What is Ransomware?
Before we talk about ransomware attacks in detail, let's first clarify the ransomware definition we'll use: a malicious software type that's designed to block access to a victim's computer files or system until they pay the perpetrator a sum of money.
After a ransomware virus infiltrates a network or system - usually through phishing or by exploiting a software application's security vulnerabilities - it encrypts a victim's data, makes it inaccessible, and sends the victim a message detailing ransom payment instructions. Modern ransomware presents a dual threat in that it not only encrypts data but releases it to the public or dark web as well.
Types of Ransomware Attacks
Now that you know what ransomware malware is and how it works, it's important that you learn about different types of ransomware attacks including encrypting ransomware, scareware, screen-locking ransomware, and doxware. The more familiar you become with different types of ransomware, the better you can mitigate their threats.
Encrypting Ransomware
Arguably the most well-known type of ransomware is encrypting ransomware which locks a victim's files after infiltrating a computer system. Popular examples of encrypting ransomware like Locky and WannaCry demonstrate how easily a system's security vulnerabilities can be exploited and how nefarious phishing attacks can be when threat actors are able to use modern ransomware that employs complex algorithms. Encrypting ransomware renders a victim's data inaccessible and essentially useless until a demanded ransom has been paid.
Scareware
Slightly different from more conventional encrypting ransomware is scareware. Scareware is a type of ransomware that leads victims to believe their computer is under threat from malicious viruses that have compromised their files. Scareware is known for bombarding its victims with fraudulent security alerts and tools that promise to help clean a user's computer and resolve non-existent issues in exchange for a fee.
Screen-Locking Ransomware
One type of ransomware that has become significantly more prevalent as smartphones and mobile devices have become more integral to daily life is screen-locking malware. Screen-locking ransomware locks a user's device and displays immovable, often intimidating messages that prompt the user to pay a ransom. This type of ransomware often masquerades as an official warning from law enforcement agencies to further pressure victims into paying a ransom.
Doxware (or Leakware)
Last but not least on our list of ransomware types is doxware - sometimes referred to as leakware - which threatens to publicly disseminate a victim's information unless a ransom is paid. Doxware combines the relatively recent practice of publicly revealing private information known as doxxing with conventional encrypting ransomware. Doxware relies primarily on the fear of data exposure to pressure victims into acquiescing to a perpetrator’s demands.
How Do Ransomware Attacks Work?
Ransomware attacks typically start with the initial process of infiltration. Threat actors use infiltration methods and are adept at stealthily compromising systems; most commonly perpetrators use malicious email attachments or links that have embedded malware that seems innocuous. Other prevalent approaches to compromising user information with ransomware include masquerading as authoritative and/or trustworthy entities like law enforcement agencies to execute phishing schemes or exploiting system vulnerabilities in outdated or unpatched software.
Ransomware that successfully infiltrates a victim's system targets critical files and leverages sophisticated algorithms to encrypt personal files and make them inaccessible. Unfortunately, victims of ransomware malware often realize that they've come under attack only after ransomware has encrypted their files and they've received an ominous ransom note.
Ransomware attackers commonly outline their demands in their ransom notes and employ a ticking clock to pressure victims into paying a ransom. This ticking clock instills panic and urgency, especially when combined with encrypted critical data and the impending deadline that attacks impose on their victims. This combination maximizes the likelihood of the victim complying with the attacker’s demands.
What are the Ransomware Attack Threat Vectors?
There are several types of ransomware and ways in which threat actors deliver malicious software:
- Messages with malicious links and email attachments.
- Phishing, in which the threat actor captures credentials and then uses the credentials to breach systems and install ransomware.
- Remote desktop protocol (RDP) brute forcing, which involves taking advantage of improperly secured ports on remote desktop software. This attack vector is becoming more common as more employees are working from home.
- Malicious websites and drive-by downloads, in which the victim visits a malicious site that takes advantage of a flaw in a particular application, operating system, or web browser and then automatically installs malware without the victim’s knowledge or intent.
- System and software vulnerabilities, in which unknown or unpatched bugs in the system enable a threat actor to access the system,install ransomware, and eventually ransom payments from organizations.
What are the Current Ransomware Trends?
Threat actors are known to take advantage of significant regional, national, or global events, such as natural disasters, elections, and health crises, for ransomware distribution. For example, the year 2020 saw a massive increase in ransomware attacks (estimated to be somewhere between 300% and 700%). Researchers attribute the increase to the surge in the number of remote workers, which has resulted in weaker security controls, combined with fears and concerns about Covid-19. For example, ransomware distributions have often focused on promoting fake and malicious content and links related to topics such as:
- Healthcare concerns, such as cures, vaccines, and protective equipment in short supply, like masks and hand sanitizers
- Financial distress and fake government payment scams
- Remote work technology needs, such as video conferencing platform
Why Are These Attacks Becoming More Common?
We attribute the recent surge in ransomware attacks to several, interrelated factors. Primarily, significant financial incentives push perpetrators to execute ransomware attacks. These potentially substantial financial incentives as well as the ease of access to ransomware tools further exacerbate the alarming surge in ransomware attacks.
Cybercriminals are drawn to ransomware’s profitability and the relative ease of executing attacks. With the proliferation of cryptocurrencies, the payment and money laundering processes have become more anonymous and less risky. Additionally, the increasing interconnectedness of digital systems worldwide amplifies the potential impact of attacks, making them an attractive option for criminals. These factors, combined, have led to a disturbing rise in ransomware incidents globally, signaling an urgent need for enhanced cybersecurity measures and public awareness.
How has Ransomware Evolved Over Time?
Ransomware has been around for a while—at least as far back as at least 1989—but over the last 20 years it has evolved into something substantially more sophisticated, lucrative, and dangerous. The evolution of ransomware can be attributed to a variety of factors, including:
- Improvements in malware coding methods, including obfuscation techniques that hide the malware from security
- Lax security practices as well as the dramatic increase in the number of endpoints and BYOD policies
- The ease with which would-be criminals can access, distribute, and automate ransomware, such as ransomware-as-a-service models
- The advent of cryptocurrencies which not only facilitates payment but also enables cybercriminals to hide their identity from law enforcement
- The increase in the number of businesses that purchase ransomware insurance
- The willingness of victims to pay the ransom
Who are the Ransomware Threat Actors?
There are both ransomware gangs and independent ransomware criminals that purchase ransomware through ransomware-as-a-service operators. Among the known threat actors/gangs believed to create, sell, or distribute ransomware include the Lazarus Group (North Korea), Fancy Bear (Russia), Sodinokibi (location unknown), and the Sandworm Team (Russia). However, it is essential to remember that many ransomware threats come from criminals operating independently and buying the ransomware via a ‘ransomware-as-a-service’ model. In fact, many of the well-known strains of ransomware also sell ransomware as a service to other threat actors. These include Ryuk, Lockbit, Sodinokibi/REvil, and Egregor/Maze.
What Industries are Most Affected by Ransomware?
While all industries are targeted by ransomware, some are affected with greater frequency, including government, healthcare, education, legal, transportation, manufacturing, and farming/food production. In addition, some ransomware may only target particular industries. For example, the Babuk ransomware appeared to focus on the transportation, healthcare, plastics, electronics, and agricultural sectors.
Ransomware Investigation and Incident Response
If you believe you’ve been hit with a ransomware attack, the most crucial thing is to avoid ‘panic mode’ and conduct a thorough ransomware investigation. While decisive action should be taken as quickly as possible, any action you take should be informed and measured.
- Work with an incident response company—Consider working with a professional incident response team with a current and in-depth understanding of ransomware and how to best deal with an attack.
- Incident Response Plan: Your incident response plan should outline the processes to follow from an organization-wide perspective, including which teams and executives need to be informed, which experts or professionals need to be brought into the loop, whether you should contact the authorities, the policy on ransomware payment, and how to inform any internal staff or external customers that may be affected by the attack.
- Know the ransomware schema: Spend some time understanding what you can about the strain or variant of ransomware so you can determine the extent of the damage, including whether or not the threat actors were likely to have moved laterally within your systems.
- Know the threat actor: Individual and group ransomware threat actors all operate differently, so it is essential to know your particular attacker’s tactics, techniques, and procedures (TTPs). For example, some may be willing to negotiate the terms.
- Know your timeline: It is important to know how much time you have in the attack process to get your investigation done and determine whether you will be able to restore your data and devices.
- Insurance: Ransomware insurance is increasingly popular. If you have insurance, know your policy terms.
- Legal Counsel: Legal professionals can help you understand your business and regulatory obligations when disclosing and reporting the incident.
Ransomware Protection and Prevention Techniques
- Have an Incident Response Plan: It is important to have a customized incident response plan to guide you when your business deals with a ransomware attack or breach. A plan will help you determine the scope of business interruption, the extent of exposure, and the necessary resources, as well as the step-by-step processes to get your business up and running again.
- Visibility: Know your systems and your organizations. Businesses that find themselves victims of a ransomware attack often struggle if they haven’t taken the time to know or understand security features, logging policies, etc.
- Backups: Engage in regular system and data backups. If a ransomware attack happens, something this simple could save you from having to pay the ransom.
- Disable macros: Many ransomware strains need to be initiated through a macro. Ensure your staff keeps their macros disabled, so even if someone inadvertently clicks a link and downloads ransomware, the malicious code won’t install.
- Avoid open RDP: Make sure you don’t currently have any remote desktop protocols open to the Internet that might enable easy access for a threat actor.
- Use multi-factor authentication (MFA): MFA offers protection from ransomware attacks by helping to prevent a breach if a threat actor has gained access to someone’s credentials.
- Patch. Patch. Patch. Ensure all your hardware, devices, systems, and software are regularly patched and updated to prevent attacks via vulnerabilities and bugs.
- Apply least privilege: Limit access to resources (users, systems, or devices) based on the minimum needed for business operations to help prevent lateral movement across networks and systems if a breach occurs.
- Provide training: Make phishing and social engineering training mandatory for all employees.
Next Steps
Ransomware attacks are becoming more sophisticated every day. It is important to work with a security team that can support you in today’s complex threat environment. GuidePoint Security is experienced in offering the best and most comprehensive ransomware readiness protection for your business and industry, as well as assisting organizations in managing the complexities of a ransomware investigation and response.