Ransomware: How your Excel spreadsheet could cost you millions

25 October, 2021

The malware scourge is upon us:

  • In July 2020, a cybersecurity firm found evidence of malware on client computers and traced it back to updates for Austin, TX-based SolarWinds and its Orion network monitoring software. The malware compromised operating systems of the Pentagon, Homeland Security’s Cybersecurity and Infrastructure Agency, and the U.S. Departments of Treasury, Justice, and Energy. The infection of SolarWinds software updates also compromised the security of more than 100 companies, a list that includes Microsoft, Intel, and Cisco. US authorities traced the malware to SVR, a Russian intelligence service. While no ransom was ever demanded or paid, government and companies have spent tens of millions on network analysis and cybersecurity upgrades.
  • In May 2021, a malware attack on the Colonial Pipeline Company disrupted gasoline and jet fuel supply to much of the U.S. East Coast for several days. The company paid $5 million in bitcoin; US law enforcement eventually recovered $2.3 million.
  • In June 2021, global beef producer JBS USA paid criminal hackers $11 million in ransom to restore its software operating system.
  • Other recent attacks include insurance giant CNA Financial, and computer companies Acer and Quanta Computer, with ransomware demands of as much as $50 million.
  • In July, hackers traced to the Russia-based REvil group paralyzed the operating systems of more than 200 companies by targeting upgrades of Kaseya network management software. The group, likely behind the JBS hack in June, reportedly demanded a ransom of $500,000 per company.
  • As of October 2021, the U.S. Treasury reports that U.S. companies have paid more than $590 million in ransomware payments this year alone.

Some of the largest ransomware attacks preceded this recent spate:

  • 2017’s “WannaCry” malware attack infected 7,000 company computers in the first hour and 11,000 IP addresses over two days, including industrial giants Honda and Renault, demanding $600 million in bitcoin.
  • The Russian military launched the “NotPetya” ransomware attack in 2017, targeting Microsoft Windows-based systems. NotPetya permanently locked out computer access for tens of thousands of users and paralyzed multinational corporations and organizations. Those affected included Merck & Co. pharmaceuticals and Mondelez International Foods in the U.S., Ukraine’s Chernobyl Nuclear Power Plant, British marketing agency WPP, the Maersk shipping line, France’s Saint-Gobain construction company, Germany’s Beiersdorf personal care company, and Australia’s Cadbury Chocolate factory operations. NotPetya ranks as the most expensive ransomware attack, with total costs of more than $10 billion.

The number of ransomware attacks nearly doubled in the first half of 2021. According to research by analytics company Cognyte, 1,097 organizations were hit by ransomware attacks in the first half of 2021, compared to 112 in all of 2020. In a “State of Email Security” survey from research firm Mimecast, 61 percent of respondents said they had experienced a ransomware attack in the last 12 months. Of those respondents, 52 percent paid the ransom, but more than one-third never recovered their data.

The growth of ransomware is bad news for businesses and organizations of every size and stripe. Few companies can survive the crippling of primary software applications and denial of access to data for even a few days. Disrupted service can be particularly harmful when it affects critical infrastructure or emergency services, like medical facilities.

Ransomware: How it Works

Ransomware is a type of software designed to infiltrate an organization’s computer operating system. It wreaks havoc by releasing sensitive documents to the public or locking access to files until a ransom is paid. Hackers can infect documents with malware code and spread their virus when team members collaborate or archive documents into new folders or databases. In many cases, the victim must pay the cybercriminal within a set amount of time or risk losing access forever.

Hackers attack by encrypting files at their endpoints or extensions. Examples include:

  • Microsoft files ending with PowerPoint .ppt, Word .doc and .docx, and Excel .xlsx, .xlsm, .xlsb, .xltx, and older extensions like .xls, .xlt, and .xml
  • Media files ending with .mp4, .zip, .rar, and .tar
  • Database files ending with .sql, .accdb, .mdb, and .odb
  • Imaging files ending with .ssd, .raw, .svg, and .psd

Other common hacker points-of-attack:

  • Via email: “Malspam”, malicious attachments or links sent via email
  • Via testing tools: Abuse of attack-testing tools like Cobalt Strike, Metasploit, or Mimikatz to gain access to Active Directory and evade signature-based antivirus

Protecting against ransomware: Securing documents in progress

One of the weakest links in file security is works-in-progress – Word documents, Excel spreadsheets, data analytics reports, and videos, designs, and images that are undergoing review and alteration.

The COVID pandemic has accelerated collaboration on raw, work-in-progress documents among remote parties, whose site cybersecurity may be weak – thus providing hackers with a perfect entry point for infiltrating your system and installing malware.

Improving the security of unstructured files during collaboration is now possible with a new protective layer: Dynamic Native File Protection (DNFP).

DNFP is a new type of security software provided by ShareVault, the company known for its ultra-secure virtual data room platform. ShareVault’s DNFP is specifically designed to protect documents that are in development: DNFP-protected files require an authorized user on an authorized device, effectively blocking any third-party attempts to hijack a file.

ShareVault DNFP software protects documents as they are being generated as well as when they are shared in collaboration. The DNFP administrator invites users to install DNFP, and then authorizes each user’s access and devices. The administrator can put a time limit on access, revoke authorization at any time, and can digitally “shred” documents on a user’s devices even after the user has left the team.

Dynamic Native File Protection

Cloud-based DNFP automatically installs at the computer operating system level – no IT team involvement is necessary. Users simply click on a file and move it into a DNFP folder – no difficult learning curve.

DNFP provides protection for Word, Excel, PowerPoint, Photoshop, Illustrator, AutoCAD, SolidWorks, Cadence, and other productivity and design documents while they are in development and when they are shared – anywhere in the world. DNFP protects files regardless of how they are stored or shared – by email, Skype, Slack, DropBox, Google Drive, Microsoft 365, Zoom, et al. DNFP encryptions work for any device - desktops, laptops, phones, and tablets. And DNFP features auto-updates, to ensure users always have the latest iteration of protection.

Protecting against ransomware: Ultra-secure archived document storage

A Virtual Data Room (VDR) is a cloud-based platform that stores documents and protects access and collaboration among authorized users. ShareVault’s industry-leading secure virtual data room protects “View Only” archived documents, such as corporate financials, HR files, board communications, and clinical trial reports. Team members can safely collaborate while they are in the VDR environment. The VDR administrator controls team member and document access. This feature is particularly important for collaboration with remote parties, whose on-site cybersecurity protections are unlikely to be first-rate and thus are a potential entry point for hackers.

Virtual Data Room

ShareVault’s VDR provides maximum protection: files are encrypted with AES-256, and file connections are via HTTPS over Secure Sockets Layer (SSL), providing AES-256 encryption in transit. ShareVault also integrates Electronic Master Files (eTMF), the preferred method for pharma research companies to manage development brief content. The team administrator has multiple control options, including two-step password authentication, Page-level Tracking, end-date permissions, and the ability to shred documents even when they have already been downloaded.

As an additional layer of protection, companies should review all publicly exposed access protocols, including Remote Desktop (RDP), Virtual Network Computing (VNC), File Transfer (FTP), and Server Message Block (SMB). For increased protection, consider moving to multi-factor authentication.
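One way to start the review described above, as an added example that is not ShareVault's code: a Python check that reads listening-socket output in the layout of `ss -tln` and flags the four named protocols when they are bound to a non-loopback address. The sample output is constructed, the function names are hypothetical, and the ports are the protocols' defaults (FTP 21, SMB 445, RDP 3389, VNC 5900).

```python
import ipaddress

# Default TCP ports for the remote-access protocols named above.
RISKY_PORTS = {21: "FTP", 445: "SMB", 3389: "RDP", 5900: "VNC"}

# Constructed sample in the column layout of `ss -tln` (not real host data).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:3389         0.0.0.0:*
LISTEN  0       50      127.0.0.1:5900       0.0.0.0:*
LISTEN  0       50      192.0.2.10:445       0.0.0.0:*
LISTEN  0       32      [::]:21              [::]:*
LISTEN  0       5       [::1]:5900           [::]:*
"""

def split_endpoint(endpoint):
    """Split 'host:port', including bracketed IPv6 such as '[::]:21'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def is_loopback(host):
    """True only for addresses that are reachable from the local machine alone."""
    try:
        return ipaddress.ip_address(host.split("%")[0]).is_loopback
    except ValueError:
        return False  # wildcard or unparseable: treat as reachable and review it

def find_exposed(ss_output):
    """Return (protocol, bind address, port) for each listener worth reviewing."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        host, port = split_endpoint(fields[3])
        if not port.isdigit():
            continue
        name = RISKY_PORTS.get(int(port))
        if name and not is_loopback(host):
            findings.append((name, host, int(port)))
    return findings

if __name__ == "__main__":
    for name, host, port in find_exposed(SAMPLE_SS_OUTPUT):
        print(f"review: {name} listening on {host}:{port}")
```

A listener on a non-loopback address is a candidate for review, not proof of internet exposure; whether it is publicly reachable also depends on the firewall and network path in front of the host.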

ShareVault’s VDR accommodates a wide range of interfaces and plug-ins and works seamlessly with DocuSign, Dropbox, Office 365, AutoCAD, Cadence, and other popular business applications.

Protecting against ransomware: Back up your data

The Multi-State Information Sharing and Analysis Center (MS-ISAC), a division of the Center for Internet Security (CIS), which works on cyber threat protection for government agencies, recommends backing up your files onto off-line servers, as backups to active files and those stored in the cloud. Your backup strategy should include storing multiple iterations of files, which will allow your organization to recover from an unencrypted version.
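Keeping multiple iterations only helps if the restore picks one that predates the encryption. The following added example (not from MS-ISAC or ShareVault) selects the newest stored version of an Office file whose content still matches its format; the structure check is a heuristic, and the function names, timestamps and sample versions are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .xls/.doc/.ppt container

def looks_intact(name, data):
    """Heuristic: does the content still match the format its extension claims?"""
    ext = name.rsplit(".", 1)[-1].lower()
    if ext in {"xlsx", "xlsm", "docx", "pptx"}:
        # OOXML files are ZIP archives that contain [Content_Types].xml.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return "[Content_Types].xml" in zf.namelist()
        except zipfile.BadZipFile:
            return False
    if ext in {"xls", "doc", "ppt"}:
        return data.startswith(OLE_MAGIC)
    return None  # unknown format: this check cannot decide

def newest_intact(name, versions):
    """versions: list of (ISO timestamp, bytes). Return the newest passing timestamp."""
    for stamp, data in sorted(versions, key=lambda v: v[0], reverse=True):
        if looks_intact(name, data):
            return stamp
    return None  # no stored version passes; escalate instead of restoring blindly

def make_sample_xlsx():
    # Constructed minimal OOXML-like archive for the demo, not a full workbook.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()

def scramble(data):
    # Stand-in for an encrypted copy: same length, no recognisable structure.
    return bytes(((b * 31 + 7) % 256) ^ 0xA5 for b in data)

GOOD = make_sample_xlsx()
VERSIONS = [  # constructed backup history: the last two nightly copies are damaged
    ("2021-10-20T02:00", GOOD),
    ("2021-10-21T02:00", GOOD),
    ("2021-10-22T02:00", scramble(GOOD)),
    ("2021-10-23T02:00", scramble(GOOD)),
]

if __name__ == "__main__":
    print("restore from:", newest_intact("budget.xlsx", VERSIONS))
```

If retention only covered the last two nights in this sample, `newest_intact` would return `None`, which is why the number of iterations kept matters as much as having backups at all.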

Protecting against ransomware: Email filters

Install filters: Implement filters at your email gateway to block or erase emails with known malicious subject lines and known malspam indicators, and to block suspicious IP addresses. A further step is to filter inbound and outbound traffic based on IP addresses and ports.

Protecting against ransomware: Regular system updates

Update your organization’s operating systems, applications, and software regularly. Where possible, turn on auto-updates to ensure automatic installation of the latest security patches, which can specifically address security gaps that hackers are seeking to exploit.

Protecting against ransomware: Training

Training: Provide training to help staff identify suspicious emails and links and understand the dangers of malware.

Protecting against ransomware: ShareVault!

For true state-of-the-art protection for both work-in-progress and archived documents, a company’s best choice is ShareVault’s combination of Dynamic Native File Protection (DNFP) and its Virtual Data Room (VDR) platform. DNFP and the VDR allow safe collaboration, even with remote parties, and dramatically reduce the risk of security breaches and vulnerability to ransomware attacks.