Ransomware attacks on organizations, governmental departments, and even large companies made headlines both in 2021 and 2022. Not only this, even individuals faced attacks on their PCs, mobiles, and laptops. These attacks are alarming as they can grab and keep all confidential or sensitive data hostage. However, only until you pay a certain amount to retrieve them.
If a ransomware attack has happened to you or you simply wish to be aware, you are in the right spot. In this article, we will answer: what is ransomware, what different forms they take, who they target, and what you can do to get rid of them and prevent an attack in the first place. Let’s get started!
What Is Ransomware?
Malware that has been coded to attack files and sensitive data to keep them hostage is known as ransomware. Ransomware denies access to the users or owners of these files and data so they can demand a ransom in exchange for letting them go.
Cybercriminals make use of encryption keys so the files are no longer readable. They only decrypt them upon receiving payment. Most people are willing to pay because they think this is the cheapest and easiest way to gain back access.
The worst part is that variants of ransomware have come to light that can perform additional damage, such as data theft. This allows hackers to demand a higher ransom and gain more criminal benefits.
As of now, ransomware is one of the most popular, common, and visible types of malware that larger companies or organizations are worried about. Recent attacks have also been on hospitals that caused public service to go down. Not only do these put data at risk, but you also have to pay a ransom, and successful attacks can greatly damage your reputation.
Why Are Ransomware Attacks Becoming So Prevalent?
The latest ransomware series was initialized by the 2017 WannaCry outbreak. Not only was this ransomware infection publicized, but it was also large-scale, proving that such attacks were indeed possible and could help cybercriminals make loads of money. The attack in 2017 led to the formation of further ransomware variants that have been used in a series of other attacks.
Even the Covid-19 era caused another surge in these attacks. Since remote work became popular, companies have had to quickly take strong measures to ward off criminals and strengthen cyber defenses. This measure was important as cyberattacks make use of vulnerabilities or weak points to inject ransomware attacks.
The 3rd quarter of 2020 saw a 50% rise in ransomware attacks compared to the first half of 2020, which is indeed quite alarming.
Ransomware Attack History
- Ransomware attacks first appeared in 1989 when only the AIDS virus was used for the extortion of funds.
- Ransom was collected by mail and asked to be sent to Panama. A decryption key was mailed back to the victim in exchange.
- By 1996, ransomware threats became known as cryptoviral extortion. This idea was introduced by Columbia University students Adam Young and Moti Yung. The original idea was also used to design modern-day cryptographic tools.
- Yung and Young also presented their ideas as the first cryptovirology attack at the IEEE Security and Privacy conference held in 1996.
- The cryptovirology attack was a virus that encrypted files using a public key. The malware forced victims to send an asymmetric ciphertext to the cyber attackers. This was deciphered with a decryption key and returned upon payment of ransom.
- Modern-day attacks ask for payments more sneakily and are difficult to trace. Even hackers remain anonymous. Fusob, mobile ransomware, asks victims to pay ransom in the form of Apple iTunes gift cards, so they are difficult to track.
- Cybercriminals have also started asking for payments in cryptocurrencies like Bitcoin, Ripple, Bitcoin, and Ethereum.
- The most famous attack to date on a hospital is the one made on Presbyterian Memorial Hospital. Labs, emergency rooms, and pharmacies were all hit and caused a lot of damage. Tons of other companies in various fields have also faced financial loss and data theft due to ransomware attacks.
- Attackers have become more innovative and have launched several variants and methods to attack. An attack that asks for two other users to download/install from a malware link along with paying ransom has also been reported.
What is RaaS?
RaaS (Ransomware-as-a-Service) is an economic model that aids cybercriminals in earning illegal money through malicious code and malware. They often do not use or implement the code on their own.
Criminals with no technical knowledge purchase these wares to launch infections and pay the developers a certain commission on each successful attack.
This way, the developers are less at risk while their clients do the work for them. Oftentimes, RaaS makes use of subscriptions, while others make use of registration tactics to gain unauthorized access.
What Are The Popular Variants Of Ransomware?
There are quite a bit of ransomware variants, and each one has its specific features. Some variants are more popular and have been more successful at launching attacks than others. These have also helped cyber attackers make heaps of money. Let’s look at what these are below:
A strong Microsoft exploit was used to create WannaCry, a global ransomware worm. It injected into and affected nearly 250,000 systems until a kill switch was tripped to prevent it from spreading further.
Proofpoint helped find a sample that was used to locate the killswitch and deconstruct the worm.
Maze is the very first ransomware that was able to combine a data theft and encryption attack on sensitive data. Maze begins stealing sensitive data and credentials when a target refuses to pay the ransom. It then encrypts this data as well to put added pressure on the victim.
These ransom attacks also threaten to sell or publicly expose sensitive data if the ransom is not paid. This way, the hacker can still make money by selling confidential data to the highest bidder. They have nothing to lose.
Most victims tend to pay up when they realize they have faced an expensive data breach. They will either have to pay more later, risk damaging their reputation, and face-sensitive data loss that could cause further problems.
A ransomware group that launches Maze attacks has gone out of operation for now. However, this does not mean that such attacks cannot still happen.
Cybercriminals have transitioned to Maze affiliates like Egregor, Sekhmet variants, and Egregor ransomware. These are also all believed to be coming from the same source.
Ryuk is a targeted variant that is often injected into networks/systems through spear phishing emails. It can also be delivered using stolen credentials used to sign into enterprise networks. An RDP (Remote Desktop Protocol) is often used for this purpose.
Files and data on an infected system are encrypted to demand a ransom. All of these are encrypted except those required by the computer to function. Ryuk attacks are very expensive, averaging over 1 million US dollars.
The ransom amount that is demanded causes hackers to focus on enterprises, organizations, and large companies that have the resources to pay a hefty amount.
This malware is also a data encryption variant that came to be in September 2019. It recently emerged as RaaS (Ransomware-as-a-Service).
This ransomware also focuses on large companies and businesses. It speedily encrypts company data to avoid detection by security teams, software applications, and SOC/IT departments.
The Sodinokibi or REvil group targets larger companies to demand a huge ransom. This group is quite popular and well-known on the Internet. The group has its origins in Russia and was launched in 2019. They have caused massive data breaches like JBS and Kaseya.
REvil is in tough competition with Ryuk to come on top as the most expensive ransomware variant. REvil attackers have demanded 800,000 US dollars for an attack.
Not only this, but this ransomware variant has evolved over the years to also steal data from large organizations while it encrypts data.
This way, it functions similarly to Maze, as the hackers can demand a second payment if the first one for encrypted data is not made. This is known as the Double Extortion technique.
Lapsus$ is another gang that targets high-profile companies. Their origins are in South America, and they are well-known for extortion and threats to sell/release confidential data if the ransom is not paid.
The group also claims that it has successfully attacked Ubisoft, Nvidia, Samsung, and some others. They steal source code to disguise malware files to help them easily pass undetected into a highly secure network or system.
Microsoft released 4 vulnerability matches in March of 2021 that were present with their Exchange servers. DearCry was designed to attack exactly these four spots that had been disclosed.
DearCry encrypted certain files. Whenever a user tried to access these, they were commanded to send a message to the ransomware attackers to get instructions for decryption.
NotPetya is considered the most damaging attack in history. It leveraged tactics from Petya and launched attacks that encrypted master boot records of Microsoft Windows OS.
This attack also picked the same tactics as WannaCry to spread like crazy and demanded bitcoin as ransom. Some have even reported that NotPetya cannot undo the changes it makes to the master boot record. This means it wipes off the system files of the target system and makes them unrecoverable.
CryptoLocker was one of the first few ransomware attacks that demanded bitcoin as ransom. It encrypted hard drives after attaching itself to network drives.
This ransomware injects into a system through email attachments that claim to be UPS/FedEx tracking reports.
A decryption tool was launched in 2014 to stop this attack,k but numerous reports have shown that CryptoLocker has already extorted a whopping 27 million US dollars.
Bad Rabbit is considered the cousin of NotPetya. It uses similar code and exploitation strategies to spread. This ransomware targeted media companies in Russia and Ukraine.
Unlike its cousin, Bad Rabbit does not offer decryption upon ransom payment. Cases report that it spread through fake Flash player updates and attacked the hardware drives.
How Does A Ransomware Attack Work?
Ransomware worms need access to a target system to attack and encrypt files so they can demand a ransom for decryption later on. Each variant is implemented differently. However, all of these do share similar core strategies. Let’s look at these below:
Similar to malware, ransomware can gain access to company systems and networks through different methods. Specific injection vectors are, however, preferred by ransomware operators.
The most common method is spear phishing emails. Malicious links are sent via email to the victim. These could be attachments or download links that cause the recipient’s system to be compromised.
RDP, or Remote Desktop Protocol, is another infection vector that is widely popular amongst ransomware operators. Attackers steal and guess login credentials through these to gain remote access to an enterprise network. Once they have access, they can easily download and inject malware code into the system.
Other attempts are made through variants like WannaCry that make use of vulnerabilities similar to how an attack was launched on EternalBlue. A lot of ransomware variants have several infection vectors.
Once ransomware is injected into a system and has access, it starts encrypting ransomware-hacked data. Ransomware is malware that has been coded to do this automatically using an attacker-controlled key. Original documents are replaced with encrypted files.
A lot of variants attack specific files to make sure the system does not go down. A stable network and computer are necessary to demand ransom. A few variants also delete backups and file shadow copies to make a recovery without a decryption key impossible.
Once files are encrypted, cyberattackers demand a ransom. Although different variants make use of different techniques to do this, most often change the display background to a ransom note. Text files may also be placed with encrypted directories containing ransom notes demanding cryptocurrency or money for decryption.
If the victim does pay the ransom, the ransomware operators offer a copy or private key to undo the effects. Encryption keys can be used to decrypt data using a decryptor program, which is also often provided by hackers. This is then used to restore file access.
Other variants may be implemented in different ways and may have additional recovery steps. For example, Maze checks registry data, scan files, and performs data theft before encrypting user data. WannaCry detects further weak points to infect vulnerable systems and files on other devices.
How To Ward Off Ransomware Attacks?
Make Use Of Best Practices
Preparation and preventive methods can significantly reduce damage costs and decrease the impact of any malware attack. Let’s look at what your company can follow to minimize exposure and damage below:
Spread Awareness And Train Employees
Since ransomware usually spreads through phishing emails or malicious software, users must be trained on how to identify spam and ward off potential threats.
Some emails do not even contain malware. They simply encourage users to click on malicious links. Therefore, users need to know that even clicking on a link they do not trust is of utmost importance for system security.
A company with users that are well aware of how ransomware attacks happen and what they can do to prevent them can stay safe.
Covering up vulnerabilities means ransomware attacks are less likely since hackers will be unable to find points of entry. Cybercriminals always target systems that have not been patched or have uncovered exploits. Make sure all company systems have the latest patches to decrease this risk.
Back-Up Data Often
Backing up data means you can easily recover it if anything bad happens. If your system is attacked by ransomware, you will have no option but pay the ransom if you do not have a backup.
You can opt for automatic and secure data backups to minimize data loss and financial burden. It is also a good idea not to store backup files on similar systems as backup data can be easily compromised too.
Regular backups also help with other issues like system failure, disk corruption, server problems, and hardware malfunction.
Functional backups are even better as they help with quick recovery after a ransomware attack.
User authentication helps prevent unauthorized access. Since an RDP can steal user credentials and is a common tactic applied by ransomware attackers, strong authentication is the only way to keep it safe. This way, even if cyberattackers do have user credentials, they will find it quite difficult to gain entry into a system.
- Attack Surface Reduction
Since a ransomware attack can cause huge financial loss, the best method is to prevent them from occurring in the first place. You can reduce the attack surface by:
- Phishing emails/messages.
- Patching vulnerabilities.
- Making use of remote access solutions.
- Being wary of mobile malware.
- Use Anti-Ransomware
Ransomware encrypts all important files on an infected system, so each one has a unique fingerprint. An anti-ransomware software tool identifies these and eradicates the issue. It does this through the following:
- Speedy detection to block ransomware.
- Detecting most variants.
- Performing automatic restorations.
- Using a restoration mechanism.
How To Remove Ransomware From A System?
No one wants to see a ransom message on their screen. This only means an infection was successful, and you were able to do nothing about it.
However, if your computer is infected, all you can do is either pay the ransom or take active measures to prevent further damage. Your encrypted files are most likely unrecoverable but certain steps must be taken immediately:
- The first thing you should do is quarantine the infected machine. This is to prevent the ransomware from spreading to other drives and devices. Doing so will reduce the chances of further exploitation.
- Keep your computer or devices on, as turning them off will cause you to lose volatile memory. Keeping it on increases the chances of recovery.
- Create a backup of encrypted files, as some variants use common keys that can be decrypted easily without paying the ransom. Create a backup on removable media to aid possible decryption or file damage in the future.
- See if you can use a free decryption program to decrypt your data. If file restoration is successful, you won’t have to pay the ransom.
- Take help from technicians and IT professionals to see if they can manage to restore the files. Some digital forensics experts can recover file copies if they have not been deleted permanently.
- Perform a system restore from a clean backup or complete OS installation to ensure the malware is completely removed from the infected device.
Ransomware can cause serious damage if you do not have the right security software for ransomware prevention. It is necessary to educate employees and make use of the right software to keep resources, data, and critical assets safe and prevent financial loss. Implementing the right security strategies to prevent ransomware infection and other security threats is also important to protect sensitive data.