There continues to be a lot of media buzz around ransomware—and with good reason. Help Net Security argues that ransomware is “the most significant cybercrime innovation in recent history.” From more minor breaches that don’t make the news to the latest attack on Colonial Pipeline, protection against ransomware remains paramount. Organizations are under constant pressure to stay ahead of these attacks, which can place immeasurable stress on daily operations. This article will break down key ransomware components to help your credit union adequately prepare and defend its assets against attacks.
What is Ransomware?
Ransomware is a type of malware that prevents a user or network of users from accessing their laptops, desktops, or servers until the ransomware owner is paid a monetary amount. Ransomware also includes malware that has the potential to lock up or destroy data unless reversed.
How Does Ransomware Spread?
Ransomware can infect your computer in several ways:
- Malicious Spam: Emails often include attachments in the form of a PDF or Word document that contain executable malware when opened. Ransomware delivered via email uses social engineering to trick users into opening attachments or clicking specific links, which seem legitimate or reasonable enough to take action. These types of emails are posed to be sent by a colleague or friend to help ease suspicion.
- Malvertising or Malicious Advertising: This method injects malware into online advertising and spreads with little to no interaction. While browsing the internet, users can be redirected to malware command and control servers monitored by criminals without ever clicking on an ad. After this exchange occurs, the server records details about the victim’s computer location and operating system to include specific vulnerabilities. It then matches and delivers the best malware suited to that user. Often, ransomware is the type of malware that is delivered.
Three Types of Ransomware
According to this Malwarebytes article, there are three main types of ransomware with different severity levels.
This type involves rogue security software and tech support scams. While browsing the web, a user might get a pop-up message saying that malware was detected on their device and the only way to get rid of it is through payment. If you decide not to act on the request, you’ll continue to receive multiple pop-up messages, but your files will essentially remain safe.
The sensible thing to note here is that a legitimate cybersecurity software program would never solicit its customers this way. If you have security software installed, you will not have to pay for infections to be removed – the software exists for this reason.
- Screen Lockers
This is a more dangerous type of ransomware that will lock you out of your computer entirely once infected. As reported in the Malwarebytes article, “upon starting up your computer, a full-size window will appear, often accompanied by an official-looking FBI or US Department of Justice seal saying illegal activity has been detected on your computer and you must pay a fine.” Remember, realistically, if you are ever caught doing something illegal, the FBI would not lock you out of your computer or force you to make a payment.
This type of ransomware is the most dangerous of them all. It involves cybercriminals confiscating your files, encrypting them, and demanding payment to decrypt and release full access. This type of ransomware is so dangerous, mainly because once cybercriminals gain access to your files, there is essentially nothing that can be done to return them to you.
Cybercriminals are constantly finding ways to enhance their attacks. While ransomware is not a new cybersecurity threat, it continues to evolve. Protecting your credit union and personal assets should always remain a top priority.
Stopping Ransomware Activity Before the Final Attack
Sophisticated ransomware attacks use multiple malware delivery methods, advanced reconnaissance, lateral movement throughout the targeted network, and compromised accounts. In some cases, this gives targeted organizations a more significant opportunity to stop the final strike, mainly because cybercriminals often stay in the network for more extended periods when carrying out these attacks.
Below is a deeper look into the main options for preventing ransomware activity before it makes a final attack:
- Once an attacker has entered your network to monitor a target environment, UEBA will assist you in detecting lateral movement or anomalous account activity. Remember, it is very likely that your attacker will get into your network and move around laterally to determine what network systems must be exploited and locked. UEBA will lay down a pattern of behavior for every system and every account on your network. It then searches 24/7 for anomalies, which provide clues to lateral movement or unusual activity by compromised accounts belonging to legitimate network users.
- Hunting for IP IoCs in firewall, endpoint, and VPN traffic is critical to determining whether one of your legitimate users has accidentally clicked on a malware command and control link or other delivery methods used by ransomware attackers. If you have a Threat Intelligence Portal that will automatically hunt your network traffic for bad IP IoCs, then you have an excellent chance of discovering a breach in progress. Crowd-sourced IP IoCs are the best way to find dangerous IPs in real-time.
Remember, the smartest ransomware intruders do not just lock up a company’s network at random in hopes of a payday. Intruders will use public records to determine the most lucrative targets to attack and digital surveillance to determine the best method for attacking vectors and targeting exploits for potential vulnerabilities. This may provide you with a critical opportunity to detect the necessary activities upfront before the final lockout.