When you are following information security news or just browsing your LinkedIn during your lunch breaks, you will bump into articles that companies were hit by a ransomware attack.
It’s not a surprise. Recently, there’s been a 40% surge in global ransomware—accounting for $199.7 million in US dollars—and a 3% growth in encrypted threats—accounting for $3.2 million in US dollars. According to forecasts, ransomware will cost businesses a loss of $20 billion globally by 2021.
Ransomware is a serious issue for companies that can result in loss in terms of financials, data, or reputation and brand damage.
But what is ransomware? Who is behind it and what’s their motive? How does it work step-by-step? What are the top infection vectors? And finally, what can you do to prevent a ransomware attack? Stay with us, and we will answer all your questions.
What's Ransomware?
Ransomware is malicious software—also referred to as malware—that infects the victim’s computer. When ransomware happens, the victim receives a message that they need to pay a ransom or their computer or system won’t be operational again. Criminals use ransomware to make money quickly. They use various techniques such as phishing emails or free software downloads to spread malware.
When the victim activates ransomware, it locks the computer and encrypts information, files, and data, often with a password. Businesses hit by ransomware may experience downtime, data loss, intellectual property theft, financial loss, loss of productivity, or, in a worst-case scenario, the company’s brand image could be seriously harmed.
Ransomware is a type of extortion virus
The original idea of ransomware is very simple. Attackers write a virus and spread it on people’s computers. To decrypt the data and files, they demand a small fee.Of course, it’s more complicated than that. Ransomware has several variations too. While certain malware will only encrypt your files, others will actually steal the data, move it somewhere else, and demand payment to give it back.
This is dangerous because criminals could make a copy of the files, and despite someone’s paying the ransom, they could still use the information, release it publicly, or sell it to the right buyer. This can be especially worrisome when attackers get their hands on intellectual property or customer data.
Ransomware-as-a-Service is real
Ransomware-as-a-service (RaaS) got its origin from the Software-as-a-Service business model. It enables even inexperienced cybercriminals to launch ransomware when they purchase a RaaS package that requires minimal coding. RaaS is the reason why ransomware is extremely popular among criminals with little to no technical knowledge.
Criminal groups are writing ransomware code, and through the RaaS model, they sell it to others who will launch the attack against their target. The package includes technical know-how and step-by-step information on launching the ransomware attack or, in some cases, even a dashboard where the customer can monitor the status of the attack in real-time. Most attack providers suggest launching the attack through phishing emails, or they also provide exploit kits. When the attack is successful, the RaaS provider takes a chunk from the profits.
Top infection vectors ransomware attacks exploit
Email phishing
Phishing emails are one of the predominant ways of spreading ransomware. While attackers are also using remote ports to distribute malware, during 2020, ransomware phishing emails have been on the rise. Attackers are also riding the wave of the global pandemic; subject lines related to the coronavirus have been popular.
Drive-by download
Drive-by download attacks mean that the attackers install malware on your devices without your consent. This could also be an unintentional download of malicious files to your device. You don’t need to click anything—the virus spreads immediately. Drive-by download attacks can also take advantage of applications and operating systems, so it’s important that you update them when new updates are available so you will be less prone to ransomware attacks.
Free software
Downloading free software is always dangerous. If you are downloading something that is not from a trusted entity or if the software looks suspicious, don't download it because it could be malicious.
Remote Desktop Protocol (RDP)
Remote Desktop Protocol (RDP) is just as popular an entry point for ransomware as phishing emails. RDP is a technology for connecting to remote systems, and currently there are millions of computers with RDP ports exposed online. This is why attackers are using this solution as one of their primary attack vectors for ransomware.
The technology has also played a role in why attackers have started to target enterprises instead of consumers. It’s rather easy to find vulnerable RDP systems.In addition to RDP, in 2020, intrusion through VPN has also become a primary entry point into corporate networks.
Software vulnerabilities
As mentioned above, when your software is not up-to-date, it becomes vulnerable to malware attacks. To stay safe, make sure that you automatically enable software and application updates on all your devices.
Active Directory (AD)
Ransomware via Active Directory (AD)—such as LockerGoga at Norsk Hydro—is definitely one the most dangerous attack types along with worm type ransomware—such as Wannacry. Basically, when the attackers get the AD admin, they can control all the computers within the network. With the rest of the attack vectors, attackers can typically only access one computer.
Who's behind ransomware attacks?
With RaaS providers, anyone can start a ransomware attack fairly easily. The Dark Web is full of ads for different providers. Still, the offenders are usually organized criminal groups or state actors financed by countries.
Organized criminal groups
Organized criminal groups—often operating from Eastern Europe—typically target thousands of victims with one attack. Their strategy is to use economies of scale: demand a small ransom payment from as many people as possible and thus maximize profit.
Organized groups have a well-built infrastructure to handle attacks, payments, decryption, and money laundering.
State actors
State-led ransomware attacks make the news quite frequently. These attacks often originate from countries such as North Korea, Russia, or Iran. Typically, they are not motivated by money, but they want to create chaos.
The NotPetya ransomware attack
Experts assume that state actors were responsible for the NotPetya ransomware attack. It primarily targeted Ukrainian victims. This is why cybersecurity experts believe that the primary objective of the NotPetya attack was sabotage.
The WannaCry ransomware attack
State actors are also blamed for the WannaCry ransomware attack. According to reports, there was no infrastructure for ransom payments nor any known cases of decryption. Nevertheless, experts are not sure about the main motive—whether the attackers were experimenting, planning sabotage, or masking it behind ransomware.
How does ransomware work?
Step 1. The infection
How does your computer become infected with ransomware? It’s easier than you think. Clicking on email links or opening attachments, sticking an unknown device—e.g., a USB—into your computer, downloading free software, or pirating movies and music are good starting points. Even old versions of applications or systems could harm your computer and start a virus.
Practicing safe online habits is the first step to not becoming infected and avoiding ransomware.
Step 2. The encryption
Let’s say you made a mistake, and now your computer has ransomware. The virus infected your computer and encrypted your files—suddenly, a warning pops up on your screen and demands a ransom.
Step 3. The ransom note
When you are a victim of a ransomware attack, you will definitely notice it. The message will be obvious on your screen.
The note is simple—it tells you the following:
- You have been attacked.
- To get your files back, pay the demanded amount of money within a given time according to the instructions.
- If you are not paying, you lose access to your files.
Step 4. The process of making the payment
Attackers have fine-tuned the payment process. When the process of making the payment is simple, and the amount is reasonable, people will take action. When the victims can easily get back their files by quickly performing the payment, they will more likely choose it over trying to fix the issue themselves.
Most ransomware attacks don’t want victims to use a credit card or a wire transfer because those are traceable. They usually ask for payment in untraceable cryptocurrencies, like Bitcoin.
Step 5. Unlocking the files
Once you’ve made the payment, you will get the keys to your files. At this point, ransomware should delete itself after decrypting the files. With less mature ransomware types, you will receive a program you need to run to do this for you.
Should you pay the ransom?
At this point, you must be wondering whether you should pay the ransom or not. Security experts advise against paying a ransom. The problem is that you are dealing with criminals, so you shouldn’t trust them. There’s no guarantee you’ll get your files back. When people and organizations pay, they are just pouring oil onto the fire: paying will encourage criminals to continue with ransomware attacks.
Experts advise that when it’s screen-locking ransomware, you shouldn’t pay because you can almost always get around it.It’s a more difficult question when you have business-critical data. In this case, you need to consider your options and how you can recover the fastest from the attack.
Prevention: How can I stay safe?
The best thing would be to avoid getting the malware at all. To do that, practicing safe online habits is a must.
- Don’t click on links in emails that look suspicious.
- Avoid opening or downloading strange email attachments.
- Keep the operating system, software, and applications up-to-date.
- Use anti-virus software.
- Don’t plug any unknown device into your computer.
- Don’t download free software or illegal movies or music from the internet.
- Create a backup of your files in the cloud or offline.
Remember: All devices are vulnerable to ransomware
It’s easy to fall victim to a ransomware attack. It could be as simple as clicking on a link in a phishing email, and you could almost immediately lose access to your files.
This is why it’s so important that you have the knowledge and the right skills to practice safe online habits. Email-based threat simulations are a great way to practice how you would recognize real attacks. When you do that frequently, you can minimize your chances of falling victim to a ransomware attack.
Read more about ransomware
- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt