What is Ransomware?
Ransomware is malware that prevents users or organizations from accessing files on their computers. Ransomware encrypts files and demands ransom payments for decryption keys.
This malware leaves organizations in a position where paying the ransom may be the only way to regain access to their files. Victims may be even more motivated to pay because some variants also steal data before encrypting it.
Ransomware is quickly becoming the most visible and prominent type of malware. Ransomware has been a major threat to hospitals’ ability and willingness to provide critical services. It also crippled the public services in cities and caused considerable damage to many organizations.
Ransomware attacks are on the rise.
WannaCry, in 2017, was the first major ransomware outbreak. That large-scale, well-publicized incident demonstrated that ransomware attacks can be highly profitable. Dozens of ransomware variants have appeared since then and have been used in many attacks.
Ransomware has seen a recent rise in popularity due to the COVID-19 pandemic.
Organizations quickly shifted to remote work and created gaps in their cyber defenses. These vulnerabilities have been exploited by cybercriminals to deliver ransomware. This has led to a surge in ransomware attacks. In Q3 2020, ransomware attacks increased by 50% compared to the first half of that year.
Popular Ransomware Variants for 2020-2021
There are many ransomware variants, each with its own characteristics. Some ransomware groups are more successful and prolific than others, which makes them stand out.
Ryuk is an example of a very targeted ransomware variant. It is often delivered by spear-phishing emails, or by using compromised user credentials to log in to enterprise systems via Remote Desktop Protocol (RDP). After infecting a system, Ryuk encrypts files that are not critical to the computer’s operation and then demands a ransom.
Ryuk is well-known for being one of the most costly ransomware types. Ryuk demands ransoms that average over $1 million. Ryuk’s cybercriminals are mainly focused on companies that have the resources to pay their ransom demands.
Maze ransomware is known for being the first variant to combine file encryption with data theft. Maze collected sensitive data from victims’ computers and threatened to sell it or expose it publicly if the ransom demands weren’t met. The prospect of a costly data breach was used as an additional incentive to pay.
The group behind the Maze ransomware has officially ended its operations. This does not mean that ransomware is no longer a threat. Some Maze affiliates now use the Egregor ransomware. The Egregor, Maze and Sekhmet variants may all have a common source.
Another ransomware variant is the REvil group, also known as Sodinokibi. It targets large organizations.
One of the most prolific ransomware families is REvil. Operated by a Russian-speaking group since 2019, it has been responsible for many major breaches, such as the Kaseya and JBS incidents.
Over the past several years, it has competed with Ryuk for the title of most expensive ransomware variant. REvil is known to have demanded ransom payments of $800,000.
Although REvil began as a conventional ransomware variant, it has evolved over the years.
REvil now uses double extortion: the attackers steal data from businesses and then encrypt the files. They demand a ransom to decrypt the data and, if a second payment isn’t made, threaten to release the stolen data.
LockBit is data-encrypting malware that has been in operation since September 2019 and is a more recent Ransomware-as-a-Service (RaaS) offering. It was designed to encrypt large organizations’ files quickly, so that IT/SOC teams have little chance to detect and stop it before encryption completes.
In March 2021, Microsoft released patches for four vulnerabilities in Microsoft Exchange servers. DearCry is a ransomware variant that exploits those four recently discovered Microsoft Exchange vulnerabilities.
DearCry encrypts certain file types. Once encryption is complete, it displays a ransom message directing users to send an email asking for assistance in decrypting their files.
Ransomware: How it Works
Ransomware must be able to access a target system and encrypt files there in order to succeed. Then, it will demand ransom money from the victim.
Although the implementation details vary between ransomware variants, they all share the same three core stages.
Step 1: Infection and Distribution Vectors
Like other malware, ransomware can gain access to an organization’s systems in many ways, but ransomware operators prefer a handful of infection vectors.
Phishing emails are one example. Malicious emails may include a link to a website that hosts a malicious download, or an attachment with downloader functionality. If the recipient falls for the phish, the ransomware is downloaded and executed on their computer.
Remote Desktop Protocol (RDP) is another popular infection vector. An attacker who has stolen or guessed a user’s login credentials can use RDP to remotely access a computer on the enterprise network, then download and execute the malware directly on the machine they control.
Other variants infect systems directly by exploiting a vulnerability, as WannaCry did with EternalBlue. Ransomware can infect multiple systems this way.
Step 2: Data Encryption
Once ransomware has gained access to a system, it can start encrypting its files. This is done by simply reading files, encrypting them with an attacker-controlled key, and replacing the originals with the encrypted versions. Ransomware variants tend to be cautious about which files they encrypt in order to keep the system stable. Some variants also delete backups and shadow copies to make recovery without the decryption key more difficult.
Step 3: Ransom Demand
Once file encryption is complete, the ransomware makes its ransom demand. Different ransomware types do this in a variety of ways, but it is common to change the desktop background to display the demand, or to place text files containing ransom notes in each encrypted directory. These notes typically demand payment in cryptocurrency in exchange for access to the victim’s files. If the ransom is paid, the ransomware operator provides either a copy of the private key that protects the symmetric encryption key or a copy of the symmetric key itself. This key is fed into a decryptor program (also provided by the cybercriminals) to reverse the encryption and restore the user’s files.
These three steps are common to all ransomware variants, but individual variants may add steps or implement them differently. Variants such as Maze scan files, collect registry information and steal data before encrypting it. WannaCry also scans for other vulnerable devices that it can infect and encrypt.
Ransomware: How to Protect Yourself
Utilize Best Practices
Proper preparation can significantly reduce the impact and cost of ransomware attacks. These best practices will help reduce ransomware exposure and minimize its impact on an organization.
- Cyber Awareness Training and Education: Phishing emails are often used to spread ransomware, so it is important to train users to spot and avoid phishing attacks. Many cyber-attacks today start with an email that doesn’t contain malware at all, but is merely a socially engineered message encouraging users to click on malicious links. User education is often considered one of the most important defenses an organisation can put in place.
- Continuous data backups: Ransomware is designed to deny access to encrypted data until a ransom is paid. With automated, protected backups, an organization can recover from an attack without losing data or paying the ransom. Regular backups are good practice in any case, since they allow data to be retrieved after disk failure or corruption, and working backups also help organizations recover from ransomware attacks.
- Patching: Cybercriminals often study newly released patches to find the vulnerabilities they fix, then target systems that have not been patched. Patching is therefore an essential component of defending against ransomware attacks. It is crucial that organizations keep all systems updated with the most recent patches, which reduces the vulnerabilities available for attackers to exploit.
- User Authentication: Ransomware attackers commonly access RDP using stolen credentials. Strong user authentication makes it more difficult for an attacker to use a stolen or guessed password.
Reducing the Attack Surface
Because ransomware infections are so costly, prevention is the best mitigation strategy. You can reduce the attack surface by addressing:
- Phishing messages
- Unpatched Vulnerabilities
- Remote Access Solutions
- Mobile Malware
Because ransomware must encrypt all of a user’s files, it leaves a unique behavioural fingerprint when it runs on a system. Anti-ransomware solutions use this fingerprint for detection. A good anti-ransomware solution should have the following characteristics:
- Wide variant detection
- Fast detection
- Automated restoration
- A restoration mechanism that is not based on commonly used tools (such as Shadow Copy, which has been targeted by ransomware variants)
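The "fingerprint" described above is observable in practice: a burst of files that change from low-entropy documents to high-entropy ciphertext, new ransom-note text files, and (as noted in the data-encryption step) commands that delete shadow copies. The following is an added example, not code from the original page or from any anti-ransomware product, showing how a monitoring agent could score these signals. The event records, file contents, thresholds and the list of "encrypted" extensions are all constructed for illustration; a real deployment would tune them against its own data.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass

# Hypothetical event records as a file/process monitor might emit them.
@dataclass
class FileEvent:
    path: str
    before: bytes   # file contents before the write (empty if newly created)
    after: bytes    # file contents after the write

@dataclass
class ProcessEvent:
    cmdline: str

# Constructed, illustrative indicators (not from a real product's ruleset).
RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore", "recover", "how_to")
ENCRYPTED_EXT = (".locked", ".encrypted", ".crypt", ".enc")
# Shadow-copy deletion commands commonly seen before encryption starts.
SHADOW_COPY_PATTERNS = (("vssadmin", "delete shadows"),
                        ("wmic", "shadowcopy delete"))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext/random data, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(ev: FileEvent, high: float = 7.0, low: float = 6.0) -> bool:
    # Require a jump from low to high entropy; already-compressed files
    # (archives, images) are high-entropy before AND after, so they are skipped.
    return shannon_entropy(ev.after) >= high and shannon_entropy(ev.before) < low

def looks_like_ransom_note(ev: FileEvent) -> bool:
    name = ev.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return (ev.before == b"" and name.endswith(".txt")
            and any(h in name for h in RANSOM_NOTE_HINTS))

def shadow_copy_deletions(procs) -> list:
    hits = []
    for p in procs:
        c = " ".join(p.cmdline.lower().split())
        if any(tool in c and action in c for tool, action in SHADOW_COPY_PATTERNS):
            hits.append(p.cmdline)
    return hits

def assess(file_events, proc_events, min_encrypted: int = 5) -> dict:
    """Combine the signals into a simple score; thresholds are assumptions."""
    encrypted = [e.path for e in file_events if looks_encrypted(e)]
    renamed = [e.path for e in file_events if e.path.lower().endswith(ENCRYPTED_EXT)]
    notes = [e.path for e in file_events if looks_like_ransom_note(e)]
    shadow = shadow_copy_deletions(proc_events)
    score = (2 if len(encrypted) >= min_encrypted else 0) \
          + (1 if renamed else 0) + (1 if notes else 0) + (2 if shadow else 0)
    return {"encrypted_files": encrypted, "renamed_files": renamed,
            "ransom_notes": notes, "shadow_copy_deletions": shadow,
            "score": score, "verdict": "ransomware-like" if score >= 3 else "benign"}

def _random_bytes(seed: int, n: int = 4096) -> bytes:
    rng = random.Random(seed)           # deterministic stand-in for ciphertext
    return bytes(rng.getrandbits(8) for _ in range(n))

def sample_events():
    """Constructed sample: six documents overwritten with ciphertext and
    renamed, one benign edit, one archive, one ransom note, three processes."""
    doc = b"Quarterly report: revenue, costs and forecast for the next period.\n" * 40
    files = [FileEvent(f"C:\\Users\\alice\\Documents\\report{i}.docx.locked",
                       doc, _random_bytes(i)) for i in range(6)]
    files.append(FileEvent("C:\\Users\\alice\\Documents\\notes.txt",
                           doc, doc + b"One more line.\n"))            # benign save
    files.append(FileEvent("C:\\Users\\alice\\Downloads\\photos.zip",
                           _random_bytes(100), _random_bytes(101)))     # archive
    files.append(FileEvent("C:\\Users\\alice\\Documents\\README_DECRYPT.txt", b"",
                           b"Your files have been encrypted. Contact us to restore them.\n"))
    procs = [ProcessEvent("C:\\Windows\\System32\\svchost.exe -k netsvcs"),
             ProcessEvent("vssadmin.exe Delete Shadows /All /Quiet"),
             ProcessEvent("C:\\Program Files\\Backup\\agent.exe --verify")]
    return files, procs

if __name__ == "__main__":
    files, procs = sample_events()
    print(assess(files, procs))
```

The "before" contents matter: comparing entropy before and after a write is what keeps already-compressed archives and images from being flagged, which is the main false-positive source for naive entropy checks. Such a detector is only useful alongside the fast, automated restoration the list above calls for, since by the time enough files have been scored, some have already been encrypted.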
Ransomware Removal – What to do if you are infected
Ransom messages are not something that anyone would like to see on their computers. They indicate that ransomware has been successful. An organization can take steps to address an active ransomware infection.
How to Mitigate an Active Ransomware Infection
Many successful ransomware attacks are detected only after data encryption is complete and a ransom note appears on the infected computers’ screens. The encrypted files may not be recoverable at this point, but you should still take immediate steps to limit the damage and attempt recovery.
- Quarantine the machine: Ransomware variants may try to spread to other connected drives and machines. Isolating the infected computer from other targets stops the malware from spreading.
- Do not turn off the computer: File encryption can leave a computer unstable, and powering it off can cause the loss of volatile memory that may be useful for recovery or forensics. To maximize your chances of recovering, keep the computer turned on.
- Make a backup: Some ransomware variants can be decrypted without paying the ransom. Make a backup copy of the encrypted files on removable media, in case a decryption solution becomes available later or a decryption attempt fails.
- Look for decryptors: Check with the No More Ransom Project to find out if a free decryptor exists. Run any decryptor on a backup copy of the data first, to see whether it can restore the encrypted files.
- Ask for help: Computers sometimes keep backup copies of files. If the malware has not deleted these copies, a digital forensics expert may be able to retrieve them.
- Wipe and restore: Restore the device from a clean backup or a fresh operating system installation. This ensures that the malware is completely removed from the device.