The ransomware attack: what it is and how it works
Ransomware is malware that hackers use to deny businesses access to their data and demand a ransom for it. Hackers can make huge amounts of money from this practice. Ransomware can have devastating consequences for businesses, from the costs of the ransom demand to reputation damage. These kinds of attacks are one of the most common types of malware. Ransomware is still spreading and new variants keep coming out.
What is ransomware?
Ransomware is a type of malware that encrypts the victim's files. It denies a user or organization access to the files, databases, or applications on their computer. To regain access to this encrypted data, victims need to pay a ransom. Hackers can steal your data if you don’t pay this ransom. If the victim doesn't pay the ransom on time, the data could be gone forever. The cost of the ransom can range anywhere from a few hundred dollars to thousands. This amount is payable in cryptocurrencies. When the ransom is paid, there is a chance the hackers will give you the decryption key to access the data. But you can never be certain that the hackers will follow through with their end of the deal.Ransomware impacts business continuity, generates high costs, and damages sensitive data. A lot of major companies are a target of ransomware software. Attacks happen in all kinds of industries, even hospitals, and public services. Hackers will attack any consumer or any business.Most government agencies and cybersecurity organizations advise against paying the ransom so hackers are less encouraged to keep using ransomware software. Organizations that pay this ransom are also more likely to suffer from repeated ransomware attacks.
History of ransomware
Encrypting ransomware
The first malware extortion attack was the “AIDS Trojan” written by Joseph Popp in 1989. The “AIDS Trojan” hid files on the hard drives, encrypted the names, and displayed a message claiming that a certain piece of software had expired. After that, the victim was asked to pay in order to obtain a repair tool. This attack has one major flaw though. It relied solely on symmetric cryptography. This fatal flaw means that the decryption key could be extracted from the Trojan, so it was not necessary for victims to pay the extortionist at all. The extortionist was deemed unfit to stand trial and he promised to donate his profits to the fund for AIDS research. Therefore the name “AIDS Trojan”.The idea of using public-key cryptography for data kidnapping attacks was introduced by Adam L. Young and Moti Yung in 1996. They criticized the failed “AIDS Trojan” attack that relied solely on symmetric cryptography. Young and Yung created a cryptovirus using public-key cryptography and they referred to this attack as a “cryptoviral extortion”.By mid-2006, extortionate ransomware became more prominent and they started using more sophisticated RSA encryption schemes and increasing key sizes. An example of this is Trojans such as Gpcode, TROJ.RANSOM.A, Krotten, Archiveus, Cryzip, and MayArchive.
The rise of CryptoLocker
In late 2013 encrypting ransomware became prominent again with the rise of CryptoLocker. This ransomware uses the Bitcoin digital currency platform to collect the ransom money. By January 2015, ransomware-styled attacks occurred against individual websites via hacking. After that hackers started using ransomware with a two-stage payload (the user is tricked into running a script, which downloads and executes the software). Hackers used proxies tied to Tor hidden services to increase the difficulty of tracking their location and they started to offer their technology as a service on the dark web.
Non-encrypting ransomware
In August 2010, Russian authorities discovered a ransomware Trojan known as WinLock. WinLock didn’t use encryption. Instead, it restricted access to the operating system by displaying pornographic images. They asked users to send a premium-rate text message to receive a code that could be used to unlock their computer.Other examples of this type of ransomware include a ransomware Trojan that imitated the Windows Product Activation notice. It worked with placing a call on hold, causing large international long-distance charges. Another example is the ransomware Trojan based on the Stamp.EK exploit kit that was distributed via sites hosted on project hosting services.
Exfiltration (Leakware/Doxware)
A spin on the typical ransomware infection was a cryptovirology attack invented by Adam L. Young. This attack threatened to publish stole information instead of denying the victim access to it. The attacker threatens to publish the information unless a ransom is paid. This is a leakware or doxware attack.
Mobile ransomware
Ransomware started to gain more popularity. It also started targeting mobile operating systems. Mobile ransomware typically targets the Android platform because it allows apps from third parties to be installed. So it is easier to exploit. This attack will usually present itself as a blocking message on top of all other applications. However iOS devices can also be exploited through vulnerabilities in the iCloud accounts and the Find My iPhone system.
How does a ransomware attack work?
Ransomware uses asymmetric encryption. This means that it uses two keys to encrypt and decrypt a file. The attackers create these keys. They store the private key on their server and only give this key to the victim when the victim has paid the ransom. Although this is not always the case.There are many different ransomware variants and they all have different implementation details. But they all share the same core three stages.
Step 1: Infection and Distribution Vectors
Hackers distribute ransomware in many different ways, for example through targeted attacks or email spam attacks. It always needs an attack vector to establish its presence on an endpoint. Ransomware operators tend to prefer a few specific infection vectors.Phishing emails are one of those. A phishing email is an email that contains a link to a website with a malicious download or a malicious attachment with a downloader functionality. If the recipient falls for this trick, the ransomware downloads and executes itself.
Another example is ransomware taking advantage of services such as the Remote Desktop Protocol. This way, an attacker can steal someone’s credentials, gain access to a network and directly download and execute ransomware.
Step 2: Data Encryption
After the ransomware exploited the system, it drops and executes malicious code on the infected system. This code searches for valuable files and encrypts the victim's files. This encrypted data could be Microsoft Word documents, databases, images, and so on. Some ransomware variants will also delete backup copies of files to make sure recovery without the decryption key is more difficult. The ransomware can also spread further to other systems.
Step 3: Ransom Demand
Eventually, the user has to pay the ransom (expressed in a cryptocurrency) within a certain amount of time, or the files will be lost forever. Most commonly, this will present itself as a ransom note as the background. Or text files placed in each encrypted directory containing the ransom note.
How do you recognize a ransomware attack?
You might realize you made a mistake after downloading an innocent-looking attachment. But a lot of people don’t realize that their computer is suffering from a malicious software infection. In the beginning, there is a big chance nothing will happen. You will still have access to your files and as far as you know everything works perfectly. After a while, the ransomware will start encrypting your files behind the scenes. Before you know it, you can’t reach your files anymore and there is a ransom note on your computer screen.It is almost always too late when you have already downloaded the ransomware. That’s why you should look out for suspicious and unsafe websites. You should also look out for e-mails with suspicious attachments. A way to recognize these e-mails is to look at the sender’s e-mail address, the spelling, a hyperlink to an unfamiliar website, and a generic greeting. Another way to tell is if the sender is creating a sense of urgency or if they are trying to get your personal information.Telltale signs that your computer has a malware infection:
- The encrypted data is impossible to crack.
- File names are scrambled.
- File extensions are changed.
- There is a message displayed on your computer.
- The ransom is expressed in cryptocurrencies.
- The payment needs to be done in a certain amount of time.
- The ransomware can’t be detected by a standard antivirus.
- Ransomware is able to spread to the network the computer is connected to.
How does ransomware infect your computer?
Social engineering
These are all kinds of tricks hackers perform to get you to download a fake attachment or click a fake link. The harmful files can look like normal files. They can look like orders, receipts, bills, or messages. Victims think these files come from a company with a good reputation. As soon as you download the file, it’s too late, your computer has a malware infection.
Malvertising
Hackers buy advertising space to trick you into downloading the ransomware with just one click of a button. This can go from popular websites like youtube to well-known social media networks. Hackers will do everything they can to get to your sensitive data.
Exploit kits
This is a ready-to-use programming code neatly packed in a hacking tool. Everyone can use these kits to exploit vulnerabilities and security leaks in outdated software.
Drive-by-downloads
There are harmful websites that exploit outdated browsers and apps. They download ransomware in the background when you are just browsing the innocent-looking website.
Why are you more vulnerable to a ransomware attack?
Everyone can be the target of a ransomware infection. A lot of the time ransomware targets a certain software program that a lot of people use. It targets a certain vulnerability in that software to find victims.A patch or an update would fix these kinds of problems. But this isn’t as easy for everyone. A lot of businesses use custom software and that complicates things. The custom software can stop working, which ultimately means a delay in the software patch or update.Any device in your network that is connected to the internet is at risk.Some organizations might seem more tempting to hackers than others. For example, governments, medical facilities, and law firms might be more inclined to pay the ransom.There are many other reasons why a hacker might be able to steal your data more easily. Maybe you:
- almost never back up
- don’t know a lot about internet security or the threats of a cyberattack
- have no idea how to defend yourself against threats from the internet
- don’t want to spend money on cybersecurity solutions for your computer
- believe that a standard antivirus will protect your computer
- don’t believe a cyberattack can happen to you
The impact of ransomware on businesses
Businesses that fall victim to ransomware infections can lose thousands to millions of dollars in productivity and data loss. They can experience additional side effects like brand damage and litigation when hackers release their data and expose the data breach.
Why are ransomware attacks emerging?
Or maybe a better question: why is ransomware spreading?Ransomware attacks are rapidly evolving because of a lot of reasons. First of all, a lot more people are working from home which increases phishing. Phishing e-mails are easy and convenient for hackers to spread ransomware. Malware kits make it easier to create new malware. Hackers can also create cross-platform ransomware and they are using new techniques. Ransomware is spreading because it has become so easy. Even when you don’t know anything about ransomware, you can buy ransomware as a service.
What is ransomware-as-a-service or RaaS?
RaaS is an economic model that allows malware developers to sell their creations without distributing them. This makes it easy for them to make money and avoid the repercussions of cyberattacks. Criminals might pay these developers for their creations or they might pay them a percentage of their take.
Why is it so hard to find the perpetrators behind ransomware attacks?
Because hackers ask for a ransom in cryptocurrency, such as bitcoin, it’s almost impossible to follow the money trail and track down criminals. Cybercriminals are also devising ransomware schemes to make a profit as fast as possible. Easily available platforms to develop ransomware have accelerated the creation of newer and better variants. These newer variants can easily bypass standard security solutions.
Types of ransomware
- Crypto malware or encryptors are a common type of ransomware and they can cause a lot of damage. This encryptor secretly enters your computer and waits for a good moment to encrypt your files. You can even lose access to disk drives that are connected to your pc. This means you will lose access to files on these hard drives and to files saved in the cloud, like OneDrive. WannaCry is an example of this kind of ransomware. This ransomware extorted victims for more than 50.000 dollars and it denied hospitals access to their patient data.
- Lockers infect your operating system and completely close you out. This means you won’t be able to use your computer anymore and you will lose all access to your apps and files. Every time you start your computer a notification will pop up that tells you to pay the ransom to regain access to your computer.
- Scareware is fake software like antivirus software. This scareware warns you that something is wrong with your computer and asks for money to fix the problem. Some variants of scareware lock your computer, while other variants bombard you with annoying warnings and pop-ups.
- Doxware or leakware is a type of ransomware that threatens to post your stolen information online if you don’t pay the ransom.
- RaaS (Ransomware as a Service) is a type of ransomware that allows malware developers to earn money through non-technical criminals. These criminals buy the ransomware, distribute it and launch it. They pay the developers a percentage of their earnings. This type of ransomware is less risky for developers and less time-consuming.
Ransomware variants 2020 - 2021
There are many ransomware variants that all work in different ways. There are however a few notable ransomware variants that stand out from the crowd.
Ryuk
Ryuk is a very targeted ransomware variant. Most of the time it is delivered via spear-phishing emails or by using the Remote Desktop Protocol (RDP) method. Ryuk encrypts files that aren’t vital to a computer’s operation and then presents a ransom demand. This ransomware variant is well known for being one of the most expensive types of ransomware in existence. These ransom demands can be around 1 million dollars.
Maze
Maze is known for being the first ransomware variant to combine data theft and file encryptions. It started to publicly expose and sell data to the highest bidder when ransom demands were not met. The hacker group behind the Maze ransomware has ended its operations but some affiliates transitioned to other ransomware.
REvil (Sodinokibi)
The REvil group is a ransomware variant that also targets large organizations. This group is also known as Sodinokibi. They are one of the most well-known ransomware families on the net and they are responsible for many big breaches. REvil is also known to be quite expensive, sometimes demanding up to 800.000 dollars. They use the Double Extortion technique. This means that they demand a ransom to decrypt data and they might threaten to release stolen data if a second payment isn’t made.
Lockbit
Lockbit was first known as a data encryption malware and has since evolved into Ransomware-as-a-Service (RaaS). This ransomware was designed to quickly encrypt large organizations to prevent detection.
DearCry
DearCry takes advantage of four recently disclosed vulnerabilities in older Microsoft Exchange software. This ransomware encrypts certain types of files and displays a ransom note instructing victims to send an email to the ransomware developers. Victims will get an email back with instructions on how to decrypt their files.
New ransomware threats
Ransomware developers constantly invent new variants to avoid detection. Businesses have to keep up with these new methods to stay one step ahead of hackers. For example, hackers can use DDL side loading and services that look like legitimate functions. They can also target web servers. A new method to watch out for is spear-phishing. Spear-phishing is the act of performing reconnaissance on potential targets for their high privilege network access.
How to protect against a ransomware attack
Ransomware prevention usually involves backups and security tools. There are a number of steps you can take to decrease the cost and impact of a ransomware infection. Certain best practices can reduce the exposure to ransomware.
Utilize best practices
Continuous data backups
Paying the ransom demand isn’t the only way to protect your data. Frequent, automated data backups make sure you can recover from a ransomware attack. Even outside of ransomware protection, it’s a good practice against corruption or disk hardware malfunctions. By backing up files to the cloud and on an external hard drive, you can wipe your computer free and reinstall your files in case of a ransomware attack. You should also secure your backups by making sure they are not accessible for modification or deletion.
Patching
Another important best practice is patching. Cybercriminals will often look for vulnerabilities listed in patches and target systems that haven’t been patched yet. This is why it’s important to always patch and update your systems as soon as possible.
Defending your email against phishing and spam
Email phishing and spam are the most common ways that ransomware is distributed. You can a tool such as Secure Email Gateways with targeted attack protection to detect and block malicious emails. If you don’t use this kind of tool, you should always look at the sender of the e-mails and other signs of phishing. Other signs of phishing can be the bad spelling of the e-mail, a suspicious hyperlink to an unknown webpage, or an unprompted attachment. Altogether phishing attacks try to create a sense of urgency.
Cyber awareness training and education
Ransomware is often spread because people aren’t aware of the dangers. Employees often get tricked by phishing emails or social engineering. Learning how to identify and avoid ransomware attacks is crucial. It’s also important to stay informed about the latest ransomware threats.
User Authentication
Hackers love to use Remote Desktop Protocol or RDP. That’s why strong user authentication is important. It can make it harder for hackers to guess or steal passwords.
Defending your mobile devices against ransomware with mobile attack protection products
Together with mobile device management (MDM) tools, it can analyze applications that might compromise the environment.
Defending your web surfing against ransomware
Use secure web gateways to scan web surfing traffic and identify malicious web ads. Always be careful where you click and don’t install software from unreliable sources. Other tips to stay safe while searching the web are to avoid using public Wi-Fi networks and to consider using a VPN.
Monitoring
Monitor your server and network with monitoring tools to detect unusual activity.
Installing antivirus software and deploying anti-ransomware solutions
Install antivirus software to detect malicious programs and install whitelisting software to prevent unauthorized applications from executing. Finally, deploy anti-ransomware solutions to completely avoid ransomware attacks.
Why you shouldn’t just pay the ransom
After your files are encrypted, a screen displays a ransom note. On this note is displayed what amount of ransom must be paid. Victims are usually given a specific amount of time to pay the ransom demand. Hackers might also threaten to expose the data leak to the public.Most experts advise you not to pay the ransom because you can’t be sure you will receive the key to decrypt your data. Businesses that pay the ransom demand also have a higher chance of being targeted by a ransomware infection again.
How to remove ransomware
Nobody wants to see a ransomware demand note on their computer. When you suspect you’ve been infected with ransomware, it’s important that you get to work quickly. There are still several steps you can take to give you the best possible chance to minimize the damage.
Isolate the infected device and stop the spread
It’s important to disconnect the affected device from the network, internet, and other devices as soon as possible. This way you can avoid infection on your other devices. It’s also important to investigate other devices that could have been infected and isolate them as well. Any device connected to the network can pose a threat no matter where they are. It’s also a good idea to shut down wireless connectivity (Wi-Fi, Bluetooth, …) at this point.
Assess the damages and locate patient zero
Determine which devices have been infected by checking your files. Recently encrypted files will have strange file extension names and odd file names. You can also have trouble opening these files. When devices aren’t entirely encrypted, you should isolate and turn off this device to prevent further damage. You should always investigate these attacks. Make a list of all infected devices and systems. To find patient zero you should look for the device with the highest number of open files. You can also check for alerts from your antivirus or monitoring platforms. Most malicious software enters the system through emails so investigating your employees is also a good idea.
Identify the ransomware and report the attack to the authorities
It’s important to discover which ransomware variant you’re dealing with. You can find multiple tools online to analyze encrypted files to figure out the ransomware variant. Another option is to use a search engine to look up the email address on the ransom demand note to figure out the variant. Once you figure out the variant you can alert everyone affected and tell them about the signs of this ransomware infection. You can contact experts in incident response or computer forensics to help you with this attack. But most importantly, you should report this attack to your law enforcement.You should also follow your country’s GDPR laws and report the right instances when personal data is in danger. Otherwise, your business could receive some hefty fines.
Evaluate your backups and research your decryption options
Ideally, you have made a backup. This means you can wipe your system using an antivirus or antimalware solution and you can just reinstate your files. If you don’t have a viable backup, there might still be a chance to get your data back. There is a small chance you can find the decryption key for your ransomware variant online. If you have exhausted your options, it might be time to cut your losses.
Jimber Solutions
Jimber has three solutions that prevent ransomware attacks. We use isolation technology to isolate your browsing activity, corporate applications, and files and passwords in a separate environment that is set up on purpose. This environment is a Jimber layer that protects your computer's HTML code, Javascript code, and APIs. Hackers can only interact with this layer. They can’t damage your computer any more or steal your data.
Browser Isolation
Browser Isolation protects your browsing activity by placing all traffic in an isolated container. As soon as your browsing session is closed, all threats are eliminated. This way you can surf any website you want without being afraid of ransomware.
Web Application Isolation
Web Application Isolation protects your corporate applications from ransomware attacks. Only the right people have access to your sensitive data and you can access your apps anytime and anywhere you want. Web App Isolation protects your applications from a number of the OWASP top 10 vulnerabilities. Users only receive a graphical visualization of your data. Your corporate apps are protected by our container, your APIs are inaccessible and vulnerabilities are history.
The Digital Vault
With our Digital Vault, you can protect your files and passwords from ransomware attacks. Our Digital Vault uses our Web App Isolation technology. You never share your actual password, but you give access to an application in which you can share your password. This way, it can’t be stolen and you can share and edit your documents in a secure way. Our application works with encryption that makes your files unreadable to unauthorized people. Even if a hacker would gain physical access to the server the files are hosted on, they still would not be able to decrypt the files. So your sensitive information is always protected. Users only see a graphical visualization of their files and never the complete confidential document. The Web Application Isolation runs in the background and isn’t noticeable to the users. Files and folders open directly from the server and thus never physically reach the end user’s computer. This means hackers can’t hack into your vault and access your files.Do you want to learn more about the types of ransomware and their history? Check this out: https://www.techtarget.com/searchsecurity/feature/4-types-of-ransomware-and-a-timeline-of-attack-examplesLearn more about our solutions: https://jimber.io/en/solutions/Other topics that might interest you:What is malware?What is data encryption? Cyberattack Red Cross: An interview with cyber experts
Find out how we can protect your business
In our demo call we’ll show you how our technology works and how it can help you secure your data from cyber threats.
We’d love to help you get your customers on board.