What is Ransomware?
Ransomware is a type of malicious software that threatens to publish or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker. In many cases, the ransom demand comes with a deadline. If the victim doesn’t pay in time, the data is gone forever.
Ransomware attacks are all too common these days. Major companies in North America and Europe alike have fallen victim to it. Cybercriminals will attack any consumer or any business and victims come from all industries.
Several government agencies, including the FBI, advise against paying the ransom to keep from encouraging the ransomware cycle, as does the No More Ransom Project. Furthermore, half of the victims who pay the ransom are likely to suffer from repeat ransomware attacks.
Examples of Ransomware
By learning about the major ransomware attacks below, organizations will gain a solid foundation in the tactics, exploits, and characteristics of most ransomware attacks. While the code, targets, and functions of ransomware continue to vary, innovation in ransomware attacks is typically incremental.
- CryptoLocker, a 2013 attack, launched the modern ransomware age and infected up to 500,000 machines at its height.
- TeslaCrypt targeted gaming files and saw constant improvement during its reign of terror.
- SimpleLocker was the first widespread ransomware attack that focused on mobile devices.
- WannaCry spread autonomously from computer to computer using EternalBlue, an exploit developed by the NSA and then stolen by hackers.
- NotPetya also used EternalBlue and may have been part of a Russian-directed cyberattack against Ukraine.
- Leatherlocker was first discovered in 2017 in two Android applications: Booster & Cleaner and Wallpaper Blur HD. Rather than encrypt files, it locks the home screen to prevent access to data.
- Wysiwye, also discovered in 2017, scans the web for open Remote Desktop Protocol (RDP) servers. It then tries to steal RDP credentials to spread across the network.
- Cerber proved very effective when it first appeared in 2016, netting attackers $200,000 in July of that year. It took advantage of a Microsoft vulnerability to infect networks.
- BadRabbit spread across media companies in Eastern Europe and Asia in 2017.
- SamSam has been around since 2015 and targeted primarily healthcare organizations.
- Ryuk first appeared in 2018 and is used in targeted attacks against vulnerable organizations such as hospitals. It is often used in combination with other malware like TrickBot.
- Maze is a relatively new ransomware group known for releasing stolen data to the public if the victim does not pay to decrypt it.
- RobbinHood is another EternalBlue variant that brought the city of Baltimore, Maryland, to its knees in 2019.
- GandCrab might be the most lucrative ransomware ever. Its developers, who sold the program to cybercriminals, claim more than $2 billion in victim payouts as of July 2019.
- Sodinokibi targets Microsoft Windows systems and encrypts all files except configuration files. It is related to GandCrab.
- Thanos is the newest ransomware on this list, discovered in January 2020. It is sold as ransomware-as-a-service and is the first to use the RIPlace technique, which can bypass most anti-ransomware methods.
How Ransomware Works
Ransomware is a type of malware designed to extort money from its victims, who are blocked or prevented from accessing data on their systems. The two most prevalent types of ransomware are encryptors and screen lockers. Encryptors, as the name implies, encrypt data on a system, making the content useless without the decryption key. Screen lockers, on the other hand, simply block access to the system with a “lock” screen, asserting that the system is encrypted.
Victims are often notified on a lock screen (common to both encryptors and screen lockers) to purchase a cryptocurrency, like Bitcoin, to pay the ransom fee. Once the ransom is paid, victims receive the decryption key and may attempt to decrypt their files. Decryption is not guaranteed, as multiple sources report varying degrees of success with decryption after paying ransoms. Sometimes victims never receive the keys. Some attacks leave malware installed on the computer system even after the ransom is paid and the data is released.
While originally focused largely on personal computers, encrypting ransomware has increasingly targeted business users, as businesses will often pay more to unlock critical systems and resume daily operations than individuals.
Enterprise ransomware infections or viruses usually start with a malicious email. An unsuspecting user opens an attachment or clicks on a URL that is malicious or has been compromised.
At that point, a ransomware agent is installed and begins encrypting key files on the victim’s PC and any attached file shares. After encrypting the data, the ransomware displays a message on the infected device. The message explains what has occurred and how to pay the attackers. If the victims pay, the ransomware promises they’ll get a code to unlock their data.
How to Prevent Ransomware Attacks
- Defend your email against ransomware: Email phishing and spam are the main way that ransomware attacks are distributed. Secure email gateways with targeted attack protection are crucial for detecting and blocking malicious emails that deliver ransomware. These solutions protect against malicious attachments, malicious documents, and URLs in emails delivered to user computers.
- Defend your mobile devices against ransomware: Mobile attack protection products, when used in conjunction with mobile device management (MDM) tools, can analyze applications on users’ devices and immediately alert users and IT to any applications that might compromise the environment.
- Defend your web surfing against ransomware: Secure web gateways can scan users’ web traffic to identify malicious web ads that might lead them to ransomware.
- Monitor your servers and network, and back up key systems: Monitoring tools can detect unusual file access activity, viruses, network command-and-control (C&C) traffic and CPU loads, possibly in time to block ransomware from activating. Keeping a full image copy of crucial systems reduces the risk of a crashed or encrypted machine becoming a critical operational bottleneck.
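A detection rule in the spirit of the monitoring point above, added here as an example that is not from the original page or any vendor product: it replays constructed file-activity audit lines and flags a process that renames many files to one new extension across several directories within a short window, or that drops a ransom-note-like file. The log format, thresholds and note-name pattern are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-activity audit lines (not from any real product or incident):
# "<ISO time> <process> <op> <path>[ -> <new path>]"
SAMPLE_LOG = """\
2024-03-01T09:00:01 winword.exe WRITE C:/Users/ann/Docs/q1.docx
2024-03-01T09:01:00 winword.exe WRITE C:/Users/ann/Docs/q2.docx
2024-03-01T09:10:00 svc.exe RENAME C:/Users/ann/Docs/q1.docx -> C:/Users/ann/Docs/q1.docx.crypt
2024-03-01T09:10:01 svc.exe RENAME C:/Users/ann/Docs/q2.docx -> C:/Users/ann/Docs/q2.docx.crypt
2024-03-01T09:10:02 svc.exe RENAME //share/finance/ledger.xlsx -> //share/finance/ledger.xlsx.crypt
2024-03-01T09:10:03 svc.exe RENAME //share/finance/budget.xlsx -> //share/finance/budget.xlsx.crypt
2024-03-01T09:10:04 svc.exe RENAME C:/Users/ann/Pictures/cat.jpg -> C:/Users/ann/Pictures/cat.jpg.crypt
2024-03-01T09:10:05 svc.exe WRITE C:/Users/ann/Docs/HOW_TO_RECOVER.txt
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: -> (\S+))?$")
WINDOW = timedelta(seconds=60)   # assumed burst window
MIN_FILES, MIN_DIRS = 5, 2       # assumed thresholds: files to one new extension, spread over dirs
NOTE_RE = re.compile(r"(?i)(how_to|readme|recover|decrypt)")  # assumed note-name heuristic

def parse(log):
    """Yield (time, process, op, path, new_path_or_None) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, proc, op, path, new = m.groups()
            yield datetime.fromisoformat(ts), proc, op, path, new

def detect_ransomware_activity(log):
    """Return (process, kind, detail) alerts: a burst of renames to one new extension
    across several directories inside WINDOW, or creation of a note-like file."""
    alerts, fired = [], set()
    recent = defaultdict(deque)          # process -> (time, dir, ext, new_path)
    for ts, proc, op, path, new in parse(log):
        if op == "WRITE" and NOTE_RE.search(path.rsplit("/", 1)[-1]):
            alerts.append((proc, "note", path))
        if op != "RENAME" or new is None:
            continue
        d, name = new.rsplit("/", 1)
        ext = name.rsplit(".", 1)[-1].lower()
        q = recent[proc]
        q.append((ts, d, ext, new))
        while ts - q[0][0] > WINDOW:     # drop events older than the window
            q.popleft()
        files = {p for _, _, e, p in q if e == ext}
        dirs = {dd for _, dd, e, _ in q if e == ext}
        if len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS and (proc, ext) not in fired:
            fired.add((proc, ext))       # alert once per process/extension pair
            alerts.append((proc, "mass-rename", f"{len(files)} files -> .{ext} in {len(dirs)} dirs"))
    return alerts
```

Ordinary editing (winword.exe writing two documents) produces no alert, while the rename burst that also reaches the file share trips the rule before the note file is even written.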
How to Remove Ransomware
- Call federal and local law enforcement: Just as someone would call a federal agency for a kidnapping, organizations need to call the same bureau for ransomware. Their forensic technicians can ensure systems aren’t compromised in other ways, gather information to better protect organizations going forward and try to find the attackers.
- Learn about anti-ransomware resources: The No More Ransom portal and Bleeping Computer have tips, suggestions and even some decryptors for selected ransomware attacks.
- Restore data: If organizations have followed best practices and kept system backups, they can restore their systems and resume normal operations.