What Is Ransomware?
Ransomware is a type of malicious software, also known as malware. It encrypts victim’s data and demands payment in a predetermined ransom. The attacker will usually demand payment in cryptocurrency, such as bitcoin. The attacker will then send the victim a decryption code to unlock their data.
In recent years, a variety of ransomware variations have emerged. We’ll discuss these variants in more detail below. We’ll also discuss how to protect your system from future attacks.
What is Ransomware Attack?
Ransomware is a form of malware attack that encrypts and locks the victim’s files, and then demands payment to unlock the data.
This type of attack takes advantage of human, system, network, and software vulnerabilities to infect the victim’s device–which can be a computer, printer, smartphone, wearable, point-of-sale (POS) terminal, or other endpoint.
Ransomware Attack Examples
There are thousands of strains of ransomware malware. We have listed a few examples of malware that caused widespread damage and had a major impact on the world.
WannaCry is a ransomware entry-level that exploits the Windows SMB protocol. It also has a self propagation mechanism that allows it to infect other computers. WannaCry is packaged as a dropper, a self-contained program that extracts the encryption/decryption application, files containing encryption keys, and the Tor communication program. It is easy to find and remove. WannaCry was a rapidly spreading virus that affected 230,000 computers in 150 countries and caused an estimated $4 billion of damage.
Cerber is ransomware-as-a-service (RaaS), and is available for use by cybercriminals, who carry out attacks and spread their loot with the malware developer. Cerber can run silently as it encrypts files. It may also try to stop antivirus and Windows security software from running to prevent users from recovering the system. It displays a ransom notice on the desktop wallpaper after it has successfully encrypted files.
Locky can encrypt 160 file types. These are primarily files used for designers, engineers, and testers. It was released for the first time in 2016. It is primarily distributed by exploit kits or phishing–attackers send emails that encourage the user to open a Microsoft Office Word or Excel file with malicious macros, or a ZIP file that installs the malware upon extraction.
Cryptolocker was first discovered in 2017 and has since affected more than 500,000 computers. It is most commonly spread via email, file sharing sites, or unprotected downloadings. It encrypts files on the local computer, as well as scanning mapped network drives and encrypting files it has access to. Crypolocker can be used to bypass firewalls and legacy antivirus software.
Petya is ransomware which infects a computer and encrypts the entire drive. It does this by accessing the Master File Table. The entire drive is rendered inaccessible although the files themselves are not encrypted. Petya was first discovered in 2016. It was spread via a fake job application that linked to a Dropbox infected file. It was only a problem with Windows computers.
Petya asks the user to consent to allow it to make administrative-level changes. It then reboots the computer and displays a fake screen showing a system crash. Meanwhile, it begins encrypting your disk behind-the scenes. The ransom notice is displayed.
Although the original Petya virus did not prove to be very successful, a new variant called NotPetya, developed by Kaspersky Labs was more dangerous. NotPetya has a propagation mechanism and can spread without human intervention.
NotPetya originally spread using a backdoor in accounting software used widely in the Ukraine, and later used EternalBlue and EternalRomance, vulnerabilities in the Windows SMB protocol. NotPetya encrypts not only the MFT, but all files on the hard disk. It encrypts the data but damages it so that it can’t be recovered. Users who pay the ransom will not be able to retrieve their data.
Ryuk infects computers via drive-by downloads or phishing emails. It uses a dropper, which extracts a trojan on the victim’s machine and establishes a persistent network connection. Attackers can then use Ryuk as a basis for an Advanced Persistent Threat (APT), installing additional tools like keyloggers, performing privilege escalation and lateral movement. Ryuk is installed on each additional system the attackers gain access to.
After installing the trojan to as many machines as they can, the attackers activate the locker ransomware and decrypt the files. The ransomware component of a Ryuk-based attack campaign is the final stage. This happens after the attackers have done damage and taken the files.
GrandCrab was first released in 2018. GrandCrab was released in 2018. It encrypts user’s files and demands a ransom. This ransomware-based extortion attack used ransomware to launch ransomware attacks that threatened victims’ porn-watching habits. There are many versions of the program, and all of them target Windows computers. GrandCrab’s most recent versions are free to decrypt.
Ransomware Distribution Techniques
When the victim clicks on a link or visits a webpage, or installs an application or file that contains malicious code to secretly download and install ransomware, the device is infected. There are many ways this can occur:
|Phishing email||Clicking on a link embedded within an email redirects you to a malicious website.|
|Attachments to emails||You can open an email attachment to enable malicious macros, or download a document embedded in a Remote Access Trojan.|
|Social media||Clicking malicious links on Facebook, Twitter, instant messenger chats and social media posts.|
|Malvertising||Clicking on a legitimate advertisement site with malicious code.|
|Infected programs||Installing an app or program that contains malicious code.|
|Drive-by infections||Visit an unsafe, suspicious or fake website; or open or close a popup.|
|Traffic Distribution System (TDS).||A link from a legitimate gateway website will redirect the user to a malicious web site based on their geo-location, browser, operating systems, or other filters.|
|Self-propagation||Spreading malicious code to other devices via network and USB drives.|
What is Ransomware?
Once a device has been exposed to the malicious software, ransomware attacks proceed as follows. Ransomware may remain on a device indefinitely until it is most vulnerable. Only then can it execute an attack.
- Infection–Ransomware is covertly downloaded and installed on the device.
- Execution–Ransomware scans and maps locations for targeted file types, including locally stored files, and mapped and unmapped network-accessible systems. Ransomware attacks can also delete backup files or folders and encrypt them.
- Encryption–Ransomware performs a key exchange with the Command and Control Server, using the encryption key to scramble all files discovered during the Execution step. It locks the access to all data. (See Figure 2.
- User Notification–Ransomware adds instruction files detailing the pay-for-decryption process, then uses those files to display a ransom note to the user.
- Cleanup–Ransomware usually terminates and deletes itself, leaving only the payment instruction files.
- Payment–Victim clicks a link in the payment instructions, which takes the victim to a web page with additional information on how to make the required ransom payment. Hidden TOR services are used often to encapsulate or obfuscate communications in order to avoid detection by network monitoring.
- Decryption–After the victim pays the ransom, usually via the attacker’s Bitcoin address, the victim may receive the decryption key. The victim may not receive the decryption keys as promised.
Data lockouts can be caused by one infected user.
These are some best practices to help prevent Ransomware infection in your company.
While antivirus is a good first step to protect against ransomware, legacy antivirus tools are not able to protect against all ransomware variants.
Endpoint protection platforms today offer next-generation antivirus (NGAV), which protects against evasive ransomware, fileless malware attacks like WannaCry and zero-day malware whose signatures are not yet in malware databases. Endpoint Detection and Response capabilities (EDR) and device firewalls are also available. These enable security teams to detect and block any attacks on endpoints that occur in real-time.
Backup data regularly to an external hard drive using versioning control (create three backup copies on different media, with one backup stored in another location) To prevent encryption, disconnect the hard drive from the device if possible.
Make sure that the operating system and applications are up-to-date on your device. Install security patches. To quickly identify and fix known vulnerabilities, run vulnerability scans.
Application whitelisting and control
You can set up device controls to restrict the number of applications that are installed on your device to a centrally controlled whitelist. To prevent malicious websites from being visited, you can increase browser security settings and disable Adobe Flash and other potentially dangerous browser plugins. Disable macros in word processing and other potentially dangerous applications.
Training employees on how to recognize and avoid phishing emails is a good idea. To automatically block spam and malicious links, use endpoint protection technology.
Use a firewall or web application firewall (WAF), Intrusion Prevention / Intrusion Detection Systems (IPS/IDS), and other controls to prevent ransomware from communicating with Command & Control centers.
Real-time alerting/blocking is used to identify ransomware-specific write/read behavior and block users and endpoints.
Deception-based detection uses the technique of strategically placing hidden files on file storage systems in order to detect ransomware encryption behavior at the early stage of an attack. Any write/rename actions to the hidden files triggers an automatic block of the infected user/endpoint while allowing access for uninfected users/devices.
For forensic investigations, use granular reporting to support audit trail support.
A deception-based detection method ensures that only infected users are blocked from accessing data
Ransomware Removal: How To Mitigate An Active Ransomware Infection
Here are the steps to take to stop Ransomware infections in your network.
- Isolate: Identify infected computers, disconnect from networks, and lock shared drives to prevent encryption.
- Check to see if there are backups for encrypted data. Find out what ransomware strain you were affected by and whether there are decryptors. Consider whether paying ransom might be an option.
- Retrieve – If you don’t have the tools to decrypt your data, you can restore it from backup. Although the authorities in most countries do not recommend paying ransom, it may be an option in certain cases. You can use standard procedures to remove ransomware, or wipe the affected systems and reimage them.
- Reforce – Conduct a lesson learned session to learn how internal systems were infected, and how to prevent it from happening again. Recognize the vulnerabilities and security gaps that allowed the attackers to infiltrate your systems, and then fix them.
- Evaluation – After the crisis is over, it’s time to look back at what happened and learn from the lessons. What was the key to ransomware’s success? What vulnerabilities allowed for penetration? What caused antivirus and email filtering to fail? How widespread was the infection? How easy was it to wipe infected computers and to reinstall them? Was it possible to restore backups from the affected machines? To be more prepared for the next attack, you need to address any weaknesses in your security.
Ransomware, the Internet of Things
Security is a problem with Internet of Things devices. As more and more of these make their way onto the market, they’re going to provide billions of new attack vectors for cyber criminals, potentially allowing hackers to hold your connected home or connected car hostage. A ransom note on your smart fridge, toaster or stove is one thing.
There’s even the potential that hackers could infect medical devices, putting lives directly at risk.
In March 2018, researchers at IOActive took this once step further by demonstrating how a commercially available robot could come under a ransomware attack. Researchers made the robot swear and demand payment to get its normal life back.
The UK’s NCSC has also warned that the growth in smart cities could also be a tempting target for cyber attackers – and it’s not hard to imagine that that holding city-wide services to a ransomware attack could be very profitable for criminals.
Ransomware is constantly evolving, so it’s important for employees and organizations to be aware of the danger it presents. Ransomware can cause severe damage and can even prevent you from decrypting it.
Do I have to pay a ransomware ransom for my ransomware?
Some people believe victims should pay ransom to get their encrypted data back. This is despite warnings from law enforcement agencies.
Be aware that cyber criminals could make your organization a target because you paid a ransom. You could end up in the crosshairs with other cyber criminals looking to exploit your weak security. Remember that you are dealing with criminals and their nature could mean they don’t keep their word. There’s no guarantee that you will ever receive the decryption keys, even if you have them. Decryption isn’t even always possible: there are stories of victims making ransom payments and still not having encrypted files unlocked.
One example: A ransomware attack on Linux that was discovered earlier in the year required a bitcoin payment. However, it did not store encryption keys locally, nor through a command and control server. This made paying the ransom impossible.
Is it possible to install ransomware on your smartphone
Yes. Ransomware attacks against Android devices have increased massively, as cyber criminals realise that many people aren’t aware that smartphones can be attacked and the contents (often more personal than the stuff we keep on PCs) encrypted for ransom by malicious code. Various forms of Android ransomware have, therefore, emerged to plague mobile users.
In fact, any internet-connected device is a potential target for ransomware, which has already been seen locking smart TVs.
How can I get rid of ransomware?
Europol and the Dutch National Police launched the “No More Ransom” initiative in July 2016. In collaboration with several cybersecurity companies, including Kaspersky Labs and McAfee, the initiative offers victims free decryption tools to ransomware variants. This will allow them to retrieve encrypted data without falling prey to cyber extortionists.
The portal provides decryption tools to decrypt four ransomware families – Shade Rannoh Rakhn and CoinVault. This scheme is constantly adding new decryption options for more ransomware versions.
This portal also offers advice and information on how to avoid becoming a victim of ransomware. It is kept up-to-date in order to make sure that the most recent ransomware tools are always available.
No More Ransom has grown from offering a set of four tools to carrying a vast number of decryption tools covering hundreds of families of ransomware. These tools have so far decrypted thousands of devices, thereby denying criminals millions in ransoms.
With more than 100 partners from the private and public sectors, the platform is now available in many languages.
Individual security companies also regularly release decryption tools to counter the ongoing evolution of ransomware – many of these will post updates about these tools on their company blogs as soon as they’ve cracked the code.
Another way of working around a ransomware infection is to ensure your organisation regularly backs up data offline. Although it might take some time to transfer backup files to a new machine from an infected computer, it is possible to isolate the unit and then continue your business. Just make sure that crypto-locking crooks aren’t able to encrypt your backups, too.
What is the recovery time from ransomware attacks?
Ransomware can cause havoc in an organisation. An encrypted network can render it useless, and no action can be taken until the systems are restored.
If you are a responsible organisation and have backups, your systems can be brought back online in as little as a few hours. However, this will depend on how large the company is.
It is possible to restore functionality temporarily, but it can also be difficult for organisations to get their systems up and running again, as was the case with the Petya attack.
A month on from the outbreak, Reckitt Benckiser confirmed that some of its operations were still being disrupted and wouldn’t be fully up and running until two months on from the initial Petya outbreak.
Apart from the immediate financial impact that ransomware can cause to a network, it can also have a negative effect on its finances. A business can’t afford to be offline for long periods of time. This can lead to a loss in revenue and the ability to provide the services it promised.
This is a problem if customers are looking to do business with your company: In some industries, customers could be turned away by the fact that you have been hacked.
How can you stop a ransomware attack from happening?
Ransomware attacks are on the rise, with hackers exploiting insecure remote desktop protocols and ports that connect to the internet. One of the best things an organization can do to avoid falling prey to ransomware attacks is to ensure ports are not exposed to the internet, unless they’re absolutely necessary.
Remote ports should be protected against ransomware criminals. Organizations should ensure that login credentials have complex passwords to prevent them from cracking simple passwords with brute force attacks. Two-factor authentication can be used to protect against attacks. An alert will be sent if unauthorised access attempts are made.
Organizations should ensure that their network is up-to-date with security updates. Ransomware and other malware are often spread through the use of known vulnerabilities.
EternalBlue is the same vulnerability that powered WannaCry, NotPetya and other attacks. The security patch to prevent it has been around for more than three years.
When it comes to stopping attacks via email you should provide employees with training on how to spot an incoming malware attack. Even picking up on little indicators like poor formatting, or that an email purporting to be from ‘Microsoft Security’ is sent from an obscure address that doesn’t even contain the word Microsoft within it, might save your network from infection. Ransomware can be prevented by following the same security measures that protect you against malware attacks.
There’s also something to be said for enabling employees to learn from making mistakes while within a safe environment. One firm developed an interactive video experience that allows employees to make decisions about a series and see the consequences. They can learn from their mistakes and not suffer the consequences.
Technically, preventing employees from enabling macros is a major step in ensuring they aren’t running a ransomware program unknowingly. Microsoft Office 2016, and now Microsoft Office 2013, both carry features that allow macros to be disabled. Employers should at the minimum invest in antivirus software to keep users informed about malicious files. Backup important files and make sure they aren’t compromised by an attack in another key.
What makes ransomware so popular?
You could say there’s one key reason why ransomware has boomed: because it works. Ransomware can only be accessed by one user, who may either launch a malicious attachment to an email or re-use a weak password.
Criminals wouldn’t use ransomware if ransom-paying organisations didn’t happen. Businesses need to have access to their data to be able to function, so some are willing to pay ransom to get it done.
It’s also a great way for criminals to make money. If ransomware can instantly pay hundreds, or even thousands of dollars to large numbers of infected victims, why spend the time developing complicated code or creating fake credit cards using stolen bank details?
There are those who argue that cyber insurance is making ransomware more of a problem. Cyber insurance is a policy that protects organisations from cyberattacks.
However, some cyber insurance policies will cover paying the ransom itself – leading some cybersecurity experts to warn that cyber-insurance payouts covering the cost of paying ransoms is adding to the problem, because cyber criminals know that if they hit the right target, they’ll get paid.
What will a ransomware attack set you back?
The ransom demand is the cost of infecting your computer with ransomware. This can vary depending on whether it’s paid or what type of ransomware you have.
Ransomware attacks can vary in size but it’s becoming increasingly common for hacking gangs to demand millions of dollars in order to restore access to the network. Hacking gangs can demand such large sums of money because there are many organisations willing to pay.
This is especially true if ransomware locks the network and prevents the organisation from doing business. They could lose significant revenue every day or hour the network is down. It’s estimated that the NotPetya ransomware attack cost shipping firm Maersk up to $300m in losses.
An organisation that refuses to pay the ransom will not only lose revenue for weeks or even months but they will also likely have to pay a large amount for a security firm to restore network access. This might cost more than the ransom request in some cases but it is still going to legitimate businesses and not criminals.
Whichever way the organisation deals with a ransomware attack, it’ll also have a financial impact going forward; because to protect against falling victim again, an organisation will need to invest in its security infrastructure, even if that means ripping out the network and starting over again.
Customers may lose trust in your company due to poor cybersecurity or take their business elsewhere.
Why should organizations worry about ransomware?
Ransomware can cause serious damage to your business. Your revenue could be affected if you are locked out of your files by ransomware for just one day. But given that ransomware takes most victims offline for at least a week, or sometimes months, the losses can be significant. Ransomware locks systems, and it takes a lot of effort to restore them.
Ransomware can cause business damage beyond the immediate financial impact. Consumers also become cautious about giving out their personal data to organizations they feel are insecure.
Cybercriminals have discovered that ransomware can not only target businesses, but also critical infrastructure such as hospitals and industrial facilities. This could have serious consequences for the people living in the real world.
Ultimately, the attackers are looking for an easy way to make money and a hospital that finds its network encrypted with ransomware can’t afford to compromise patient care by keeping the network offline for weeks to manually restore it. That’s why, unfortunately, many ransomware victims in healthcare will pay the ransom – particularly when they were already overwhelmed by the impact of the COVID-19 pandemic.
The education sector has also become a very common target for ransomware campaigns. Cyber criminals have observed that schools and universities are increasingly dependent on remote learning because of the coronavirus pandemic. Potentially thousands of people use the networks, many using their own devices. All it takes for a malicious hacker or phishing email to gain access to one account or one password crack to gain access to the network are one successful phishing email.
The UK’s National Cyber Security Centre (NCSC) urged schools and universities to take notice of the growing threat of ransomware, after a ransomware incident led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing.
What makes small businesses attractive for ransomware attacks?
Small and medium-sized businesses are a popular target because they tend to have poorer cybersecurity than large organisations. Despite this, many SMEs believe that they are too small to be targeted. However, even a ransom of a few hundreds dollars can still make cyber criminals very rich.