Ransomware is a type of malicious software that denies someone access to their files or computer system unless they pay a ransom.
Like most cyber attacks ransomware is financially motivated. Attackers often target a business and set the ransom demand based on what they believe the business would be willing to pay to recover their encrypted data.
CERT NZ does not recommend paying the ransom. It will not guarantee your files will be returned and it can make you a target for further attacks.
Alongside the initial financial demands, ransomware can be damaging in a number of ways like locking employees out of systems and significantly disrupting day-to-day operations and services.
Although there are different types on ransomware, most attacks follow one of a few predictable pathways. The upside of this means there are preventative steps all businesses can take to protect against an attack. These steps act as roadblocks which we call security controls. These controls can be as simple as applying software updates or turning on two-factor authentication (2FA). Other steps are more technical and best discussed with your IT provider.
The diagrams below outline different ransomware attack pathways and illustrate where relevant security controls work to protect or stop an attack.
The common attack paths of a human-operated ransomware incident based on examples CERT NZ has seen
Lifecycle of a ransomware incident [PDF, 28 KB]
Working from left to right the attacker starts with one of the four entry of attack channels and follows the pathway across until it reaches a point where it can demand a ransom. We break these down step by step.
Defending against ransomware doesn’t need to be complicated. By analysing the pathways that attackers follow, we have shown which security controls stop a ransomware attack. No single tool or control can be relied on stop all attacks, but in combination these controls put you in a good position to protect against any attack (not just ransomware) you are likely to face.
How to protect your business against a ransomware attack
Lifecycle of a ransomware incident (with controls) [PDF, 30 KB]
There are lots of points where security controls can stop an attack. When combined you can make a strong defence that can protect you against a variety of cyber security incidents—no matter how it starts or what the end goal of the attacker is. Some of these controls might be easy for you to do, for example applying updates on all your devices - where others may require support from an IT provider.
By using this diagram you can step through the pathways and discuss with an IT provider how to implement the relevant security controls for your business and know what sort of questions to ask.
One security control that appears a lot along the pathway is logging and alerting. This is because the first step in responding to a security incident is being able to detect it and investigate. Having good logging and alerting is one of the key ways that your IT provider can spot something happening before it gets too serious.
Learn more about setting up logs for your website
Learn more about how logging and alerting works
Initial access
In the initial access phase an attacker is trying to find a way into your computer networks and systems. The most common ways the attackers get in are:
- getting usernames and passwords to log in to your computer,
- exploiting weaknesses in systems that are exposed to the internet such as email or remote access systems, and
- sending malware via malicious email attachments.
By making these methods more difficult, you reduce the likelihood of an attacker being able to get onto your computers and carry out their attack. The best place to stop an attack is before it begins. Here’s how you can stop each of those methods.
- Attackers use phishing or password guessing to get valid username and password combinations and use that information to log in to systems such as email or remote access systems. To protect against an attacker logging in to your remote access system use long, strong, unique passwords and turn on 2FA. This will make it very difficult for an attacker to get access.
Find out how you can manage passwords and authentication in your business
Create a password policy for your business
Turn on two-factor authentication - By keeping all your operating systems and software up-to-date you limit the number of weaknesses an attacker could exploit to gain access to your computers. You should identify any systems that might be exposed to the internet and lock these down, you might need some help from an IT provider to do this. Internet-exposed systems are much easier for an attacker to access so having your internet firewall blocking that access helps keep you safe.
- The other common thing attackers might try is sending a document or spreadsheet that, if opened, will try to load malware onto your computer without you knowing. Stopping the attack here can be achieved by using modern endpoint protection software, for example your IT provider might talk about Endpoint Detection and Response (EDR) tools they support. This replaces traditional anti-virus software, and is better suited to stopping these modern threats.
Consolidation and preparation
In this phase the attacker will look to move from the initial computer they compromised, and gain administrative access to all the computers and devices in your business.
Taking control is where an attacker will load malware on to the compromised device. This allows them to maintain their access (for example if you restart the computer), and issue commands for the computer to access other devices in your network. Once again EDR tools are one of the best defences to stop the attack.
Once the attacker has established their ability to take control and deploy additional malware, they look to expand their access and gain full administrative access to all the devices in your network. Locking down use of administrative accounts as well as using network controls like firewalls can help you stop an attacker from being able to move from one device to another. Limiting the attacker to only a subset of your business devices can limit the damage and might allow you to keep operating even if some of the devices have been encrypted.
Impact on target
At this phase the attacker has gained access to the different systems in your business and is now ready to carry out the most damaging part of the attack.
Attackers will often steal your business’ sensitive data and demand payment in order to not release or sell that information. They also delete backup copies of your data and finally, encrypt your data and systems to disrupt your operations.
If you have good logging on your network infrastructure (for example, firewall), you might be able to detect data being copied out of your network which could be a sign of malicious activity.
To get your business back up and running quickly it’s important to have robust and tested backups. These should be kept offline and/or disconnected from your computers so that an attacker can’t delete them.
Just as important as protecting your network from attacks, is being prepared to recover from one if it occurs. The best way to prepare to deal with a ransomware incident is having an incident response plan, to detail what to do when things have gone wrong and your computers aren’t working. Keep a printed copy of this along with key contacts so you have it to refer to even if your business documents have been encrypted.
Being prepared with incident response plan
For IT specialists, you can find more detailed information about the security steps to block each ransomware pathway.
If you think your business has been impacted by ransomware, please report it to CERT NZ