Malware and Ransomware Mitigation
Protect your organization from malware and ransomware attacks. Learn how these attacks work and how to respond with the right ransomware mitigation solution.
Executive Summary
Malware is typically defined as a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise disrupting the victim. From spyware and adware to trojans, rootkits, bots, and keyloggers, malware is constantly evolving. Emerging strains are becoming more sophisticated, fooling users, security administrators, and anti-malware products.
Ransomware is a sophisticated form of malware attack that is a serious and costly threat to virtually every enterprise organization, regardless of size or vertical. Ransomware attacks can put critical data at risk of theft or destruction while rendering IT systems inoperable. Enterprise malware and ransomware attacks have been increasing in volume and sophistication for years, and detecting them on the network is becoming more difficult.
The 2022 Verizon Data Breach Investigations Report (DBIR), which covers 2021 incidents, found that ransomware increased 13% year over year, a jump as large as the previous five years combined, and that ransomware featured in 25% of all breaches in North America.
Not every ransomware attack ends in a reported financial loss, but the ones that do cause significant damage. In the first six months of 2021 alone, the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) reported $590 million in ransomware-related activity, over 40% more than the $413 million reported for all of 2020. Beyond the financial impact, ransomware attacks have disrupted energy supplies (Colonial Pipeline), food production (JBS USA), schools, health services, and municipal government operations from Florida to Oregon to Massachusetts.
Organizations hit by ransomware also suffer losses from business disruption: on average they are effectively disabled for about 22 days. While email-based spear phishing has long been a favorite vector of ransomware attackers, attacks increasingly arrive through social media accounts, mobile chat, and collaboration applications.
Ultimately, the way organizations work today puts them at greater risk than ever. This multichannel business communication environment has quickly become embedded in enterprise operations, from Microsoft 365 email to collaboration apps like Microsoft Teams, Slack, Zoom, and messaging apps like Telegram. Today, every business needs malware and ransomware mitigation solutions.
- Ransomware attacks increased by 13% year over year, as much as the previous five years combined. (Verizon DBIR 2022)
- About 4,000 ransomware attacks are estimated to happen every day. (Theiia 2022)
- 60% of organizations reported being hit with ransomware in 2022. (2022 Ransomware Survey)
- 75% of companies experience malware activity that spreads from one employee to another. (Malware Statistics and Facts 2022)
- 80% of ransomware victims experience a second ransomware attack. (Cybereason 2022)
- Businesses spend an average of $1.85M to recover from a ransomware attack, yet less than 10% of victims get all of their files back. (Sophos 2022)
- Global ransomware damage will total about $265B by 2031. (2022 Cybersecurity Almanac)
Malware and ransomware have become a pervasive problem in the decade and a half since modern ransomware emerged, and several trends are driving the growth:
- Email gateways are being overwhelmed by huge, botnet-driven campaigns, polymorphic malware, and URL-based lures that evade attachment-focused detection.
- The growth of the cloud workspace, driven by a massive increase in use by enterprises and individuals across the globe, has dramatically expanded the attack surface. There are far more attack vectors today than just a few years ago, and phishing, the main initial access vector for ransomware, now aims at far more than stealing personal credentials.
- Defenses for collaboration channels and mobile enterprise apps are relatively weak compared to the $3 billion email security industry, so cybercriminals now have a higher probability of success attacking collaboration channels than email.
- The easy availability of malware development tooling has lowered the barrier to entry. Numerous ransomware kits can be licensed by even low-skilled threat groups, and with kits this cheap and accessible, far more cybercriminals are getting involved.
- Organizations are more interconnected than ever, so a single ransomware trojan can spread through an entire organization in days or even hours.
- Victims who pay are frequently targeted again.
The tools and solutions designed to enhance communication and collaboration both internally and externally for organizations have expanded organizations’ threat surfaces. These channels are exposed to serious risk without ransomware mitigation solutions capable of contextual analysis and Natural Language Understanding (NLU).
Slack's large base of individual and business users makes it an attractive target. Threat actors have leveraged Slack's chat and file-sharing capabilities to trick users into opening malicious payloads that deploy remote-access trojans (RATs) and info-stealers.
For example, in 2021 Cisco's Talos team reported threat actors abusing Slack to get malicious attachments in front of users, delivering RATs such as Agent Tesla and AsyncRAT and stealers such as Formbook. According to the report:
“By leveraging these chat applications that are likely allowed, they are removing several of those hurdles and greatly increase the likelihood that the attachment reaches the end user.”
The need for security measures to tackle Zoom ransomware threats is urgent, particularly since Zoom’s meteoric rise in adoption has made it an attractive target for malware and ransomware groups.
Case in point: the Federal Bureau of Investigation (FBI) has warned users of Zoom and other video conferencing tools that business email compromise (BEC) attacks are spreading to virtual meetings. Using deepfake audio and video, attackers pose as executives and instruct employees to make unauthorized fund transfers or hand over sensitive information.
Microsoft has long provided a solid baseline of security across its suite of applications, yet Microsoft 365 and Teams users remain exposed to malware attacks.
Examples include the FakeUpdates malware campaign that infected Teams accounts in 2020 and the LockBit ransomware attack on train operator Merseyrail, which abused a compromised Microsoft 365 account. Companies must add enterprise-wide visibility and security controls to mitigate malware and ransomware across all of these channels.
As the largest professional online network, LinkedIn has experienced its fair share of cyberattacks and data breaches, often as the ‘middle’ platform where threat actors initiate reconnaissance and contact with victims through social engineering.
Case in point: the Lazarus APT group has been creating fake ‘recruiter’ profiles targeting technical support professionals and engineers from the US, UK, and India. Encouraging them to “apply for an open position at one of several legitimate companies,” these scammers then infect their victim’s devices with malware-ridden payloads under the guise of sending them ‘job requirements’. Even one of our executives became the target of a similar LinkedIn scam!
Ransomware on Facebook and Messenger is becoming much more common; some of the most used search queries on Google are “how to fix malware on Facebook” or “how to remove malware on my Facebook account.”
Beyond social media ransomware and Facebook Messenger malware, the platform’s users also fall victim to various scams. One example is the Bearded Barbie. This phishing attack targets unsuspecting Israeli men using a fake Facebook profile of an attractive woman. Once the attacker earns the victim’s trust, the actor moves the conversation to WhatsApp “for more privacy.” From there, the threat actor sends two pieces of malware which give them the ability to spy on and maintain persistence on the victim’s device and steal data.
Since its release, Telegram has enjoyed a reputation as one of the most secure messaging apps in the world. But in the past few years APT groups and other threat actors have turned the platform into a distribution channel for malware that steals credentials and cryptocurrency.
Exhibit A is the malware distributed through Telegram that the SafeGuard Cyber security team discovered in June 2022. According to the report, this remote-access trojan (RAT) “was meant to target new or unsuspecting users of the channel and is used to steal cryptocurrency keys.” Another example is the DarkCrystal RAT (DCRat), which steals logins, credit card information, browser histories, and account credentials.
Companies planning to secure Telegram for business use should deploy a robust cybersecurity system that protects their systems from these threats.
WhatsApp is the most popular global mobile messenger app worldwide, with approximately two billion monthly active users. Unfortunately, threat actors also use the channel to infect unsuspecting people with malware.
One example is the Triada malware, which was first spotted in 2016 and has resurfaced inside an advertising component of a modified version of WhatsApp called FM WhatsApp. This malware acts as a payload downloader, injecting up to six additional trojan applications onto Android phones that can do several malicious actions.
Another instance is a 2022 campaign attributed to Russian threat actors, in which scammers sent spoofed voicemail notifications that appeared to come from WhatsApp. The victim is prompted to click the ‘voicemail’, a malicious link to a website that downloads the JS/Kryptik trojan onto their device.
Three main vectors deliver malware and ransomware onto a device or into a system:
- Email Phishing. Most ransomware attacks in recent history started with phishing emails. These emails trick users into opening a malicious attachment or clicking a malicious URL that executes the ransomware, infecting the recipient’s computer or device and then spreading throughout the IT infrastructure.
  Email, together with trojanized or fake software updates, remains the most common delivery mechanism for malware today. Malicious emails are highly effective, especially when they appear to come from legitimate contacts and parties the recipient trusts. Part of the attacker’s craft is a convincing message: authentic-looking sender addresses, logos, and details such as fonts and the tone of the message.
- Social Media Phishing. Ransomware attacks that begin with social media malware rather than email make up an increasing proportion of the total. They mimic their email counterpart: threat actors send malicious links via direct message. Usually these links lead to a spoofed login page that steals credentials. Phishing links sent via direct message are opened even more often than those sent over email, because people are generally wiser to email threats but open chat messages without thinking.
- Exploit Kits. Exploit kits are automated toolkits that attack known vulnerabilities in systems or applications. A user visits a compromised or malicious website, or runs a vulnerable piece of software, and the kit silently downloads ransomware onto the device and executes it. Browser plug-ins such as Adobe Flash (retired at the end of 2020) and Oracle Java were for years the kits’ favorite targets. The CVE Program, which identifies, defines, and catalogs publicly disclosed cybersecurity vulnerabilities, lists more than 188,000 entries, and the number continues to climb.
  Unpatched vulnerabilities are also how self-propagating ransomware spreads. In 2017 WannaCry infected an estimated 230,000 computers across 150 countries within a day, using the EternalBlue exploit for a Windows SMBv1 vulnerability that Microsoft had patched two months earlier in MS17-010. One of the most destructive ransomware outbreaks in history, WannaCry relied on an exploit stolen from the National Security Agency (NSA) and leaked by the Shadow Brokers.
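As an added illustration of the first-pass checks the email and direct-message phishing vectors above call for (example code written for this page, not SafeGuard Cyber's product or any vendor's detection logic), the following Python triages the links and attachment names in a message. The brand list, extension list, thresholds and the sample message are constructed assumptions; the lookalike test uses a crude last-two-labels domain guess and a Levenshtein distance of one, which a production gateway would replace with the public suffix list and a proper homoglyph table.

```python
"""Heuristic triage of the links and attachment names in one message, the kind
of first-pass check a mail or chat gateway runs before a user sees the item.
Added example for this page, not SafeGuard Cyber code; brand list, extension
list, thresholds and the sample message are constructed assumptions."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: brands whose login pages this organization's users routinely visit.
PROTECTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "slack.com",
                     "zoom.us", "linkedin.com", "whatsapp.com"}
# Extensions that commonly carry a first-stage payload when mailed or shared.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".img",
                    ".docm", ".xlsm", ".pptm")
# A document-looking extension followed by an executable one, e.g. invoice.pdf.exe
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|js|vbs|hta|lnk)$", re.I)
# Link text that itself looks like a domain/URL, so it can be compared with the real target.
DOMAINISH = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.I)


@dataclass
class Finding:
    item: str
    reasons: list = field(default_factory=list)


def base_domain(host: str) -> str:
    """Crude registrable-domain guess (last two labels); a production gateway
    would consult the public suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(display_text: str, href: str) -> Finding:
    """Flag cleartext, IDN/punycode, raw-IP, brand-lookalike and text/target mismatches."""
    f = Finding(href)
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme == "http":
        f.reasons.append("cleartext http link")
    if any(label.startswith("xn--") for label in host.split(".")) or any(ord(c) > 127 for c in host):
        f.reasons.append("punycode/IDN host (homoglyph risk)")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        f.reasons.append("raw IP address host")
    base = base_domain(host)
    if base not in PROTECTED_DOMAINS:  # genuine brand domains and their subdomains pass
        for brand in sorted(PROTECTED_DOMAINS):
            name = brand.split(".")[0]
            if name in host or edit_distance(base.split(".")[0], name) == 1:
                f.reasons.append(f"lookalike of {brand}")
                break
    if DOMAINISH.match(display_text):
        shown_url = display_text if "://" in display_text else "https://" + display_text
        shown = urlparse(shown_url).hostname or ""
        if base_domain(shown) != base:
            f.reasons.append(f"link text shows {shown} but target is {host}")
    return f


def check_attachment(filename: str) -> Finding:
    """Flag executable/macro types, double extensions and right-to-left-override tricks."""
    f = Finding(filename)
    lower = filename.lower()
    if DOUBLE_EXT.search(lower):
        f.reasons.append("double extension hides an executable")
    elif lower.endswith(RISKY_EXTENSIONS):
        f.reasons.append("executable or macro-enabled type " + lower[lower.rfind("."):])
    if "\u202e" in filename:  # RTLO flips the visible extension, e.g. report\u202efdp.exe
        f.reasons.append("right-to-left override character in name")
    return f


def triage(message: dict) -> list:
    """Return only the items that have at least one reason for concern."""
    findings = [check_url(text, href) for text, href in message.get("links", [])]
    findings += [check_attachment(name) for name in message.get("attachments", [])]
    return [f for f in findings if f.reasons]


# Constructed sample: one benign Slack link plus lures modelled on the voicemail,
# fake-login and fake-job-description patterns described on this page.
SAMPLE_MESSAGE = {
    "links": [
        ("whatsapp.com/voicemail", "http://whatsapp-voicemail.example.net/play"),
        ("Microsoft account", "https://login.xn--mcrosoft-wsc.com/"),
        ("Reset your password", "https://micros0ft.com/reset"),
        ("Slack workspace", "https://app.slack.com/client/T0/C0"),
    ],
    "attachments": ["Job_Description.pdf.exe", "notes.txt"],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE):
        print(finding.item, "->", "; ".join(finding.reasons))
```

Run as a script it prints four findings from the sample message and nothing for the genuine Slack link or the text file. The heuristics are deliberately cheap: they run before any sandboxing and are meant to quarantine the obvious lures (typosquats, punycode hosts, link text that names one domain while pointing at another, executables dressed as documents) so that heavier analysis is spent on what remains.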
You might wonder which type of device is the top target for malware and ransomware incidents. The answer? All of them.
Malware and ransomware attacks have most frequently affected desktops and laptops because they’re often delivered through email. But, as threat actors have adapted to the boom in social media and the proliferation of mobile chat and digital communication channels, every device is now susceptible - including smartphones, tablets, and even smartwatches. Ransomware mitigation, therefore, needs to be device-agnostic and capable of ensuring security across all devices.
All ransomware attacks restrict access to files or data that are valuable to the user and then demand payment for the user to recover access. But the question remains: how many types of ransomware are there? In general, there are seven broad categories of ransomware.
Crypto-ransomware, the most common and most damaging form, gets inside a system and encrypts the files and data it can reach. Access is impossible without the attacker’s decryption key, unless the malware’s cryptography is flawed enough for researchers to publish a free decryptor, which happens only occasionally.
Scareware displays a message claiming it has detected a virus or an error and instructs the victim to pay a specific amount to “fix” the issue. Most scareware does not actually encrypt anything; it locks the desktop or floods the screen with pop-up messages until using the system becomes impossible.
Rather than encrypting select files, lockers lock victims out of their systems completely, preventing them from accessing anything. Locker attacks show a screen with the ransom demand, often with a countdown timer intended to induce panic and push victims to pay without looking for another solution.
Doxware, or leakware, steals sensitive data (and often encrypts it too) and then threatens to release it, personal data in the case of an individual, confidential data in the case of a business, to specific parties or the general public. Victims pay out of fear of exposure rather than to regain access.
For parties that want to initiate ransomware attacks but don’t have the time, the tools, and/or the expertise, the cybercriminal market has a solution. People can reach out to a professional hacker to do the job for them. This hacker will carry out the attack and receive a portion of the ransom reward in exchange for their services. These hackers, often referred to as “affiliates”, allow ransomware developers to focus on their weapons while they concentrate on infecting more people and generating more revenue.
For the affiliate model to work, each affiliate’s build of the ransomware carries a unique affiliate identifier. When a victim pays, the operators’ payment infrastructure uses that identifier to split the ransom between the developer and the affiliate who infected the victim.
For most ransomware attackers, extortion is now “big business.” According to Recorded Future, attackers and their affiliates commit extortion by threatening to release exfiltrated files unless the victim pays, a tactic often called double extortion. This is partly because extortion cases garner media attention, something many cybercriminals crave.
Publicity helps sell these Ransomware-as-a-Service (RaaS) offerings, but the seemingly lucrative payout is what entices affiliates most. In Russia, the average payout per infected host is reportedly about $300 across roughly 30 ransomware payouts a month. One ransomware group, DarkSide, ran an affiliate program in which affiliates kept 75-90% of the total ransom, depending on the size of the ransom.
This is a targeted, complex, low-volume, high-return form of ransomware attack. The attacker gains entry, makes lateral movements to observe the network, then gains access to exfiltrate files and deploy the ransomware. Big game hunters are patient. It typically takes days for an attacker to understand the network, gain the proper access, and deploy.
Spear-phishing techniques deployed in the cloud workplace are similar in nature and involve an element of social engineering to enable the initial compromise to succeed. The attacker can often perform their target recon on the app itself (e.g., LinkedIn) and then simply request a connection to the target to establish the trust relationship. The more connections the attacker makes within the organization, the greater the established sense of trust.
At this point, the attacker is in an excellent position to launch the attack by sending a malware-laced attachment or link to the targeted victim, under the pretext of a legitimate purpose. For example, cybercriminals might adopt the guise of a recruiter, and will send a malware-laced file link under the cover of a job description. Once the victim clicks through on the document, the host device can be compromised with a first-stage malware payload.
In an enterprise attack, this step is typically only the first stage and would be unlikely to contain ransomware. Longer-term, the objective is to drive lateral movement within the enterprise for long-term persistence and to establish command and control for data exfiltration and, ultimately, ransomware deployment.
Given the nature of these “Big Game Hunting” scenarios where ransomware is often delivered as part of a multi-stage attack process, and may occur on any one of several attack surfaces, it is important to coordinate defensive counter-measures across all of these vectors. For example, detecting a malware attack on a social media app could also be an indication of a broader attack front across multiple attack surfaces such as email and remote access management tools.
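To make the cross-surface correlation described above concrete, here is an added example (written for this page, not SafeGuard Cyber's or any vendor's code) that maps raw events from chat, email and endpoint telemetry onto kill-chain stages and stitches them into one incident per user. The event schema, the sample events, the parent/child process pairs and the thresholds are constructed assumptions; the recovery-inhibition commands it matches (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog, bcdedit recoveryenabled no) are genuine ransomware precursors.

```python
"""Stitch chat, email and endpoint events into one incident timeline per user.
Added example for this page, not SafeGuard Cyber or any vendor's code. The
event schema, sample events, process pairs and thresholds are constructed; the
recovery-inhibition commands are genuine ransomware precursors."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Office, browser and chat clients should almost never spawn a script host directly.
DOC_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "teams.exe", "slack.exe",
               "chrome.exe", "msedge.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe"}
# Commands many ransomware families run to destroy local recovery options
# minutes before encryption starts.
INHIBIT_RECOVERY = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
STAGE_ORDER = ["delivery", "execution", "stager", "inhibit_recovery", "encryption"]


def classify(ev: dict) -> set:
    """Map one raw event to zero or more kill-chain stages."""
    stages = set()
    if ev["source"] in ("chat", "email"):
        # External sender pushing a link or file into a user's inbox or DMs
        if not ev.get("sender_internal", True) and ev.get("has_link_or_file"):
            stages.add("delivery")
    elif ev["source"] == "endpoint" and ev["type"] == "process":
        parent, image = ev["parent"].lower(), ev["image"].lower()
        cmd = ev.get("cmdline", "")
        if parent in DOC_PARENTS and image in SCRIPT_HOSTS:
            stages.add("execution")
        if image == "powershell.exe" and re.search(r"-enc\w*\s|downloadstring|iex\b|bypass", cmd, re.I):
            stages.add("stager")
        if any(p.search(cmd) for p in INHIBIT_RECOVERY):
            stages.add("inhibit_recovery")
    elif ev["source"] == "endpoint" and ev["type"] == "file_rename_burst":
        # An EDR summary such as "2300 renames to .locked in 60 s"; temp/backup
        # extensions written by normal applications are ignored.
        if ev["count"] >= 100 and ev["new_ext"] not in (".tmp", ".bak"):
            stages.add("encryption")
    return stages


def correlate(events: list, window: timedelta = timedelta(hours=72)) -> list:
    """Group classified events per user inside a time window and report users whose
    activity reaches at least two distinct stages, in kill-chain order."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for stage in classify(ev):
            by_user[ev["user"]].append((ev["ts"], stage, ev["source"], ev.get("detail", "")))
    incidents = []
    for user, hits in by_user.items():
        start = hits[0][0]
        chain = [h for h in hits if h[0] - start <= window]
        stages = sorted({h[1] for h in chain}, key=STAGE_ORDER.index)
        if len(stages) >= 2:
            incidents.append({"user": user, "stages": stages,
                              "sources": sorted({h[2] for h in chain}),
                              "first_seen": start, "last_seen": chain[-1][0],
                              "timeline": chain})
    return incidents


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed telemetry: a fake-recruiter lure on day 1, shadow-copy deletion and
# mass renames on day 3 for one user; ordinary activity for another.
SAMPLE_EVENTS = [
    {"ts": ts("2022-06-01T09:02:00"), "user": "jdoe", "source": "chat", "sender_internal": False,
     "has_link_or_file": True, "detail": "LinkedIn DM from 'recruiter' with Job_Description.docm"},
    {"ts": ts("2022-06-01T09:10:00"), "user": "jdoe", "source": "endpoint", "type": "process",
     "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "detail": "Word spawned PowerShell"},
    {"ts": ts("2022-06-03T22:40:00"), "user": "jdoe", "source": "endpoint", "type": "process",
     "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "detail": "shadow copies deleted"},
    {"ts": ts("2022-06-03T22:41:00"), "user": "jdoe", "source": "endpoint",
     "type": "file_rename_burst", "count": 2300, "new_ext": ".locked", "detail": "mass rename"},
    {"ts": ts("2022-06-01T10:00:00"), "user": "asmith", "source": "email", "sender_internal": True,
     "has_link_or_file": True},
    {"ts": ts("2022-06-01T10:05:00"), "user": "asmith", "source": "endpoint",
     "type": "file_rename_burst", "count": 150, "new_ext": ".tmp"},
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc["user"], inc["sources"], " -> ".join(inc["stages"]))
        for when, stage, source, detail in inc["timeline"]:
            print(f"  {when:%Y-%m-%d %H:%M} [{source}] {stage}: {detail}")
```

The point of the 72-hour window is the dwell time the text describes: the recruiter DM and the Word-spawned PowerShell on day one are individually low-confidence, and the shadow-copy deletion two days later would, on its own, be attributed to a single host. Keyed on the user and ordered by stage, the same events read as one intrusion that started on a social channel, which is the moment a responder wants to isolate the host and pull the user's other devices and mailboxes into scope.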
Malware and ransomware attacks are frighteningly successful. The techniques used to deliver malware are constantly evolving, and once encryption takes place it can be very hard to reverse. In practice, most enterprises hit by a sophisticated ransomware attack pay up.
For this reason, the best course of action against ransomware is to mount proactive defenses combined with regular, tested backups. Best practices for mitigating malware and ransomware include:
- Test Backup and Recovery Procedures. The most important part of a ransomware security strategy is regular data backups. Enterprises should perform them as often as possible and combine them with backup and restore drills. Both are essential, but recovery drills are the only way to know whether a backup plan actually works. If a team can recover from a recent backup, it may not need to pay to regain its data. Backups must also be kept where the attacker cannot reach them (offline, immutable, or otherwise isolated), since ransomware operators routinely delete or encrypt online backups before they detonate.
- Enhance Powers of Detection. Effective malware and ransomware mitigation tools proactively monitor all digital communications and immediately detect and quarantine suspicious links, attachments, and URLs. Traditional antivirus software alone does not provide enough protection; enterprises need unified visibility, next-generation solutions leveraging machine learning, to detect known and unknown ransomware and protect every communication channel, including collaboration, chat, conferencing, social media, mobile chat, and email.
- Educate Employees on Cybersecurity Best Practices. Most employees do not know how to respond to ransomware. All employees should understand what ransomware is, how it usually arrives, and what the warning signs are. They should know whom to report suspicions to and what to do if their actions trigger the execution of ransomware.
- Constantly Update and Patch Operating Systems and Software. Attackers work relentlessly to find exploitable vulnerabilities, and avoiding malware and ransomware requires IT teams to be equally rigorous. Vendors patch common vulnerabilities and exposures continuously, and promptly applying updates from legitimate sources significantly reduces exposure; prioritize internet-facing systems and vulnerabilities known to be exploited in the wild.
- Deploy Frictionless Solutions with Rapid Detection and Response. Modern ransomware mitigation solutions perform contextual analysis and can leverage Natural Language Understanding (NLU) to analyze context and intent, which lets them detect attack campaigns through cross-channel event correlation. Some of these tools are cloud-native, scale on demand, and integrate API-first for agentless deployment. With them, IT teams can automatically identify, assess, and respond to threats and stop ransomware before it spreads.
- Monitor the System for Indicators of Attack (IOAs). Extended detection and response (XDR) solutions closely monitor activity across all endpoints and beyond, capturing raw events deemed suspicious. They deliver environment-wide visibility for proactive threat recognition and response at the endpoint level.
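The restore drill that the first best practice above calls for can be scripted. The following added example (written for this page, not SafeGuard Cyber's or any backup vendor's code) records a signed manifest of a backup set and then checks a restored copy against it, so a backup that was silently encrypted, renamed or seeded with a ransom note fails the drill instead of failing during a real incident. File names, the in-memory key and the simulated tampering are constructed assumptions.

```python
"""Restore-drill verification: record a signed manifest of a backup set, then
check a restored copy against it so a backup that was silently encrypted,
truncated or seeded with a ransom note fails the drill instead of failing
during an incident. Added example for this page, not SafeGuard Cyber's or any
backup vendor's code; file names, the in-memory key and the simulated
tampering are constructed assumptions."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and MAC the listing, so an attacker who edits
    backed-up files cannot quietly edit the manifest to match."""
    files = tree_hashes(root)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_restore(restored: Path, manifest: dict, key: bytes) -> dict:
    """Compare a restored tree with the manifest; ok is True only when the MAC is
    intact and nothing is missing, modified or unexpected."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    signature_ok = hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), manifest["mac"])
    expected, present = manifest["files"], tree_hashes(restored)
    missing = sorted(set(expected) - set(present))
    unexpected = sorted(set(present) - set(expected))
    modified = sorted(k for k in set(expected) & set(present) if expected[k] != present[k])
    return {"signature_ok": signature_ok, "missing": missing, "modified": modified,
            "unexpected": unexpected,
            "ok": signature_ok and not (missing or modified or unexpected)}


def drill() -> dict:
    """Constructed drill: back up three files, restore them cleanly, then simulate
    what the same restore looks like after ransomware reached the backup, and
    finally an attacker who also rewrote the manifest."""
    key = os.urandom(32)  # assumption: in practice fetched from an offline secret store
    with tempfile.TemporaryDirectory() as tmp:
        backup, restored = Path(tmp, "backup"), Path(tmp, "restored")
        for root in (backup, restored):
            (root / "finance").mkdir(parents=True)
        for rel, data in [("finance/ledger.csv", b"acct,amount\n1,100\n"),
                          ("finance/payroll.xlsx", b"PK\x03\x04 fake sheet"),
                          ("readme.txt", b"ops notes")]:
            for root in (backup, restored):
                (root / rel).write_bytes(data)
        manifest = build_manifest(backup, key)
        clean = verify_restore(restored, manifest, key)

        # Ransomware-style damage: one file encrypted in place, one renamed, a note dropped
        (restored / "finance" / "payroll.xlsx").write_bytes(os.urandom(64))
        (restored / "finance" / "ledger.csv").rename(restored / "finance" / "ledger.csv.locked")
        (restored / "RESTORE_FILES.txt").write_bytes(b"pay us")
        tampered = verify_restore(restored, manifest, key)

        # Attacker also patches the manifest hash for payroll.xlsx but cannot re-sign it
        forged = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        forged["files"]["finance/payroll.xlsx"] = hash_file(restored / "finance" / "payroll.xlsx")
        forged_report = verify_restore(restored, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_report}


if __name__ == "__main__":
    for name, report in drill().items():
        print(name, "ok" if report["ok"] else "FAILED", {k: v for k, v in report.items() if k != "ok"})
```

The manifest and its key must live somewhere the backup job cannot write to and the attacker cannot read, otherwise the forged-manifest case stops being detectable. Running this against a fresh restore on a schedule, not just when a backup is taken, is what turns "we have backups" into "we have backups we can actually recover from".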
When it comes to malware and ransomware, prevention is better than cure. Reducing the risk of incidents is a priority for most businesses, but if an organization does fall prey to ransomware, the following steps should be followed:
- Remove the Device from the Network. Malware or ransomware on one device is bad, but if it spreads across a network of devices it can be catastrophic. Employees should be trained to immediately disconnect their device from the network (wired, Wi-Fi, and VPN) if they see a ransom demand on their screen, and to do the same if they observe unusual behavior such as being unable to open their own files. They must not restart or power off the device, which can destroy volatile evidence; it should go straight to the IT department.
- Notify Law Enforcement. Ransomware is a crime: theft and extortion rolled into one, which makes it a law enforcement concern. Organizations in the United States should immediately contact the FBI, CISA, or the U.S. Secret Service if they fall victim to a ransomware attack.
- Use Device-Agnostic Risk Analytics to Establish the Scope of the Attack. In the wake of a ransomware attack, security teams need to gather as much intelligence as they can, as fast as they can, to help both internal IT teams and law enforcement formulate a response. Enterprises should work out the nature of the attack: who is behind it, what tools they used, whom they targeted, and why.
  Device-agnostic, contextual risk analysis gives enterprises visibility into suspicious communication patterns, which helps answer these questions. With it, IT managers and network administrators can determine the extent of the attack, disrupt future attacks earlier, and reduce mean time to detect (MTTD) and investigation time going forward.
- Consult with Stakeholders to Develop the Proper Response. Enterprises suffering a ransomware attack need to answer a host of questions: Can they afford to lose access to the targeted files, either because they are backed up or because they are not of the highest priority? Can the organization afford the ransom? Is there any room for negotiation? All stakeholders, from shareholders to legal counsel, should be consulted.
- Get the Post-Mortem Right. The best way to resist the next ransomware threat is to have learned from the last one. After an attack, enterprises should task their IT technicians, network administrators, and cybersecurity teams with a thorough review of the breach. A meticulous assessment of the organization’s infrastructure, practices, and processes is required to discover the security flaws and harden the enterprise against existing and future threats.
The threat of ransomware continues to grow, and attacks are becoming more costly. The average ransomware payment increased by 78% to $541,010 in 2021, according to the Ransomware Threat Report from Palo Alto Networks, and the average ransom demand increased by 144% to $2.2 million.
What’s more concerning is that some high-ranking personnel intentionally put themselves at risk. For example, numerous US government, military, and private sector employees have been found to use their LinkedIn profiles to promote their access to top-secret, high-value information. They are accepting connection requests from complete strangers with no questions asked. This is essentially an open invitation for threat actors to perform cybersecurity attacks on them, especially malware and ransomware attacks.
Moving forward, more companies should proactively secure their data by following the best practices mentioned above and continue to resist being strong-armed by ransomware attackers. When cyber extortion loses its profitability, organizations win.
With the right solution, organizations can detect and nullify ransomware threats before they become an issue. The SafeGuard Cyber platform can keep pace with the scale and velocity of modern business communications with our patented Natural Language Understanding engine that analyzes context and intent across 30+ communication and collaboration platforms. Detect and correlate risk events across channels, disrupt attacks earlier, and quicken MTTD and investigation time. Ensure malware and ransomware mitigation across your full suite of communication channels.