Ransomware Attack Risks PDF

Ransomware is a type of malware that encrypts systems and files, demanding ransom for the decryption key. It is commonly delivered through phishing emails with malicious attachments or links. A ransomware attack can significantly impact organizations through reduced productivity from inaccessible data and systems, potential loss of data if recovery points don't go back far enough, and questioning of data integrity even if decrypted. Proper understanding of cyber insurance policies is important to avoid increased financial impacts of claims being denied.

Overview

1- All you need to know
*Definition: malware
*Different types of malicious software
2- Companies that are targeted with malware
3- Ransomware attack risks
*Risks and impact of a ransomware attack
4- Approach to manage ransomware risk
5- Interesting statistics about ransomware
Malware

The term "malware" is a contraction of "malicious" and "software", and designates a malicious program.

Malware is a common name for any software or code that performs unauthorized and harmful actions on your devices, operating systems, and security.

Malicious software encompasses many types of attacks such as spyware, ransomware, command and control, and many more. The most common forms of malware we are confronted with are viruses and worms.

The objectives of malware vary. The most widespread ones are acquiring confidential and sensitive data such as financial, commercial, banking, political or intellectual property information, often for financial gain, or simply damaging your operating system for the fun of it.
Different types of malicious software:

● The Trojan horse is inspired by Greek mythology. The legend goes that it was Odysseus' idea to hide Greek soldiers in a wooden horse covered with gold to take the city of Troy by ruse.

In computing, the principle is the same. The malware disguises itself (exploiting social engineering) as a useful and safe program to convince the recipient to install it in his computing environment. You get Trojan horses by downloading them thinking you are downloading something else, such as an email attachment or software like a browser extension.

Once the program is downloaded, the cybercriminal can access confidential data contained on the computer or network, launch an attack, spy on activities or steal data.

A Remote Access Trojan (RAT) is a popular kind of Trojan that permits the attacker to control the victim's device. RATs are popular because they are easy to create and spread. Millions of Trojans are created every month and anti-malware writers have a hard time keeping up with them.
● A computer virus works like a real infectious agent: it is code that infects a software program. "Virus" is the word most commonly known to the public when it comes to malware, but not all malware are viruses, and that is a good thing since viruses are difficult to get rid of.

After a virus is activated, it replicates and spreads to files and programs on the victim's device.

Viruses are hard to clean up because this must be done by a legitimate program, and the result is often the elimination of the whole file, since antivirus software has a hard time separating the virus from the actual file.

● Spyware does not spread from host to host like a virus. It spies on the user's web browsing, hidden in third-party software. Spyware is often a program installed on your computer without you being aware of it. The program enables its operator to monitor your activity, your behaviour, and the data you send and receive on the device. The purpose of spyware is often to provide information to a third party; this kind of activity is also used in law enforcement. The presence of spyware means there is a weakness in your security, and you should run a security check on your device to make sure other threats have not got through.
● Scareware is a scam preying on the fears of the Internet user. It scares them with fake alarming warning windows such as "Warning: you have a virus" popping up in the middle of the screen. When you click on the fake warning, you are redirected to an infected web page. These unethical advertising practices are used to frighten users into unknowingly purchasing or downloading rogue applications.

● A botnet is a network of infected or hijacked computers remotely controlled by a hacker, usually to launch group attacks for financial gain. The bots (the infected computers) act on the instructions the malware receives from the command-and-control (C&C) server.
Which companies are targeted with malware?

The most affected companies are the ones with vulnerabilities in their security. Those are often SMBs that overlook cyber security when it comes to budget, or SMBs that think hackers are only interested in targeting bigger organizations. Since SMBs are usually not experts in cyber attacks and do not really appreciate the value of the information hackers obtain, they become easy targets for cybercriminals.

According to the National Crime Agency report, financial attacks have become more advanced and less visible, affecting banking systems.

Not only traditional computer devices get attacked. Mobile devices and social media as a whole, a space designed as much for individuals as for companies, are increasingly targeted. Cybercriminals increasingly exploit the sense of familiarity on social media platforms.
Ransomware attack risks

Ransomware attacks and the potential threat to your company

Organizations of all sizes and across industries continue to be challenged with managing the risk and impacts of ransomware attacks. Developing a methodical approach to strategize, plan, prevent, identify, research, resolve, recover, and report ransomware attacks is critical to effectively mitigate the inherent risks and impacts posed by ransomware. One of the greatest challenges ransomware attacks present is the wide range of possible attackers, because the attacker can be anyone using any of the many different attack vectors.
[Statistics panel]
66% of companies estimate it would take five or more days to fully recover from a ransomware attack if they didn't pay the ransom.1
Gartner finds that downtime can be as much as $300,000 per hour on average.
A 2020 survey3 found that 95 percent of organizations globally experience outages, and the average outage lasts 117 minutes.
Ponemon Institute4 has estimated that the average cost of an unplanned outage is nearly $540,000.
What is ransomware?

Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files using encryption and demands a ransom payment in order to regain access.

Once the files or data under attack are encrypted, the user is shown instructions on how to pay the ransom in order to receive the decryption key. However, one of the major risks that result from ransomware is that paying the ransom does not always guarantee the successful restoration of the data encrypted during the attack. Whether the key is received from the attackers or not, having your data impacted by an attacker ultimately draws into question the integrity of the data. An organization that has not considered the risks and impacts that result from ransomware attacks may not only be more vulnerable to an attack, but may also suffer a greater impact than an organization that prepared for ransomware attacks.

It is critical for the organization to proactively consider and plan for potential ransomware attacks, because a lack of resilience to an attack could lead to significant business interruption with a direct impact on the organization's top and bottom lines.
How is ransomware delivered?

Some common ways ransomware is introduced into an environment are social engineering attacks, drive-by downloads, remote desktop protocol, pirated software, and removable media. Most commonly, ransomware is spread through social engineering attacks, which include phishing or whaling attacks containing malicious links or attachments. When the attachments are opened by the user, the malware automatically downloads and installs, typically without the user even being aware. Ransomware can also be introduced into an organization's environment through drive-by downloads: a drive-by download occurs when a user visits a web page and unknowingly downloads and installs malicious code. Remote desktop protocol is a network communications protocol that allows IT admins to gain access to systems remotely; a remote desktop service that is exposed or weakly protected offers an attacker that same access. These methods typically take advantage of, or exploit, browsers (and their plug-ins), applications, or operating systems that are out of date or unpatched in order to infect users. The malware then propagates through the network to maximize the amount of data impacted.


Risks and impact of a ransomware attack

– Misunderstanding cyber security insurance policies can lead to a greater financial impact to the organization if claims are denied
– Loss or reduction in productivity due to the inability to access data or systems
– Restoring data from an older recovery point can result in a significant amount of lost business transactions or other critical data
– Any data touched by cybercriminals or malware will bring into question the integrity of the data
– Legal and other professional fees may be required in order to investigate and prosecute responsible parties
– Data encrypted during the attack may not be able to be recovered, resulting in a significant loss of data
– Paying the ransom can lead to being targeted more in the future
– Paying the ransom may not restore and/or decrypt the data files
– Significant financial liability can result from inability to perform business functions
– Reputational risk to the organization
Who is responsible for preparing for, and responding to, ransomware attacks?

In order to reduce the impact of a ransomware attack, it is critical for an organization's IT Operations, IT Risk and Compliance, Internal Audit, and legal counsel functions to be involved and work together in all aspects of ransomware preparation and response. Although IT Operations is responsible for implementing the technical controls and performing immediate response to an attack, IT Risk and Compliance needs to play a major role in challenging the organization's current state and ultimately the organization's preparedness for ransomware vulnerabilities. IT Risk and Compliance should identify emerging risks related to ransomware and work with IT Operations to ensure the risk is assessed and treated appropriately. IT Operations and IT Risk and Compliance should work with their organization's legal counsel in order to ensure they are appropriately covered by cyber security insurance and have the necessary controls or requirements in place to be eligible for coverage. The Internal Audit function should play an active role in reviewing the response playbook developed and should participate in any tabletop exercises or simulations performed in order to provide constructive feedback on the design, implementation, and operating effectiveness of controls. Additionally, Internal Audit should periodically test controls implemented around preventing, detecting, and responding to ransomware attacks. Lastly, all three functions should coordinate in planning and executing tabletop exercises to ensure the plan is feasible and that all parties know their responsibilities.

Approach to manage ransomware risk

A three-phase approach can be used to effectively manage and address the risks that result from potential ransomware attacks:

Step 1: Plan and strategize
Step 2: Prevent and enhance
Step 3: Identify and respond

[Figure: the three steps drawn as a cycle, with the activities placed under each. Step 1, Plan and strategize: ransomware strategy and planning, simulations. Step 2, Prevent and enhance: security configuration and monitoring, data access and log sources. Step 3, Identify and respond: disaster recovery and remediation, case and incident tracking, digital forensics.]
1 Plan and strategize

Implement and routinely test and enhance robust resiliency plans specific to ransomware attacks to optimize the organization's response in the event of a threat or attack. Resiliency plans should be focused around an organization's critical data sets.

Develop a detailed recovery playbook for ransomware attacks to recover more efficiently, with the following considerations:
– Identification and notification
– Initial steps
– Identification of the most common ransomware scenarios applicable to the organization, to proactively build responses
– Assessment of impact and magnitude of incident
– Steps to determine if the organization should pay the ransom
– Identification of a clean backup for restoration
– Steps on restoring data
– Contact information and details around how to work with legal counsel to engage with cyber security insurance providers, and what information needs to be available
– Resolution steps
– Postmortem review process

Work with your organization's legal counsel to purchase and routinely review cyber security insurance for the organization
2 Prevent and enhance

A combination of preventive and detective controls should be employed in order to prevent an attack from occurring while also being able to detect or identify possible attacks quickly, in order to resolve the incident and greatly reduce the overall impact to the organization. Typical controls for preventing and detecting ransomware include:

Implementation of data classification policy:
Classifying an organization's applications and associated data in a policy assists the organization in determining the level of security and controls needed for various IT assets.

Email protection:
Implementing email protection controls, including email filtering and sandboxing, can help prevent employees from being exposed to phishing attempts and greatly reduce the risk of ransomware being introduced into the environment.
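The filtering control described above can be illustrated with a small rule set. The following is an added example, not code from the original deck or from any mail-security product: it models three checks a filter typically applies before a phishing message reaches an employee (executable or macro-enabled attachments, a display name that claims a different domain than the real sender, and a link whose visible text names one domain while its target is another). The Email class, the extension list and the sample messages are constructed for this example; all domains are fictitious.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Attachment types that mail filters commonly block or route to a sandbox.
# Constructed, illustrative list, not any vendor's policy.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".iso", ".docm", ".xlsm")

# Finds an e-mail address embedded in free text such as a display name.
ADDRESS_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")


@dataclass
class Email:
    """Minimal model of the header and body fields a filter inspects (constructed)."""
    sender: str                                   # address from the From: header
    display_name: str                             # friendly name shown to the recipient
    attachments: list = field(default_factory=list)
    links: list = field(default_factory=list)     # (anchor text, href) pairs from the body


def domain_of(value: str) -> str:
    """Return the lowercase domain of an e-mail address, URL or bare hostname."""
    value = value.strip().lower()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].strip("<>")
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""


def triage(mail: Email) -> list:
    """Return the reasons (possibly none) a message should be quarantined or sandboxed."""
    reasons = []

    # 1. Executable / macro-enabled attachments. Testing only the final suffix
    #    also catches double extensions such as invoice.pdf.exe.
    for name in mail.attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"risky attachment type: {name}")

    # 2. Display-name spoofing: the friendly name embeds an address whose
    #    domain differs from the domain the mail actually came from.
    sender_domain = domain_of(mail.sender)
    for claimed in ADDRESS_RE.findall(mail.display_name):
        if domain_of(claimed) != sender_domain:
            reasons.append(f"display name claims {domain_of(claimed)} but sender is {sender_domain}")

    # 3. Deceptive links: the visible text looks like a URL for one domain
    #    while the href points somewhere else.
    for text, href in mail.links:
        if re.search(r"https?://|^www\.", text.strip(), re.IGNORECASE):
            shown, actual = domain_of(text), domain_of(href)
            if shown and shown != actual:
                reasons.append(f"link text shows {shown} but points to {actual}")
    return reasons


# Constructed sample messages (fictitious domains).
SUSPICIOUS = Email(
    sender="billing@invoices-mailer.test",
    display_name="Payroll Team <payroll@example.com>",
    attachments=["Invoice_Q3.pdf.exe"],
    links=[("https://portal.example.com/pay", "http://portal-example-com.login.test/pay")],
)
CLEAN = Email(
    sender="alice@example.com",
    display_name="Alice Example",
    attachments=["Q3_report.pdf"],
    links=[("https://intranet.example.com/q3", "https://intranet.example.com/q3")],
)

if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, triage(mail) or ["no findings"])
```

Each finding is a reason string rather than a verdict, so the same output can drive a quarantine decision, a sandbox detonation, or just a warning banner, depending on the organization's policy.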

Patching:
Arguably the most important method of preventing ransomware is by having an established
software patching process and applying software patches in a timely manner to protect your
organization from known exploits.
2 Prevent and enhance (continued)

Endpoint protection:
Endpoint protection controls, including antivirus and script-execution controls, can help prevent ransomware from being introduced into the environment while also helping to quickly detect an attack.

Data backups and testing:
Implementing automated data backups that are performed on a frequent basis (daily or weekly) can minimize the data lost during an attack, with multiple recovery points being available. Periodically testing the availability of the backup ensures an organization is able to effectively use and recover from the backups.

Multifactor authentication:
Implement multifactor authentication controls to help protect against the compromise of passwords for privileged accounts.

Data resiliency tools:
Data resiliency tools (e.g., Commvault, Cohesity, Rubrik, Veeam) can be deployed to help identify potential ransomware incidents and alert relevant parties in a more timely and efficient manner.
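The endpoint and data resiliency controls above both rely on recognising the signature of an attack in progress: a single account renaming many files to one new extension within seconds, followed by the appearance of a ransom note. The detection logic below is an added example, not code from the deck or from any of the named products. It runs two rules over a handful of constructed file-server audit lines (the key=value format, the host and user names, and the ransom-note filename pattern are all assumptions for this example, not a real product's log format).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-server audit lines in a simple key=value form (not a real product's format).
SAMPLE_LOG = """\
2024-05-02T10:15:01 host=FS01 user=asmith op=rename src=/share/sales/draft.xlsx dst=/share/sales/final.xlsx
2024-05-02T10:15:03 host=FS01 user=jdoe op=rename src=/share/finance/q1.xlsx dst=/share/finance/q1.xlsx.locked
2024-05-02T10:15:04 host=FS01 user=jdoe op=rename src=/share/finance/q2.xlsx dst=/share/finance/q2.xlsx.locked
2024-05-02T10:15:04 host=FS01 user=jdoe op=rename src=/share/finance/q3.xlsx dst=/share/finance/q3.xlsx.locked
2024-05-02T10:15:06 host=FS01 user=jdoe op=rename src=/share/finance/ledger.docx dst=/share/finance/ledger.docx.locked
2024-05-02T10:15:07 host=FS01 user=jdoe op=rename src=/share/finance/budget.pptx dst=/share/finance/budget.pptx.locked
2024-05-02T10:15:09 host=FS01 user=jdoe op=rename src=/share/finance/payroll.csv dst=/share/finance/payroll.csv.locked
2024-05-02T10:15:10 host=FS01 user=jdoe op=create src=/share/finance/HOW_TO_DECRYPT_FILES.txt
2024-05-02T10:20:00 host=FS01 user=asmith op=rename src=/share/sales/old.pdf dst=/share/sales/archive.pdf
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) src=(?P<src>\S+)(?: dst=(?P<dst>\S+))?$"
)
# Heuristic for ransom-note file names; constructed pattern, tune it for your environment.
NOTE_RE = re.compile(r"(decrypt|restore|recover|readme).*\.(txt|html|hta)$", re.IGNORECASE)


def parse(line: str):
    """Turn one audit line into a dict, or None if it does not match the expected form."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def extension(path: str) -> str:
    """Final suffix of the file name, lowercased ('' when there is none)."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def detect_mass_rename(lines, window_seconds=60, threshold=5):
    """Alert when one user on one host renames `threshold` or more files to the same new
    extension inside a sliding window; bulk in-place encryption looks exactly like this."""
    events = [e for e in map(parse, lines) if e and e["op"] == "rename" and e["dst"]]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)          # (user, host, ext) -> timestamps inside the window
    alerts = {}
    for ev in events:
        key = (ev["user"], ev["host"], extension(ev["dst"]))
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > timedelta(seconds=window_seconds):
            q.popleft()                  # drop events that fell out of the window
        if len(q) >= threshold:
            a = alerts.setdefault(key, {"rule": "mass_rename", "user": key[0], "host": key[1],
                                        "extension": key[2], "first_seen": q[0].isoformat(), "count": 0})
            a["count"] = max(a["count"], len(q))
    return list(alerts.values())


def detect_ransom_notes(lines):
    """Alert on newly created files whose names look like ransom notes."""
    return [{"rule": "ransom_note", "user": e["user"], "host": e["host"], "path": e["src"]}
            for e in map(parse, lines)
            if e and e["op"] == "create" and NOTE_RE.search(e["src"].rsplit("/", 1)[-1])]


def analyze(lines):
    """Run both rules and return the combined list of findings."""
    return detect_mass_rename(lines) + detect_ransom_notes(lines)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The two legitimate renames by asmith never trigger the first rule because they go to different extensions and are far apart in time, while jdoe's six renames to .locked within seven seconds do. An alert of this shape is what a data resiliency tool would forward so that the affected share can be isolated and the last clean recovery point identified.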

WORM and immutable file system controls:
Implement write once, read many (WORM) and immutable file system data storage technology in order to ensure that data backups cannot be rewritten or edited.
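The backup, restore-testing and WORM controls above, together with the playbook item "identification of a clean backup for restoration", can be modelled end to end. The following is an added example, not code from the deck or from any backup product: a small catalog that refuses to overwrite or delete a snapshot, a restore test that compares each stored image against the digest recorded when the backup was taken, and a selection routine that picks the newest snapshot that both predates the compromise and passes its test. The snapshot dates, the "ledger" payloads, the truncated copy and the compromise time are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


class RetentionLockError(Exception):
    """Raised when something tries to modify or delete a locked snapshot."""


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    payload: bytes        # stand-in for the stored backup image (constructed)
    manifest_digest: str  # checksum recorded by the backup job at the source


class ImmutableCatalog:
    """WORM-style backup catalog: snapshots can be written once and read many times,
    but never overwritten or deleted while the retention lock applies."""

    def __init__(self):
        self._snapshots = {}

    def write(self, taken_at: datetime, payload: bytes, manifest_digest: str) -> None:
        if taken_at in self._snapshots:
            raise RetentionLockError(f"snapshot {taken_at.isoformat()} already exists and is locked")
        self._snapshots[taken_at] = Snapshot(taken_at, payload, manifest_digest)

    def delete(self, taken_at: datetime) -> None:
        raise RetentionLockError(f"snapshot {taken_at.isoformat()} is under retention lock")

    def snapshot_times(self) -> list:
        return sorted(self._snapshots)

    @staticmethod
    def restore_test(snap: Snapshot) -> bool:
        """A restore test: the stored image must still match the digest taken at backup time."""
        return sha256(snap.payload) == snap.manifest_digest

    def latest_clean_before(self, compromise_time: datetime):
        """Newest snapshot taken before the compromise that also passes its restore test."""
        for taken_at in sorted(self._snapshots, reverse=True):
            snap = self._snapshots[taken_at]
            if taken_at < compromise_time and self.restore_test(snap):
                return snap
        return None


def recovery_plan(catalog: ImmutableCatalog, compromise_time: datetime) -> dict:
    """Pick the restore point and quantify the window of transactions that must be replayed."""
    snap = catalog.latest_clean_before(compromise_time)
    if snap is None:
        return {"restorable": False}
    loss = compromise_time - snap.taken_at
    return {"restorable": True,
            "restore_point": snap.taken_at.isoformat(),
            "data_loss_window_hours": round(loss.total_seconds() / 3600, 2)}


def lock_is_enforced(catalog: ImmutableCatalog) -> bool:
    """True when both overwrite and delete of an existing snapshot are refused."""
    first = catalog.snapshot_times()[0]
    refused = 0
    for action in (lambda: catalog.delete(first),
                   lambda: catalog.write(first, b"x", sha256(b"x"))):
        try:
            action()
        except RetentionLockError:
            refused += 1
    return refused == 2


def build_sample_catalog() -> ImmutableCatalog:
    """Constructed scenario: daily snapshots, one corrupted copy, one taken after the attack began."""
    cat = ImmutableCatalog()
    day = datetime(2024, 5, 1)
    good = b"ledger rows 1-1000"
    cat.write(day, good, sha256(good))
    day2 = good + b";rows 1001-1200"
    cat.write(day + timedelta(days=1), day2, sha256(day2))
    # The stored copy of the 3 May image was truncated in transit: it fails its restore test.
    day3 = good + b";rows 1001-1400"
    cat.write(day + timedelta(days=2), day3[:-5], sha256(day3))
    # The 4 May snapshot captured data after encryption started, so it must not be used.
    encrypted = b"\x8f\x12 ciphertext stand-in"
    cat.write(day + timedelta(days=3), encrypted, sha256(encrypted))
    return cat


COMPROMISE_TIME = datetime(2024, 5, 3, 10, 15)   # constructed: when encryption was first observed

if __name__ == "__main__":
    catalog = build_sample_catalog()
    print("retention lock enforced:", lock_is_enforced(catalog))
    print(recovery_plan(catalog, COMPROMISE_TIME))
```

With the constructed data the 3 May copy is skipped because its restore test fails, so the plan falls back to 2 May and reports a 34.25-hour window of transactions to reconstruct. That number is the quantity the deck warns about under "restoring data from an older recovery point", and it is what a weekly rather than daily schedule would multiply.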
2 Prevent and enhance (continued)

Network segmentation and file share management:
Logically or physically segment your network in order to inhibit the spread of ransomware.

Tabletop exercises/simulations:
Routinely perform tabletop exercises or simulations in order to identify key gaps in the plan and to ensure the preparedness of all participants who play a key role in the plan.

Training on cyber security threats for all employees:
Routine training on cyber security threats and industry leading practices for employees can significantly reduce the risk of ransomware being downloaded or ingested into the environment. The training should also be reviewed and updated on an ongoing basis as new cyber security threats arise.

Policies:
The organization's IT policies should outline the requirements for the above control considerations and should routinely be reviewed and updated.
3 Identify and respond

In case of an attack, the following steps are recommended in order to help identify, research, resolve, recover, report, and review an attack; they can be detailed in the recovery plan and made available to personnel:

Step 1:
Upon identification, immediately escalate to senior management to initiate the incident response plan.

Step 2:
Actively research the magnitude and breadth of the incident and take action to stop the spread of malware in the environment.

Step 3:
Work with legal counsel to determine whether insurance providers need to be contacted, what their requirements are, and whether they are required to be involved in ransomware negotiations.5

Step 4:
Resolve the incident according to the organization's plan while being in constant contact with legal counsel and insurance providers.

Step 5:
Determine appropriate notification to clients based on contractual requirements, in collaboration with legal counsel.

Step 6:
Perform a detailed postmortem review in order to enhance and optimize the control framework.
Interesting statistics about ransomware

Let's take a look at the latest interesting statistics on ransomware attacks:

Graph One
The average ransom payment has increased gradually over the years, and interestingly, hackers tend to repeat successful attacks and hit the same victims repeatedly.

Graph Two
Most companies have experienced data loss and major downtime due to ransomware attacks. The overall cost of ransomware has doubled in recent years.

Graph Three
More sophisticated strains are emerging.

Graph Four
There is a rise in attacks on SaaS-based applications.

Graph Five
Windows operating systems are targeted frequently. Because Windows is the most widely used platform and necessary updates are often not applied, this leaves vulnerable systems.

Graph Six
Email is the primary delivery method for all types of cyberattacks, and people are still falling victim to malicious social engineering because of a lack of training in basic cybersecurity practices, use of weak passwords, lack of proper access management, and poor awareness.

Graph Seven
Even the countries with access to the most advanced security technologies and considerably higher awareness are also falling victim to these kinds of digital extortion.

Graph Eight
Individual users and businesses will continue to be targeted, and URLs embedded in emails will remain the number one way for computers to become infected.
