
In 2021, 14 of the 16 U.S. critical infrastructure sectors were attacked. Australia and the U.K. reported similar trends. In February 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and other international authorities published a ransomware advisory that outlines the growing concern surrounding increased ransomware attacks worldwide. The advisory highlights 2021 ransomware trends: criminals are more organized and attacks more sophisticated.

In 2016, the international initiative No More Ransom (NMR) was founded by the Dutch National Police, Europol, Kaspersky Lab, and Intel. The initiative offers ransomware victims a new option: free recovery tools that let them restore their files without paying a ransom.

VPNOverview interviewed Jornt van der Wiel, a Security Researcher for the Global Research and Analysis Team at Kaspersky, a founding partner of NMR, to explain the challenges ransomware poses to individuals and businesses.

Ransomware: A Growing Problem Since 1989

Ransomware is not “new” by modern standards. The first ransomware report was in 1989, when American evolutionary biologist Joseph Popp distributed 20,000 floppy disks with the AIDS Trojan (PC Cyborg). Popp wasn’t a programmer, so most victims retrieved files with relative ease.

“In the beginning, when ransomware became popular, [cybercriminals] were attacking everything and everybody. They were sending spam messages or emails to corporations or individuals,” says van der Wiel. “It didn’t matter. You could get infected.”

Ransomware might find its way to a device via a phishing scam, an infected USB stick, or a compromised Wi-Fi connection at your local coffee shop. Weaknesses such as out-of-date software and weak usernames and passwords can give ransomware a chance as well. Once it’s there, the data is encrypted. Often, victims must pay a ransom to get the key that decrypts their device or files or risk losing them for good.

Criminals cost countries billions of dollars

Thirty-three years after the first ransomware event, criminals are more organized, their methods more strategic, and their technology more advanced. These days, anyone is at risk, but professional criminals tend to target “big game”: large companies with hundreds of users and computers.

“They don’t just encrypt one computer, but they try to encrypt all the computers, including the backups,” explains van der Wiel. After an attack, cybercriminals force companies to pay large sums of money. “If they don’t, they’re out of business for a certain amount of time,” adds van der Wiel. “Which might cost more than just to pay the criminals.”

According to a 2021 Sophos report, ransomware costs businesses in 30 countries on average US$1.85 billion. The costs include ransom dollars paid, downtime, and device and network costs. In many cases, victims are left without access to their systems, files, or devices for weeks. According to Coveware, the average downtime for a ransomware attack is 21 days. In a 2021 global study by Kaspersky, 56% of ransomware victims opted to pay the ransom to prevent further damage or cost.

Advanced Ransomware Challenges Law Enforcement

One of the biggest problems victims face when recovering from ransomware is that they don’t know whom to turn to. Law enforcement and cybersecurity policies struggle to adapt to mounting digital crime cases. Online crime spans international borders. Cybercrime policies are in their infancy; the overall analysis by researchers is that local and national authorities are unequipped to handle ransomware attacks quickly, if at all.

“These gangs are really well organized,” van der Wiel warns. “Better than some legitimate companies, with really well-defined procedures. They’re professionals, which makes it difficult to protect against them.” No More Ransom seeks to mitigate this issue by bringing together public and private organizations in the same space. With their efforts combined, NMR and its partners give resources and decryptor tools to victims for free.

Bringing together 170 public and private organizations to address ransomware

NMR brings together public and private companies and law enforcement authorities as a cohesive force against ransomware attacks. Van der Wiel says that, before working with Kaspersky on a cybercrime case, the Dutch Police didn’t know how to handle ransomware. Working with Kaspersky, they stopped a group of cybercriminals who used CoinVault ransomware. “We got all the cryptographic keys for that ransomware variant, and after that, it was quite a success,” says van der Wiel. “Then we said, ‘Why don’t we do this more often, but in a more organized way?’”

Today, victims in the Netherlands can go online and download a template to file a complaint to the police. “If [police] information is in order, they know which ransomware variant to focus on,” van der Wiel says. “If there are a lot of complaints about one ransomware variant, they might start investigating because often they have difficulties getting an overview of what’s going on in the country.”

Governments come together to combat common cyber-enemies

More than 170 support partners promote and assist NMR’s initiative. “We are really apolitical. I think we’re also one of the few places where you can find the Iranians support us, as well as Israelis, on the same page,” van der Wiel points out. In 2022, NMR added three new partners, including the Information Systems Audit and Control Association (ISACA) Sweden Chapter and an Austrian banking group.

Some countries’ governments, like that of the United States, aren’t involved with NMR but have instead developed their own ransomware prevention campaigns. More countries are catching on that cybercrime will cost people and companies millions, even billions of dollars, if they don’t intervene.

Free Access to Ransomware Resources

If you’re attacked by ransomware, you’ll notice soon enough. “There is most likely something on your desktop called a ransom note. It’s an email address that you can contact. Or, it is information like a Bitcoin wallet to pay to,” van der Wiel explains.

If this happens, the first thing that NMR tells victims is: Don’t pay. Victims who pay a ransom still aren’t guaranteed the key they need to unlock their system. By giving criminals what they ask for, victims are financially supporting crime operations.

Here’s what you should do instead:

  1. Report the crime to your local law enforcement authority for your country or region (Europol has a list).
  2. Upload your information to NMR.

“You can paste your information [on the website], and then the Crypto Sheriff will try to find whether there is a decryption tool available or not,” van der Wiel says. If your information matches with a tool on NMR’s database of more than 120 tools, capable of decrypting more than 150 types of ransomware, all you have to do is download the tool and install it on your computer. All of this comes at no cost to the victim.

If your information doesn’t match a tool on NMR’s database, van der Wiel says there’s still hope. “[Victims] can wait until a decryption tool becomes available because sometimes, even after years, decryption tools become available.” NMR has dozens of private and public partners who regularly develop decryption tools. This month, the site added an update to the decryptor for Rakhni, a Trojan that has been attacking victims since 2013.

Prevent Becoming a Ransomware Victim

Avoiding becoming a victim in the first place can save a lot of time and hassle. “The reason [cybercriminals] can make it happen most of the time is because of the human factor,” van der Wiel says.

Online security alerts are sounded within companies but are sometimes misinterpreted, deleted, and ignored. “If they see that there is a certain type of malware installed, which is used for remote access by ransomware groups, and they don’t recognize it as such, think ‘I’ll just delete it,’ or don’t pay much attention to it, then [criminals] can come back another time with a variant that is not detected by that specific antivirus product. Then, you’re kind of screwed.”

Don’t forget about basic preventative practices and make backups

Prevention tools are effective and don’t require a lot of expertise or money. Here are some things you can do yourself:

  • Don’t click on malicious links.
  • Remove emails you don’t trust.
  • Install the latest security software and security patches on your devices.
  • Make regular backups.

Backups are especially vital, van der Wiel says. They are preferably kept offline, for example on a hard disk, so the files can’t be accessed remotely.

“If you keep them online, make sure that there is version control,” he says. “If you have, for example, Dropbox, or something like that, and the file gets encrypted on your computer, they’re also uploaded to Dropbox immediately. You can only download your encrypted files, so that doesn’t work. You should have one with version control where you can go back to the previous version.”

No More Ransom Offers a New Option For Victims

Over the past six years, NMR has helped more than six million ransomware victims get free decryption tools. They hope to grow the platform with more agencies and law enforcement authorities to combat ransomware as a united front. Nomoreransom.org offers a third choice to victims: recover their files securely without paying a dime to cybercriminals.

The work of the NMR Initiative is already paying off, van der Wiel says, and it’s a good sign that criminals aren’t happy. “It’s confirmed that we’re really doing the right thing, and it’s actually hurting their businesses. If we look at the amount of money we saved people… it’s millions and millions of dollars that don’t go into the pocket of criminals.”

If you’d like to learn more about No More Ransom, visit their website. For additional information and more tips on how to combat ransomware yourself, have a look at our in-depth ransomware article.
