Ransomware is malicious code that threatens to publish or encrypt the victim’s data unless a payment, often in cryptocurrency, is made. Some ransomware merely locks the victim’s system, but more advanced variants encrypt it, making all data inaccessible.
A ransomware attack is often delivered as a malicious attachment to a phishing email. This malware does the work of locking the system or encrypting the data. The user of the system is then shown an alert with an option to pay the ransom. Payment is usually demanded in cryptocurrency, which is hard to trace and therefore makes it more difficult to catch the perpetrators. After the ransom has been paid, the attacker sends the key to unlock the system or decrypt the data, so that the user regains access and/or control.
Ransomware attacks are becoming more frequent and are costing organisations more than in previous years. 66% of the organisations surveyed by Sophos reported that they were hit with ransomware in 2021, up from 37% in 2020. The average payout is $1.4 million (USD). Even when the ransom is paid, organisations still suffer disruption to their operations and have reported loss of revenue because of the attack.
Many organisations are now looking towards cyber insurance to help them cover the risk of ransomware attacks. One thing you should always remember is that paying the ransom is not advised. Paying only motivates the attackers to carry out more attacks, and there is no guarantee that you won’t be hit again, whether by the same group or by another attacker exploiting the same security vulnerability.
Over 30 years of ransomware – here are some notable attacks
The first ransomware attack occurred in 1989 with the AIDS Trojan. It infected computers, hid files on the hard drive and encrypted their names, not their contents. The perpetrator was found and the file names could be decrypted, but ransomware would go on to become far more dangerous.
A recent example is the Kaseya VSA ransomware attack that affected Visma in July of 2021. In this attack, perpetrated by the REvil group, a software update of the Kaseya cash register management system was infiltrated by malware, which made payment handling impossible for the Swedish supermarket chain Coop and forced it to close its 800 stores. The system was rebuilt from scratch, but the attack also had significant effects on the 800 to 1,500 other businesses that used the system.
Ransomware Mitigation
There are multiple ways to mitigate a ransomware attack, addressing both the attack itself and its consequences. If an attack is identified before encryption has taken place (encryption takes some time), the malware can be removed. Files that have already been encrypted will be lost, however, as the key needed to decrypt them will most likely be unknown. Many antivirus programs keep a library of known ransomware families and can remove them, which is why it is important to update these programs regularly: only then do you have the most complete protection.
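To make the "identify it before encryption finishes" idea concrete, here is an added Python example; it is not code from the original post or from Visma. It compares two snapshots of a file share and flags the pattern that mass encryption leaves behind: many files whose contents turn near-random in one sweep, or that vanish and reappear under an extra extension. The 7.5 bits-per-byte entropy threshold, the minimum-count and fraction parameters, and the sample file tree are all assumptions constructed for the example.

```python
import math
from collections import Counter

# Assumption: plain text and office documents score roughly 4-6 bits/byte,
# encrypted or compressed data close to 8. The threshold is a tuning choice.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def snapshot(files: dict) -> dict:
    """files maps relative path -> content bytes (what a directory walk would yield).
    Returns path -> entropy, which is all the comparison needs."""
    return {path: shannon_entropy(data) for path, data in files.items()}


def find_suspicious_changes(before: dict, after: dict) -> list:
    """Return (reason, original path) pairs for changes consistent with mass encryption."""
    findings = []
    for path, old_entropy in before.items():
        if path in after:
            # Same name, but the content went from readable to near-random.
            if old_entropy < ENTROPY_THRESHOLD <= after[path]:
                findings.append(("entropy-jump", path))
        else:
            # Original vanished; look for a new high-entropy file named like it plus a suffix.
            renamed = [p for p in after if p not in before and p.startswith(path + ".")]
            if any(after[p] >= ENTROPY_THRESHOLD for p in renamed):
                findings.append(("renamed-and-encrypted", path))
    return findings


def verdict(before: dict, after: dict, min_files: int = 3, min_fraction: float = 0.5):
    """Alert only when enough files are affected, both in absolute count and as a share
    of the tree, so a single legitimate archive or encrypted document does not fire."""
    findings = find_suspicious_changes(before, after)
    fraction = len(findings) / max(len(before), 1)
    alert = len(findings) >= min_files and fraction >= min_fraction
    return alert, findings


# Constructed sample data: five documents before, and the same tree after a simulated incident.
TEXT = b"Quarterly figures for Q3: revenue up 4 percent over plan.\n" * 20
HIGH_ENTROPY = bytes(range(256)) * 4   # every byte value equally often: exactly 8 bits/byte

BEFORE = snapshot({
    "finance/q3.docx": TEXT,
    "finance/q4.docx": TEXT,
    "hr/policy.pdf": TEXT,
    "sales/leads.xlsx": TEXT,
    "readme.txt": b"Internal share\n",
})
AFTER = snapshot({
    "finance/q3.docx.locked": HIGH_ENTROPY,
    "finance/q4.docx.locked": HIGH_ENTROPY,
    "hr/policy.pdf": HIGH_ENTROPY,          # overwritten in place
    "sales/leads.xlsx.locked": HIGH_ENTROPY,
    "readme.txt": b"Internal share\n",      # untouched
})

if __name__ == "__main__":
    alert, findings = verdict(BEFORE, AFTER)
    print("ALERT" if alert else "ok", findings)
```

In practice the two snapshots would come from a scheduled directory walk or from file-system audit events, and the alert is the trigger for isolating the host; the count-and-fraction rule is what keeps a user who zips one folder from paging the on-call engineer.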
Within Visma, additional systems are used, such as advanced antivirus and detection mechanisms. These give better protection and also make it possible to monitor for malicious activity. In addition, operating system updates are mandatory, so that systems are kept as safe as possible. This protection is never 100%, however, because cybercriminals continuously develop new malware. That is why further mitigation measures are necessary.
A good way of reducing the costs and risks associated with ransomware is to make sure that files are not only stored locally but also in a safe place, such as the cloud. Care must be taken to ensure that the copies in the cloud cannot themselves be affected by an attack.
A more preventive form of ransomware mitigation is promoting cyber hygiene. As mentioned earlier, ransomware attacks often succeed because a phishing attack succeeded first. Raising employees’ awareness of these attacks and emails can stop an attack from taking place at all, thereby reducing costs and risks.
Visma’s measures to stop ransomware in its tracks
Visma deals with mitigating ransomware attacks at all levels. To protect files we use Google Suite, which means there are fewer local files on computers that can be held to ransom. Even if an attack were to take place, the system keeps a version “history”, so files can be rolled back without losing data. The spam filters of Gmail stop an attack at an even earlier stage by blocking spam carrying malware before it reaches our employees, thereby preventing the malware from being installed on Visma computers. The last line of defence is our own employees, whom we train and educate. By raising awareness of these topics, for example during European Cyber Security Month, you can be a part of the solution as well.
Visma not only takes preventive measures against cyber attacks but is also proactive and reactive against cybercrime. Within Visma there is zero tolerance for these attacks, which is why we continually check within the company for threats. Visma also works together with public and private institutions and law enforcement, both proactively and reactively, by identifying and documenting information that can be used to prosecute the criminals responsible.
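The two properties this section and the earlier backup paragraph rely on are that the cloud copy cannot be damaged from the endpoint and that every file can be rolled back to an earlier version. The added Python model below shows the shape of a store with exactly those properties: append-only and content-addressed, with no overwrite or delete operation exposed to clients, so an incident on a laptop can only pile bad versions on top of good ones. This is an illustrative model written for this page, not Google Workspace’s or Visma’s implementation; the class name, the global version counter and the sample document are assumptions.

```python
import hashlib
from typing import Optional


class VersionedStore:
    """Append-only, content-addressed store standing in for a versioned cloud drive.

    Every put() creates a new version and nothing is ever overwritten or deleted.
    Clients get no delete or overwrite call at all, which is the property a backup
    copy needs if it is to survive an incident on the device that writes to it.
    (Assumed model for illustration, not a real service's API.)
    """

    def __init__(self):
        self._blobs = {}     # sha256 hex digest -> content bytes (deduplicated)
        self._history = {}   # path -> list of (version number, digest), oldest first
        self._clock = 0      # global, monotonically increasing version counter

    def put(self, path: str, data: bytes) -> int:
        """Store a new version of path and return its version number."""
        digest = hashlib.sha256(data).hexdigest()
        self._blobs.setdefault(digest, data)          # identical content is stored once
        self._clock += 1
        self._history.setdefault(path, []).append((self._clock, digest))
        return self._clock

    def versions(self, path: str) -> list:
        """Full history of a path as (version, digest) pairs; never shrinks."""
        return list(self._history.get(path, []))

    def get(self, path: str, version: Optional[int] = None) -> bytes:
        """Latest content of path, or the newest version numbered <= version."""
        for v, digest in reversed(self._history.get(path, [])):
            if version is None or v <= version:
                blob = self._blobs[digest]
                # Integrity check: a blob that no longer matches its digest is corrupt.
                if hashlib.sha256(blob).hexdigest() != digest:
                    raise ValueError(f"stored blob for {path} fails its integrity check")
                return blob
        raise KeyError(f"{path} has no version <= {version}")

    def snapshot_at(self, version: int) -> dict:
        """Every path as it looked when the global counter stood at version,
        which is what a point-in-time restore after an incident needs."""
        result = {}
        for path in self._history:
            try:
                result[path] = self.get(path, version)
            except KeyError:
                pass   # path did not exist yet at that point
        return result

    def rollback(self, path: str, version: int) -> int:
        """Restore an earlier version by appending it as a new version; history stays intact."""
        return self.put(path, self.get(path, version))


if __name__ == "__main__":
    store = VersionedStore()
    store.put("finance/q3.docx", b"Q3 draft")
    good = store.put("finance/q3.docx", b"Q3 final")
    # Constructed incident: the endpoint pushes unreadable bytes over the document.
    store.put("finance/q3.docx", bytes(range(256)))
    store.rollback("finance/q3.docx", good)
    print(store.get("finance/q3.docx"))            # b'Q3 final'
    print(len(store.versions("finance/q3.docx")))  # 4: draft, final, incident, restored
```

The rollback deliberately writes the old content as a new version instead of deleting the bad one, so the incident remains visible in the history for investigation, and the point-in-time `snapshot_at` is what lets a whole tree be restored to the last version before the incident began.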