Ransomware

What is Ransomware?

Ransomware is a form of malicious software that blocks users or organizations from accessing their computer files. It does so by encrypting the data and demanding a ransom for the decryption key. This coercion often leaves paying the ransom looking like the simplest and cheapest way for an organization to recover its files. Some ransomware families have added capabilities such as data theft to put further pressure on victims to pay.

Ransomware has swiftly emerged as the most prevalent and conspicuous malware threat. Recent ransomware attacks have severely impacted hospitals, hindering vital services, disrupted public services in cities, and inflicted considerable harm on a wide range of organizations.

Different Types of Ransomware:

Ransomware varies both in how it is delivered and in the impact it has. Delivery mechanisms span Ransomware as a Service (RaaS), automated (non-service-based) delivery, and human-operated campaigns. Its effects include data unavailability, destruction, deletion, exfiltration, and extortion.

Ransomware is commonly grouped into the following categories:

(1) Locker ransomware: Blocks access to victims’ data or systems entirely.

(2) Crypto ransomware: Encrypts some or all of the victims’ files.

(3) Scareware: Misleads victims into believing their devices are infected and pressures them into buying software that supposedly removes the malware but actually steals data or installs further malware.

(4) Extortionware (leakware, doxware, exfiltrationware): Attackers steal victims’ data and threaten to publish it or sell it on the dark web.

(5) Wiper malware: Mimics ransomware but destructively erases data from victims’ systems, regardless of whether a ransom is paid.

(6) Double extortion ransomware: Encrypts data and also exfiltrates it, so victims may be pressed to pay a ransom twice.

(7) Triple extortion ransomware: Encrypts data, exfiltrates it, and adds a third threat, such as a DDoS attack or extortion of the victims’ associates, to force multiple ransom payments from the originally infected organization.

(8) RaaS, distinct from the ransomware types above, is a subscription-based business model. Ransomware developers sell pay-for-use malware to operators who, in turn, share a percentage of the attack proceeds with the developers.

How Ransomware Works:

To succeed, ransomware must first gain access to a target system, encrypt its files, and then extort a ransom from the victim. The specific methods differ between variants, but all follow these three fundamental phases.

Infection and Distribution Vectors:

Like other malware, ransomware can enter an organization’s systems through many routes, but ransomware operators favor a few in particular.

One prevalent method is phishing email. Such messages may carry a link to a website hosting a malicious download or an attachment with built-in downloader functionality. If the recipient takes the bait, the ransomware is downloaded and executed on their system.

Another widely used approach exploits services like the Remote Desktop Protocol (RDP). After buying or guessing an employee’s login credentials, an attacker can authenticate and remotely control a computer inside the corporate network over RDP, then install and launch the malware directly on that machine.

Other variants infect systems directly by exploiting a vulnerability, as WannaCry did with EternalBlue. Most ransomware families use more than one means of infiltration.

Data Encryption:

Once ransomware is on a system, it begins encrypting files. Often using the operating system’s own cryptographic libraries, it reads each file, encrypts it with a key the attacker controls, and replaces the original with the encrypted version. To keep the system running, many variants are selective about which files they encrypt. Some also delete backups and volume shadow copies, making recovery without the decryption key much harder.
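Because properly encrypted output is statistically indistinguishable from random bytes, a defender can use the encryption step described above against the malware: a file whose contents jump to near-maximal Shannon entropy, and especially many such files in a short window, is a strong signal of bulk encryption. The following script is an added illustration of that heuristic, not code from the original article; the 7.5-bit threshold, the suffix list and all sample inputs are constructed assumptions.

```python
"""Entropy-based detection of ransomware-style file encryption.

Added illustration, not code from the original article. All sample
inputs and thresholds below are constructed.
"""
import hashlib
import math
from collections import Counter

# Shannon entropy tops out at 8 bits per byte. Encrypted data sits near
# 8; text and most office documents sit well below. 7.5 is an assumed
# heuristic threshold, not a value from the article.
ENTROPY_THRESHOLD = 7.5

# Extensions some ransomware appends to encrypted files; this list is a
# constructed placeholder, real lists are variant specific.
SUSPECT_SUFFIXES = (".locked", ".encrypted", ".crypt")


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the bytes are statistically close to uniformly random."""
    return shannon_entropy(data) >= threshold


def assess_write(path: str, data: bytes) -> list[str]:
    """Return the reasons, if any, that a file write looks ransomware-like."""
    reasons = []
    if looks_encrypted(data):
        reasons.append("high entropy")
    if path.lower().endswith(SUSPECT_SUFFIXES):
        reasons.append("suspect extension")
    return reasons


def mass_encryption_alert(writes: list[tuple[str, bytes]], min_hits: int = 3) -> bool:
    """Alert when at least `min_hits` writes in a batch look encrypted.

    A single high-entropy write is normal (a user saving a .zip or .png);
    many of them in one short window across unrelated files is not.
    """
    hits = sum(1 for _path, data in writes if looks_encrypted(data))
    return hits >= min_hits


def pseudo_random_bytes(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 chain over `seed`."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample inputs: a plain-text document and ciphertext-like bytes.
SAMPLE_TEXT = b"Quarterly report: revenue rose 4% while costs fell 2%.\n" * 80
SAMPLE_ENCRYPTED = pseudo_random_bytes(4096)


if __name__ == "__main__":
    print(f"text entropy:      {shannon_entropy(SAMPLE_TEXT):.2f}")
    print(f"encrypted entropy: {shannon_entropy(SAMPLE_ENCRYPTED):.2f}")
    batch = [(f"docs/file{i}.docx.locked", SAMPLE_ENCRYPTED) for i in range(5)]
    print("mass encryption alert:", mass_encryption_alert(batch))
```

In production this logic would sit behind a file-system event feed (for example an EDR agent’s write events) rather than a static list; the point of `mass_encryption_alert` is that the count of affected files over time, not any single file, separates ransomware from a user saving an archive.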

Ransom Demand:

Once encryption is complete, the ransomware makes its demand. How it does so varies: commonly it changes the desktop background to show a ransom note, or drops text files containing the demand into each encrypted directory. These notes typically specify an amount of cryptocurrency to be paid in exchange for restoring access to the victim’s files. On payment, the operator may provide either the private key that protects the encryption key or the encryption key itself, which is then used with a decryptor program, also supplied by the criminal, to reverse the encryption and restore access to the files.

While these fundamental stages are present in all ransomware, individual families add their own steps. Maze, for instance, scans files, reads registry information, and steals data before it starts encrypting. WannaCry, by contrast, keeps scanning for other vulnerable devices to infect and encrypt while it runs.
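The deletion of backups and shadow copies mentioned in the encryption phase is one of the few ransomware steps that leaves a loud, well-defined trace: a handful of known administrative commands appearing in process-creation events. The following script is an added example, not code from the original article; it scans constructed log lines in an assumed pipe-separated format (time|host|user|parent_image|command_line) for the recovery-inhibition commands catalogued under MITRE ATT&CK T1490 and escalates hosts that trip several rules in sequence.

```python
"""Detect recovery-inhibition commands in process-creation logs.

Added example, not code from the original article. The log format and
every log line below are constructed for the illustration.
"""
import re
from dataclasses import dataclass

# (rule name, pattern) pairs matched case-insensitively against the
# command line. These are the standard T1490 techniques; an innocuous
# "vssadmin list shadows" does not match any of them.
RECOVERY_INHIBIT_RULES = [
    ("vssadmin shadow deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin shadow storage resize",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadow deletion",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin catalog deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit recovery disabled",
     re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("bcdedit boot failures ignored",
     re.compile(r"bcdedit(\.exe)?\b.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("WMI shadow copy removal",
     re.compile(r"win32_shadowcopy.*\b(delete|remove)", re.I)),
]


@dataclass
class Alert:
    time: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_line(line: str):
    """Split one log line into its five fields, or return None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    return parts if len(parts) == 5 else None


def scan(lines) -> list[Alert]:
    """Return one Alert per log line whose command matches a T1490 rule."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        if not fields:
            continue
        time, host, user, _parent, cmd = fields
        for rule, pattern in RECOVERY_INHIBIT_RULES:
            if pattern.search(cmd):
                alerts.append(Alert(time, host, user, rule, cmd))
                break  # one alert per event; the first matching rule names it
    return alerts


def hosts_with_multiple_rules(alerts: list[Alert], min_rules: int = 2) -> set[str]:
    """Hosts that tripped at least `min_rules` distinct rules: escalate these."""
    seen: dict[str, set[str]] = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.rule)
    return {host for host, rules in seen.items() if len(rules) >= min_rules}


# Constructed sample log: one workstation shows the classic pre-encryption
# sequence, another shows legitimate backup-agent activity.
SAMPLE_LOG = r"""
2024-03-01T02:14:07Z|WS-0142|CORP\jdoe|C:\Windows\System32\cmd.exe|vssadmin.exe Delete Shadows /All /Quiet
2024-03-01T02:14:08Z|WS-0142|CORP\jdoe|C:\Windows\System32\cmd.exe|wbadmin delete catalog -quiet
2024-03-01T02:14:09Z|WS-0142|CORP\jdoe|C:\Windows\System32\cmd.exe|bcdedit /set {default} recoveryenabled No
2024-03-01T09:30:11Z|WS-0077|CORP\backupsvc|C:\Windows\System32\cmd.exe|vssadmin list shadows
2024-03-01T09:31:40Z|WS-0077|CORP\backupsvc|C:\Program Files\Backup\agent.exe|"C:\Program Files\Backup\agent.exe" --snapshot
"""


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.time} {a.host} {a.user}: {a.rule}  <- {a.command_line}")
    print("escalate:", hosts_with_multiple_rules(found))
```

The same patterns map directly onto Windows Security event 4688 or Sysmon event 1 command-line fields in a SIEM; the escalation rule matters because a lone `vssadmin` call can be legitimate storage housekeeping, whereas shadow-copy deletion followed within seconds by catalog deletion and recovery disablement on one host is the signature of an attack about to encrypt.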

How to Prevent Ransomware Attacks:

Preventing ransomware presents a significant challenge for organizations across various scales and industries, and there’s no one-size-fits-all solution. Professionals emphasize the necessity for enterprises to adopt a comprehensive ransomware prevention approach, incorporating the following key elements:

(1) Cyber Awareness Training and Education- Phishing emails remain a prevalent way of spreading ransomware, so teaching users to recognize and avoid them is enormously important. Many attacks begin with well-crafted emails that carry no malware at all and rely purely on social engineering to get users to click malicious links, which makes user education a pivotal defense for any organization.

(2) Defense-in-depth Security- Employing a defense-in-depth strategy involves a multi-layered security approach, where various controls collaborate to prevent malicious activities. Should one defense fail against malware, the intention is that another overlapping security measure will thwart its progress.

Security experts strongly advocate for the implementation of fundamental cybersecurity tools and tactics. These include anti-malware software, multifactor authentication, firewalls, email and web filtering, network traffic analysis, allowlisting/denylisting, endpoint detection and response systems, adherence to the principle of least privilege, and the integration of secure remote access technologies such as VPNs and zero-trust network access. Additionally, they emphasize the importance of restricting or blocking the use of RDP (Remote Desktop Protocol).

(3) Advanced Security Controls- Although fundamental cybersecurity measures can identify and intercept numerous familiar ransomware strains, sophisticated security technologies have a greater chance of detecting new types of attacks. It’s essential to explore advanced tools and tactics like extended detection and response (XDR), managed detection and response, Secure Access Service Edge (SASE), SIEM (Security Information and Event Management), user and entity behavior analytics, zero-trust security, and cyber deception for enhanced protection.

(4) Continuous Data Backups- Ransomware is, by definition, malware that locks access to data by encrypting it so that victims must pay to get it back. Automated, secure backups let an organization recover from an attack with minimal data loss and without paying the ransom. Regular backups are already a standard safeguard against data loss from corruption or hardware failure, and the same working backups are a lifeline when ransomware strikes.

(5) Patching- Keeping systems up to date with the latest patches is crucial in safeguarding against ransomware attacks. Cyber-criminals frequently exploit newly discovered vulnerabilities in unpatched systems. Therefore, it’s essential for organizations to consistently apply the latest patches across all their systems. This proactive approach significantly diminishes potential vulnerabilities, making it harder for attackers to exploit weaknesses within the business infrastructure.
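A backup only counts as the “functional” safety net described in item (4) if it is complete and has not been encrypted or deleted along with the live data, which means restores have to be tested, not assumed. The script below is an added example, not code from the original article: it records a SHA-256 manifest of the source tree at backup time and later verifies a restored copy against it, reporting files that are missing or whose contents changed. The `demo()` helper and its sample files are constructed for the illustration.

```python
"""Prove a backup can be restored intact: SHA-256 manifest check.

Added example, not code from the original article. The sample tree
built by demo() is constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under `root` (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time."""
    result: dict[str, list[str]] = {"ok": [], "missing": [], "modified": []}
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed end-to-end run: back up, damage the copy, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (src / "finance" / "q1.txt").write_text("quarter one summary\n")
        (src / "notes.txt").write_text("constructed sample document\n")

        manifest = build_manifest(src)   # taken when the backup job runs
        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)   # stand-in for backup plus restore

        # Simulate a backup that ransomware reached: one file overwritten
        # with ciphertext-like bytes, one deleted outright.
        (restored / "finance" / "ledger.csv").write_bytes(bytes(range(256)))
        (restored / "notes.txt").unlink()
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:9s} {files}")
```

The manifest must itself live somewhere the ransomware cannot reach (offline or immutable storage, and ideally signed), otherwise an attacker who encrypts the backup can rewrite the manifest to match; keeping it separate is what turns the hash check into evidence rather than a formality.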

Notable Ransomware Variants:

Since 2020, cybersecurity researchers have identified over 130 distinct active ransomware families or variants, each with its own code signature and functionality.

Amid the multitude of ransomware variants that have circulated, certain strains stand out for their significant impact on ransomware evolution, the magnitude of their damage, or the persistent threats they continue to present today.

(1) CryptoLocker- CryptoLocker emerged in September 2013 and marked the dawn of the modern ransomware era. Distributed through a botnet (a network of compromised computers), it pioneered strong encryption of users’ data, amassing approximately USD 3 million in extortion before an international law enforcement operation halted it in 2014. Its success spawned a wave of imitators and set the stage for successors such as WannaCry, Ryuk, and Petya.

(2) WannaCry- WannaCry was the first high-profile cryptoworm: ransomware that spreads across networks on its own. It infected more than 200,000 computers in 150 countries by exploiting the EternalBlue vulnerability in Microsoft Windows on systems that administrators had left unpatched. Besides encrypting critical data, WannaCry threatened to erase files if payment was not made within a week. It is regarded as one of the most significant ransomware attacks, with an estimated financial impact of up to USD 4 billion.

(3) Petya and NotPetya- Petya differs from other crypto-ransomware by encrypting the file system table rather than individual files, leaving the infected computer unable to boot Windows. A heavily modified variant, NotPetya, was used in a widespread cyberattack in 2017 that mainly targeted Ukraine. NotPetya behaved as a wiper, leaving systems unrecoverable even if the ransom was paid.

(4) Ryuk- Emerging in 2018, Ryuk led the trend of ‘big-game’ ransomware attacks aimed at specific high-value targets, typically demanding ransoms of over USD 1 million. Ryuk can locate and disable backup files and system restore features. A newer version with cryptoworm capabilities appeared in 2021.

(5) DarkSide- DarkSide, believed to be operated by a group possibly based in Russia, is the ransomware used against the U.S. Colonial Pipeline on May 7, 2021, regarded as the most severe cyberattack on critical U.S. infrastructure to date. The pipeline, which supplies 45 percent of the fuel for the U.S. East Coast, was temporarily shut down as a result. Besides conducting its own attacks, the DarkSide group licenses its ransomware to affiliates under RaaS (Ransomware as a Service) arrangements.

(6) Locky- Locky is encrypting ransomware known for its distinctive infection method: it uses hidden macros in email attachments (specifically Microsoft Word files) disguised as genuine invoices. Once a user downloads and opens the document, the malicious macros silently download the ransomware payload onto the user’s device.

(7) REvil/Sodinokibi- REvil, also known as Sodin or Sodinokibi, played a pivotal role in popularizing the Ransomware-as-a-Service (RaaS) model. Known for big-game hunting and double-extortion tactics, REvil carried out prominent attacks in 2021 on JBS USA and Kaseya Limited. JBS, facing severe disruption to its entire U.S. beef processing operation, paid an $11 million ransom. The Kaseya attack affected over 1,000 of Kaseya’s software customers, who suffered significant downtime. In early 2022, the Russian Federal Security Service reported that it had dismantled REvil and indicted several of its members.

