Ransomware is malware that uses encryption to hold a victim’s information to ransom. A user or organization’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to grant access. Ransomware is often designed to spread across a network and target database and file servers and thus can quickly cripple an entire organization. It is a growing threat that generates billions of dollars in payments to cybercriminals and inflicts significant damage and costs on businesses and government organizations.
How does ransomware work?
Ransomware uses asymmetric encryption. This is cryptography that uses a key pair to encrypt and decrypt a file. The public-private key pair is generated by the attacker uniquely for the victim; the private key needed to decrypt the files is kept on the attacker’s server. The attacker provides the private key to the victim only after the ransom is paid, although, as seen in recent ransomware campaigns, this is not always the case. Without access to the private key, it is almost impossible to decrypt the files held for ransom.
There are many variations of ransomware. Ransomware (and other malware) is often spread via email spam campaigns or through targeted attacks. The malware requires an attack vector to establish its presence on an endpoint. Once its presence is established, the malware remains on the system until its task is complete.
After a successful exploit, ransomware drops and executes a malicious binary on the infected system. This binary then searches for and encrypts valuable files such as Microsoft Word documents, images, databases, etc. The ransomware can also exploit system and network vulnerabilities to spread to other systems and possibly to entire organizations.
Once files are encrypted, ransomware asks the user to pay a ransom within 24 to 48 hours to decrypt the files, or they will be lost forever. If a backup is not available or these backups have been encrypted themselves, the victim has to pay the ransom to restore personal files.
Why does ransomware spread?
Ransomware attacks and their variants evolve rapidly to counter preventive technologies for several reasons:
Easy availability of malware kits that can be used to create new malware samples as needed.
Use of new techniques, such as encrypting the entire hard drive instead of selected files.
Today’s thieves don’t even have to be tech-savvy. Ransomware marketplaces have sprung up online, offering malware strains to any would-be cybercrook and generating additional profit for the malware authors, who often ask for a cut of the ransom proceeds.
Why is it so hard to find ransomware perpetrators?
The use of anonymous cryptocurrencies like Bitcoin for payments makes it difficult to follow the money trail and track criminals. Cybercrime groups are increasingly developing ransomware systems to make a quick profit. The easy availability of open-source code and drag-and-drop ransomware development platforms has accelerated the creation of new ransomware variants and helps novice scripters create their own ransomware. Typically, cutting-edge malware like ransomware is polymorphic, allowing cybercriminals to easily bypass traditional signature-based security that relies on file hashes.
What is ransomware-as-a-service (RaaS)?
Ransomware-as-a-service is an economic model for cybercrime that allows malware developers to earn money for their creations without having to distribute their threats. Non-technical criminals buy their wares and launch the infections while paying developers a percentage of their revenue. The developers take relatively few risks, and their customers do most of the work. Some instances of ransomware-as-a-service use subscriptions, while others require registration to gain access to the ransomware.
How to defend against ransomware
Follow these tips to avoid ransomware and mitigate the damage if you are attacked:
Back up your data: The best way to avoid the risk of your critical files being locked is to make sure you always have backups of them, preferably in the cloud and on an external hard drive. This way, in case of a ransomware infection, you can wipe your computer or device for free and reinstall your files from the backup. This will protect your data and you will not be tempted to reward the malware authors with ransom. Backups do not prevent ransomware, but they can mitigate the risks.
Back up your backups: Make sure your backup data cannot be modified or deleted from the systems where the original data resides. Ransomware looks for backups and encrypts or deletes them so they cannot be restored, so use backup systems that do not allow direct access to backup files.
Use security software and keep it up to date: Make sure all your computers and devices are protected with comprehensive security software, and keep all your software up to date. Make sure you update your devices’ software early and often, as patches for bugs are usually included in every update.
Practice safe browsing: Be careful where you click. Don’t respond to emails and text messages from unknown people, and only download apps from trusted sources. This is important because malware authors often use social engineering to install dangerous files.
Use only secure networks: Avoid using public Wi-Fi networks, as many of them are not secure and cybercriminals can spy on your Internet usage. Instead, consider installing a VPN that will give you a secure connection to the Internet wherever you go.
Stay informed: Keep up to date with the latest ransomware threats so you know what to look out for. In case you get a ransomware infection and haven’t backed up all your files, know that some decryption tools are provided by technology companies to help victims.
Implement a security awareness program: Provide regular security awareness training for every member of your organization to help them avoid phishing and other social engineering attacks. Conduct regular drills and tests to ensure training is being followed.
9 steps to respond to a ransomware attack
If you suspect you’ve been affected by a ransomware attack, it’s important to act quickly. Fortunately, there are several steps you can take to give you the best possible chance of minimizing damage and getting back to business as usual quickly.
Isolate the infected device: Ransomware that affects one device is a moderate inconvenience. Ransomware that is allowed to infect all of your company’s devices is a major disaster and could put you out of business for good. The difference between the two often comes down to response time. To ensure the security of your network, shared drives and other devices, you need to disconnect the affected device from the network, Internet and other devices as soon as possible. The sooner you do this, the less likely it is that other devices will be infected.
Stop the spread: Because ransomware moves quickly, and the device with ransomware is not necessarily patient zero, immediately isolating the infected device does not guarantee that the ransomware will not be present elsewhere on your network. To effectively limit the scope, you need to disconnect any devices that are acting suspiciously from the network, including those operating off premises: if they are connected to the network, they pose a risk no matter where they are. Shutting down wireless connectivity (Wi-Fi, Bluetooth, etc.) at this point is also a good idea.
Assess the damage: To determine which devices have been infected, look for recently encrypted files with strange filenames and look for reports of odd filenames or users having trouble opening files. If you discover devices that have not been fully encrypted, they should be isolated and disabled to contain the attack and prevent further damage and data loss. Your goal is to create a comprehensive list of all affected systems, including network storage devices, cloud storage, external hard drive storage (including USB sticks), laptops, smartphones, and other possible vectors. At this point, it is advisable to lock down shares. All of them should be restricted if possible; if not, restrict as many as possible. This will stop all ongoing encryption processes and prevent additional shares from getting infected during the remediation process. But before you do that, take a look at the encrypted shares. This can provide useful information: If a device has a much higher number of open files than usual, you may have just found your patient zero. Otherwise…
Locate patient zero: Tracking the infection becomes significantly easier once you identify the source. To do so, look for alerts that may come from your antivirus/antimalware, EDR, or active monitoring platform. And because most ransomware enters networks through malicious email links and attachments that require an end-user action, asking people about their activities (like opening suspicious emails) and what they noticed can also be useful. Finally, looking at the properties of the files themselves can also provide a clue: the person listed as the owner is likely the entry point. (Note, however, that there may be more than one patient zero!)
Identify the ransomware: Before going any further, it’s important to figure out what variant of ransomware you’re dealing with. One way is to visit No More Ransom, a global initiative McAfee is involved in. The site has a number of tools you can use to unlock your data, including the Crypto Sheriff tool: Simply upload one of your encrypted files, and it will be scanned to find a match. You can also use the information contained in the ransom note: If the ransomware variant is not described directly, retrieving the email address or the note itself using a search engine can be helpful. Once you have identified the ransomware and quickly researched its behavior, you should notify all unaffected employees as soon as possible, so they know how to spot the signs of infection.
Report the ransomware to authorities: Once the ransomware is contained, you should contact law enforcement for several reasons. First of all, ransomware is against the law and should be reported to the appropriate authorities just like any other crime. Second, according to the United States Federal Bureau of Investigation, “law enforcement agencies and tools may be used that are not available to most organizations.” Partnerships with international law enforcement agencies can be used to find the stolen or encrypted data and bring the perpetrators to justice. Finally, the attack may have compliance implications: If you fail to notify the ICO of an EU data breach within 72 hours, as required by the GDPR, your company could face hefty fines.
Assess your backups: Now it’s time to start the response process. The quickest and easiest way to do this is to restore your systems from a backup. Ideally, you will have an uninfected, complete and recently created backup; anything less is of little benefit. If so, the next step is to use an antivirus/antimalware solution to ensure that all infected systems and devices are wiped free of ransomware; otherwise, your system will still be locked, your files will still be encrypted, and the ransomware may corrupt your backup as well. Once all traces of malware have been removed, you can restore your systems from this backup, and once you have confirmed that all data has been restored and all apps and processes are running normally, return to business as usual. Unfortunately, many organizations don’t realize the importance of creating and managing backups until they need them and don’t have them. As modern ransomware becomes more sophisticated and resilient, some of those who create backups soon find that the ransomware has corrupted or encrypted them, too, rendering them completely useless.
Research your decryption options: If you don’t have a viable backup, there’s still a chance you can get your data back. A growing number of free decryption keys can be found at No More Ransom. If one is available for the variant of the ransomware you are dealing with (and assuming you have erased all traces of malware from your system by now), you can use the decryption key to unlock your data. Even if you are lucky enough to find a decryptor, you are not done: you can still expect hours or days of downtime while you work on the fix.
Moving on: If you have no usable backups and can’t find a decryption key, your only option may be to cut your losses and start over. Rebuilding is not a quick or inexpensive process, but once you have exhausted your other options, this is the best you can do.
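One way to carry out the “Assess the damage” sweep above (and to pull the file owner that the “Locate patient zero” step points at), as an added example that is not part of the original article: it walks a directory for recently modified files whose content is near-random, which is what freshly encrypted data looks like, and skips extensions that are expected to be compressed. The entropy threshold, age window and extension set are assumptions, and the sample files are constructed in a temporary directory.

```python
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

# Formats that are legitimately near-random (compressed or already encrypted); assumed set.
EXPECTED_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_files(root: str, max_age_s: float = 3600, threshold: float = 7.5):
    """Return (path, entropy, owner_uid) for recently modified files that look encrypted.
    The owner uid is the property the 'patient zero' step suggests inspecting."""
    now = time.time()
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if now - st.st_mtime > max_age_s:
                continue  # not touched within the window we care about
            ext = os.path.splitext(name)[1].lower()
            if ext in EXPECTED_HIGH_ENTROPY:
                continue  # high entropy is normal for this type
            with open(path, "rb") as f:
                ent = shannon_entropy(f.read(4096))  # header sample is enough to judge
            if ent >= threshold:
                hits.append((path, round(ent, 2), st.st_uid))
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed sample: a plaintext document, the same name with an appended
    extension and random contents, and a legitimate archive. Returns the directory."""
    root = Path(tempfile.mkdtemp(prefix="rw-demo-"))
    (root / "report.docx").write_bytes(b"Quarterly report: revenue grew 4% on flat costs. " * 100)
    (root / "report.docx.locked").write_bytes(os.urandom(4096))
    (root / "archive.zip").write_bytes(os.urandom(4096))
    return str(root)

if __name__ == "__main__":
    for path, ent, uid in suspicious_files(build_sample_tree()):
        print(f"{path}  entropy={ent}  owner_uid={uid}")
```

Only the renamed, random-content file is reported; the plaintext document and the archive are not.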
Why shouldn’t I just pay the ransom?
Given the possibility of weeks- or months-long recovery, it might be tempting to give in to a ransom demand. However, there are several reasons why this is a bad idea:
You may never receive a decryption key. If you pay a ransomware demand, you expect to receive a decryption key in return. However, when you perform a ransomware transaction, you rely on the integrity of criminals. Many people and organizations have paid the ransom only to receive nothing in return; they are then out tens or hundreds of thousands of dollars, and they still have to rebuild their systems from scratch.
You might get repeated ransomware demands. Once you pay a ransom, the cybercriminals who deployed the ransomware know that you are at their mercy. They may give you a working key only if you are willing to pay a little (or a lot) more.
You may get a decryption key that only partly works. The creators of ransomware are not in the file recovery business; they are in the money-making business. In other words, the decrypter you receive may be just good enough for the criminals to say that they have held up their end of the deal. Moreover, it is not uncommon for the encryption process itself to irreparably damage some files. In this case, even a good decryption key cannot unlock your files; they are gone forever.
You can paint a target on your back. Once you pay a ransom, criminals know you are a good investment. An organization that has a proven track record of paying the ransom is a more attractive target than a new target that may or may not pay. What’s going to stop the same group of criminals from attacking again in a year or two, or from logging into a forum and telling other cybercriminals that you’re an easy target?
Even if everything somehow turns out well, you’re still funding criminal activity. Suppose you pay the ransom, get a good decryption key and get everything working again. Even this is only the best worst-case scenario (and not just because you spent a lot of money). If you pay the ransom, you are funding criminal activity. Aside from the obvious moral implications, you reinforce the idea that ransomware is a working business model. (Think about it: if no one ever paid the ransom, do you think they would continue to release ransomware?) Bolstered by their success and their outsized payday, these criminals will continue to wreak havoc on unsuspecting businesses and continue to pour time and money into developing newer and even more nefarious ransomware, one strain of which may find its way onto your devices in the future.