According to ThreatPost, ransomware has seen a significant uptick so far in 2021, with global attack volume increasing by 151 percent for the first six months of the year as compared to the first half of 2020.

Business owners are scared, and employees are on the alert. At the first sign of an attack, many companies have protocols in place that are to be activated immediately. Usually, supervisors are notified and backups are generated. However, in the fog and panic of the first minutes of an attack, time is crucial, and clear thinking often goes out the window.

Hackers are aware of this period of panic and it has given rise to a different kind of attack: the fake ransomware attack.

“Imagine going to work, turning on your computer, and seeing a demand for bitcoin in exchange for an encryption key. Most people would break out into a cold sweat and just start doing anything they could to contain the damage,” says Tony Rogers, a cybersecurity consultant in Toronto, who has studied so-called fake ransomware attacks.

These “first reaction” moments, as many call them, are the most crucial in any ransomware attack, and despite the panic that often ensues, protocol must prevail.

Fake ransomware first-reaction protocols

“When people are in panic mode, they often forget the protocol, so they’ll open attachments they might not typically open, send passwords they might not typically send, or transfer funds they might not typically transfer. People will do anything in those first moments after an attack has begun, and hackers know this,” Rogers states.

First, Rogers says, employees need to be trained not to panic if a ransomware attack unfolds. Second, let a professional handle it. Period.

“A ransomware attack isn’t something for an amateur to handle. The first call needs to be to the CISO or the MSP,” Rogers adds, pointing out that MSPs need to make it 100 percent clear to their clients: if they get notice of a ransomware attack, contact the MSP and do not try to handle it on their own.

“Some businesses haven’t wanted to incur additional expense from their MSP, so they’ll try to handle it themselves, and then it becomes much more costly. Clients need to know to call the MSP,” Rogers says.

MSPs need a plan too

Rogers also notes that the MSP must have first-reaction protocols in place too.

“I’ve seen engineers panic at the first sign of ransomware also and do things they typically wouldn’t do,” Rogers says. A successful ransomware attack could make the MSP look bad. No one wants that.

“But not all attacks are genuine,” Rogers advises. The first thing he tells MSPs to do is to check for unusual activity on the network. If there is none, chances are the ‘attack’ isn’t an attack.

“Sometimes simply rebooting will remove the ominous message. Hackers will create a pop-up that locks up the computer and doesn’t allow someone to navigate away. It looks like the real deal, but simply shutting down the system and restarting will remove it,” Rogers recommends.

The employees shouldn’t panic, and neither should the MSP.

“I’ve seen panic in both places, and there shouldn’t be, because it solves nothing and hackers take advantage of the first reaction window,” Rogers explains.

Poor man’s ransomware attack

Some hackers have caught on to the fact that they can create “fake” ransomware to infiltrate an account or network.

“I knew of one SMB in Toronto that received a realistic-looking ransomware demand. Everything had the hallmarks of a real attack on the surface, except for one thing,” Rogers says. That “one thing”? The amount.

“The attacks were asking for $250,” Rogers notes. “That is not enough to keep real ransomware hackers in business.”

But that is enough for a clever college kid or garden variety criminal to find appealing and easy to pull off.

“The CFO wired the money to the hackers and then called their MSP,” Rogers explains. A full examination of the system revealed no breach. The company was out $250, which was getting off easy compared to an actual ransomware attack. But the hackers picked an amount that someone would likely pay.

“The company was out $250 and there was no harm done to the networks but, still, had the company notified the MSP before paying, that $250 would have been saved and the hacker wouldn’t be encouraged to continue,” Rogers advises.

Other ‘poor man’s’ attacks involve simply the “threat” of ransomware. Earlier this year many emails went out threatening a ransomware attack. According to Cybersecurity Insiders:

But now, people are getting messages that if they don’t pay a ransom in advance, their computer will be locked down from further access. The message further claims that the malware has already been pushed to the would-be victim’s computer and might erupt at any moment.

The email that hit many inboxes earlier this year warned that ransomware would infect a business’s computers if it didn’t pay 0.1 Bitcoin, or $650, as a ransom.

“That was too low an amount and should have set off red flags; also, true ransomware attacks don’t telegraph their intentions in advance,” Rogers points out.

So, ironically, beware of monetary demands that are too low. They probably indicate someone is just out there trying to make a quick buck.

Not always harmless

Not all fake ransomware attacks are as harmless as the $250 mistake.

Fake ransomware attacks can be used to steal credentials, scrape passwords, install keystroke loggers, and unleash other unsavory payloads to strike at a future date.

SMBs should always consult with their MSP when trying to decide how to handle any perceived threat.

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
