Ransomware is the second most frequent malware attack after Command and Control (C2) attacks, according to the Verizon Data Breach Report . Email continues to be the primary injecting mechanism for all malware, including ransomware. So how do you teach users not to click on phishing links?
The opinion of the professionals: nothing. People will do what is in their nature. Therefore, we need to approach the ransomware problem differently. In this article, we will look at the main features and methods of dealing with ransomware.
For more information on ransomware, see Troy Hunt 's free Introductory Course on Ransomware Virus .
What are Ransomware?
Ransomware is malware that encrypts victim data. The attacker then asks the victim to pay a ransom for the key to decrypt her files.
The first such program appeared in 1989, distributed on floppy disks, and required a payment of $ 189.
In 2019, a ransomware attack hit the city of Baltimore. The liquidation of the damage cost about $ 18 million.
But how exactly does this malware work?
How does ransomware work?
Ransomware is a multi-stage attack that cybercriminals carry out in a variety of ways. But the key steps are the same - infiltrate the victim's network, encrypt as much data as possible, and extort payment for decryption.
1. Infection
First, attackers need to inject malware into the selected network. Most often, this is a simple phishing attack using malicious programs in file attachments. The ransomware then either runs locally or tries to replicate to other computers on the network.
2. Obtaining security keys
The malware then informs the attackers about the victim's infection and obtains the cryptographic keys needed to encrypt the data.
3. Encryption
At this point, the ransomware encrypts the victim's files. It starts with a local drive and then tries to check the network for mapped drives or open drives to attack. For example, CryptoWall deleted Volume Shadow Copy files to make it difficult to restore from a backup, and was also looking for a way to steal BitCoin wallets. WannaCry used the EternalBlue vulnerability to spread to other computers and then encrypt.
4. Extortion
The victim is stricken and the attacker sends a notification demanding payment for decryption. Usually, it contains some figure in dollars with threats like βpay us, or you will lose your dataβ.
It's worth noting that thanks to cryptocurrency, the distribution of ransomware has become a lucrative business. It is difficult to measure the profitability of criminal activity at this time, but the frequency of attacks indicates that attackers see benefits and continue to use these methods.
Lately, the extortion plan is based on the threat of data disclosure. Ransomware is capable of not only encrypting data on a system, but also transmitting it to attackers. This is followed by a threat: pay us or your data will be publicly available.
5. Unlock and recovery
What matters now is whether the victim pays the ransom and hopes the perpetrator will honestly send the decryption keys. Or it removes malware and tries to manually recover the encrypted data.
Attackers usually do not provide keys even after receiving the money . Yes, although it can be shocking. This is why the extortion incident in Baltimore was so costly and why it took so long to recover. In Baltimore, attackers were not paid, so IT staff had to recover data when they could, and reconfigure devices on which they could not.
The recovery plan must also consider the threat of data disclosure.... But how can you prevent an attacker from disclosing the stolen data? No way. In this regard, protecting systems and preventing ransomware infiltration is much more important than backing up data.
You can learn more about how ransomware works in the video below - it's included in our free introductory course on Ransomware by Troy Hunt :
How to Protect Against Ransomware: Basic Tips
Building protection against ransomware attacks involves taking steps by individuals and the entire enterprise to prevent infection.
Don't click on links!
Yes, you've heard about this before. But it's always worth repeating again. In 2020, a large percentage of malware entered systems through phishing emails. People (all without exception!) Will not stop following links. We recently published The Ultimate Guide to Phishing Attacks , which details the principles of a phishing attack and tips on how to avoid falling victim to it.
Protect your email and endpoints
We know from experience that employees will always click on links. Therefore:
- Scan all emails for known "strains" of malware and update firewalls and endpoint protections with the latest known virus signatures;
- Notify users about external emails;
- Provide VPN for users to use outside of the network.
Store backups
Keep up-to-date backups to protect important data - both corporate and personal. The best and fastest way to deal with ransomware is to immediately re-image the disk and then restore the data from the last reliable backup. Of course, if the data was not deleted as a result of the attack, this is another problem.
Protect confidential information
People are genetically predisposed to trust. This is one of the evolutionary reasons for the enormous spread of our species. Our inherent trust helps psychics to convince us that we ourselves have made a certain choice, and to attackers - to force them to tell them our passwords or mother's maiden names.
When someone asks you for confidential information, be skeptical and follow the established rules. This is the same problem as with links, but it could be real personal communication.
Who is at risk?
In theory, everyone can be harmed by ransomware. For economic reasons, the most sophisticated attacks usually target large, solvent organizations. But ransomware attacks do not always have a specific target. Some attackers use carpet bombing techniques and try to infect as many users as possible at the same time.
7 types of ransomware everyone should know
Attackers are constantly developing new types of ransomware that exploit various attack vectors such as malicious ads, ransomware worms, and peer-to-peer file transfer programs.
Ransomware attacks don't have to be dodgy to be effective. A well-known vulnerability was exploited to spread WannaCry and NotPetya and proved to be super effective.
Recently, ransomware as a service (RaaS) has become very popular, such as Netwalker , where hackers lease their malware to other cybercriminals, resulting in increased incidence and coverage.
Let's take a look at other types of ransomware and how they work.
Cryptographers
The first and most common category of these programs is ransomware ransomware. CryptoLocker and CryptoWall have gained a reputation for being reliable encryption ransomware viruses. Encryption is the process of encrypting data, so it cannot be read without the appropriate key.
Hacking ransomware
Brute force cracking: A symmetric key algorithm takes from a few hours for a small 20-bit key to millions of years for a 128-bit key.
Both public and symmetric keys can theoretically be brute-force cracked. But you shouldn't count on it. Modern encryption is too complex a process even for the fastest computers.
More specifically, the chances of decrypting files infected by the ransomware using brute force are somewhere between scanty and zero (and much closer to zero).
Ransomware that deletes data
Attackers can threaten that any attempt to decrypt your files will lead only to a "permanent data loss" . Or the files will be deleted if you don't pay.
Well-known data deleting viruses are Gpcode and FileCoder.
The opinion of the professionals: if files are βdeletedβ by ransomware, they cannot be overwritten on the disk. The best option is to restore from a backup.
Blockers
Attackers create malicious websites that try to trick you into thinking that the police are looking for you and you need to pay a fine, or otherwise abuse your trust. They even know how to disable keyboard shortcuts to make it harder for you to close the screen. Such methods are used, for example, by the Winlock and Urausy programs.
The opinion of professionals: all incoming messages with a request to transfer money are fraudulent.
Ransomware for mobile devices
Since ransomware has proven itself well on PCs, cybercriminals create similar programs for mobile devices. Basically, they are a kind of blocker, since encrypting a mobile device that is regularly backed up is pointless.
Ransomware response rules
The following actions will help to cope with the ongoing ransomware attacks and mitigate their consequences:
1. Insulation
The first step in fighting ransomware is to isolate infected systems from the rest of the network. Stop these systems and disconnect the network cable. Turn off WI-FI. Infected systems must be completely isolated from other computers and storage devices on the same network.
2. Identification
Then, find out what kind of malware caused the infection on your computers. Incident Response, IT staff, or third-party consultants must identify the type of ransomware and plan how to best deal with the infection.
3. Alert regulatory authorities about the threat
Depending on the consequences of the incident and the applicable legal provisions, the incident should be reported to the regulators.
4. Removal of malware
Remove malware from infected systems to prevent further damage and the spread of the virus.
5. Data recovery
After suppressing the attack, proceed to the recovery process. Paying the ransom is one option. Perhaps the attackers are noble thieves and will give you the keys you need to decrypt your data. The best option is to restore from the most recent backup available. If available.
Is the ransom worth paying?
Not. In most cases, this is not worth doing. Ransomware protection and available backup options should be a priority. Back up regularly to prevent such attacks and protect your data, so you never need to pay the ransom. However, in practice, things can be much more complicated.
Is cyber insurance provided to protect against ransomware attacks? Is it possible to buy bitcoins to pay the ransom on time? Are there backups for infected systems? Is the data critical? When deciding whether to make a foreclosure, you will most likely need to answer these questions.
Before considering transferring funds
Finding a decryption tool
Browse the internet for existing decryption tools . You do not need to pay a ransom when keys are found to repel an attack. Sometimes cybersecurity experts manage to obtain decryption keys from malicious servers and publish them online. Some of them are described below:
When should you think about transferring funds?
At the cybersecurity summit, Joseph Bonavolonta, in charge of the FBI's cybersecurity and counterintelligence program, said, "To be honest, we often advise you to just pay the ransom."
He also clarified: βA successful ransomware attack ultimately benefits the victims: since so many pay the ransom, malware authors are less inclined to squeeze large sums out of a single victim by setting small sizes. And most ransomware scams keep their word. Therefore, you will be given back access. "
Most ransomware viruses require a ransom in the $ 200β $ 10,000 range, according to the FBI.
However, there are precedents when the amount was much higher. In 2014, attackers encrypted the files of the Detroit administration and demanded a ransom in the amount of 2,000 bitcoins, which at that time was about $ 800,000. This story has a happy ending: the Detroit administration didn't need this database, so it didn't pay.
Sometimes transferring funds is the right decision. The Dixon County Sheriff's Office in Tennessee paid $ 622 in Bitcoin to hackers who encrypted the department's criminal files. According to detective Jeff McCliss, "it came down to a choice between losing all the data and not being able to perform the critical tasks in which we used it, and paying a little over $ 600 to get the data back." The sheriff's office was lucky - he was given back access to his files.
Refusal to pay: when you shouldn't go on about
Some cybersecurity experts are urging not to pay the ransom due to the lack of guarantees that the files will be returned to their original state even after the funds are transferred. In addition, agreeing to pay ransomware exacerbates the existing problem by making the victim a target for further malware attacks.
In 2016, it was reported that the ransomware-stricken Kansas hospital had paid a ransom in hopes of getting back to work as soon as possible, but after the funds were transferred, the files were only partially decrypted. At the same time, the cybercriminals demanded more money to decrypt the remaining files. As a result, the hospital refused to pay a second time as it no longer seemed like a "smart or strategic decision."
To make matters worse, if infected with a defective strain such as Power Worm, files cannot be recovered regardless of the action taken. Even if one wants to pay the ransom, this attack will inevitably destroy the victim's data during encryption.
In other cases, such as during an attack by the NotPetya virus, the purpose of which is not financial gain, but the destruction of data, even if you accumulate bitcoins to pay the ransom, it will not be possible to return the data.
Agree that this is a simple and effective solution - to stop the ransomware attack at the very beginning, when only a couple of hundred files are encrypted, instead of having to deal with a fully encrypted storage system later.
Additional resources and literature
Here you will find a number of articles on ransomware, as well as links to specific variants found by Varonis security analysts:
- Ransomware Meets Its Match With Automated Cyber ββDefenses
- Cerber Ransomware: What You Need to Know
- The Malware Hiding in Your Windows System32 Folder: Mshta, HTA, and Ransomware
- New SamSam Ransomware Exploiting Old JBoss Vulnerability
- Ransom for the Queen: Varonis detects SaveTheQueen ransomware ransomware