
September 12, 2021 - No Comments!

What is Ransomware? How It Works and Ways to Prevent It

Ransomware attacks have become all too common, and large companies in Europe and North America have fallen victim to them. Cybercriminals will attack any business or user, in any industry.

By understanding what ransomware is and how the major ransomware campaigns operated, organizations and users gain a solid foundation in the exploits, characteristics, and tactics of ransomware attacks. Keep reading to learn more about ransomware attacks.

What is Ransomware?

Ransomware is a type of malware (malicious software) that holds the victim's information to ransom. First, the user's data is encrypted, making them unable to access their databases, files, or applications; then a ransom is demanded in exchange for restoring access.

It is often designed to spread across a network and then target file servers and databases. Ransomware has become an increasing threat, generating large sums in payments to cybercriminals and causing significant damage to users and organizations.

History of Ransomware

Ransomware is not a 21st-century invention; it has been around since 1989, when the AIDS virus was used to extort money from its victims. In 1996, the concept, then known as cryptoviral extortion, was introduced by Adam Young and Moti Yung of Columbia University.

At the 1996 IEEE Security and Privacy conference, they presented the first cryptovirology attack, in which the virus encrypted the victim's files with the attacker's public key. The malware then prompted the victim to send the asymmetric ciphertext to the attacker, who would return the decryption key for a fee.

Over the years, attackers have moved to payment methods that are not easy to trace, which keeps them anonymous. These attacks have also become more popular with the growth of cryptocurrencies like Bitcoin, Litecoin, Ripple, and Ethereum.

The first concrete case of ransomware was reported in Russia in 2005, and since then such cases have spread all over the world, with new variants proving successful. In 2011 a marked increase in ransomware attacks was observed, which led antivirus vendors to focus their virus scanners more closely on ransomware.

How Ransomware Works

Ransomware utilizes asymmetric encryption, a form of cryptography that uses a pair of keys: a public key to encrypt a file and a private key to decrypt it. The attacker generates this key pair, encrypts the victim's files with the public key, and keeps the private key needed to decrypt them on the attacker's server.

The attacker releases the private key to the victim only after the ransom is paid, though even that is not guaranteed. Without access to the private key, it is impossible for the victim to decrypt the files being held for ransom.

Many variations of ransomware exist, but most often the ransomware, like other malware, is distributed through targeted attacks or email spam campaigns. Any malware requires an attack vector to establish its presence on the endpoint.

Once a foothold is established, the malware remains on the system until its task is completed: the ransomware drops and executes a malicious binary on the system, and that binary encrypts valuable files such as images, databases, and documents.

How to Detect Ransomware

To detect ransomware, the right security software and a watchful eye are both important. The software should help you perform vulnerability scans so that you can find intruders in your system.

The first step is to make sure your computer is not an easy target for ransomware. Keep device software up to date so that you benefit from the latest updates and security patches.

Always be careful with email attachments and rogue websites. However, even the best preventive measures may fail, so it is essential to have a contingency plan that includes a backup of your data.

What Examples of Ransomware Are There?

Ransomware evolves incrementally, with continual variation in its functions, targets, and code. Here are some common ransomware attacks from the recent past:

1. WannaCry

WannaCry was one of the largest and most serious ransomware attacks, taking place in the spring of 2017. About 250,000 victims in approximately 150 countries were asked to pay a ransom before a kill switch was tripped to stop the spread.

2. CryptoLocker

This was one of the first contemporary ransomware attacks to demand payment in a cryptocurrency (Bitcoin); it encrypted the user's hard drive and any attached network drives. It spread via email attachments that claimed to be UPS and FedEx tracking notifications. A decryption tool for this attack was released in 2014, but approximately $27 million had already been extorted.

3. NotPetya

This is known as one of the most damaging ransomware attacks. It borrowed tactics from Petya, such as infecting and encrypting the master boot record of Microsoft Windows-based systems. NotPetya used a vulnerability similar to WannaCry's to spread rapidly and demanded payment in Bitcoin to undo the changes. However, NotPetya could not actually undo its changes to the master boot record, rendering the target system unrecoverable.

4. Bad Rabbit

Bad Rabbit used code and exploits similar to NotPetya's to spread. It was a highly visible ransomware campaign targeting Ukraine and Russia and hitting media companies in those regions. Unlike NotPetya, however, this infection did allow decryption once the ransom was paid. It spread through a fake Flash Player update.

What are the Main Forms of Ransomware?

The threat posed by ransomware depends on the variant. There are two main categories of ransomware:

  • Locker ransomware - blocks basic computer functions
  • Crypto ransomware - encrypts individual files

Which type of malware is involved makes a significant difference when it comes to identifying and dealing with ransomware.

Should I pay the ransom?

Most law enforcement agencies urge victims not to pay the ransom to ransomware attackers. Logically speaking, paying the ransom only encourages the hackers to create more ransomware.

Many organizations that find themselves in this situation do a cost-benefit analysis, weighing the price of the ransom against the value of the encrypted files. Attackers tend to keep prices low, at an amount the victim can pay on short notice.

Some even adjust the ransom to the economy of the country the infected computer is operating in, demanding less from developing countries and more from wealthy ones, and offering discounts for acting fast.

There are a number of things to keep in mind. First, the ransomware may not have encrypted any data at all, so make sure you are not dealing with scareware before you send money. Second, paying the ransom does not guarantee that your encrypted files will come back.

How to Prevent Ransomware Attacks

When it comes to ransomware, prevention is always better than cure. There are several ways to prevent ransomware attacks, including:

  1. Defend your web surfing- Secure web gateways can inspect users' web traffic and identify malicious web ads that might deliver ransomware.
  2. Protect your email- Email spam and phishing are among the main ways ransomware is distributed. Securing email is therefore crucial for detecting and blocking malicious messages before they deliver ransomware.
  3. Monitor your network, servers, and key backup systems- This helps detect unusual activity, command-and-control (C&C) traffic, abnormal CPU loads, and viruses so they can be blocked before they activate.
  4. Protect your mobile devices- Protection software can analyze the applications on a device and alert the user to any that might be harmful to your files.
  5. Install antivirus software that detects malicious software, and whitelisting software that prevents unapproved applications from executing.
  6. Back up your data- The best way to avoid paying a ransom is to have a backup of your data, preferably on an external hard drive or in the cloud. If your system is affected, you can wipe it clean and restore the files.
  7. Secure the backups- Backups only help if the backup files cannot be deleted or modified by an attacker.
  8. Stay informed- Know what ransomware is and follow the latest ransomware threats so you know how best to handle an infected system. Also know which decryption tools are available to help victims.

Steps for Responding To a Ransomware Attack

If you suspect your system has been hit by a ransomware attack, it is crucial to act quickly. Here are the steps you should follow to minimize the damage and return the business to normal:

  1. Isolate the infected device- Ransomware on one device is a small inconvenience; ransomware on all your devices is a major one. To keep your operating systems, network, shared drives, and other devices safe, disconnect the affected device from the internet and from other devices immediately.
  2. Stop the spread- Disconnect all devices, including those off-premises, and shut down wireless connectivity (Wi-Fi, Bluetooth, etc.).
  3. Assess the damage- Check for encrypted files, files currently being encrypted, and malicious attachments with unusual file extensions. If a device has been fully encrypted, turn it off and isolate it. Build a comprehensive list of affected systems, including cloud storage, network storage devices, smartphones, etc.
  4. Locate patient zero- Tracking the infection is easier once you identify the source. Check for alerts from the antivirus software and examine the properties of the affected files.
  5. Identify the ransomware- Online tools can help identify the ransomware strain and, in some cases, free your data.
  6. Report the attack to the authorities as soon as possible.
  7. Check your backups and start the recovery process.
  8. Understand the decryption options if you don't have a viable backup.
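
As an added illustration of the "unusual file extensions" check in step 3 and the watchful-eye monitoring recommended under How to Detect Ransomware, this Python example (not from the original article) flags a burst of renames that append the same new extension to many files, and checks whether a file's contents look encrypted by measuring byte entropy. The rename records and paths are constructed for the example, not real telemetry.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of file-rename records (seconds, old_path, new_path), shaped
# like the output of an endpoint agent or file-audit log. Hypothetical data.
RENAMES = [
    (0.0, "/srv/share/q3-budget.xlsx", "/srv/share/q3-budget.xlsx.locked"),
    (0.4, "/srv/share/board-minutes.docx", "/srv/share/board-minutes.docx.locked"),
    (0.9, "/srv/share/invoice-1042.pdf", "/srv/share/invoice-1042.pdf.locked"),
    (1.3, "/srv/share/team-photo.jpg", "/srv/share/team-photo.jpg.locked"),
    (1.8, "/srv/share/customers.db", "/srv/share/customers.db.locked"),
    (900.0, "/srv/share/draft.docx", "/srv/share/final.docx"),  # ordinary user rename
]

def appended_extension(old_path, new_path):
    """Extension a rename bolted onto the original name ('x.docx' -> 'x.docx.locked'), else None."""
    suffix = new_path[len(old_path) + 1:]
    if new_path.startswith(old_path + ".") and suffix and "/" not in suffix:
        return suffix
    return None

def detect_extension_bursts(renames, window=60.0, threshold=5):
    """Report extensions appended to >= threshold files within `window` seconds.
    Returns [(extension, count, first_seconds)], one entry per bursting extension."""
    by_ext = defaultdict(list)
    for ts, old, new in renames:
        ext = appended_extension(old, new)
        if ext:
            by_ext[ext].append(ts)
    bursts = []
    for ext, times in sorted(by_ext.items()):
        times.sort()
        for i, start in enumerate(times):
            # count renames to this extension in the window that opens at `start`
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                bursts.append((ext, count, start))
                break
    return bursts

def shannon_entropy(data):
    """Bits of entropy per byte; encrypted output sits near 8.0, documents far lower."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data, threshold=7.5):
    """Content-level check for files written by a suspected encrypting binary."""
    return shannon_entropy(data) >= threshold
```

Running `detect_extension_bursts(RENAMES)` on the sample reports the five `.locked` renames within two seconds and ignores the single ordinary rename; the entropy check is a complement, since compressed archives and media also score high.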

Frequently Asked Questions (FAQs) on Ransomware Attacks

1. Why is ransomware spreading?

Ransomware variants and ransomware attacks keep evolving for a number of reasons, including:

  • Use of new techniques such as encrypting the whole disk instead of specific files.
  • Availability of malware kits used to create new malware samples.
  • Use of known generic interpreters to create cross-platform encrypting ransomware.

Nowadays attackers don't need to be tech-savvy: online ransomware marketplaces have multiplied, offering malware strains to any cybercrook. This generates profit for the malware authors, who take a commission when the ransom is paid.

2. Why is it so difficult to find ransomware perpetrators?

Finding ransomware perpetrators has become harder and harder for a number of reasons. First, the attackers use an anonymous mode of payment: cryptocurrency such as Bitcoin. This makes it difficult to follow the money or track down the criminals.

Second, the easy availability of drag-and-drop platforms and open-source code has accelerated the creation of new ransomware variants, and script novices can now build their own ransomware.

Lastly, cutting-edge malware such as recent ransomware variants uses a polymorphic design that lets cybercriminals bypass traditional signature-based security that depends on file hashes.

3. Who is a target for ransomware?

Attackers choose which organizations to hit with ransomware in different ways, including simple opportunity. For example, attackers might target universities because they have smaller security teams and systems built around a lot of file sharing, making them easier to penetrate.

On the other hand, some organizations are tempting targets because they are likely to pay the ransom quickly, for example medical facilities or government agencies. Other organizations with sensitive data, such as law firms, may pay to keep news of the compromised data quiet.

4. What is ransomware-as-a-service (RaaS)?

Ransomware-as-a-service (RaaS) is an economic model that enables malware developers to earn money from their creations without having to distribute the threats themselves. Instead, non-technical attackers buy the ransomware and launch the infections, paying the malware developers their cut.

The developers run a relatively low risk since their customers do most of the work. Some developers offer subscriptions, while others require registration to get access.

Published by: Jacky Chou in Software
