Ransomware guide: cyberattack demons vs angels

I recently watched “Good Omens”, with a demon called Crowley and an angel called Aziraphale representing darkness and light. The series, based on the novel by Terry Pratchett and Neil Gaiman, may even be the book I would take to my desert island. Why do I tell you this? Well, I thought I would discuss ransomware channelling the demonic and the angelic.

Essentially, this is a ransomware guide: how the cyberattackers get in, and how to defend yourself from malware and ransomware attacks. But a lot of ransomware guides fail to give people a proper insight into the people they’re up against. That’s why I’ve split it into two halves: playing the bad guy, then the good guy.

Apparently, it’s always more fun to play the baddy, which is why we start there.

Cyberattack demons (or ransomware attacks for beginners)

So, you’re a wannabe bad guy looking to get into cybercrime. You’ve heard of ransomware and think that sounds easy. How do you start your malware-based career? 

Well, there are now a number of cloud ransomware systems you can use. Much like buying a subscription to Microsoft 365, they will even offer tech support and specialised roles. Here are some of the most lucrative:

The Access Broker: a classic hacker, breaking into the system and then selling access. Obviously, the cost depends on the organisation. Ransomware would be the last piece of the pie, deployed only after the system has been scavenged for every Bitcoin first. They will normally get in using weak passwords or classic phishing.

The Affiliate: having paid for access to the system, they spend time looking around for juicy data. When they’ve finished, they run the ransomware software, with the aim of doing as much damage as possible. 

The Negotiator: at this point, the ransomware creators take over and use the ‘branding’ to try and force the organisation to pay out, maybe with the help of the files that were exfiltrated as well. It is likely they will employ a negotiator who speaks the language. This is almost a customer service role, with the negotiator playing the broker.

The Accountant: finally, you will have an accountant who will make sure that the ransom, when paid, is divided up accordingly between the cloud ransomware syndicate, the negotiator and the affiliate.

Some of the roles above require skill, but the affiliate just requires money to buy access to the system. It’s a low-risk activity, assuming you can afford it. Ethically, however — welcome to the dark side!

This industry is almost doubling every year to 18 months. Some reports say it could be worth hundreds of billions by 2030. But you’re getting into bed with some nasty people and, at some point, it is likely that law enforcement or others may come after you, so caveat emptor!

Angelic defences against ransomware attacks

So, just what can those working for the light do about this scourge of modern connected computers? To start with, the problem is not an IT problem. I realise that most people not in IT will say “yes, it is” but my day-to-day role is as an IT manager, so hear me out.

Firstly, many people think that if it has a plug then IT must deal with it; this isn’t true.  Secondly, others will say that it’s on computers, so it’s an IT problem. I have more sympathy for this argument, but again it is false. This is a business problem meaning the response must be put in place by businesses. IT may implement some of the actions, but that is all.

Too small for cybercriminals to care

Something I have heard a lot, both from within IT and outside, is the argument that “we are too small to worry about”. This is to miss the point; the most common access routes into a system for the access broker are created by failing to patch, reusing weak passwords or phishing. Access brokers don’t only target the big boys. They don’t care: they just want in and will take what they can get.

Prepare your defences against malware and ransomware attacks

Check that you have the following documents:

  • Risk register
  • Disaster recovery plan
  • Incident management plan
  • Business continuity plan

In larger businesses, there will be many copies of these. Maybe an overarching plan that covers the entire business, with sub-versions for sites or divisions, all printed and held off-site. Printed in case you get ransomed and don’t have access to the computer system and off-site in case of fire or flood.

A risk register will list the risks that have been identified by the organisation, using quantitative (numbers) or qualitative (vague hand-wavy feelings) measures to rank the risks.  It will then contain what the risk is and any mitigation, as well as whose problem it is. This should be created across the entire organisation, not just IT.

The disaster recovery plan is written instructions on how the organisation can continue to work after an incident. It is part of the business continuity plan, though often kept as a separate document. It should state that if X happens, follow protocol Y. The plan will take its lead from the risk register and will contain IT references, but will also include input from finance, HR and marketing, for example.

Incident management plans are a playbook for a particular event, such as ransomware. They will include what to do, so may say that IT has the authority to shut everything down “now” to prevent further spread, as well as, for example, what the marketing team will say to the media. Again, these could be based on the risk register and will contain input from everyone in the organisation.

Finally to the business continuity plan. This sets out “how we carry on running” and defines the minimum level of service, informing all other plans.

While this will include tasks such as data recovery, let me reiterate; this is not just an IT problem!

The astute reader will have spotted that I haven’t mentioned costs. The jaded side of me says the cost is always too much… until the event occurs and then suddenly the money can be found.

Decryption software

There are decryptor tools for certain types of ransomware, but don’t rely on them. Most often they only work because the designers did something not recommended: rolling their own crypto. However, there is not much money in reversing the work, and many ransomware programs do the crypto correctly and don’t have a decryptor.

After the ransomware attack

Whatever the documents you have prepared say, there are only three questions to answer now the worst has happened.

  1. Do you pay the ransom? This will be a top-level decision and may involve the business insurers and others. The police say not to pay, as you are funding organised crime or unsanctioned countries. The practicality is that a large percentage of firms do pay just to regain access to their data.
  2. A forensic post-mortem? You should have an agreement with a specialised firm for this. I deal with smaller firms and would blast the Windows systems from low orbit and rebuild everything, but that takes planning, and backed-up data, to be able to do. Take care, you don’t want to let the bad guys back in!
  3. Are you required to tell? I am sure the police would love to be told and give you a crime number, but they are unlikely to do anything more. You may have told your insurer, but you could also be legally obligated to tell others, like a regulator, or the ICO if you have lost personal details. It will want to know what you have lost so make sure that is documented.

All this doom and gloom, how can this (hopefully!) be avoided in the first place?  Well, I have mentioned the big three already, but let’s spell them out.

Patch your systems. Make sure that there is a process in place to keep things up to date. IT should have a system in place, not just for Windows (Windows update) but all the other software in use. And all of that software should be listed in a register. Okay, this is definitely an IT task!

Don’t reuse or use weak passwords. This is on everyone. Ensure that you use a long, strong password. If someone can access your account remotely, using your login details, they can potentially run ransomware on your organisation’s systems. Or at least start the nefarious process.
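As an added illustration of the password advice above (example code written for this article, not the author's own), here is a small Python policy check that rejects short passwords, passwords found on a breached list, and passwords reused from an account's stored history. The breached list, the 14-character minimum and the PBKDF2 parameters are assumptions chosen for the example; the reuse check compares against stored salted hashes rather than keeping old passwords in clear.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a short stand-in for a real breached-password corpus.
BREACHED = {"Password1", "Winter2023!", "letmein", "qwerty123"}

MIN_LENGTH = 14          # assumed policy value
PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256, as stored per account."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any previously stored (salt, digest) pair."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password in BREACHED:
        problems.append("appears in breached-password list")
    if reused(password, history):
        problems.append("reused from account history")
    return problems


if __name__ == "__main__":
    # Constructed account history: one previously used password, stored hashed.
    previous = [hash_password("Winter2023!Office")]
    for candidate in ("letmein", "Winter2023!Office", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, previous) or "accepted")
```

The same check runs equally well against a history of hashes pulled from several systems, which is how you would catch the same password being reused across accounts rather than only across time.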

Finally, that annoying phishing test is there because that is how people break into systems.  Treat all emails with suspicion: this is why you get training on this stuff.  You are the human firewall and also the link that is most likely to fail. It’s easier to be invited in than to break in.  The reality is that the organisation must be right all the time, but the bad guys only have to be lucky once.
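To make the phishing point concrete, here is an added Python example (not from the original article) that runs a few indicator checks over two constructed email messages: a lookalike sender domain, a Reply-To that points somewhere other than the sender, and urgency language in the subject. The domain example-corp.com, the sample messages and the keyword list are all made up for the example; the function flags indicators for a person or a mail-filtering rule to act on, it does not decide on its own.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail): raw headers plus a short body.
SAMPLES = {
    "invoice": """From: "Finance Dept" <finance@examp1e-corp.com>
Reply-To: collections@mail-relay.example.net
To: staff@example-corp.com
Subject: URGENT: overdue invoice, action required today

Please open the attached invoice.
""",
    "newsletter": """From: "IT Team" <it@example-corp.com>
To: staff@example-corp.com
Subject: Monthly patch window on Friday

Systems will be unavailable from 18:00.
""",
}

OUR_DOMAIN = "example-corp.com"  # assumed organisation domain
URGENCY_WORDS = ("urgent", "immediately", "action required", "account suspended")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike(domain: str, ours: str) -> bool:
    """Flag domains that differ from ours only by digit-for-letter substitutions."""
    swaps = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
    return domain != ours and domain.translate(swaps) == ours


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable indicators found in one raw message."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    flags = []
    if lookalike(sender_domain, OUR_DOMAIN):
        flags.append(f"sender domain {sender_domain} looks like {OUR_DOMAIN}")
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append("Reply-To domain differs from From domain")
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        flags.append("urgency language in subject")
    return flags


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", phishing_indicators(raw) or "no indicators")
```

Each indicator on its own is weak (plenty of legitimate mail has a different Reply-To), which is why the output is a list to score or review rather than a verdict.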

Michael Dear

Michael has worked for more than 20 years running IT departments, mainly for small to medium insurance firms. His primary interest is focused on security and compliance.