Ransomware 101: What to Know and Expect

Ransomware attacks are on the rise, impacting employers daily. From the compromise of the Colonial Pipeline to the attack of Kaseya to the global WannaCry incident, it’s not uncommon for employers to find themselves in the middle of a ransomware situation. These types of attacks quickly become destructive and have a costly impact on organizations, so it’s important to understand the basics to help mitigate your risk. Continue reading to learn more about the evolution of ransomware attacks and potential consequences.

What is a ransomware attack?

First, let’s start by defining this security term. Ransomware is a type of malicious software, also known as malware, that threatens to publish or blocks access to data or a computer system. Typically, this is done by encrypting the data until the target pays a ransom fee to the attacker. When encryption is complete, attackers commonly leave notes on the organization’s computers demanding a form of payment to unencrypt the data and not leak what’s been stolen. To recover the data, victims will be asked to pay in cryptocurrency because it allows for anonymity, making transactions difficult to track.

How do ransomware attackers get into organizations?

There are several ways a ransomware attack can initiate. Here are the top three ways attackers use to get access to an organization’s data:

• Brute-force. This is essentially password guessing. Brute force is likely to occur when members have easy-to-guess passwords or passwords discovered in other unrelated breaches.
• Exploit a vulnerability in the technology’s software. When administrators fall behind on patching, a potential entry point is created. Attackers will exploit these entry points to gain a foothold in the employer’s network.
• Phishing. Unfortunately, this is probably the easiest way to get a foothold into an organization. Scammers will use communication methods, such as email or text messages, posing as a reputable source to trick individuals into giving them sensitive information, such as passwords and credit card information. Phishing occurs when a link or attachment is opened or acted upon.

The time of day an attack happens is also intentional. Attackers often choose times where activity is least likely to be monitored, such as the middle of the night or weekend. Once in the system, attackers map out the network and begin to fully understand the lay of the land. Sensitive information and system backups are the main targets. This is what is used to recover a machine when it breaks down. A company is more likely to pay the ransom if it doesn’t have adequate backups or these become encrypted by the attackers.

What is a ransom and is it effective?

Attackers can demand payment because organizations want to protect their valuable and confidential data. When an employer’s data is at risk of being shared, the company is forced to make a difficult decision because the chance of leaking confidential information could be highly destructive. On average, a ransomware attack will impact an organization’s ability to do business for two weeks or more.

Unfortunately, it is difficult for companies to distinguish if the attacker can be trusted when determining whether to pay the ransom. At times, even a payment doesn’t result in decryption. Attackers are known to disappear after a payment is made or provide a faulty decryption key. In addition, decryption can often be too slow to recover the stolen data in a reasonable time.

Premise Health’s Security Posture

Premise Health upholds a strong security posture given the nature of our business. As a healthcare organization, we are the keepers of a significant amount of sensitive information, which makes it critical that we hold ourselves to the highest security measures. To mitigate our risk against ransomware attacks, it starts with strong support from the top down. Leadership buy in allows our IT security team to implement defense-in-depth strategies including:

• Strict web filtering policies to block traffic from regions known to distribute malware
• Endpoint protection to limit what an attacker can do in a system
• Email gateway filter which blocks and helps mitigate phishing emails
• Strong incident response team that responds to incidents that get past our controls
• Internal phishing program that leverages current trends and sends practice phishing emails to everyone in the company

In addition, Premise makes a priority to have strong backups that are regularly tested to put us in a good position to recover from an attack.

In part two of our ransomware series, you’ll learn more about why ransomware attacks are so destructive and tips employers can use to prevent them.