Leveraging Technology to Succeed in Business

Here's how the attack worked. First, the software used, DarkSide, is malware that's offered as a service to crooks via an affiliate program. Yes, ransomware these days is a franchise operation.

Like other ransomware programs, DarkSide encrypts all your files. It uses Salsa20 or RSA-1024 encryption. This locks up your data, and there's not much you — or anyone else — can do to bring it back on your own. Both can be cracked, but it is not easy. That means if you don't have an up-to-date backup, you're pretty much out of business. Your other choice is to pay for a decryption key.

That's what Colonial Pipeline did; it wound up paying almost $5 million. Guess what? The decryption key works so slowly that sources say Colonial Pipeline ended up using its own backups to restore business systems anyway.

Ransomware attackers can also threaten to release your sensitive data to the public — and won't your customers just love that! They'll also threaten to publicize that they've got your business data. Since you almost certainly don't want to reveal that you've been cracked, that's an effective threat. If they can't get you to pay for the data itself, the goal is to blackmail you.

You can get infected by DarkSide malware and other ransomware programs in several ways. These include, according to security firm Intel471, "exploiting vulnerable software like Citrix, Remote Desktop Web (RDWeb), or remote desktop protocol (RDP)" and, of course, phishing. There's always phishing.

Adding insult to injury, according to Cybereason researchers, the ransomware then stops backup, shadow copy, and antivirus services. On Windows systems, it also uses a PowerShell command to delete all your existing volume shadow copies.
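As an added example (not from the article or from any product it names), here is a small Python detector for the two behaviours just described, run over constructed process-creation records; the field names, rule names and service-name list are assumptions, and a host that trips both rules is the one to escalate first.

```python
import re

# Constructed process-creation records (fields modeled on Sysmon Event ID 1);
# these are made-up sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "cmd": "vssadmin list shadows"},
    {"host": "FS01", "user": "CORP\\jdoe", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "WS22", "user": "CORP\\jdoe",
     "cmd": "powershell -c Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    {"host": "WS22", "user": "CORP\\jdoe", "cmd": "net stop VeeamBackupSvc /y"},
    {"host": "WS22", "user": "CORP\\jdoe", "cmd": "sc config WinDefend start= disabled"},
    {"host": "WS07", "user": "CORP\\asmith", "cmd": "notepad budget.txt"},
]

# Detection rules over the process command line. The service-name list is a
# hypothetical starter set; extend it with the products actually deployed.
RULES = {
    # Volume shadow copy deletion (MITRE ATT&CK T1490, Inhibit System Recovery)
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy\b.*\b(remove-wmiobject|remove-ciminstance)",
        re.IGNORECASE),
    # Stopping or disabling backup and antivirus services
    "protective_service_tampering": re.compile(
        r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+(stop|config|delete)|stop-service|set-service)\b"
        r".*\b\w*(backup|veeam|acronis|vss|defend|sophos|kaspersky|bitdefender)\w*",
        re.IGNORECASE),
}

def detect(events):
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "rule": name, "cmd": ev["cmd"]})
    return alerts

def hosts_to_escalate(alerts):
    """Hosts that tripped more than one distinct rule: the sequence the article
    describes (protective services stopped, then shadow copies wiped)."""
    fired = {}
    for a in alerts:
        fired.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in fired.items() if len(rules) > 1)
```

On the sample records, `detect` raises four alerts and `hosts_to_escalate` returns only WS22, because FS01 deleted shadow copies without first touching any protective service.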

This is only going to get worse. Security company Check Point reports ransomware attacks have increased 102% since 2020. That's an average of more than 1,000 organizations attacked every week.

How to prevent ransomware attacks

So, what can you do? For starters, you must practice all the usual good security techniques. That means keeping all programs and operating systems up to date with the latest patches, constantly checking and rechecking your systems for possible infections, using two-factor authentication, and making certain employees know what phishing attacks look like and how to avoid them.

You also need to make complete backups constantly and verify that they can actually be restored. If you can't restore your systems, it doesn't matter how recent your backups are.

Check Point also warns that attacks seem to happen more often on holidays and weekends — especially before three-day weekends. So, don't leave the office until you're sure your systems are safe and fully backed up.

You should also invest in anti-ransomware software. It's a constant battle between attackers and defenders, and for now, the attackers are in the lead. That said, at least programs such as Bitdefender Antivirus Plus, Check Point ZoneAlarm Anti-Ransomware, Kaspersky Security Cloud, and Sophos Intercept X Endpoint give you a fighting chance. If it's too late, and you've been attacked, you can try NeuShield Data Sentinel to recover data.

You could try getting business insurance for ransomware attacks. But it may not be available for long. Multinational insurance firm AXA Group has said it will stop writing ransomware policies in France. I expect this to be the beginning of a nasty trend.

The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have their own list of things you should and shouldn't do to ward off ransomware. It's a good list.

Having said that, there's one recommendation I don't completely agree with. They suggest you don't pay ransomware criminals: "Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim's files will be recovered."

But if your only other option is going out of business, there's not much you can do except bite the bullet, buy the Bitcoin, and pay up.

Don't think that's the easy way out. It's not. First, the average ransomware payout, according to security company Sophos, is $170,404. Worse, even if you pay the jerks, Sophos' survey found only 8% of organizations managed to get back all of their data. (Only 29% got back half their data.)

Oh, and by the way, if you do get back your data on your own, Sophos estimates restoring your business to normal will cost an average of $1.85 million.

What you really need to do is take the time now to prevent ransomware from ever hitting your company in the first place. And, if it does, make sure your backups are set and ready to go.

Yes, that's a lot of work. But the alternative is much worse.

Ransomware explained: How it works and how to remove it

Despite a recent decline, ransomware is still a serious threat. Here's everything you need to know about the file-encrypting malware and how it works.

Colonial Pipeline shutdown highlights need for better OT cybersecurity practices

Experts weigh in on what the Colonial attack teaches critical infrastructure providers about preparation and incident response.

DarkSide ransomware explained: How it works and who is behind it

The Colonial Pipeline attack thrust the DarkSide ransomware into the spotlight. This is what's known about the threat actors and how they operate.

How to protect backups from ransomware

Ransomware is getting smarter, attacking backups to prevent recovery. Prevent this from happening by taking a few simple steps.

How to buy Bitcoin for ransomware payment (if you must)

Avoid paying ransom demands if at all possible. When you have no choice, follow this advice for acquiring cryptocurrencies and executing the transaction.

How malicious Office files and abused Windows privileges enable ransomware

Ransomware groups most often gain entry to Windows networks through malicious Office documents and then move laterally by abusing Windows privileges. Here's how to defend against both.

About the Author
Steven J. Vaughan-Nichols, aka sjvn, has been writing about the intersection of business and technology for over 30 years. He continues to scoop up awards for his valuable insights and practical guidance in highly technical publications, business & technology magazines, and mainstream newspapers.
©2021 IDG Communications, Inc.