Among today's security challenges, organizations are alarmed by the severity of ransomware attacks. Ransomware is becoming more effective as attackers try new and sophisticated methods. Attacks have become larger and more expensive in recent years, owing to the Ransomware-as-a-Service model. Although ransomware attacks fell at the start of 2022, they have increased substantially in the past few months.
What is a Ransomware Attack?
Ransomware is malware that encrypts files and documents on anything from a single PC to an entire network, including servers. It can be spread via malicious email attachments, infected software applications, compromised websites, and infected external storage devices. The attacker then demands a ransom from the victim, promising to restore access to the data upon payment.
Ransomware Distribution Methods
| Distribution Method | Description |
| --- | --- |
| Phishing emails | Clicking a link hidden in a convincing email, which redirects to a malicious webpage. |
| Email attachments | Opening a malicious email attachment. The file can be delivered in many formats, including a Word document, Excel spreadsheet, ZIP file, or PDF. |
| Remote Desktop Protocol (RDP) | Once the user's remote computer connects to an infected onsite server, the attacker gains access to the remote computer by traversing the RDP connection. |
| MSPs and RMMs | Attackers target Managed Service Providers (MSPs) through phishing and by exploiting the remote monitoring and management (RMM) tools they use. |
| Malvertising | The victim clicks an advertisement on a legitimate site that has been embedded with malicious code. |
| Drive-by infections | A download is triggered inadvertently when the victim visits a site on which attackers host malicious content. They may also inject that content into legitimate websites. |
| Infected programs | Installing a program that contains harmful code. |
| Network propagation | Spreading the malicious code to other devices via the network and USB drives. |
| Social media | The victim clicks a malicious link on Facebook, Twitter, etc. |
| Pirated software | The user installs pirated software on a Windows, Linux, or Mac computer. |
Ransomware Examples
Though ransomware has its origins in the late 1980s, it has only gained momentum in the past decade. This can be attributed to the availability of hard-to-trace payment methods such as Bitcoin.
WannaCry – 2017 – Widely described as the biggest ransomware attack in history. It exploits a vulnerability in Microsoft's SMBv1 network resource sharing protocol and includes a self-propagation mechanism: once a system is infected, the WannaCry worm spreads itself to other unpatched devices.
Ryuk – 2018 – Ryuk infects machines through phishing emails or drive-by downloads. After a system is infected, Ryuk encrypts certain types of files and then issues a ransom demand. It is generally used in combination with other malware, including TrickBot.
Locky – 2016 – Locky can encrypt more than 160 file types. It is mainly distributed by exploit kits or phishing. When Locky infects a user's computer, it scans every drive letter and network share for targeted file types.
Petya – 2016 – Petya infects a machine and can lock up the entire hard drive, preventing the computer from booting at all. It does this by targeting the Master File Table (MFT). After infection, Petya executes a payload that encrypts data across the whole drive.
More recently, ransomware families such as Thanos (2020) and DearCry (2021) have emerged, a clear indication that ransomware is on a steady rise.
Ransomware Protection
Ransomware protection comprises the technologies, strategies and tools that can stop cybercriminals from carrying out ransomware attacks. It includes:
- Endpoint protection – Moving beyond legacy anti-virus tools to next-generation anti-virus
- Data backup – Continuous data backup and 3-2-1 rule
- Patch Management – Patches are meant to upgrade, optimize, or protect existing software, computer servers, etc.
- Email Protection – Training employees to recognize malicious emails
- User Authentication – Strong user authentication greatly reduces the risk of RDP abuse
- Application Whitelisting and Control – Device controls that limit the applications installed on a device to a centrally managed whitelist
- Network Defenses – Firewall or web application firewall, intrusion detection and intrusion prevention systems
Ransomware Detection
Ransomware detection techniques help identify ransomware infections early and reduce the impact of attacks.
Prominent techniques for detecting ransomware on an infected device are:
- Detection by signature (including file hashes and the domain names and IP addresses of command and control infrastructure)
- Detection by behavior (behavior-based detection algorithms)
- Detection based on data traffic (algorithms that detect unusual data patterns)
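As an added illustration of the behavior-based and data-pattern techniques listed above (example code, not from the original article), the following Python flags a process that performs a burst of high-entropy file writes together with renames to an unknown extension, the typical footprint of bulk encryption. The file-activity events, process names and thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of file-activity events (timestamp in seconds, process,
# action, path, bytes written). Not real telemetry: the "enc.exe" entries
# mimic mass encryption, a burst of high-entropy writes plus extension changes.
TEXT = b"Quarterly figures and commentary for the board. " * 8
HIGH_ENTROPY = bytes(range(256)) * 2          # every byte value equally likely
EVENTS = [
    (0.0, "winword.exe", "write", "C:/docs/report.docx", TEXT),
    (2.5, "explorer.exe", "rename", "C:/docs/old.txt", b""),
    (30.0, "enc.exe", "write", "C:/docs/report.docx", HIGH_ENTROPY),
    (30.4, "enc.exe", "rename", "C:/docs/report.docx.locked", b""),
    (30.9, "enc.exe", "write", "C:/docs/budget.xlsx", HIGH_ENTROPY),
    (31.2, "enc.exe", "rename", "C:/docs/budget.xlsx.locked", b""),
    (31.8, "enc.exe", "write", "C:/docs/notes.txt", HIGH_ENTROPY),
    (32.1, "enc.exe", "rename", "C:/docs/notes.txt.locked", b""),
    (40.0, "backup.exe", "write", "D:/backup/report.docx", TEXT),
]
KNOWN_EXT = {".docx", ".xlsx", ".txt", ".pdf", ".zip"}   # assumed allow-list

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/random data, 4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect(events, window_s=5.0, min_ops=4, entropy_min=7.0, min_signals=2):
    """Return {process: signal counts} for processes whose file activity looks like bulk encryption."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev[1]].append(ev)
    alerts = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e[0])
        times = [e[0] for e in evs]
        # largest number of file operations inside any window_s-second span
        burst = max(sum(1 for t in times if t0 <= t < t0 + window_s) for t0 in times)
        if burst < min_ops:
            continue  # a burst of operations is the precondition for the other signals
        high_ent = sum(1 for e in evs if e[2] == "write" and shannon_entropy(e[4]) >= entropy_min)
        odd_ext = sum(1 for e in evs if e[2] == "rename"
                      and "." + e[3].rsplit(".", 1)[-1] not in KNOWN_EXT)
        if high_ent >= min_signals and odd_ext >= min_signals:
            alerts[proc] = {"burst": burst, "high_entropy_writes": high_ent,
                            "unknown_ext_renames": odd_ext}
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))   # only enc.exe is flagged
```

Requiring all three signals together keeps a legitimate backup tool or a user saving one compressed archive from tripping the rule; in production the thresholds would be tuned against a baseline of normal file activity.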
Ransomware Removal
- Shut down the system and restart it in safe mode
- Install an anti-malware program, scan the computer, and bring it back to a previous unaffected state
- Restore the system from backup files saved on a separate disk
- Re-format the disk and restore from an earlier backup if working in the cloud
Should you pay the ransom?
Several security experts and law enforcement authorities, including the FBI, advise against paying the ransom if a ransomware attack hits. Paying for decryption is not always the right option. The major reasons for not paying the ransom are:
- There is no guarantee that you will get your data back
- The attackers will be encouraged to launch more attacks once the ransom is paid
- The organization might face civil penalties for paying