Dealing With Evolving Ransomware During the Pandemic

Cyber criminal groups are turning more and more to COVID-19 themed emails to carry out phishing attacks and plant ransomware, in an attempt to exploit employees’ worries over the pandemic and the safety of the people they care about.


Moreover, remote working significantly increases the chances of a ransomware attack’s success. This can be attributed to the combination of weaker security measures on home networks and a greater chance that users, anxious about the pandemic, will be tempted to click on COVID-19 themed ransomware lure emails.


Today, ransomware lures cover the full spectrum of COVID-19 themes, including scams claiming to offer financial assistance from government during the ongoing lockdowns, information on safety gear and vaccines, downloads for free collaboration tools such as audio and video conferencing platforms, and urgent updates to these and other tools.


The infosec community has also seen bad actors coming up with new and creative ways to extort their victims, including moving from data encryption to data exfiltration, and a new scourge called ‘double extortion’, where ransomware encrypts data and forces the victim to pony up a ransom to get it back, then sends the target’s data to other attackers who threaten to release the sensitive data unless an additional ransom is paid.


Unfortunately, during these trying times, businesses are facing several challenges at once. Firstly, the evolving threat landscape mentioned above, in which the pandemic is used as a lure for ransomware attacks. Secondly, security tools and policies may have been relaxed to allow more flexible working practices while users are stuck at home. Finally, security teams have to manage a vast attack surface well beyond the company’s perimeter, and have to deal with incidents under WFH conditions they are unfamiliar with.


So what is the solution? Preparation is always the best defense. Understand which actions are a priority and need attention in the first critical hours following a ransomware incident, and whether lockdown has changed them. Know who is tasked with doing what. Make sure the business has the support it needs, and that lockdown isn’t a hurdle to its ability to respond.


Although the security team is the first line of defense, users will always be at the front line, and the weakest link in the security chain, so education, training and awareness matter. The majority of ransomware enters the network via phishing attacks. In the past, these emails were relatively easy to pinpoint; however, they are becoming more and more sophisticated, with some nearly impossible to tell apart from the genuine article. At the same time, threat actors are no longer adopting a ‘mud against the wall’ approach of sending out hundreds of mails in the hope that one or two stick; their campaigns are targeted and slick, often appearing to come from a colleague. Organisations need to train their employees in how these scams work, and how to identify and avoid them.


There are other steps organisations should take to defend themselves against ransomware. Always take regular, full system backups of all servers, databases and files. It is also worth considering an additional archive copy of key servers and data sets that is stored offline or in a form that cannot be tampered with by an attacker who gets his or her hands on administrator logins. Another must is having a good anti-malware solution in place, and keeping all software updated and patching critical vulnerabilities, with an emphasis on browser and productivity application vulnerabilities.
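A tamper-resistant archive copy is only useful if you can tell, before restoring, that it has not been encrypted or altered in the meantime. The following is an added example (not code from the article or any product it mentions) showing one way to do that: take a snapshot of a directory tree, record a SHA-256 manifest of the copy, and later verify the archive against that manifest so that modified, missing or unexpected files are reported. The directory layout, file names and simulated tampering are constructed for the demo.

```python
"""Added example: snapshot a directory tree, record a SHA-256 manifest,
and verify the archive copy against it before trusting it for recovery.
Paths, file contents and the simulated tampering below are constructed."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def snapshot(source: Path, archive: Path) -> dict:
    """Copy the source tree to the archive location and return the copy's manifest."""
    shutil.copytree(source, archive, dirs_exist_ok=True)
    return build_manifest(archive)


def verify(archive: Path, manifest: dict) -> list:
    """Return (relative_path, reason) for each deviation of the archive from the manifest.

    An empty list means every recorded file is present with its original hash
    and nothing has been added (a dropped ransom note would show up as 'unexpected').
    """
    current = build_manifest(archive)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append((rel, "missing"))
        elif current[rel] != digest:
            problems.append((rel, "modified"))
    for rel in current:
        if rel not in manifest:
            problems.append((rel, "unexpected"))
    return problems


def demo() -> tuple:
    """Constructed walk-through: a clean verify passes, then tampering is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text("CREATE TABLE customers (id INT);\n")
        (src / "notes.txt").write_text("quarterly figures\n")

        archive = Path(tmp) / "archive"
        manifest = snapshot(src, archive)
        clean = verify(archive, manifest)  # expected: []

        # Simulate an attacker with write access overwriting one backed-up file
        # with random bytes (as encryption would) and dropping an extra file.
        (archive / "notes.txt").write_bytes(os.urandom(32))
        (archive / "README.ransom").write_text("constructed placeholder note\n")
        tampered = verify(archive, manifest)
        return clean, sorted(tampered)


if __name__ == "__main__":
    print(demo())
```

The manifest must live somewhere the backup administrator account cannot rewrite (for instance on write-once media or a separate system with its own credentials); if an attacker can replace both the archive and the manifest, the check proves nothing. Running `verify` as a scheduled job against the offline copy, and again immediately before any restore, turns the "cannot be tampered with" requirement into something you actually measure.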


Being prepared is also critical. Carefully consider how your organisation would handle a ransomware incident, particularly during these times of WFH, when physical lockdown restrictions may impact the way an event is handled. Make sure the incident response team has the necessary permissions to be able to travel to gain access to key sites and servers during lockdown, and think about supplementing the team if any core members are ill or in isolation.


Finally, be realistic when it comes to timelines for the full restoration of services, which might take a few weeks instead of a few days. Collaborate with the business continuity professionals to find ways to mitigate and work around limitations that might impact customer service.