How is ransomware performed?

Ransomware is a type of malicious software that blocks access to a computer system or its data until a ransom is paid. It has become an increasingly common threat in recent years. Ransomware typically spreads through phishing emails or by exploiting vulnerabilities in systems. Once executed, it encrypts files on the victim’s computer and displays a ransom note demanding payment, usually in a cryptocurrency such as Bitcoin, in exchange for a decryption key. Understanding how ransomware works helps organizations and individuals defend against this threat.

How does ransomware infect a system?

There are a few common infection vectors that allow ransomware to get onto a victim’s computer:

  • Phishing emails – The attacker sends an email posing as a legitimate source, like a company or contact. The email contains an infected attachment or link which when opened downloads and executes the ransomware.
  • Drive-by downloads – Visiting a compromised website can trigger an automatic download of ransomware onto the victim’s system.
  • Remote desktop connections – Connecting to a remote desktop that is infected with ransomware can spread the infection to the connecting computer.
  • Software vulnerabilities – Unpatched or outdated software can have vulnerabilities that ransomware exploits to execute and infect.
  • Malicious ads – Ransomware code can be distributed through malicious ads or pop-ups on websites.

Once the ransomware file has been downloaded, it is executed on the victim’s system which begins the process of encrypting files and displaying the ransom demand. Advanced ransomware can also exploit other vulnerabilities to spread across networks.

How does ransomware encrypt files?

The key ability of ransomware is to encrypt files on the infected system in a way that locks out the owner from being able to access them. Different strains of ransomware use different encryption algorithms, but the general process is similar:

  1. The ransomware generates a symmetric encryption key to encrypt files.
  2. It encrypts that symmetric key with the attackers’ public (asymmetric) key.
  3. The files on the system are encrypted symmetrically with the first key.
  4. The asymmetric private key to decrypt the symmetric key is kept only by the attackers.
  5. Without access to the asymmetric private key, the victim cannot decrypt their files.

By using asymmetric (public-key) encryption, the attackers retain sole control over the ability to decrypt the files. Even if the ransomware program itself is removed, the files remain encrypted. This is why paying the ransom is the only way to obtain the private key for decryption.
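The hybrid scheme above has a side effect defenders can use: properly encrypted output is indistinguishable from uniformly random bytes, so a document rewritten by ransomware has near-maximal byte entropy. The Python below is an added illustration, not code from the page or from any ransomware or security product. It scores a buffer's Shannon entropy, but first checks a short table of magic bytes, because compressed formats (zip-based Office files, JPEG, PNG, gzip) are also high-entropy and would otherwise be false positives. The sample buffers, the magic-byte table and the 7.5-bit threshold are all constructed assumptions for this example.

```python
import hashlib
import math

# Constructed, partial table of formats that are high-entropy by design
# (compressed or already encrypted), keyed by their leading magic bytes.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"PK\x03\x04": "zip-based (zip, docx, xlsx, pptx)",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x1f\x8b": "gzip",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(data: bytes, threshold: float = 7.5) -> str:
    """Label a buffer as known-compressed, likely-encrypted or plaintext-like.

    The magic-byte check runs first so a legitimately compressed file is not
    mistaken for ransomware output. The threshold is an assumption for this
    example, not a calibrated value.
    """
    for magic, name in KNOWN_HIGH_ENTROPY_MAGIC.items():
        if data.startswith(magic):
            return "known-compressed:" + name
    if shannon_entropy(data) >= threshold:
        return "likely-encrypted"
    return "plaintext-like"


# Constructed samples: repeated English text, a deterministic pseudo-random
# stream (SHA-256 over a counter) standing in for ciphertext, and the same
# random-looking bytes behind a zip header.
SAMPLE_TEXT = b"Quarterly report: revenue grew 4% while costs fell. " * 80
SAMPLE_CIPHERTEXT = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
)
SAMPLE_ZIP = b"PK\x03\x04" + SAMPLE_CIPHERTEXT[:1020]


if __name__ == "__main__":
    samples = (("text", SAMPLE_TEXT), ("ciphertext", SAMPLE_CIPHERTEXT), ("zip", SAMPLE_ZIP))
    for label, buf in samples:
        print(f"{label:10s} entropy={shannon_entropy(buf):.2f} -> {classify(buf)}")
```

Entropy alone is a weak signal on its own; anti-ransomware features in endpoint products combine it with who is writing, how many files, and how fast, which is what the event-rate logic further down is about.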

What types of files does ransomware target?

Ransomware aims to encrypt files that are valuable to the victim and for which restoration from backups is difficult. Documents, photos, databases, and other data are common targets. Certain types of files are often prioritized:

  • Office files – Documents, spreadsheets, presentations (e.g. Word, Excel, PowerPoint files)
  • Archives – Database files, compressed files, disk images
  • Multimedia – Photos, videos, music files
  • Email data – Email messages, attachments, address books
  • Source code and web files – Webpages, scripts, source code repositories
  • System files – System configuration files and backups

By encrypting both personal files like photos and work/business critical files like documents and source code, the attackers maximize impact on the victim.

How does the ransom payment process work?

Once the victim’s files are encrypted, the ransomware displays a ransom note with payment instructions. This usually requires the following steps:

  1. The note provides a bitcoin wallet address for payment.
  2. The victim purchases bitcoin and sends the demanded amount to the provided address.
  3. Once payment is received, the attackers send the private decryption key.
  4. The victim runs the decryptor software with the provided key to decrypt their files.

The ransom note often includes threats of permanent data loss if payment is not made quickly or if the police are contacted. The ransom demand amount varies but is often thousands of dollars worth of bitcoin.

How do ransomware creators profit from this?

Ransomware has proven to be a lucrative criminal business for those who develop and distribute the malware, motivated by the millions of dollars in potential profits:

  • Affiliate programs – Developers pay affiliates commissions for distributing the ransomware and infecting victims.
  • Ransom payments – Demanding bitcoin ransoms from victims generates direct revenue.
  • Dark web sales – Prebuilt ransomware kits and malware tools are sold on dark web markets.
  • Targeted attacks – Wealthy individuals, businesses, hospitals and government systems can yield higher ransoms.

It is difficult to pin down exact figures, but some estimates indicate ransomware generates over $1 billion in annual revenue for cybercriminals. The rise of the ransomware-as-a-service (RaaS) model and affiliate distribution networks has increased the incentives for criminals worldwide to take part in these attacks.

What are typical ransom amounts demanded?

The ransom payment amount varies based on the target and type of ransomware:

  • Individual users – Often $500 to $1500 ransom payment demanded.
  • Businesses – Tens of thousands of dollars, sometimes over $100k for large corporations.
  • Government systems – Up to millions of dollars for larger municipal systems.
  • Hospitals – Hundreds of thousands of dollars in some cases, and potentially higher because of the cost of disrupted operations.

Trends show ransom demands increasing over time as criminals seek higher payouts. Initial amounts sometimes rise if not promptly paid. Bitcoin’s rising value has also inflated USD-denominated ransom demands.

How do attackers process and launder the ransom payments?

To successfully profit from ransomware campaigns, attackers utilize various techniques to process and launder the incoming payments from victims:

  • Bitcoin mixing – Transactions are mixed with others to obscure the money trail.
  • Cryptocurrency exchanges – Bitcoin is converted to other cryptocurrencies like Monero that are harder to track.
  • Mules and money laundering networks – Funds are moved through compromised systems and layered through accounts.
  • Exchanges to fiat currency – Crypto-to-crypto and crypto-to-fiat exchanges allow cash-out to traditional currencies.

The rise of decentralized cryptocurrencies like Bitcoin has enabled growth of ransomware by making payments harder to trace. Law enforcement agencies have still been able to trace and seize some ransom payments when attackers make mistakes.

What are some notable recent ransomware attacks?

Some major ransomware attacks that have impacted governments, companies, and infrastructure in recent years include:

  • 2021 Colonial Pipeline attack – Disrupted petroleum distribution on the U.S. east coast for nearly a week.
  • 2022 Costa Rica government attack – Crippled government computer systems forcing declaration of a national emergency.
  • 2022 Medibank attack – Australia’s largest health insurer had data on millions of customers stolen.
  • 2017 WannaCry attack – Impacted over 200,000 systems across 150 countries including parts of the UK’s NHS.
  • 2022 attack on Air India – Major airline had passenger and employee data compromised.

Many other attacks regularly make headlines as ransomware groups like REvil, Conti, DarkSide, and others continue to target vulnerable organizations. Healthcare, critical infrastructure, and schools are frequent targets.

What are the consequences of paying the ransom?

Paying the ransom demand is controversial for a few reasons:

  • No guarantee files can be recovered – Attackers may not provide working decryption.
  • Encourages more attacks – Paid ransoms incentivize hackers to continue campaigns.
  • May violate laws – Regulations in some countries prohibit payments to sanctioned entities.
  • Data may still leak – Many ransomware groups still threaten to leak data after payment.

However, for businesses that cannot operate without the encrypted data, there are business continuity reasons they may feel compelled to pay. Some cyber insurance policies may cover ransom payments as well. There are arguments on both sides and each organization needs to evaluate the trade-offs carefully.

What are recommended steps to prevent ransomware infections?

Preventing ransomware comes down to building defenses across people, processes, and technology. Some key prevention best practices include:

  • Security awareness training – Educate employees on phishing and malware threats.
  • Email security controls – Block dangerous file types, filter suspicious emails.
  • Vulnerability management – Patch and update software promptly.
  • Least privilege access – Limit users through role-based access controls.
  • Secure backups – Maintain recent backups offline and immutable.
  • Endpoint detection – Use EDR to monitor endpoints for anomalies.

Layered defenses utilizing next-gen antivirus, firewalls, threat intelligence and tools like email/browser isolation can all help stop ransomware before it takes hold in a network.

Should ransomware payments be banned?

There is an active policy debate around whether ransomware payments should be outright banned by law. Two perspectives exist:

  • Ban payments – Banning payments could deter attacks by eliminating the economic incentive and profits for criminals behind ransomware campaigns.
  • Allow payments – Banning payments takes options away from victims and could lead to more data being leaked. A better approach is enhanced cybersecurity and law enforcement.

A compromise approach some policymakers advocate is banning payments specifically when they are funding sanctioned entities or would violate existing laws. Ransomware payment bans have been proposed but not yet enacted in countries like the U.S. and Australia.

What cybersecurity measures can reduce ransomware impact?

If ransomware does make it onto an endpoint, measures can be taken to reduce its impact and ability to spread further:

  • Network segmentation – Prevents lateral movement between different network segments.
  • Application allowlisting – Only approved apps can run, preventing malware execution.
  • Privileged access management – Strictly limit the number of admin credentials.
  • Disable macros – Block Office macros to impede malware execution.
  • Backups – Ensure critical data can be restored without paying the ransom.

Modern endpoint detection and response (EDR) solutions also have features like automatic containment of infected endpoints that can limit damage.
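The "Endpoint detection" bullet in the prevention list and the automatic-containment point here rest on the same observation: a single process that renames many user files to a new extension within a short window is behaving unlike any legitimate application. The Python below is an added illustration, not any vendor's EDR logic or code from the page. It runs a sliding-window detector over a constructed file-event log and returns the process to contain the moment it crosses the threshold. The event schema, the process names, the 30-second window and the threshold of 20 files are assumptions made for this example.

```python
import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One file-system event as a sensor might report it (constructed schema)."""
    ts: float           # seconds
    process: str        # image name of the acting process
    op: str             # "write" or "rename"
    path: str
    new_path: str = ""  # target path for renames


def extension_changed(ev: FileEvent) -> bool:
    """True for a rename that gives the file a different extension."""
    if ev.op != "rename":
        return False
    old = ntpath.splitext(ev.path)[1].lower()
    new = ntpath.splitext(ev.new_path)[1].lower()
    return old != new


class BurstDetector:
    """Flag a process that changes the extension of >= threshold files within
    window_s seconds. Allowlisted processes (e.g. a known backup agent) are
    never flagged; a flagged process is reported once."""

    def __init__(self, window_s: float = 30.0, threshold: int = 20, allowlist=()):
        self.window_s = window_s
        self.threshold = threshold
        self.allowlist = set(allowlist)
        self._recent = defaultdict(deque)   # process -> timestamps inside the window
        self.flagged = set()

    def observe(self, ev: FileEvent):
        """Feed one event; return the process name when it crosses the threshold."""
        if ev.process in self.allowlist or ev.process in self.flagged:
            return None
        if not extension_changed(ev):
            return None
        window = self._recent[ev.process]
        window.append(ev.ts)
        while window and ev.ts - window[0] > self.window_s:
            window.popleft()
        if len(window) >= self.threshold:
            self.flagged.add(ev.process)
            return ev.process
        return None


def detect(events, **kwargs):
    """Run the detector over an event list; return [(ts, process), ...] alerts."""
    det = BurstDetector(**kwargs)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        hit = det.observe(ev)
        if hit is not None:
            alerts.append((ev.ts, hit))
    return alerts


def constructed_events():
    """Constructed sample log: normal editing, a backup agent, and one burst."""
    docs = r"C:\Users\alice\Documents"
    evs = [
        FileEvent(1000.0, "editor.exe", "write", docs + r"\plan.docx"),
        FileEvent(1005.0, "editor.exe", "rename", docs + r"\~save.tmp", docs + r"\plan.docx"),
    ]
    # A backup agent rewrites many files quickly but keeps their extensions.
    evs += [FileEvent(1100.0 + i * 0.1, "backup-agent.exe", "write", rf"D:\backup\file{i}.docx")
            for i in range(40)]
    # One process renames 30 spreadsheets to a new extension within 9 seconds.
    evs += [FileEvent(1200.0 + i * 0.3, "unknown.exe", "rename",
                      rf"{docs}\report{i}.xlsx", rf"{docs}\report{i}.xlsx.locked")
            for i in range(30)]
    return evs


if __name__ == "__main__":
    for ts, proc in detect(constructed_events()):
        print(f"t={ts:.1f}s contain process {proc!r}: mass extension change")
```

The backup agent is deliberately not allowlisted in the default run: it is ignored because it leaves extensions alone, which shows why the rule keys on extension changes rather than raw write volume. Tuning the window and threshold against a baseline of normal activity is what separates a usable rule from a noisy one.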

Should ransomware payments be tax deductible?

Some argue that allowing ransomware payments as tax deductions encourages businesses to proactively invest more in cybersecurity. Others counter that it reduces disincentives to pay ransoms. There are reasonable arguments on both sides:

  • Allow deduction – Reduces financial hit of attack and incentivizes cyber investment.
  • Disallow deduction – Paying ransoms should not provide financial benefits or incentives.

Several countries like the U.S. and Canada allow ransomware payments as tax deductible business expenses. But some policymakers want to eliminate this tax treatment to discourage payments.

How can ransomware forensics help identify attackers?

Threat intelligence and forensic analysis of ransomware code and infrastructure can yield valuable clues about the attackers to inform defenses and law enforcement response:

  • Code similarities – Compare code to other known ransomware variants.
  • Wallet addresses – Trace cryptocurrency payments to associated wallets.
  • Execution artifacts – Analyze the files the malware creates and other red flags observed during execution.
  • Decryption tools – Reverse engineer the decryptor supplied by the attackers.
  • Payment sites – Monitor payment/leak sites for data.

Firms specializing in ransomware forensics provide services to help attribute attacks to known groups or newly identified ones. However, skilled attackers often cover their tracks using methods that hinder analysis.
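Of the forensic leads listed above, wallet addresses are the one that can be pulled out of a ransom note mechanically. The Python below is an added example, not tooling from any forensics firm or code from the page. It extracts candidate legacy Bitcoin addresses with a regular expression and keeps only those whose Base58Check checksum verifies, which weeds out look-alike strings and transcription errors before anyone starts tracing. The ransom-note text and the 20-byte payload are constructed (the payload is a SHA-256 prefix standing in for a real HASH160), so the addresses are well-formed but belong to no real wallet.

```python
import hashlib
import re

B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (Base58Check) Bitcoin addresses: 26-35 characters, leading '1' or '3'.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def _double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    # Each leading zero byte is encoded as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return (b"1" * pad + bytes(reversed(digits))).decode()


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text.encode():
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not a base58 string")
        n = n * 58 + idx
    pad = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def base58check_encode(version: int, payload: bytes) -> str:
    data = bytes([version]) + payload
    return b58encode(data + _double_sha256(data)[:4])


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose trailing 4-byte checksum verifies."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    return _double_sha256(raw[:-4])[:4] == raw[-4:]


def extract_addresses(note: str) -> list:
    """Regex candidates that also pass the checksum, deduplicated in order."""
    seen, found = set(), []
    for match in ADDRESS_RE.finditer(note):
        cand = match.group(0)
        if cand not in seen and base58check_valid(cand):
            seen.add(cand)
            found.append(cand)
    return found


# Constructed data: the payload is a SHA-256 prefix standing in for a real
# HASH160, so the address is well-formed but belongs to no real wallet.
SAMPLE_PAYLOAD = hashlib.sha256(b"constructed example payload").digest()[:20]
SAMPLE_ADDRESS = base58check_encode(0x00, SAMPLE_PAYLOAD)
# A one-character transcription error: looks like an address, fails the checksum.
TAMPERED_ADDRESS = SAMPLE_ADDRESS[:-1] + ("2" if SAMPLE_ADDRESS[-1] != "2" else "3")
SAMPLE_NOTE = (
    "Your files are encrypted. Send 0.5 BTC to " + SAMPLE_ADDRESS + "\n"
    "within 72 hours. Backup address: " + TAMPERED_ADDRESS + "\n"
)

if __name__ == "__main__":
    print("verified wallet addresses:", extract_addresses(SAMPLE_NOTE))
```

The regex alone would return both strings in the note; the checksum is what rejects the corrupted one. Bech32 (bc1...) addresses use a different checksum and are not covered by this block.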

How has ransomware evolved and advanced over time?

Ransomware capabilities and sophistication have grown considerably in recent years, including:

  • Shift to data exfiltration – Many ransomware groups now also threaten to leak stolen data publicly after an attack, adding additional pressure to pay.
  • Ransomware-as-a-Service – Allows greater commercialization via ransomware kits, affiliate programs, etc.
  • Double extortion – Demanding two ransoms, one for decryption key and another to prevent data leak.
  • Supply chain attacks – Compromising software suppliers and IT providers to spread ransomware down the supply chain.
  • Vulnerability exploitation – Exploiting known flaws like PrintNightmare and ProxyShell for network access.

Attackers clearly invest heavily in enhancing capabilities and evading defenses. A concerning trend is partnerships between ransomware groups and nation states like North Korea.

Conclusion

Ransomware remains a serious threat, with damage costs into the billions of dollars in recent years. Understanding how ransomware works provides insight into key vulnerabilities that need to be shored up. Leveraging layered defenses across people, processes and technology represents the best approach for reducing exposure. But additional policy changes and law enforcement actions are still needed to curb the alarming growth of criminal ransomware.