Computers and electronic devices with sophisticated functions for different uses have become ubiquitous and critical in the 21st century owing to the improvement in science, technology and human life. The ability for these standalone devices to communicate with each other over networks like the Internet spanning wide areas is outstanding. This improvement, however, is developing a paradox between itself and information security.
In recent years, there has been an upsurge in the deployment of ransomware as an attack vector against corporate institutions, individuals and nations. Cybersecurity Ventures predicts there will be ransomware attacks on businesses every 14 seconds by the end of 2019; annual global damage cost of ransomware are expected to hit $11.5 billion dollars by end of year 2019, and ransomware will worsen and account for a high proportion of cybercrimes by 2021. The statistics excludes individuals who are even more susceptible. This makes the issue of ransomware imperative to discuss.
Ransomware belong to a group of software called Malware ― Malicious Software. Malware are software designed with the intention to cause damage or disruption to computer systems, that is, PCs, mobile phones, tablets, etc. and networks. There are different motives for which they are designed: it could be financial, ideological, criminal or even theft.
Some other types of malwares are Computer worms, Rootkit, Spam, Virus, Trojan, Bots etc. Malwares are created by different interested parties – criminals, individuals or nations for their interests and deployed to their targets to achieve an aim.
Usually, ransomwares are created and deployed by organized or independent criminals against users solely for financial gains but nations also use it as an offensive and defensive defense tool against each other. The name ransomware comes from the combination of two English words ransom and software to depict the characteristic of the software.
Those who create ransomwares create it to deny legitimate users i.e. businesses, individuals and sometimes nations’ rightful access to their data, devices and networks until they pay a specified ransom. Where it is used as a national defense tool – offensive or defensive, by a nation, ransoms might not be demanded but the target of it will be to deny or disrupt an activity.
There are different kinds of ransomwares from the different actors, however, they are all deployed in two major ways to achieve their end. They are either deployed to encrypt your user interface and deny you access to your device or identify critical files using file extensions and encrypt the files – so you have access to the device but not the data. All of these methods will require a ransom be paid before the decryption key is given to unlock your device or the files.
March 2016 saw the burst of the Petya ransomware onto the scene. This malware encrypted the Master Boot Record of the infected computer and demanded a ransom to be paid, by bitcoin. Petya infected systems through an email attachment of a false job applicant’s resume and picture – pdf packages.
Once the attachment was clicked, it activated Microsoft windows user access control, to seek administrative control and goes on to execute the payload. When that’s done, the computer restarts and the Master Boot Record is encrypted in the background.
The master boot record is a setting in computer hardware which holds information about the hard drive and the file systems on the computer. It is part of a set of loaders that run basic programs and data in ROM to have access to the hard drive from which the operating system is then loaded into RAM for normal functioning of the computer.
So, what Petya did was to lock the master boot record which controlled access to the hard drive and by extension the operating system so legitimate users are now stuck to a screen demanding ransom payment before the hard drive could be decrypted for the user to access the windows operating system and their files. It had far reaching consequences including shipping giants Maersk who projected their loss to the attack at $300 million dollars.
Fast-forward to May 2017, the world woke up to another devastating ransomware called WannaCry. It was a ransomware whose kind of impact has never ever been seen in the world before. It was a combination of locker and worm malwares fused into one software. WannaCry exploited two particular vulnerabilities ― EternalBlue and DoublePulsar vulnerabilities within various versions of windows operated systems to gain access, duplicate itself to other systems with the network and encrypt files.
In the short period of 4 days, it has affected over 300,000 computers and 200,000 victims across 150 countries worldwide and its impact was felt across industries, and the attackers demanded a ransom of $300 within 3 days and $600 with 7 days for decrypting the locked data. Refusal to pay the ransom meant that your data was going to be locked forever. After the situation had calmed and cost was counted, the ransomware caused victims collectively $4 Billion whiles the attackers made away with $143,000 in ransom payments.
One can argue that the criminals did not get enough financial reward from the buzz and unprecedented potency of their attack ― which is true. But when you toss the coin and count the cost which victims incurred to restore systems and recover operations, a lot of money was lost.
The latest happened in March 2019 when Norwegian aluminum giant Norsk Hydro’s systems were intruded and interrupted with a malware suspected to be LockerGoga. It encrypted files and asked for a ransom. Although the company reported that they had good backups to restore data and will not pay the ransom demanded by the attackers, they estimated their loss to be $41 Million.
Effects of Ransomware
Loss of data: Ransomware have major effects on data. Data is the prime target of attackers, no matter their motives. When they are successful in deploying their malware into your environment whatever happens next most at times becomes iffy ― What if we pay the ransom and our files are not restored? What if we pay the ransom and lost data anyway?
When data is lost, the victim: business, individual or nation will suffer to great depths and sometimes might not recover until years on. Data has become a critical part of human life in the 21st century due to its application in new technologies like Artificial Intelligence and Internet of Things across different spectrums. These developments make every tiny piece of data useful.
Loss of funds: Funds are lost the moment a ransomware has been successfully exploited against your environment. This is because when successful, the orchestrators may, depending on their motives―most will demand money for their financial gratification to unlock your files for you. When you don’t badge, you’ll then embark on a cleanup exercise of your environment yourself which will still cost you anyway. So either way, you lose a lot of funds. However, how much you lose depends on which approach you take and the size of the environment affected: the bigger, the environment, the more it costs.
Loss of productivity: When systems are disrupted, the victim suffers downtime and this causes loss in their productivity. The larger the environment affected, the bigger the loss in productivity.
Reputation damage: In the world of fast pace decision making and increased collaboration, the last thing any entity will wish for itself is to have a doubtful reputation. When victims especially businesses get hit with ransomware attacks, customers and shareholders begin to cast doubt on the business’s ability to deliver its core product. They begin to be skeptical which goes to affect the company’s shares on the stock, if it is listed on any stock exchange. It can cause the company’s valuation plummet to plummet.
Also, because attacks like ransomware can escalate to breaching individual privacy like contact details and trade secrets, customers and shareholders tend to shy away from companies who suffer these attacks and this further sinks the reputation.
Solutions to Ransomware
Train Employees: Employees are very important part of the safety equation. Employees are the ones who handle the insane amounts of data on daily basis as well as the critical ones. They must be trained to be fully aware of the schemes by which ransomwares can be deployed, the potential of its damage and how to detect a potential ransomware payload.
This is the first security shield any entity can provide itself because, human resource is the most important asset of any entity. When they are aware and awake to the threats, fighting off threats becomes easier―especially ones like ransomwares that demand some level of human interaction almost always. Training and educating them sharpens their judgments in ambivalent situations.
Backups: Every entity, including businesses, individuals and nations that handle data must of necessity have a backup. Backups are duplications of the live data environment. It must be regular, separate, secured and remote from the live environment. This is done with the aim of helping recover data in the event of a disaster like a ransomware. When the principle of backing up data is strictly adhered to – regular, separate, secured and remote, no matter the interruption of the live environment, entities can recover 99% of their data back without paying the ransom.
Protecting the live data environment. By protecting the live data environment, entities must install system patches and updates regularly. These patches and updates are security layers which OEMs – Original Equipment Manufacturers and software vendors provide regularly to offset the ever evolving threats like ransomware. Policies that govern the use of computer systems, file downloads and uploads, etc. within the live data environment must be constantly revised to suit evolving trends to offset new threats.
Develop a cybersecurity policy: Ransomwares are mostly deployed through cyberspace. To effectively counter ransomware threats, entities must develop very concrete, effective and efficient cybersecurity policies to govern cyberspace activities of users in the live data environment. They should ensure good cyberspace hygiene so users don’t fall prey to cyberspace tricksters who may deploy ransomwares into their environment. Such policy should be constantly revised to adapt to changing trends.
In conclusion, ransomware threats are real and efforts must be made by every user―individuals, businesses and governments to protect their computer systems and working environments from being interrupted.