Ransomware Attack Protection: How It Spreads and How to Stay Safe

Cyber attacks are growing in quantity and severity

The number and severity of cyberattacks keep increasing every year. According to the Clusit Report, ransomware is one of the most widespread threats, responsible for a large share of global incidents. For companies and individuals, understanding how these attacks spread and how to implement effective ransomware attack protection is essential.

The main attack technique: Ransomware

Ransomware is a type of malware that prevents access to data and demands a ransom to restore it. Some well-known outbreaks, such as WannaCry in 2017, showed how quickly these attacks can spread and disrupt entire organizations.

The idea of infecting a PC to encrypt the data inside and ask for a ransom dates back to 1989. The biologist Joseph Popp spread the AIDS Trojan which, after encrypting files on hard disk, displayed a message to inform the victim that a hypothetical software had an expired license and was asking to pay $ 189 to unlock the system.

But the attack that made the Ransomware technique known to the whole world was WannaCry. In May 2017, over 230,000 computers in nearly 100 countries were infected and blocked. WannaCry spread via a Windows vulnerability in the handling of the SMB protocol, related to file exchange over the network. The bug in question was called EternalBlue and is thought to have been developed by the NSA and then stolen by a group of hackers called “The Shadow Brokers”.

How it spreads

Although WannaCry did not spread via an email message, most Ransomware attacks start with an email message that carries a virus. These emails may contain a link to a website controlled by an attacker where the user unintentionally downloads the virus. Other times the email contains a malicious attachment which, once opened by the user, downloads the virus on the computer.

How cybercriminals work

The task of the virus is to give criminals access to the system. In this way they can study their victim individually and then determine which type of Ransomware is most appropriate to carry out. Based on the size of the victim – or his ability to pay a more or less high ransom – they decide how to intervene:

• Automatic mode: the virus that has already infected the victim’s PC downloads a software that automatically encrypts the data. A message is then displayed with the cost of the ransom.
• Manually: if the data is large and valuable, the attackers take steps to take a copy out of the company (exfiltrate it). Then they disable or delete the backups and conclude by encrypting the victim’s remaining data or deleting it directly. The only way to recover the data is through the copy that the attackers took outside the perimeter (by paying a ransom).
• An advanced version of the Ransomware attacks also consists in a prolonged stay of criminals within the victim’s systems. In this way they can steal information for a long period of time.
• The payment of the ransom is in some cases asked to prevent the dissemination of stolen data. Attackers, who have previously performed the exfiltration, may threaten to disclose confidential and / or sensitive data. See the attack on the Italian SIAE which, having chosen not to pay, saw its data made public.

What are the tools and techniques to defend against a Ransomware attack?

There is no single tool but a series of techniques and technologies to avoid risk as much as possible. We mention a few:

• A backup system that makes the data unchangeable and / or stored outside the company.
• A Firewall system to protect the perimeter of the company capable of detecting any anomalous outbound traffic.
• A software that protects all devices used by users (Endpoint Protection).
• A good Email Security system to protect corporate email accounts.
• Make users aware of the risk through a training course.

For the management of your business emails we suggest evaluating the services offered by Qboxmail

Qboxmail is a cloud business email management service that provides a suite of complete tools to manage emails anywhere. It includes an advanced Email Security system and Mail Time Machine, the automatic backup service.

For more information contact us, we will be happy to explain our services in detail.

If you want to take advantage of the free trial of all our services
for 30 days sign up here

Clusit, has been founded in 2000 at the Computer Science Department of the University of Milan. It is the largest and most authoritative Italian association in the field of information security. Today it represents over 600 organizations, belonging to all sectors of the Country-System. Qboxmail has been a partner since 2021. More information on clusit.it.