Ransomware is one of the most terrifying possibilities in the modern threat landscape. It is a specialized form of malicious attack that first encrypts the victim's files and then demands payment for a decryption key to restore access to the data. In addition to costs ranging from several hundred to several million dollars, organizations are exposed to problems related to the inaccessibility of files. Even if the ransom is paid, the victim has no guarantee that the promised key will be delivered. Ransomware blocks access to data, which makes it a much greater threat than simple file theft. This is why protection against ransomware should be a priority in every company's cybersecurity.
Ransomware attacks everyone
In 2022, many organizations were attacked by malware. Enterprises from almost every economic sector fell victim to it. Here are the most spectacular ransomware attacks of the past year:
In May, Costa Rican President Rodrigo Chaves declared a state of emergency in the country due to the Conti ransomware that attacked numerous public institutions, including the Ministry of Finance, Ministry of Science and the Costa Rican Social Security Fund.
In January, Puma was informed of a ransomware attack on Kronos, a provider of personnel management solutions. More than 6,600 employees' data was compromised and encrypted, but none of it was released. Kronos regained access to this classified information moments after it awarded two years of free Experian IdentityWorks to affected employees as compensation. The package included, among other things, credit monitoring and additional insurance.
In August, criminals used the LockBit ransomware to exfiltrate data from the French hospital Centre Hospitalier Sud Francilien. In response to the unpaid ransom, the hackers released patient data and other medical records. The attack disrupted the hospital's operations, and the facility was forced to transfer patients to other centers or even cancel or postpone treatments and operations.
Another French hospital, André Mignot in Versailles, was also targeted in December. To maintain security, the facility was forced to turn off its network. André Mignot reduced the admission of new patients and transferred some of them to other centers.
How do ransomware attacks work?
Ransomware attacks can be initiated in many ways. One of the most common is phishing: a user receives an email with a file that appears to be safe and legitimate, and when they open it, malware hijacks the victim's device. It can even gain administrative access through social engineering techniques. In such a situation, ransomware is able to spread from one computer to another and eventually infect the entire network. The most aggressive forms of ransomware, such as Petwrap/Petya, completely bypass the user and hijack devices through existing vulnerabilities.
Once the computer is infected, the malware encrypts all the user's files and forces the system to reboot. This is followed by a message about the exploit, the requested ransom (usually in the form of an unidentifiable Bitcoin payment), and the due date. If the company decides to pay the stated amount, a decryption key will be provided. If not, the data will be permanently encrypted and inaccessible.
Any organization can fall victim to this type of attack. However, ransomware targets are chosen based on factors such as vulnerability, data sensitivity, and the desire to avoid publicity. For example, universities tend to have a low level of protection against ransomware and other threats, while they have a high level of file sharing, which makes them easy targets for phishing attacks. Government organizations and cities have computer systems on which critical public services such as law enforcement, emergency response, public transportation, and the judiciary rely, so lost data has to be recovered almost immediately. For hospitals and medical facilities, this information can literally be a matter of life and death. In contrast, banks, corporations or law firms may have to pay to avoid being linked to a ransomware attack and have the financial resources to do so.
Ransomware attacks can pose a greater threat than simple data theft. Theft is costly and embarrassing for the victim, but the data remains available to the organization. However, in the event of an attack by this malware, companies lose access to all information and files.
Ransomware continues to evolve in terms of technology and technique. Cybersecurity experts report that ransomware is converging with data theft and data exfiltration to create a particularly harmful threat.
Traditional exfiltration is a combination of extortion and data theft. Hackers breach enterprise security and take important information – business data, intellectual property or financial records. The criminals then value the stolen records on the black market and contact the victim to demand payment. Otherwise, the data will be sold. The attackers in this case benefit from the reputational damage, potential regulatory action, and other effects of disclosing classified information, while the data itself remains available to the organization.
Some ransomware variants such as Maze or DoppelPaymer have been used to add a data exfiltration threat. If victims are hesitant to pay the ransom, hackers share some of the data to increase the pressure and release the exploit. By combining the loss of reputation resulting from data theft or exfiltration with the operational disruption caused by a ransomware attack, this type of attack can be dangerously effective in countering the use of data backups as a defense against ransomware.
How does A10 protect against ransomware?
Effective protection against ransomware depends on full visibility of encrypted traffic and stopping any stealth attacks at the network edge. A10 Networks Thunder SSL Insight (SSLi) enables SSL decryption and SSL inspection to enhance the effectiveness of your existing security infrastructure and detect ransomware, malware and other exploits hiding in encrypted traffic.