Ransomware 2020

Since its first appearance, ransomware has undergone an evolutionary journey — from piecemeal tools created by isolated enthusiasts to a powerful underground industry reaping vast rewards for its creators. What’s more, the cost of entry to this shadowy world is getting lower.

Nowadays, would-be cybercriminals no longer need to create their own malware or even buy it on the dark web. All they need is access to an RaaS (Ransomware-as-a-Service) cloud platform. Easy to deploy and requiring no programming skills, such services enable just about anyone to use ransomware tools, and that has naturally led to increasing numbers of ransomware cyberincidents.

Another worrying recent trend is the transition from a simple ransomware model to combined attacks that siphon off data before encrypting it. In those cases, nonpayment results not in the destruction of information, but in its publication in open sources or sale at (closed) auction. In one such auction, which took place during summer 2020, databases from agricultural companies, stolen using REvil ransomware, were put up for sale with a starting price of $55,000.

Unfortunately, many victims of ransomware feel compelled to pay despite knowing it’s no guarantee they’ll get their data back. That is because hackers tend to target companies and organizations with a low tolerance for idle time. The damage caused by a production stoppage, for example, can run into millions of dollars per day, whereas an incident investigation could take weeks and not necessarily bring everything back on track. And what about medical organizations? In urgent situations, some business owners feel they have no option but to pay.

Last fall, the FBI issued a special clarification on ransomware, recommending unequivocally that no one pay hackers any money. (Paying encourages more attacks and in no way guarantees the recovery of encrypted information.)

Top headline-grabbers

Here are just a few incidents from the first half of this year that point to the growing scale of the problem.

In February, Danish facility services company ISS fell victim to ransomware. Cybercriminals encrypted the company’s database, which led to hundreds of thousands of employees across 60 countries being disconnected from corporate services. The Danes refused to pay up. Restoring most of the infrastructure and conducting an investigation took about a month, and total losses were estimated at $75–$114 million.

Ransomware hit US multinational IT service provider Cognizant in the spring. On April 18, the company officially admitted to being the victim of an attack by the popular Maze ransomware. The company’s clients use its software and services to provide support for remote work to employees, whose activities were disrupted.

In a statement sent to its partners immediately after the attack, Cognizant listed Maze-specific server IP addresses and the file hashes of kepstl32.dll, memes.tmp, and maze.dll as indicators of compromise.

Rebuilding much of the corporate infrastructure took three weeks, and Cognizant reported losses of $50–$70 million in its Q2 2020 financial results.

In February, Redcar and Cleveland Borough Council (UK) suffered an attack. British newspaper The Guardian cited a board member as saying that for three weeks — the time they required to effectively rebuild the IT infrastructure used by hundreds of thousands of local residents — the council had been forced to rely on “pen and paper.”

How to protect yourself

The best strategy is to be prepared. Equip mail services, which are a potential gateway for unauthorized access, with spam filters that block or quarantine executable attachments.
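As an added illustration of the attachment-filtering advice above (example code written for this article, not a Kaspersky product or any mail gateway's own logic), the script below parses a raw e-mail, inspects each attachment, and flags it for quarantine if it carries an executable extension, hides one behind a double extension such as invoice.pdf.exe, or begins with the "MZ" header of a Windows executable even when it is named and labelled as a document. The extension list and the sample messages are constructed assumptions for the demo; a real deployment would tune the list to its environment.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed policy list of extensions commonly used to deliver droppers;
# tune to your environment.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".cpl",
}

# Every Windows PE image (exe/dll) starts with the DOS header signature "MZ",
# so sniffing the content catches renamed executables the name check misses.
PE_MAGIC = b"MZ"


def attachment_verdict(part) -> dict:
    """Classify one MIME attachment; 'block' is True if any reason fires."""
    filename = part.get_filename() or ""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    payload = part.get_payload(decode=True) or b""
    reasons = []
    if suffixes and suffixes[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {suffixes[-1]}")
        if len(suffixes) > 1:
            # e.g. invoice.pdf.exe: a document extension used as a disguise
            reasons.append("double extension disguises executable")
    if payload.startswith(PE_MAGIC):
        reasons.append("PE header (MZ) in content")
    return {
        "filename": filename,
        "content_type": part.get_content_type(),
        "reasons": reasons,
        "block": bool(reasons),
    }


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return a verdict per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [attachment_verdict(part) for part in msg.iter_attachments()]


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: quarantine the whole message if any attachment is blocked."""
    return any(v["block"] for v in scan_message(raw))


def build_message(attachments) -> bytes:
    """Construct a sample message; attachments are (data, maintype, subtype, filename)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached documents.")
    for data, maintype, subtype, filename in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype,
                           filename=filename)
    return msg.as_bytes()


# Constructed samples (not real files): the "MZ" payloads are a few bytes
# that only mimic a PE header so the sniffing path is exercised.
SUSPICIOUS_MESSAGE = build_message([
    (b"%PDF-1.4 constructed sample", "application", "pdf", "report.pdf"),
    (b"MZ\x90\x00 constructed, not a real binary", "application",
     "octet-stream", "invoice.pdf.exe"),
    (b"MZ\x90\x00 constructed, not a real binary", "application",
     "pdf", "statement.pdf"),
])

CLEAN_MESSAGE = build_message([
    (b"%PDF-1.4 constructed sample", "application", "pdf", "report.pdf"),
    (b"quarterly figures\n", "text", "plain", "notes.txt"),
])

if __name__ == "__main__":
    for verdict in scan_message(SUSPICIOUS_MESSAGE):
        state = "BLOCK" if verdict["block"] else "allow"
        print(f"{state:5} {verdict['filename']:18} {verdict['reasons']}")
    print("quarantine suspicious:", should_quarantine(SUSPICIOUS_MESSAGE))
    print("quarantine clean:", should_quarantine(CLEAN_MESSAGE))
```

The third sample attachment is the important one: its name and declared Content-Type both say PDF, so an extension-only filter would pass it, and only the content check catches it. Archives and password-protected containers are outside this check and need unpacking or a sandbox stage.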

If, despite your preparation, an attack succeeds, minimize idle time and potential damage by keeping regularly updated backups of all business-critical information. Store your backups in a secure cloud.

In addition to the digital hygiene measures described above, use specialized solutions such as Kaspersky Anti-Ransomware Tool. Using cloud and behavioral analysis, the Kaspersky Anti-Ransomware Tool keeps ransomware from penetrating systems by detecting suspicious application behavior, and for systems that are already infected, the tool can roll back malicious actions.

Our integrated solution, Kaspersky Total Security for Business, offers much broader protection against all types of threats. In addition to the features of Kaspersky Anti-Ransomware Tool, Kaspersky Endpoint Security for Business contains a full range of Web and device controls, the Adaptive Anomaly Control tool, and recommendations for configuring security policies to arm the solution against even the latest types of attacks, for example, those using fileless malware.