Among cyber-attacks against businesses, ransomware is causing increasing damage. Should an infection occur, an appropriate initial response is required, so it is necessary to know in advance what action to take. This article provides basic knowledge about ransomware, recent changes in infection routes, how to prevent infection, and what to do if you are infected.
Ransomware is a coined word that combines "ransom" and "software." It is a malicious program that locks an infected computer or encrypts its files to make them unusable, and demands a ransom in exchange for restoring them. In recent years, ransomware that also threatens to disclose stolen data if the ransom is not paid has become widespread.
Ransomware used to be mainly of the "distributed" (indiscriminate) type, sent to a large number of unspecified recipients, but in recent years "targeted" ransomware aimed at specific organizations has been on the rise. A well-known example is "WannaCry," whose attacks were reported worldwide in 2017. It spreads quickly: a single infected computer can infect others over the network. Various other types have also been confirmed, including those that exploit Windows vulnerabilities and those that make a double threat, demanding a ransom for the encrypted data and threatening to disclose it.
If you are infected with ransomware, you may suffer not only economic losses such as data recovery costs, the cost of strengthening security measures, and business interruption, but also loss of trust from customers and business partners, leakage of personal information, and possibly fines depending on the data you handle.
→ [Related Article] What Happens if Infected with Ransomware? What Should Companies Do?
In recent years, infection via VPN devices has been the most common route, followed by infection via remote desktop*. The main infection routes of ransomware, including others, are described below.
*Source: Threats to Cyberspace in 2022
https://www.npa.go.jp/publications/statistics/cybersecurity/data/R04_cyber_jousei.pdf
VPN devices protect against outside intrusion by routing communication through a virtual private line, but if a device's security is not kept up to date, for example one used for teleworking, its vulnerabilities can be exploited and ransomware can infect a user's computer. Remote desktop is also convenient for teleworkers, as it lets them access and remotely control company computers from their home computers, but security at home is often weaker than at the office, and remote desktop is increasingly being used as an intrusion route.
URLs and attachments in e-mails are another typical infection route. Attachments are disguised with file names or extensions that look relevant to the business, and when they are opened the ransomware executes and the user is infected.
Infection can also occur by browsing websites on which ransomware has been planted. In many cases the infection goes unnoticed, and the risk increases when bulletin board sites or illegal video sites are used outside of work.
There is also a risk of infection when installing software. Ransomware may be disguised as commonly used software or bundled with it. Make sure that the site you are downloading from is trustworthy, and be especially careful when installing free software.
In some cases, inserting an external storage device such as a USB flash drive into a computer or other device results in infection because ransomware hidden on the device is executed automatically.
To prevent ransomware infection, it is important to ensure that each employee takes measures such as not opening suspicious emails. At the same time, companies can further enhance prevention and countermeasures by taking technical measures.
While the introduction of EPP/EDR is fundamental, now that remote work has become common, the introduction of SASE (Secure Access Service Edge), which comprehensively enhances endpoint security from a zero-trust perspective, is a trend that is expected to become mainstream.
In addition to ensuring that individual employees do not carelessly open e-mail attachments or links, it is important for organizations to take technical measures that prevent suspicious e-mails and files from being opened and detect them if they are. Introducing DMARC to quarantine spoofed e-mails, and using solutions such as EDR and SWG to detect and block access to malicious sites, are also effective.
OS vulnerabilities are often found after release, and continuing to use an older version is the same as leaving known vulnerabilities unpatched. Regularly updating your software and keeping it up to date is a very important measure against ransomware.
Using the antivirus function of an EPP, or EDR, is the most typical way to prevent infection. Some products operate online, but make sure their functionality is also available offline, because an infected device must be cut off from the network as soon as the infection is discovered.
There is an increasing number of attacks that infect users by directing them to fraudulent sites designed to look just like real websites. In addition to measures such as using filtering services to restrict in advance the sites that can be accessed, it is effective to introduce EDR and SWG, tools and systems that detect and block redirects to phishing sites.
In addition to not using external storage devices of unknown origin, there have been recent reports of victims purchasing USB memory devices containing ransomware from fraudulent websites masquerading as mail-order sites. Against such external devices, measures include preventing intrusion with DLP (Data Loss Prevention), a security tool and system for preventing information leakage, and controlling externally connected devices with the security functions of EPP/EDR.
Since the initial response to a ransomware infection requires meticulous care and rapid action, it is effective to consult in advance not only your own security department but also an outside specialist.
This section explains what to do if you are infected with ransomware.
The basic premise is to immediately disconnect the device from the network, because there is a risk of the infection spreading to other devices on the network. However, this alone is not enough to deal with a ransomware infection. Recent ransomware incidents frequently involve lateral movement, in which the attacker infiltrates the network, gains administrative privileges, and expands the attack across the domain. Simply disconnecting from the network is therefore unlikely to contain the risk, and it is appropriate to promptly have a professional investigate the scope of the impact and the actual damage.
If an infected device or system is rebooted, there is a risk that the data encryption interrupted by the shutdown will resume and the files on the device will no longer be viewable.
In addition to your own security department, promptly consult an outside specialist. As mentioned in the section on "Disconnecting from the Network," this is essential to ascertain the extent of the damage and take appropriate action as soon as possible to minimize it.
FRONTEO's "Cyber Security Investigation Package" is recommended for an immediate and appropriate initial response to ransomware infection. FRONTEO has handled more than 10,600 fraud investigations and provides high-quality cyber security investigations recommended by several insurance companies.
This is an effective solution for the initial response: it bundles the minimum necessary investigations to be conducted in the event of a cyber attack, such as EDR investigations and dark web investigations, into a single package, and additional investigations such as penetration tests can also be conducted. For companies without personnel with specialized knowledge, concerns remain about the speed and expertise of emergency response. Based on the know-how gained from its extensive experience, FRONTEO will support your initial response to cyber attack damage.
→ [Related Article] "Cyber Security Investigation Package" service website
→ Contact FRONTEO for cyber security inquiries