
Explaining the actual state of ransomware damage, examples of Japanese companies, and countermeasures
2023/10/27
Among the types of cyber-attacks against companies, damage caused by ransomware is increasing. If you are infected, you will need to take the right initial response, so you should know in advance what that response looks like. This article explains basic knowledge about ransomware, recent changes in infection routes, what to do if you are infected, and preventive measures.

What is ransomware?
Ransomware is a coined word combining "ransom" and "software", and is also described as a "ransom-demanding malicious program." It is malware that locks an infected computer or encrypts its files, making them unusable, and demands a ransom in exchange for restoring them. In recent years, ransomware that also threatens to publish stolen data unless the ransom is paid has become common.
Typical ransomware examples
The mainstream type of ransomware used to be the so-called "distributed" type, sent indiscriminately to a large number of recipients, but in recent years "targeted" ransomware aimed at specific organizations has been increasing. A well-known example is "WannaCry," which was reported to have caused damage around the world in 2017. It spreads quickly: from a single infected computer, the infection propagates through the network. Various other types have been confirmed, including ones that exploit vulnerabilities in Windows and ones that not only demand a ransom for the encrypted data but also threaten to make it public.
What happens if you get infected with ransomware?
If you are infected with ransomware, you suffer not only financial losses such as data recovery costs, the cost of strengthening security measures, and business interruption, but also a loss of trust with customers and business partners, leakage of personal information, and, depending on the data you handle, possibly fines.
[Related article] What happens if you get infected with ransomware? Measures companies should take
Main infection routes of ransomware
In recent years, infections via VPN devices are the most common, followed by remote desktop*. Below we explain each of the main ransomware infection routes, including others.
*Source: Regarding the threat situation surrounding cyberspace in XNUMX
https://www.npa.go.jp/publications/statistics/cybersecurity/data/R04_cyber_jousei.pdf
Infection through VPN devices and remote desktops
A VPN device can prevent intrusion from outside because communication goes over a virtual dedicated line, but if its security is not kept up to date, for example during telework, its vulnerabilities can be exploited and lead to a ransomware infection. Remote desktop is also a useful feature for telework, because it lets you access and control your work computer from a home computer, but security measures at home are often weaker than those at work, making it an easy intrusion route that is being used more and more.
Infections from email attachments and links
URLs and attachments in emails are also typical infection routes. The attachment is disguised with a file name or extension that looks work-related, and when you open it the ransomware runs and infects the computer.
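As an added illustration (not code from the original article), a small Python screen for the kind of disguised attachment names described above. It goes a little beyond the text: besides double extensions such as `.pdf.exe`, it also flags Unicode bidi control characters that reverse the displayed extension and space padding that pushes the real extension out of view. The extension lists and the sample file names are assumptions constructed for the example.

```python
import re

# Assumed lists for this example (not from the article): extensions that execute
# directly on an endpoint, and extensions that look like ordinary work documents.
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "lnk", "msi", "jar"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "csv"}
# Unicode bidi controls that can reverse or hide the extension a mail client displays.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e", "\u200e", "\u200f"}


def classify_attachment(filename: str) -> list[str]:
    """Return the reasons an attachment name looks disguised; an empty list means none found."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in filename):
        reasons.append("bidi-control")
    # Judge the name as the operating system sees it, without the control characters.
    visible = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    parts = [p.strip() for p in visible.lower().split(".")]
    exts = parts[1:]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
    # "invoice.pdf.exe": a document-looking extension followed by the real executable one.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("double-extension")
    # Long runs of spaces push the real extension out of the visible column.
    if re.search(r" {5,}\.", visible):
        reasons.append("padded-extension")
    return reasons


def screen_attachments(filenames: list[str]) -> dict[str, list[str]]:
    """Map each attachment name that should be quarantined to the reasons found."""
    flagged = {}
    for name in filenames:
        reasons = classify_attachment(name)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from a real incident.
    sample = ["2023_invoice.pdf", "2023_invoice.pdf.exe",
              "report\u202efdp.exe", "quote.docx                    .scr"]
    for name, reasons in screen_attachments(sample).items():
        print(f"quarantine {name!r}: {', '.join(reasons)}")
```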
Infection by browsing websites
You can also become infected by visiting a website that has been compromised to serve ransomware. In many cases you will not notice the infection, and using bulletin board sites or illegal video sites outside of work increases the risk.
Installing and downloading software and files
There is also a risk of infection when installing software. There are various cases, such as software that appears to be a generic version, or malware that is installed alongside the software. Make sure the site you are downloading from is trustworthy, and be especially careful when installing free software.
Infection from USB memory or external memory
When an external storage device such as a USB memory stick is inserted into a computer or other device, ransomware hidden on it may be executed automatically and infect the device.
Prevention and countermeasures against ransomware infection
To prevent ransomware infections, it is important for each employee to follow thorough precautions, such as not opening suspicious emails. At the same time, companies can further strengthen prevention and countermeasures by implementing technical measures.
Introducing EPP/EDR is the basic step, but now that remote work has become commonplace, the adoption of SASE (Secure Access Service Edge), which comprehensively strengthens endpoint security, is becoming the mainstream trend from a zero trust perspective.
Quarantine suspicious emails and attachments, and prevent and detect unauthorized access
In addition to individual employees taking care not to open email attachments or links carelessly, it is also important for the organization to prevent suspicious emails or files from being opened, and to put technical measures in place to detect when they are opened. Introducing DMARC to quarantine spoofed emails is also effective, as is using solutions such as EDR and SWG to detect and block access to malicious sites.
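DMARC only quarantines spoofed mail if the published record actually says so. The following added example (not code from the original article) parses a DMARC TXT record and reports the settings that leave spoofed mail deliverable: a monitoring-only `p=none`, a partial `pct`, a weaker subdomain policy, or no reporting address. The sample records and the `example.com` addresses are constructed for the example; the tag defaults follow RFC 7489.

```python
# Policies a receiver may apply to mail that fails DMARC (RFC 7489 p= and sp= values).
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a record such as 'v=DMARC1; p=quarantine; rua=mailto:...' into tag=value pairs."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> dict:
    """Report how a receiver treats spoofed mail under this record and which settings weaken it."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return {"valid": False, "findings": ["record must start with v=DMARC1"]}
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        return {"valid": False, "findings": ["p= tag missing or invalid"]}
    findings = []
    if policy == "none":
        findings.append("p=none: spoofed mail is still delivered, only reported")
    pct = int(tags.get("pct", "100"))  # RFC default: the policy applies to all failing mail
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: the {policy} policy is applied to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy)  # RFC default: subdomains inherit p=
    if policy != "none" and subdomain_policy == "none":
        findings.append("sp=none: mail spoofing a subdomain is neither quarantined nor rejected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not received, so spoofing goes unseen")
    return {"valid": True, "policy": policy, "subdomain_policy": subdomain_policy,
            "pct": pct, "findings": findings}


if __name__ == "__main__":
    # Constructed sample records: one that quarantines spoofed mail, one that only looks like it does.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine; pct=50; sp=none"):
        print(rec, "->", evaluate_dmarc(rec)["findings"] or ["ok"])
```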
Always update your OS and software to the latest version
Vulnerabilities are often found in an OS after its release, and continuing to use an old version means continuing to expose vulnerabilities that have already been found. Regularly updating and keeping systems current is a very important ransomware countermeasure.
Introduce EPP (antivirus function)/EDR and manage it appropriately
Using the antivirus function of an EPP together with EDR is the most common way to prevent infection. Some products only work online, but if an infection is detected the device must be disconnected from the network immediately, so check which functions remain available offline.
Prevent and detect access to unauthorized sites
There is also an increasing number of techniques that lead people to fraudulent websites that look exactly like the genuine ones and infect them there. In addition to measures such as restricting accessible sites in advance with a filtering service, it is effective to introduce EDR and SWG, tools and systems that detect and block redirects to phishing sites.
Be careful about the safety of USB memory and external memory
It goes without saying that you should not use external media of unknown origin, but recently there have been reports of people buying USB memory sticks with ransomware stored on them from fraudulent sites masquerading as online shopping sites. For such external devices, in addition to preventing intrusion with a DLP (Data Loss Prevention) security tool to prevent information leakage, measures include controlling externally connected devices with the security functions of the EPP/EDR.
Consult a cybersecurity expert for countermeasures
The initial response to a ransomware infection requires care and speed, so it is effective to consult not only your own security department but also an outside specialist in advance.
What to do when infected with ransomware
Here we explain what to do if your computer is infected with ransomware.
Disconnect from the network
Because there is a risk of the infection spreading to other devices on the network, it is important to disconnect the device from the network immediately. However, this alone is not enough to deal with a ransomware infection. Recent ransomware often uses a technique known as lateral movement, in which the attacker moves through the network after the initial intrusion, takes over administrative privileges, and expands the attack to the whole domain. There is therefore a high possibility that the risk cannot be contained simply by disconnecting from the network, and it is appropriate to promptly request an expert investigation into the scope of impact and the actual state of damage.
Do not restart the device
If you restart an infected device or system, data encryption that was halted by the shutdown may resume, making the files on the device inaccessible.
Consult with a cybersecurity specialist
In addition to consulting your own security department, you should promptly consult an outside specialist. As mentioned in the section "Disconnect from the network" above, this is essential to confirm the scope of the damage and take appropriate measures as soon as possible to minimize it.
Contact FRONTEO for response to ransomware infection damage and cybersecurity investigations
To respond to ransomware infections quickly and appropriately, we recommend FRONTEO's "Cybersecurity Investigation Package." FRONTEO, with a track record of over 10,600 fraud investigations, provides high-quality cybersecurity investigations recommended by multiple insurance companies.
It is an effective initial-response solution that bundles the minimum necessary investigations after a cyberattack, such as an EDR investigation and a dark web investigation, into one package; additional investigations such as penetration testing can also be conducted. Companies without staff with specialized knowledge have concerns about the speed and professionalism of their emergency response. Drawing on the know-how from our extensive track record, FRONTEO supports the initial response to cyberattack damage.