Defending Against Ransomware: Insights into the Evolution, Tactics, and Best Practices for Protection
The Indonesian-language version can be read here.
Every day, individuals, businesses, and even government entities find themselves in the crosshairs of malicious actors wielding ransomware. Gone are the days when cyber attacks were merely a nuisance or inconvenience. Ransomware, with its insidious nature and destructive potential, has raised the stakes to unprecedented levels and has become a weapon of choice for cybercriminals, capable of wreaking havoc at a scale that would have been unimaginable a decade ago.
Ransomware attacks are becoming increasingly common worldwide, and Indonesia is not immune to this trend. Over the past few years, the country has experienced several noteworthy ransomware incidents, which include:
- In May 2023, Bank Syariah Indonesia (BSI), the largest Islamic bank in the country, experienced a ransomware attack, resulting in service disruptions for several days. The hacker group LockBit claimed responsibility for the attack and demanded a ransom of US$20 million, which the bank refused to pay.
- In 2022, Bank Indonesia, the central bank of the Republic of Indonesia, confirmed that it had been targeted by a ransomware attack. Fortunately, the bank clarified that the attack had no impact on its operations and did not compromise any critical data. The bank took immediate mitigation measures to address the incident.
- In June 2021, Rumah Sakit Dharmais, a hospital in Indonesia, fell victim to a ransomware attack that encrypted its systems and demanded a ransom payment. The hospital made the decision not to pay the ransom and instead collaborated with cybersecurity experts to restore its systems. The attack caused disruptions to the hospital’s services, including its patient database and medical record system.
What is Ransomware?
Ransomware is malicious software that blocks users from accessing their computer resources and data. Most variants encrypt files on local disks, external hard drives and network shares, then demand a ransom in exchange for the decryption key. The goal is extortion rather than destruction for its own sake: the malware displays a ransom note on the victim's screen with instructions for payment. Ransomware can spread to connected devices, and perpetrators favour hard-to-trace payment methods such as prepaid cash cards and cryptocurrencies to evade identification.
The Evolution of Ransomware
Throughout its history, ransomware has evolved significantly. The first documented instance, known as the AIDS Trojan, emerged in 1989 when Dr. Joseph Popp mailed it on labeled floppy disks to researchers who had attended an AIDS conference. Disguised as an AIDS risk-analysis program, the malware activated after the victim's computer had been rebooted 90 times. It hid directories and encrypted the names of the files on the hard drive with a simple symmetric cipher, then demanded a $378 ransom for a "license" to recover them. Payment was requested by cashier's check to a post office box in Panama. The difficulty and delay involved in collecting payment this way limited the attack's profitability.
In 2005, modern ransomware gained momentum with the appearance of Gpcoder. It followed the same pattern, encrypting selected files and demanding a ransom for decryption, but its encryption was weak and antivirus companies swiftly produced decryption tools. The attackers were also easier to trace because they sought payment through platforms such as PayPal or credit cards.
The mid-2010s witnessed an unprecedented surge in ransomware attacks, earning 2017 the moniker of the "golden year of ransomware." The label came from high-profile incidents such as WannaCry/WCry, which spread worldwide by exploiting unpatched Windows machines over SMBv1 with EternalBlue, one of the NSA exploits published by the Shadow Brokers a month earlier. The fix for that vulnerability, MS17-010, had been available since March 2017; the outbreak hit organisations that had not yet applied it.
Attacker Tactics
Attackers employ various tactics to distribute ransomware, including:
- Social engineering, delivered through social media, SMS and phishing, is the most prevalent route to ransomware infection.
- Phishing attacks rely on social engineering to deceive users into clicking malicious links or opening infected attachments, typically a weaponised document or a small downloader that fetches the ransomware itself.
- Exploits for unpatched software or operating-system vulnerabilities, whether delivered through exploit kits or used directly, let attackers implant malware without any user interaction. The best-known example is the 2017 "WannaCry" outbreak, which spread worm-like across networks by exploiting an SMBv1 vulnerability in Microsoft Windows (MS17-010) for which a patch had been available for two months.
- Criminals also frequently abuse Internet-exposed Remote Desktop Protocol (RDP) services, typically by guessing, stealing or buying credentials, to gain unauthorized access and then propagate ransomware across the network.
Mitigation and Attribution
In order to effectively mitigate and attribute attacks, it is crucial to understand the tactics, techniques and procedures (TTPs) employed by the attacker. The MITRE ATT&CK® framework organises this knowledge at three levels:
- Tactics outline the strategic objectives pursued by adversaries, such as gaining initial network access.
- Techniques encompass the general methods used by threat actors to achieve their goals, such as employing spear-phishing for network entry.
- Procedures detail the precise steps taken by adversaries when employing a technique or sub-technique, such as attaching a weaponized MS Office document in a spear-phishing email.
More detail on TTPs can be found on the MITRE ATT&CK website.
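The RDP tactic described above and the ATT&CK mapping are easiest to see together in detection logic. The following is an added example, not code from the original article: it parses a handful of constructed Windows Security event lines (EventID 4625 failed logon and 4624 successful logon, flattened the way a SIEM export might render them; the exact field layout is an assumption), counts failed RDP logons per source IP in a sliding time window, and tags each alert with the ATT&CK technique IDs an analyst would record: T1110.001 Password Guessing, T1021.001 Remote Desktop Protocol, and T1078 Valid Accounts once the guessing succeeds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry), mimicking a SIEM's flattened
# export of Windows Security events. EventID 4625 = failed logon, 4624 =
# successful logon. LogonType 10 = RemoteInteractive (RDP); when Network Level
# Authentication is enabled, failed RDP attempts commonly surface as LogonType 3.
SAMPLE_LOG = """\
2023-06-01T02:14:01Z EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.45 Host=FS01
2023-06-01T02:14:09Z EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.45 Host=FS01
2023-06-01T02:14:17Z EventID=4625 LogonType=3 TargetUser=backup SrcIP=203.0.113.45 Host=FS01
2023-06-01T02:14:25Z EventID=4625 LogonType=10 TargetUser=sysadmin SrcIP=203.0.113.45 Host=FS01
2023-06-01T02:14:33Z EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.45 Host=FS01
2023-06-01T02:14:41Z EventID=4625 LogonType=10 TargetUser=it SrcIP=203.0.113.45 Host=FS01
2023-06-01T02:14:49Z EventID=4625 LogonType=3 TargetUser=administrator SrcIP=203.0.113.45 Host=FS01
2023-06-01T02:14:57Z EventID=4625 LogonType=10 TargetUser=svc_sql SrcIP=203.0.113.45 Host=FS01
2023-06-01T02:15:05Z EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.45 Host=FS01
2023-06-01T02:15:13Z EventID=4625 LogonType=10 TargetUser=helpdesk SrcIP=203.0.113.45 Host=FS01
2023-06-01T02:15:40Z EventID=4624 LogonType=10 TargetUser=helpdesk SrcIP=203.0.113.45 Host=FS01
2023-06-01T08:02:10Z EventID=4625 LogonType=10 TargetUser=jdoe SrcIP=198.51.100.7 Host=FS01
2023-06-01T08:02:31Z EventID=4625 LogonType=10 TargetUser=jdoe SrcIP=198.51.100.7 Host=FS01
2023-06-01T08:02:50Z EventID=4624 LogonType=10 TargetUser=jdoe SrcIP=198.51.100.7 Host=FS01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SrcIP=(?P<ip>\S+) Host=(?P<host>\S+)$"
)
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
RDP_LOGON_TYPES = {10, 3}


def parse_events(text):
    """Parse flattened event lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
            "host": m["host"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window count of failed RDP-related logons per source IP.

    Raises one alert per IP once `threshold` failures fall inside `window`.
    A later successful logon from the same IP upgrades the alert: that is the
    moment the attacker stops guessing and starts using a valid account.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    targets = defaultdict(set)    # ip -> account names tried
    alerts = {}                   # ip -> alert
    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = e["ip"]
        if e["eid"] == FAILED_LOGON:
            q = recent[ip]
            q.append(e["ts"])
            targets[ip].add(e["user"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "src_ip": ip,
                    "host": e["host"],
                    "first_seen": q[0].isoformat(),
                    "failures": len(q),
                    "accounts_tried": sorted(targets[ip]),
                    "success_after_burst": None,
                    # ATT&CK technique IDs carried with the alert for attribution
                    "attack": ["T1110.001 Password Guessing",
                               "T1021.001 Remote Desktop Protocol"],
                }
        elif e["eid"] == SUCCESSFUL_LOGON and ip in alerts:
            alert = alerts[ip]
            if alert["success_after_burst"] is None:
                alert["success_after_burst"] = (e["user"], e["ts"].isoformat())
                alert["attack"].append("T1078 Valid Accounts")
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(parse_events(SAMPLE_LOG)):
        print(alert)
```

In the constructed data only 203.0.113.45 crosses the threshold (ten failures against seven different accounts in about a minute, followed by a successful logon as `helpdesk`), while the two mistyped passwords from 198.51.100.7 stay below it. The threshold and window are tuning knobs for your environment; the successful-logon follow-up is what separates background Internet scanning from an intrusion that now needs incident response.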
What Systems can be Attacked?
Ransomware affects devices running every major operating system, yet Windows systems have faced far more attacks than Android devices despite Windows having a smaller installed base. This raises the question of whether Windows is less secure than other operating systems.
There is currently no single definitive explanation for the discrepancy. One plausible factor is the far greater availability of ransomware tooling that targets Windows, which in turn reflects the widespread use of Windows in business environments, where valuable data, shared network storage and exposed services such as RDP make extortion both easier and more lucrative. Further analysis and research would be needed to determine the exact reasons.
Best Practices
Finally, below are the best practices for protecting against ransomware attacks:
- Keep software up-to-date: Regularly update operating systems, applications, and firmware to address known vulnerabilities and ensure systems are protected.
- Back up data regularly: Implement a regular backup schedule, keep at least one copy offline or on immutable storage that ransomware running on the network cannot reach or overwrite, and frequently test both the backup storage and the restoration process.
- Use anti-virus/anti-malware software: Install and regularly update anti-virus/anti-malware software across all devices, including laptops, desktops, servers and mobile devices.
- Limit access to sensitive data: Restrict access to sensitive data and systems to authorized personnel only and ensure that access controls and permissions are set appropriately.
- Employ least privilege: Apply a least-privilege model so that users, service accounts and applications have only the access they need; this limits how far ransomware running under a compromised account can reach.
- Use multi-factor authentication: Require multi-factor authentication for access to sensitive systems and data, and especially on remote-access services such as RDP and VPN, so that a guessed or stolen password alone does not grant access.
- Be cautious of phishing emails: Train employees to be cautious of phishing emails, links, and attachments that may contain malicious content and to report suspicious emails to IT personnel.
- Establish an incident response plan: Have an incident response plan in place to ensure a quick and effective response to a ransomware attack, including plans for restoring data from backups and communicating with stakeholders.
- Regularly test cyber incident response plans: Regularly test and update cyber incident response plans to ensure their effectiveness.
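Backing up is only half of the practice listed above; the other half is proving that a restore is trustworthy before relying on it. Below is an added example, not code from the original article: it records a SHA-256 manifest when the backup is taken, then checks a restored tree against that manifest, reporting missing, changed and unexpected files and entropy-testing every changed file so that a backup which silently captured already-encrypted data is caught before it is restored into production. The sample files, the 7.5-bit entropy threshold and the README_DECRYPT.txt ransom-note name are all constructed for the demonstration.

```python
import hashlib
import math
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256. Store the result
    where the backup host cannot overwrite it: ransomware that reaches the
    backups can just as easily rewrite a manifest kept beside them."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path, entropy_threshold: float = 7.5) -> dict:
    """Compare a restored tree against its manifest.

    Files whose hash changed are additionally entropy-checked: a changed file
    that now looks like random bytes is the signature of a backup taken after
    encryption had already begun. Compressed formats (zip, jpeg) are naturally
    high-entropy, so treat 'suspicious' as a lead to inspect, not a verdict.
    """
    report = {"ok": [], "modified": [], "missing": [], "suspicious": []}
    present = {p.relative_to(restored).as_posix(): p
               for p in restored.rglob("*") if p.is_file()}
    for rel, digest in sorted(manifest.items()):
        p = present.pop(rel, None)
        if p is None:
            report["missing"].append(rel)
        elif sha256_file(p) == digest:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
            if shannon_entropy(p.read_bytes()) >= entropy_threshold:
                report["suspicious"].append(rel)
    report["extra"] = sorted(present)   # files the manifest never knew about
    report["trustworthy"] = not (report["modified"] or report["missing"] or report["suspicious"])
    return report


def demo() -> dict:
    """Constructed sample data, not from any real incident: back up three files,
    then simulate a restore from a backup taken after ransomware had run."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2023-01-01,100\n" * 50)
        (src / "notes.txt").write_text("quarterly review notes\n" * 40)
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        manifest = build_manifest(src)

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        # What a ransomware run before the backup leaves behind: one file replaced by
        # ciphertext (deterministic stand-in: every byte value 16 times, entropy 8.0),
        # one file deleted, one ransom note dropped.
        (restored / "finance" / "ledger.csv").write_bytes(bytes(range(256)) * 16)
        (restored / "config.ini").unlink()
        (restored / "README_DECRYPT.txt").write_text("your files are encrypted\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo reports `notes.txt` as intact, `finance/ledger.csv` as modified and suspicious, `config.ini` as missing and the ransom note as an unexpected extra file, so the restore is marked untrustworthy. Wiring this check into the regular restore test turns "we have backups" into "we have backups we have proven we can restore from".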
If you have any doubts or questions, feel free to post them in the comment section below.