Ransomware is a type of malicious software (malware) that threatens to publish or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker. In many cases, the ransom demand comes with a deadline. If the victim doesn’t pay in time, the data is gone forever or the ransom increases.
Ransomware attacks are all too common these days. Major companies in North America and Europe alike have fallen victim to it. Cybercriminals will attack any consumer or any business and victims come from all industries.
Several government agencies, including the FBI, advise against paying the ransom so as not to fuel the ransomware cycle, as does the No More Ransom Project. Furthermore, half of the victims who pay the ransom are likely to suffer repeat ransomware attacks, especially if the malware is not cleaned from the system.
How Ransomware Works
Ransomware is a type of malware designed to extort money from its victims, who are blocked or prevented from accessing data on their systems. The two most prevalent types of ransomware are encryptors and screen lockers. Encryptors, as the name implies, encrypt data on a system, making the content useless without the decryption key. Screen lockers, on the other hand, simply block access to the system with a “lock” screen, asserting that the system is encrypted.
Figure 1: How Ransomware tries to trick a victim into installing it
Victims are often notified on a lock screen (common to both encryptors and screen lockers) to purchase a cryptocurrency, like Bitcoin, to pay the ransom fee. Once the ransom is paid, victims receive the decryption key and may attempt to decrypt their files. Decryption is not guaranteed, as multiple sources report varying degrees of success with decryption after paying ransoms. Sometimes victims never receive the keys. Some attacks leave malware installed on the computer system even after the ransom is paid and the data is released.
While originally focused largely on personal computers, encrypting ransomware has increasingly targeted business users, as businesses will often pay more to unlock critical systems and resume daily operations than individuals.
Enterprise ransomware infections usually start with a malicious email. An unsuspecting user opens an attachment or clicks on a URL that is malicious or leads to a site that has been compromised.
At that point, a ransomware agent is installed and begins encrypting key files on the victim’s PC and any attached file shares. After encrypting the data, the ransomware displays a message on the infected device. The message explains what has occurred and how to pay the attackers. If the victims pay, the ransomware promises they’ll get a code to unlock their data.
Who is At Risk?
Any device connected to the internet is at risk of becoming the next ransomware victim. Ransomware scans the local device and any network-connected storage, which means that a single vulnerable device also puts the local network at risk. If the local network belongs to a business, the ransomware could encrypt important documents and system files, halting services and productivity.
If a device connects to the internet, it should be updated with the latest software security patches, and it should have anti-malware installed that detects and stops ransomware. Outdated operating systems such as Windows XP that are no longer maintained are at a much higher risk.
Why is Ransomware Spreading?
With more people working from home, threat actors increased their use of phishing. Phishing is a primary starting point for ransomware infection. The phishing email targets employees, both low-privileged users and high-privileged users. Email is inexpensive and easy to use, so it makes a convenient way for attackers to spread ransomware.
Documents are routinely exchanged by email, so users think nothing of opening a file received as an attachment. If the document carries a malicious macro, the macro runs, downloads ransomware to the local device, and then delivers its payload. The ease of spreading ransomware by email is why it is such a common malware attack.
New Ransomware Threats
Ransomware authors constantly modify their code to produce new variants that evade detection. Administrators and anti-malware developers must keep up with these new methods so that a threat is detected quickly, before it can propagate across the network. Here are a few new threats:
DLL side loading. Malware attempts to hide from detection by using DLLs and services that look like legitimate functions.
Web servers as targets. Malware on a shared hosting environment can affect all sites hosted on the server. Ransomware such as Ryuk targets hosted sites, mainly using phishing emails.
Spear-phishing is preferred over standard phishing. Instead of sending malware to thousands of targets, attackers perform reconnaissance to identify individuals who hold high-privilege network access.
Ransomware-as-a-Service (RaaS) lets users launch attacks without any cybersecurity knowledge. The introduction of RaaS has led to an increase in ransomware attacks.
A primary reason for the increase in ransomware threats is remote work. The pandemic introduced a new way of working globally, and an at-home workforce is much more vulnerable to threats. Home users do not have the enterprise-level cybersecurity necessary to protect against sophisticated attacks, and many of these users commingle their personal devices with work devices. Since ransomware scans the network for vulnerable devices, personal computers infected with malware can also infect network-connected business machines.
Ransomware Prevention and Detection
Prevention of ransomware attacks typically involves setting up and testing backups as well as enabling ransomware protection in security tools. Security tools such as email protection gateways are the first line of defense, while endpoints are a secondary defense. Intrusion Detection Systems (IDSs) are sometimes used to detect ransomware command-and-control traffic, alerting when an infected system calls out to a control server. User training is important, but it is just one of several layers of defense against ransomware, and it comes into play only after the ransomware has already been delivered via a phishing email.
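Endpoint-side detection of the encryptor behaviour described above (one process rewriting many files on the local disk or a share to a new extension and dropping a note) can be illustrated with a small heuristic over file-event logs. This is an added example, not code from the original article; the log line format, the thresholds and the sample events are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed log format (assumption): "<epoch> <pid> <op> <path>[ -> <newpath>]"
LINE_RE = re.compile(r"^(\d+) (\d+) (WRITE|RENAME|CREATE) (\S+)(?: -> (\S+))?$")
NOTE_RE = re.compile(r"(readme|decrypt|restore|how_to).*\.(txt|html?)$", re.I)  # ransom-note names, supporting signal only

def parse_line(line):
    """Return (ts, pid, op, path, newpath) or None for lines not in the format."""
    m = LINE_RE.match(line.strip())
    return None if not m else (int(m[1]), int(m[2]), m[3], m[4], m[5])

def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def analyze(lines, window=60, threshold=20):
    """Flag pids renaming many files to one new extension inside `window` seconds;
    a ransom-note-like CREATE by the same pid lowers the bar to threshold // 4."""
    renames = defaultdict(list)  # pid -> [(ts, new extension)]
    notes = defaultdict(set)     # pid -> paths that look like ransom notes
    for ev in filter(None, map(parse_line, lines)):
        ts, pid, op, path, new = ev
        if op == "RENAME" and new and extension(new) != extension(path):
            renames[pid].append((ts, extension(new)))
        elif op == "CREATE" and NOTE_RE.search(path):
            notes[pid].add(path)
    alerts = {}
    for pid, events in renames.items():
        events.sort()
        best, best_ext, start = 0, "", 0
        for end in range(len(events)):              # sliding time window over the renames
            while events[end][0] - events[start][0] > window:
                start += 1
            ext, n = Counter(e for _, e in events[start:end + 1]).most_common(1)[0]
            if n > best:                            # size of the dominant-extension burst
                best, best_ext = n, ext
        if best >= threshold or (best >= threshold // 4 and notes[pid]):
            alerts[pid] = {"renames_in_window": best, "new_ext": best_ext, "notes": sorted(notes[pid])}
    return alerts

# Constructed sample: a benign editor (pid 4120) and an encryptor-like burst on a share (pid 7731).
SAMPLE_LOG = [
    "1700000000 4120 WRITE /home/ana/notes.txt",
    "1700000005 4120 RENAME /home/ana/report.tmp -> /home/ana/report.docx",
    "1700000040 7731 CREATE /share/finance/README_DECRYPT.txt",
] + [f"{1700000010 + i} 7731 RENAME /share/finance/q{i}.xlsx -> /share/finance/q{i}.xlsx.locked"
     for i in range(25)]
if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Legitimate bulk operations (archivers, build tools) can trip the rename heuristic, so in practice the alert is a trigger for isolating the host and checking backups, not a verdict on its own.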
A fallback measure, in case other ransomware preventative defenses fail, is to stockpile Bitcoin. This is more prevalent where immediate harm could impact customers or users at the affected firm. Hospitals and the hospitality industry are at particular risk of ransomware, as patients’ lives could be affected or people could be locked in or out of facilities.