
What is the infection route of ransomware?Explaining countermeasures, prevention, and what to do in case of infection
2023/ 10/ 27
Ransomware is causing increasing damage to businesses large and small. This article explains the basics of what ransomware is, the recent damage situation and attack methods, and changes and trends in infection routes. Alongside examples of damage, what to do in the event of an infection, and measures to prevent one, it also covers points to consider when consulting a specialized organization, both after an infection and in preparation for one.

What is ransomware?
Ransomware is a type of malicious program, or malware. "Ransom" refers to money demanded in exchange for releasing something held hostage. Ransomware is malicious software that encrypts the data on infected computers, making it inaccessible, and demands a ransom payment in exchange for decrypting it.
Damage status, methods, and infection routes of ransomware
Let's take a look at the actual situation, such as the number and status of damage cases caused by ransomware in recent years and the infection routes, based on materials from the National Police Agency. In 2022, 230 cases of ransomware damage were reported to the National Police Agency. This is a rapid increase of 57.5% compared to the previous year. The number of attacks has continued to increase since the second half of 2020, and many companies and organizations are being targeted regardless of business size or industry.
The most common method is double extortion: in addition to encrypting data, the attacker steals it and threatens to publish it unless a ransom is paid. The most common route of infection is through VPN devices, followed by intrusions via remote desktop and devices used for telework.
[Source] National Police Agency material "Regarding the threat situation surrounding cyberspace in 2022"
https://www.npa.go.jp/publications/statistics/cybersecurity/data/R04_cyber_jousei.pdf
Typical ransomware
The mainstream type of ransomware used to be the so-called "distributed" type, sent indiscriminately to an unspecified number of people, but in recent years "targeted" ransomware aimed at specific organizations has been increasing. A well-known example is "WannaCry," which was reported to have caused damage around the world in 2017. It spread quickly, propagating from a single infected computer across the network. Various other types of ransomware have been confirmed, including those that target vulnerabilities in Windows, and those that not only demand a ransom for the encrypted information but also threaten to make that information public.
Impact of ransomware damage on businesses
We will explain what kind of impact is likely to occur if a company is attacked by ransomware, as well as the details and effects of ransomware damage.
Increase in damage response costs and human resources
If you are infected with ransomware, you will need to hire a professional to recover your data and strengthen your security measures. If you include the human cost involved in dealing with the problem, such as in-house security personnel, the damage can be enormous.
Sales decrease due to loss of social trust
If an incident occurs in which important customer information is leaked due to ransomware, there is a risk that the company will suffer huge losses, such as heightened public distrust, damage to its image, and a decrease in sales. The best way to restore trust in a company is to promptly investigate, disclose the facts to the public, and take measures to prevent it from happening again.
Suspension of corporate activities due to system failure
If a system goes down or fails due to a ransomware infection, corporate activities may come to a halt. In addition to making all internal and external procedures difficult, including placing orders with business partners, it also directly affects users of e-commerce sites.
Occurrence of legal risks such as compensation for damages
For example, if an information leak causes damage to a customer, the affected company may be held liable for damages. If the compensation amount is large enough to affect business operations, the company may be forced into bankruptcy.
Examples of damage caused by ransomware to domestic companies
We would like to introduce some cases of damage caused to domestic companies by ransomware, drawn from the computer virus and unauthorized access cases reported to the Information-technology Promotion Agency, Japan (IPA) Security Center.
[Source] Information-technology Promotion Agency, Japan “Reported Cases of Computer Viruses and Unauthorized Access”
https://www.ipa.go.jp/security/todokede/crack-virus/ug65p9000000nnpa-att/000108764.pdf
Unauthorized login to VPN device with administrator ID, files on server encrypted
Because the company's shared server was unavailable, an outside organization was asked to investigate, and it was discovered that the files on the server had been encrypted using LockBit 3.0. The investigation confirmed that unauthorized operations had been performed, including uninstalling security software, encrypting an external hard disk used for backups, and logging in to the VPN device with an administrator ID. Most of the data could not be restored, and measures to prevent recurrence included changing the ID on the VPN device and entering into a maintenance contract with the vendor.
Hundreds of thousands of customers' personal information and credit card information leaked due to unauthorized access to e-commerce site
An external investigation revealed unauthorized access to a company's e-commerce site and the leakage of over 10 items of personal information and credit card information. The cause was cross-site scripting: a security vulnerability in the site was exploited to insert a malicious script from an external source into the HTML, making it possible under certain circumstances to gain unauthorized access to the management screen. The servers were discarded and relocated, the operation and management system was reviewed, and regular vulnerability assessments and penetration tests were introduced.
Measures against ransomware infection
In order to prevent ransomware infections, it is important for each employee to take thorough measures such as not opening suspicious emails, and at the same time, it is important for the company to further enhance prevention and countermeasures by implementing technical measures.
Introducing EPP and EDR is the baseline, but now that remote work has become commonplace, the trend from a zero trust perspective is toward SASE (Secure Access Service Edge), which comprehensively enhances security for endpoints wherever they connect.
Quarantine suspicious emails and attachments, and prevent and detect any unauthorized access.
In addition to individual employees being careful not to open email attachments or links carelessly, it is also important for organizations to prevent suspicious emails or files from being opened, and to take technical measures to detect when they are. It is effective to introduce DMARC to quarantine spoofed emails, and to use tools and systems such as EDR and SWG to detect and prevent access to malicious sites.
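As an added example (not from the original article), the following Python code checks whether a published DMARC record would actually quarantine or reject spoofed mail, rather than only report it. The records and the example.com addresses are constructed sample values, and the check runs offline on those strings instead of querying DNS.

```python
"""Assess a DMARC TXT record: does it quarantine/reject spoofed mail, or only watch it?"""

# Constructed sample records (hypothetical domain; no DNS lookup is performed).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"


def parse_dmarc(txt):
    """Split a 'tag=value; tag=value' DMARC record (RFC 7489 syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def assess_dmarc(txt):
    """Return (policy, findings): the p= policy and a list of reasons it is weaker than it looks."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    findings = []
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    # pct defaults to 100; a lower value lets the remainder of failing mail through unfiltered.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    # sp defaults to p; an explicit sp=none leaves subdomains spoofable.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so spoofing attempts go unnoticed")
    return policy, findings


if __name__ == "__main__":
    for record in (WEAK_RECORD, PARTIAL_RECORD, STRONG_RECORD):
        policy, findings = assess_dmarc(record)
        print(f"p={policy}: {findings or 'OK'}")
```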
Always keep your OS and software up to date
Many ransomware attacks exploit known vulnerabilities to gain entry. Regularly updating your OS and software to fix security vulnerabilities closes these entry points and prevents such attacks.
Prevent and detect access to unauthorized sites
There is also an increasing number of infections in which users are redirected to fraudulent websites that deliver ransomware and look exactly like genuine sites. Individual employees need to avoid using bulletin board sites, illegal video sites, and the like unnecessarily. In addition to restricting the sites that can be accessed in advance with a filtering service, it is also effective to introduce EDR and SWG, tools and systems that detect and block redirects to phishing sites.
Be careful when connecting external memory
There is a risk of ransomware infection from external storage such as USB memory sticks or external HDDs, so it is important not to carelessly connect a USB device or external HDD of unknown origin. In addition to using DLP (Data Loss Prevention) tools, which guard against information leaks, to prevent intrusion via these external devices, organizations also take measures such as controlling externally connected devices using the security functions of EPP/EDR.
Carry out employee training
There are many cases where incidents occur due to the slightest carelessness on the part of employees. In addition to raising awareness about information security, regularly conducting employee training that includes correct knowledge and the latest information will help avoid damage.
Consult with a cybersecurity expert in advance
When it comes to cybersecurity, it is a good idea to consult not only your company's security department but also a specialized investigation company during normal times. Even if an infection occurs, it is possible to minimize the damage by taking appropriate measures as soon as possible.
What to do when infected with ransomware
Although it is important to be careful and take precautions to prevent ransomware infections, some unforeseen incidents are difficult to avoid. Here is what to do in the unlikely event that your computer is infected with ransomware.
Disconnect from the network
Since there is a risk of the infection spreading to other devices within the network, it is important to immediately disconnect the device from the network. However, this alone is not enough to deal with a ransomware infection. In recent ransomware, we often see a method known as lateral movement, in which the attacker infiltrates the network, seizes administrative privileges, and expands the attack across the entire domain. Disconnecting one device therefore very likely does not contain the risk, and it is appropriate to promptly request an expert investigation into the extent of the impact and the actual state of the damage.
Do not shut down equipment
Be careful not to shut down the device itself even after you disconnect it from the network. Log information held in memory may be lost. It is important to keep it running without restarting or powering it off.
Request an investigation from a cybersecurity specialist
It is important to take appropriate measures as soon as possible, as delaying the response increases the possibility of greater damage. Promptly contact your company's security department and request an investigation from a cybersecurity specialist. As mentioned in the section "Disconnect from the network", minimizing the damage requires a detailed investigation of the infection route, the damage situation, the leaked data, and so on, followed by appropriate measures as soon as possible, so consulting a specialist is appropriate. This is also necessary to ensure that future preventive measures are in place.
For response in case of ransomware infection and cybersecurity investigation, contact FRONTEO
In recent years, ransomware damage has continued to increase, and the methods used are becoming more complex and harder to understand. In addition to keeping up with the latest information on ransomware, which is updated daily, and taking all possible measures, professional support is essential in order to respond quickly in the event of an emergency.
FRONTEO offers its "Cybersecurity Investigation Package", which compiles the minimum necessary investigations for an emergency. The "Cybersecurity Investigation Package" is a high-quality investigation package covering the initial response for companies dealing with damage from cyber attacks. Based on our track record of conducting many investigations, packaging makes investigations more efficient and faster, leading to quick and accurate solutions in the event of an emergency. FRONTEO's Cybersecurity Investigation Package is the best way to prevent ransomware infections.
It is necessary to acquire knowledge about cybersecurity within your company, but what is even more important is to have preventive measures and post-incident countermeasures in place. It is wise to understand the risks your company faces and to entrust the rest to a company with specialized knowledge. By establishing a collaborative relationship with FRONTEO, you can identify security risks that you would not be aware of on your own and proceed with thorough security measures.