Ransomware – the new ‘get rich quick scheme’

License to print money

If cybercrime were a recognised industry, the average cybercriminal would need to build an extension on their home just for their awards!

Joking aside, there are hundreds of successful attacks daily in which critical data is compromised, encrypted and a ransom demanded (and often paid). We highlight some of the biggest attacks each month in our blog.

We have teamed up with a forensic data analyst to bring this insight into the mind of a cybercriminal. You can share your comments and experiences at the bottom of this page.

Everyone has the basic tools to prevent a ransomware attack progressing from an email infected with malware, right through to a ransom demand being displayed on the screen.

With some preventative measures, you can also recover from a successful ransomware attack.


Cybercrime is a simple business

Cybercrime is very easy to perpetrate from anywhere in the world. It really is the perfect business for the mobile worker who has access to the internet and email. To be successful though, it does require some thought and a methodical approach in the same way as any other job. Although the crime is a simple ‘numbers game’, we shouldn’t make light of the people behind it because they are slick and are dedicated to what they do.

As data owners, we have to be lucky all of the time; a cybercriminal has to be lucky only once.

What is a Ransomware attack?

Ransomware is a type of malware which is normally distributed via phishing emails. Unsuspecting users are hit with malware in an email attachment or redirected to a website where the malware is downloaded and executed. Malware can also infect a PC simply through visiting a compromised website that exploits an unpatched browser or plugin (a drive-by download), with no attachment opened at all.

When executed, the malware encrypts every file the user's account can reach, on the local PC and on any network share it can write to, so the data can no longer be accessed. A ransom demand, usually for payment in Bitcoin, is shown on the screen in return for the key to unlock the files.

Unless you have a backup the malware could not reach, there is no way to recover the data except to pay the ransom, and paying does not guarantee a working decryption key. There is also no way to get your money back afterwards.


The typical and simplest attack consists of someone sending malware to an unsuspecting recipient via email. The attachment is opened and, ‘hey presto’, the malware encrypts all the data that person can access.

Then you have to decide whether you want to make the payment!

Ransomware attacks of this kind are different from methodical penetration attacks that probe internet-connected devices for open, insecure ports (although exposed remote-access services are another common way in). Someone preparing a ransomware campaign needs to know who they want to target, how to target them, what the expected response will be and how to repeat the process effectively.

The cybercriminal’s plan

Let’s look at how simplistic the attacks are once a plan is in place, and how you can check if you are on their radar.

Step 1 (identify the target)

The cybercriminal will make a list of organisations who will have no choice but to pay a ransom to recover their data. That covers just about anyone, but the list will specifically target those who MUST pay: police, medical, MOD, education, and any company which is reliant on its data.

Our research shows the most consistently attacked groups are schools and local government. The police and big companies shouldn’t feel left out, but typically it is the organisations with less funding who get hit. Taking on big companies is hard work because they have the staff and technology to prevent and defeat attacks, and they will almost certainly have many copies of their data should they be successfully attacked. Such attacks are unlikely to result in a big PAYDAY.

Police normally aren’t a popular target, for obvious reasons. However, as we reported in March 2019, the Police Federation was successfully attacked. The police won’t have the resources to investigate an attack on YOUR company, but will find enough to investigate their own mishaps.

The most likely reason schools are targeted is that they can be sued for losing data and so will pay a ransom. Schools must open every email they receive, and they never have enough funding to pay for the technical staff and systems required to prevent attacks. This, unfortunately, makes them an easier target. If humans are manually opening emails all day long, it is expected that at some point one will fall foul of a clever attack which lets the malware into the network.

Large companies will have the required defences in place, such as web filtering to stop users visiting risky websites, scanning of all inbound email at source with three or more anti-virus engines, and on-network systems which detect when a malware attack might be happening. They are still targets, but not the obvious choice.

Step 2 (when to start and stop the attack)

When to start the attack is also very important to the cybercriminal. Schools are targeted more frequently around exam periods because there is a flurry of student requests and exam work which needs marking, so an unexpected attachment is more likely to be opened. Sending malware during the summer holidays is probably a waste of the criminal’s time because it won’t be opened.

We might also see a spike in betting companies being targeted around important sporting events. With a large share of their revenue earned around the FA Cup final and Grand National days, you can see the value to an attacker of taking their networks down during these periods.

Denial-of-Service (DoS) attacks flood networks in order to prevent legitimate network traffic, and they are also timed to specific dates. DoS is different from ransomware in many ways, but it shows how and when the cybercriminal will view you as a target.

Easy steps to prevent ransomware landing on your network

Look at it this way: you can’t stop someone walking past your home or car with the intent to break a window and take what isn’t theirs. The reassurance that you will get your stolen goods back afterwards is little consolation. Somewhere between the intent and the theft you need a strategy to stop that intent from going any further.

Somehow at work, this mindset doesn’t always come into play. It is easy to prevent ransomware, but as with everything in life, there is some effort involved. The easiest ways to prevent ransomware attacks are:

1. Ban raw email and use an electronic helpdesk
Instead of using standard email, which is cumbersome, lets unsolicited messages flow straight in and has no built-in management, try using an electronic helpdesk. Your customers can still use their own email systems to contact you without changing how they work. The difference is that all email inbound to you is now screened and managed. Even the most basic systems allow you to block email addresses and remote networks so they can’t contact you.

There are many helpdesk systems available online which are free to use for small companies. Larger systems can be hosted online or on-premise. We use WHMCS as part of our service plan, which allows us to have as many support staff as we like for less than £30 a month. Configured correctly, these systems strip unwanted attachments and links to malware before a human ever sees them.

You can deploy a system-wide anti-virus service which automatically scans all email at source and blocks the attachment types you don’t want to let in. Staff can still view safe files such as PDF attachments and images, whilst you block .exe or .zip files (these often carry malware). Extend the block list to other executable content, such as script files and macro-enabled Office documents, and remember that a password-protected archive cannot be scanned at all and should be held for review rather than delivered.

With an electronic helpdesk, every email will still arrive at your organisation and will be visible to everyone in the team. You can see when an email has gone unanswered for a set period of time, who has replied to each message and what they said.

Larger organisations who don’t deal with the public often block free email accounts such as Gmail or Yahoo because their customers won’t use those types of account.
Cybercriminals favour free accounts (or hijacked ones) because registering an email domain of their own leaves a payment trail which could identify them, although better-resourced attackers do register look-alike domains and send from compromised legitimate mailboxes.
If you block emails from free email accounts you will have cut off a large share of the cheap, high-volume attacks in one action, but not all of them.
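The attachment and sender screening described in this section, as an added example that is not part of the original page or of any helpdesk product it mentions. The block list, the free-webmail list and the message format are assumptions for the demonstration, and the two messages are constructed test data rather than captured phishing emails. It goes slightly beyond the text by looking inside zip attachments and flagging password-protected archives, which no downstream scanner can inspect.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed policy lists for this example; tune them to what your organisation actually exchanges.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1",
                      ".hta", ".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTENSIONS = {".zip"}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def _ext(name: str) -> str:
    """Final extension of a file name, lower-cased, e.g. 'Invoice.PDF.exe' -> '.exe'."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _inspect_zip(data: bytes):
    """Return (member names, encrypted?) or None when the bytes are not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            return [i.filename for i in infos], any(i.flag_bits & 0x1 for i in infos)
    except zipfile.BadZipFile:
        return None


def classify_message(raw: bytes, block_free_mail: bool = False) -> list[str]:
    """Reasons the message should be held back from the helpdesk queue; [] means deliver."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1]
    domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if block_free_mail and domain in FREE_MAIL_DOMAINS:
        reasons.append(f"sender domain {domain} is a free webmail provider")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"{name}: blocked extension {ext}")
        elif ext in ARCHIVE_EXTENSIONS:
            info = _inspect_zip(data)
            if info is None:
                reasons.append(f"{name}: archive is not readable")
            else:
                members, encrypted = info
                if encrypted:
                    # A password-protected zip cannot be scanned by anything downstream.
                    reasons.append(f"{name}: password-protected archive, cannot be scanned")
                bad = [m for m in members if _ext(m) in BLOCKED_EXTENSIONS]
                if bad:
                    reasons.append(f"{name}: archive contains {', '.join(bad)}")
        # invoice.exe.pdf style names: an executable extension hidden before a benign one.
        pieces = name.lower().split(".")
        if len(pieces) > 2 and any("." + p in BLOCKED_EXTENSIONS for p in pieces[1:-1]):
            reasons.append(f"{name}: disguised double extension")
    return reasons


def _make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


def build_sample(sender: str, attachments: list) -> bytes:
    """Construct a sample message (test data for this example, not a captured phish)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "accounts@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    for filename, content in attachments:
        msg.add_attachment(content, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


# Constructed samples: a harmless PDF, and a zipped executable sent from a free webmail account.
SAMPLE_CLEAN = build_sample("supplier@example.com", [("invoice.pdf", b"%PDF-1.4 sample")])
SAMPLE_PHISH = build_sample("Accounts <payments@gmail.com>",
                            [("invoice.zip", _make_zip({"invoice.pdf.exe": b"MZ sample"}))])

if __name__ == "__main__":
    for label, raw in (("clean", SAMPLE_CLEAN), ("phish", SAMPLE_PHISH)):
        print(label, classify_message(raw, block_free_mail=True) or ["deliver"])
```

Run as a script it prints the verdict for each sample; in a helpdesk pipeline you would call classify_message on each inbound message and route anything with a non-empty reason list to a quarantine queue rather than to staff.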

2. Be aware of when heightened attacks will occur.

Following on from the betting shop analogy above, IT Admins can use historical data from their firewalls, web filters and anti-virus systems to build up a profile over time of when blocked attacks are most frequent, by time of day, day of the week and time of year, and raise awareness and staffing around those periods.
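Building that profile from gateway logs, as an added example that is not part of the original page. The log line format is an assumption for the demonstration (real firewalls, web filters and anti-virus consoles each have their own), and the sample week of events is constructed, not a real capture.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed line format for this example; adjust LINE_RE to match your own gateway logs.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<source>\S+) "
    r"action=(?P<action>\w+) reason=(?P<reason>[\w-]+)")

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample: a few days of mail gateway and web filter events, not a real capture.
SAMPLE_LOG = """\
2019-03-04T09:02:11Z mailgw action=blocked reason=malware-attachment
2019-03-04T09:15:42Z mailgw action=blocked reason=malware-attachment
2019-03-04T09:48:03Z webfilter action=blocked reason=malware-url
2019-03-04T11:20:00Z mailgw action=allowed reason=clean
2019-03-05T09:31:27Z mailgw action=blocked reason=malware-attachment
2019-03-07T14:05:59Z webfilter action=blocked reason=malware-url
this line is not in the expected format
"""


def attack_profile(lines) -> dict:
    """Count blocked events by weekday, hour of day and reporting system.
    Lines that do not parse are counted in 'skipped' so a format change is noticed."""
    by_weekday, by_hour, by_source = Counter(), Counter(), Counter()
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        if m["action"] != "blocked":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_weekday[WEEKDAYS[ts.weekday()]] += 1
        by_hour[ts.hour] += 1
        by_source[m["source"]] += 1
    return {"by_weekday": by_weekday, "by_hour": by_hour,
            "by_source": by_source, "skipped": skipped}


def busiest(counter: Counter):
    """Key with the highest count, or None when nothing was counted."""
    return counter.most_common(1)[0][0] if counter else None


if __name__ == "__main__":
    profile = attack_profile(SAMPLE_LOG.splitlines())
    print("busiest weekday:", busiest(profile["by_weekday"]))
    print("busiest hour:", busiest(profile["by_hour"]))
    print("unparsed lines:", profile["skipped"])
```

Feed it a year of exported events rather than six lines and the by_weekday and by_hour counters show the pattern the text describes, for your own organisation rather than for schools or bookmakers in general.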

3. Manage user’s permissions correctly

Ransomware can only encrypt what the compromised network account has permission to write to. Short of exploiting a separate privilege-escalation flaw or finding admin credentials lying around, the malware runs with that account’s rights and nothing more, so an account with minimal access to its local PC and network data confines the damage to a small corner of your estate.
It is very rare that a user needs full admin rights to their PC. These rights are controlled by the IT Admin through Group Policy at the domain level. Rights can be granted and revoked when required, but should never be left unchecked. Start with minimal PC and network rights and increase as required.

Department heads will very often feel ‘entitled’ to full access on their PC and network data when in practice they don’t need it. Department heads are also among the most targeted users because they have been in their jobs a long time and their email addresses are better known than that of the new starter.
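A quick way to measure what a given account could encrypt, as an added example that is not part of the original page. It walks a directory tree as the current user and reports the files the account can overwrite and the directories where it can create or delete files (ransomware commonly writes an encrypted copy and then deletes the original, so directory write access matters as much as file access). The sample tree is constructed inside a temporary directory to stand in for a user's PC and two mapped shares; run blast_radius against a real mapped drive, as the user in question, to get real figures.

```python
import os
import shutil
import stat
import tempfile

# When running as root, os.access() reports everything writable, so the figures are only
# meaningful for an ordinary user account (which is the situation the text describes).
IS_ROOT = getattr(os, "geteuid", lambda: -1)() == 0


def blast_radius(root: str) -> dict:
    """What ransomware running as the current account could reach under root:
    files it can overwrite, and directories where it can create or delete files.
    Nothing is modified."""
    total, writable_files, writable_dirs = 0, [], []
    for dirpath, _, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if os.access(dirpath, os.W_OK):
            writable_dirs.append(rel_dir)
        for name in filenames:
            total += 1
            if os.access(os.path.join(dirpath, name), os.W_OK):
                writable_files.append(f"{rel_dir}/{name}" if rel_dir != "." else name)
    return {"total_files": total,
            "writable_files": sorted(writable_files),
            "writable_dirs": sorted(writable_dirs)}


def build_sample_tree() -> str:
    """Construct a stand-in for a user's PC plus two mapped shares (sample data only)."""
    root = tempfile.mkdtemp(prefix="blast_")
    layout = {
        "home/letter.docx": True,             # the user's own document
        "shares/public/notes.txt": True,      # a share everyone can write to
        "shares/finance/ledger.xlsx": False,  # read-only for this account
        "shares/finance/budget.xlsx": False,
    }
    for rel, writable in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("sample content\n")
        if not writable:
            os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    # Finance share: the account may list and read it but not add or delete files there.
    os.chmod(os.path.join(root, "shares", "finance"), stat.S_IRUSR | stat.S_IXUSR)
    return root


def remove_sample_tree(root: str) -> None:
    """Restore write bits so the temporary tree can be deleted."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            os.chmod(os.path.join(dirpath, name), stat.S_IRWXU)
    shutil.rmtree(root)


if __name__ == "__main__":
    tree = build_sample_tree()
    report = blast_radius(tree)
    print(f"{len(report['writable_files'])} of {report['total_files']} files could be encrypted")
    print("directories open to create/delete:", report["writable_dirs"])
    remove_sample_tree(tree)
```

With the finance share made read-only for this account, only two of the four files are exposed; granting the department head ‘full access’ would put all four in reach of a single phishing email.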

4. Web filtering

There are many web filtering applications and services on the market which will prevent a user from visiting an unauthorised website and unknowingly downloading malware. Not only do they protect your network, but they can also increase productivity by restricting which non-work-related websites can be viewed and when. Some require you to install software on your network and some simply require you to reroute your Internet traffic (for example through a filtered DNS or proxy service). This can be done in minutes and hands over the responsibility of securing your web browsing traffic to experts.

5. Protect your email
If you are using sales@ and info@, so are the cybercriminals. Use different, non-generic email addresses and add a contact form to your website instead of publishing your email address.
Also, be careful where you enter your email address online. If you sign up for free offers, your email address will probably be sold on.

6. Small companies still have a fight.
As a small company or sole trader, you have the consolation of knowing that you might not appear on a cybercriminal’s radar. It is still very easy to secure yourself, though.

Simple works best
– Always have up-to-date anti-virus and firewall software on each PC and laptop.

This helps stop malware coming in via email, webmail and removable media, and blocks access to dodgy websites where malware is lurking. If you have more than one device in your company, set up central reporting so that you know when a virus or attack has been blocked and when the security software needs updating. Most products have this feature built in.

– Never open emails you are suspicious of and never visit dodgy websites.

Recover from ransomware

Full backups are your best weapon against a successful ransomware attack

Regardless of what happens to your data, if you have regular full backups you can recover from the incident.
Your full backup doesn’t have to be stored on expensive media or in an online storage system; it simply needs to be somewhere which suits your availability and security requirements. Your budget and bandwidth will also dictate whether you keep multiple copies of your data, and where they are stored.

You will need to keep enough full copies that you can go back in time to a backup taken before the ransomware attack happened, and test that those copies actually restore; a backup you have never restored from is an assumption, not a backup.

Incremental backups MIGHT allow you to recover from a ransomware attack; however, a full backup which is not linked to your live data or to other backup sets is the only method we recommend. A backup drive or share that stays mapped from an infected PC is just more data for the ransomware to encrypt.

Ransomware attacks reiterate the need for reliable backups.

We have been experts in online backup since 1999 and have provided our service to every sector in the UK except the Police and MOD.

Back in the 1990s when we worked with networks and tape drives for backup, it was very common to see an entire organisation’s data stored on a server with one hard disk, or at best mirrored to a second disk in RAID 1 format. RAID 5 was at the time, the stuff of dreams within IT budgets. We frequently saw servers fail with a total loss of data.

In the last 15 years, hardware failures of these types are less frequent, and some IT Admins have been less concerned about their backups now their data is stored in the cloud.

In the last 5 years or so we have seen a complete renewal of the need for a solid backup because of ransomware.

If your data is stored in the cloud, it can still be destroyed in a ransomware attack: a file-sync service faithfully uploads the encrypted versions over the originals, so cloud storage that mirrors your PC is not a backup.


At the most basic level you can make a copy of your server drives to removable storage with a simple command such as “xcopy d:\storage\*.* x:\backup-device-storage\ /s /v /c /d /e” (copy subdirectories including empty ones, verify each file, carry on after errors, and only copy files newer than the copy already on the backup device), then unplug the device so it is not sitting on the network as a mapped drive when the ransomware arrives.
This isn’t the way most organisations would do it; however, it highlights how easy it is to beat the cybercriminals.
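The same idea taken one step further, as an added example that is not part of the original page or of our backup service: each run makes a full, stand-alone copy into a dated folder alongside a SHA-256 manifest, so a copy can be checked for damage later and the newest copy taken before the encryption started can be picked out. The canary file, the folder layout and the simulated “ransomware” (which just overwrites files with random bytes and renames them) are assumptions for the demonstration; the live data is constructed in a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile
from typing import Optional

# A known file kept alongside the real data: its hash never changes in a clean snapshot.
CANARY = "canary.txt"
CANARY_TEXT = b"canary: if this file's hash changes, the snapshot was taken after the attack\n"
CANARY_HASH = hashlib.sha256(CANARY_TEXT).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(src: str, dest_root: str, label: str) -> str:
    """Full copy of src into dest_root/<label>/data plus a SHA-256 manifest.
    Each snapshot stands alone: it references neither live data nor earlier snapshots."""
    snap = os.path.join(dest_root, label)
    data_dir = os.path.join(snap, "data")
    shutil.copytree(src, data_dir)
    manifest = {}
    for dirpath, _, files in os.walk(data_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, data_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    with open(os.path.join(snap, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return snap


def verify_snapshot(snap: str) -> list[str]:
    """Files whose hash differs from the manifest or which are missing; [] means intact."""
    with open(os.path.join(snap, "manifest.json")) as f:
        manifest = json.load(f)
    damaged = []
    for rel, digest in manifest.items():
        path = os.path.join(snap, "data", rel)
        if not os.path.isfile(path) or sha256_file(path) != digest:
            damaged.append(rel)
    return damaged


def latest_clean_snapshot(dest_root: str) -> Optional[str]:
    """Newest snapshot (labels sort by date) that is intact and whose canary is untouched,
    i.e. the newest copy taken before the encryption started."""
    for label in sorted(os.listdir(dest_root), reverse=True):
        snap = os.path.join(dest_root, label)
        with open(os.path.join(snap, "manifest.json")) as f:
            manifest = json.load(f)
        if manifest.get(CANARY) == CANARY_HASH and not verify_snapshot(snap):
            return snap
    return None


def simulate_ransomware(live: str) -> None:
    """Stand-in for the encryption step: overwrite every file with random bytes and add
    a .locked suffix. Sample behaviour only, no real cipher involved."""
    for dirpath, _, files in os.walk(live):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "wb") as f:
                f.write(os.urandom(64))
            os.replace(path, path + ".locked")


def demo() -> dict:
    """Constructed live data, a snapshot before and after a simulated attack, and a
    damaged good copy, to show which snapshot is safe to restore from."""
    work = tempfile.mkdtemp(prefix="ransomware_backup_")
    live, backups = os.path.join(work, "live"), os.path.join(work, "backups")
    os.makedirs(os.path.join(live, "finance"))
    os.makedirs(backups)
    with open(os.path.join(live, CANARY), "wb") as f:
        f.write(CANARY_TEXT)
    with open(os.path.join(live, "finance", "ledger.csv"), "w") as f:
        f.write("date,amount\n2019-03-01,100\n")
    day1 = take_snapshot(live, backups, "2019-03-01")
    simulate_ransomware(live)                   # the attack lands during the day
    take_snapshot(live, backups, "2019-03-02")  # next run faithfully copies encrypted files
    clean = latest_clean_snapshot(backups)
    # Bit-rot, or a backup drive the ransomware could reach: damage the good copy and re-check.
    with open(os.path.join(day1, "data", "finance", "ledger.csv"), "ab") as f:
        f.write(b"corrupted")
    result = {"clean_before_damage": os.path.basename(clean) if clean else None,
              "damaged_files": verify_snapshot(day1),
              "clean_after_damage": latest_clean_snapshot(backups)}
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

The 2019-03-02 snapshot is rejected because its canary was encrypted along with everything else, so 2019-03-01 is the one to restore from; once that copy is damaged there is no clean snapshot left, which is exactly why you keep more than one and verify them before you need them.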

If you use our cloud-2-cloud backup service, you can backup anything to anywhere.


Contact us to start a discussion or post your comments below if you have something to add for the community.



The Old Sorting Office, Corsham, Wiltshire SN13 9AA
Tel: 0800 907 8238