A Personal Brush with Ransomware Disaster

Several years ago, a friend who managed a budding business shared a nightmarish story. He started his morning like any other but was greeted with a chilling message on his computer screen: "All your files are encrypted. Pay to get them back." The looming threat of ransomware had hit close to home. As business leaders in today's interconnected world, understanding ransomware and its recovery services isn't just beneficial – it's imperative.

What is Ransomware - The Invisible Burglar

When we think of kidnappers, we often visualize shady figures in dark alleyways, armed and menacing. Ransomware, on the other hand, operates in the vast, intangible realm of the internet. It’s a silent attacker, stealthy and invisible, yet its impact can be as devastating as any physical threat.

How Does Ransomware Operate? The Digital Modus Operandi

Ransomware attack doesn't kick down your door; it sneaks in, often through seemingly harmless emails or software downloads. A single click on a malicious link and the software discreetly begins its mission: encrypting files, databases, and sometimes entire networks. What starts as an unnoticed process soon snowballs into a full-blown digital lockdown.

Before you know it, your screen displays the dreaded message, usually accompanied by a timer. 

The message is clear: Pay up, or risk losing everything.

The Currency of Choice: Why Cryptocurrency?

Cryptocurrencies, with their anonymous nature, are the preferred payment method for these digital culprits. Traditional banking systems leave trace footprints that can be followed. Cryptocurrencies, however, offer a cloak of invisibility. This makes tracking the perpetrators an uphill battle, further encouraging their endeavours.

The Emotional Toll of Ransomware Attacks

Beyond the immediate financial implications, there's an emotional and psychological toll to consider. As a business owner, I recall a colleague's sheer panic when his company's years of research and development were held ransom. It's the feeling of helplessness, of being violated in a space you considered safe. It's the stress of facing the potential loss of trust from clients and stakeholders and damaging the company's reputation.

Why Business Leaders Should Care

For many executives, the concept of ransomware might initially seem like just another IT issue – something that the tech team deals with. However, in today's interconnected digital landscape, the implications of a ransomware attack extend far beyond the server room.

1. The Ripple Effect on Business Operations

Imagine starting your workday to find out that you cannot access any of your company's data. Everything is frozen. Projects get delayed, customers grow frustrated because their orders aren't fulfilled, and your sales team is paralyzed. The immediate financial hit can be substantial, but the long-term effects might be even more damaging. Once an organization gains the reputation of being "the company that got hacked", it's a tough image to shake off. This can be catastrophic for businesses that rely heavily on trust – such as HR, telecommunications, finance or healthcare.

2. The Stakeholder Trust Equation

Every business, regardless of its size or industry, relies on a foundation of trust. Customers trust you with their data and their money. Investors trust you with their capital. Employees trust you with their livelihoods and career growth. A ransomware attack, which results in significant data loss or leakage, can erode that trust rapidly. For executives, rebuilding this trust requires time, effort, transparency, and, most importantly, a demonstrable commitment to preventing future breaches.

3. Navigating the Regulatory and Legal Minefield

Post-attack, companies often find themselves under the scrutiny of regulatory bodies. Depending on the nature of your business and the data that's been compromised, you might be facing hefty fines for non-compliance with data protection regulations in the US, Canada, or the EU. Moreover, there's the looming threat of lawsuits. Customers, partners, or shareholders might seek compensation for any losses due to the attack.

4. Making the Tough Decisions

One of the most challenging decisions post-attack is whether to pay the ransom or not. On the one hand, paying is the quickest way to restore operations. On the other, there's no guarantee that the attackers will hold up their end of the bargain. Plus, paying up might paint a target on your back, signalling to other cybercriminals that you're willing to pay.

Having been in boardroom meetings, I know firsthand that these decisions aren't taken lightly. No executive wants to be able to weigh the company's financial health against its ethical stance. Yet, with the rise in ransomware attacks, it's a decision that many business leaders are now forced to confront.

Decoding Ransomware Recovery Services

• Ransomware Removal: Just as you'd call the police when faced with a physical break-in, ransomware recovery services remove the malicious software and reclaim your data.
• Data Recovery: Sometimes, it's about more than just unlocking the data but restoring it. Skilled professionals use advanced tools to recover as much data as possible, ensuring your business operations can resume promptly.
• Future-Proofing: These services don't stop at recovery. They assess vulnerabilities and reinforce your digital infrastructure, protecting you from future attacks.

Top Questions Executives Often Ask

• Is paying the ransom a good idea? Not always. There's no guarantee the attacker will release your data. Plus, it paints a target on your back for future attacks.
• How long does recovery take? It varies, but with professional ransomware recovery services, the timeline is significantly reduced compared to handling it in-house.
• What about my backups? Backups are a lifeline, but they need to be secure and updated. Attackers often target backup systems, knowing their value to your business.

A Personal Note on Preparedness

Back to my friend's ordeal. The silver lining was that he had engaged with a cybersecurity firm just months before the attack, which offered ransomware recovery services. Experts were working on his case within hours, and his operations were back online by the next day. His experience was a testament to the importance of being prepared and aligning with experts.

Embracing the Future with Vigilance

In our digitally driven age, threats like ransomware are the shadows in our alleyways. As business leaders, understanding these threats and partnering with ransomware recovery services can mean the difference between a minor disruption and a crippling blow. Stay informed, stay vigilant, and steer your ship through the stormy waters of the digital realm.

Navigating the Digital Seascape with Caution

As we chart our course through the expansive digital seascape, it's crucial to recognize the undercurrents and potential whirlpools that lurk beneath. Each technological advancement, while opening doors to new opportunities, also introduces fresh vulnerabilities. Having a proactive mindset, constantly adapting, and staying ahead of potential threats will ensure your business remains resilient amidst the ever-evolving challenges.

Building Stronger Digital Fortresses

Just as medieval cities had walls and watchtowers, today's businesses must build robust digital fortresses. These fortifications go beyond mere firewalls and antivirus software. It's about cultivating a culture of cybersecurity awareness within the organization, where every team member is a vigilant gatekeeper. Investing in regular training sessions, threat simulations, and fostering open communication channels can empower employees to recognize and report potential threats, fortifying the business from within.

Bonus Chapter - Ransomware Recovery Checklist for Business

1. Immediate Actions

• Isolate Infected Systems: Disconnect affected devices from the network to prevent the spread of ransomware.
• Alert IT and Security Teams: Inform your IT and cybersecurity teams immediately about the suspected ransomware incident.
• Activate Incident Response Team: If you have a dedicated incident response team or plan, activate it immediately.

2. Assessment and Documentation

• Identify the Ransomware Variant: Determining the specific type of ransomware can aid in the recovery process.
• Document Everything: Log all actions taken, ransom notes, payment demands, and any communication from attackers.
• Engage Legal Counsel: Due to potential regulatory implications, engage your legal team early in the process.

3. Communication

• Notify Stakeholders: Inform internal stakeholders about the breach without causing unnecessary panic.
• External Communication: If client data is at risk, communicate with your clients and partners transparently, ensuring compliance with any notification requirements.
• Contact Law Enforcement: Notify appropriate authorities about the incident.

4. Recovery Efforts

• Evaluate Backups: Check the integrity of your backups to ensure they are free from ransomware.
• Begin Data Restoration: Use clean backups to restore systems. Ensure that the ransomware is completely removed before restoration.
• Seek Expert Assistance: If necessary, consider hiring external cybersecurity firms to assist with data recovery and system restoration.

5. Decision on Ransom Payment

• Weigh the Pros and Cons: Understand the implications of paying the ransom, including the ethical dilemma and the lack of guarantee that data will be returned.
• Consult Experts: Engage with cybersecurity consultants and law enforcement for guidance on the decision.

6. Post-Recovery Actions

• Strengthen Security Protocols: Implement stronger cybersecurity measures to prevent future attacks. This might include multi-factor authentication, regular software updates, and advanced threat detection tools.
• Employee Training: Regularly train employees on the importance of cybersecurity and how to recognize potential threats.
• Regular Backups: Schedule frequent backups of critical data and test the integrity of those backups regularly.
• Incident Debrief: Conduct a post-incident analysis to identify what went wrong and areas for improvement. Adjust your incident response plan accordingly.

7. Ongoing Vigilance

• Monitor Systems: Continuously monitor systems for any signs of unusual activity.
• Stay Updated: Keep abreast of the latest ransomware threats and trends in the cybersecurity world.
• Cybersecurity Audits: Regularly conduct cybersecurity audits to identify vulnerabilities and patch them.

In the face of a ransomware attack, preparation and quick action are key. Following this checklist can help businesses navigate the challenging aftermath of an attack and return to normal operations more swiftly.

Facing a ransomware crisis? 

Let The Driz Group be your lifeline. Our dedicated team promises swift recovery in 72 hours or less. For expert ransom brokering and resource-saving solutions, trust our certified professionals. Secure your free consultation now and reclaim your peace of mind.

The Dawn of Ransomware - A Personal Prelude

Back in the late '90s when the digital world was still blossoming, I remember encountering a peculiar virus on a friend's computer. It was one of the early forms of ransomware. We were both flabbergasted, unable to access our saved college assignments. We never paid the ransom; instead, we spent a sleepless weekend rewriting our projects. Fast forward a few decades, and now, as the president of a cybersecurity company, My team and I deal with far more sophisticated ransomware attacks daily. But the underlying emotion remains - the need to protect and safeguard.

Understanding the Ransomware Menace

Ransomware has rapidly emerged from the shadows of the dark web, transforming into one of the most notorious and prevalent cyber threats facing organizations today. This isn't your everyday malware; it's a digital extortion tool. Once activated, ransomware locks down vital data, rendering systems unusable and halting business operations in their tracks. For companies unprepared for such attacks, the consequences can be paralyzing. 

While the modus operandi is simple—encrypt, demand, and wait—the strategies behind these attacks are increasingly sophisticated. Cybercriminals frequently exploit vulnerabilities in outdated software, craft deceptive phishing emails, or use brute force attacks to gain unauthorized access. And, with the rise of Ransomware-as-a-Service (RaaS), even individuals with minimal technical know-how can launch attacks, renting the malicious software and services from seasoned criminals.

The choice of cryptocurrency as the preferred mode of ransom payment isn't coincidental. Cryptocurrencies, like Bitcoin, offer anonymity to the perpetrators, making tracing and apprehending them considerably more challenging. Moreover, the demands aren't always purely financial. Some attacks carry with them a message, perhaps political or ideological, further complicating the situation.

But here's the real kicker: Paying the ransom doesn't guarantee safety. There's no binding contract in the underbelly of cybercrime. Even after parting with substantial sums, businesses might not receive the decryption key or could find themselves targeted again, trapped in a vicious cycle of cyber blackmail. Thus, prevention, preparation, and education have become the triad of defense against this relentless digital menace.

The Stakes Have Changed

Back in college, the biggest threat to our digital assignments was an accidental delete or a sudden system crash—mostly self-inflicted and remedied with a quick call to the IT department or a desperate, all-nighter re-write. The idea of someone holding my thesis for a ransom was, frankly, laughable. But times have dramatically changed. In the high-stakes environment of modern business, there's much more on the line than a semester's grade.

Imagine waking up one day to find that every piece of your company’s proprietary data—years of research, intricate designs, strategic plans, and customer information—is encrypted and entirely out of your reach. The implications of such a breach are devastating. It's not just the potential financial loss that's concerning; it's the trust of your customers and partners, the reputation you've painstakingly built over the years, and the morale of your employees. In a matter of hours, the very foundation of your company can be shaken to its core.

Moreover, with businesses increasingly moving towards digital transformation, the volume of data they generate and store multiplies exponentially. This data isn't just numbers on a server—it's the lifeblood of the organization. It provides insights, drives decisions, and empowers innovation. Losing access to this data or, worse, having it fall into the wrong hands, can stifle a company's growth and innovation. The ripple effect of a ransomware attack extends far beyond the initial incident, affecting business partnerships, customer relationships, and market standing for years to come.

A Glimpse at the Stats

Considering the relentless nature of cyber-attacks, the trajectory from 2021 into 2023 has been alarming. Recent reports suggest that by 2023, the frequency of ransomware attacks has skyrocketed, now happening almost every 10 seconds. This escalation underscores an even greater urgency for businesses and industries at large. The projected financial impact has surged, with estimates indicating a staggering $25 billion in damages for 2023 alone. Alarmingly, sectors once deemed less susceptible are now finding themselves in the crosshairs, including education, retail, and even non-profit organizations. With attackers diversifying their targets and refining their techniques, the message is clear: Complacency is no longer an option, and a proactive approach to cybersecurity has never been more crucial.

The Million-Dollar Dilemma: To Pay or Not?

Navigating the turbulent waters of a cyber-attack is an intricate affair. Often, the dilemma stretches beyond the immediate financial implications. For business leaders, there is a deeper moral quandary at play. Paying a ransom might provide a quick resolution, but does it indirectly fund and embolden criminal enterprises to continue their nefarious activities? Moreover, succumbing to the demands of cybercriminals can paint a company as an 'easy target,' potentially inviting more attacks in the future.

Furthermore, the message a company sends during these challenging times is under intense scrutiny. Stakeholders, employees, clients, and the general public closely observe the company's response. Ethical considerations intertwine with reputational risks. A firm's choice in these moments can deeply influence its brand image, either reinforcing trust or eroding it swiftly. Transparency in communication and a demonstration of resilience and responsibility can play a pivotal role in safeguarding the company's long-term reputation. In an era where consumer loyalty is often tied to corporate values, the strategic handling of such crises can make all the difference.

A Personal Memory

I recall a conversation with a client, a CEO of a budding e-commerce company. They had just faced an attack. The desperation in his voice was evident: "Should I pay? What guarantees that my data will be safe? What if they come back?" It was reminiscent of the confusion my friend and I felt all those years ago, but the stakes were much higher now.

Strengthening Defenses - A Proactive Approach

Building the Digital Fortress

In the vast world of cyberspace, our data infrastructure can be likened to a medieval fortress. The walls, moats, and sentries are our firewalls, security protocols, and vigilant cybersecurity teams. Just as ancient castles were constructed with a keen understanding of the potential threats of the day—be it a battering ram or a siege tower—our digital defences must be designed with the threats of our digital age in mind.

Ransomware attacks are akin to stealthy infiltrators who find a weak point in the defences, exploiting them before the sentries are any wiser. But by constantly monitoring, updating, and patching our systems, we are effectively reinforcing the walls, ensuring there's no vulnerable crevice or overlooked backdoor for these digital marauders to exploit.

A Proactive Approach is Paramount

It's often said in the world of cybersecurity that it's not about 'if' but 'when' an attack will happen. And while that might sound pessimistic, it is a call to always be on guard and proactive. Relying on reactive measures is like only preparing for a storm when it's already overhead. By continually educating ourselves and our teams, staying updated about the latest ransomware tactics and techniques, and fostering a cybersecurity awareness culture, we can anticipate potential threats. It’s akin to having scouts always on the lookout, signalling at the first sign of an approaching adversary. This proactive approach ensures that we're not just waiting for the next attack but actively thwarting potential breaches before they materialize.

Employee Education

The human element plays an instrumental role in the cybersecurity landscape. An organization can invest millions in state-of-the-art security infrastructure, but a single misinformed click by an employee can render those defenses useless. Thus, fostering a culture of cybersecurity awareness is paramount.

The landscape of cyber threats is ever-evolving. With each passing day, cyber adversaries craft new tactics, techniques, and procedures to bypass conventional security measures. It's no longer sufficient to have annual or quarterly training; continuous education is vital. Regular updates on emerging threats, simulated phishing exercises, and open forums for employees to discuss and ask questions about suspicious emails or links can make a marked difference.

Moreover, incorporating cybersecurity best practices into onboarding procedures ensures that from day one, every member is primed to act as a vigilant guard. Emphasizing the importance of strong, unique passwords, the use of multi-factor authentication, and the dangers of using unsecured networks for official tasks can go a long way.

In essence, while technology is a powerful tool in the fight against cyber threats, empowering employees with knowledge and fostering a proactive security mindset is equally, if not more, vital. After all, a well-informed team acts as both a shield and a sensor, detecting anomalies and preventing breaches before they escalate..

Backup, Backup, Backup!

A secure and regularly updated backup acts as a treasure vault, ensuring that your precious data remains shielded from prying eyes and malicious intents.

Why is it a Silver Bullet?

• Immediate Restoration: Ransomware attacks aim to hold your data hostage, demanding hefty ransoms for its release. But with a recent backup at hand, you can promptly restore your systems and operations, rendering the attacker's leverage obsolete.
• Financial Savings: Negotiating and paying ransoms can be a costly affair, both in terms of the actual ransom amount and potential legal implications. A backup eradicates the need for such expenditures.
• Operational Continuity: Time is of the essence in business. A prolonged negotiation or downtime due to data loss can severely disrupt business continuity. With a backup, provided that it’s tested regularly, you can swiftly resume operations, ensuring minimal disruptions.

Best Practices for Backups

• Off-Site Storage: Storing backups in a different location from your primary data centers adds an extra layer of security. Natural disasters, fires, or on-site breaches won't jeopardize your primary data and backups.
• Encryption: Encryption converts your data into a code, preventing unauthorized access. Even if your backup data were to fall into the wrong hands, without the decryption key, it remains a jumbled, unreadable mess.
• Regular Updates: A backup is as good as its last update. Regularly updating your backups ensures that even the most recent data is safe. Automate this process to ensure consistency and avoid human errors.
• Testing: Periodically test your backups to ensure they're working correctly. There’s nothing worse than thinking you're protected, only to find out during a critical moment that your backup is corrupted.
• Versioning: Maintain multiple versions of your backups. If one version becomes compromised or has an issue, you can revert to a slightly older yet still relevant version.

In conclusion, while the threats in the digital realm continue to evolve, having a secure and updated backup remains a timeless defence strategy. It provides peace of mind and empowers businesses to stand resilient against cyber adversaries.

The Legal Side of Ransomware

The Complex Legal Landscape of the US and Canada

As ransomware incidents surge, the legal frameworks in both the US and Canada are adapting to meet the challenge. Companies on either side of the border must be acutely aware of how regulations vary yet intersect, especially if they operate transnationally. While ransom might not be illegal, the intricacies lie in who receives the payment. For example, the ramifications can be severe if a business inadvertently funds a group or entity sanctioned under US or Canadian law. It becomes paramount, then, for businesses in these regions to consult with their IT departments and engage legal teams familiar with the evolving cybersecurity legislations in both countries.

Bridging Efforts Across the Border

Recognizing that geographical boundaries do not confine cyber threats, the US and Canada have shown an inclination towards collaborative efforts in battling ransomware. These mutual efforts, which range from intelligence sharing to joint cybersecurity drills, signify a unified front against a common digital adversary. Regardless of their size, businesses should be proactive in understanding these collaborative efforts, ensuring that they leverage resources, insights, and best practices shared by both nations. The synergy between the US and Canada is a testament to the importance of collective resilience in the digital age.

A Glimpse of Hope - Cyber Insurance

Cyber Insurance: A Safety Net, Not A Cure- All

The allure of cyber insurance has increased, with businesses viewing it as a financial safety cushion against cyber threats. However, it's imperative to recognize that insurance is not a panacea for all cybersecurity woes. Instead, it serves as a fallback mechanism should all else fail. While a policy might provide a financial respite in the aftermath of an attack, it does nothing to prevent the potential loss of customer trust, reputation damage, or operational downtime. Furthermore, the nuances of these policies can be intricate. For instance, while some might offer coverage for ransom payments, others might not. Diving deep into the fine print becomes crucial to gauge what protection is truly being extended.

The Marriage of Security Protocols and Insurance

The cyber insurance industry is astute. Coverage isn't handed out generously; insurers often require businesses to demonstrate that they've implemented robust security controls before qualifying for a policy. For businesses operating in the US and Canada, this often means adhering to a mix of recommended best practices from both nations. Insurance providers understand that the best way to minimize payouts is to ensure that their clients are fortified against threats in the first place. Hence, cyber insurance acts as a safety net and a motivator, urging businesses to maintain stringent security postures. This interplay between insurance and cybersecurity best practices emphasizes that in the modern digital landscape, preparedness and prudence always go hand in hand.

Concluding Thoughts

The world of ransomware is dynamic. What was true a year ago might not be the case today. As someone who's witnessed the evolution firsthand, I cannot stress enough the importance of staying updated, vigilant, and proactive.

As executives, the decision to pay a ransom or not is daunting. But with the proper measures in place, informed choices can be made. After all, as the saying goes, "Forewarned is forearmed."

Ready to Fortify Your Defenses?

In the ever-evolving battlefield of cyber threats, standing resilient is not just about preparation—it's about partnering with experts who can guide, defend, and recover. Whether you're aiming to bolster your defences against ransomware attacks or seeking adept brokering assistance after a breach, The Driz Group stands ready to be your trusted ally.

Don't let cyber adversaries dictate your next move. Contact us today and reclaim control. Your cybersecurity future starts now with The Driz Group by your side.

These days, our data is under constant threat. One of the most pressing dangers is ransomware, a type of malicious software that locks up and encrypts a victim's data, demanding payment for its release. The antidote? Regular data backups. But as ransomware grows more sophisticated, it has also learned to target backup files, rendering many traditional backup strategies ineffective.

Enter the concept of "immutable backups." They are your secret weapon against these cyber threats. This article will take you on a journey, explaining what ransomware is, the importance of data backups, the power of immutable backups, and how to implement them to fortify your data security. Let's dive in and outsmart ransomware together.

Understanding Ransomware

Ransomware is a type of malicious software or malware. It encrypts a user's data and then demands a ransom payment, usually in the form of cryptocurrency, to unlock and restore access to the data. As these attacks have grown in frequency and sophistication, they've also grown in their potential for damage - affecting individuals, businesses, and even entire infrastructure sectors.

Let's break down the anatomy of a ransomware attack:

The Infection

Ransomware often infiltrates systems through phishing emails, malicious downloads, or exploit kits that take advantage of system vulnerabilities. Once inside, it begins its silent work.

The Encryption

Without alerting the user, the ransomware encrypts files on the system. This can include personal files, system files, and in more aggressive cases, entire network shares or cloud storage spaces.

The Ransom Demand

When the encryption is complete, the ransomware reveals itself, displaying a message to the victim with instructions on paying the ransom in exchange for the decryption key.

To paint a picture of the real-world impacts of ransomware, let's look at a few case studies. 

Remember the infamous WannaCry ransomware attack in 2017? It affected over 200,000 computers across 150 countries, with total damages estimated in the billions. In another instance, the city of Atlanta was hit by the SamSam ransomware in 2018, crippling municipal operations and costing over $2.6 million to recover.

Understanding ransomware and its methods is the first step in developing a robust defence strategy. Let's move to the next piece of this puzzle - data backups.

The Importance of Data Backups

Imagine losing all your digital photos, documents, emails, or business data in a blink. Sounds terrifying, right? This is where data backups come to the rescue. Data backups act as a safety net, preserving your important files and enabling you to restore them in case of data loss events like hardware failures, accidental deletions, or ransomware attacks.

Types of Data Backups

There are primarily three types of data backups:

• Full backups involve copying all data from a system. While these are the most comprehensive, they require the most storage space and time to create.
• Incremental backups only back up the changes made since the last backup (either full or incremental). They are faster and use less storage, but restoring from them can be more complex.
• Differential backups also back up changes made since the last full backup but do so every time a backup is made without considering the incremental backups. They strike a balance between full and incremental backups.

The Limitations of Traditional Backup Strategies

While backups are invaluable in recovering from data loss, traditional backup strategies have shown limitations in the face of ransomware. Sophisticated ransomware variants are designed to infect not just the primary data but also connected backups or to delete shadow copies created by the system.

This has created a need for a more robust solution. Enter immutable backups. In the next section, we'll delve deeper into what immutable backups are and how they serve as an effective defence against ransomware attacks.

What are Immutable Backups?

In the simplest terms, immutability means something cannot be changed or altered. When applied to data backups, this means that once data is written, it cannot be modified, deleted, or encrypted by anyone - not even the system administrator. This is particularly crucial when defending against ransomware.

The Power of Immutable Backups

Immutable backups provide a robust safeguard against ransomware attacks for several reasons:

• Unchangeable: Since the backups cannot be altered, they are immune to ransomware encryption, ensuring you always have an untouched version of your data.
• Permanent: Unlike traditional backups, immutable backups cannot be deleted until a predefined retention period has passed, ensuring data remains safe and retrievable.
• Secure: Because not even system administrators can alter these backups, they provide a higher level of security, reducing the risk of external threats and internal vulnerabilities.

In short, immutable backups serve as a time capsule for your data, ensuring that you will always have a secure, untouched copy to restore from no matter what happens to your live data. But how do you make your backups immutable? Let's explore this in the next section.

Making Your Backups Immutable

Achieving immutability in your backups involves combining technical strategies and choosing the right tools. Below is a step-by-step guide to creating immutable backups.

Choose the Right Backup Software or Service

Not all backup software or services support immutable backups. Look for solutions that offer data immutability as a feature. Providers such as Amazon S3 offer object lock features that can be used to create immutable backups.

Set Retention Periods

Determine the retention periods for your backups based on your business needs and compliance requirements. Once set, the data cannot be deleted until the end of this period.

Test Your Backups

A backup is only good if it can be successfully restored. Regularly test your backups to ensure they can be retrieved and successfully restored.

Monitor and Audit

Regularly monitor and audit your backup processes. Look out for any failed backups or irregular activities. Some backup services provide automatic monitoring and alerting features, making this easier.

Train Your Team

Last but not least, train your team. Everyone should understand the importance of backups, the threats of ransomware, and the function of immutable backups. This ensures that everyone plays their part in maintaining a strong line of defence against ransomware attacks.

Remember, creating immutable backups should not replace your regular backup processes but rather augment them. It's always best to have multiple layers of defence when it comes to data protection.

Next, look at real-world examples of organizations that have successfully leveraged immutable backups to counter ransomware attacks.

Case Studies

Learning from others' experiences can be the best way to understand the potential impacts of ransomware and the effectiveness of immutable backups. Here, we examine two such instances.

Case Study 1: A Mid-Sized Business and the Power of Immutable Backups

In 2022, a mid-sized business in the healthcare sector fell victim to a ransomware attack. The attackers demanded a substantial ransom to unlock the encrypted data. Fortunately, the business had been maintaining immutable backups of its critical data.

They could reject the ransom demand, restore their operations from the unaltered backups, and suffer minimal downtime. The incident highlighted the role of immutable backups as a vital line of defence against increasingly sophisticated cyber threats.

Case Study 2: A School District's Close Call

In another case, a school district in Texas faced a ransomware attack that compromised their main servers and attempted to encrypt their backup files. But because they had recently switched to a backup system with immutable snapshots, the attackers could not encrypt these backups.

The school district restored their data from the immutable backups without paying the ransom. This incident served as a wake-up call to other educational institutions, showing the importance of adopting robust data protection strategies, including using immutable backups.

These cases underline the fact that no sector is immune to the threat of ransomware, and every organization can benefit from making their backups immutable. Let's conclude our journey in the next section.

Conclusion

Navigating the ever-evolving landscape of cybersecurity threats can feel like a daunting task. Yet, as we've learned throughout this article, adopting sound strategies such as immutable backups can significantly strengthen our defences against potent threats like ransomware.

Immutable backups offer a powerful safeguard, ensuring that no matter how advanced ransomware becomes, there is always a secure, untouched version of our data that we can turn to. They act as our secret weapon, a time capsule that ransomware cannot touch, giving us the confidence and peace of mind to focus on our primary business operations.

But remember, creating immutable backups is not a one-and-done task. It's a continual process that requires ongoing vigilance, monitoring, and adjustments to stay ahead of the evolving threat landscape. Make an effort to educate your team, choose the right tools, set appropriate retention periods, and regularly test and monitor your backups.

The fight against ransomware is one we must all engage in. Using the power of immutable backups, you can ensure that you're always one step ahead, turning the tide in this battle to outsmart ransomware.

Ready to Fortify Your Cybersecurity?

There's no better time than now to bolster your defences against ransomware. If you have questions or need expert assistance implementing immutable backups for your business, The Driz Group is here to help. With our experience and dedication to cybersecurity, we can guide you on the path to a more secure future.

Don't leave your data unprotected for another day. Contact The Driz Group now, and let's turn the tables on ransomware together. Contact us today to learn more about our services. Your peace of mind is just a call away.

Recent statistics have a chilling story to tell about ransomware attacks. An organization becomes a victim of ransomware every 11 seconds. Further, by the end of 2022, ransomware's damage is expected to reach $21 billion.

The rise in cybersecurity crime has many businesses on edge. In fact, even start-ups invest in cybersecurity from day one to ensure it does not disrupt their business or even shut them down completely.

Another recent statistic suggests that one out of every eight small businesses will need to file for bankruptcy this year because they fell victim to a cyberattack.

The best way to defend your business from ransomware attacks is with education. When you understand what it is and how it happens, you can create the necessary security measures to prevent them.

Here is what to know about ransomware and cybersecurity.

What Are Ransomware Attacks?

From crypto-virology, ransomware is a kind of malware. The ransomware threatens a victim with publishing their personal data. They also threaten to permanently block a user’s access unless the user pays a ransom fee.

Some forms of ransomware may not damage files, but only lock the user’s system. There is more advanced malware on the attack today that uses a technique technology experts call cryptoviral extortion.

There are many ransomware variants, including:

• DearCry
• Lapsus$
• Lockbit
• Maze
• REvil (Sodinokibi)
• Ryuk

The way ransomware implements itself varies. However, they attack at these common core stages.

First, they will infect and disrupt vectors. Next, they will encrypt the files on your machine. Last, the cybercriminal demands a ransom.

How to Stop Ransomware Attacks

The best thing to do about ransomware attacks is to stop them before they start. You want to leverage best practices with proper preparation. This will not only decrease how a ransomware attack with impact your company, but it will decrease the cost that is associated with fixing cyberattacks.

There are plenty of security benefits when you follow these best practices.

Educate Employees on Cyber Awareness

The primary source for ransomware to be attacked is a user receiving a phishing email. Employees need to identify a phishing email and not click on its content. A phishing email will ask the user to click on a malicious link, so avoiding such links will prevent ransomware attacks.

Backup Data Often

The way ransomware works are that it will restore a user’s access if they pay a ransom. However, if you back up your data often, you can recover your data following an attack with minimal data loss and you do not need to pay the ransom. Regular backups must be routine.

Patching

Cybercriminals will find vulnerabilities in a system and target it before a developer can create a patch. That is why patches are so important and your technology team must keep up to date with them. When they apply patches to your systems, it reduces potential vulnerabilities.

User Authentication

Weak passwords create vulnerabilities. First, it is important to choose a strong password that another person cannot guess; but second, it helps to add two-factor authentication.

Two-factor authentication requires two factors to verify your identity. You would need two of the following three factors to gain access to your account:

• Something you know (this could be a passcode)
• Something you are (this could be a fingerprint
• Something you have (this could be a key)

Essentially, two-factor authentication goes beyond just the username and password.

How Can You Remove Ransomware?

If a ransom message appears, this means that ransomware was successful in infecting your machine. When you experience an active ransomware infection, you will need to respond to it. You must decide whether or not you will pay the ransom.

Mitigate the Infection

Often, a user will only detect ransomware after data encryption completes. You will know because you will see a display of the ransom note. While you cannot recover your encrypted files, there are still steps you can take to lessen the potential damage.

First, place the machine with the infection in quarantine. Ransomware usually attempts to spread to other machines and connected drives. That is why it is important to stop the spread by quarantining.

Next, it may tempt you to turn the computer off, especially because it will appear unstable. However, this will decrease the likelihood of recovery, including a loss of volatile memory. Leave your computer on while you sort this out.

Backups and Decryption

Then, create a backup. It is possible sometimes to decrypt the files even when you do not pay the ransom. Grab a removable media and make a copy of your encrypted files, particularly in case a future decryption attempt fails.

If you want to try to decrypt your files, you can check out the No More Ransom Project. They may have a decryptor available for free. Another option is to seek the help of a digital forensics expert.

Finally, you will want to wipe and restore your machine. You can use an operating system installation or a clean backup. This way, the malware will be removed from your device completely.

Investing in Cybersecurity

Choosing a trusted partner to help you with compliance and cybersecurity will reduce risks and improve your infrastructure. Discover the security benefits of working with The Driz Group!

Unfortunately, no business is immune to cybersecurity challenges when you have digital assets. That is why you need a partner to help you solve complex information security problems.

The professionals at The Driz Group help their customers every day to prevent and mitigate ransomware attacks by proactively managing their cybersecurity programs.

Prevent data breaches before they happen and contact The Driz Group today!

More and more hackers are using distributed denial-of-service (DDoS) attacks to hold businesses to ransom.

In June 2021, the Canadian Centre for Cyber Security issued an alert to raise awareness of increased DDoS extortion activity. One notable case occurred in September of that year, with ITWorld Canada reporting that a voice-over-IP provider in Canada had been targeted.

The perpetrator was believed to have demanded one bitcoin (equal to around $45,000) as payment to end the assault. Numerous other companies have been hit since.

With ransom DDoS incidents becoming more common, it’s crucial that organizations understand how serious this threat is, how it could affect them, and what defensive measures they can use to stay safe.

But before we explore what a ransom DDoS attack is and how you can stop it, we’ll cover the basics.

What is a DDoS Attack?

A DDoS attack floods a specific network, server, website, or application with an overwhelming amount of traffic. This disrupts the normal flow of traffic and prevents the target from operating as it should.

Perpetrators tend to use botnets to launch DDoS attacks. A botnet is a network comprising many connected systems, all of which have been infected with malware, to generate disruptive traffic. These devices may be computers, IoT (Internet of things) gadgets, or mobile devices.

A hacker can leverage these “zombie” systems to attack their target with enough traffic to cause serious problems. Attackers may aim to:

• Cause communication problems and leave a business unable to interact internally or with external contacts, such as customers or suppliers.
• Bring a company’s website offline to get a competitive advantage, either for their own gain or an employer’s.
• Disrupt a business’s operations to the extent that customers cannot get the products or services they pay for — ultimately chasing them away and causing reputation damage.

But with ransom DDoS attacks, hackers are driven more by greed than anything else.

What is a Ransom DDoS Attack?

A ransom DDoS attack (often referred to as a RDDoS attack) is essentially the same, but with a few key differences. The attacker’s goal is to extort money from the target through threats and even brief demonstrations of their power.

A hacker may launch a DDoS attack against a business then contact the victims to demand payment. They will expect the target to pay the ransom, and if they remain unpaid, the attacker will continue the DDoS assault.

Alternatively, hackers may threaten the target before they begin the attack. Their objective will be to inspire panic in the potential victims and receive money without needing to act.

However, an inexperienced or unequipped perpetrator may lack the resources or knowhow to follow through on their threat. In this case, an organization could emerge from the incident unscathed even if they refuse to pay the ransom.

How Does a Ransom DDoS Attack Disrupt Businesses?

A ransom DDoS attack could disrupt your business in various ways, assuming the perpetrator launches the attack instead of simply issuing a threat.

• Your website may become inaccessible, preventing existing and prospective customers from purchasing products, subscribing to services, or enjoying your content. This downtime can equate to lost sales and revenue.
• A DDoS attack could leave your workers unable to complete crucial tasks, leading to a drop in productivity that creates backlogs and delays.
• Your search engine rankings may drop if your website is inactive for any reason or runs slowly. That can harm your online visibility.
• Customers, affiliates, and suppliers may worry that your business is unreliable, and that any data you have that relates to them is unsafe.
• If you pay the ransom, your finances could take a significant hit — and there’s no guarantee that the hacker will end the attack.

Preventing an attack, and being prepared to handle one just in case, is vital to reduce your risk of experiencing these issues.

What Can You Do To Prevent a Ransom DDoS Attack?

Keep the following measures in mind to help prevent a ransom DDoS attack against your organization:

Refuse to Pay the Ransom

Your first instinct may be to pay the ransom, but you have no way of knowing whether that will stop the attack. It may continue, or the perpetrator could retarget your business again because they know you’re likely to pay a second time.

Train Employees to Handle Threats Responsibly

Educate your workers on what a ransom DDoS attack involves, how they usually unfold, and what actions to take if they receive a threatening message. They should know who to report an incident to and how to recognize early signs of an attack.

Look Out for Warning Signs of Impending Attacks

Common early signs of a DDoS attack include:

• Servers slow down and become less efficient.
• Significantly more spam emails littering your inbox.
• Your website takes longer to load.
• One or more computers slow down or show unusual signs of impaired performance.

These could indicate other problems, too, such as outdated equipment. However, it may be best to have any of these signs investigated by cybersecurity specialists just in case.

Ensure Your Security Measures are Updated and Effective

If you haven’t updated your firewalls and other IT security measures in a while, review them to identify potential weaknesses. Outdated cybersecurity software may lack the features to protect your business.

Work with Professional Cybersecurity Specialists

Reviewing, updating, and testing your cybersecurity setup is complicated. But it’s critical to reduce your risk of being affected by a ransom DDoS attack. For many companies in Canada, the simplest way to combat threats is to work with a team of cybersecurity professionals.

At The Driz Group, we’re dedicated to providing unparalleled cybersecurity solutions for businesses in all sectors.

Our experienced, trained, reliable team will perform a comprehensive IT audit and vulnerability assessment to accurately determine your unique security requirements. And we’ll implement the best security available to always defend your organization.

Start protecting your business — schedule your free consultation with The Driz Group today.

Ransomware Attack Shuts Down Several Toronto Transit Commission (TTC) Services

Toronto Transit Commission (TTC), the public transport agency that provides public transportation services to commuters in Toronto and from surrounding municipalities, is still reeling days after a ransomware attack hit the agency’s computer network.

In a statement released last October 29th, TTC said that last October 28th, it learned it was the victim of a ransomware attack. The agency said TTC IT staff detected "unusual network activity" and attackers "broadened their strike on network servers."

TTC said the impacted services and systems include:

• Loss of the TTC's Vision system, used to communicate with vehicle operators
• Next vehicle information on platforms screens, through trip planning apps and on the TTC website is unavailable
• Online Wheel Trans bookings are unavailable
• Internal TTC email service is offline

In the absence of the TTC's Vision system, operators have been forced to communicate with Transit Control with radios. Customers of Wheel Trans van service who couldn’t book online were asked to phone to reserve pickup. And without email service, customers are asked to call.

Shabnum Durrani, TTC head of corporate communications, told IT World Canada that she couldn’t say what ransomware strain attacked TTC. She couldn’t say also if the attackers were able to copy emails of employees, nor could she say if any corporate data was copied. When asked whether TTC has been in contact with the ransomware attackers, Durrani said, “I cannot comment on that at this time.”

As of November 3, TTC spokesperson Stuart Green said that Wheel Trans online booking system is now up and running.

Ransomware Attacks on Public Transport Systems

In December 2020, Metro Vancouver's transportation network TransLink confirmed that it was a victim of a ransomware attack.

“We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure,” TransLink CEO Kevin Desmond said in a statement. “This attack included communications to TransLink through a printed message.” 

The ransomware attack on TransLink led to multi-day transit payment problems.

Back in 2016, the San Francisco Municipal Transportation Agency (SFMTA) confirmed that it was a victim of a ransomware attack. SFMTA said the ransomware attack affected approximately 900 office computers, and SFMTA's payroll system was temporarily affected. The transportation agency said no data was accessed from any of its servers.

What Is Ransomware?

Ransomware is a type of malicious software (malware) that encrypts victims’ files, preventing victims from accessing their files. Ransomware attackers demand ransom payment from victims in exchange for the decryption tool that promises to unlock the encrypted files.

A few years back, there was no transparency on whether ransomware attackers also steal data from victims. Today, ransomware attackers are open that aside from encrypting files, they also steal data from victims. The acknowledgment that ransomware attackers steal data from victims gives rise to double extortion, and lately triple extortion.

In triple extortion, ransomware attackers demand ransom payment for each of these attack tactics:

1. File Encryption

Ransomware attackers first demand ransom payment for the decryption tool that promises to unlock the encrypted files.

2. Data Theft

Ransomware attackers now acknowledge that before encrypting files, they exfiltrate or steal data. Many ransomware attackers now maintain a website that names ransomware victims. These victims are threatened that stolen data from their computer networks will be published online if payment for the non-publication of the stolen date won’t be paid.

3. Distributed Denial-of-Service (DDoS) Attacks

What used to be a stand-alone attack, Distributed Denial-of-Service (DDoS) has been made part of the whole attack process of some ransomware attackers. Darkside, the group behind the Colonial Pipeline ransomware attack has been known to add DDoS attack to their attack tactics.

In a DDoS attack, attackers overwhelm the target or its surrounding infrastructure with a flood of Internet traffic. One example of a DDoS attack is flooding a corporate website with malicious Internet traffic, preventing legitimate users from accessing the corporate website.

Adding DDoS on top of encryption and stealing data, adds pressure to IT staff who are already overwhelmed with the encryption and stolen data issues.

Security researchers also refer to ransomware triple extortion as an expansion of demand payments to victims’ customers, partners, and other third parties. Vastaamo, a Psychotherapy Center in Finland with nearly 40,000 patients, declared bankruptcy after attackers breached for nearly a year the Center’s computer network.

Attackers demand from Vastaamo to pay nearly half a million US dollars in Bitcoin. Patients’ personally identifiable information, including the actual written notes that therapists had taken, was stolen by the attackers. A few years after the breached period, attackers started sending extortion messages to the patients, asking them to pay a certain amount of money to prevent their data from being published. The attackers already leaked online the private data of hundreds of patients.

Cybersecurity Best Practices

Here are some cybersecurity best practices against ransomware attacks:

• Implement the 3-2-1 backup rule which means that 3 copies of important data must be kept, 2 copies in different media formats, and one copy off-site for disaster recovery.
• Keep all software up to date.
• Practice network segmentation, that is, subdividing your computer network into sub-networks so that in case one network encounters a problem, the other sub-networks won’t be affected.
• Use an automated DDoS solution.
• Raise your organization’s security precautions during weekends and holidays – data shows that ransomware attackers are likely to attack during these times.

How to Implement Best Cyber Defense Against BlackMatter Ransomware Attacks

Three U.S. government agencies, the Cybersecurity, and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), recently issued a cyber security alert and defense tips against BlackMatter ransomware attacks.

What Is BlackMatter Ransomware?

BlackMatter is a relatively new ransomware. It was first observed in the wild in July 2021. This new ransomware exhibits the typical features of a modern-day ransomware, including the double extortion modus operandi.

In double extortion, the ransomware group steals data from victims. After stealing data, the attackers then encrypt victims’ data, preventing victims from accessing their data. After data encryption, attackers demand from victims ransom payment in exchange for a decryption tool that purportedly would unlock the encrypted data.

In double extortion, failure on the part of the victims to pay the ransom payment for the decryption tool leads to the activation of the second ransom demand, that is, victims are named on a leak site as victims of ransomware attacks. These victims are then threatened that their data will be published in case they won’t pay ransom.

Some ransomware actors still demand the second ransom payment – for the non-publication of the stolen data – despite the payment of the first ransom payment, that is, payment for the decryption tool.

Like other modern-day ransomware, BlackMatter ransomware is operated under the scheme called ransomware-as-service (RaaS). In RaaS, the ransomware developer (the one who creates the ransomware custom exploit code) works with affiliates – a different kind of cyberattackers who have existing access to corporate networks.

In a public advertisement posted on the underground forum Exploit, BlackMatter said it wants to buy access to corporate networks in the U.S., Canada, Australia, and Great Britain.

The group further said that it’s willing to pay $3,000 to $100,000 per network, provided the network passed the following criteria:

• Corporate revenue is $100 million or more
• Corporate network contains 500-15,000 devices
• Network hasn’t been previously targeted by other threat actors.

To signify that it's serious about its offer, BlackMatter has deposited 4 bitcoins ($256,000) on the forum Exploit.

“The [BlackMatter] ransomware is provided for several different operating systems versions and architectures and is deliverable in a variety of formats, including a Windows variant with SafeMode support (EXE / Reflective DLL / PowerShell) and a Linux variant with NAS support: Synology, OpenMediaVault, FreeNAS (TrueNAS). According to BlackMatter, the Windows ransomware variant was successfully tested on Windows Server 2003+ x86/x64 and Windows 7+ x64 / x86,” Recorded Future reported. “The Linux ransomware variant was successfully tested on ESXI 5+, Ubuntu, Debian, and CentOs. Supported file systems for Linux include VMFS, VFFS, NFS, VSAN.”

On BlackMatter website, the group said it doesn't attack hospitals, critical infrastructure, oil and gas industry, defense industry, non-profit companies, and government sector.

According to the joint cybersecurity advisory by CISA, FBI, and NSA, since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two food and agriculture sector organizations in the U.S., and have demanded ransom payments ranging from $80,000 to $15,000,000 in cryptocurrencies Bitcoin and Monero.

In September 2021, BlackMatter attacked the U.S. farmers cooperative NEW Cooperative and demanded from the victim $5.9 million for the decryptor and for the non-publication of the stolen data. 

"Your website says you do not attack critical infrastructure,” a NEW Cooperative representative told BlackMatter during a negotiation chat (screenshots of the said negotiation chat were shared online). “We are critical infrastructure... intertwined with the food supply chain in the US. If we are not able to recover very shortly, there is going to be very very public disruption to the grain, pork, and chicken supply chain."

BlackMatter Ransomware Tactics, Techniques, and Procedures

The CISA, FBI, and NSA advisory said that sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting showed that BlackMatter ransomware uses the following tactics, techniques, and procedures:

• BlackMatter harvests credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon.
• BlackMatter uses Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to discover all hosts in the Active Directory (AD).
• BlackMatter uses NtQuerySystemInformation to enumerate running processes.
• BlackMatter uses EnumServicesStatusExW to enumerate running services on the network.
• BlackMatter uses srvsvc.NetShareEnumAll MSRPC function to enumerate and SMB to connect to all discovered shares, including ADMIN$, C$, SYSVOL, and NETLOGON.
• BlackMatter uses legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks.
• BlackMatter exfiltrates data.
• BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory.
• Rather than encrypting backup systems, BlackMatter wipes or reformats backup data stores and appliances.

Cybersecurity Best Practices

The CISA, FBI, and NSA advisory recommends the following cybersecurity defense tips against BlackMatter ransomware attacks:

• Use strong passwords for service account, admin accounts, and domain admin accounts.
• Use multi-factor authentication (MFA) for vital services, including webmail, virtual private networks (VPNs), and accounts that access critical systems.
• Keep all software up to date.
• Eliminate unnecessary access to administrative shares.
• Use a host-based firewall – a firewall installed on a server to monitor and control incoming and outgoing network traffic.
• Implement network segmentation to prevent the spread of ransomware.
• Disable command-line and scripting activities and permissions.
• Keep all backup data offline, encrypted, and immutable.
• Disable the storage of clear text passwords in LSASS memory.
• Disable or limit New Technology Local Area Network Manager (NTLM) and WDigest Authentication.

Rise of Ransomware Attacks in the Education Sector

The National Cyber Security Centre (NCSC), an organization of the UK Government that provides cybersecurity guidance and support, recently reported that it has continued to respond to an increased number of ransomware attacks against schools, colleges and universities in the UK.

“As of late May/June 2021, the NCSC is investigating another increase in ransomware attacks against schools, colleges and universities in the UK,” NCSC said. The NCSC previously highlighted an increase in ransomware attacks on the UK education sector during August/September 2020 and again in February 2021.

Ransomware and Its Impact

Ransomware is a type of malicious software (malware) that’s traditionally known to encrypt victims’ files, preventing victims to access these files. After file encryption, a ransom note is shown on the compromised computer informing the victim to pay a certain amount, typically in the form of cryptocurrency, for the decryption tool that would unlock the encrypted files.

More recently, ransomware operators threaten victims to release files stolen from the victim’s network in case of refusal to pay the ransom for the decryption tool. More ransomware operators have recently employed the double ransom tactic, in which, a victim is asked to pay two ransom payments.

The first ransom payment is for the decryption tool while the second ransom payment is for the non-publication of the files stolen from the victim’s network. Ransomware operators maintain “name and shame” websites on the darknet to name and shame ransomware victims who continue to refuse to pay ransom.

“In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records …,” NCSC said. According to the NCSC, ransomware attacks in the education sector can have a devastating impact on organizations, with victims requiring a significant amount of recovery time to reinstate critical services, and these events can also be high profile in nature, with wide public and media interest.

Attack Vectors

An attack vector refers to the path or means in which an attacker gains access to an organization’s network to deliver a malware, in this case, a ransomware. According to the NCSC, ransomware attackers can gain access to a victim’s network through remote access systems, phishing emails, and other vulnerable software or hardware.

Remote Access

According to the NCSC, attackers gain access to victims’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN). RDP is a proprietary protocol developed by Microsoft that allows employees working from home to access their office desktop computers or servers from another device over the internet.

The shift towards remote learning over the past year as a result of COVID-19 restrictions resulted in many organizations deploying VPN access as VPN is viewed as a secure way of accessing company networks and private resources. In recent years, multiple security vulnerabilities have been discovered in RDP and in a number of VPN appliances such as Citrix, Fortinet, Pulse Secure and Palo Alto. 

Phishing

According to the NCSC, phishing emails are frequently used by attackers to deploy ransomware. An attacker sends a phishing email – disguised as coming from a legitimate sender – to trick the email receiver to click a link or download an attachment, enabling the deployment of the ransomware into the email receiver’s computer.

Other Vulnerable Software or Hardware

According to the NCSC, unpatched or unsecure devices have commonly been used by ransomware attackers as an easy route into networks. An example of a software vulnerability exploited by ransomware attackers to install ransomware on a network is the vulnerability in Microsoft Exchange Servers.

The NCSC added that ransomware attackers have recently been observed sabotaging backup devices in order to make recovery more difficult; encrypting the entire virtual servers, and using scripting environments, for example, PowerShell, to easily deploy the ransomware.

Cybersecurity Best Practices

Here are some cybersecurity best practices as recommended by the NCSC that can be employed by organizations in the education sector in order to prevent and mitigate the effects of ransomware attacks:

Keep up-to-date and tested offline backups.

As ransomware attackers have been known for sabotaging internet-exposed backup devices in order to make recovery more difficult, it’s important to keep offline backups to recover from a ransomware attack.

Secure remote access systems (RDP and VPN) via strong passwords, multi-factor authentication (MFA), and applying patches in a timely manner.

Implement effective vulnerability management and patching procedures.

Implement the following mechanisms to prevent phishing attacks: making it harder for email from your domains to be spoofed by employing the anti-spoofing controls, filtering or blocking incoming phishing emails, training your users particularly in the form of phishing simulations, and building a culture where users can report phishing attempts.

Cybersecurity Best Practices Against DarkSide Ransomware

The ransomware called “Darkside” wreaked havoc lately, with Colonial Pipeline, which operates the largest fuel pipeline in the U.S., as its latest high-profile victim.

Colonial Pipeline became aware of the ransomware attack last May 7, forcing the company to shut down its operations. The company was able to restart its operations last May 12.

A report from Bloomberg showed that Colonial Pipeline paid within hours after the attack the group behind Darkside ransomware nearly $5 million. According to the Bloomberg report, once nearly $5 million was paid, the group behind Darkside ransomware gave the decryption tool for Colonial Pipeline to restore its disabled computer network.

The decryption tool, however, was so slow that the Colonial Pipeline continued using its own backups to help restore the system, the report said. 

What Is DarkSide Ransomware?

DarkSide ransomware is a ransomware-as-a-service (RaaS) in which the ransomware developers receive a share of the proceeds from the cybercriminal actors who deploy the ransomware, known as “affiliates.”

This ransomware was first observed in the wild in August 2020 and has been known to target high-revenue organizations. Similar to modern ransomware, DarkSide ransomware encrypts victims’ files and demands from victims ransom payment in exchange for the decryption tool that would unlock the encrypted files.

Aside from data encryption and decryption, DarkSide ransomware also carries out data exfiltration and threatening victims that non-payment of ransom could lead to the public exposure of stolen data. In addition, the group behind DarkSide ransomware is also willing to carry out a Distributed Denial of Service (DDoS) attack against victims.

Tactics Used by DarkSide Ransomware Attackers

Researchers at FireEye in the blog post “Shining a Light on DARKSIDE Ransomware Operations” and researchers at McAfee in the blog post “DarkSide Ransomware Victims Sold Short” found that the group behind the DarkSide ransomware employed the following tactics:

. Password Spraying Attack Against Corporate VPN

To gain initial access to their victim’s network, the group behind DarkSide ransomware used password spraying against corporate VPN. In password spraying, an attacker circumvents the account lock-out countermeasures by trying the same password across many accounts before trying another password.

. Exploitation of CVE-2021-20016

To gain initial access to their victim’s network, the attackers exploited CVE-2021-20016, a SQL-Injection vulnerability in the SonicWall product that allows a remote unauthenticated attacker to perform SQL query to access username password and other session-related information.

. Phishing Emails

To gain initial access to their victim’s network, the attackers also used phishing emails to deliver the SMOKEDHAM – a malicious software (malware) that supports keylogging, taking screenshots and executing arbitrary .NET commands.

. Exploitation of Remote Desktop Protocol (RDP) Vulnerabilities

To gain initial access to their victim’s network, the attackers also exploited RDP, a proprietary protocol developed by Microsoft that allows users the ability to connect to another computer over the internet. In the past few years, a handful of security vulnerabilities on RDP had been identified and patched. Many, however, fail to apply the latest RDP patch.

. Leveraging TeamViewer

To establish persistence within the victim environment, the attackers also leveraged TeamViewer – a legitimate software that allows access to computers and networks remotely.

. Leveraging Mimikatz

To gain more privileges on the victim’s network, the attackers also used Mimikatz for credential harvesting.

. Leveraging NGROK

To bypass firewalls and expose remote desktop service ports, like RDP and WinRM, to the open internet, the attackers used the publicly available NGROK. 

. Leveraging Cobalt Strike BEACON

To maintain a foothold on the victim’s network, the attackers used Cobalt Strike BEACON. Cobalt Strike is a commercially available penetration testing tool. The group behind Cobalt Strike describes BEACON as a tool to “egress a network over HTTP, HTTPS, or DNS.”

Cybersecurity Best Practices

Below are some of the cybersecurity best practices in order to reduce your organization’s vulnerability to ransomware such as DarkSide and reduce the risk of severe business degradation once impacted by ransomware:

Use multi-factor authentication as an added protection to the single-factor authentication: the traditional username and password combination.

Filter emails to prevent malicious executable files from reaching end users.

Filter network traffic to prevent inbound and outbound communications with known malicious IP addresses.

Keep all software up to date by applying the latest patches in a timely manner.

Protect RDP with strong passwords, multi-factor authentication, VPN other security protections.

Implement application allow listing, allowing the systems to execute only software programs that are known and permitted by the security policy.

It’s important to note that the tactics above-mentioned aren’t just used by the group behind DarkSide ransomware. The said tactics are widely used as well by ransomware groups and other malware operators. As such, the cybersecurity best practices above-mentioned also apply to other forms of attacks.

To date, the group behind the Darkside ransomware has gone dark, making it unclear whether the group has ceased, suspended operation, or has changed its operations or maneuvering an exit. Since March 13, all the dark websites used by the group behind Darkside are down. These sites were used by the group to communicate with the public.

Investigation Shows Ryuk Ransomware Attack Caused by Pirated Software, Lack of Network Protection

Sophos recently revealed that a cyberattack involving Ryuk ransomware targeting a European biomolecular research institute was caused by a pirated software and lack of network protection.

According to Sophos, its Rapid Response team was called in to respond to a Ryuk ransomware attack targeting a European biomolecular research institute – an organization that partners with local universities and works with students on various programs.

The Ryuk ransomware attack on the European biomolecular research institute, Sophos reported, costs the institute a week’s worth of vital research data, as even though the institute had backups, these backups weren’t up to date. The operation of the institute was also impacted since all computer and server files were required to be rebuilt before the data could be restored.

Initial Compromise

A review of logs and historical data available traced the initial compromise of the Ryuk ransomware attack on the European biomolecular research institute to the moment when one of the institute’s partners, an external university student, installed a pirated data visualization software on the said student’s laptop.

The investigating team found that the institute allowed people outside the organization to access its network, with partners such as university students allowed to access the institute’s network via remote Citrix sessions without the need for two-factor authentication using their own personal computers.

The investigating team found that the partner-student of the institute who installed the pirated software posted a question on an online research forum asking if anyone knew of a free alternative of the data visualization software, of which an original software costs hundreds of dollars a year. When the partner-student of the institute didn’t find a free version, a pirated version was used instead.

According to Sophos’ Rapid Response team, the pirated software was a pure malicious software (malware) that immediately triggered a security alert from Windows Defender. In order to install the pirated software, the partner-student of the institute disabled Windows Defender as well disabled Windows Security Firewall.

The installed pirated software-malware capabilities include logging keystrokes, stealing browser, cookies and clipboard data. The pirated software-malware also enabled the attackers to steal the student’s access credentials for the institute’s network.

According to Sophos’ Rapid Response team, 13 days after the installation of the pirated software-malware, a remote desktop protocol (RDP) connection was registered on the institute’s network using the student’s credentials, and 10 days after this connection was made the Ryuk ransomware was launched. The investigating team added that the institute’s RDP connection triggers the automatic installation of a printer driver, enabling users to print documents remotely.

“It is unlikely that the operators behind the ‘pirated software’ malware are the same as the ones who launched the Ryuk attack,” said Peter Mackenzie, manager of Rapid Response at Sophos. “The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access.”

Cybersecurity Best Practices

The Ryuk ransomware attack that targeted the European biomolecular research institute is a hard-earned lesson for the community.

While the partner-student of the institute is clearly at fault for using pirated software, the said cyberattack exposed the institute’s network weaknesses. Here are some of the cybersecurity best practices in order to fortify your organization’s network against cyberattacks such as Ryuk ransomware attack:

• Use two factor-authentication as this is an added layer of security
• Enable Windows Defender as well Windows Security Firewall
• Keep backups up to date
• Practice Network Segmentation
• In network segmentation, your organization’s network is divided into sub-networks so that in case one sub-network is compromised, the other sub-networks won’t be affected.
• Implement Least Privilege Access
• The least privilege concept restricts access to your organization’s network to only those who are required to perform routine, legitimate activities.
• Secure Remote Desktop Protocol (RDP) Connection

RDP is a proprietary protocol developed by Microsoft that allows users the ability to connect to another computer over the internet. In the blog post "Cybercriminals Actively Exploiting RDP to Target Remote Organizations", McAfee Labs said that as a result of the COVID-19 restrictions, organizations wanting to maintain operational continuity have allowed their employees to access networks remotely via RDP with minimal security checks in place, giving cyber attackers easy access to these networks.

In the past few years, a handful of RDP security vulnerabilities have been identified and patched by Microsoft. Organizations that lagged behind in applying these RDP patches are vulnerable to attacks.

In the blog post “Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks,” Microsoft said that RDPs that are not protected by strong passwords, multi-factor authentication, virtual private networks (VPNs), and other security protections are vulnerable to brute force attack – a type of cyberattack that uses the trial-and-error method in guessing the correct username and password combination.