What are the methods of ransomware attack?

Ransomware attacks have become increasingly common in recent years. Ransomware is malicious software that encrypts files on a victim’s computer or network and demands a ransom payment for the key needed to decrypt them and restore access; many groups now also steal data before encrypting it so that they can threaten to publish it. Cybercriminals use several different methods to deliver and execute ransomware.

Email Phishing

One of the most common methods of distributing ransomware is through email phishing campaigns. The attacker sends emails disguised to look like they are from a legitimate source, such as a company, bank, or other organization that the target knows or does business with. The email may claim there is a problem with the target’s account that needs to be addressed immediately by opening an attachment or clicking a link. If the user falls for the scam and opens the attachment or link, malware such as ransomware is downloaded onto their system.

Some signs of a phishing email include:

  • Poor spelling and grammar
  • Generic greetings like “Dear Customer”
  • Suspicious links
  • Threats of account suspension
  • Attachments from unknown sources
  • Requests for sensitive information

Users should be cautious about opening attachments or links in unsolicited emails, even if they appear to come from a legitimate source. It’s best to verify the email by contacting the supposed sender directly through a channel you already know (a published phone number or a saved address), never through the contact details or links in the message itself, before interacting with any embedded links or attachments.
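To show how these signs can be checked mechanically, here is an added example (not code from the original article) that triages a raw e-mail with Python’s standard library: it compares the Reply-To and From domains, reads the receiving server’s SPF/DKIM/DMARC results from the Authentication-Results header, compares the visible text of each link with the host it actually points to, and flags executable attachments and double extensions. The sample message and every domain and address in it are constructed for the demonstration; the extension and keyword lists are assumptions to extend.

```python
"""Heuristic phishing triage (added example, Python stdlib only).

Not code from the original article. The sample message below is constructed
for the demonstration; every name, domain and address in it is fictitious.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".img",
                    ".hta", ".docm", ".xlsm", ".htm", ".html", ".zip"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
URGENCY_WORDS = ("immediately", "suspended", "within 24 hours", "verify your account")

SAMPLE_EML = b"""From: "Example Bank Security" <alerts@examplebank-secure.co>
Reply-To: recovery@mail-verify.example
Subject: Action required: your account will be suspended
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examplebank-secure.co; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer, we detected a problem with your account. Log in immediately at
<a href="http://198.51.100.23/login">https://www.examplebank.com/login</a>
or your account will be suspended within 24 hours.</p>
--b1
Content-Type: application/octet-stream; name="Statement.pdf.exe"
Content-Disposition: attachment; filename="Statement.pdf.exe"

MZ...
--b1--
"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(addr):
    """Lower-cased domain part of 'Name <user@host>'; '' if there is none."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def _host(url_or_text):
    """Hostname of a URL or bare domain like 'www.example.com/x'; '' for plain words."""
    if not re.fullmatch(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", url_or_text):
        return ""
    return (urlparse(url_or_text if "://" in url_or_text else "//" + url_or_text).hostname or "").lower()

def triage(raw):
    """Return human-readable warning signs found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # Headers: Reply-To pointing somewhere else, failed sender authentication.
    from_domain = _domain(str(msg["From"]))
    reply_domain = _domain(str(msg["Reply-To"] or ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    auth = str(msg["Authentication-Results"] or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{check} result is {m.group(1)}")
    # Body: generic greeting, urgency, links whose text hides the real destination.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    lowered = text.lower()
    if "dear customer" in lowered:
        findings.append("generic greeting")
    findings.extend(f"urgency language: {w!r}" for w in URGENCY_WORDS if w in lowered)
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            href_host, shown_host = _host(href), _host(shown)
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", href_host):
                findings.append(f"link to bare IP address {href_host}")
            if shown_host and shown_host != href_host:
                findings.append(f"link text shows {shown_host} but points to {href_host}")
    # Attachments: executable types, and executables disguised with a document extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) > 1 and "." + pieces[-1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name!r}")
            if len(pieces) > 2 and pieces[-2] in DOCUMENT_EXTENSIONS:
                findings.append(f"double extension hides an executable: {name!r}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

These checks are heuristics, not a verdict: a legitimate newsletter can trip one of them and a well-crafted spear-phishing mail can pass all of them, so treat the output as triage input for an analyst or a mail gateway rather than as a blocklist.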

Infected Websites

Another method cybercriminals use is compromising websites so that malware gets downloaded onto the victim’s computer when they visit. This is known as a drive-by download attack. Often, legitimate sites are hacked and made to serve exploit kits or ransomware payloads without the owner’s knowledge.

Some common ways sites get infected include:

  • Exploiting vulnerabilities in site software or plugins
  • Uploading backdoored files via insecure FTP
  • Injecting malicious code into databases
  • Hacking site administrator accounts

Users can unknowingly pick up ransomware just by browsing to a compromised website. If the browser or one of its plugins is unpatched, the malware may install in the background without any action on the user’s part; on a fully patched system the attacker usually needs the user to accept a fake update or download instead. Keeping browsers and plugins up to date, removing legacy plugins such as Flash and Java applets, and using ad- and script-blockers reduce the risk of drive-by attacks.

Malvertising

Malvertising involves injecting malicious ads into the ad networks used by legitimate sites. Some of these ads infect visitors when clicked; others redirect the browser to an exploit kit, so that merely rendering the ad on an unpatched system is enough. Cybercriminals may purchase ad space on trusted sites and deliver ransomware through these malicious ads. Types of malvertising include:

  • Pop-up/pop-under ads containing malware payloads
  • Banner ads that install malware
  • Video ads that run malicious code

These ads may promote fake security alerts that urge users to download bogus security software that is actually ransomware. Users should avoid clicking on suspicious pop-up ads and banners, especially ones that warn of infection or promise to scan your system.

Social Engineering

Social engineering refers to manipulating users into performing actions that compromise security. This may involve:

  • Posing as IT/support to trick users into granting remote access
  • Sending fake security alerts warning of infection and prompting users to run malware
  • Persuading users to download fake apps/files by impersonating colleagues

Cybercriminals are experts at impersonation and crafting persuasive messaging to get users to let their guard down. Educating staff and implementing policies around unsolicited contact can help reduce the risk of social engineering.

Software Vulnerabilities

Unpatched vulnerabilities in operating systems and applications can be exploited to deliver ransomware. Internet-facing services such as VPN gateways, remote desktop and file-transfer appliances are favourite targets because exploiting them yields a foothold with no user interaction. Vulnerability classes and impacts that may get leveraged include:

  • Buffer overflows
  • Command injections
  • Privilege escalations
  • Arbitrary code executions

Keeping all software updated with the latest security patches helps remove opportunities for cybercriminals to compromise systems. Enable automatic updates where possible and prioritize patching known critical vulnerabilities.

Network Propagation

Some ransomware variants attempt to spread laterally across networks to infect more systems once an initial foothold is gained. This can occur through:

  • Brute forcing or spraying login credentials, particularly over RDP and SMB
  • Exploiting SMB vulnerabilities (WannaCry spread with the EternalBlue exploit for MS17-010)
  • Abusing administrative tools like PsExec, WMI, RDP and Group Policy to push the payload to other hosts
  • Stealing and impersonating access tokens or cached credentials of privileged accounts

Segmenting networks appropriately and disabling unused services and features (SMBv1, unneeded administrative shares, RDP where it is not required) can slow lateral movement. Monitoring tools can also detect abnormal internal activity like brute force attacks, one account authenticating to many hosts in quick succession, or services being installed remotely.
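As an added example (not code from the original article), the script below implements the three monitoring checks just described over a handful of constructed Windows Security and System event records: a burst of failed logons (event 4625) from one source, one account obtaining network logons (event 4624, logon type 3) on many hosts, and the service install (event 7045) that PsExec and its clones leave behind. The key=value log format, host names, account names, addresses and thresholds are all assumptions for the demonstration.

```python
"""Lateral-movement detection over Windows Security / System events.

Added example, not code from the original article. Event records are rendered
as simplified key=value lines (constructed for this demonstration, as are the
host names, accounts and addresses); the thresholds are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 10           # failed logons from one source inside the window
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
SPREAD_THRESHOLD = 3                 # distinct hosts one account reaches over the network
REMOTE_EXEC_SERVICES = {"psexesvc", "paexec", "csexecsvc"}   # PsExec and common clones

SAMPLE_LOG = [
    # 12 failed logons (4625) against FS01 from one source within 33 seconds
    f"2024-05-03T02:14:{s:02d} host=FS01 id=4625 user=administrator src=10.0.5.23 type=3"
    for s in range(0, 36, 3)
] + [
    # the same source then succeeds as a service account on three hosts (4624, logon type 3)
    "2024-05-03T02:15:10 host=FS01 id=4624 user=svc_backup src=10.0.5.23 type=3",
    "2024-05-03T02:15:42 host=FS02 id=4624 user=svc_backup src=10.0.5.23 type=3",
    "2024-05-03T02:16:05 host=DC01 id=4624 user=svc_backup src=10.0.5.23 type=3",
    # PsExec installs its service on FS02 (System event 7045)
    "2024-05-03T02:16:09 host=FS02 id=7045 service=PSEXESVC path=C:\\Windows\\PSEXESVC.exe",
    # benign noise: an interactive logon, a single typo, and a normal service
    "2024-05-03T02:17:30 host=WS07 id=4624 user=jsmith src=10.0.9.4 type=2",
    "2024-05-03T02:18:01 host=WS07 id=4625 user=jsmith src=10.0.9.4 type=2",
    "2024-05-03T02:19:00 host=WS07 id=7045 service=Spooler path=C:\\Windows\\System32\\spoolsv.exe",
]

def parse(line):
    """'2024-05-03T02:14:01 host=FS01 id=4625 ...' -> dict of fields plus a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def _windowed_max(times, window):
    """Largest number of sorted timestamps that fit inside one sliding window."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect_brute_force(events):
    """Source addresses with at least BRUTE_FORCE_THRESHOLD failed logons in the window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == "4625":
            by_src[e["src"]].append(e["ts"])
    hits = {}
    for src, times in by_src.items():
        n = _windowed_max(sorted(times), BRUTE_FORCE_WINDOW)
        if n >= BRUTE_FORCE_THRESHOLD:
            hits[src] = n
    return hits

def detect_account_spread(events):
    """Accounts with successful network logons (4624, type 3) to many distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e["id"] == "4624" and e.get("type") == "3":
            hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= SPREAD_THRESHOLD}

def detect_remote_service_install(events):
    """Service installs (7045) whose service name matches a remote-execution tool."""
    return [(e["host"], e["service"], e["path"]) for e in events
            if e["id"] == "7045" and e["service"].lower() in REMOTE_EXEC_SERVICES]

def analyse(lines):
    events = [parse(line) for line in lines]
    return {
        "brute_force": detect_brute_force(events),
        "account_spread": detect_account_spread(events),
        "remote_service_install": detect_remote_service_install(events),
    }

if __name__ == "__main__":
    for name, result in analyse(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

Each detector alone produces false positives (a misconfigured scanner fails logons, a backup account legitimately touches many servers), but all three from the same source address inside a few minutes, as in the sample, is the pattern of an operator moving toward domain-wide deployment and is worth an immediate response.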

Rogue Mobile Apps

Fake or compromised mobile apps, most often distributed through third-party app stores or sideloaded packages but occasionally slipping into the official stores, can be Trojanized with ransomware payloads. Some signs of suspicious apps include:

  • Requests for unnecessary permissions
  • Poor reviews
  • Developer is unknown
  • App is a clone of a popular legitimate app

Sticking to official app stores like Google Play and Apple App Store reduces the risk, as they proactively screen apps for malware. However, malicious apps can still occasionally slip through vetting processes.

Infected Removable Media

Malware like ransomware may also spread through infected USB drives, external hard drives, SD cards, and other removable media. Older systems that still honour AutoRun launch the malware as soon as the media is connected; current Windows versions disable AutoRun for USB storage by default, so the attacker instead relies on the user opening a disguised file, such as a shortcut (.lnk) or an executable named to look like a document. Only use removable media from trusted sources, scan it before accessing any files, and keep AutoRun and AutoPlay disabled by policy.

Malicious Downloaders

Some malware acts as an initial downloader designed to fetch and install additional payloads like ransomware (strictly speaking a dropper carries its payload embedded rather than fetching it, but the terms are often used interchangeably). The technique helps evade detection: the first stage is small and looks innocuous, and the main payload is retrieved only after the downloader is running, sometimes only after it has checked that it is not inside a sandbox, so security tools scanning the initial file have nothing specific to match.

The downloader itself may not display any obvious malicious behavior; the secondary payload it installs, such as ransomware, does the actual damage. Application allowlisting, blocking script interpreters and Office macros from spawning downloads, and egress filtering that stops unknown programs from reaching the internet can mitigate this method.

How do ransomware attacks execute on a compromised system?

Once a ransomware payload reaches a vulnerable computer, it typically follows this sequence to encrypt files and hold them hostage (the order and the optional steps vary by family):

  1. Reconnaissance – The malware gathers details about the infected system: operating system version, language and keyboard layout (several families exit if they detect certain locales), installed programs, and local, removable and network drives.
  2. Reporting – Many variants contact a command and control (C&C) server and send back the IP address, machine name and reconnaissance data; others run fully offline, so blocking C&C traffic alone does not stop them.
  3. Key setup – The attackers’ RSA public key is either embedded in the binary or fetched from the C&C server. The matching private key never leaves the attackers.
  4. Encryption – For speed, the malware generates a random symmetric key (AES and ChaCha20 are common) per file or per victim, encrypts the file contents with it, encrypts that key with the RSA public key and stores the wrapped key alongside the data. It targets documents, images, databases, backups and other valuable data, and usually skips the files Windows needs to boot so that the victim can still read the ransom note.
  5. Deletion – Unencrypted originals are deleted or overwritten, and recovery options are destroyed: Volume Shadow Copies are removed (for example with vssadmin delete shadows /all /quiet), Windows recovery is disabled, and reachable backups are encrypted or wiped.
  6. Ransom note – A note with payment instructions is dropped in each affected directory and often set as the desktop wallpaper; recovering the files requires the private decryption key that only the attackers hold.
  7. Persistence – Some variants add registry Run keys, scheduled tasks or launch agents so that encryption resumes after a reboot; others run once and exit, relying on the damage already done.
  8. Lateral movement – Some variants attempt to spread across the network to infect more computers, using the valid credentials collected along the way.

Understanding the attack lifecycle informs mitigations like blocking command and control communication, protecting backups and shadow copies from deletion, detecting mass file modification early enough to stop it, and containing lateral movement.
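As an added example (not code from the original article), the following script turns steps 4 to 6 of that lifecycle into host-based detections over constructed Sysmon-style process-creation (id=1) and file-creation (id=11) events: shadow-copy and recovery-tampering commands, a single process writing many files with one unfamiliar extension inside a short window, and the appearance of a file whose name reads like a ransom note. The host names, paths, the key=value log format, the extension baseline and the thresholds are all assumptions for the demonstration.

```python
"""Host-side detection of the encryption and deletion stages of a ransomware run.

Added example, not code from the original article. Events are rendered as
simplified key=value lines modelled on Sysmon process-create (id=1) and
file-create (id=11) records; hosts, paths and commands are constructed.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands used to destroy recovery options before or during encryption.
RECOVERY_INHIBITION = [("vssadmin", "delete shadows"), ("wmic", "shadowcopy delete"),
                       ("bcdedit", "recoveryenabled no"), ("wbadmin", "delete catalog")]
# Stand-in for a learned baseline of extensions normally written on this host.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".db", ".bak", ".log"}
NOTE_NAME = re.compile(r"readme|how[_ -]?to|recover|decrypt|restore", re.I)
BURST_THRESHOLD = 20                 # files with one unfamiliar extension from one process
BURST_WINDOW = timedelta(seconds=60)
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="value with spaces"

SAMPLE_EVENTS = [
    '2024-05-03T02:20:01 host=FS02 id=1 pid=4412 cmd="vssadmin.exe delete shadows /all /quiet"',
    '2024-05-03T02:20:02 host=FS02 id=1 pid=4418 cmd="bcdedit /set {default} recoveryenabled no"',
] + [
    # one process writes 40 files with a new extension in 40 seconds
    f'2024-05-03T02:21:{s:02d} host=FS02 id=11 pid=4500 target="D:\\Shares\\Finance\\report_{s}.xlsx.locked"'
    for s in range(40)
] + [
    '2024-05-03T02:21:45 host=FS02 id=11 pid=4500 target="D:\\Shares\\Finance\\HOW_TO_RECOVER_FILES.txt"',
    # benign noise: a user editing a text file
    '2024-05-03T02:22:10 host=WS07 id=1 pid=812 cmd="C:\\Windows\\System32\\notepad.exe notes.txt"',
    '2024-05-03T02:22:11 host=WS07 id=11 pid=812 target="C:\\Users\\jsmith\\Documents\\notes.txt"',
]

def parse(line):
    """'2024-05-03T02:20:01 host=FS02 id=1 ...' -> dict of fields plus a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {k: quoted or bare for k, quoted, bare in TOKEN.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def detect_recovery_inhibition(events):
    """Process creations whose command line matches a known backup-destruction command."""
    hits = []
    for e in events:
        cmd = e.get("cmd", "").lower()
        if e["id"] == "1" and any(tool in cmd and args in cmd for tool, args in RECOVERY_INHIBITION):
            hits.append((e["host"], e["pid"], e["cmd"]))
    return hits

def detect_encryption_burst(events):
    """(host, pid, ext) -> peak number of files with one unfamiliar extension that a
    single process wrote inside BURST_WINDOW, for processes over BURST_THRESHOLD."""
    writes = defaultdict(list)
    for e in events:
        if e["id"] == "11":
            ext = os.path.splitext(e["target"])[1].lower()
            if ext and ext not in KNOWN_EXTENSIONS:
                writes[(e["host"], e["pid"], ext)].append(e["ts"])
    hits = {}
    for key, times in writes.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits

def detect_ransom_notes(events):
    """Text or HTML files whose names read like decryption instructions."""
    hits = []
    for e in events:
        if e["id"] == "11":
            name = e["target"].replace("\\", "/").rsplit("/", 1)[-1]
            if name.lower().endswith((".txt", ".hta", ".html")) and NOTE_NAME.search(name):
                hits.append((e["host"], e["pid"], name))
    return hits

def analyse(lines):
    events = [parse(line) for line in lines]
    burst = detect_encryption_burst(events)
    notes = detect_ransom_notes(events)
    # A write burst and a note from the same process is the highest-confidence signal.
    confirmed = sorted({(h, p) for h, p, _ in burst} & {(h, p) for h, p, _ in notes})
    return {"recovery_inhibition": detect_recovery_inhibition(events),
            "encryption_burst": burst, "ransom_notes": notes, "confirmed": confirmed}

if __name__ == "__main__":
    for name, result in analyse(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

The recovery-tampering commands are cheap, high-fidelity alerts on their own, because legitimate administration rarely runs them in that form; the burst detector is the one that needs tuning against a real baseline of extensions, and it has to fire early enough that the process can be killed or the host isolated while most files are still intact.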

What are the different types of ransomware variants?

There are several major families and types of ransomware that use slightly different tactics and capabilities:

Scareware

Scareware does not actually encrypt files, but displays alarming messages claiming infection or illegal activity was detected. Fake security alerts try to scare users into paying to remove the non-existent threats.

Locker Ransomware

Locker ransomware locks users out of their devices by replacing the login or boot screen. However, it does not encrypt files. Payment is demanded to restore normal boot access.

Encrypting Ransomware

Encrypting ransomware is what most people think of when they hear the term. It encrypts files on the device and network and demands payment for the decryption key. Well-known examples include CryptoLocker, WannaCry, Cerber, and Sodinokibi (also known as REvil).

RaaS (Ransomware-as-a-Service)

RaaS allows cybercriminals to use ransomware toolkits provided by malware authors for a percentage of the profits. This model has made ransomware more accessible to less technical attackers.

Targeted Ransomware

Targeted ransomware is designed to infect specific companies, organizations, or industries rather than individual home users. These attacks are usually human-operated: after gaining access, the attackers spend days or weeks mapping the network, stealing credentials and locating backups before deploying the ransomware everywhere at once. Such customized campaigns take time and effort, which is why they are aimed at victims able to pay large ransoms.

Proxy Ransomware

Proxy ransomware uses an infected machine to anonymously relay the ransom demand to the victim. This adds separation between the attacker and victim.

Hybrid Cryptomalware

Hybrid cryptomalware combines ransomware with other malware capabilities. The most common form today is double extortion: the attackers steal and exfiltrate sensitive files before encrypting them, then threaten to publish the data if the ransom is not paid, which also puts pressure on victims who could otherwise restore from backups.

What are common targets of ransomware attacks?

Ransomware attacks cast a wide net looking to infect as many vulnerable systems as possible. However, there are some common targets that attackers may be more likely to pursue:

  • Businesses – Especially mid-size companies with valuable data but weaker security than large enterprises.
  • Healthcare organizations – To disrupt operations and patient care by encrypting medical records and devices.
  • Schools and universities – These contain student data, research, and intellectual property.
  • State and local governments – To interfere with municipal operations, emergency services, courts, DMV systems, etc.
  • Law firms – The data at these firms is highly sensitive and mission-critical.
  • Financial firms – To freeze customer accounts, transactions, loans, etc., which generates massive urgency to pay.
  • Retail and ecommerce – Encrypting databases and websites can have catastrophic effects during peak sales seasons.

Certain industries like healthcare and finance face regulatory requirements, lawsuits, and fines if they lose access to data. This increases pressure on them to pay ransoms. Businesses can minimize their ransomware risk with comprehensive training, layered security, tested offline backups as an alternative to paying, communication plans, and insurance.

What is the underground ransomware economy?

Ransomware has grown into a booming cybercrime industry powered by an infrastructure of specialized roles:

  • Malware developers – Create new ransomware tools and manage software development kits and malware-as-a-service offerings.
  • Affiliates – Distribute ransomware using methods like phishing campaigns. Earn a percentage of ransoms.
  • Money launderers – Help obscure the source of ransom payments and convert to clean crypto or cash.
  • Negotiators – Contact victims to demand payments and negotiate ransoms.
  • Tech support – Some groups run a “support” channel for victims struggling to buy cryptocurrency or make payments.
  • Bloggers – Run news sites reporting on ransomware attacks and trends.

This division of duties enables specialization and makes the ransomware business model very efficient. Cybercriminals can purchase turnkey ransomware kits, hire specialists for distribution and negotiation, outsource money laundering, and minimize direct involvement in attacks.

Ransomware Revenue Sources

Ransomware groups generate revenue from multiple sources:

  • Ransom payments from victims
  • Upfront payments or profit-sharing from affiliates
  • Subscription fees for RaaS access
  • Reselling access to breached networks and data
  • Cryptocurrency theft and mining using infected systems

It is a highly diversified and resilient business model. Even law enforcement takedowns of individual groups often do little to disrupt overall operations.

Ransomware Costs for Victims

Beyond just the ransom, victims also face various secondary costs including:

  • Lost revenue from business interruption
  • Cost of restoring systems from backups
  • Temporary outsourcing to maintain operations
  • Customer churn and reputation damage
  • Legal liability and regulatory fines
  • Increased insurance premiums

Some estimates put the total average cost of a ransomware attack for midsize companies at around $2 million when all damage is considered.

Is Paying Ransoms Recommended?

There is extensive debate around paying ransoms. Potential advantages include:

  • Quicker recovery of files
  • Avoiding business disruption
  • Preventing stolen data leaks

However, paying ransoms also has downsides:

  • No guarantee files will be recovered
  • May be illegal depending on jurisdiction, and in the US can violate sanctions law if the recipient is a sanctioned person or group (the Treasury’s OFAC has issued advisories on exactly this risk)
  • Encourages more attacks
  • Shows inability to defend against ransomware

Ultimately, the decision to pay is a complicated cost-benefit analysis for each individual victim organization, ideally made with legal counsel and incident responders rather than under pressure from a countdown timer. There are merits on both sides, and no perfect answer. Many victims do end up paying, though law enforcement discourages this.

Conclusion

Ransomware remains one of the top cybercrime threats to businesses, with huge profits fueling constant innovation and growth for attackers. By better understanding how ransomware works and spreads, organizations can implement more effective security to detect and respond to attacks. Defense in depth combining strong technical controls, user training, incident response plans, tested offline backups, and other layers is key to mitigating the business disruption and financial damages of ransomware.