
An Analysis of Ransomware Attacks and a Cyber Specialist’s Path to Recovery

September 09, 2021

Ransomware is the most prominent type of malware used in cyber attacks. It encrypts an organization’s internal data and files so that they are inaccessible to their owners, effectively holding the data for ransom. Usually, the attackers demand a payment or sensitive information in exchange for the key that unlocks the encryption and restores access to the data or system.

Recent statistics show ransomware attacks have increased by about 148% due to COVID-19, and the largest ransomware payout recently made by an insurance company was $40 million. With these attacks occurring almost six times per minute, cyber-protection strategies are increasingly important, whether it’s for a large corporation (like a hospital system), a small business, or a nonprofit with access to sensitive data.[1]

Here, we’ll analyze the causes, effects, and potential routes to recovery for a ransomware attack.

How Ransomware Attacks Happen

The first indication that you’re the victim of a ransomware attack is that systems or files on your network become inaccessible. The data you try to access are encrypted, and you will likely be prompted to contact someone if you want to get your access or data back.

But how was the hacker able to gain entry in the first place? To put it simply, it was probably due to lax security or some other vulnerability. To give you a better idea of such vulnerabilities, here are a few examples.

Phishing Attacks

Perhaps the most common way to exploit security vulnerabilities is through an email phishing campaign. Hackers use botnets to send emails containing a malicious link or attachment. If the link is clicked or the attachment opened, ransomware is installed on the user’s machine and on any machine connected to the network, multiplying the damage. The organization is then held for ransom to resolve the issue.

Open Remote Desktop Protocol (RDP) Ports

Remote Desktop connections allow users to work remotely and are intrinsic to the growth of an organization. However, leaving RDP ports open is much like not locking up after leaving the building: very dangerous. Cybercriminals can install ransomware and other malware at their convenience, or “unlock” several other doors for further access. To prevent this, closing the RDP ports on servers and endpoints is a necessary component of cybersecurity.
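As an added example (not part of the original post), the following PowerShell audit reports whether a Windows host accepts Remote Desktop connections, whether Network Level Authentication is required, and whether the inbound firewall group is open, with a helper that closes the listener on hosts that do not need it. It assumes an elevated PowerShell 5.1 or later session on the host being checked; the function names are my own.

```powershell
# Added example: audit a host's Remote Desktop exposure and, where RDP is not needed, close it.
# Assumes an elevated PowerShell session on Windows 10 / Server 2016 or later (NetSecurity module).
function Get-RdpExposure {
    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication: 1 = Network Level Authentication required before a session is created.
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # PortNumber: the listener port (3389 unless it has been changed).
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # Is anything actually listening, and is the built-in inbound firewall group enabled?
    $listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    $fwOpen    = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                 Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RdpEnabled          = ($deny -eq 0)
        NlaRequired         = ($nla -eq 1)
        ListenerPort        = $port
        PortListening       = [bool]$listening
        InboundFirewallOpen = [bool]$fwOpen
    }
}

function Disable-RdpExposure {
    # Weak setting: fDenyTSConnections = 0 with the 'Remote Desktop' firewall group enabled.
    # Corrected setting: listener disabled and the inbound rules turned off.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                     -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

$state = Get-RdpExposure
$state | Format-List
if ($state.RdpEnabled -and $state.InboundFirewallOpen) {
    Write-Warning "Remote Desktop is reachable on port $($state.ListenerPort); if this host does not need it, run Disable-RdpExposure."
}
if ($state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning 'Network Level Authentication is not required; enable it if RDP must stay on.'
}
```

Where remote access is still required, the usual alternative is to keep the listener off the internet and reach it only through a VPN or Remote Desktop Gateway.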

Compromised Passwords

If users are still relying on old or weak passwords, or simply reusing familiar passwords for multiple accounts, it puts an entire system at risk. Like phishing attacks, the principal vulnerability here is human error. A successful cyber-protection strategy will proactively fight this by training all staff members, not just the IT team, on solid security habits.

Options for Recovery

Though it might seem daunting at first, recovering files from ransomware is possible. Before giving in to a ransom demand, consider whether your data can be recovered by some other means. There are a few options, but it all depends on your organization’s practices and habits.

Option 1: Recover data from a digital backup in one of the forms below.

Local Backups

If local backups exist, the attacker will most likely have deleted them as part of the attack. But don’t worry too much yet; they may have missed some. Additionally, some servers use removable backup disks, and many organizations alternate between two disks so that there is always a relatively recent backup in a secure physical location.

Cloud Backups

If your organization keeps off-site backups in the cloud, these will have escaped the attack and can be used for safe recovery.

Windows Shadow Copies

It’s likely that the hacker would also have deleted any Shadow Copies when deploying the ransomware attack, but again, don’t assume; check to see if they missed any that are accessible.
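An added example (not part of the original post) of the check described above: a PowerShell script that lists whichever Volume Shadow Copies survived on a host and exposes one through a directory symbolic link so files can be copied out. It assumes an elevated PowerShell 5.1 or later session on the affected Windows host; the function names and the ShadowReview link path are my own choices.

```powershell
# Added example: list the Volume Shadow Copies that still exist on this host and expose one
# for read-only browsing so files can be copied out. Assumes an elevated PowerShell 5.1+ session.
function Get-SurvivingShadowCopies {
    # Win32_Volume supplies the drive letter for the \\?\Volume{GUID}\ name that Win32_ShadowCopy reports.
    $volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }

    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        $sc    = $_
        $vol   = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName }
        $drive = if ($vol) { $vol.DriveLetter } else { $sc.VolumeName }
        [pscustomobject]@{
            Id         = $sc.ID
            Drive      = $drive
            Created    = $sc.InstallDate
            AgeHours   = [math]::Round(((Get-Date) - $sc.InstallDate).TotalHours, 1)
            # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
            DevicePath = $sc.DeviceObject
        }
    } | Sort-Object Drive, @{ Expression = 'Created'; Descending = $true }
}

function Mount-ShadowCopyForReview {
    # Creates a directory symbolic link to the snapshot so it can be browsed with Explorer or Copy-Item.
    param(
        [Parameter(Mandatory)][string]$DevicePath,
        [string]$LinkPath = "$env:SystemDrive\ShadowReview"
    )
    if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists; choose another link path." }
    # mklink needs the trailing backslash on the device path.
    & cmd.exe /c mklink /d $LinkPath "$DevicePath\" | Out-Null
    Get-Item -LiteralPath $LinkPath
}

$copies = Get-SurvivingShadowCopies
if (-not $copies) {
    Write-Warning 'No shadow copies remain on this host; fall back to local, removable or cloud backups.'
} else {
    $copies | Format-Table Drive, Created, AgeHours, DevicePath -AutoSize
    # Expose the newest snapshot of the system drive; files are then copied out of the link.
    $newest = $copies | Where-Object { $_.Drive -eq $env:SystemDrive } | Select-Object -First 1
    if ($newest) {
        $link = (Mount-ShadowCopyForReview -DevicePath $newest.DevicePath).FullName
        # Copy-Item -LiteralPath "$link\Users\Public\Documents" -Destination D:\Recovered -Recurse
        # When done, remove only the link, not the snapshot:  cmd.exe /c rmdir $link
    }
}
```

Copy recovered files to a clean destination drive rather than back onto the encrypted volume, so the snapshot is not touched until the host has been rebuilt.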

Database Mining

It is also possible that only a portion of your database was actually encrypted by the ransomware attack. So, another option is to see how much data you can retrieve and whether you can piece it together to fill in the gaps.

Option 2: Re-enter the data from a physical backup.

If your organization keeps paper copies of your files in a physical filing system, this can be used to recreate the digital data files. Although time-consuming, it may save you from paying the ransom. Email trails can also be a source of data, and, once compiled, you may only need to fill in the missing pieces.

Option 3: Try to break the encryption.

This option is severely limited, since most ransomware encryption is difficult to crack. Breaking the algorithms and keys may take many years, if it succeeds at all. But again, it is possible that the hacker is inexperienced, or that the ransomware contains flaws or vulnerabilities that a recovery specialist can exploit. Recovery specialists are trained to advise you on how to decrypt files encrypted by ransomware.

If none of these recovery methods work, your only remaining option may be to pay the ransom. Often, in addition to encrypting the data, the attacker’s demand will include a time limit, so there is always the risk that time will run out. Consider the pros and cons before exploring the payment options or giving in.

The Role of a Ransomware Recovery Specialist

When you encounter one of the ransomware events mentioned above, a ransomware recovery specialist can analyze a security breach and investigate what options are available, if any, before paying a ransom. Since they likely will have access to sensitive data and inside knowledge of security protocols, these specialists should be as transparent as possible. They should be able to answer questions about how they will recover the data, whether they have experience with the type of attack being discussed, and how much it will cost.

A professional ransomware recovery specialist can:

  • Describe the ransomware variant you’ve encountered and what you can expect in terms of recovery and the possibility of breaking the encryption.
  • Explain what vulnerability was exploited and how future attacks can be prevented.
  • Facilitate and ensure compliance if a digital currency payout is required.
  • Estimate what percentage of recovery to expect.

The recovery process should also include a comprehensive strategy for preventing future attacks by training staff and improving organizational security.

Stay Ahead of Cybercrime

The stability of the global economy and the privacy of personal data are at stake. Even as cybersecurity improves, criminals are devising new ways to breach those protections. To successfully meet the threat of ongoing attacks, Yeshiva University's Katz School of Science and Health offers courses that include detailed training and up-to-the-minute cybersecurity protocols and procedures.

The pace, curriculum, and structure of the program appeals to both professionals who want to enhance their current abilities and those who are just looking to start a career in cybersecurity. No matter your skill level, we’d love to welcome you to the program to help combat the growing risk of ransomware and other forms of cybercrime.

[1] Retrieved on August 16, 2021, from varonis.com/blog/ransomware-statistics-2021