Ransomware is a topic we read about more as time goes on. Unfortunately, much of what we see about it in popular media assumes that there is nothing that can be done about it. That's really far from the truth, and this article suggests an overall business strategy where L&D plays a key role in making users invincible.

What is ransomware?

Just in case this is a new term to some readers, as it may be for the employees you train, here is a (relatively) short summary of what it is and why it needs to be part of your curriculum planning in 2021 and onward.

Ransomware is a form of malicious software ("malware") that can take more than one form, depending on the intent and goals of the persons (criminals, to use the right term) who set up an infection in a system. Basically, ransomware is a way to extort organizations and individuals. Like many criminal activities, ransomware exploits human fears, weaknesses, and lack of knowledge. But the key to remember and to emphasize in training employees is that the criminals who engage in this activity are not geniuses, and the software and the way it is used is not perfect.

Some ransomware is designed to infect your computer, but not all. The criminal who sets up a ransomware attack may claim to have complete control of your system. The attack may threaten to encrypt all of your files so they are unusable unless you pay a ransom of a specific amount by a specific date. If you meet their demands, the criminal will provide you with a key to decrypt the data and other information. Believe it or not, they almost always keep their promise, although they still have your data and may sell it to others or use it to launch another attack. And of course, the cost of retrieving the data is far higher than the ransom alone—in 2021 the cost of cleanup is said to be twice what it was in 2020.

Other ransomware attacks may threaten to release your files or sensitive information to the public or the media unless you pay the ransom. In these attacks and in the ones that encrypt all your files, the ransom is generally paid through a deposit of some form of cryptocurrency in an account that the criminal believes will make recovery difficult or impossible.

In a third form, the criminal claims to have downloaded embarrassing information or video/audio from the camera, microphone, or storage on the victim's computer, and threatens to send these files to all of the victim's contacts. If the victim pays the ransom or meets the attacker's conditions, the attacker says the files will not be sent. This is basically blackmail, and the attacker still has the files (if there actually are any—this may be a bluff or a scam). It may also turn into a "protection" scheme to ensure a steady flow of revenue to the attacker. These attacks mostly go after individuals.

Responses to ransomware

Attackers are going after businesses that are part of the public infrastructure (for example, hospitals) or after influential individuals. In some cases, attackers go for individuals who are neither influential nor wealthy, but ones who have some exploitable behavior, including members of groups that attackers may believe are vulnerable. In the latter cases, the ransom amounts tend to be much smaller although for an individual the amount may still be considerable.

In June 2021, the US Department of Justice raised the priority of investigations to a level similar to that of terrorism. This came as a result of the damage caused by ransoms such as the one in the Colonial pipeline "hack" and as a result of the increase of ransomware activity and the cost. The average ransom has risen to $300,000 or more.

The growth of ransomware is the result of three factors. First, the international cloud structure has grown greatly, and it is easily accessible. Second, cryptocurrency is a useful development that criminals use to collect ransom through nearly anonymous means and also what amounts to money laundering techniques. Third, there are now "kits" known as Ransomware as a Service (RaaS) provided by criminals on the Dark Web.

RaaS works like Software as a Service (SaaS). Attackers can buy the RaaS kits on a subscription basis. Kits are available as affiliate programs, with lifetime access fees, and some provide profit-sharing plans.

Why does ransomware work?

Ransomware works for the reasons that any extortion scheme works. Attackers are skilled at manipulating victims, both because organizational victims need their data and files back, and because the attackers can use shame and embarrassment to keep victims "on the hook."

In the case of attackers who claim to have embarrassing content, many of these claims may be no more than scams in which the attacker does not have any actual content. This means the attacker does not have to do much work. All it takes is to use a templated threat letter copied from one of the RaaS kits, and a way to obtain a password or to spoof an email address. If an attacker sends 100,000 scam letters (no actual media files required) and demands a $2,000 ransom, and if only 10% of the targets respond, the attacker makes a lot of money with little effort. How often can this be repeated? There are millions of compromised passwords available on the Dark Web, and a criminal can easily exploit these. Visit the website "HaveIBeenPwned.com" which contains 613,584,246 real-world passwords previously exposed in data breaches. This is a goldmine for criminals, and they don't even have to pay for access or engage in phishing campaigns (which is how many compromises are gained) to succeed.

Ransomware is projected to dominate the cybercrime world in the immediate future, so it would be well to have a plan for the day it hits your system. The first step is to include this information in your training program.

What can you do about it?

Ransomware is getting more powerful in some ways, but you have an advantage. Add ransomware response to your instructional priorities so that your users and employees know what to do and are confident in their ability to recognize and respond to the challenges.

It is true that designers of anti-malware software and other applications bear a lot of responsibility to do a better job of hardening their products against malware, but users are still the front line, and malware development is not standing still. Considering what malware is costing the economy at this point, preparing users to help spot attacks is definitely worth the time and effort. Add to that the challenges faced by remote employees, the growth of cloud apps, and vulnerabilities of third-party security providers, and there are plenty of cybersecurity gaps for end-users to spot and deal with.

One advantage your end users have over the criminals who use RaaS kits is that kit users do not necessarily have the benefit of sophisticated skill sets or information needed to tailor, launch, and use the malware. This explains why so many malware users rely on the templated delivery letters and massive delivery databases. It is important to help your end-users and employees understand and remember not to panic when one of those malware or phishing examples hits their in baskets.

The first response to malware or phishing is to call your IT department or your cybersecurity coordinator. Your training program should include this advice, and the contact information needed. If you don't have an IT department or a coordinator (small organization or you are an independent developer), contact the FBI.

If you are an independent developer, you should install the best antimalware you can afford, based on your research of the latest public reviews. Even an application that is not at the top of the Top Ten lists is going to provide some protection. If your IT department has installed antimalware, employees should be trained in the basics of its use.

There are many other actions that will reduce vulnerability to ransomware:

  • Keep software updated.
  • Change passwords frequently on critical accounts (get IT to identify the critical ones and include the information in employee training). This slows down attackers and stops some attempts at security compromise.
  • Include the old tried and true advice: "Don't open suspicious email or links, and inform IT when you find these." Teach employees how to recognize phishing and what to do when they find it.
  • Do a regular Web search on keywords "ransomware" and "malware" and coordinate with IT or your cybersecurity team to alert employees to threats.
  • Support your local BYOD policies in your training.

You and your employees can stop cybercriminals

Those criminals who run ransomware and cyberattacks are not geniuses. They make mistakes. They lack the information they need to attack your system effectively and precisely—unless someone gives it to them.

Your role in fighting cybercrime attacks is training users to be alert and to know what resources are available to them. Employees should know that they too have a vital role. It isn't all up to IT. And employees must also understand that if a cyber attack or ransomware attack succeeds, it is not their fault. A successful ransomware attempt is the result of a chain of security compromises, not just what one person did or did not do, especially involving a response to something they have never seen before.

Be sure that your training gives employees or other users the tools and knowledge they need. Cooperate with IT in security exercises, and let users know about successful responses within your organization and others.