Ransomware is one of the most frequent and damaging types of malware, and it presents a significant threat to organisations that rely on computer systems to function.
The Australian Cyber Security Centre (ACSC) has seen an increase in the number of ransomware incidents affecting Australian organisations. In response, it has provided information on risks, impacts and preventive actions associated with ransomware incidents intended to inform Australian small to medium businesses, industry organisations, and Commonwealth entities.
This article explores what ransomware is, common tactics used by cybercriminals, and how you can prevent ransomware and its impacts, as outlined by the ACSC.
What is ransomware?
Ransomware can encrypt all connected electronic devices, folders and files, rendering systems inaccessible. Cybercriminals then demand payment of a ransom to provide the decryption keys.
Malicious actors use various methods to infect devices, including persuading victims to visit unsafe websites or click on malicious links.
Ransomware incidents can happen to any organisation, regardless of the size or sensitivity of information held.
Ransomware innovations and common tactics
Cybercriminals are constantly innovating their ransomware tactics to increase the potential damage of their attacks and increase the likelihood of receiving ransom payments. Some even employ customer service teams to assist victims with paying in Bitcoin or other cryptocurrencies.
Many cybercriminals are sophisticated enterprises that undertake extensive reconnaissance on their targets to understand their vulnerabilities and ability to pay. Some common tactics include:
- Increasing the ransom price after a specific time period to persuade the victim to make early payment.
- Offering to decrypt a portion of the encrypted network for a reduced price to encourage the victim to pay at least part of the ransom.
- Targeting sectors such as essential or critical services that are vulnerable and likely to be under pressure to pay.
- Threatening to publicly release information if the ransom is not paid.
- Publicly advertising successful compromises prior to the ransom due date to place pressure on the victim.
Preventing ransomware and mitigating its impacts
The ACSC recommends following its Essential Eight mitigation strategies to prevent and prepare for ransomware incidents. Some of the strategies to consider implementing include:
- Back up computers, phones and other devices regularly.
- Ensure operating systems and software are regularly patched.
- Disable macros in Microsoft Office where possible.
- Have a plan ready to reduce the damage and impact of ransomware to business operations.
If an organisation becomes the victim of a ransomware attempt, it’s advised not to pay the ransom, as it does not guarantee that the cybercriminal will decrypt files, and it potentially makes the organisation vulnerable to future ransomware attacks.
Case study: Victorian health sector targeted by ransomware
A ransomware attack in September 2019 targeted several hospitals and clinics in Victoria and disrupted patient records and financial systems. Medical staff had to resort to paper-based administration, resulting in rescheduled appointments and surgeries.
A multi-agency response team was established, comprising hospital officials, service providers and cyber security experts working alongside state and federal police and the ACSC. Compromised networks were fixed within a few weeks.
The incident stemmed from a shared Managed Service Provider (MSP) that had been infected with ransomware. This case highlights the importance of scrutinising the cybersecurity measures of an organisation’s MSP.
Key takeaways
Ransomware presents a growing threat to Australian organisations. Cybercriminals are constantly innovating their tactics, and it is essential for organisations to take robust measures to prevent and mitigate the impacts of ransomware. The ACSC recommends implementing its Essential Eight mitigation strategies, which include regularly backing up devices and having a plan in place to deal with ransomware incidents.