Damage caused by ransomware is increasing for companies of all sizes. This report provides basic information on ransomware, which has victimized many companies in recent years, including the current damage situation, the methods used, and changes and trends in infection routes. In addition to damage cases, how to respond to an infection, and measures to prevent infection, the report also explains what to look for when consulting a specialized institution, both before and after an infection occurs.

What is ransomware?
Ransomware is a malicious program and a type of malware. The name comes from "ransom," the payment demanded in exchange for releasing something held hostage. Ransomware is malicious software that makes infected computers and data inaccessible by encrypting them, and demands payment of a ransom in exchange for decrypting the data.
Damage, modus operandi, and infection routes of ransomware
Let's take a look at the number of ransomware victims, the actual situation, and infection routes in recent years, based on data from the National Police Agency. 230 cases of ransomware damage were reported to the National Police Agency in 2022, a 57.5% increase over the previous year. Since the second half of 2020, the number of victims has continued to grow, and many companies and organizations, regardless of business size or industry, have been targeted.
The methods are not limited to data encryption: attacks often involve double extortion, in which the data is also stolen and the attacker threatens to publish it unless the ransom is paid. The most common infection route is via VPN devices. This is followed by infiltration through remote desktop and through teleworking devices.
Source: National Police Agency, "Threats in Cyberspace in 2022"
https://www.npa.go.jp/publications/statistics/cybersecurity/data/R04_cyber_jousei.pdf
Typical Ransomware
Ransomware used to be mainly of the "dissemination" type, sent indiscriminately to large numbers of recipients, but in recent years "targeted" ransomware, which goes after specific organizations, has been on the rise. A well-known representative ransomware is "WannaCry," whose attacks were reported worldwide in 2017. It spreads quickly, and infection can spread from a single infected computer across a network. Various other types of ransomware have also been confirmed, including those that exploit Windows vulnerabilities and those that make a double threat: disclosing stolen information in addition to demanding a ransom for the encrypted data.
Impact of Ransomware Damage to Businesses
This section describes the possible effects of a ransomware attack on a company, as well as the nature and impact of ransomware damage.
Increased damage response costs and human resources
When a company is infected with ransomware, it typically has to engage a specialized company to recover data and strengthen security measures. The cost in human resources, including the staff in charge of internal security, can also be enormous.
Decreased sales due to loss of public trust
If important customer information is leaked due to ransomware, the public's distrust of the company will increase, leading not only to a loss of image but also to a decrease in sales, and the company risks incurring enormous damage. The best way to restore corporate credibility is to promptly conduct an investigation, disclose the facts to the public, and take measures to prevent recurrence.
Suspension of corporate activities due to system downtime
System downtime or system failure caused by ransomware infection can bring corporate activities to a halt. In addition to making it difficult to place and receive orders from suppliers and carry out all internal and external procedures, e-commerce sites will be directly affected by the outage.
Occurrence of legal risks such as compensation for damages
For example, if an information leak causes damage to a customer, the victim may hold the company liable for damages. If the compensation is large enough to affect the business, the company may be forced into bankruptcy.
Examples of Damage Caused by Ransomware to Japanese Companies
The following are some examples of damage to Japanese companies caused by ransomware, based on reports of computer viruses and unauthorized access filed by the Security Center of the Information-technology Promotion Agency, Japan.
Source: Information-technology Promotion Agency, Japan, "Notification Cases of Computer Virus and Unauthorized Access"
https://www.ipa.go.jp/security/todokede/crack-virus/ug65p9000000nnpa-att/000108764.pdf
Unauthorized login to VPN equipment with administrator ID, files on server encrypted
The company's shared server had become unusable, and when an outside organization was asked to investigate, it was discovered that the files on the server had been encrypted by LockBit3.0. The investigation confirmed that unauthorized operations had been performed, including uninstallation of security software, encryption of the external hard disks used for backups, and unauthorized login to the VPN device with an administrator ID. Most of the data could not be recovered. Measures to prevent recurrence included changing the ID on the VPN device and concluding a maintenance contract with the vendor.
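The precursor events in this case (an administrator login to the VPN device from an unexpected source, followed by removal of security software) are the kind of signals a defender wants to alert on before encryption starts. The following is an added example, not code from the article or from the IPA report: it runs a simple detection over constructed VPN and host log lines. The log format, the field names, the corporate address range, and the action names are all assumptions made for the example.

```python
"""Flag admin VPN logins from unexpected sources and high-risk host actions.

Added example (not from the original article). Log format, field names,
the allowed network range and the action names are assumptions."""
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample lines in an assumed "timestamp user source action [result]" format.
SAMPLE_LOG = """\
2024-01-10T02:13:05Z admin 203.0.113.7 vpn_login success
2024-01-10T02:14:11Z admin 203.0.113.7 uninstall_security_software
2024-01-10T02:20:40Z jdoe 198.51.100.4 vpn_login success
2024-01-10T09:01:00Z admin 198.51.100.9 vpn_login success
"""

# Assumption: administrator VPN logins are only expected from this corporate range.
ADMIN_ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
ADMIN_ACCOUNTS = {"admin"}
# Assumed action names for the events seen in the case above.
HIGH_RISK_ACTIONS = {"uninstall_security_software", "encrypt_backup_volume"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (\S+))?$")


@dataclass
class Alert:
    ts: str
    user: str
    reason: str


def analyze(log: str) -> list[Alert]:
    """Return one Alert per suspicious line; an empty list means nothing matched."""
    alerts: list[Alert] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, user, src, action, _result = m.groups()
        # Administrator VPN login from outside the expected range.
        if action == "vpn_login" and user in ADMIN_ACCOUNTS:
            addr = ipaddress.ip_address(src)
            if not any(addr in net for net in ADMIN_ALLOWED_NETS):
                alerts.append(Alert(ts, user, f"admin VPN login from unexpected source {src}"))
        # Actions that typically precede encryption (defence removal, backup tampering).
        if action in HIGH_RISK_ACTIONS:
            alerts.append(Alert(ts, user, f"high-risk action {action}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a.ts, a.user, a.reason)
```

In the constructed sample, the two night-time events from 203.0.113.7 raise alerts, while the daytime administrator login from the corporate range and the ordinary user login do not. Correlating the two alert types within a short window is what turns them from noise into an incident worth the immediate response described later in the article.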
Unauthorized access to an e-commerce site resulted in the leakage of hundreds of thousands of customers' personal and credit card information.
An external investigation revealed unauthorized access to a corporate e-commerce site and the leak of more than 100,000 records of personal and credit card information. The cause was cross-site scripting: an external malicious script was inserted into the site's HTML by exploiting a security vulnerability, allowing unauthorized access to the administration screen under certain conditions. The server was taken out of service and rebuilt elsewhere, the operation and management system was reviewed, and periodic vulnerability assessments and penetration tests were introduced.
Countermeasures against ransomware infection
In order to prevent ransomware infection, it is important that each employee follows basic precautions, such as not opening suspicious e-mails, and at the same time that the company strengthens prevention and response by implementing technical measures.
While the introduction of EPP and EDR is basic, now that remote work has become common, the introduction of SASE (Secure Access Service Edge), which comprehensively enhances endpoint security from a zero-trust perspective, is likely to become the mainstream trend in the future.
Quarantine suspicious e-mails and attachments, and prevent and detect access to malicious sites.
In addition to ensuring that individual employees do not carelessly open email attachments or links, it is also important for organizations to take technical measures to prevent suspicious emails and files from being opened and to detect them if they are opened. It is effective to introduce DMARC to quarantine spoofed e-mails, and to utilize tools and systems called EDR and SWG to detect and prevent access to malicious sites.
Keep OS and software up-to-date.
Many ransomware attacks gain entry by exploiting known vulnerabilities, so regularly updating operating systems and software to fix security flaws helps prevent ransomware attacks.
Prevent and detect access to malicious sites
Attackers increasingly infect users by directing them to malicious sites designed to look exactly like real websites, where ransomware is planted. Individual employees need to be made aware that they should avoid unnecessary use of bulletin board sites and illegal video sites. In addition to measures such as using filtering services to restrict in advance which sites can be accessed, it is effective to introduce EDR and SWG, tools and systems that detect and prevent redirects to phishing sites.
Be careful about external memory connections.
Since there is a risk of ransomware infection from external storage devices such as USB flash drives and external HDDs, it is important not to carelessly connect USB devices or external HDDs of unknown origin. For such external devices, measures include introducing DLP (Data Loss Prevention) tools to prevent information leakage, and controlling which external devices may be connected using the device-control functions of EPP/EDR products.
Provide employee training.
Accidents often occur due to minor carelessness on the part of employees. Raising employee awareness of information security, as well as providing regular employee training that includes correct knowledge and the latest information, can help avoid damage.
Consult cyber security experts in advance.
Cyber security should not be left solely to your own security department; it is also advisable to consult with a professional investigation company before any incident occurs. If an infection does occur, appropriate action can then be taken as soon as possible to minimize the damage.
What to do when infected with ransomware
While it is important to take precautions to avoid ransomware infection and to take measures in advance, there are some unforeseen incidents that are difficult to avoid. Here are some tips on what to do in the unlikely event that you are infected with ransomware.
Disconnect from the network
The basic first step is to immediately disconnect the device from the network, as there is a risk of the infection spreading to other devices on the network. However, this alone is not enough to deal with a ransomware infection. In recent ransomware cases, lateral movement is common: the attacker infiltrates the network, gains control of administrative privileges, and expands the attack across the domain. It is therefore highly likely that simply disconnecting from the network does not contain the risk, and it is appropriate to promptly ask a professional to investigate the scope of the impact and the actual damage.
Do not shut down equipment
Even after disconnecting from the network, be careful not to shut down the equipment itself, as stored log information and other evidence may be lost. It is important to keep the equipment running without rebooting or powering it off.
Have a professional cybersecurity firm investigate.
It is important to take appropriate action as soon as possible, as any delay in response will increase the likelihood of more damage. Contact your company's security department and ask a cybersecurity specialist to investigate. As mentioned in the section on "Disconnecting from the Network," it is appropriate to consult a specialist to conduct a detailed investigation of the infection route, damage, and leaked data, and to take appropriate action as soon as possible to minimize the damage. This action is also necessary to ensure that preventive measures are taken in the future.
Contact FRONTEO for cyber security investigation and response to ransomware infection
In recent years, the number of ransomware victims continues to increase, and its methods are becoming more complex and difficult to understand. In addition to following the latest information on ransomware, which is updated on a daily basis, and taking all possible countermeasures, expert support is indispensable in order to respond quickly in the event of an emergency.
FRONTEO offers its "Cyber Security Investigation Package," a set of the minimum necessary investigations for an emergency. The Cyber Security Investigation Package is a high-quality investigation package for companies responding to cyber attack damage, covering what is needed for the initial response. Based on our experience handling many investigations, the package improves the efficiency and speed of investigation and leads to quick and accurate resolution in an emergency. FRONTEO's "Cyber Security Investigation Package" is the best countermeasure against ransomware infection.
While it is necessary to develop cyber security knowledge within your company, it is even more important to have a complete set of preventive measures in place in advance and after-the-fact response measures. By working with FRONTEO, you can identify security risks that you may not be aware of on your own and take all the necessary security measures to ensure your company's security.
[Related Article] Cyber Security Investigation Package
The "Cyber Security Investigation Package" service website is here: https://legal.fronteo.com/smaller-companies-package/
For more information on FRONTEO's cyber security services, see https://legal.fronteo.com/smaller-companies-package/
For inquiries about FRONTEO's cyber security services, please contact us at https://legal.fronteo.com/contact/