What is Ransomware?
Ransomware is a type of malware that attackers use to hold data hostage unless a ransom is paid. If not prevented, or caught shortly after infection, ransomware attacks can cripple organizations by stealing it to sell on the Dark Web, making sensitive information public, or destroying data entirely. Customer information, financial data, intellectual property, and employee details are frequently targeted during attacks, and may still be stolen, even when attackers are paid off.
Ransomware has been the most pervasive cyber threat since 2005. According to the 2020 Malware Report by Cybersecurity Insiders, 43% of cybersecurity professionals surveyed experienced an attack and 80% of respondents felt it was at least moderately likely they would experience another attack within the next 12 months. Additionally, 82% of those surveyed were most concerned about ransomware out of any type of malware.
How Does Ransomware Work?
Ransomware can be deployed in several ways. According to the 2020 Malware Report, 83% of security professionals consider phishing emails to be the most dangerous attack vector. In fact, according to the Verizon Data Breach Investigations Report, 94% of malware deliveries are completed through a phishing email of some type. Other potential entry points are email attachments, users visiting malicious or compromised websites, and exploit kits.
Though there are various strains of malware, every type shares a few common characteristics. First, ransomware blocks access to a victim’s files. Next, targets receive a note with demanding a certain amount of money to restore access to their files. Though the cost varies, the payment typically must be made through some form of cryptocurrency, like Bitcoin or Monero. Unlike marked bills or money wiring, cryptocurrency is nearly impossible to trace, so cybercriminals can be confident that they won’t be tracked through their payment.
There are two types of ransomware. Encrypting ransomware (crypto-ransomware) converts files into ciphertext, rendering them unreadable . Attackers will deliver a decryption key upon payment, and threaten to delete the encryption key if the ransom goes unpaid, which effectively destroys the data by making it unusable.
Non-encrypting ransomware uses lock screens that take up the entire screen and display a ransom note in some form. These strains are often less successful, since once the lock screen is removed, which is possible to achieve without paying the threat actors, the files remain unaltered.
What is the Purpose of Ransomware?
Of course, ransomware’s primary purpose is typically financial gain. No matter what a victim chooses to do, once they receive the ransom note, the attacker has the opportunity to make money in some way. If the ransom is paid, they get money without having to do any more work. If they aren’t paid, most strains of ransomware enable attackers to steal the data they are holding hostage. From there, they can sell the data, and make their money that way.
However, another big threat of ransomware is its power to be used as a decoy. In fact, the power of ransomware as a tool for distraction dates back to 2015. By the end of 2016, a large number of targeted attack groups began adopting these methods of using ransomware as a tool to get IT and security teams chasing potential infections, allowing them to infiltrate the network and get what they are truly seeking.
This approach causes considerable damage, as it causes so much confusion among victims and often delays effective responses. While attackers are entering the system in another area, IT response teams are preoccupied trying to recover from the initial ransomware attack—performing backup activities, shutting down offending systems, identifying internal ransomware procedures, and determining if they should pay the ransom.
What is Ransomware-as-a-Service (RaaS)?
Savvy threat actors, inspired by the legitimate software-as-a-service (SaaS) model, have created their own version to sell on the Dark Web. RaaS is an increasingly common practice in which cybercriminals create ransomware, and either sell it to others or rent it and take a portion of any bounty collected when it is used in a successful attack. This model has helped proliferate ransomware, as it opens up an entirely new clientele to cyber attacks. People who don’t know how to code or create ransomware can now easily become attackers.
For example, Satan RaaS provides quite a few features for users to easily tailor this malware without needing any expertise. They can set the extortion amount, customize their notes, translate the malware into different languages, track transactions, and even obtain new releases of Satan. Additionally, they get detailed instructions on how to test and deploy their malware. In exchange, the developers of Satan get a 30% of whatever income attackers using the ransomware receive.
What Are Some Examples of Ransomware?
First appearing in 2017, BadRabbit is crypto-ransomware strain that has infected targets mainly through hacked websites and drive-by spreads. It is able to move quickly, using an SMB component that allows it to move across an infected network and propagate without user interaction.
An epidemic of BadRabbit began in October 2017, attacking over 200 organizations across the globe. For example, media outlets in Russia were targeted, as well as the Odessa airport in Ukraine.
CryptoLocker was first active in 2013, and was typically deployed as an attachment to an email that seemed to be from a real organization. Cryptolocker extorted millions of dollars, attacking over 250,000 victims.
Though very successful, CryptoLocker was shortlived—the Gameover ZeuS botnet being used to distribute it was dismantled by an international task force called Operation Tovar.
Locky began appearing in 2016, usually spreading through phishing emails. For example, some appeared as invoices that have an attached Word document containing the malware.
Locky is considered one of the most effective pieces of ransomware. A Los Angeles Hospital paid $17,000 to regain access to their systems, while the Office of Personnel Management (OPM) had sensitive information from 22 million people stolen when they didn’t pay.
Named after a graphic novel character, Ryuk appeared in 2018, and is a type of crypto-ransomware developed to attack organizations, including municipal governments, state courts, hospitals, enterprises, and large universities. Many of these organizations have paid hefty fees to recover their files following a Ryuk attack, only to find that any number of files have been stolen, and some of the data left behind is beyond repair. Read more>
One of the most noted Ryuk attacks was on the Tribune Publishing newspapers in December 2018. Not only were there disruptions and delivery delays, they were also reinfected after an initial quarantine.
WannaCry was responsible for a global ransomware attack in 2017, spreading through the EternalBlue vulnerability in Microsoft Windows. The patch for this vulnerability had been previously released, but not all organizations were up to date on that patch and were easily attacked.
Over 230,000 computers were attacked, but less than 400 targets paid the ransom of $300. Ultimately, the impact of this attack was relatively low, but it exposed that many organizations had dangerous security weaknesses that left them extremely vulnerable.
First spotted in November 2019, Zeppelin has primarily targeted large companies in Europe and the United States. Zeppelin is rather unusual—researchers have found that in some instances, files were only partially encrypted, which may be a bug, or an intentional feature to make the files unusable.
In one case, data was not even encrypted, but simply stolen, either to add additional pressure to pay the ransom, or to try and sell the data on the dark web if payment didn’t go through.
What Do You Do After a Ransomware Attack?
Part of what makes ransomware so dangerous is that once you receive the ransom note, attackers have successfully breached your network. Once you have been infected, there are usually only two options: pay the ransom or rebuild from backups/scratch.
Experts almost universally advise not to pay the ransom. The fact is, you simply cannot trust that attackers will return your data once you’ve paid. Once you’ve paid, they have what they want, and face zero consequences for not holding up their end of the bargain. For example, XBash malware poses as ransomware, but is programmed merely to destroy Linux databases, and contains no restoration mechanism.
Despite this, according to a survey by CyberEdge Group, 38.7% of organizations paid the ransom, and only half of these victims recovered their data. Of the 61.3% that did not pay the ransom, 53.3% were able to recover some of their data. It’s far better to invest the ransom payment into recovering the data through other means. Ultimately, paying ransom is bad for everyone. You’re unlikely to get your data back and giving into demands only encourages either a repeat attack, or further attacks on other organizations.
Regardless of what path an organization chooses, it is still strongly recommended to contact authorities. For example, U.S. companies can contact the FBI, either through their local office, or with an IC3 complaint form. Reporting ransomware attacks allows as much knowledge as possible be collected in order to learn and improve prevention methods. Additionally, such agencies are often the most capable of widely disseminating information, putting other organizations on high alert.
How Do You Prevent and Manage Ransomware Attacks?
There are five key ways to reduce the risk of ransomware attacks:
In order to ensure that there won’t be any disruption to operations in the event of an attack, it’s best to create backups of all of your critical information. However, it’s important to segregate your backups. Many strains of ransomware have begun to seek out and encrypt backups that are on the same network. Backups should be stored on different networks to avoid being affected in an attack.
Unfortunately, users present an unavoidable risk to ransomware. However, pen testing and pen testing solutions can help prepare users to better recognize ransomware infection methods. For example, phishing emails trick users into clicking a link in an email designed to look as though it came from a trusted source. Social engineering pen testing can uncover who is susceptible to these attacks by launching phishing simulation campaigns. From there, additional training should be provided to teach your employees how to be more vigilant before clicking another suspicious email.
Penetration testing can also help deter attacks by uncovering and exploiting security weaknesses, demonstrating the feasibility of systems or end-user compromise and the potential related consequences such incidents may have on the involved resources or operations. Pen tests not only help expose these weaknesses, they also prioritize them based on their level of risk. Organizations can structure their remediation plans based on these priorities.
Additionally, becoming an easy target can be avoided by keeping systems and devices up to date. If a patch is available for any devices or third-party software, patch them. These patches fix known vulnerabilities that attackers can easily take advantage of to gain access and deploy ransomware. Make sure that these patches are properly installed—many require a restart in order to take effect.
Finally, Identity Governance and Administration (IGA) solutions mitigate risk by limiting access, reducing the exposure of sensitive data. IGA solutions enable a robust approach to managing and governing access by focusing on the principle of least privilege, eliminating excess privileges, and granting access to only those who absolutely need it in order to do their jobs.
Ransomware typically lurks for some time, finding sensitive files to steal or encrypt. The ransom only occurs at the end of the attack cycle, so as long as you can detect the ransomware before then, it significantly reduces the risk of long term or permanent damage.
Threat detection tools like network traffic analysis (NTA) work to monitor your network for malicious activity, alerting your security team the moment a risk is uncovered. These solutions help prioritize risk, providing vital information to enable a rapid response so that security analysts can both eliminate the threat and minimize damage, enabling rapid recovery and remediation. Instead of monitoring the network, NTA solutions monitor the traffic, looking for and confirming malicious activity, ensuring that immediate action can be taken.
An organization’s security posture shouldn’t be assessed just once. IT environments, and the methods used to attack them, are constantly evolving, so it is to be expected that new weaknesses will emerge. Evaluating and testing processes on a regular basis will continuously strengthen and improve them.
Ransomware Solutions from Core Security
Simple enough for your first test, powerful enough for the rest.
Learn More >
Immediately detect critical threats other solutions miss.
Learn More >
Native virus protection software for IBM systems (Linux, AIX, and IBM i).