and proactively testing the recoverability of data with automated verifications of real restores, means that you wont have to rely on backup logs or media tests.

If your computer becomes infected

If your computer is already infected with ransomware and you don’t have a backup while also being locked out of your machine, here are some steps you can try taking to regain control of your system on windows 10 operating systems:

• Reboot your windows to safe mode
• Install anti-malware program in your windows
• Scan your system to locate the ransomware
• Restore your machine to a previous date

While these steps will help you take back control of your machine and remove the ransomware, it will not help you decrypt the already encrypted files. The files have already become unreadable and the decryption key only lies with the attacker. In fact, you should take this step only if you plan on not paying the ransom to the attackers, since by removing the malware you exclude the probability of restoring your files.

Consistent with global trends, ransomware remains one of the most disruptive threats to Australian organisations. Ransomware can cripple organisations that rely on computer systems to function by encrypting devices, folders and files and rendering systems inaccessible. At the same time, cybercriminals have moved towards stealing data, including intellectual property and the personal information of employees and customers. The criminals then demand payment in return for decrypting and restoring access to the victim’s network, and not publicly releasing the stolen information.

One of the most noteworthy ransomware attacks In September 2022 was the Optus attack affecting 9.8 million customers.  Cybercriminals believed to be working for a state-sponsored operation breached Optus’ internal network, compromising personal information impacting up to 9.8 million customers. According to Optus CEO Kelly Bayer, the oldest records in the compromised database could date as far back as 2017.  It’s speculated that the criminal group gained access through an unauthorized API endpoint, meaning a user/password or any other authentication method wasn’t required to connect to the API.  If the cybercriminals are confirmed to be state-sponsored, the breach was likely caused by a ransomware attack – a style of attack referenced by such well-financed hacker groups for its high success rates and significant dividends.

In 2021, an Australian university’s technology environment was compromised as a result of a targeted ransomware cyber attack infiltrating the university’s infrastructure and applications. This led to the unprecedented decision by the university to shut down the network, ensuring the potential for further propagation was contained and critical learning and teaching could continue as scheduled.

This incident highlights that compromising systems with malware can significantly disrupt an organisation’s services. The malicious cyber actors have used education sector networks to pivot to other networks, such as other universities, research centres and government agencies. Once on a network, cyber actors can easily exploit trusted relationships by using compromised accounts to spear phish individuals from other organisations of interest and maximise the spread of ransomware or gain access to sensitive information, such as intellectual property.

Maintaining Good Cyber Practices

The best approach to maintaining good cyber practices and preventing ransomware attacks is to have a proactive approach towards them. KMT’s cyber security vulnerability assessment is designed to evaluate your organisation’s vulnerability to potential ransomware attacks. Book a FREE Cyber Security Vulnerability Assessment with us today to determine the likelihood of a ransomware incident, its potential impact on your organisation, and how quickly you are likely to recover. 

Reference

1. ACSC Annual Cyber Threat Report 2020-2021.  Source:  https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-2020-21#summary