Ransomware

Refers to extortionate malware. Cybercriminals use ransomware to make files, hard drives, computers or entire networks inaccessible to their legitimate users and demand a ransom to release the files, etc. The term is made up of the English words “ransom” for ransom and “-ware” as a word part of software, i.e. program.

What does ransomware mean in detail?

Ransomware attacks are currently on the rise. Cybercriminals have identified companies, authorities and administrations as worthwhile targets for themselves. Increasingly, complex, individualized attacks on companies are being observed. Cybercriminals take a targeted and often multi-stage approach. With seemingly everyday cyber incidents such as spam , they gain access to the corporate network. Then they research the IT infrastructure in order to encrypt particularly important or sensitive data in a targeted manner – or the entire system, including connected backups. This approach allows the extortionists to exert greater pressure on the affected companies and demand higher ransoms. Paying the ransom is the desired endpoint of the cybercriminals’ activities.
Whether they release the encrypted data or systems afterwards is therefore always uncertain. Some ransomware programs don’t have any intended decryption, which means that the data remains encrypted even after a ransom payment is made.
In the case of the well-known WannaCry ransomware, ransom payments could not be assigned due to a programming error. As a result, no corresponding decryption of the data took place.
A second, higher ransom demand can also be part of the cybercriminals’ concept.
Technically, ransomware is a Trojan. Ransomware can be transmitted in several ways, including via infected email attachments, compromised websites, infected USB sticks and hard drives, network security vulnerabilities, and drive-by downloads.

Where do I encounter the topic of “ransomware” in my everyday work?

Potentially, you will encounter it with every email with an attachment, with every email with a link and in many other places in your everyday work. For example, in the case of seemingly lost or forgotten USB sticks, when transferring data to customers’ external hard drives, when downloading a supposedly important update to be able to watch a video on the Internet. In all these places, you can keep great damage away from your company with your prudence.

What can I do to improve my security?

Within the framework of this glossary, we can only provide suggestions and insights. Please discuss and create a comprehensive procedure with your IT department or with an external IT security service provider such as Perseus.

Preventive

Nearly all measures to reduce your organization’s cyber risk also reduce the risk of ransomware attacks. These measures include, but are not limited to:

• Always keep all programs and components of the network up to date, e.g. through automatic updates
• Use of a reliable, always up-to-date virus scanner
• Consider the use of a reliable firewall
• Well thought-out network structure, in which, for example, particularly sensitive areas or departments receive an independent network
• Traffic monitoring
• Sensitization of your employees: Through their attention and prudence, your employees can avert damage even where technology cannot. For example, you can detect and treat an email with a previously unknown Trojan as suspicious.
• When taking security measures, also consider so-called shadow IT (e.g. also privately used employee smartphones) and IoT devices (e.g. fitness trackers, digital surveillance cameras).
• A well-thought-out backup strategy is also recommended. This ensures that you can recover as much of your data as possible, even in the worst case. When it comes to ransomware, some things you should consider include:
  • Backups connected to the system can also be encrypted by ransomeware. Therefore, frequent backups are recommended, which are also physically disconnected from the system after creation.
  • A ransomware that is not yet active can also be stored on your backup and encrypt it after it has been installed. Therefore, make sure that as many previous backups as possible are stored. Also make sure that they are saved in “read only” mode. Then these backups can no longer be changed afterwards, not even by ransomware. Discuss the right course of action in an acute case with your IT department or with an external IT security service provider such as Perseus.
  • Practice it – also with your employees – and write it down. In acute cases, it is important to react quickly and correctly, and you can create the best conditions for this by taking preventive measures.

After a seemingly “normal” cyber incident

• Have your system carefully checked for deeper compromises and arrange for particularly close monitoring of incoming and outgoing data traffic
• If you haven’t already, discuss the topic of ransomware and security measures with your IT department and/or an external IT security service provider such as Perseus now.

In acute cases

ATTENTION: These instructions are general. In acute cases, stick to the procedure discussed with your IT department or with an external IT security service provider such as Perseus. Only this is tailored to your company-specific IT infrastructure!

• Disconnect the affected device or system from the network, the Internet, and power as soon as possible. With luck, you can stop the encryption process before it is completed. Do not be deterred, not even by messages to the contrary on the screen of an infected computer.
• Not all devices can be disconnected from the power supply, e.g. laptops or tablets with built-in batteries. If possible, remove them. If not, shut down the device as soon as possible.
• Alert experts for further action.
• Usually, backups are now created of the infected systems. On the one hand as a digital forensic record and on the other hand a lot of encrypted data can be restored.
• Report this cyber incident to the police, the BKA and the Reporting Office for Cyber Security in Germany. This can help to catch the perpetrators and warn other companies.
• Don’t pay a ransom. There is no guarantee that your device or system will be decrypted afterwards, and in some cases, this possibility is not even provided for in the ransomware’s program. There’s even a chance that you’ll face a second ransom note after making a payment. Furthermore, it is possible that the cybercriminals compromise the payment method and means of payment and thus obtain sensitive credit card information, for example.

Further information and tips for acute cases from the Police Crime Prevention:https://www.polizei-beratung.de/themen-und-tipps/gefahren-im-internet/ransomware/