Ransomware has been a persistent threat for organizations across industries for many years now. As more businesses embrace digital transformation, the likelihood of being targeted in a ransomware attack has grown considerably. This is because cybercriminals’ methods to carry out attacks are becoming more challenging to identify and manage.

With ransomware attacks growing in complexity, organizations must stay updated on the rising cost and frequency of an attack and the best practices for protecting against these vectors.

What is a ransomware attack?

Ransomware is malicious code designed to gain access to a network and encode files on a system. A cybercriminal can hold the encrypted files hostage until a ransom is paid. Given the moneymaking nature of those attacks, cybercriminals are perpetually making and testing new vectors and variants of ransomware. This has given rise to a replacement age of ransomware attacks that leverage advanced deployment techniques to avoid detection altogether. As refined ransomware kits become cheaper and easier to get, staying protected could be a deep concern for businesses trying to grow their digital capabilities.

How Does Ransomware Work?

Every ransomware has an entirely different behavior. There are two forms of ransomware: locker ransomware and encrypting ransomware. The first locks the victim out of the software system, making it impossible to access the desktop and any apps or files. Therefore, the latter is the most typical, containing advanced encoding algorithms. It’s designed to block system files. However, the result is continually identical. Files or systems are locked and a ransom is demanded to unlock them. Here are some common steps on how ransomware works:

Ransomware Delivery and Deployment

Attackers simply look for the easiest way to infect a system or network and use that backdoor to unfold the malicious content. Nevertheless, these are the most common infection strategies used by cyber-criminals:

  • Malicious links or attachments in phishing email campaigns (there are plenty of forms that malware can use for disguise on the web)
  • Security exploits in vulnerable software.
  • Internet traffic redirects to malicious websites.
  • Malicious code has been injected into legitimate websites’s web pages.
  • Drive-by downloads.
  • Advertising campaigns.
  • SMS messages (when targeting mobile devices)
  • Vulnerable Remote Desktop Protocol exploitation.

Lateral Movement

After the initial access, ransomware spreads via lateral movement techniques to all devices in your network and tries to induce full access. If no micro-segmentation or network segmentation is implemented, the ransomware can move laterally on the network. This means that the threat spreads to alternative endpoints and servers within the entire IT environment, thus partaking in self-propagation. This way, hackers will use detection evasion techniques to build persistent ransomware attacks.

Attack Execution

Data Exfiltration

Keeping data hostage is no longer the only method. If ransomware used tactics like weak symmetric encryption in the past, ransomware operators currently leverage many advanced strategies like data exfiltration. Hackers can exfiltrate sensitive business data before creating the encryption resulting in double extortion. In this manner, cybercriminals will threaten organizations to create their data public if the ransom isn’t paid.

Destroy Backups

Ransomware can search for backups to destroy them before encrypting data. This malware can acknowledge backups by file extension, and documents stored in the cloud might be at risk. Offline backup storage or read-only features on backup files could prevent backup recognition and deletion.

Data Encryption

Ransomware is the combination of cryptography with malware. Ransomware operators use asymmetric encryption, a.k.a. public-key cryptography, which employs a group of keys (one public key and one private key) to encrypt and decrypt a file and defend it from unauthorized access or use. The keys are unambiguously generated for the victim and only made available after the ransom is paid.

It is almost impossible to decrypt the files held for ransom without access to a private key. Certain types of ransomware, on the other hand, can be decrypted using ransomware decryptors.

Demand Ransom

After encryption, a warning pops up on the screen with directions on how to pay for the decryption key. After encryption, a message appears on the screen with instructions for purchasing the decryption key. Everything happens in a matter of seconds, leaving victims stunned as they stare at the ransom note in disbelief.

Types of ransomware vectors

Understanding the methods used by cybercriminals to gain access to a system is crucial to preventing ransomware attacks.

Remote desktop protocol (RDP)

RDP is a protocol designed by Microsoft that enables users to remotely connect to and carry out commands on a system. The difficulty is that RDP security is heavily hooked on having strong password hygiene, usually neglected by users. This implies that cybercriminals can often crack RDP credentials and access a system. These credentials are offered for purchase on the Dark Web for those who don’t want to do the work.

Email phishing

Another popular ransomware vector is email phishing. Using social engineering techniques, cybercriminals will send emails to employees that appear to come from legitimate sources. Once opened, the email will ask for employee credentials or download malware onto the system. The key to mitigating phishing risk is functioning with employees to make sure that they understand how to spot illegitimate messages across all communication platforms.

Software vulnerabilities

Exploiting software vulnerabilities is another common ransomware delivery technique. Unpatched software creates gaps in security that open the door to malware intrusions. Not solely will this expose organizations to accrued levels of cyber threat activity, but it also makes them an easier target for attackers since they can gain access to unpatched systems without having to reap credentials. To cut back this risk, make sure to determine a patch management schedule to enforce new system patches as soon as they are released.

Top Targets for Ransomware

Public institutions

Public institutions, like government agencies, manage large databases of personal and confidential information that cybercriminals can sell, making them favorites among ransomware operators. Public institutions typically use outdated software systems and equipment, implying that their computer systems are packed with security holes begging to be exploited. As a result, the staff is not trained to identify and avoid cyber attacks.

Unfortunately, a successful infection incorporates a huge impact on conducting usual activities, inflicting large disruptions. Under such circumstances, ransomware victims experience financial damage either by owning up to huge ransomware payouts or by bearing the value of recovering from these attacks.

Businesses

Threat actors understand that a successful infection will cause major business disruptions, which can increase their probabilities of getting paid. Since computer systems in firms are usually complicated and prone to vulnerabilities, they can simply be exploited through technical means. In addition, the human factor is still a huge liability that can be exploited through social engineering techniques. It is worth mentioning that ransomware will affect computers and servers and cloud-based file-sharing systems, going deep into a business’s core.Businesses are afraid of legal repercussions and brand damage, so cybercriminals know that they would rather not report an infection.

Home users

Home users are the number one target for ransomware operators because they rarely have data backups.They have little or no cyber security education, which means they’ll click on almost anything, making them prone to manipulation by cyber attackers. They also fail to invest in the need to have cyber security solutions and don’t keep their software up to date. Finally, because of the large number of potential victims on the Internet, more infected PCs mean more money for ransomware gangs.

Best Practices for Preventing Ransomware Attacks.

  • Penetration Testing
  • Foster a cyber security awareness culture.
  • Keep software up to date.
  • Use a VPN on public Wi-Fi.
  • Segment your network.
  • Back up and encrypt data.
  • Assets Inventory.
  • Use a multi-layered cyber security approach.
  • Isolate affected endpoints.
  • Track down the attack.
  • Identify the ransomware strain.
  • Report the attack to authorities.
  • Remove the malware.
  • Patch and update your security systems.
  • Recover your data.

Ransomware Examples

Conti

Conti is a sophisticated Ransomware-as-a-Service (RaaS) model initially detected in December 2019. Since its beginning, its use has grown rapidly and has even displaced the use of alternative RaaS tools like Ryuk. The common initial infection vectors used are spear-phishing and RDP (Remote Desktop Protocol) services. Phishing emails work either through malicious attachments, like Word documents with an embedded macro that can drop/download BazarLoader, Trickbot, IceID Trojans, or via social engineering techniques employed to urge the victim to provide further information or access credentials.

Conti ransomware has become famous when targeting health care institutions. Its usual strategies leverage phishing attacks to attain remote access to a machine and further spread laterally onto the network while performing credentials stealing and unencrypted data gathering.

WannaCry

WannaCry is a unique ransomware case because once it infects a system, it can duplicate itself without changing files or affecting the boot sector of a computer.WannaCry was responsible for a global cyberattack in May 2017, infecting over 230,000 computers in less than a day due to its duplicative nature.

WannaCry targets computers running outdated versions of Microsoft Windows, exploiting the Eternal Blue vulnerability. Poor patching hygiene is responsible for much of its success, emphasising the importance of patching on a regular basis.

DarkSide

DarkSide ransomware is a comparatively new ransomware strain that threat actors are using to target multiple massive, high-revenue organizations resulting in encryption and theft of sensitive information and threats to create it publically accessible if the ransom demand isn’t paid. In August 2020, it started attacking organisations all over the world. Like other similar threats used in targeted cyber attacks, DarkSide not only encrypts the victim’s information but also exfiltrates it from the impacted servers.

DarkSide ransomware makes use of vulnerabilitiesCVE-2019-5544 & CVE-2020-3992. Both vulnerabilities have wide accessible patches; however, attackers target organizations using unpatched or older versions of the software. The attackers’ techniques in DarkSide ransomware are often sophisticated: Initial access by Exploiting Public-Facing Applications (e.g., RDP), Privilege Escalation, and Impair Defenses.

CryptoLocker

CryptoLocker is a Trojan horse malware used between September 2013 and Late May 2014 to gain access to and encrypt files on a system. Cybercriminals would use social engineering techniques to induce employees to download the ransomware onto their computers and infect a network. Once downloaded, CryptoLocker would show a ransom message offering to decrypt the data if a cash or Bitcoin payment was created by the stated deadline. While the CryptoLocker ransomware has since been taken down, it’s believed that its operators extorted around 3 million dollars from unsuspecting organizations.

Ryuk

Ryuk is a ransomware-as-a-service (RaaS) group that’s been active since August 2018. It is widely known for running a non-public affiliate program in which affiliates will submit applications and resumes applying for membership. In the last months of 2020, the gang’s affiliates were attacking approximately 20 firms every week, and, starting in November 2020, they coordinated a huge wave of attacks on the US healthcare system.

Conclusion

Ransomware brought extortion worldwide, and it’s up to all of us, users, businesses, and decision-makers, to disrupt it.

Post comment

Your email address will not be published. Required fields are marked *

ThreatScan, Product of Cyber Security Hive

Interested in Threat Scan? Schedule a Demo?

After filling the form a representative from our team will reach out to you


  • – Understand your use case
  • – Schedule a demo
  • – Help you get onboard
  • – Help you setup your first test
  • – Timely reports for your compliance

Fill this form to Signup

    Threatscan Logo

    ThreatScan is Next Gen, Ai powered vulnerability management and penetration testing platform to manage your vulnerability assessment and penetration testing

    General Information
    ThreatScan Information
    Contact Us

    Address: 2nd Floor, Tower, Prestige Blue Chip, 3, Dairy Colony, Adugodi, Bengaluru, Karnataka 560029

    Phone: +91-9901024214, +91-9886344465

    Email: contactus@threatscan.io

    All Rights Reserved | © Copyright Threat Scan 2022

    Facebook Twitter Youtube