Ransomware attacks: You don't have access to your corporate data or your system functions anymore? Your customer data cannot be opened? This is a "worst case" scenario, and many similar scenes could be observed in companies and institutions around the world during the last ransomware attacks.
How much would it be worth to your company to regain access to your own data? 15,000 Euro or even 150,000 Euro? Ransomware attacks are based on a polymorphic virus that spreads very quickly and encrypts the data of a system. The attackers demand a ransom from the victims in exchange for a decryption key. But even if a company pays the money, it does not always get control over all of its data back. Sometimes the information is permanently lost because of the encryption.
You should know these ransomware attacks:
Ransomware attacks caused by WannaCry
In mid-2017, the ransomware attacks by WannaCry attracted a great deal of publicity. Large international corporations were affected by the blackmail trojan. Security researchers recognized ransomware attacks in more than 150 countries. Affected companies included automobile manufacturers and hospitals in Great Britain.
In Germany, too, parts of the IT systems of Deutsche Bahn were affected by the ransomware attacks. Instead of customer information, the displays showed message boxes with white letters on a red background. When the headline "Ooops, your files have been encrypted!" appeared, even the customers knew that this was not an ordinary malfunction but a new ransomware attack.
The original WannaCry ransomware attacks were mainly carried out via email: the malicious attachments arrived in the inboxes of the affected companies. Subsequently, WannaCry used the network level as a further attack vector.
In this context, a security hole in Windows systems, specifically in the network protocol, served as an additional weak spot for the ransomware attacks. Via the terminal service RDP provided by Windows, WannaCry could spread very quickly.
This security vulnerability is known by the name EternalBlue and was used to compromise unpatched Windows systems. This means that the exploit isn't unique to WannaCry: other crypto-trojans could be infiltrated into a system the same way.
The security weaknesses of systems or individual solutions are sometimes even traded on the darknet. This is why cyber criminals can coordinate ransomware attacks that specifically target the weak points of the destination systems.
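The network-level spreading described above leaves a characteristic trace: one internal host opening SMB connections (TCP port 445) to many different peers within seconds, which no ordinary workstation does. The following detector is an added example written for this article, not code from Hornetsecurity or from the original page; the log line format, the IP addresses, the 60-second window and the peer threshold are all constructed assumptions and would be tuned to a real firewall or NetFlow export.

```python
# Added example (not from the original article): flags hosts that open SMB
# (TCP/445) connections to many distinct peers in a short window, the fan-out
# pattern a self-propagating worm such as WannaCry produces on the network.
# Log format, thresholds and addresses are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)   # assumption: sliding window length
MAX_PEERS = 5                    # assumption: distinct peers tolerated per window

# Constructed sample lines: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.20 10.0.1.21 445 allow
2017-05-12T10:00:02 10.0.1.20 10.0.1.22 445 allow
2017-05-12T10:00:02 10.0.1.20 10.0.1.23 445 deny
2017-05-12T10:00:03 10.0.1.20 10.0.1.24 445 allow
2017-05-12T10:00:03 10.0.1.20 10.0.1.25 445 allow
2017-05-12T10:00:04 10.0.1.20 10.0.1.26 445 allow
2017-05-12T10:00:05 10.0.1.20 10.0.1.27 445 allow
2017-05-12T10:00:30 10.0.1.50 10.0.1.10 445 allow
2017-05-12T10:00:31 10.0.1.50 10.0.1.10 445 allow
2017-05-12T10:00:40 10.0.1.50 10.0.1.11 443 allow
"""

def parse_line(line):
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action

def smb_fanout_alerts(log_text, window=WINDOW, max_peers=MAX_PEERS):
    """Return {src_ip: peer_count} for sources whose distinct SMB targets
    within any `window` exceed `max_peers`. Denied attempts count as well:
    a scanning worm also hits hosts that do not exist or are firewalled."""
    events = defaultdict(list)   # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = parse_line(line)
        if port == SMB_PORT:
            events[src].append((ts, dst))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peers = {dst for _, dst in hits[start:end + 1]}
            if len(peers) > max_peers:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts

if __name__ == "__main__":
    for src, n in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct SMB peers within {WINDOW.seconds}s")
```

In the constructed log, 10.0.1.20 reaches seven different hosts on port 445 within four seconds and is reported, while 10.0.1.50 talks repeatedly to one file server and stays quiet. Blocking inbound 445 between workstations, which the same data makes easy to justify, removes the spreading path regardless of whether the next worm uses EternalBlue or a different SMB flaw.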
Petya – A modification leads to worldwide ransomware attacks
At the end of June 2017, the modified Petya ransomware "NotPetya" quickly spread. Russia, Ukraine and certain companies in Europe, including German companies, were predominantly affected by the Petya ransomware attacks. Similar to WannaCry two months before, NotPetya also took advantage of the EternalBlue security flaw via the SMB weakness. The modified version spread via an already infected computer system in the company's network.
In this version of ransomware attacks, the polymorphic virus uses Windows Management Instrumentation (WMI), the Windows extension of the Common Information Model, as well as PsExec to execute instructions on other systems. This step requires special administrative rights. To obtain these rights, login credentials are read from working memory and from the local system. Hornetsecurity Advanced Threat Protection reliably detected this ransomware type within 56 seconds with the help of its sandbox engine.
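Each of the three behaviours just described (remote execution through a PsExec-style service, remote execution through WMI, and reading credentials out of memory) produces a Windows event that can be matched on a SIEM. The detector below is an added example for this article, not Hornetsecurity code and not part of the original page. The event IDs are the real ones (System event 7045 for a newly installed service, Sysmon event 1 for process creation, Sysmon event 10 for process access); the records, host names and file names are constructed, and the allowlist of processes that may open LSASS is an assumption to be tuned per estate.

```python
# Added example (not from the original article): a small detector for the
# three NotPetya behaviours the text describes, run over constructed Windows
# event records: remote service installation in the style of PsExec
# (System event 7045), process creation under the WMI provider host
# (Sysmon event 1) and credential reading from LSASS memory (Sysmon event 10).
# Event IDs are real; the records, hosts and file names are made up.
import re

SAMPLE_EVENTS = [
    {"host": "FS01", "log": "System", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FS01", "log": "System", "id": 7045, "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"host": "WS07", "log": "Sysmon", "id": 1,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\payload.dll,#1",   # constructed name
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "WS07", "log": "Sysmon", "id": 1,
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"host": "WS07", "log": "Sysmon", "id": 10,
     "SourceImage": r"C:\Windows\payload_host.exe",                # constructed name
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"host": "WS07", "log": "Sysmon", "id": 10,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

PSEXEC_SERVICE = re.compile(r"psexesvc", re.IGNORECASE)   # PsExec's default service name
# interpreters and loaders commonly used to run a payload on a remote host
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "mshta.exe"}
# processes that legitimately open LSASS on most hosts (assumption: tune per estate)
LSASS_READERS_OK = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_remote_exec(events):
    """Return a list of (host, rule, detail) findings in event order."""
    findings = []
    for ev in events:
        log, eid = ev.get("log"), ev.get("id")
        if log == "System" and eid == 7045:
            name, image = ev.get("ServiceName", ""), ev.get("ImagePath", "")
            if PSEXEC_SERVICE.search(name) or PSEXEC_SERVICE.search(image):
                findings.append((ev["host"], "psexec_service_install", name))
        elif log == "Sysmon" and eid == 1:
            # WMI-launched commands appear as children of WmiPrvSE.exe
            if (basename(ev.get("ParentImage", "")) == "wmiprvse.exe"
                    and basename(ev.get("Image", "")) in LOLBINS):
                findings.append((ev["host"], "wmi_remote_exec", ev.get("CommandLine", "")))
        elif log == "Sysmon" and eid == 10:
            # an unexpected process reading LSASS memory is how credentials get stolen
            if (basename(ev.get("TargetImage", "")) == "lsass.exe"
                    and basename(ev.get("SourceImage", "")) not in LSASS_READERS_OK):
                findings.append((ev["host"], "lsass_memory_access", ev.get("SourceImage", "")))
    return findings

if __name__ == "__main__":
    for host, rule, detail in detect_remote_exec(SAMPLE_EVENTS):
        print(f"{host:6} {rule:24} {detail}")
```

Two findings on the same host within a minute (LSASS access followed by a WMI-spawned loader on a neighbour) is the sequence worth an automatic isolation rule; a single PSEXESVC installation is also what an administrator's own PsExec use looks like, so that rule is better correlated with the source account than acted on alone.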
Ransomware attacks caused by Jaff
The malware Jaff was also responsible for various ransomware attacks. Disguised as a PDF invoice, Jaff reaches the local computer via email. The recipient is encouraged to open the attached PDF invoice. At first, opening the PDF file has no negative impact on the recipient's system.
Only after confirming a dialog window does the user set the malicious process in motion. A .doc file is unpacked into a temporary folder. The PDF file then causes the Word file with the malicious macros to be opened with elevated privileges; this is triggered by JavaScript that runs when the PDF file is opened.
As a consequence, the malicious code is downloaded via the Office macro function and then blocks employees' access to files and services in the company. This was the first kind of ransomware attack to use the PDF format.
Ransomware attacks caused by Locky
Locky first appeared at the beginning of 2016 and was mainly active in the European Union. Like Jaff, the ransomware was also planted through a modified Word file in an email attachment.
Based on activated Office macros, that is, automated program statements, Locky is able to execute the malicious code on the target system. Once activated, Locky encrypts either local files or even whole data sets in a company's network.
What is special about Locky is that the system can be infected in many ways. Cyber criminals do not limit themselves to email as the primary gateway to the system. More and more often, third parties are instructed to introduce the ransomware directly on-site into the company's network. This course of action by cyber criminals requires special IT security concepts that notice and block such processes at the outset.
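Both the Jaff chain (a PDF whose JavaScript drops and opens a macro document) and the Locky chain (a Word file with macros) can be pre-screened statically at the mail gateway before a sandbox ever runs the file. The inspector below is an added example for this article, not Hornetsecurity code and not from the original page. It looks for JavaScript, automatic actions and embedded files in PDFs, for the vbaProject.bin part in modern Word files and for a VBA project entry in legacy .doc containers, and it checks that the content matches the extension the name claims. All sample attachments are constructed in memory and contain no malware; the checks are heuristics that decide what to send to a sandbox, not a replacement for one.

```python
# Added example (not from the original article): a static pre-screen for email
# attachments that looks for the constructs Jaff and Locky relied on, i.e.
# JavaScript, automatic actions and embedded files inside a PDF, and VBA macros
# inside Word files, plus a check that the content matches the claimed
# extension. The samples are constructed in memory; the checks are heuristic
# and are meant to route a file to sandboxing, not to replace it.
import io
import re
import zipfile

PDF_RISKY = {
    b"/JavaScript": "pdf_javascript",
    b"/JS": "pdf_javascript",
    b"/OpenAction": "pdf_auto_action",      # action that runs when the file opens
    b"/AA": "pdf_auto_action",              # additional-actions dictionary
    b"/EmbeddedFile": "pdf_embedded_file",  # e.g. a dropped Word document
    b"/Launch": "pdf_launch_action",        # launches an external program
}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # legacy .doc/.xls container
EXPECTED_MAGIC = {"pdf": b"%PDF", "docx": b"PK\x03\x04", "docm": b"PK\x03\x04",
                  "doc": OLE_MAGIC, "xls": OLE_MAGIC}

def inspect_attachment(name, data):
    """Return a sorted list of risk tags for one attachment ([] = nothing seen)."""
    tags = set()
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXPECTED_MAGIC and not data.startswith(EXPECTED_MAGIC[ext]):
        tags.add("extension_mismatch")       # content is not what the name claims
    if data.startswith(b"%PDF"):
        for token, tag in PDF_RISKY.items():
            # trailing lookahead so /JS does not also match an unrelated longer key
            if re.search(re.escape(token) + rb"(?![A-Za-z])", data):
                tags.add(tag)
    elif data.startswith(b"PK\x03\x04"):
        # OOXML (.docx/.docm/.xlsm) is a zip; macros live in vbaProject.bin
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                tags.add("office_vba_macro")
    elif data.startswith(OLE_MAGIC):
        # legacy binary Office: directory entry names are stored as UTF-16LE
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            tags.add("office_vba_macro")
    return sorted(tags)

def build_samples():
    """Constructed attachments for the demonstration; none of them is real malware."""
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
           b"2 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
           b"3 0 obj << /Type /EmbeddedFile /Length 0 >> stream\n\nendstream endobj\n"
           b"%%EOF\n")
    def ooxml(with_macro):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            if with_macro:
                zf.writestr("word/vbaProject.bin", b"\x00" * 16)
        return buf.getvalue()
    legacy_doc = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le")
    return {
        "invoice.pdf": pdf,
        "invoice.docm": ooxml(True),
        "minutes.docx": ooxml(False),
        "contract.doc": legacy_doc,
        "scan.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # executable named like a PDF
    }

def scan_samples():
    return {name: inspect_attachment(name, data) for name, data in build_samples().items()}

if __name__ == "__main__":
    for name, tags in scan_samples().items():
        print(f"{name:14} {', '.join(tags) or 'clean'}")
```

A gateway policy built on these tags would quarantine anything carrying `pdf_javascript` together with `pdf_embedded_file` (the Jaff shape) and any Office attachment with `office_vba_macro` from an external sender (the Locky shape), while a macro-free .docx passes. Real PDFs can hide these names behind stream compression or hex-encoded names, so a production scanner decodes object streams first; this example shows the decision logic, not the parser.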
How do you actually protect your company from ransomware attacks?
Once the "worst case" has happened, the data is immediately affected by the ransomware and rendered useless. As a company, you have to protect yourself against such ransomware attacks. Here are some basic tips on how to avoid damage caused by ransomware attacks.
1. Back up all data to protect it from ransomware attacks
To neutralize successful ransomware attacks, you need to back up your company's data frequently, so that you can always restore from the backup. The best backup solution would be cloud-based.
2. Show hidden file extensions
Ransomware attacks rely heavily on email as a medium. Disguised as a .pdf, .exe or .jpeg file, they reach the target system of an employee at the affected company. Most email clients have the display of file extensions deactivated. This is why most users cannot immediately recognize the format of a file. The infected file is opened and the ransomware begins its malicious work. It is therefore important to activate the display of file extensions in your settings.
3. Filter filename extensions
You can also avoid ransomware attacks with the help of a spam filter solution. Such a service uses a specific filter function to prevent files with certain file extensions from being received. You can implement rules for the filtering and grant exemptions for individual file extensions. These rights can be defined for each individual user.
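Tips 2 and 3 fit together: a filter rule acts on the real extension at the end of the file name, which is exactly the part a client with hidden extensions does not show. The rule engine below is an added example for this article, not Hornetsecurity's filter and not from the original page. It applies a blocklist of dangerous extensions, honours per-recipient exemptions of the kind the text describes, and quarantines names with a harmless-looking inner extension such as invoice.pdf.exe. The blocklist, the recipients, the exemptions and the file names are constructed assumptions.

```python
# Added example (not from the original article): a rule engine for the kind of
# attachment policy described in tips 2 and 3: a blocklist of dangerous
# extensions, per-user exemptions, and a check for "double" extensions such as
# invoice.pdf.exe, which look harmless once the real extension is hidden.
# Blocklist, users, exemptions and file names are constructed for the example.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "wsf", "hta", "bat",
                      "cmd", "ps1", "docm", "xlsm", "jar"}
# exemptions an administrator has granted per recipient (assumption)
USER_EXEMPTIONS = {
    "dev@example.com": {"js", "ps1"},
    "finance@example.com": {"xlsm"},
}
# multi-part extensions that are legitimate rather than disguises
LEGIT_DOUBLE = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}

def extensions(filename):
    """'Invoice.PDF.exe' -> ['pdf', 'exe']; a name without a dot gives []."""
    parts = [p.strip() for p in filename.lower().split(".")]
    return [p for p in parts[1:] if p]

def filter_attachment(recipient, filename,
                      blocked=BLOCKED_EXTENSIONS, exemptions=USER_EXEMPTIONS):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'quarantine'."""
    exts = extensions(filename)
    if not exts:
        return ("quarantine", "no extension")
    final = exts[-1]                         # the extension the OS acts on
    allowed_for_user = exemptions.get(recipient.lower(), set())
    if final in blocked and final not in allowed_for_user:
        return ("block", f"extension .{final} is blocked")
    if len(exts) >= 2 and tuple(exts[-2:]) not in LEGIT_DOUBLE:
        # a benign-looking inner extension in front of the real one
        return ("quarantine", f"double extension .{'.'.join(exts[-2:])}")
    return ("allow", "")

def apply_policy(messages):
    """messages: iterable of (recipient, filename); returns per-message verdicts."""
    return [(rcpt, fname, *filter_attachment(rcpt, fname)) for rcpt, fname in messages]

if __name__ == "__main__":
    constructed = [
        ("alice@example.com", "invoice.pdf.exe"),
        ("alice@example.com", "photo.jpeg.jpg"),
        ("dev@example.com", "build.js"),
        ("alice@example.com", "build.js"),
        ("finance@example.com", "budget.xlsm"),
        ("alice@example.com", "report.tar.gz"),
        ("bob@example.com", "README"),
    ]
    for rcpt, fname, verdict, reason in apply_policy(constructed):
        print(f"{verdict:10} {rcpt:22} {fname:18} {reason}")
```

The exemption is deliberately per recipient and per extension, so granting the development team .js does not reopen .exe for anyone, and the double-extension rule still fires for an exempted user because the hidden-extension trick is about what the person sees, not about what the policy permits. A name-based filter should be paired with a content check, since the extension is only what the sender claims.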
4. Deactivate Remote Desktop Protocol to protect against ransomware attacks
Microsoft's Remote Desktop Protocol serves as a weak point. If RDP is enabled, ransomware can be distributed within the local network. The malware can gain unauthorized access to the target system and encrypt data.
5. Advanced Threat Protection to protect against ransomware attacks
Ransomware attacks can shut down an entire company's network. The consequence is damage that adds up to a six- or seven-figure sum. Effective protection against ransomware attacks requires a sustainable IT security concept, which will also protect you against complex attacks.
Hornetsecurity Advanced Threat Protection (ATP) reliably detects ransomware attacks as well as other kinds of malware. The solution offers a wide range of protection measures, including URL rewriting and URL scanning.
6. Regular system updates to protect against ransomware attacks
Older IT systems offer invaders a good opportunity to plant ransomware. This applies to all operating systems: the older the system, the higher the probability of a weak point. The best example is the WannaCry attack. The reason for its success was the EternalBlue security weakness, which was ignored by many companies because updates and patches were not applied. As a result, many ransomware attacks succeeded.
In the end, it is difficult to detect ransomware attacks promptly. Early detection is important to keep the damage as small as possible. Preventive measures such as backup solutions are ideal for protecting effectively against ransomware attacks.
Protect your company against ransomware with Hornetsecurity Advanced Threat Protection:
Request a quote!
Would you like to find out how much Hornetsecurity Advanced Threat Protection costs? Then ask us for a no-obligation quote now. You can also try out our service for 30 days free of charge. Simply make use of our fully automated onboarding option.
Try out our product now!
By providing just a few details, you can also try out Advanced Threat Protection right now for 30 days with no obligation. Simply create an account and in just a few minutes your employees and IT systems will enjoy additional protection.