
Ransomware attacks against businesses
Ransomware has become one of the biggest threats to all internet users. Attackers infect the system with malware designed to encrypt or steal the files of the victim. After encryption, attackers try to charge the victim for restoring access to files or for not disclosing information. Such attacks can be very successful, especially in corporate networks where file servers are widely used.
In 2023, 13 ransomware attacks with an impact were recorded by CERT-EE in Estonia; however, not all victims report them. The number of victims of a ransomware attack may seem small, but the impact of a ransomware attack on an organisation in terms of lost revenue and reputational damage can be huge: there is an example from Estonia where the total cost of the attack amounted to millions of euros.
The most common ways to get infected with ransomware are:
- A file attached to an email triggers malicious code.
- Links sent by email lead to documents with malicious content.
- Vulnerable web browsers or software components are exploited.
- Publicly exposed remote desktop services, such as those using Remote Desktop Protocol (RDP), are attacked to gain access to the systems of the victim.
How to prevent a ransomware attack?
Recovering from a ransomware attack is difficult – and in the case of a data leak, it may be impossible – so it makes sense to take proactive measures to prevent infection and mitigate the consequences. To do this, you should:
- always use the latest software version and make sure you have all security updates installed (including browser extensions and plug-ins);
- configure logging on secure web gateways and email gateways, and block or quarantine, already at the gateway, all documents containing executable files, container formats (archives), and other file formats that could potentially carry active content;
- make regular backups, always keeping one offline backup, and check the status and integrity of the backup regularly (ransomware can run in the background for several days before it is detected, so the malware may have already reached the backups);
- limit the privileges of system users (implement the least privilege principle) and reduce the number of devices that can access the organisation’s systems, for example by establishing a BYOD policy;
- train your staff about cyber threats and remind them that they should not click on unfamiliar links or open unfamiliar attachments.
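As an added illustration of the gateway rule above (example code written for this page, not part of the original advisory or of any CERT-EE tool), the routine below triages a mail attachment: it flags native executables by header, active-content and macro-enabled extensions, and container formats whose members hide either, descending into nested archives. The extension list, nesting and size limits, and the sample attachments are constructed assumptions.

```python
import io
import zipfile

EXEC_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF"}  # assumed signature list, not exhaustive
# Extensions treated as active content (assumed policy for this example).
ACTIVE_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".hta", ".bat", ".cmd", ".lnk",
              ".docm", ".xlsm", ".pptm"}
MAX_DEPTH = 3             # nested-archive levels we are willing to open
MAX_MEMBER = 50_000_000   # bytes; larger members are quarantined unopened (zip-bomb guard)

def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def triage_attachment(name, data, depth=0):
    """Return the reasons to quarantine an attachment; an empty list means it passes."""
    reasons = []
    if _ext(name) in ACTIVE_EXT:
        reasons.append(f"{name}: active-content extension")
    for magic, kind in EXEC_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"{name}: {kind} executable header")
    if data.startswith(b"PK\x03\x04"):  # ZIP container; OOXML documents (.docx etc.) are ZIPs too
        if depth >= MAX_DEPTH:
            return reasons + [f"{name}: archive nested deeper than {MAX_DEPTH} levels"]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}/{info.filename}"
                    if info.filename.lower().endswith("vbaproject.bin"):
                        reasons.append(f"{member}: embedded VBA macro project")
                    if info.file_size > MAX_MEMBER:
                        reasons.append(f"{member}: oversized member, not inspected")
                        continue
                    reasons += triage_attachment(member, zf.read(info), depth + 1)
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
            # Malformed, password-protected or unsupported archives cannot be inspected: quarantine.
            reasons.append(f"{name}: archive could not be inspected")
    return reasons

def _make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()

# Constructed sample attachments (harmless bytes, not real malware).
SAMPLES = {
    "invoice.zip": _make_zip({"invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60}),
    "report.docx": _make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "notes.zip": _make_zip({"notes.txt": b"plain text"}),
}
```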
What should you do if you have fallen victim to a ransomware attack?
If you have fallen victim to a ransomware attack, you can follow these steps:
- If an incident is detected, unplug the infected device from the network immediately (do not forget the wireless network).
- If you have fallen victim to a ransomware attack or suspect that you have received a malicious file, make sure to notify CERT-EE by emailing cert@cert.ee. We are able to help you. Your report also gives us a better overview of Estonian cyberspace and lets us prevent ransomware attacks and similar incidents more effectively.
- If you want to perform the initial malware analysis yourself, acquire a memory image first (if the system has not been turned off) and only then a disk image.
- Recovery:
  - In rare cases, it is possible to recover some files (for example, from Windows backups, memory dumps, or ransomware that implemented its encryption incorrectly), but you should not count on it.
  - If possible, keep the infected device itself; it can be put back into use if a decryptor is released later.
  - In the event of infection, CERT-EE recommends restoring the operating system from a backup or reinstalling the software to prevent reinfection. Before restoring from a backup, you must make sure that the backup itself is not infected with malware.
  - Carefully consider the risks before contacting the attackers. There is no guarantee that the perpetrator will decrypt the files after you pay the ransom. Paying also signals to the criminals that their actions are successful, so they may choose to attack you again.
- Useful links:
  - To find out which ransomware you are dealing with, go to id-ransomware.malwarehunterteam.com;
  - to check whether a decryptor exists, go to www.nomoreransom.org.