
What is Ransomware: A Pocket Guide for IT Professionals

Threat Intelligence • May 27, 2022

In one of the most high-profile ransomware attacks of recent times, Colonial Pipeline, the largest petroleum pipeline in the U.S., was attacked. Following the attack, the company had to shut operations for several days. To bring their systems back online, they ended up paying a ransom of 75 bitcoins (approx $4.4 million).


This attack highlighted the increasing vulnerability of firms to ransomware attacks. In 2019, over 200,000 U.S. firms were compromised by ransomware – a serious number by any standards. But then, in the first half of 2020, global ransomware attacks increased by 715% YoY.
So, what is ransomware? How does ransomware work? How does ransomware spread?

In this article, we address all these questions about this increasingly common cyber threat.

What is Ransomware?

Ransomware is a kind of malware (malicious software) that a bad actor installs on a victim’s system without their knowledge. It then encrypts their files or data, and locks them out of the system. To decrypt these locked files, the criminal demands a ransom from the victim.

History of Ransomware

Currently, it is estimated that a ransomware attack occurs approximately every 11 seconds. Over the course of a year, that pace corresponds to nearly 3 million ransomware attacks. Ransomware is one of the most dangerous and prevalent cyberthreats in the current threat landscape. Let’s take a look at how this malware got this far.

 

Although ransomware attacks may have gained popularity only in the mid-2000s, they have been around since as early as 1989. The AIDS Trojan was the first known ransomware attack, carried out by sending 20,000 infected floppy disks to AIDS researchers in over 90 countries. The malware program was activated after a computer was powered on ninety times, and the ransom demanded was $189.

 

Attacks during this period were quite basic and didn’t involve complex code or modes of delivery. They usually locked the victims’ computers, preventing them from using basic functions like the keyboard and mouse, until the ransom was paid.

 

Ransomware attacks remained rare after the AIDS Trojan, and only picked up pace in the mid-2000s when attackers began using more sophisticated and difficult-to-crack encryption methods such as RSA.

 

In 2011, it became harder for users to differentiate between genuine notifications and threats when a ransomware worm appeared that could mimic the Windows Product Activation notice. By 2015, numerous variants were being used to launch attacks all over the world.

 

Today, ransomware attacks are far more advanced and frequent, with far more expensive ransom demands. They aren’t restricted to individuals, but target businesses, transportation organizations, healthcare providers, and even governments. Attackers can choose from a range of resources such as toolkits and ransomware-as-a-service programs to carry out their attacks. And with the internet and digitization, cybercriminals work round the clock to take advantage of every opportunity they can find.

How Does Ransomware Work?

In 2020, ransom payouts touched nearly $350 million in cryptocurrencies, a 311% increase over 2019. Ransomware attacks often yield such huge payouts for attackers because they’re easy to set up and require almost no technical or coding skills. As long as the threat actor can access the Dark Web, they can buy ready-to-use ransomware toolkits or a Ransomware-as-a-Service (RaaS) subscription to easily author and launch an attack.


The most common ways for ransomware to infiltrate your system are through security gaps or through phishing emails. In other cases, a drive-by download happens when a person visits an infected website without realizing it, and malware is downloaded and installed without the user knowing. Once the malware has taken control of the victim's computer, it can do many things, but the most typical is to encrypt some or all of the user's files.


Ransomware works on the basis of asymmetric encryption, which uses two keys: a public key and a private key. The attacker generates a unique key pair for the victim, encrypts the victim's files with the public key, and keeps the private key, which is the only key that can decrypt them. They send the private key to the victim only after the ransom is paid, or so they say. In many cases, the victim never receives the private key, so they lose access to their files or data forever. Between 2020 and 2021, the number of organizations that paid the ransom rose from 26% to 32%, but only 8% got all of their data back.

How Do Ransomware Attacks Happen?

There are several possible vectors for ransomware infections. A malicious actor may, for example, distribute ransomware using email phishing: the victim receives a ransomware-infected attachment, and once they open it, the ransomware is installed on their system and the attack begins.


Other possible ransomware attack vectors include:

  • Social engineering
  • Malware downloads
  • Directly from a malicious site, known as a “drive-by download”
  • Clicking on a “malvertisement”, a fake ad
  • Chat messages
  • USB devices

 
Sometimes attackers use ransomware to exploit network vulnerabilities and spread to other systems across the organization. This kind of lateral movement is especially dangerous, because recovery then involves unlocking and restoring data on not just one device, but many.

How Does Ransomware Spread?

As mentioned above, ransomware is readily available to any script kiddie who has the means to acquire it (a script kiddie is someone who acquires and uses malicious programs or code with little to no expertise). With capable generic interpreters, they can create cross-platform ransomware that spreads easily in a very short time. They can also leverage newer techniques to encrypt entire hard disks, expanding the scope and scale of their attacks.

Why Does Ransomware Spread?

2021 saw an explosion of ransomware attacks around the world. How did it become such a rampant threat? Below are some of the factors that contributed to the spread of ransomware:


  1. A surge in ransomware actors
  2. Expansion of existing affiliate programs
  3. Lucrative targets and improved revenues
  4. RaaS offerings that have lowered the barrier to entry into ransomware operations
  5. More businesses opting to pay the ransom to regain access to their data
  6. The rise of cryptocurrencies like Bitcoin
  7. A growing online population
  8. Remote work
  9. Lack of security, preparation, and/or awareness
  10. Unpatched vulnerabilities

WHO ARE THE MALICIOUS ACTORS?

The threat actors behind today's frequent ransomware headlines are usually organized cybercriminal groups. These groups steal data, encrypt files and then extort companies for money. Other threat actors include lone-wolf hackers or “script kiddies”, people who hack because they can, and hacktivists who hack for a cause.

WHY IS IT SO HARD TO FIND RANSOMWARE PERPETRATORS?

The fact that many businesses today are willing to pay huge sums of money as ransom has only emboldened attackers to carry out more attacks. Tracking down these attackers and bringing them to justice is a complex and drawn-out process with no guarantee of a successful outcome. It also involves local, federal, and sometimes international authorities.


Hacker groups commonly operate remotely and in a decentralized manner, which makes them extremely difficult to locate. Moreover, attribution is difficult in cyberspace. The search slows down further if the hackers are operating from a different country, since that requires the cooperation of international authorities and law enforcement agencies. If the attackers are prosecuted in a foreign country, they then have to be handed over to the local authorities, which can take even longer.

WHAT IS RANSOMWARE-AS-A-SERVICE?

RaaS is a business model that allows hackers and criminal enterprises to rent ransomware and supporting tools to carry out ransomware attacks. The services are available for a monthly subscription fee, a percentage of the client’s profits, or a one-time licensing fee. Once they’ve paid, attackers can pick the type of malware they want to use and launch a campaign to infect victims.

In addition to ransomware tools, these platforms also provide 24/7 support for attackers, community forums, and step-by-step guides to launching attacks.


RaaS usage is becoming increasingly common. For instance, the 2021 attacks on Colonial Pipeline and the IT provider Kaseya were both carried out using RaaS.

Types of Ransomware

Crypto Ransomware


This type of ransomware encrypts hard drives, folders and files. Attackers then demand a ransom with the promise of decrypting the data.


Locker Ransomware


It infects the device's operating system to lock the user out completely. The lock screen displays the ransom demand, often with a countdown timer used to create a sense of urgency.


Scareware


This fake security software dupes a victim into thinking there are security issues on their device, and demands money to eliminate them.


Doxware/Leakware


It hijacks a device and threatens to publish the user’s sensitive information online unless they pay a ransom.

POPULAR RANSOMWARE VARIANTS

Over the years, many ransomware strains have evolved, and continue to cause problems for organizations (and individuals) all over the world. The most well-known ransomware strains are:


Ryuk

 

Ryuk is a well-known ransomware variant first discovered in the wild in 2018. Its targets and ransom demands are much bigger than those of other ransomware types. Its past targets include EMCOR, UHS Hospitals, and many newspapers. It was one of the first ransomware families able to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. It usually enters a company network through a TrickBot infection.

 

Maze

 

Maze is a sophisticated ransomware strain that has been around since 2019. What makes it especially dangerous is that it combines the effects of a ransomware attack with those of a data breach: its operators use data exfiltration as a pressure tactic. It is typically distributed through malicious emails, exploit kits, or Remote Desktop Protocol (RDP) brute-force attacks.

 

REvil

 

REvil, also known as Sodinokibi, was first discovered in 2019 and soon gained prominence for its high-profile attacks. It operates as a RaaS and was one of the most active variants of 2021. It was also used to introduce double extortion in 2020. It was officially shut down by law enforcement agencies after its attacks on critical industries.

 

LockBit

 

LockBit attacks first surfaced in September 2019, when it was termed the ".abcd virus" after the extension it appended to encrypted files. It is crypto ransomware, also referred to as a crypto virus. Its main targets are enterprises and government organizations. It is used to launch targeted, self-spreading attacks, and operates as a RaaS.

 

DearCry

 

This strain targets vulnerable Microsoft Exchange servers. It is unsophisticated and easily detectable, but it is an excellent example of how threat actors take advantage of newly disclosed vulnerabilities.

 

Lapsus$

 

Lapsus$ is a new ransomware variant that started doing the rounds in 2022 with attacks on Okta, NVIDIA, Samsung, and Microsoft. It is usually distributed through phishing emails. Lapsus$ shows off the account access it gains by hijacking victims' Twitter and other social media accounts. Large technology businesses in the telecoms, hardware, software, and gaming industries are its primary targets.

 
Other common strains include:

 

  • Bad Rabbit
  • Petya
  • NotPetya
  • WannaCry
  • CryptoLocker
  • CryptoWall
  • Cerber
  • Locky
  • Jigsaw
  • GoldenEye

WHO IS AT RISK?

Your risk of a ransomware attack depends on many factors, including how valuable your data is, how urgently you need access to it, how weak your security is, and the level of awareness in your company. Today’s top ransomware targets include academic organizations, healthcare providers, government, finance, energy and utilities, and the retail sector. However, attackers don’t discriminate, and small businesses are just as vulnerable as any other business.

THE BUSINESS IMPACT OF RANSOMWARE ATTACKS

Cyberattacks can have far-reaching consequences for your business and customers. Listed below are some of the most damaging consequences of a ransomware attack:

FINANCIAL IMPACT

Ransomware attackers are known to demand hefty sums from organizations as ransom payments. The largest known demand to date is $50 million, made by the REvil group during its attack on the computer manufacturer Acer. However, ransom payouts account for only a fraction of the financial damage incurred during a ransomware attack. As per external sources, the average cost of resolving a ransomware attack, including downtime, resource investment, and most crucially, harm to the brand and lost opportunities, is over $2 million for enterprises.

EXPOSURE OF SENSITIVE AND CONFIDENTIAL DATA

It is common practice among hackers to threaten companies with data exfiltration in order to get the money they want. Data exfiltration is the unauthorized transfer of confidential data out of the organization, which the attackers then threaten to publish on extortion websites. In the first half of 2021, about 80% of all ransomware attacks included the threat of exposing exfiltrated data.

BRAND REPUTATION DAMAGE

Brand value and reputation are two assets that are built entirely on customer trust. Cyber security breaches can easily damage brand reputation that has been built over years of hard work.

EXTENDED DOWNTIME

One of the major consequences of a cyberattack is the disruption of normal business operations. Even after the attack is contained, it can cause long periods of low productivity that extend to several days or even weeks. Critical resources that customers, employees, and partners need to do their jobs may become unavailable during the course of an attack. In addition, data recovery is a tedious and time-consuming process.

RISK OF FUTURE CYBERATTACKS

Once an attacker infiltrates your system, they can find additional exploitable vulnerabilities. Ransomware attacks can therefore leave your company vulnerable to subsequent malicious attacks.

How to Prevent Ransomware Attacks

It’s hard to trace ransomware perpetrators, especially if they demand ransom in anonymous cryptocurrencies. Moreover, modern ransomware is polymorphic, allowing attackers to bypass traditional signature-based security.

However, it is possible to prevent ransomware attacks, or at least minimize their impact, by following these best practices:
  • Use updated security software (e.g. antivirus and firewall)
  • Patch and update the operating system
  • Back up all data, preferably in the cloud or on an external hard drive
  • Take secure backups, and keep them separate from the original data/files
  • Educate users on phishing, social engineering, and other possible threat vectors
  • Avoid using insecure or open WiFi networks
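Because polymorphic ransomware defeats signature matching, endpoint security tools often fall back on behaviour: crypto ransomware renames or re-extensions large numbers of files within seconds, as in the LockBit ".abcd" example above. The following example, added here and not taken from the article, flags such bursts in a constructed file-activity log; the log format, process names, paths and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Assumed tunables (not from the article): THRESHOLD extension-changing
# renames by one process inside WINDOW is treated as an encryption burst.
THRESHOLD = 5
WINDOW = timedelta(seconds=30)

# Constructed sample log: "<ISO time> <pid> <process> <RENAME|WRITE> <path> [<new path>]"
SAMPLE_LOG = """\
2022-05-27T09:00:01 4120 explorer.exe WRITE /home/alice/docs/report.docx
2022-05-27T09:00:03 4120 explorer.exe RENAME /home/alice/docs/notes.txt /home/alice/docs/notes.md
2022-05-27T09:00:05 5531 svc_update.exe RENAME /home/alice/docs/report.docx /home/alice/docs/report.docx.abcd
2022-05-27T09:00:05 5531 svc_update.exe RENAME /home/alice/docs/budget.xlsx /home/alice/docs/budget.xlsx.abcd
2022-05-27T09:00:06 5531 svc_update.exe RENAME /home/alice/docs/plan.pptx /home/alice/docs/plan.pptx.abcd
2022-05-27T09:00:06 5531 svc_update.exe RENAME /home/alice/photos/img1.jpg /home/alice/photos/img1.jpg.abcd
2022-05-27T09:00:07 5531 svc_update.exe RENAME /home/alice/photos/img2.jpg /home/alice/photos/img2.jpg.abcd
2022-05-27T09:00:08 5531 svc_update.exe RENAME /home/alice/photos/img3.jpg /home/alice/photos/img3.jpg.abcd
2022-05-27T09:05:00 4120 explorer.exe RENAME /home/alice/docs/draft.txt /home/alice/docs/final.txt
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (RENAME|WRITE) (\S+)(?: (\S+))?$")

def parse_line(line):
    """Parse one log line into a dict; malformed lines yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, proc, action, src, dst = m.groups()
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "proc": proc,
            "action": action, "src": src, "dst": dst}

def detect_encryption_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """One alert per (pid, new extension) reaching `threshold` re-extensioning renames inside `window`."""
    # Plain renames (draft.txt -> final.txt) keep their extension and are ignored.
    recent = defaultdict(deque)  # (pid, ext) -> rename timestamps still inside the window
    alerts = {}
    for ev in filter(None, map(parse_line, lines)):
        if ev["action"] != "RENAME" or ev["dst"] is None:
            continue
        new_ext = PurePosixPath(ev["dst"]).suffix
        if not new_ext or new_ext == PurePosixPath(ev["src"]).suffix:
            continue
        key = (ev["pid"], new_ext)
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"pid": ev["pid"], "process": ev["proc"], "extension": new_ext,
                           "renames": len(q), "first_seen": q[0]}
    return list(alerts.values())
```

Running `detect_encryption_bursts(SAMPLE_LOG.splitlines())` yields a single alert for pid 5531 and the ".abcd" extension, while the user's ordinary renames stay quiet; in production the same logic would sit on a file-system audit feed and trigger the isolation step described below.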

What to Do After a Ransomware Attack

If a system is infected with ransomware, it’s vital to act quickly to mitigate the impact. The important actions to take are:
  • Quickly isolate the infected device from the enterprise network and the Internet
  • Disconnect all devices from the network if they are behaving suspiciously
  • Assess the damage and create a list of infected systems
  • Identify the ransomware variant and educate all affected users on how to spot the signs of infection
  • Report the ransomware to the proper authorities
  • Wipe all infected systems with antivirus/anti-malware solutions
  • Restore systems from the backup
  • If a viable backup is not available, look for possible file/data decryption options

If neither backups nor decryption keys are available, the only option is to accept that the files and data are lost, and start rebuilding the system from scratch. This can be a painful process, which is why it’s crucial to take regular backups. Periodic vulnerability scans and penetration tests are also a proactive way to find weaknesses that may leave the organization vulnerable to ransomware.

Conclusion

We hope this article answers your question: what is ransomware?
In 2019, ransomware caused $11.5 billion in global damage. In 2020, this figure jumped to $20 billion. Ransomware is now a lucrative business, and companies everywhere are vulnerable to it. That’s why they must take preventive action to protect themselves and their customers from this threat.
