How are ransomware attacks delivered?

Ransomware attacks have become increasingly common in recent years. They involve malicious software that encrypts data on a device or network, preventing the owner from accessing it. The attacker then demands a ransom payment in cryptocurrency to provide the decryption key and restore access. Understanding how ransomware is delivered can help organizations and individuals defend against these attacks.

What is ransomware?

Ransomware is a type of malware that encrypts files on a device or network. The attacker provides a decryption key to recover the files only if a ransom is paid, usually in a cryptocurrency like Bitcoin that is difficult to trace. There are several different types of ransomware, but they generally work in a similar way by encrypting data and demanding payment.

How is ransomware delivered?

There are a few common methods that attackers use to deliver ransomware to a target:

Phishing emails

Phishing involves sending fraudulent emails that appear legitimate, tricking the recipient into opening malicious attachments or links. These emails may look like they are from a trusted source and contain links or attachments that install the ransomware when opened.

Compromised websites

Attackers may exploit vulnerabilities in websites to insert malicious code that infects site visitors with ransomware. This “drive-by download” does not rely on any user action and can infect victims simply by visiting the website.

Software vulnerabilities

Unpatched vulnerabilities in operating systems, software, and devices can allow ransomware to gain access. Attackers scan for devices with unpatched vulnerabilities and use exploits to install and execute the malicious code.

Remote Desktop Protocol (RDP)

RDP credentials can be cracked through brute force attacks, giving attackers full control over the target system for remote installation of ransomware. Weak RDP passwords are often exploited.

Trojan horses

Malware that disguises itself as legitimate software can be used to install ransomware when a user runs what they believe to be a harmless program. Trojans enable attackers to gain remote access for covert installation.

What are the different types of ransomware?

There are several major families and variants of ransomware that use differing tactics:

Cryptolocker

One of the earliest ransomware threats, Cryptolocker is spread through email attachments and infects Microsoft Windows devices. It uses AES encryption to lock files.

CTB-Locker

Distributed via exploit kits and RDP brute force attacks, CTB-Locker (Curve-Tor-Bitcoin Locker) abuses Windows’ volume shadow copy backup system to make encryption more difficult to recover from.

Locky

Arriving as email attachments posing as invoices and other files, Locky avoids detection by using macros to download the payload from an external server. It has infected millions of systems worldwide.

WannaCry

This extremely virulent ransomware cryptoworm spread through the EternalBlue exploit targeting SMBv1 on Windows machines. It caused major outbreaks globally in 2017.

Ryuk

Ryuk ransomware is distributed manually and often targets larger organizations with bespoke infection and encryption processes optimized for rapid impact and high-value ransoms.

RansomEXX

A newer ransomware-as-a-service platform that allows affiliates to customize attacks. It uses strong encryption and targets vulnerable RDP endpoints.

What access do attackers need to install ransomware?

To successfully install and run ransomware on a system, attackers require some level of access and ability to execute code. The level of access needed depends on the distribution method:

  • Phishing – Opening attachments or links provides some execution access
  • Drive-by downloads – Visiting the compromised website is sufficient for infection
  • Software exploits – Access varies based on the exploit used
  • RDP attacks – Full remote access allows ransomware installation
  • Trojans – User must run the disguised program, enabling code execution

In most cases, the attacker needs to be able to run a program of some kind to infect the system with ransomware. That program then establishes persistence, spreads, and encrypts data.

How does ransomware encrypt files?

There are a few techniques ransomware uses to encrypt user files and make them inaccessible:

Asymmetric encryption

A public-private keypair is generated, with the public key used to encrypt files. Only the attacker holds the private key needed to decrypt them.

Hybrid encryption

The ransomware generates a symmetric AES encryption key to rapidly encrypt large numbers of files. The AES key is encrypted with an asymmetric public key so only the attacker can decrypt it.
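Because the per-file AES step turns compressible documents into near-uniform bytes, a sudden rise in byte entropy across files that used to be text is one of the signals endpoint tooling uses to spot encryption in progress. The Python below is an added example written for this article, not code from the original or from any product: it measures Shannon entropy over a constructed snapshot of file contents and flags files that look like ciphertext. The threshold, the extension skip-list, the sample paths and the ".locked" name are assumptions.

```python
import hashlib
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for empty or
    single-valued input, 8.0 for a uniform spread over all 256 byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Entropy above which a file that should be compressible text starts to look like
# ciphertext. The value is an assumption for this example; tune it per file type.
ENCRYPTED_THRESHOLD = 7.5

# Formats that are already compressed and legitimately sit near 8 bits/byte, so an
# entropy check alone would flag them. Illustrative list, not exhaustive.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4"}


def looks_encrypted(path: str, data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """True when a file that is not a known compressed format has ciphertext-like entropy."""
    ext = os.path.splitext(path)[1].lower()
    if ext in COMPRESSED_EXTENSIONS:
        return False
    return shannon_entropy(data) >= threshold


def scan_snapshot(files: dict) -> list:
    """files maps path -> bytes. Returns the paths that look encrypted, sorted."""
    return sorted(p for p, d in files.items() if looks_encrypted(p, d))


def encryption_ratio(files: dict) -> float:
    """Fraction of the snapshot that looks encrypted. A jump in this ratio across a
    user's documents between two scans is the mass-encryption signal to alarm on."""
    if not files:
        return 0.0
    return len(scan_snapshot(files)) / len(files)


# Constructed sample contents. The "ciphertext" is a deterministic pseudo-random
# byte string built from SHA-256 digests; it stands in for AES output.
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat, headcount unchanged.\n" * 64
CIPHERTEXT_STANDIN = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

SAMPLE_SNAPSHOT = {
    "C:/Users/alice/Documents/notes.txt": PLAINTEXT,
    "C:/Users/alice/Documents/customers.csv": PLAINTEXT,
    "C:/Users/alice/Documents/customers.csv.locked": CIPHERTEXT_STANDIN,  # constructed name
    "C:/Users/alice/Pictures/holiday.jpg": CIPHERTEXT_STANDIN,            # skipped: compressed format
}

if __name__ == "__main__":
    for path in sorted(SAMPLE_SNAPSHOT):
        print(f"{shannon_entropy(SAMPLE_SNAPSHOT[path]):.2f} bits/byte  {path}")
    print("suspicious:", scan_snapshot(SAMPLE_SNAPSHOT))
    print(f"encrypted ratio: {encryption_ratio(SAMPLE_SNAPSHOT):.2f}")
```

Two caveats a practitioner should carry into a real deployment: Office documents (.docx, .xlsx) and most PDFs are zip or deflate containers, so they also sit near 8 bits/byte and need format-aware checks rather than a bare entropy threshold; and a single high-entropy file proves nothing, while hundreds of user documents crossing the threshold within minutes is the pattern worth an alert.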

Damaging the Master File Table (MFT)

Some ransomware overwrites or damages the MFT, which prevents NTFS from locating files. This renders files permanently unrecoverable even with a key.

Exploiting shadow copies

Windows automatic backup copies called Volume Shadow Copies can be targeted and deleted to prevent recovering encrypted files from backups.

How do ransomware attacks begin?

Ransomware attacks generally begin by gaining an initial foothold in the victim’s environment:

Delivery

The malicious code is delivered through phishing, drive-by downloads, software exploits, RDP, Trojans, or other vectors.

Execution

User interaction like opening attachments or links causes the malware to execute its payload.

Establishing persistence

The ransomware installs itself in the system or network, adding registry keys, services, or other persistence mechanisms.

Lateral movement

The malware propagates across the network to infect more systems and escape containment.

What network protocols do ransomware families use?

Ransomware typically uses standard network protocols to spread and establish command and control channels once active in a system or network:

Protocol     Use
SMB          Propagation and encryption of networked files
TCP          Command and control, data exfiltration
UDP          Command and control due to speed and flexibility
HTTP/HTTPS   Command and control, mimicking legitimate traffic

Disabling or limiting SMB, unneeded TCP/UDP ports, and outbound web protocols can help restrict ransomware activity after infection.
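The RDP brute force described under "Remote Desktop Protocol", the SMB spread described under "Lateral movement" and in the table above, and the shadow copy deletion described under "Exploiting shadow copies" each leave a footprint in ordinary logs. The Python below is an added example, not part of the original article or of any product: it runs three simple detections over constructed sample records (simplified key=value lines standing in for Windows logon event 4625 and for flow records, plus process command lines). The line format, the thresholds and the windows are assumptions to tune for a real environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not captured from any real system). The layout
# "TIMESTAMP key=value ..." is a simplification assumed for this example.
RDP_AUTH_LOG = """
2024-05-01T09:00:01 EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=admin
2024-05-01T09:00:02 EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=administrator
2024-05-01T09:00:03 EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=backup
2024-05-01T09:00:04 EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=svc_sql
2024-05-01T09:00:05 EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=admin
2024-05-01T09:03:00 EventID=4625 LogonType=10 IpAddress=198.51.100.8 TargetUserName=jdoe
2024-05-01T09:04:30 EventID=4624 LogonType=10 IpAddress=198.51.100.8 TargetUserName=jdoe
2024-05-01T10:30:00 EventID=4625 LogonType=10 IpAddress=192.0.2.44 TargetUserName=admin
2024-05-01T10:45:00 EventID=4625 LogonType=10 IpAddress=192.0.2.44 TargetUserName=admin
""".strip().splitlines()

# One workstation touching port 445 on twelve hosts in twelve seconds, beside a
# client of the file server doing ordinary work.
SMB_FLOW_LOG = [
    f"2024-05-01T09:10:{i:02d} src=10.0.0.7 dst=10.0.0.{21 + i} dport=445" for i in range(12)
] + [
    "2024-05-01T09:15:00 src=10.0.0.50 dst=10.0.0.21 dport=445",
    "2024-05-01T09:16:00 src=10.0.0.50 dst=10.0.0.21 dport=445",
    "2024-05-01T09:16:30 src=10.0.0.50 dst=10.0.0.22 dport=445",
]

# (host, command line) pairs as a process-creation log would record them.
PROCESS_EVENTS = [
    ("WS-01", "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"),
    ("WS-02", "C:\\Windows\\System32\\vssadmin.exe list shadows"),
]


def parse_kv_line(line):
    """Split 'TIMESTAMP key=value ...' into (datetime, dict of fields)."""
    ts_text, _, rest = line.partition(" ")
    return datetime.fromisoformat(ts_text), dict(t.split("=", 1) for t in rest.split())


def windowed_alerts(events, window, threshold, distinct=False):
    """events: (timestamp, key, value) triples. Emits one (key, timestamp) alert per
    key the first time `threshold` events (or distinct values, if `distinct`) for
    that key fall inside a trailing window of length `window`."""
    history = defaultdict(deque)
    alerted, alerts = set(), []
    for ts, key, value in sorted(events, key=lambda e: e[0]):
        dq = history[key]
        dq.append((ts, value))
        while ts - dq[0][0] > window:          # drop events that aged out of the window
            dq.popleft()
        n = len({v for _, v in dq}) if distinct else len(dq)
        if n >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key, ts))
    return alerts


def rdp_bruteforce_alerts(lines, window=timedelta(seconds=60), threshold=5):
    """Failed RemoteInteractive logons (Event 4625, LogonType 10) counted per source IP."""
    events = []
    for line in lines:
        ts, f = parse_kv_line(line)
        if f.get("EventID") == "4625" and f.get("LogonType") == "10":
            events.append((ts, f["IpAddress"], f["TargetUserName"]))
    return windowed_alerts(events, window, threshold)


def smb_fanout_alerts(lines, window=timedelta(minutes=5), threshold=10):
    """Distinct port-445 destinations per source: worm-style propagation fans out fast."""
    events = []
    for line in lines:
        ts, f = parse_kv_line(line)
        if f.get("dport") == "445":
            events.append((ts, f["src"], f["dst"]))
    return windowed_alerts(events, window, threshold, distinct=True)


# (tool, action) pairs of the backup-destruction commands that typically precede encryption.
SHADOW_COPY_TAMPERING = (
    ("vssadmin", "delete shadows"),
    ("wmic", "shadowcopy delete"),
    ("wbadmin", "delete catalog"),
)


def shadow_copy_tampering(process_events):
    """Hosts whose process command line matches a shadow-copy deletion pattern."""
    hits = []
    for host, cmd in process_events:
        text = " ".join(cmd.lower().split())
        if any(tool in text and action in text for tool, action in SHADOW_COPY_TAMPERING):
            hits.append(host)
    return hits


if __name__ == "__main__":
    print("RDP brute force:", rdp_bruteforce_alerts(RDP_AUTH_LOG))
    print("SMB fan-out:", smb_fanout_alerts(SMB_FLOW_LOG))
    print("Shadow copy tampering:", shadow_copy_tampering(PROCESS_EVENTS))
```

On the constructed input the first detector fires once for 203.0.113.5 at the fifth failure, stays quiet for the user who mistyped once and then logged in, and ignores the two failures from 192.0.2.44 because they are fifteen minutes apart; the second fires for 10.0.0.7 at its tenth distinct target while the file-server client never gets near the threshold; the third flags WS-01 only. The three functions are deliberately independent so each can be tuned, or dropped, on its own.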

What are the consequences of a ransomware attack?

There are a range of negative consequences that stem from a successful ransomware attack:

  • Loss of access to critical data and systems
  • Disruption to business processes and operations
  • Revenue and productivity losses from downtime
  • Costs for incident response and recovery
  • Harm to reputation and customer trust
  • Payment of large ransoms

These effects can be severe, even catastrophic, for businesses and organizations. Systems can remain down for weeks after major attacks as data and services are restored.

What is the average ransom payment?

According to Coveware’s Q3 2020 Global Ransomware Marketplace report, the average ransom payment increased to $233,817 in the third quarter, a 171% increase compared to the prior year. The highest ransom paid by an organization was $10 million.

However, only about 65% of ransomware victims get their data back after paying, as attackers sometimes delete files even after receiving payment.

How can ransomware attacks be prevented?

The key to preventing ransomware and other cyber attacks is layered cybersecurity defenses and workforce education. Recommended best practices include:

  • Keep all software up-to-date with the latest patches
  • Use strong spam filters and malware detection
  • Back up data regularly and keep backups offline
  • Enforce the principle of least privilege for access
  • Require strong passwords and multi-factor authentication
  • Segment networks and isolate critical systems
  • Disable RDP where it is not needed, or place it behind a VPN with network monitoring
  • Train employees on cyber risks and phishing
  • Deploy endpoint detection and response tools
  • Monitor for IoCs and update firewall rules

Dedicated cybersecurity personnel, processes, and budgets are essential to implement these defenses and lower the risk of ransomware and other malware infections.

Should ransomware demands be paid?

There is significant debate about whether organizations should pay ransoms to recover encrypted data. Considerations include:

  • Paying encourages and funds more attacks
  • Some ransomware cannot be reversed even with the key
  • Attackers may increase demands if they know you’ll pay
  • You may not get all data back after paying the ransom
  • Payment may be the best way to resume operations quickly
  • Some laws prohibit paying ransoms

There is no consensus, and each situation is unique. Consult experts and carefully weigh the tradeoffs of paying ransoms on a case-by-case basis.

Conclusion

Ransomware represents a serious threat to organizations, businesses, and end users today. Attackers have a financial incentive to develop new strains and targeting methods. By better understanding how ransomware works and is delivered, organizations can implement informed defenses to detect and respond early to attacks before significant damage is done.

Ongoing training, testing defenses, backing up data, segmenting networks, and monitoring for threats are key practices to reduce the risk and impact of ransomware attacks. There are also emerging technological solutions like deception technology that can trick and trap ransomware before it damages systems.

With a comprehensive cybersecurity strategy that combines aware employees, technological defenses, and threat intelligence, organizations can strengthen their resilience against ransomware and ransom demands.