Ransomware has been a persistent threat for organizations across industries for many years now. As more businesses embrace digital transformation, the likelihood of being targeted in a ransomware attack has grown considerably. This is because cybercriminals’ methods to carry out attacks are becoming more challenging to identify and manage.
With ransomware attacks growing in complexity, organizations must stay updated on the rising cost and frequency of an attack and the best practices for protecting against these vectors.
What is a ransomware attack?
Ransomware is malicious code designed to gain access to a network and encode files on a system. A cybercriminal can hold the encrypted files hostage until a ransom is paid. Given the moneymaking nature of those attacks, cybercriminals are perpetually making and testing new vectors and variants of ransomware. This has given rise to a replacement age of ransomware attacks that leverage advanced deployment techniques to avoid detection altogether. As refined ransomware kits become cheaper and easier to get, staying protected could be a deep concern for businesses trying to grow their digital capabilities.
How Does Ransomware Work?
Every ransomware has an entirely different behavior. There are two forms of ransomware: locker ransomware and encrypting ransomware. The first locks the victim out of the software system, making it impossible to access the desktop and any apps or files. Therefore, the latter is the most typical, containing advanced encoding algorithms. It’s designed to block system files. However, the result is continually identical. Files or systems are locked and a ransom is demanded to unlock them. Here are some common steps on how ransomware works:
Ransomware Delivery and Deployment
Attackers simply look for the easiest way to infect a system or network and use that backdoor to unfold the malicious content. Nevertheless, these are the most common infection strategies used by cyber-criminals:
- Malicious links or attachments in phishing email campaigns (there are plenty of forms that malware can use for disguise on the web)
- Security exploits in vulnerable software.
- Internet traffic redirects to malicious websites.
- Malicious code has been injected into legitimate websites’s web pages.
- Drive-by downloads.
- Advertising campaigns.
- SMS messages (when targeting mobile devices)
- Vulnerable Remote Desktop Protocol exploitation.
After the initial access, ransomware spreads via lateral movement techniques to all devices in your network and tries to induce full access. If no micro-segmentation or network segmentation is implemented, the ransomware can move laterally on the network. This means that the threat spreads to alternative endpoints and servers within the entire IT environment, thus partaking in self-propagation. This way, hackers will use detection evasion techniques to build persistent ransomware attacks.
Keeping data hostage is no longer the only method. If ransomware used tactics like weak symmetric encryption in the past, ransomware operators currently leverage many advanced strategies like data exfiltration. Hackers can exfiltrate sensitive business data before creating the encryption resulting in double extortion. In this manner, cybercriminals will threaten organizations to create their data public if the ransom isn’t paid.
Ransomware can search for backups to destroy them before encrypting data. This malware can acknowledge backups by file extension, and documents stored in the cloud might be at risk. Offline backup storage or read-only features on backup files could prevent backup recognition and deletion.
Ransomware is the combination of cryptography with malware. Ransomware operators use asymmetric encryption, a.k.a. public-key cryptography, which employs a group of keys (one public key and one private key) to encrypt and decrypt a file and defend it from unauthorized access or use. The keys are unambiguously generated for the victim and only made available after the ransom is paid.
It is almost impossible to decrypt the files held for ransom without access to a private key. Certain types of ransomware, on the other hand, can be decrypted using ransomware decryptors.
After encryption, a warning pops up on the screen with directions on how to pay for the decryption key. After encryption, a message appears on the screen with instructions for purchasing the decryption key. Everything happens in a matter of seconds, leaving victims stunned as they stare at the ransom note in disbelief.
Types of ransomware vectors
Understanding the methods used by cybercriminals to gain access to a system is crucial to preventing ransomware attacks.
Remote desktop protocol (RDP)
RDP is a protocol designed by Microsoft that enables users to remotely connect to and carry out commands on a system. The difficulty is that RDP security is heavily hooked on having strong password hygiene, usually neglected by users. This implies that cybercriminals can often crack RDP credentials and access a system. These credentials are offered for purchase on the Dark Web for those who don’t want to do the work.
Another popular ransomware vector is email phishing. Using social engineering techniques, cybercriminals will send emails to employees that appear to come from legitimate sources. Once opened, the email will ask for employee credentials or download malware onto the system. The key to mitigating phishing risk is functioning with employees to make sure that they understand how to spot illegitimate messages across all communication platforms.
Exploiting software vulnerabilities is another common ransomware delivery technique. Unpatched software creates gaps in security that open the door to malware intrusions. Not solely will this expose organizations to accrued levels of cyber threat activity, but it also makes them an easier target for attackers since they can gain access to unpatched systems without having to reap credentials. To cut back this risk, make sure to determine a patch management schedule to enforce new system patches as soon as they are released.
Top Targets for Ransomware
Public institutions, like government agencies, manage large databases of personal and confidential information that cybercriminals can sell, making them favorites among ransomware operators. Public institutions typically use outdated software systems and equipment, implying that their computer systems are packed with security holes begging to be exploited. As a result, the staff is not trained to identify and avoid cyber attacks.
Unfortunately, a successful infection incorporates a huge impact on conducting usual activities, inflicting large disruptions. Under such circumstances, ransomware victims experience financial damage either by owning up to huge ransomware payouts or by bearing the value of recovering from these attacks.
Threat actors understand that a successful infection will cause major business disruptions, which can increase their probabilities of getting paid. Since computer systems in firms are usually complicated and prone to vulnerabilities, they can simply be exploited through technical means. In addition, the human factor is still a huge liability that can be exploited through social engineering techniques. It is worth mentioning that ransomware will affect computers and servers and cloud-based file-sharing systems, going deep into a business’s core.Businesses are afraid of legal repercussions and brand damage, so cybercriminals know that they would rather not report an infection.
Home users are the number one target for ransomware operators because they rarely have data backups.They have little or no cyber security education, which means they’ll click on almost anything, making them prone to manipulation by cyber attackers. They also fail to invest in the need to have cyber security solutions and don’t keep their software up to date. Finally, because of the large number of potential victims on the Internet, more infected PCs mean more money for ransomware gangs.
Best Practices for Preventing Ransomware Attacks.
- Penetration Testing
- Foster a cyber security awareness culture.
- Keep software up to date.
- Use a VPN on public Wi-Fi.
- Segment your network.
- Back up and encrypt data.
- Assets Inventory.
- Use a multi-layered cyber security approach.
- Isolate affected endpoints.
- Track down the attack.
- Identify the ransomware strain.
- Report the attack to authorities.
- Remove the malware.
- Patch and update your security systems.
- Recover your data.
Conti is a sophisticated Ransomware-as-a-Service (RaaS) model initially detected in December 2019. Since its beginning, its use has grown rapidly and has even displaced the use of alternative RaaS tools like Ryuk. The common initial infection vectors used are spear-phishing and RDP (Remote Desktop Protocol) services. Phishing emails work either through malicious attachments, like Word documents with an embedded macro that can drop/download BazarLoader, Trickbot, IceID Trojans, or via social engineering techniques employed to urge the victim to provide further information or access credentials.
Conti ransomware has become famous when targeting health care institutions. Its usual strategies leverage phishing attacks to attain remote access to a machine and further spread laterally onto the network while performing credentials stealing and unencrypted data gathering.
WannaCry is a unique ransomware case because once it infects a system, it can duplicate itself without changing files or affecting the boot sector of a computer.WannaCry was responsible for a global cyberattack in May 2017, infecting over 230,000 computers in less than a day due to its duplicative nature.
WannaCry targets computers running outdated versions of Microsoft Windows, exploiting the Eternal Blue vulnerability. Poor patching hygiene is responsible for much of its success, emphasising the importance of patching on a regular basis.
DarkSide ransomware is a comparatively new ransomware strain that threat actors are using to target multiple massive, high-revenue organizations resulting in encryption and theft of sensitive information and threats to create it publically accessible if the ransom demand isn’t paid. In August 2020, it started attacking organisations all over the world. Like other similar threats used in targeted cyber attacks, DarkSide not only encrypts the victim’s information but also exfiltrates it from the impacted servers.
DarkSide ransomware makes use of vulnerabilitiesCVE-2019-5544 & CVE-2020-3992. Both vulnerabilities have wide accessible patches; however, attackers target organizations using unpatched or older versions of the software. The attackers’ techniques in DarkSide ransomware are often sophisticated: Initial access by Exploiting Public-Facing Applications (e.g., RDP), Privilege Escalation, and Impair Defenses.
CryptoLocker is a Trojan horse malware used between September 2013 and Late May 2014 to gain access to and encrypt files on a system. Cybercriminals would use social engineering techniques to induce employees to download the ransomware onto their computers and infect a network. Once downloaded, CryptoLocker would show a ransom message offering to decrypt the data if a cash or Bitcoin payment was created by the stated deadline. While the CryptoLocker ransomware has since been taken down, it’s believed that its operators extorted around 3 million dollars from unsuspecting organizations.
Ryuk is a ransomware-as-a-service (RaaS) group that’s been active since August 2018. It is widely known for running a non-public affiliate program in which affiliates will submit applications and resumes applying for membership. In the last months of 2020, the gang’s affiliates were attacking approximately 20 firms every week, and, starting in November 2020, they coordinated a huge wave of attacks on the US healthcare system.
Ransomware brought extortion worldwide, and it’s up to all of us, users, businesses, and decision-makers, to disrupt it.