Ransomware -- Facts and defensive strategies
Threat for everyone
During a ransomware attack the data on an IT system is encrypted. Decryption requires payment of a ransom. Threatening the victim with the publication of the previously stolen data is increasingly common, putting additional pressure on the victim. Ransomware attacks are characterised by the fact that the effects on the victim are materializing immediately:
- Services and business processes can no longer be sustained.
- The IT infrastructure of the affected party comes to a halt.
- Due to the increasing professionalisation and division of labour on the attackers side, the entry barriers for carrying out ransomware attacks have dropped significantly attracting more perpetrators, in turn.
This means that ransomware can hit companies of any size. On this webiste, the BSI provides assistance and information on prevention and response to ransomware incidents:
(* = not provided in English yet)
Threat landscape
Joint Releases by ANSSI and BSI
Current information for companies
Prevention and detection
Top 10 Ransomware measures (Detection)
Alliance for Cyber Security *
Reaction
First-aid in case of critical IT-Security-Incident *
Companies *
Critical infrastructure and companies with reporting obligation *
Consumers
List of qualified APT IT-Providers *
Portal for reporting obligation *
Central Contact Point Cybercrime (ZAC) *
What is ransomware?
The English word "ransom" refers to the purpose for which cyber criminals use ransomware malware. Ransomware in its different variants usually aims to encrypt user data. After the data has been encrypted, attempts are made to extort a ransom with the threat that the data will only be released after payment of the mostly digital ransom. In the past, victims of ransomware were not only large corporations, but also medium-sized companies, hospitals and municipalities. Individuals can also be directly affected by ransomware attacks.
Growing threat situation
Ransomware has been an established business model for criminals for years and. BSI rates ransomware as one of the greatest operational threats to cyber security. The quality of attacks is constantly increasing, and once they are successful, incident response and handling are time-consuming and costly. The extortion of companies and public institutions through ransomware is the fastest growing area of cybercrime and is now a major problem.
With extortion large sums can be quickly "earned"; depending on the victim's ability to pay. Similar to a hostage being taken, the attacker has enormous leverage in his hands if the economic survival of a company is at stake due to the encryption of the entire IT infrastructure or if public institutions can only work with restrictions for a longer period of time.
Due to the now very strong division of labour in the cybercrime environment, the entry hurdle for such attacks has also dropped massively. Nowadays, it is possible to carry out a ransomware attack without significant prior knowledge and without a large financial investment. Moreover, prosecution is often difficult.
Protection against ransomware attacks
According to the BSI, the threat posed by ransomware is still underestimated. Yet there are effective protective measures that have been tried and tested for a long time. However, these are rarely implemented. There is not a "lack of measures", but a "lack of implementation".
The simplest but not sufficient measure to protect against ransomware and other malware is to make employees in companies and public institutions aware of the main infection routes. This is the unintended opening of attachments in emails as well as the unintentional forwarding to compromised websites on the internet. It is important to show a healthy distrust of all information on the Internet and of all contacts on the Internet. The same caution also protects against financial and personal damage in the private sphere.
In addition to this sensitisation and the use of common sense, there are technical and organisational measures that significantly increase protection against ransomware attacks.
Reaction: When the worst comes to the worst
However, even the precautionary measures outlined above cannot provide one hundred percent protection against ransomware. Should a security incident with ransomware occur, it is important to act quickly and carefully. For companies and public institutions in particular, appropriate crisis management is then important, which, in addition to the technical recovery aspects, especially takes into account the necessary internal and external communication. It makes sense to involve IT security experts and service providers at an early stage, to report the incident to the responsible authorities (such as the state CERT and the state commissioner for data protection) and to file a report with the state criminal police office.
Together against ransomware
Among the financially motivated actors, the operators and affiliates of the ransomware-as-a-service LockBit are currently the biggest threat in Germany as well as worldwide. Together with the IT security authorities from the United States, Australia, Canada, the United Kingdom, France and New Zealand, the U.S. Federal Bureau of Investigation (FBI) and U.S. Multi-State Information Sharing and Analysis Center (MS-ISAC), a joint report was published on 14 June 2023 to understand the modus operandi of these ransomware attackers and possible protective measures.