By Marco Altenseuer on 12.09.2023, IT Security

(NO) FEAR OF RANSOMWARE?

What is ransomware? An overview

Ransomware is malware whose purpose is to extort the victim (the name comes from "ransom", the payment demanded for release). Typically the attacker encrypts important files or locks users out of systems and promises to restore access only after payment of a sum that is sometimes very high.

In its 2022 situation report, the BSI rates the threat posed by ransomware as very high. There is a large number of ransomware groups, some of which are organized very professionally. In 2022, internal chats and documents of the "Conti" group were leaked; they suggest that the group was structured like a start-up, with roles such as managers, technicians and HR staff. The "employees" were paid in different ways: HR staff received a fixed "salary", while technicians were paid depending on the success of a campaign. Some groups also rent out their tooling and infrastructure to affiliates as a "service" (ransomware-as-a-service, part of the broader "cybercrime-as-a-service" model).

Forms of ransomware

There are various forms of ransomware. Attackers often copy files before encrypting them. This lets them assess how important the data is and how financially strong the company is, and set the ransom accordingly. It also enables a second extortion attempt: the threat to publish the stolen data ("double extortion"). This threat is independent of the encryption, so paying for a decryption key does not remove it, and the attacker can raise it even after the data has been decrypted. Attackers may additionally identify third parties (customers, partners) that depend on the data or on access to it and extort them as well ("multiple" or "triple extortion").

Points of attack for ransomware attacks

Ransomware groups use a variety of attack vectors and entry points. The most common are probably malicious e-mails (phishing) and the mass scanning of publicly accessible systems for known vulnerabilities. Phishing means sending an e-mail designed to trick the recipient into an action that causes damage, such as opening a malicious attachment or following a link. If the recipient follows the link, they land on a website that asks for their login details and imitates a trusted site such as the Microsoft 365 login page. With credentials obtained this way, an attacker may be able to log in to publicly accessible systems themselves, for example a VPN gateway or webmail, and use that access as an entry point. This works best against accounts that are not protected by multi-factor authentication.

Shortly after a critical vulnerability is published, indiscriminate scanning for it across publicly accessible systems can usually be observed. If a system is found on which the vulnerability has not been patched, the attacker can carry out various actions, such as planting a backdoor as a persistent entry point or deploying ransomware directly. Which actions are possible depends on the vulnerability.

Known cases of ransomware attacks

A large number of companies and public institutions are affected. Current examples from 2023 are:

  • The POS system manufacturer NCR
  • The IT service providers Materna and Bitmarck; some of their customers were affected as well. For example, the Vodafone CallYa online portal had to be shut down as a result
  • The Neue Zürcher Zeitung newspaper publishing group with all affiliated publishing houses
  • The health insurance company BIG direkt
  • The hardware manufacturer MSI
  • A SpaceX partner company with access to strictly confidential design plans

These are just a few prominent recent cases. There are many more publicized cases, and some cases remain unpublicized for various reasons.

Impact of ransomware attacks

The effects on a company can be very diverse and sometimes threaten its existence. The bicycle manufacturer Prophete, for example, had to file for insolvency following a ransomware attack. The reason for the enormous business impact is that a successful attack can bring the entire IT environment to a halt: production may stop and ERP systems may become unusable.

In some cases, core systems can be restored quickly from a backup. However, if an attacker has been in the environment long enough, the backups may also be compromised or encrypted. It is also enough for a single system to remain compromised, because the attack can be launched again from there. In most cases the IT environment therefore has to be rebuilt from scratch to ensure that the attacker no longer has any access.

Such effects can hit the core business hard, for example by interrupting production. Short interruptions can often be absorbed, but longer ones can threaten a company's existence, depending on how long they actually last.

The outflow of data can also lead to a variety of problems. Here are some examples:

  • If contracts with suppliers or customers are published, this could constitute a breach of contract. Confidential terms and conditions and purchase quantities become public knowledge.
  • If personnel data is involved, data protection law applies (for a German company, the GDPR). Depending on the scope and type of the data, this can lead to severe fines. In addition, publication can have further negative consequences for each individual affected (e.g. if private bank account details are published).
  • If confidential or strictly confidential information (e.g. construction plans, recipes) is published, this enables competitors to use this information. A competitive advantage would be lost and there is a risk of long-term consequences for the entire company.

A possible loss of reputation should not be underestimated. Trust can be lost both on the customer side (e.g. through missed or unreliable deliveries) and on the supplier side (e.g. through disclosure of the supplier's terms or personal data). Such a loss of trust is very likely to affect the company in the long term and can only be repaired at great expense, for example through targeted marketing or discount campaigns or financial concessions to suppliers.

Preparations for ransomware attacks

A ransomware attack cannot be ruled out even with the best measures. Nevertheless, there are various ways of minimizing the risk of such an attack and making additional preparations to mitigate the impact of an attack.

Most of this work falls to IT. A multi-stage plan for protection against ransomware should be drawn up that also takes into account the measures already in place. To do this, it may first be necessary to identify all systems and data that are critical for the company and its core tasks. It has proven useful to rate each asset against the well-known protection goals of confidentiality, integrity and availability using a simple points system: the higher the score, the more important the asset is for the company. It frequently happens that only one protection goal of an asset is rated critical, for example the availability of a production control system whose data is not confidential at all; such an asset still counts as critical, so the rating should take the maximum of the three scores rather than their sum.

In the next step, various technical and organizational measures can be taken for protection. A basic protection (“baseline”) is defined here, which always applies. Examples of this are:

  • the introduction of multi-factor authentication for accounts,
  • the blocking of potentially malicious e-mail attachments,
  • protecting the network through segmentation and the use of firewalls with strict rules for each segment,
  • the use of an anti-virus solution at system level and an independent AV solution at network level,
  • establishing or adapting approval processes so that security-relevant approvals can never be given by just one person (dual control principle with independent teams),
  • backups with a defined retention period and semi-annual recovery tests,
  • the introduction of vulnerability scans and penetration tests,
  • the definition of target times for patching, e.g. a maximum of 24 hours after the release of a patch for a critical vulnerability,
  • the system hardening of assets, e.g. using CIS benchmarks, or
  • logging, evaluation and correlation of security-relevant events (SIEM).
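As a worked example of the second baseline measure (blocking potentially malicious e-mail attachments), here is a small attachment policy in Python. It is an added example and not code from the original article or from the author's organization; the extension lists, size limits and nesting limit are assumed values that would have to be tuned to the environment. The point it illustrates is that a name-based blocklist alone is not enough: the policy also sniffs magic bytes (so a renamed executable is caught), looks inside zip and OOXML containers (a .js inside docs.zip, a VBA project inside a .docx), and refuses what it cannot inspect (encrypted or malformed archives, archives nested too deeply). The sample attachments at the bottom are constructed and contain no real malware.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Optional, Tuple

# Policy tables (assumed values for this example; tune them to your environment).
BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".msi",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd",
    ".lnk", ".iso", ".img", ".vhd", ".vhdx",
}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
MAX_NESTING = 3                      # archive inside archive inside archive: stop here
MAX_UNCOMPRESSED = 50 * 1024 * 1024  # crude guard against zip bombs

# Magic bytes are checked regardless of the file name, so a renamed .exe is still caught.
MAGIC = [
    (b"MZ", "windows executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip container"),
    (b"\xd0\xcf\x11\xe0", "legacy ole office document"),
]


def sniff(data: bytes) -> Optional[str]:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def classify_attachment(filename: str, data: bytes, depth: int = 0) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is "allow", "block" or "review"."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = sniff(data)

    if ext in BLOCKED_EXTENSIONS:
        return "block", f"{filename}: extension {ext} is on the blocklist"
    if ext in MACRO_EXTENSIONS:
        return "block", f"{filename}: macro-enabled Office format"
    if kind == "windows executable":
        # e.g. "invoice.pdf" whose content starts with an MZ header
        return "block", f"{filename}: content is a Windows executable despite the name"
    if kind == "legacy ole office document":
        # .doc/.xls may carry VBA; deciding needs an OLE parser, so hand it to a sandbox or analyst
        return "review", f"{filename}: legacy Office format, macros cannot be ruled out here"
    if kind == "zip container":
        return inspect_archive(filename, data, depth)
    return "allow", f"{filename}: no rule matched"


def inspect_archive(filename: str, data: bytes, depth: int) -> Tuple[str, str]:
    if depth >= MAX_NESTING:
        return "block", f"{filename}: archive nesting deeper than {MAX_NESTING}"
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block", f"{filename}: malformed archive"
    members = archive.infolist()
    if sum(m.file_size for m in members) > MAX_UNCOMPRESSED:
        return "block", f"{filename}: uncompressed size exceeds limit"
    for m in members:
        if m.flag_bits & 0x1:  # bit 0 of the general-purpose flag marks an encrypted entry
            return "block", f"{filename}: encrypted archive cannot be inspected"
        if m.filename.lower().endswith("vbaproject.bin"):
            return "block", f"{filename}: OOXML document contains a VBA project"
    # Recurse into every member so that a .js inside docs.zip or a zip inside a zip is seen too.
    for m in members:
        if m.is_dir():
            continue
        verdict, reason = classify_attachment(m.filename, archive.read(m), depth + 1)
        if verdict != "allow":
            return verdict, f"{filename} -> {reason}"
    return "allow", f"{filename}: archive members pass"


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip; used only to construct the sample attachments below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, payload in members.items():
            z.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments (not real malware).
    samples = {
        "report.pdf": b"%PDF-1.7\n%constructed sample\n",
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
        "docs.zip": make_zip({"readme.txt": b"hi", "setup.exe": b"MZ\x90\x00"}),
        "quote.docx": make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}),
    }
    for name, payload in samples.items():
        print(classify_attachment(name, payload))
```

In a mail gateway this logic would sit behind the MIME parser; the "review" verdict is where a sandbox or manual analysis would take over for formats that cannot be judged by structure alone.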

Extended protection can also be defined for critical systems. Possible measures for this include:

  • tightening the AV policy (possibly at the expense of system performance),
  • further segmentation of critical systems, possibly microsegmentation or a Zero Trust network,
  • a P-A-P structure (packet filter, application-level gateway, packet filter, as recommended by the BSI) in front of network areas containing critical systems,
  • longer retention periods for backups and keeping backup media offline or off-site (offline backups) so that an attacker in the network cannot reach them,
  • very restrictive authorization management, possibly with dedicated accounts used exclusively for direct access to critical systems, or
  • regular IOC scans (indicators of compromise).

This list covers only a small part of the possible measures. An attack simulation (e.g. a red-team exercise) can also be used to test the measures in place. In any case, the company should examine the possible measures in detail and present them in a security concept with a roadmap. This should consider whether the cost of each individual measure and of the overall package is reasonable or exceeds the damage it prevents. It should also be checked whether sufficient personnel and the necessary expertise are available.

As mentioned at the beginning, phishing is one of the biggest risks in general and for ransomware in particular, so all employees need to be involved. The aim is to raise awareness of security risks. The best way to do this is a security awareness program with selected people from the various departments. Besides IT security specialists, a member of management as executive sponsor, marketing and the HR department should take part. This team continuously develops awareness measures such as training in handling e-mails, flyer or poster campaigns and scenario exercises. Involving the specialist departments also makes it possible to identify and train the specific needs of each department.

To minimize the impact of an attack, emergency and recovery plans should also be drawn up. The specialist departments should be involved here as well, and the plans should be developed jointly. For example, external communication should be prepared with the marketing and press departments so that the company can react quickly. Communication plans also cover internal emergency communication during an attack (who is contacted when, by whom and how?) and communication with employees. Recovery of the environment follows priorities and dependencies: systems that others depend on must come back first, and the most critical of the systems that are ready to be restored should be restored next. The list of critical assets and concrete feedback from the individual departments help here.
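The two planning steps above, rating assets by confidentiality, integrity and availability (where a single critical goal makes the asset critical and puts it in the extended protection tier) and deriving a recovery sequence from priorities and dependencies, can be made mechanical. The following Python example is added here and is not code from the original article or from the author's organization. The 1-to-4 scoring scale, the threshold of 3 and the inventory of assets are assumptions constructed for the example; a real inventory would come from the asset list discussed above.

```python
import heapq
from typing import Dict, List, Tuple

# Assumed scale for this example: each protection goal (C, I, A) is scored 1 (low) to 4 (very high).
CRITICAL_THRESHOLD = 3

# Constructed sample inventory. "depends_on" lists what an asset needs in order to operate,
# which is also the order in which it can be restored.
ASSETS = {
    "AD":   {"cia": (3, 4, 4), "depends_on": []},
    "DB":   {"cia": (4, 4, 3), "depends_on": ["AD"]},
    "ERP":  {"cia": (3, 3, 4), "depends_on": ["AD", "DB"]},
    "HR":   {"cia": (4, 2, 1), "depends_on": ["AD", "DB"]},
    "Wiki": {"cia": (2, 2, 2), "depends_on": ["AD"]},
}


def criticality(cia: Tuple[int, int, int]) -> int:
    """One critical goal is enough: the rating is the maximum of the three scores, not their sum."""
    return max(cia)


def is_critical(cia: Tuple[int, int, int]) -> bool:
    return criticality(cia) >= CRITICAL_THRESHOLD


def protection_tier(cia: Tuple[int, int, int]) -> str:
    """Baseline protection applies to everything; critical assets additionally get the extended set."""
    return "extended" if is_critical(cia) else "baseline"


def recovery_order(assets: Dict[str, dict]) -> List[str]:
    """Topological order (dependencies first); among assets that are ready to be restored,
    the most critical one goes first. Raises ValueError on a dependency cycle or an unknown
    dependency, because such a plan cannot be executed and must be fixed before an incident."""
    indegree = {name: 0 for name in assets}
    dependents: Dict[str, List[str]] = {name: [] for name in assets}
    for name, spec in assets.items():
        for dep in spec["depends_on"]:
            if dep not in assets:
                raise ValueError(f"{name} depends on unknown asset {dep}")
            indegree[name] += 1
            dependents[dep].append(name)

    def priority(name: str):
        # heapq is a min-heap, so scores are negated: highest criticality first,
        # then highest total score, then name for a deterministic order.
        cia = assets[name]["cia"]
        return (-criticality(cia), -sum(cia), name)

    ready = [priority(n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order: List[str] = []
    while ready:
        _, _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, priority(child))
    if len(order) != len(assets):
        cyclic = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle involving {cyclic}")
    return order


if __name__ == "__main__":
    for name, spec in ASSETS.items():
        print(f"{name:5} C/I/A={spec['cia']} -> {protection_tier(spec['cia'])}")
    print("recovery order:", " -> ".join(recovery_order(ASSETS)))
```

For the sample inventory this yields AD, DB, ERP, HR, Wiki: the directory comes first because everything depends on it, and the low-rated Wiki is restored last even though it was ready early. The cycle check matters in practice, since circular dependencies between, say, a virtualization platform and the directory it authenticates against are exactly what stalls a real rebuild.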

The emergency and restart plans should be regularly reviewed and tested. Various strategies are conceivable here, starting with a “read-through test” (i.e. the purely theoretical step-by-step discussion of the plans) through to a “full-interruption test”.

Marco Altenseuer

Information Security Officer

Marco is our IT security specialist and will be happy to answer any questions you may have in this area.
