Your money or your data: inside ransomware

Alix Kwak
TNK2
7 min read · Jul 27, 2021

Alix Kwak, writing with TNK2 co-founders Jay Jeong and Elston DSouza and Upling co-founder Peter Thomas.

Ransomware: expensive, disruptive, and possibly disastrous.

Wannacry ransomware (Wikipedia)

If you’ve ever seen this, we empathise.

Because you are one of the unfortunate people who’ve experienced one of the most disturbing, disruptive and possibly expensive cybersecurity phenomena: ransomware.

If you haven’t, think yourself lucky.

But your luck may run out soon. Read on to learn more about what ransomware is, how it works and what you can do about it.

Most people have a basic idea about what ransomware is. The clue is in the word, of course: ransom.

Typically a user downloads a malicious file to their device, or for an organisation, a computer somewhere on their network. The software then encrypts data so it can’t be accessed. Cybercriminals or other malicious actors then ask for a ransom for the data to be decrypted. The ransom is usually paid in the form of an untraceable cryptocurrency.

Ransomware has been in the news recently because of the high profile cases of JBS and Colonial Pipeline, which shut down systems and encrypted data with costs to the companies in the millions.

As we have talked about before, those that hold companies and individuals to ransom are not only technologically sophisticated but highly skilled in the science of human behaviour.

Ransomware breaches usually take the form of a benign-looking email inviting a user to download a file or click on a link. Once clicked, it takes seconds for a computer — or many computers — to be rendered useless.

The consequences can be disastrous, and the disruption caused is extensive. It’s a problem because almost every business’ lifeblood is data — from the small business’ customer database to the multinational’s extensive enterprise software systems.

And the trend is disturbing: ransomware is now one of the top priorities on the minds of Chief Information Security Officers (CISOs) everywhere.

A walkthrough of the Petya Ransomware

The video above shows one example of Ransomware, Petya.

It first surfaced in 2016 and targeted companies and institutions in India, Spain, France, the United Kingdom and beyond. It affected power companies, airports, public transit systems and the Danish shipping company Maersk. (You can read a detailed account of Petya in this Wired article that called it “the Most Devastating Cyberattack in History”).

As you can see, the infected computer displays a flashing red screen and the text “You became victim of the PETYA RANSOMWARE. The harddisk of your computer has been encrypted with military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase its key on the darknet page shown in step 2”.

Unlike the Wannacry example shown at the top of this story, Petya was more sophisticated and more successful. It also had a variant, NotPetya, which was circulating in 2017. As Wired noted in the middle of the outbreak in 2017: “The amateurish mistakes that marked that earlier outbreak limited both the scope and the eventual payouts collected; WannaCry even included a “kill switch” that shut it off entirely and that security researchers used to control its spread. Petya doesn’t seem to have a kill switch function — which means there’s no way to stop it yet.”

The Petya virus arrived via links in phishing, spam emails and infected Word documents and was made worse because users and network administrators hadn’t installed security updates, allowing it to spread.

Petya and NotPetya, in the words of Charles Carmakal, senior vice president and CTO at Mandiant quoted in this article, “changed the world’s perception of destructive cyberattacks and is one of the only cyber activities that is considered to be an act of war…the world is still susceptible to the same techniques employed in the attack.”

If you want to find out just how prevalent ransomware and other cybersecurity incidents are, you can read a roundup here which says, “The year 2020 broke all records when it came to data lost in breaches and sheer numbers of cyber-attacks on companies, government, and individuals.”

But we are learning the playbook for dealing with ransomware, and both governments and a growing cybersecurity protection industry are trying to keep up with the cybercriminals.

Typically there are four essential steps.

The first is do not pay the ransom. As everyone knows from watching Hollywood kidnap or extortion movies, paying the ransom is no guarantee that the criminals will leave you alone: there is no saying that the data will be decrypted, that there will not be subsequent demands, or that more malicious software will not be installed. Yet, with businesses brought to their knees by the scale of disruption a ransomware attack causes, many choose to pay anyway, even if their insurers may subsequently refuse to cover them. The ABC in Australia recently reported that “Australian organisations are quietly paying hackers millions in a ‘tsunami of cyber crime’…an open secret within the tight-lipped world of cybersecurity.”

The second step is to disconnect. To reduce the chances of further infiltration, any infected device should be isolated from anything it can connect to: the network, shared drives and removable media. This stops the spread of ransomware across networks, a problem in the Petya outbreak.

Step three is to ask for help. Certainly, if you are part of an organisation, the IT function should be made aware immediately, and they will have a well-defined sequence of steps to support anyone who is a victim of ransomware.

Finally, the fourth step is to report. The only way to build up knowledge about the evolving landscape of cybersecurity risks is to report, certainly to your organization and to government bodies such as the Australian Cyber Security Centre’s ReportCyber scheme that tracks cybersecurity breaches and may pursue and bring charges against malicious actors.

Of course, there are many resources out there now to inform, educate, remedy and combat ransomware, from well-known cybersecurity software giants like Kaspersky and McAfee to government bodies like the Australian Cybersecurity Research Centre or the UK’s National Cyber Security Centre.

As this piece from the US ABC news notes, the cybersecurity industry can barely keep up with the sheer number of incidents. As they say, “a once-quiet epidemic, ransomware has emerged in 2021 as a major national security issue”. Schools, hospitals, multinational companies, small businesses and individuals are all in the firing line.

But, as we have pointed out before, many ransomware incidents, like many cybersecurity incidents overall, come back to people. The human factor is key, and being more aware of the role that people play in ransomware, and in all cybersecurity incidents, is critical.

That’s why we are focusing on the human factors of cybersecurity — those things that make us vulnerable in the face of a troubling and growing phenomenon.

Come back to the TNK2 publication to read more stories, including:

All too human

An overview of why the difficult challenges of cybersecurity are human, not technological. Peter Thomas, co-founder of Upling, writing with TNK2 co-founders Elston DSouza, Alix Kwak and Principal Researcher Jay Jeong.

Class is not dismissed

We take a look at the education sector and particularly K12 schools. In the light of several recent high-profile security breaches, we look at why schools are so vulnerable and what we might do to change that. By Peter Thomas for TNK2.

The state of cybersecurity

We know that cyberattacks are on the rise. Cybercrime is up 600%. We go behind the numbers to look at trends and patterns — and the rise of cybercrime-as-a-service. By Elston DSouza, Alix Kwak, Peter Thomas and Jay Jeong for TNK2.

To err is human

We look at the science of errors, how it relates to cybersecurity and how unintentional actions make us less secure — from downloading a malware-infected attachment to failing to use a strong password. By Jay Jeong for TNK2.

And coming soon:

Why small business is big business for cybercriminals

A cybersecurity incident that impacts a small business can be devastating. Why are small businesses vulnerable? We look at some of the reasons — and what we might do about them. By TNK2.

You can learn more about our work by visiting tnk2.com.au and read more about our approach to the human factors of cybersecurity.