Ransomware, also known as extortion software, is malicious code that attackers use to lock a system or device by encrypting its contents (crypto-ransomware). The attackers then demand a ransom in exchange for the decryption key the victim needs to decrypt the data and unlock the system.

Starting with current statistics: depending on the study, ransomware attacks increased by 60 to 100% in 2021. During Q1 2022 the number of attacks dropped by 25 to 30%, most likely because of Russia's invasion of Ukraine and the support some state-aligned attackers gave to Russia. Studies suggest that the majority (over 70%) of ransomware attacks originate from Russia, so when those groups shifted their focus toward Russia's own interests, the rest of the world saw a noticeable drop.

In April, several significant ransomware-related events occurred, which leads us to believe that attacks will rise again this month. The return of Emotet and REvil, along with new actors and malware families, is likely to contribute to the increase. There are also signs that some Russian attackers are shifting their focus from Ukraine back to the rest of the world.

How Can Organizations Protect Themselves Against Ransomware?

The encryption is usually the last step of an intrusion that began long before. In many cases the victim is first infected by a dropper or downloader, which gives the attacker a foothold from which to decide the next steps. The attacker then typically explores the victim's systems to map the network, escalates privileges, and only afterwards deploys the ransomware.

Encrypting the data is often only one of several methods the attacker uses to extort money from the victim.

The key is to understand and harden the entry points for the malicious code. There are many ways into an organization's network, such as USB sticks, social engineering, or supply chain attacks, but we will focus on the two most common methods, where companies are most vulnerable.

Email (Phishing)

The easiest and most common entry point is an employee who opens an attachment, clicks on a link, or downloads the malicious code. To reduce the risk:

  • Start by testing employees' awareness and defenses with a phishing test.
  • Educate your colleagues and spread awareness about phishing.
  • Implement access control so that employees only have access to the information they need; this limits what a single compromised account can reach and encrypt.
  • Add measures such as two-factor authentication and strong passwords to close further gaps.

Network (Vulnerabilities)

All systems and devices have vulnerabilities that an attacker can exploit to gain access. This entry point is particularly common through exposed RDP (Remote Desktop Protocol) services, but also through known vulnerabilities (CVEs) in internet-facing software.

  • Start by updating software. Software that hasn't been updated for a while often has known vulnerabilities, and new updates typically patch them.
  • Conduct a vulnerability scan or a smaller penetration test to identify the vulnerabilities in the system and assess whether they can be exploited to gain access.
  • Work with your IT department to strengthen protections. Develop an action plan so the IT department knows exactly what to do in case of an attack.
  • Many technical solutions can strengthen the external defenses. Firewalls are a good example: place them at vulnerable entry points (e.g., the VPN) and do not expose remote access services such as RDP directly to the internet.
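As an added illustration (not code from the original article), the following Python script audits a small, constructed inventory for the two problems discussed above: remote access services such as RDP that are reachable from outside the internal ranges, and hosts whose last patch date is older than 30 days. The hostnames, firewall rules and dates are hypothetical; the list of internal ranges and the 30-day threshold are assumptions you would adjust for your own environment.

```python
import ipaddress
from datetime import date

# Source ranges treated as internal (assumption: RFC 1918, CGNAT/VPN pools, loopback,
# link-local and their IPv6 counterparts). Anything not fully inside one of these
# counts as "the internet".
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # CGNAT, often used for VPN pools
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]

# Remote access services that are classic ransomware entry points when internet-facing.
REMOTE_ACCESS_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH", 5900: "VNC"}

MAX_PATCH_AGE_DAYS = 30  # assumption: adjust to your patch policy

# Constructed inventory (hypothetical hosts, firewall rules and dates, not real data).
# "listeners" maps a TCP port to the source CIDRs the firewall allows to reach it.
INVENTORY = [
    {"host": "fs01",   "last_patched": "2022-01-10",
     "listeners": {3389: ["0.0.0.0/0"], 445: ["10.0.0.0/8"]}},
    {"host": "jump01", "last_patched": "2022-04-28",
     "listeners": {3389: ["100.64.0.0/24"]}},                # RDP only from the VPN pool
    {"host": "web01",  "last_patched": "2022-04-20",
     "listeners": {443: ["0.0.0.0/0"]}},                     # public web server, expected
    {"host": "db01",   "last_patched": "2021-11-02",
     "listeners": {22: ["10.0.0.0/8", "203.0.113.0/24"]}},  # SSH allowlisted for a public range
]


def reachable_from_internet(cidrs):
    """True if any allowed source range is not fully contained in an internal range."""
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        contained = any(net.subnet_of(r) for r in INTERNAL_RANGES if r.version == net.version)
        if not contained:
            return True
    return False


def audit(inventory, today):
    """Return findings as (host, kind, detail) tuples for the given reference date."""
    findings = []
    for entry in inventory:
        age = (today - date.fromisoformat(entry["last_patched"])).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append((entry["host"], "patching", f"last patched {age} days ago"))
        for port, allowed in entry["listeners"].items():
            name = REMOTE_ACCESS_PORTS.get(port)
            if name and reachable_from_internet(allowed):
                findings.append((entry["host"], "exposure",
                                 f"{name} (tcp/{port}) reachable from the internet via "
                                 + ", ".join(allowed)))
    return findings


def run_audit(today_iso="2022-05-01"):
    """Convenience wrapper: audit the constructed inventory as of an ISO date."""
    return audit(INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for host, kind, detail in run_audit():
        print(f"{host:8} {kind:9} {detail}")
```

Note that the check is deliberately strict: an RDP rule that allowlists a specific public range (db01's SSH rule here) is still reported, because the service is reachable from an address the organization does not control; whether that is acceptable is a decision for the review, not for the script. A real inventory would come from the firewall configuration and a patch management export rather than a hand-written list.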

Finally, the Most Important Step

If ransomware gets into your system, you will want to restore it quickly. Review your backup routine, test that a restore actually works, and implement the 3-2-1 rule if you haven't already:

  1. Keep three copies of your data: the primary data and two separate backups.
  2. Store the backups on two different types of media.
  3. Keep one copy off-site, in the cloud or another remote location.

At least one of the copies should be offline or otherwise not writable from the production network, since ransomware will encrypt any backup it can reach.
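As an added example (not from the original article) of reviewing the backup routine, the following Python script creates a backup with a SHA-256 manifest, performs a test restore into a scratch directory and compares every file against the manifest, then simulates a ransomware infection that overwrites everything the infected host can write to. The file names and contents are constructed, and the "online" and "offline" copies are just two directories standing in for two different media; what it shows is that only the copy the attacker could not write to still restores.

```python
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src, archive):
    """Archive src into a .tar.gz and return the manifest of what was backed up.
    In practice the manifest is stored apart from the archive (e.g. with the offline copy)."""
    manifest = make_manifest(src)
    archive.parent.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
    return manifest


def verify_restore(archive, manifest):
    """Restore the archive into a scratch directory and check every file against the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(root, filter="data")  # rejects path traversal etc. (Python >= 3.12)
                except TypeError:
                    tar.extractall(root)                 # older Python without the filter argument
        except (tarfile.TarError, OSError) as exc:
            # An archive the ransomware has overwritten is no longer a valid gzip/tar file.
            return {"ok": False, "error": f"archive unreadable: {exc}", "missing": [], "corrupted": []}
        restored = make_manifest(root / "data")
        missing = sorted(set(manifest) - set(restored))
        corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
        return {"ok": not missing and not corrupted, "error": None,
                "missing": missing, "corrupted": corrupted}


def run_scenario():
    """Back up constructed data, verify it, then simulate ransomware and re-verify both copies."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "sub").mkdir(parents=True)
        (live / "report.txt").write_text("quarterly report\n")           # constructed sample data
        (live / "sub" / "customers.csv").write_text("id,name\n1,example\n")

        online = root / "online" / "backup.tar.gz"    # copy reachable from the production network
        offline = root / "offline" / "backup.tar.gz"  # copy the infected host cannot write to
        manifest = create_backup(live, online)
        offline.parent.mkdir(parents=True)
        shutil.copy2(online, offline)
        before = verify_restore(online, manifest)["ok"]

        # Simulated ransomware: overwrite every file the infected host can write to,
        # which includes the live data and the online backup copy.
        for p in [*live.rglob("*"), online]:
            if p.is_file():
                p.write_bytes(b"ENCRYPTED" * 8)

        return {
            "before_attack": before,
            "online_copy": verify_restore(online, manifest)["ok"],
            "offline_copy": verify_restore(offline, manifest)["ok"],
        }


if __name__ == "__main__":
    print(run_scenario())
```

The test restore is the part most backup routines skip: a backup job that reports success tells you the archive was written, not that it can be read back intact. Running this kind of check on a schedule, against the copy that lives on the second medium or off-site, is what turns the 3-2-1 rule from a storage layout into something you can rely on during an incident.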