Can Ransomware Infect Encrypted Files?
Originally published by ShardSecure here.
Written by Marc Blackmer, VP of Marketing, ShardSecure.
By now, you likely know that ransomware has become a major concern for businesses and organizations across the globe. The European Union Agency for Cybersecurity (ENISA) noted a 150% rise in ransomware attacks between 2020 and 2021, while a Cybersecurity Ventures report estimated that ransomware will cause $265 billion in annual economic losses by 2031.
Ransomware attacks can be devastating regardless of your industry. In its 2021 Internet Crime Report, the FBI recorded over $49 million in ransomware losses, up from $29 million in 2020. (The FBI noted that this figure does not include any third-party remediation services or lost business, time, wages, files, or equipment — nor do victims always report a loss amount — so its estimate is artificially low on several fronts.)
With the threat from ransomware growing so rapidly, it’s no surprise that organizations are searching far and wide for the right solutions. Encryption, a common security measure used for data protection and regulatory compliance, may sound like a solid option.
But is it a viable solution? Below, we’ll break down your options and explain some ways to help your organization neutralize the impact of cybercrime.
In a word, no: encryption alone does not stop ransomware. Ransomware can infect even encrypted files by adding a layer of encryption on top of the existing protection.
There are a few common kinds of ransomware:
- Crypto-ransomware, which encrypts valuable files to prevent the owner from accessing them.
- Locker ransomware, which does not encrypt a computer’s files but locks a victim out of their device.
- Scareware, which uses pop-ups to make false claims about frightening viruses infecting a user's device and requests payment to solve the fictitious issue.
There are other types as well, but most ransomware works by encrypting files — and it can do so whether those files were originally encrypted by the owner or not.
The bright side? Encryption does help protect against the threat of data exfiltration, which occurs when ransomware attackers threaten to release sensitive or confidential information that was compromised during the attack. As long as those attackers lack the time, compute power, and resources to decrypt your encrypted files, they will not be able to exfiltrate them.
However, encryption is not a viable solution to prevent a ransomware attack in the first place, since it was not designed for that purpose. Businesses will require other solutions to keep themselves safe against the rising threat of cybercrime.
In the event of a ransomware attack, it’s usually important to report the event to the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), the Internet Crime Complaint Center (IC3), and/or the US Secret Service. These organizations may be able to offer assistance in handling the attack.
Because this kind of information is so critical for tracking down cybercriminals and preventing future attacks, reporting ransomware attacks is now required by law in some cases. With the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), 16 critical infrastructure industries in the US are now required to report any ransomware payments they make to the Cybersecurity and Infrastructure Security Agency.
Ransomware can cause significant financial damage beyond the extortion payment itself. According to one report, organizations paid an average of $1.4 million to recover from a ransomware attack.
Ransomware may lead to a massive disruption in business continuity and financial stability, with outage and downtime costs, response and restoration expenses, loss of devices and people hours, regulatory penalties, monitoring and investigation costs, lost business opportunities, damaged reputations, and even class action lawsuits.
Despite the severe ramifications of a cyberattack, businesses shouldn’t lose hope entirely. Below, we’ve gathered several expert recommendations for protecting your organization against the impact of ransomware.
Although ransomware is becoming much more sophisticated, the majority of ransomware attacks are still effective for one key reason: human error.
A Sophos survey found that 9% of ransomware incidents in 2020 could be attributed to misconfigured public cloud instances, while another 45% were because of successful phishing attacks with malicious file downloads, email links, and email attachments.
These phishing attempts are often effective because they use increasingly tricky social engineering to impersonate a trusted colleague and trick users into downloading compromised attachments.
Anti-spam and anti-virus products are a solid first step. Comprehensive ransomware training is also a good idea for organizations with remote employees.
Businesses large and small are increasingly turning to cyber insurance policies to protect themselves against a range of cyberattacks. Cyber liability insurance, which may cover financial losses from cyberattacks and tech-related lawsuits alike, can offer payouts to cover ransoms, lost income from network outages, and even government fines.
Meanwhile, data breach insurance can help businesses respond more quickly in the event of loss or theft of customers’ personally identifiable information. These policies may cover credit monitoring services for victims or PR services to handle the public fallout from a data breach — valuable services, given that the average cost of a US data breach in 2020 was nearly $4 million.
These kinds of policies can be particularly useful for combating ransomware. According to the Institute for Security and Technology, ransomware attacks are the most commonly reported cyber insurance claim — and that number is only growing. Luckily, ransomware policies now cover everything from data restoration and incident response costs to interruptions in business continuity and the ransom payment itself.
An innovative application of microsharding technology can help neutralize the effects of ransomware by desensitizing sensitive data for use in multi-cloud and hybrid-cloud environments.
Microsharding works by shredding data into tiny fragments (or microshards) that are too small to contain a complete birthdate or any other piece of sensitive data. The process also removes file metadata and distributes the microshards across multiple logical containers of the user’s choice to render data unintelligible and of no value to ransomware attackers.
Based on the concepts of RAID 5 and traditional sharding — a process used to distribute a single dataset across multiple databases and increase a system’s total storage capacity — microsharding means that data can be rebuilt whenever it’s tampered with, deleted, or held hostage by ransomware.
Microsharding technology can also be integrated with existing encryption solutions for a defense-in-depth approach. Encrypted data can be microsharded and distributed to multiple customer-owned storage locations. That way, even if a storage location is compromised, attackers will only have access to an unintelligible fraction of that data.
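The RAID 5-style rebuild described above can be illustrated with a short added example. It is not ShardSecure's implementation and not code from the original article, only a generic sketch of striping small fragments across containers with rotating XOR parity and repairing one container after it is overwritten or deleted. The 4-byte fragment size, the four containers, the SHA-256 manifest and the sample record are all assumptions made for the illustration.

```python
import hashlib
from functools import reduce

SHARD_SIZE = 4    # bytes per fragment (assumed value, smaller than a full date)
DATA_SHARDS = 3   # data fragments per stripe; one extra fragment holds parity

def xor(*blocks):
    """Bytewise XOR of equal-length blocks."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def digest(store):
    return hashlib.sha256(b"".join(store)).hexdigest()

def distribute(data):
    """Stripe data over DATA_SHARDS + 1 containers with rotating XOR parity."""
    n, stripe = DATA_SHARDS + 1, SHARD_SIZE * DATA_SHARDS
    padded = data + b"\0" * (-len(data) % stripe)
    stores = [[] for _ in range(n)]
    for k, off in enumerate(range(0, len(padded), stripe)):
        shards = [padded[off + i * SHARD_SIZE: off + (i + 1) * SHARD_SIZE]
                  for i in range(DATA_SHARDS)]
        p = k % n  # parity slot rotates per stripe, as in RAID 5
        blocks = shards[:p] + [xor(*shards)] + shards[p:]
        for store, block in zip(stores, blocks):
            store.append(block)
    manifest = {"length": len(data), "stripes": len(stores[0]),
                "digests": [digest(s) for s in stores]}
    return stores, manifest

def damaged(stores, manifest):
    """Indexes of containers whose content no longer matches the manifest."""
    return [i for i, s in enumerate(stores) if digest(s) != manifest["digests"][i]]

def rebuild(stores, manifest):
    """Repair at most one damaged container from the others, then reassemble."""
    bad, n = damaged(stores, manifest), len(stores)
    if len(bad) > 1:
        raise ValueError("single parity can repair only one container")
    for d in bad:
        stores[d] = [xor(*(stores[i][k] for i in range(n) if i != d))
                     for k in range(manifest["stripes"])]
    data = b"".join(stores[i][k] for k in range(manifest["stripes"])
                    for i in range(n) if i != k % n)
    return data[:manifest["length"]]

# Constructed sample record, not real data.
SAMPLE = b"name=Ana Ruiz;dob=1987-06-15;acct=4401-7782"
```

The manifest has to be kept somewhere the containers' credentials cannot reach, since recovery depends on knowing which container was altered. With a single parity fragment per stripe, losing two containers at once is not recoverable.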
Microsharding technology is a strong option to help organizations neutralize the impact of ransomware and achieve better security for their sensitive data in the cloud.