Since 2016, an average of over 4,000 ransomware attacks occur every day in the US. Let’s run the math on that statistic and see how many that adds up to until the current time of writing.
At 4,000 ransomware attacks every day, that’s 1.46M in 2016 alone. If that average number continued for the next four years, that brings the grand sum of ransomware attacks to 5.64M by the end of 2021.
The statistic I started this blog post with is alarming, no doubt. But, the current reality is much worse than the math that I just broke down. The situation is worse because ransomware attacks were up 148% in 2020.
Sure, you could argue that there were more ransomware attacks in 2020 because more organizations had to operate with a remote workforce. That’s a valid argument, however, the post-pandemic world isn’t much different considering 25%-30% of workforces still do.
The point I’m trying to make with all of this is that ransomware isn’t just an ongoing threat for organizations that utilize a remote workforce, it’s a trending form of malware that shows no signs of slowing down.
To pile on, it’s a threat that spreads across every type of industry.
Back in October of 2020, University of Vermont (UVM) Medical Center lost access to its electronic health records, payroll, and more due to a ransomware attack. It took three weeks of 24/7 IT work before the hospital could get all of its systems in working order. The point I’m trying to make with all of this is that ransomware isn’t just an ongoing threat for organizations that utilize a remote workforce. It’s a trending form of malware that shows no signs of slowing down.
If you turned on any mainstream media channel during May of 2021, you’ll remember the attack on the Colonial Pipeline that halted the 5,500-mile oil provider and caused widespread panic across the entire Eastcoast.
More recently, in July of 2021, IT solutions developer Kaesya fell victim to an orchestrated attack from the REvil hacker group that affected its supply chain. At the time of writing, the exact number of affected companies from this attack isn’t known. It’s estimated that this attack could affect up to 1,500 medium-sized businesses.
Since each of these massive attacks was so successful from the hackers’ perspective, it’s no wonder that they’re trending upward.
What can organizations do to prevent this looming threat? Well, the answer might surprise you. It all starts with employees.
The average employee has access to 11 million files. In other words, that’s A LOT of faith that organizations place on their team. Especially when you consider the fact that 95% of all data breaches happen because of a mistake made by an employee.
OK, now we know that ransomware prevention begins with your employees because they’re the biggest threat to your organization. But, there’s still one more question that needs answering, what do you do with your team to mitigate their risk?
You need to mandate ransomware training for your employees. Here are the topics you MUST include during that session.
Table of Contents
Real-World Examples of Ransomware
If you take a look back at the way that I structured the introduction of this blog post, you’ll notice that it’s entirely based on the inclusion of real-world examples.
The very first sentence was a shocking statistic and I’d wager to bet that it grabbed your attention. That’s the entire reason why I put it there. Hopefully, I’m not coming off as boastful and you’re understanding the concept.
The point I’m trying to make is that integrating real-world examples works. It helps grab your audience’s attention by providing relevant examples to the theories you’re explaining.
A study from 2015 proved that students retain their lessons better with the help of case studies. More specifically, 82% stated that case studies “greatly” impacted their learning.
Sure, for this blog post we’re talking about your employees...not students enrolled in Biology. But that’s beside the point.
For your team to understand how important this topic is to your organization, you need to include real-world examples.
Of course, the next question is, “What examples should I include?”
There’s no perfect answer to that question. However, it’s best if you include a wide variety of high-level statistics as an introduction. You could include statistics like…
Experts estimate that a ransomware attack occurs every 11 seconds.
The average ransom fee has increased by $195,000 since 2018.
The average downtime for organizations that fall victim to ransomware is 21 days.
Almost 30% of companies have to lay off employees following a ransomware attack.
The largest ransomware payout was $40 million.
After hard-hitting statistics like the ones above, you should then move into examples specific to your vertical. The general stats help drive your narrative. Meanwhile, industry-specific data makes your ransomware training more relevant.
Some of the recent, industry-specific attacks you can look into incorporating into your training are…
Healthcare: Attack costs University of Vermont Medical Center $50 million in lost revenue.
Education: Students who attended Buffalo Public Schools and their parents lose their personal information to cybercriminals.
Finance: Bank login credentials and security question answers exposed during an attack on Toronto-based accounting firm.
Techniques Hackers Use That Lead to Ransomware Attacks
After covering real-world attacks with a barrage of jarring statistics and case studies, you’ll have your employee’s attention.
In other words, the next logical step is to explain the common techniques that hackers use.
At first, it might mean that you have a lot more research in front of you. I mean, I just had you find relevant examples before this section and now I’m suggesting that you need to find out techniques. Sheesh.
The content for this section isn’t as hard as it seems, though, because you already did the research.
You see, odds are that you already included how hackers orchestrate ransomware attacks in each case study that you went over with your team. There’s a high chance that the news stories you referenced during your case study discussion included how they happened.
In other words, they provide the perfect segway into a discussion about common techniques.
Depending on how many real-world examples you used, you’ll likely have some overlap. Believe it or not, that makes your job even easier from a research perspective because it tells you which technique is most commonly used on organizations within your own vertical.
If I had to guess, though, the most technique that leads to a successful ransomware hack is phishing. It’s a good guess because 70% of data breaches involve phishing and roughly 1 in 6,000 emails contain suspicious URLs.
But ransomware attacks aren’t exclusive to phishing.
Hackers are also constantly trying to figure out ways to exploit software vulnerabilities and remote desktop protocols (RDP).
I have a few examples to expedite your research on techniques.
In July 2021, more than 1,000 clients of IT management software provider Kaseya Ltd. had their systems blocked due to unpatched vulnerabilities.
A few years earlier, in 2018, an RDP ransomware attack struck almost 2,000 LabCorp servers requiring a total bounty of $52,500 to unlock infected devices.
Signs of an Infected System
Not every ransomware attack is a massive headline-grabbing event that gets everyone’s attention.
Yet, they’re successful because of how they grab their victim’s attention. The thing is, hackers want to make sure that their casualties know about the successful attack on their system because that’s how they get paid.
Sure, they could play the long game, steal sensitive information and sell it on the dark web. But, that requires more work and isn’t guaranteed.
The thing is, though, ransomware is almost always advertised as a big red and black screen with threats written all over it. Although dramatic, it doesn’t always happen this way.
In some cases, organizations don’t realize that they’re infected until they notice a pattern of customers calling in saying that certain functionalities within their system aren’t working. While troubleshooting the reported issues, the IT department finds a .txt file within a directory named “ransom note” with notification of their attack.
You see, although ransomware is an overt type of hack. Sometimes a covert approach instills a higher sense of urgency because of the art of surprise involved.
In any case, if you don’t realize your system is under attack right away, take a look at your file extensions.
Files affected by ransomware usually contain the following extensions…
ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky or 6-7 length extension consisting of random characters
You should include everything provided within this section in your ransomware training so that your entire team understands the signs that your organization may be under attack. The faster these signs get noticed, the quicker your IT team can respond.
Response Plan If You Fall Victim
At this point in your training, you’ve shocked your employees with real-world examples, explained the common techniques hackers use to get into your organization’s systems and pointed out the signs to identify an attack.
What’s left?
Well, you need to communicate what your employees need to do if they notice any suspicious activity.
This part will likely mesh with other cybersecurity training you’ve held or have scheduled. That’s a good scenario to be in though because you’re reiterating important concepts to your team.
Here is where you reiterate internal policies you might have in place. Hopefully, your policy details who to notify immediately so that your IT team can react quickly. After all, the burden of dealing with a ransomware attack falls on your technical team.
That’s why it’s also a good idea to provide technical response plan details for your IT team during your training, too.
Although it might seem like it makes the most sense to keep those technical conversations at a group level, it doesn’t hurt to have the entire organization understand the steps involved with isolating networks, backing up data, and quarantining malware.
There’s never a more appropriate time to give your organization a glimpse into how your IT department operates than during a training session about one of the biggest trends in cybersecurity.
Conclusion
Although it’s technically just another form of malware, ransomware isn’t going away anytime soon.
It caught on like wildfire among hacker groups after the NotPetya cyberwar gained global headlines. And it has only continued to grow in popularity.
It doesn’t help that massive attacks continue to succeed and gain the attention of popular media outlets.
Since the biggest threat to your organization is your employees, the best way to combat it is by providing them with an engaging training program that uses real-world examples.
After reading this blog post, you have everything you need to start creating a ransomware training program for your employees.