Ransomware

Ransomware is extortionate malware. Through ransomware, cyber criminals make files, hard drives, computers or entire networks inaccessible to their legitimate users and demand a ransom to free up the files, etc. The term consists of the word “ransom” and “ware” as part of software, so it’s a program.

What does “ransomware” mean in detail?

Ransomware attacks are on the rise. Cyber criminals have recognized companies, governments and administrations as worthwhile goals. Increasingly, elaborate, individualized attacks on companies are being seen. Cyber criminals act in a targeted and often multi-level way, with seemingly innocuous cyber incidents, such as spam, for example, that gives them access to the corporate network. Then they explore the IT infra structure to encrypt particularly important or sensitive data, or even the entire system including backups. By doing so, blackmailers can put more pressure on the affected companies and demand higher ransoms. The payment of the ransom is the desired end point of the cyber criminals’ activities.

Whether they will release the encrypted data or systems afterwards is therefore always uncertain. For some ransomware programs there is no intended decryption, meaning the data remains encrypted even after a ransom payment.

In the known ransomware WannaCry, ransom payments could not be properly assigned, due to a programming error. As a result, no corresponding decoding of the data occurred.

A second, higher ransom demand can also be part of the cyber criminals’ plan.

Technically, ransomware is Trojan. Ransomware can be transmitted in several ways, including infected email attachments, compromised web pages, infected USB sticks and hard drives, network vulnerabilities, and so-called drive-by downloads.

Where might I encounter the topic ransomware in everyday work?

It could potentially come with every email with an attachment, every email with a link, and many other places throughout the workday. For example, in seemingly lost or forgotten USB flash drives, with data transfers from a customer’s external hard drive, when downloading a supposedly important update, to watching a video on the Internet. Being prudent in all these areas can keep a lot of damage away from your business.

What can I do to improve my safety?

Within this glossary, we can only offer suggestions and insights. Please discuss and develop a comprehensive approach with your IT department or with an external IT security service provider, such as Perseus.

Preventive

Nearly all your cyber risk reduction measures also reduce the risk of ransomware attacks. These measures include, among others

• Keep all programs and network components up to date, such as with automatically updates
• Use of a reliable, always up-to-date virus scanner
• Considerate use of a reliable firewall
• Sophisticated network structure, in which, for example, particularly sensitive areas or departments get an independent network
  Monitoring traffic
• Sensitization of your employees. Their attentiveness and prudence allow your employees to avoid damage where technology cannot, such as, as an example, being able to identify and treat an email with a previously unknown Trojan as suspicious.
• When it comes to security measures, keep in mind the so-called shadow IT (eg, privately used employee smartphones) as well as IoT devices (eg, fitness trackers, digital surveillance cameras).
• In addition, a well-thought-out backup strategy is recommended. This will ensure that you can recover as much of your data as possible in the worst case scenario.

Regarding ransomware, you should consider, among others:

• Backups attached to the system can also be encrypted by ransomware. Because of this, frequent backups are recommended that also physically disconnect from the system after creation.
• Inactive ransomware can also be stored on your backup and then encrypt it after importing. Make sure you save as many previous backups as possible. Also, make sure they are stored in "read only" mode. Then these backups cannot be changed afterwards, not even by ransomware. Discuss the proper response in case of an emergency with your IT department or with an external IT security service provider, such as Perseus.
• Practice it – with your employees, too – and write it down. In an active case, a quick and correct response is essential. Prevention is the best defense!

After a seemingly “normal” cyber incident

• Be very careful to check your system for deeper compromises and very closely monitor inbound and outbound traffic
• If you have not already done so, discuss the issue of ransomware and security with your IT department and/or an external IT security provider, like Perseus.

In an active case

ATTENTION: These instructions are general. In the event of an emergency, follow the procedure discussed with your IT department or with an external IT security service provider, such as Perseus. Only this is tailored to your company-specific IT infrastructure!

• Disconnect the affected device or system from the network, the Internet and, if possible, power, as quickly as possible. With luck, you can stop the encryption process from completion. Do not be fooled, not even by different messages on the screen of an affected computer.
• Not all devices can be disconnected from the power, such as laptops or tablets with built-in batteries. If possible, remove them. If not, shut down the unit as soon as possible.
• Notify experts for further action.
• Usually, backups are now created of the infected systems, on the one hand for digital forensics and on the other hand, a lot of encrypted data can be restored.
• Report this cyber incident to the police, the BKA and the Cyber Security Office in Germany. This will help get the perpetrators caught and other companies warned.
• Do not pay a ransom. There is no guarantee that your device or system will be decrypted afterwards. For example this possibility may not even be provided in the ransomware program. There is even the possibility of being confronted with a second ransom demand after a payment. Worse, it’s possible that the cyber criminals have compromised the payment method and means of payment and thereby will gain sensitive credit card information.

Further information and tips for an active case from the Lower Saxony police:www.polizei-praevention.de/themen-und-tipps/pc-gesperrt-ransomware.html BSI warning against more targeted ransomware attacks on companies: www.allianz-fuer-cybersicherheit.de/ACS/DE/_/infos/190424_Ransomware_Angriffe.html

The German registration office for cyber security:www.allianz-fuer-cybersicherheit.de/ACS/DE/Meldestelle/meldestelle.html

Detailed situation dossier of the BSI on ransomware, including measures for the prevention and for an active case: www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Themen/Lagedossier_Ransomware.pdf