We look at the basics of ransomware and offer some important advice to ensure your charity stays protected.
Ransomware is a type of malware that infects end user computers, as well as organisations’ servers. Once ransomware gets on to a computer, it silently encrypts all the files on the computer or just certain types of files such as databases, spreadsheets, and documents.
Once this process is complete the ransomware locks the computer and all the encrypted files become inaccessible. The ransomware presents a ransom note demanding a payment in cryptocurrency for the decryption key needed to restore access to all the encrypted files.
Most ransomware also seeks out network connections from an infected computer to other computers, so that a single infection can lead to a large number of an organisation’s computers becoming infected very quickly.
Ransomware exploded onto the computing scene in the mid-2000s and every year the ransomware problem gets worse. Cyber criminals behind ransomware attacks netted about $20 billion in ransoms in 2020, almost double the amount the previous year, according to cyber security company CrowdStrike.
But these figures are just the tip of the iceberg as far as ransomware is concerned, because many organisations choose not to pay the ransoms that are demanded. Instead they seek to disinfect their computer systems and recover their data from backups, often suffering severe disruption to their operations for days or even weeks.
In total, ransomware attacks cost American small businesses more than $75 billion per year in recovery costs and getting their activities up and running again, according to Datto, a security software company.
The UK, according to Serbus, was the second most-attacked country in the world last year for ransomware attacks, costing UK businesses a total of £365 million for the year.
Most ransomware uses established modern encryption algorithms to encrypt data on infected computers.
These algorithms are extremely effective, meaning that there is no known method of decrypting data once it has been encrypted without knowing the decryption key.
Since there are a huge number of possible keys, it would take millions or even billions of years to have a reasonable chance of guessing the decryption key even if you could make millions of different guesses every second.
The good news is that a minority of ransomware authors are not good at implementing encryption correctly into their malware. As a result, it is occasionally possible to decrypt encrypted files without the decryption key.
What’s more, some ransomware writers use the same decryption key every time their ransomware infects a computer. If your computer is infected with one of these strains of ransomware then it is possible to obtain the decryption key from a repository such as NoMoreRansom or Heimdal Security’s decryption tool directory.
Unfortunately, these flawed strains of ransomware are becoming less common, in part due to the rise of Ransomware as a service (RaaS). This involves a few skilled ransomware writers creating ransomware and renting it to cyber criminals to use to infect computers and collect ransoms.
RaaS offerings enable non tech-savvy criminals to enter the ransomware racket easily by accessing well-written ransomware. The cyber criminals can use ransomware to infect computers in any way they like, and it can be customised to change the language of the ransom note and the amount of the ransom.
At the end of 2020, the average ransom demand was more than $150,000, according to ransomware recovery specialists Coveware.
The ransomware writers provide their malware to cyber criminals in a variety of ways including:
RaaS offerings usually provide criminals with dashboards showing them how many computers the malware they are using has infected, how many ransomware demands have been issued, and how many payments have been received.
Data that has been encrypted by ransomware cannot generally be accessed from that computer without paying the ransom, and even paying the ransom does not guarantee recovery will be possible.
That’s because up to 40% of organisations that pay a ransom do not get a decryption key in return, according to Coveware. Even when a decryption tool is supplied by the criminals, organisations still lose more than 5% of their data, the company found.
But it is still possible to access the data that has been encrypted if a backup copy of this data has been made and is stored on another storage device – either attached to a separate computer or in the cloud – that has not also been infected with the ransomware.
That means that the best defence against ransomware is to ensure that all your data is backed up regularly. Ideally, separate backups should be made to a local device (such as another computer or a USB drive) as well as to a storage service in the cloud.
One of the most common ways for malware to get onto charity networks is for an employee to click on a malicious link or open a malicious attachment in a phishing email. Ensuring that all charity staff members are trained to help them spot phishing emails is the best way to prevent ransomware infections in the first place.
All charity computers should be running endpoint security software, but it pays to make sure that the endpoint protection software you have chosen is designed to spot the tell-tale signs of ransomware in operation and stop it.
These signs include large numbers of file deletions, accessing of dummy files, and unexpected encryption activity.
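The three signs listed above, written as detection logic over a constructed stream of file events. This is an added example, not code from any endpoint product; the event fields, canary path, thresholds and sample events are all assumptions.

```python
import math
from collections import Counter, defaultdict

# All names, paths and thresholds below are assumptions made for this example.
CANARY_FILES = {"/srv/share/000_canary.docx"}  # dummy file no user should touch
DELETE_BURST = 20       # deletions by one process inside WINDOW_SECONDS
WINDOW_SECONDS = 10
ENTROPY_LIMIT = 7.5     # bits per byte; encrypted output sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in a sample of written data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def ransomware_signs(events):
    """Map each process id to the set of signs seen in its file events."""
    signs, deletes = defaultdict(set), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        pid = ev["pid"]
        if ev["path"] in CANARY_FILES:
            signs[pid].add("canary_access")
        if ev["op"] == "delete":
            times = deletes[pid]
            times.append(ev["time"])
            # Keep only deletions that fall inside the sliding window.
            while times[0] < ev["time"] - WINDOW_SECONDS:
                times.pop(0)
            if len(times) >= DELETE_BURST:
                signs[pid].add("delete_burst")
        # Compressed files also score high, so this sign is only corroborating.
        if ev["op"] == "write" and shannon_entropy(ev.get("data", b"")) > ENTROPY_LIMIT:
            signs[pid].add("high_entropy_write")
    return dict(signs)

def alerts(events, minimum_signs=2):
    """Process ids showing at least `minimum_signs` different signs."""
    return sorted(p for p, s in ransomware_signs(events).items() if len(s) >= minimum_signs)

# Constructed sample events: pid 4120 behaves like ransomware, pid 77 like a user.
SAMPLE = [{"time": 0.0, "pid": 4120, "op": "read", "path": "/srv/share/000_canary.docx"}]
SAMPLE += [{"time": 1 + i * 0.2, "pid": 4120, "op": "delete",
            "path": f"/srv/share/doc{i}.xlsx"} for i in range(25)]
SAMPLE += [{"time": 7.0, "pid": 4120, "op": "write", "path": "/srv/share/doc0.xlsx.locked",
            "data": bytes(range(256)) * 16},
           {"time": 2.0, "pid": 77, "op": "delete", "path": "/home/a/old.txt"},
           {"time": 3.0, "pid": 77, "op": "write", "path": "/home/a/report.txt",
            "data": b"Quarterly donations report\n" * 100}]
```

Requiring two different signs before alerting keeps ordinary activity, such as a user deleting a file or saving a compressed archive, from raising an alarm on its own.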
Ensure all your charity’s operating systems and applications are patched and updated in a timely fashion to prevent ransomware exploiting known vulnerabilities. This is important because many ransomware services are not particularly innovative and rely on using unpatched vulnerabilities to infect machines.
Cyber insurance can help your charity mitigate the financial risks of ransomware, but be sure that you are fully insured for the losses that may be incurred.
There are a number of straightforward steps you can take, including: