Anatomy of a data breach, Part 1: Ransomware
An executive at his workstation sees a message in his inbox from a familiar name. “Can you believe the nerve of this guy?” the subject reads. A short sentence directs him to click a hyperlink. Curious, the executive does. With that, life gets very unpleasant, for himself, many of his co-workers and the organization that employs them. He has just activated malware specifically designed to encrypt data and extort his business by holding it hostage.
For such a massive problem with such devastating implications for its victims, ransomware attacks often begin in the most unsuspicious of ways.
How a ransomware attack begins
Ransomware is by far the most common type of data breach, in which a computer system is deliberately infiltrated by an individual or group in order to gain control of data, sometimes even an organization’s entire system. Those targeted are then extorted for payment.
Most often, a ransomware attack succeeds because a business failed to take simple precautions. In this case, as in so many others, the attacker uses the business’s own Active Directory (AD) contact lists to distribute the malware-laden message. According to Frost & Sullivan, “Many ADs are rarely properly secured, making privileged access escalation easier to achieve for skilled cyber criminals.”1
The example given above is ransomware in its most common delivery form, “phishing.” Phishing uses email sent under a false identity either to trick the recipient into giving out sensitive information or (as in the example above) to deploy malware on an organization’s infrastructure. Phishing attacks can be highly sophisticated and targeted at specific individuals, but they may also be cruder and wider in their targeting.
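The opening scenario hinges on a message that arrives “from a familiar name.” One defensive check a mail gateway or SOC script can run is to compare the display name on inbound mail against the internal directory and flag messages where a known employee’s name is paired with an external or non-matching address, or where Reply-To diverts responses elsewhere. The code below is an added example, not part of the article and not a Spectrum Enterprise product; the organization domain `example.com`, the employee directory and the sample headers are all constructed for illustration.

```python
"""
Flagging display-name impersonation in inbound mail.

Added example, not from the article. ORG_DOMAIN and INTERNAL_DIRECTORY are
hypothetical; SAMPLE_MESSAGES are constructed headers for illustration.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed directory of internal display names as they appear in AD / the GAL.
INTERNAL_DIRECTORY = {
    "Dana Whitfield": "dana.whitfield@example.com",
    "Priya Raman": "priya.raman@example.com",
}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(headers: dict) -> list:
    """Return the reasons this message looks like sender impersonation.

    Checks performed:
      * display name matches an internal employee but the address is external
      * display name matches an internal employee but the address differs
        from the directory entry (even when the domain is internal)
      * Reply-To points somewhere other than the From address
    """
    name, addr = parseaddr(headers.get("From", ""))
    name = name.strip()
    reasons = []
    if name in INTERNAL_DIRECTORY:
        expected = INTERNAL_DIRECTORY[name]
        if _domain(addr) != ORG_DOMAIN:
            reasons.append(f"display name '{name}' is internal but address {addr} is external")
        elif addr.lower() != expected:
            reasons.append(f"display name '{name}' does not match directory address {expected}")
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {addr}")
    return reasons


def triage(messages: list) -> dict:
    """Map Message-ID to findings; only suspicious messages are included."""
    return {m["Message-ID"]: r for m in messages if (r := check_message(m))}


# Constructed samples: a look-alike domain, a legitimate message, a Reply-To diversion.
SAMPLE_MESSAGES = [
    {"Message-ID": "<1@mail>", "From": "Dana Whitfield <dana.whitfield@example-mail.co>",
     "Subject": "Can you believe the nerve of this guy?"},
    {"Message-ID": "<2@mail>", "From": "Priya Raman <priya.raman@example.com>",
     "Subject": "Q3 numbers"},
    {"Message-ID": "<3@mail>", "From": "Priya Raman <priya.raman@example.com>",
     "Reply-To": "priya.raman@freemail.invalid", "Subject": "Urgent"},
]

if __name__ == "__main__":
    for mid, reasons in triage(SAMPLE_MESSAGES).items():
        print(mid, "->", "; ".join(reasons))
```

A flagged message is a candidate for quarantine or an “external sender” banner rather than an automatic block; the check is deliberately narrow (name-to-address consistency) so that false positives stay low, and it complements rather than replaces SPF/DKIM/DMARC evaluation.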
Other ransomware delivery methods include “drive-by downloading,” where the malware is installed without the victim’s knowledge while they browse the web; cracking passwords; exploiting legacy and/or outdated software; and even intentional infection by someone inside the organization.
Ransomware continues to explode in 2022
According to a recent Cisco report, “Ransomware has quickly become the most profitable type of malware ever seen, on its way to becoming a $1 billion annual market.”2
Other reports confirm this. Ransomware attacks were estimated to cost victims over $406 million in 2020.3 Attacks reportedly rose 105% from 2020 to 2021.4 In the first quarter of 2022, double the number of ransomware detections were tallied as in the whole of 2021.5
The other major loss is productivity. For organizations, the average time lost to an individual ransomware incident is 12.1 days.6
Cybercrime observers have identified several distinct ransomware categories, with three among the most common:
- File encryption, where system data is enciphered and all access denied until a ransom is paid. The oldest and most commonly reported type of ransomware attack, it preys on victims more willing to pay a substantial amount of money than seek help from law enforcement.
- Device lockdown, where access to system data is blocked until ransom is paid. This has been known to occur on a massive scale; in early 2021, a pipeline exposed to such an attack resulted in fuel shortages across the eastern United States.
- Exfiltration, where system data is stolen and threatened to be leaked unless a ransom is paid. Data may contain sensitive medical records or a psychiatrist’s notes, endangering the physical and mental well-being of patients and violating their privacy.
In 1989, the first ransomware attack used a floppy disk and a post office box in Panama. Today, it is a flashing message on a screen explaining exactly how long the victim has until their data is lost for good unless payment is made in an untraceable cryptocurrency. Sometimes the attacker includes instructions on how a cryptocurrency novice can convert the necessary funds.
How ransomware attacks can be thwarted
The Federal Bureau of Investigation recommends five best practices for avoiding ransomware attacks:
- Back up your data, system images and configurations, test your backups and keep the backups offline.
- Utilize multi-factor authentication.
- Update and patch systems.
- Make sure your security solutions are up to date.
- Review and exercise your incident response plan.
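The first recommendation, to back up and then test the backups, is the one most often left as a checkbox. A restore test needs something to compare against, so a common approach is to record a SHA-256 manifest of the source tree at backup time, store it with the offline copy, and verify any restored tree against it. The script below is an added example, not the article’s or any vendor’s tool; the directory layout and file contents are constructed in a temporary directory purely for illustration.

```python
"""
Backup manifest creation and restore verification.

Added example, not from the article. Builds a SHA-256 manifest of a source
tree and checks a restored copy against it, which is the "test your backups"
step in concrete form. All paths and contents are constructed in a tempdir.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/' separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree to the manifest.

    Returns {"missing": [...], "modified": [...], "extra": [...]}; all three
    lists empty means the restore test passed.
    """
    current = build_manifest(restored)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(k for k in current if k not in manifest),
    }


def restore_ok(result: dict) -> bool:
    return not any(result.values())


def demo() -> tuple:
    """Run a constructed scenario: one clean restore and one damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        # The manifest is what travels with the offline copy (serialised as JSON).
        manifest = json.loads(json.dumps(build_manifest(src)))

        # Clean restore: byte-for-byte copies of both files.
        good = Path(tmp, "restore_good")
        (good / "db").mkdir(parents=True)
        (good / "db" / "customers.csv").write_bytes((src / "db" / "customers.csv").read_bytes())
        (good / "config.yaml").write_bytes((src / "config.yaml").read_bytes())

        # Damaged restore: one file garbled (as an encrypted copy would be),
        # one file missing, one stray file that was never backed up.
        bad = Path(tmp, "restore_bad")
        (bad / "db").mkdir(parents=True)
        (bad / "db" / "customers.csv").write_bytes(b"\x8f\x1a\x00garbled")
        (bad / "README.txt").write_text("not in backup\n")

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good, bad = demo()
    print("clean restore passed:", restore_ok(good))
    print("damaged restore findings:", bad)
```

The manifest must live with the offline copy, not only on the production host; if ransomware encrypts the source tree and the manifest together, there is nothing trustworthy left to compare against. Scheduling the verify step after every restore drill turns “test your backups” into a pass/fail result that can be tracked.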
In addition, educating employees about ransomware is critical. Employees need to know what pitfalls are out there, how to protect themselves and the organization and, perhaps most important, whom to inform if they think there has been a breach.
One recent ransomware ploy is to pose as a chief executive at a target company and instant-message selected employees demanding immediate access. This ploy will fail far more often than it succeeds, but it only takes one person choosing to be helpful rather than be careful for a breach to occur.
Taking a proactive approach
The challenge of ransomware keeps evolving, especially as work-from-home and hybrid-office situations become standardized parts of a typical work environment.
Ultimately, staying safe against such a rampant and growing problem as ransomware requires a proactive approach. “The focus must be taken away from a victim mentality, and must be refocused on prevention strategies,”7 urges Frost & Sullivan. It also requires better monitoring and security perimeters at the edge of an organization’s network, where most of the vulnerabilities to ransomware attacks exist.
Securing the network edge in today’s fluid environment is not easy, but it is critical. That’s why you need the help of technology partners like Spectrum Enterprise, which offers Managed Security Service and Managed Network Edge to secure the organization’s infrastructure and provide a custom-fit solution that lets its clients navigate tricky waters responsibly and profitably.
The right technology partner is equipped to help you establish protective perimeters and better manage future breaches should they occur. Please know: Breaches can be mitigated and even stopped before they spread across your network, but only if you put the right partners, tools and procedures in place.
And when they are not in place? The executive who got phished would eventually recover his encrypted data, but only after paying $500 and facing some embarrassment with his employers. He did have this consolation: He was far from alone in his experience, and had gained some hard-earned wisdom.
Ransomware is just one of the many types of data breaches impacting both the private and public sector. Next, we will take a closer look at data theft, another type of data breach that can undermine operations at the consumer level.
Learn how to secure your business from ransomware attacks and other cybercrime threats with Spectrum Enterprise solutions.
1 “Insights for CISOs: Ransomware” Frost & Sullivan, December 2021, pg. 4
2 https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/ransomware-defense/at-a-glance-c45-737465.pdf?dtid=osscdc000283
3 Ransomware 2021: Critical Mid-year Update [REPORT PREVIEW] - Chainalysis
4 https://www.helpnetsecurity.com/2022/02/18/rise-ransomware-attacks/
5 https://www.securitymagazine.com/articles/97908-ransomware-in-q1-2022-doubled-total-2021-volume
6 https://www.coveware.com/blog/q3-ransomware-marketplace-report
7 “Insights for CISOs: Ransomware” Frost & Sullivan, December 2021, pg. 9