Ransomware is one of the most prominent cybersecurity threats organizations face today. Any institution or company (small or large) can fall victim to ransomware – including schools, healthcare providers, educational facilities, non-profit entities, and government agencies. Cybercriminals that deploy ransomware attacks do not discriminate.
Thankfully, there are ways to protect your organization from ransomware attacks. In this article, you’ll discover everything you need to know about ransomware as a chief information security officer (CISO), from its evolution to preventative methods to prevention.
1. What Is Ransomware?
Some business leaders are taken aback by the term 'ransomware,' while others are aware but unprepared. The “ransom” part in the cyberattack name provides a good idea of what it’s all about. When a computer or network is attacked by ransomware, the malware encrypts data in the system or blocks access to it. Then the developers behind the attack will demand a ransom to decrypt files.
But how does it spread?
An organization’s system is typically infected by ransomware through phishing emails, attachments, or links. Hackers can also infect a system through unsafe websites and even an infected USB flash drive. Plus, clever attackers don’t deploy ransomware applications right away.
Instead, the network and assets are first analyzed to identify weaknesses before carrying out the actual attack. After all, the culprits need to ensure there are no boobytraps, and the business is even worth attacking.
As previously noted, in a ransomware attack, infected files are encrypted and rendered inaccessible until the attacker's demands are met. Think of your favorite hostage movie – that's sort of how it goes down with ransomware.
The victim will receive detailed instructions on how to pay the ransom. Payments are often requested in Bitcoin, ranging from hundreds to tens of thousands of dollars. After paying the ransom, the cybercriminal should restore access or decrypt the files, though that’s not necessarily the case.
There's no guarantee that the culprits will decrypt the files, and even if the developers do, nothing can prevent data duplication. Assets may be duplicated and auctioned off on the dark web anyway.
No CISO wants to be in a scenario where the private customer and business information is held hostage for ransom by cybercriminals. It's a scary thought, but it happens every day.
Main Categories of Ransomware
Ransomware attacks can differ in tactics, but the ransom request is always a factor. Here are the four main categories of ransomware you should know about, along with other closely related malware.
- Crypto Ransomware – This category of ransomware encrypts the most valuable files on a computer and prevents access until demands are met. The cybercriminals hold the decryption key, and without it, you can't get your data back.
- Locker Ransomware – This class of ransomware attack doesn’t encrypt files. Instead, the organization is entirely locked out of all applicable computer systems until ransom demands are met.
- Scareware – While not specifically ransomware, scareware is a malware tactic that manipulates users into doing unfavorable things, such as downloading or buying malicious software. Scareware can be used to distribute ransomware and fake notifications from supposed law enforcement agencies.
- Leakware – With this type of threat, the attacker steals your company’s data and threatens to make it public if a ransom isn’t paid. Leakware (or doxware) isn’t specifically ransomware, but it uses a similar tactic to extort businesses.
2. A Quick History of Ransomware
Did you know that the first ransomware attack took place in 1989?
Joseph Popp, a biologist, handed out 20,000 infected diskettes to attendees of the World Health Organization’s AIDS conference. The label of those disks read "AIDS Information - Introductory Diskettes." People who inserted the floppy disks received this message:
It was called the AIDS Trojan or PS Cyborg ransomware in some circles. Victims had to send $189 to the attacker at a PO Box in Panama. Fortunately, authorities caught the cybercriminal, and the program was easy to overcome since it used symmetric cryptography.
The traditional application of cryptography was never offensive. Its purpose was to provide more privacy to users and prevent loss of confidentiality or access to information. Today, “cryptovirology," the use of cryptography to build ransomware and other malicious software, is common among cybercriminals. Cryptovirology represents a conjunction of public and symmetric cryptographic techniques and Trojan horse technology. Every significant technological development comes with a degree of power, which can be abused or used as intended.
3. The Significance of Ransomware
Ransomware attacks account for 23 percent of malicious software or malware used to breach systems and networks. It was the number one data breach threat in 2020 for businesses and government agencies. Attacks on organizations increased 20 percent compared to the previous year, and researchers expect things to get worse.
According to some estimates, ransomware operations resulted in more than $1 billion ($1,005,186,000) in losses between 2019 and all of 2020 globally – though actual numbers are probably much more considerable. Alone, it’s estimated that one gang of ransomware operators earned $150 million worth of Bitcoin payments.
Specific markets are certainly more susceptible to attacks than others. Often the high-profile attacks occur in medical organizations because these institutions are more willing to pay the ransom. The second on the list of favorite targets is the financial services sector. Again, these companies have more to lose, hence, more willing to pay up.
Further, ransomware attacks are continuously being updated and tweaked by the developers. Because an organization can choose to recover data from backups instead of paying a ransom, many attackers now employ a “double-extortion” strategy.
That means attackers not only encrypt files and prevent access but also steal and threaten to make the information public if demands aren't met. Some malicious actors will auction off the data on the dark web. According to IBM Security, 59 percent of ransomware attacks used double-extortion.
Evolution is part of what makes ransomware a unique and severe cybersecurity threat to all sorts of organizations.
4. Ransomware Variants
New variants of ransomware pop up regularly, so it’s challenging to keep track of all the different strains. However, they do rely on similar tactics. Therefore, it’s worth looking at the most widely used types of ransomware you might run into for preparation.
You may have heard of the infamous GandCrab ransomware family. Well, the attackers that made it are likely the distributors of Sodinokibi, cutting-edge and highly evasive ransomware. It takes several measures to avoid detection by security systems, such as antivirus scanners.
- It’s responsible for 22 percent of all ransomware attacks.
- Once it gains access to a machine, it’ll attempt to execute using elevated user rights. That way, it can acquire full access to all files and resources.
- It’ll delete the backup contents of a device after infiltration.
- It utilizes AES (Advanced Encryption Standard) to encrypt session keys and data sent to the control server and uses Salsa20 encryption for user files.
- The ransomware uses an Elliptic-curve Diffie-Hellman key exchange algorithm for generating and propagating encryption keys.
Nefilim was first discovered last year but quickly became a notable ransomware variant. The ransomware threatens to release the information of victims to the public if no ransom payment is made – double extortion.
- It's responsible for 11 percent of all ransomware attacks.
- Its code shares similarities with another ransomware called Nemty 2.5.
- When it finds its way into the victim's system, it uses AES-128 encryption to encrypt files. It then uses RSA-2048 to encrypt the AES encryption key, which is then added to every encrypted key.
- Victims will need to get the RSA private key from the attacker to decrypt files.
The name Ryuk may sound familiar since it's the name of a fictional character from the popular anime Death Note. However, the name Ryuk is now also known as ransomware since its discovery in August 2018.
- It’s behind 7 percent of all ransomware attacks.
- It’ll encrypt essential files, and ransom demands range from hundreds to millions.
- The main targets of Ryuk are mostly high-profile organizations, including government and healthcare. Between February 2018 and October 2019, it is estimated that the operators of Ryuk generated about $61 million.
- Ryuk has the capability of identifying and encrypting network drives and resources. It can also delete shadow copies of backups on the endpoint. That means the attacker can disable Windows System Restore, rendering it useless and making a recovery impossible in most cases.
- It infects users by getting people to open weaponized Microsoft Office documents via phishing emails.
This is a fast-growing ransomware cybersecurity threat created by 'Circus Spider,' a cybercrime group. Netwalker is among the most dangerous ransomware ever made because it does more than hold the victim's data ransom.
- Netwalker is responsible for 7% of all ransomware attacks.
- Rather than threaten to make data public, the operators of Netwalker will leak some stolen data samples online to show seriousness.
- It uses a RaaS (ransomware-as-a-service) model – more on that later in this article.
- The operators mainly target healthcare and educational institutions. In one publicized attack on the University of California San Francisco, Circus Spider collected 1.14 million in ransom.
Windows users should be anxious about Ragnar Locker ransomware, one of the more sophisticated threats.
- It accounts for 7% of all ransomware attacks.
- Generally, attackers deploy the malware manually after initial compromise, network observation or reconnaissance, and pre-deployed tasks on the network.
- Once it has total control of the network, data exfiltration occurs, stealing sensitive information. The actors behind the attack will ask for a ransom. Victims are also warned that files will be released publicly if the ransom isn’t paid.
- Ragnar Locker is known to target communication, cloud service, construction, travel, and enterprise software industries, though not a limited list.
The Maze ransomware targets organizations across many industries worldwide, and researchers believe it operates via an affiliate network. The scary thing about Maze is that it doesn't only penetrate an organization’s systems. The operators can take advantage of assets in one network and use that information to gain access to others. For example, if the affected company is an IT service provider, the developers may gain access to hundreds or even thousands more networks and computers.
- The Maze ransomware is responsible for 7 percent of all ransomware attacks.
- The attackers usually gain initial access via spear-phishing attachments, external remote services, or network vulnerabilities.
- Maze captures many user credentials as part of maintaining a backdoor into the network if discovered, and it can potentially create new privileged accounts.
Other ransomware variants are responsible for 42 percent of all data breaches, such as Egregor, CLOP, and Medusa. Many rely on similar tactics. Knowing about the most common variants in existence can help organizations prepare and defend against a potential breach.
5. Ransomware-as-a-Service (RaaS)
Ransomware developers have adopted the SaaS business model, creating RaaS. It allows affiliates, even novice hackers, to deploy already developed ransomware attacks.
RaaS drops the barrier to entry significantly. In the past, extensive coding knowledge was a prerequisite to becoming a hacker. Nowadays, anyone who meets the affiliate membership requirements can start wreaking havoc on unsuspecting victims. Affiliates receive high dividends for all successful ransom payments, and some groups pay affiliates up to 80 percent, such as Netwalker.
The most successful RaaS developers offer software with an incredibly high chance of success and capabilities that make it hard to discover. The profitability of RaaS adoption is on a continuous rise since it allows ransomware to affect more targets.
6. Real World Examples of Ransomware Attacks
The best insights can come from observing past incidents.
In 2014, a hacker group named "Guardians of Peace" leaked confidential data from Sony Pictures. The attack was unusual because their request was for Sony to withdraw a somewhat controversial movie, "The Interview." It's undoubtedly one of the most well-documented ransomware attacks because it involved a huge media company, world leaders, and famous actors.
WannaCry is ransomware allegedly created by the United States National Security Agency but leaked by a cybercrime group named 'Shadow Brokers’ in 2017. The ransomware is best known for a devastating attack that hit 230,000 computers globally, causing $4 billion in losses worldwide. For example, WannaCry cost the UK National Health Service $92 million when it hit a third of hospital trusts.
Hackers targeted Travelex in 2020, successfully taking down all of the company’s websites across 30 countries. That caused chaos for foreign exchange transactions worldwide in January, forcing Travelex to pay $2.3 million in ransom.
In Colonie, New York, cybercriminals hacked into the computer system and demanded a $400,000 ransom in Bitcoin to unlock it. Fortunately, the town had a separate backup system, allowing it to recover, which took weeks. Many departments had to operate offline for the duration.
7. How to Defend Against Ransomware Attacks
By now, you know ransomware is a mega threat and why precautions are necessary. So, the real question becomes how to prevent ransomware attacks from being successful.
Here are some things businesses can do to best defend against ransomware.
- Establish security awareness within the organization. You can do this through monthly security campaigns that remind employees to avoid clicking on unknown senders' links and attachments, among other best practices.
- Establish Group Policy Objects (GPOs) rules. That will allow your organization to control the execution of files on endpoints. You can add rules that block file execution from specific directories, disable attachment-based file executions, restrict access to the control panel, etc.
- Ensure you have antivirus and firewall installed on all endpoints within the organization. Antivirus software is based on signatures, so there’s still the risk of new ransomware variants slipping through the cracks. The firewall serves as an extra layer of security or first line of defense. A multi-faceted security system is best – one that employs heuristics, behavior-based detection or EDR (Endpoint Detection and Response), EPP (endpoint protection platform), etc.
- Backup your data. Ideally, a backup that’s entirely separate from the computer system is best. That’s because if a ransomware attack happens, the backup shouldn’t be affected. But carefully consider all available options since each will come with a degree of risk.
- Restrict admin rights on endpoints. You can reduce user privileges to decrease the attack surface significantly.
- Keep commonly exploited third-party applications updated, such as Flash, Java, Internet Explorer, and others.
Be sure to acquire the right security solutions. As ransomware continues to evolve, the best cure is a strong defense, maintained and regularly tweaked for improvements.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.