Ransomware Support Practice: Cyber Attack Experts

While the news media report that most ransomware attacks cost only a few hundred dollars, every week Cytelligence negotiates on behalf of clients facing ransom demands of between $20,000 and $150,000 in Bitcoin.

Ransomware is serious business. Don’t leave ransomware negotiations to amateurs or well-meaning techies. And ransomware is definitely not a D-I-Y project.

Ed Dubrovsky
Managing Director
Cyber Breach Response

It’s one of the most prevalent cyber security threats in the world, making headlines daily: crippling ransomware attacks. Ransomware attacks are used by independent hacking cells, professional crime syndicates, ex-employees, and so-called hacktivists to extort money from individuals and organizations while crippling your ability to access your files, your client database, R&D research, your own intellectual property, your website, and even basic email. Cyber security firm Cytelligence is uniquely qualified to help both individuals and businesses deal with ransomware attacks across Canada, from Halifax, to Ottawa, to Toronto, to Winnipeg, to Calgary, and Vancouver - and all points in between.

Essentially, ransomware takes your data hostage and the attackers demand a ransom for its release. Why do cybercriminals want your data? Data is the new "gold." Here are just some of the things that typically happen during a ransomware attack:

  • Mission-critical systems are disabled, principally operations and payment systems
  • Personally identifiable information may have been exfiltrated (useful to cybercriminals for identity theft later)
  • End-of-life systems are unrecoverable
  • Your back-ups are encrypted as well
  • Intellectual property is stolen and offered for sale on the Dark Web to the highest bidder

These are some of the situations that Cytelligence's ransomware removal team faces each week, supporting individuals, small businesses and enterprise organizations in the safe resolution of their ransomware attacks.

Make no mistake: a ransomware attack affects your operational capacity, your financial position, your stock price if your company is publicly traded; your compliance with regulators and with privacy laws; as well as your overall reputation with customers, suppliers, and employees through the media and resulting negative publicity. The effects of a ransomware attack can be very long-lasting indeed.

Worst of all, paying the ransom guarantees nothing. Access to your data may be only partially restored, and there is no assurance that the cybercrooks did not keep copies of your data for nefarious purposes later. As the saying goes, "There is no honour among thieves."

Our goal at Cytelligence is to help you recover from a ransomware attack and return to day-to-day activities in the shortest amount of time, in a confident, precise and cost-effective manner. We developed our Ransomware Support Practice to resolve the current hostage situation and then equip the organization with guided changes that help prevent future ransomware attacks:

  • We have reduced the cost of ransomware attacks through expert negotiation.
  • We have helped with decryption of systems without any payment to the attacker.
  • We have detected and contained on-going attacks during ransomware negotiations.
  • We manage the entire ransomware attack, using our knowledge, expertise and influence.

You get our extensive experience in ransomware removal, compromise assessments, digital forensics, breach investigation and cyber security consulting to solve your ransomware incident in a professional manner that reduces the anxiety over a ransomware attack.


Specific Ways Our Ransomware Support Practice Helps You


Fast, effective and just-in-time ransomware attack response is critical, and it is the foundation of our approach. Our cyber security experience allows us to move fast, communicate openly and honestly, establish clear strategies and tactics that support success, and reduce the anxiety you have over the ransomware attack. When your organization is under a ransomware attack, time is not on your side. Rely on Cytelligence's years of expertise and experience in dealing with cybercriminals and cyber security attacks.

We work with your IT teams, legal representatives and breach coach to contain the incident, determine ransomware recovery options, negotiate with the threat actor and manage payment through cryptocurrencies.

Specific ways our ransomware removal and protection service helps you:

  • Establish clear lines of communication with the threat actors so the conversation can be managed end to end.
  • Research the ransomware strain and the attacker you are currently facing on the deep and dark web.
  • Examine recovery methods quickly and efficiently, outside of ransomware payment.
  • Run a protected payment strategy to help ensure that, if a payment is made, the expected results follow.
  • Negotiate with the threat actor for lower payments, early release of data, and attack details.
  • Procure and process small and large Bitcoin transactions in hours.
  • Review historical and on-going activity of Bitcoin wallets and threat actor identities.
  • Reconnoitre additional weaknesses that can lead to ongoing ransomware attacks.
  • Determine the data loss and data exfiltration associated with the ransomware attack.

We have come across many circumstances in which the encryption of corporate systems was the final act in a breach situation. Frequently, attackers will exfiltrate confidential and restricted information for sale on the Dark Web while simultaneously creating a ransomware attack.

Part of our job is to investigate the 'gray-and-black markets' to understand the full breadth and depth of the attack. In other words, where did your data end up, so you can best prepare.

Ed Dubrovsky
Managing Director
Cyber Breach Response

In addition to helping manage the attack, Cytelligence works with you to understand any pre-ransom events that occurred in your organization, including exfiltration of data, distribution of confidential or restricted information, attacker persistence on your systems, and the sale of your assets on the Dark Web.

Equally important is our ability to support your organization in post-incident ransomware recovery.

A major Canadian company was forced to pay $425,000 in Bitcoin over the weekend to restore its computer systems after suffering a crippling ransomware attack that not only encrypted its production databases but also the backups as well.

IT World Canada, July 13, 2017


Under ransomware attack? Call us immediately at 416-304-3934.

Ransomware, by the Numbers

  • 22% of businesses with fewer than 1,000 employees were hit with a ransomware attack in 2017

  • 70% of companies pay the ransom (only 37% of users back-up data)

  • Average downtime was 25 hours, costing $100,000

  • 15% of companies hit with ransomware lost revenue

  • Almost all organizations had to cease business operations immediately

  • 50% of those who paid the ransom paid more than $10,000

  • 20% paid more than $40,000

  • 2017 record ransom paid: US$1M, by Nayana, a Korean web hosting company that hosts 3,600 websites

  • 2017 average ransom: $800 to $1,000 [per user]

  • 2016 average ransom: $679 [per user]

  • 2015 average ransom: $295 [per user]

Proactive Cyber Security Helps to Prevent Ransomware Attacks


At Cytelligence, we believe a proactive cyber security posture is much more valuable than responding to a ransomware crisis. Here's why: proactive cyber security planning gives you the luxury of time, which you don't have in a ransomware crisis, where experience, expertise and response time are everything. Cytelligence's Security Consulting enables you to evaluate your current cyber security programs and practices and decide what other cyber security measures you should put in place.

Half of modern cyber security consists of proactive practices and analyses that are used to create awareness, acceptance and preventive measures against different categories of attack. Cytelligence offers an entire range of proactive cyber security services including: Offensive Security Audits; Penetration Testing Services; Vulnerability Assessments; Secure Code Assessments; Phishing Awareness Services; and Comprehensive Cyber Security Training.

Our Security Consulting Practice is a powerful review of your organization's cyber security practices to help prevent future ransomware attacks. We work with your team members to understand your IT, Security and Information practices and then build an actionable plan to help secure your organization against current forms of ransomware and ransomware worms.

Using best practices developed from ransomware attacks during the last three years, we build a solid plan with credible cyber security improvements. This approach is enhanced by our own knowledge and use of malware kits, penetration testing and incident response to build defences that strengthen your cyber security without reducing your business effectiveness.

  • Understand your legal, social, data and HR practices around data and its containment
  • Examine the human and digital methods for cyber security awareness and prevention
  • Recognize how your cyber security measures prevent or enable ransomware and other malware attacks
  • Ensure you have positive and actionable practices in place in the case of a ransomware attack

Start a proactive review today of your organization's cyber security practices to help guard against ransomware attacks. Contact any of our offices today.


Why Cybercriminals Love Ransomware


The first known ransomware, the AIDS Trojan (also called PC Cyborg), appeared in 1989; the term cryptovirology, the study of cryptography used offensively inside malware, was coined in the mid-1990s by Adam Young and Moti Yung. There are actually three types of ransomware:

  • one that locks your files;
  • one that encrypts your files;
  • and one that deletes your files.

Since 2012, ransomware has exploded as the criminal business model of choice. There are lots of good reasons for this.

First, ransomware is relatively cheap, and the servers used to launch an infection are cheap too. Second, ransomware is easy compared with running guns, drugs or human trafficking. Third, it is far safer for the cybercrooks: a cybercriminal unleashing ransomware on organizations is just an IP address, usually one belonging to a proxy, a Tor exit or a compromised machine rather than to the criminal. Fourth, for the same reason, the chances of getting caught are slim. Fifth, the odds of getting prosecuted are even slimmer. Sixth, there is great, free support from other cybercriminals on the Dark Web. And seventh, ransomware is hugely profitable because it is essentially a numbers game, and entirely scalable.

Since 2016, ransomware has been engineered to take on the properties of worms. In other words, the ransomware is self-replicating and can attack many more victims, both organizations and individuals, with ease. A worm copies itself onto every reachable computer on the network, guaranteeing repeat business for cybercrooks. ZCryptor in 2016, and WannaCry (also known as WanaCrypt0r) and NotPetya in 2017, were all ransomware worms.

It comes as no great surprise, then, that cybercrime as a whole, with ransomware one of its fastest-growing components, is predicted to cost $6 trillion annually by 2021, according to figures reported by CSO Magazine.


Why Cryptocurrencies and Ransomware are Good Buddies


Cryptocurrencies and ransomware go hand-in-hand. In addition, cryptocurrencies are also used to launder the proceeds of crime, according to Thomson Reuters. Here’s why:

Pseudonymous: No need to show ID, such as a birth certificate, a social insurance number or a passport, to create a "digital wallet" where cryptocurrencies are held. The caveat is that every transaction is recorded on a public ledger, and regulated exchanges require identification before converting coins to cash; that is exactly what makes wallet tracing possible.

Decentralized: Cryptocurrencies are not controlled by a centralized government, or a central bank.

Totally digital: No physical object exists (no paper money, no gold, etc.). It is all code, on an electronic ledger.

Irreversible: Transactions cannot be reversed. Once cryptocurrency is in your digital wallet, that's the end of the line. No cancellations, no refunds.

Scalable: A criminal can collect payments from thousands of victims with nothing more than a wallet address per victim and no bank or payment processor in between.

Extensive use of cryptography: Coins are created by proof-of-work hashing, transactions are authorized with digital signatures, and wallet keys can be kept encrypted. Note that the public ledger itself is not encrypted: every transaction is visible to anyone, but nothing on the ledger ties an address to a real-world identity. That combination is what makes the environment attractive for laundering money.

Converting to cash is easy. Bitcoins can be sold for currency on an exchange; think of it like trading Forex.


How to Defend Your Organization Against Ransomware Attacks


Improving your organization's cyber security posture has a lot to do with educating your employees. Cytelligence offers proactive Comprehensive Cyber Security Training to our clients. Here are specific tips that Cytelligence has developed to help protect against ransomware attacks:

  1. Bringing your own devices (BYOD) is dangerous because IT administrators don't know what data and programs are on them and what cyber security features, if any, are installed on them. Hackers know this.

    Set up a "No Bringing Your Own Device to Work" policy. Explain to employees why BYOD devices are dangerous for cyber security and why connecting their own devices to a company network is a very bad idea.

    Google "BYOD templates" for examples of policies that your organization can adapt. Here's one template from the Society for Human Resource Management.

  2. Inform employees that you will be disabling certain macros and blocking emails that contain attachments with ".exe" and ".zip" file extensions. IMPORTANT: Some blocked files and attachments may be legitimate, so be prepared for some calls from upset employees.

  3. Explain what phishing is to employees and how it works. Here's the thing: 93% of phishing emails contain ransomware, according to CSO Magazine.
    • Teach employees to look carefully at the SENDER's address:
      orders@airccanada.com is not the same as orders@aircanada.com
      support@llavalife.com is not the same as support@lavalife.com
    • Teach employees to hover the mouse over links and over the sender's display name to reveal the real address (without clicking!). Never open attachments from someone you do not know.
    • There is always a sense of urgency, to entice users to "click now." Resist!
    • Many phishing emails have poor English grammar and typos because they are not written by native English speakers.
    • What is the address at the bottom of the email? Is it the real address of the company?
    • Be suspicious of emails purporting to be from PayPal, eBay, Amazon, JPMorgan Chase, RBC, CIBC, BMO, TD, etc. informing you of a cyber security breach of your account and asking you to click on embedded links.
    • Explain the types of files that cybercriminals use to infect computers, including ".exe" files, ".zip" archives, and Office documents whose macros drop ransomware. Or ".zip" files masquerading as PDFs.


    Adopt Good Cyber Security Hygiene in your Information Technology Department

  4. Back up your data. It may be a pain, but you will know that your data is safe. Think like a Boy Scout: "Be Prepared." Because attackers now encrypt any back-ups they can reach, keep at least one copy offline or on storage the attacker cannot modify, and test that you can actually restore from it. Cybercriminals know that infecting computers is a cyber security "numbers game": the more computers they infect, the more money they make. Many smaller organizations don't back up their data; 44% of individual users don't back up their data, either. Hackers know this.


  5. Keep your operating systems updated. Neglecting planned software updates and emergency software patches is what cybercriminals are counting on. In fact, neglecting planned software updates is just an invitation for a ransomware attack.

    For example, the NotPetya ransomware attack was largely preventable: Microsoft issued a software update (security update MS17-010) on March 14, 2017. Many organizations did not install it. The NotPetya ransomware with worm capability (a variant of Petya, a known ransomware since March 2016) was unleashed by cybercriminals on June 27, 2017. That was 15 weeks to perform a required cyber security update that many international conglomerates and smaller organizations simply ignored. One caveat: the patch closed the SMB exploit NotPetya used to spread between machines, but it also spread inside networks using stolen administrator credentials, so the least-privilege advice in point 8 below mattered just as much.


  6. Because many ransomware infections are spread by macro scripts in MS-Office files sent via email, instruct your administrators to disable macros through Office policy and to block macro-enabled attachments at the email gateway. Microsoft confirms that hiding malware in macro scripts is a new favourite method of infection for cybercriminals.


  7. Block programs from executing out of the AppData and LocalAppData folders, where email-borne malware typically drops its payload; on Windows this is done with AppLocker or Software Restriction Policies. These are typically files with ".exe" file extensions. Emailing victims an entire Zip folder is also a popular way to spread ransomware. Ransomware can also be hidden in PDFs from unfamiliar senders, or Zip folders can be masked as PDFs, which happened with CryptoLocker in 2013.


  8. Limit user privileges. One of the most important principles of good cyber security is the principle of least privilege: A user should have no more access to data and systems than is necessary for their task.

    Too often, cyber security problems result from users having excessive privileges and excessive access to data. Edward Snowden, a contractor to the NSA, had administrative privileges that gave him access to far more data than any single task required. Data in the R&D lab, client/customer data, and payment systems should be managed under the least-privilege principle.
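The checks in points 2, 3, 6 and 7 above are what a mail gateway enforces. As an added example (not Cytelligence's code or tooling), the Python below implements them together: lookalike-sender detection against an assumed allowlist of trusted domains, blocked executable types and double extensions such as Invoice.pdf.exe, archives that hide executables, zips masquerading as PDFs, and detection of VBA macros in both modern (OOXML) and legacy (OLE) Office files. The allowlist, the file names and the attachment bytes are all constructed for the demonstration.

```python
"""Mail-gateway sender and attachment triage (constructed example, not vendor code).

OOXML Office files are zip containers and carry a vbaProject.bin member when they
contain VBA; legacy binary Office files are OLE compound files whose directory
names the _VBA_PROJECT stream in UTF-16LE. Both facts are used below.
"""
import io
import zipfile

TRUSTED_DOMAINS = {"aircanada.com", "lavalife.com", "paypal.com"}  # assumed allowlist
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "js", "vbs", "bat", "cmd", "ps1", "hta", "jar"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # stream name as stored in the OLE directory


def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 between different domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_verdict(address):
    """'trusted', 'lookalike of <domain>' or 'unknown' for the sender's domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= 2:
            return "lookalike of " + trusted
    return "unknown"


def attachment_findings(filename, data):
    """Return the reasons to block this attachment (an empty list means it looks clean)."""
    findings = []
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTENSIONS:
        findings.append("blocked executable type ." + last)
        if len(exts) > 1:
            findings.append("double extension ." + ".".join(exts) + " disguises an executable")
    if last in ARCHIVE_EXTENSIONS and last != "zip":
        findings.append("blocked archive type ." + last)
    if data.startswith(OLE_MAGIC) and OLE_VBA_MARKER in data:  # heuristic, not a full OLE parse
        findings.append("legacy Office file carries a VBA project")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
        if any(m.endswith("vbaProject.bin") for m in members):
            findings.append("Office document carries a VBA project")
        elif last == "zip":
            for m in members:
                if m.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTENSIONS:
                    findings.append("archive contains executable " + m)
        elif last == "pdf":
            findings.append("named .pdf but is a zip container")
    elif last == "pdf" and not data.startswith(b"%PDF"):
        findings.append("named .pdf but content is not a PDF")
    return findings


def triage_message(sender, attachments):
    """Combine the sender and attachment checks; 'block' is the gateway decision."""
    verdict = sender_verdict(sender)
    per_file = {name: attachment_findings(name, data) for name, data in attachments.items()}
    block = verdict.startswith("lookalike") or any(per_file.values())
    return {"sender": verdict, "attachments": per_file, "block": block}


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_samples():
    """Constructed attachments standing in for a captured phishing message."""
    return {
        "Receipt.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
        "Invoice_4471.docm": _zip_bytes({"[Content_Types].xml": "<Types/>", "word/vbaProject.bin": b"\x00" * 16}),
        "Invoice.zip": _zip_bytes({"Invoice.pdf.exe": b"MZ\x90\x00"}),
        "Statement.pdf": _zip_bytes({"Statement.exe": b"MZ\x90\x00"}),
        "Quote.doc": OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER + b"\x00" * 32,
    }


SAMPLES = build_samples()

if __name__ == "__main__":
    result = triage_message("orders@airccanada.com", SAMPLES)
    print("sender:", result["sender"], "| block:", result["block"])
    for name, reasons in result["attachments"].items():
        print(name, "->", reasons or "clean")
```

Run it as a script to print a verdict per attachment. The OLE check is a byte-pattern heuristic; in production parse the compound file properly (oletools' olevba does this) and feed the allowlist from your vendor directory rather than a hard-coded set.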

Any solution starts with a conversation. Our team is ready to discuss your projects, immediate security concerns and confidential actions. We are looking forward to hearing from you.

Let's discuss your security needs

If it's an emergency, call us now – 416-304-3934
