Ransomware on the rise
The news about successful ransomware attacks does not stop. It makes no difference whether the victim is a large US pipeline operator, a globally active meat producer and trader, a video game developer, a government agency or a ministry: attacks are under way everywhere, and reports of successful ones come in almost daily.
But what is ransomware anyway?
Ransomware is malware that encrypts either selected data or entire systems and then leaves a message demanding that the victim pay a ransom. The amount demanded is often based on the size of the company and on the data that was encrypted.
Increasingly, however, data is also exfiltrated, that is, copied and downloaded onto the perpetrators' own systems. This data is then used to blackmail the victim with the threat of publishing it.
Because more and more companies have working backup concepts, fewer and fewer of them were willing to pay the ransom. But when the prospect that important internal documents could be published suddenly comes up, many companies are prepared to pay after all.
There is, however, no certainty that the perpetrators will keep their word and not publish the data anyway.
It is therefore important to ensure that it never gets that far.
How can you protect yourself against ransomware?
- Anti-virus protection on as many systems as possible, ideally combined with an EDR system. Fortinet, for example, offers a high-quality endpoint protection solution with EDR functionality in FortiEDR. This allows attacks to be detected at an early stage, and damage can even be rolled back.
- Reduction of the attack surface. Keeping an overview of one's own network has become almost impossible; this is where professional pentesters or vulnerability management solutions can help. For vulnerability scanners we work with the German manufacturer Greenbone.
- Segment networks! Even though it counts towards reducing the attack surface, it is mentioned separately. Far too few companies
- Rights management ensures that not every employee works with local administrator rights. Any malware that runs then only has the rights of the user account that launched it, which severely restricts what it can do or, depending on the malware, stops it from working at all.
- Employee awareness. This is often underestimated. We all know the saying that a chain is only as strong as its weakest link. If an employee thinks twice before opening the attachment of an unexpected email, or asks why macros should be enabled in a Microsoft Office document, a lot has already been gained.
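As an added example (not code from the original post or from any of the vendors named above), the following PowerShell script checks two of the points from the list on a Windows client: which accounts sit in the local Administrators group, and whether Office is configured to block macros in documents that came from the internet. The allow-list of approved admin accounts and the domain name are assumptions and must be adjusted to your own environment; the registry paths are the standard Office 2016/2019/365 policy locations.

```powershell
# Added example, not from the original page. Requires Windows PowerShell 5.1 or
# later (for the Microsoft.PowerShell.LocalAccounts module) on the client being checked.

# Assumed allow-list: the built-in local admin plus one domain group for helpdesk staff.
# Replace these with the accounts that are actually approved in your environment.
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation-Admins')

function Get-UnexpectedLocalAdmins {
    # Returns every member of the local Administrators group that is NOT on the allow-list.
    # Ordinary user accounts showing up here are exactly the "works with local admin rights"
    # problem described above.
    param([string[]]$AllowList = $ApprovedAdmins)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $AllowList -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-OfficeMacroPolicy {
    # Office 2016 and later keep their policies under version key 16.0.
    # blockcontentexecutionfrominternet = 1 blocks macros in files carrying the Mark of the Web.
    # VBAWarnings: 1 = enable all, 2 = disable with notification (default),
    #              3 = disable except digitally signed, 4 = disable all without notification.
    $apps = 'Word', 'Excel', 'PowerPoint'
    foreach ($app in $apps) {
        foreach ($hive in 'HKLM', 'HKCU') {
            $key   = "${hive}:\Software\Policies\Microsoft\Office\16.0\$app\Security"
            $block = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
                        -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
            $vba   = (Get-ItemProperty -Path $key -Name VBAWarnings `
                        -ErrorAction SilentlyContinue).VBAWarnings
            [pscustomobject]@{
                Application         = $app
                Hive                = $hive
                BlockInternetMacros = ($block -eq 1)
                VBAWarnings         = $vba
                # Acceptable if internet macros are blocked or unsigned macros are disabled outright.
                Ok                  = ($block -eq 1) -or ($vba -in 3, 4)
            }
        }
    }
}

Write-Host '== Local Administrators not on the allow-list =='
Get-UnexpectedLocalAdmins | Format-Table -AutoSize

Write-Host '== Office macro policy (per application and hive) =='
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Run it locally as an administrator, or wrap the two functions in `Invoke-Command -ComputerName ...` to collect the same report from many clients over PowerShell remoting. A non-empty first table or an `Ok` column containing `False` is a finding to follow up on: either an account has local admin rights it should not have, or a user can still enable macros in a document that arrived by email.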
What should one do if it has come to this?
The BSI makes the following suggestions:
- Do not pay. This is meant to discourage the perpetrators from continuing their business, especially since there is no guarantee that they will hand over a decryption tool or destroy the stolen data.
- File a criminal complaint with the police. Forensic experts and investigators may be able to rescue the data, or at least track the perpetrators in order to prosecute them and ultimately bring them to justice. You can find a contact point for the responsible state criminal investigation offices on the website of the Alliance for Cyber Security.
- Isolate affected systems so that they cannot compromise other systems. Leave these systems in their compromised state until forensic experts have examined them, both to secure evidence and to learn how the system was penetrated and whether there are signs that other systems were affected.
- Restore backups. If there are secure backups that have not been compromised, they can be used to restore the system. In any case, the system should be rebuilt completely, and it should be ensured that all data on the system has been wiped before the backup is restored.
If you do not have an IT security team or computer emergency response team in your company, the BSI can recommend companies that provide the necessary support.
If you are interested in securing your company network, we can advise you. You are welcome to contact us via e-mail, telephone or our contact form.