BLOG HOME > Cybersecurity > How to Prevent Ransomware Attacks

How to Prevent Ransomware Attacks


By: David Ellis
VP, Investigations
CISSP, QSA, PFI


The SecurityMetrics Forensics Team has investigated more than 1,000 data breaches at entities in both the public and private sectors. Our investigations include government agencies, airports, universities, major corporations and franchises, as well as mom-and-pop stores with a single computer. 

Help Net Security recently reported that ransomware continues to be the number one cyber threat to small businesses, with managed security providers revealing that 60% of their SMB clients were hit with ransomware in 2019. They also reported that the cost of downtime is now 23 times greater than the average ransom request of $5,900.

Just a few years ago, the majority of our data breach investigations were cases where hackers attacked brick-and-mortar stores to harvest customer credit card account information. While those types of attacks still occur, other types of attacks have risen in popularity. Attackers today have truly diversified their toolbox of illicit schemes, where we regularly see anything; from the more common ecommerce attacks that target credit cards to phishing attacks that target account credentials, to ransomware that actually doesn’t specifically target anything at all–except for as much of the victim’s hard earned cash that they can get away with. 


What is ransomware? 

Ransomware is a type of malware. Malware means “malicious software” or “malicious executable.” On the evil scale, ransomware is near the top. It’s nasty stuff that you don’t want any part of. 

Essentially, ransomware is a method of extortion. The attacker gets into your system, and either locks you out of your systems or locks you out of your files by encrypting them. The attacker will then contact you and demand a ransom in exchange for the pass code to unlock your files/systems. 

Think You've Had a Data Breach?

Click for Incident Response

What types of businesses do threat actors target with ransomware?

Hospitals and healthcare organizations have traditionally been the number one ransomware target of attackers because they know that, for hospitals, maintaining access to their files could literally be a matter of life and death. The success of ransomware against healthcare organizations has led to the targeting of all types and sizes of organizations. Similar to healthcare institutions, the value of retaining immediate access to their systems and files has forced city and state governments, airlines, and major corporations to pay attacker ransoms. Even two-laptop businesses have been hit with ransomware.

When a ransomware attack happens, it feels like you have to choose between something that is bad, and something that could be worse. Pay tens of thousands of dollars, or risk losing all of your key files. And if the situation seems like it couldn’t get worse, oftentimes after paying the ransom the attacker either fails to deliver the decryption keys or the keys provided fail to decrypt the files. 


Should you pay the ransom for ransomware? 

In short, no. If you’re located in the United States, paying ransomware is now illegal. Criminals want to take your money and they can’t be trusted. In addition, there is conflicting data on whether paying a ransom will unlock files. We have seen it go both ways. Generally, we see that in about two-thirds of the cases where the victim pays the ransom, the criminals send legitimate decryption keys, but you never know what will happen if you pay.

In some cases everything goes well and the decryption keys function as hoped. In other cases, they receive a key that only decrypts some of the files, and the attacker then demands more money for the additional decryption keys.

The smaller your business is, the less likely your ransom will result in your files being unlocked. For one small business owner, who settled on a ransom of $250, the cybercriminal they paid turned out to not even be the holder of the encryption key. Once the sum was paid, the criminal admitted he had nothing to do with the original attack and was a secondary attacker (a “man in the middle”) who happened to seize an opportunity. 

Another problem occurs when an organization pays up, their files are decrypted, but the vulnerabilities that led to the infection in the first place are still present. At that point they are not only vulnerable, but they are known as an organization that will pay. In a recent case, one municipality was infected with ransomware again, two weeks after paying the original ransom. The second attack was a slight variation on the first. As a result, none of the intel gained from the first attack investigation was of use. 

In yet another twist, during the distraction of paying the ransom and having files decrypted, a business may find that an attacker left behind a “malicious payload,” such as a keylogger or a backdoor into their system. The attacker can now get back into their system anytime he chooses and launch a different type of attack–possibly capturing credit card information, downloading personal information or even another ransomware attack. Attackers have also been known to sell attack vector information (meaning, “how” they got into your systems) on the dark web. 


If you shouldn’t pay the ransom, what can you do to get your files and systems back? 

If you are infected with ransomware, you should hope that you have reliable backups of your data. And if you do have good backups, you also need an understanding of what it takes to restore your systems from the backups. 

One recent case illustrates why organizations need offline backups. A pharmacy fell victim to ransomware. They had backups, but when we arrived on site we found that their external backup drives were connected at the time of the ransomware attack. So when their systems and files were encrypted, their backups were encrypted right along with them. 

It's important to test your ability to effectively respond to a ransomware attack through drills and tabletop exercises. Over the course of your drills, be certain to ask yourself; what would it take to restore from our backups? 

A few years ago, a large franchise experienced a ransomware attack that affected over 800 retail locations. They planned to avoid paying the ransom and restore from their backups. The only problem was their backups were stored on tapes, and they were unfamiliar with restoring from this medium. It took three days to restore the data, during which time their systems were locked preventing them from processing credit cards, and they lost millions in revenue. 

It seems to be a foreign concept at some organizations to not only keep adequate backups, but to practice restoring data and restarting systems. But it’s a key step because if you cannot restore from your backups, they are essentially worthless. 


Training employees to avoid ransomware

Much of what you can do to prevent ransomware is just that–prevention. The training and exercises you do ahead of time are critical. One very important piece of training is educating your employees to spot phishing emails. 

In past years, phishing emails amounted to a sloppy letter wherein the author claimed to be a deposed Nigerian prince with $2 million in escrow who simply needed your bank account number to transfer you the money. It didn’t take long for us to figure out that these emails were not legitimate. 

Phishing emails have become extremely sophisticated. Often, an attacker will perform extensive reconnaissance into a business to the point where they can craft an email to appear perfectly legitimate and relevant. These emails may address an employee by name, appear to come from a coworker, supervisor, CEO, or even HR. Teach your employees that they should not click on links within an email. If the email is directing them to a known site, they should access that site from a known trusted path outside of the email. All emails directing them to send funds anywhere out of the norm should be verbally confirmed via a phone call.

Download Our Incident Response Plan White Paper

Download Here

Recently, at a finance company in San Francisco, an employee received an email that appeared to be from the CEO. The email was regarding moving funds around, which was a typical subject for such emails. It looked legitimate. The employee clicked a link, and moments later the company was locked down with ransomware. 

Those in the banking industry are reporting they are experiencing a significant increase in the number of phishing attempts since COVID-19. Anytime you have an elevated sense of urgency or anxiety, which oftentimes prompts people to make hasty decisions, phishing emails are certain to follow. This is also a good time to remind employees to take a step back and investigate any email links. They can always contact the person who appeared to send the email to make sure it’s legitimate. 

One common phishing attack to be aware of is an email that contains an apparent link to a voicemail. They will typically include a partial transcription of the voicemail and are trying to get you to click on a link to hear the entire voicemail (which usually doesn’t exist). In this case, you will want to double check the email address of the sender. Is it legitimately from your phone service provider? If you do a little more research, you may find that it’s a “look-alike” email address, and quite possibly originated from Russia. 


What is a good response to ransomware? 

If a company has a successful response to a ransomware attack or infection, they would be less likely to contact us. But in the cases where we are called in and can achieve a good outcome–what did we do? 

Our first step is typically to try to identify the type of ransomware that was used and research to see if there is any publicly available information about that type of ransomware. If we’re lucky, we can find a previously published key that works to decrypt a particular company’s files (since hackers are throwing out these attacks in hundreds, even thousands of directions, it’s not a surprise that they reuse keys).

If that fails, the likely next step is to explore an organization's ability to restore from backups. If that is not an option (such as when the backups were also maliciously encrypted), we begin the process of trying to recover data from deleted files because these will not be encrypted and we can restore a lot of usable or valuable information. 


What can be done to prevent ransomware? 

Most of what you can do to fight ransomware should be done before an actual attack happens. For example, email scanning software is very useful. Email content scanners are able to flag emails it considers suspicious, often saving you from the malicious effects of an attack. 

Right now, with people working from home and taking their machines back and forth to the office, we worry about people not using VPNs or other security protocols. Their computers are exposed to any website–and many are malicious–that they visit in their home environment, and then they take that same computer back to their work network, possibly introducing malware. We’ve seen many high-profile cases where malware was installed at home and brought back to the corporate network. 

One solution is to make sure that employees use a VPN at home. This helps insulate your computer from all the different malicious bugs and malware that can come from social media quizzes, games, or other malicious sites. 


How social media and games contribute to malware and data breaches

Social media quizzes and games are designed to elicit personal responses from users. These games look fun, but many times they are capturing sensitive information that can be used to make phishing emails look legitimate. Quizzes or trendy posts with titles like “10 Things You Don’t Know About Me” are often attempts to skim personal information that can be used to social engineer phishing campaigns, answer login security questions, and even steal sufficient personal information to create false identities. 

Compounding this problem is that people are feeling isolated. They are turning to social media in search of connections. Their friends are not the only people taking notice. It’s a hard balance to maintain. We want to share information about ourselves on social media, but everyone needs to understand the risks of sharing personal information, like the name of your first pet and your wedding anniversary date–just resist and say, no. 

Yes, there are legitimate games and apps out there. But there are ancillary things that sometimes go along with the game, like chat groups. I recently saw an example of this with a game my kids have been playing. A chat post told players to visit a site, subscribe to five things, and they would receive unlimited coins and lives. I investigated these subscriptions and found that all of them involved installation of backdoors. So it’s critical that you watch what your kids are doing on your devices and that you don’t trust anyone directing you to an unknown site or subscription. 


Does antivirus help prevent ransomware? 

With work devices going back and forth to the office, if they haven’t been on a VPN and have been vulnerable to attacks–can antivirus help offset some of these risks? 

A good, robust antivirus is a basic security measure and can be helpful. If it also includes intuitive content scanning or filters, it may be able to identify links in emails that are malicious and that you should avoid. Ensure that you keep your antivirus updated because these threats frequently change and antivirus is signature-based, meaning it's looking for something that has been previously reported by developers. If your antivirus isn’t up-to-date, you could miss the defenses against the most current attacks.


David Ellis (GCIH, QSA, PFI, CISSP) is VP of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.

Join Thousands of Security Professionals and Subscribe

Subscribe