What does a ransomware attack look like?

What is ransomware?

Ransomware is a type of malicious software (malware) that encrypts files on a device and demands payment in order to restore access. It has become an increasingly common cyber threat in recent years. Ransomware typically spreads through phishing emails or by exploiting vulnerabilities. Once installed, it will encrypt files using encryption algorithms and essentially hold the files hostage until the demanded ransom is paid.

How does a ransomware attack unfold?

A ransomware attack typically unfolds in the following stages:

1. Initial compromise

The first stage involves the attacker gaining initial access to a network, usually through phishing emails sent to employees. These emails may contain malicious attachments or links that download the ransomware when opened or clicked on. The ransomware can also be installed through exploit kits that target vulnerabilities in applications.

2. Lateral movement

Once inside the network, the attacker will often attempt to move laterally and gain administrative privileges. This allows them to infect more devices on the network. They may steal credentials or exploit vulnerabilities to do this.

3. Encryption

When ready, the attacker will trigger the installed ransomware to run on compromised devices across the network. The ransomware will encrypt files, folders, drives, or entire servers. Different strains of ransomware use different encryption algorithms, but the end result is the same – the files become inaccessible to the user.

4. Extortion

Once encryption is complete, the ransomware displays a ransom note demanding payment, usually in cryptocurrency like Bitcoin. The note threatens permanent data loss if payment is not made within a short timeframe. The ransom amount can range from a few hundred to millions of dollars.

5. Recovery

If payment is made, attackers may provide a decryption key to restore data. However, there is no guarantee they will comply. The best recovery option is to restore encrypted files from backups, if available. Otherwise, decryption is very difficult without the attacker’s key.

What systems and data are impacted?

Ransomware can target and encrypt:

– Personal documents, photos, videos on desktops and laptops
– Shared folders and drives on servers
– System files on individual computers, causing them to crash
– Databases, virtual machines, and cloud storage if connected to the infected network

Essentially anything connected to an infected system that contains files could potentially be encrypted during a ransomware attack.

What are the signs of a ransomware attack?

On a single computer

Signs that a specific computer may be impacted by ransomware include:

– Being unable to access files and data
– Files having unfamiliar or encrypted extensions
– A ransom note left as a text or HTML file on the desktop
– Strange processes or services running in the Windows Task Manager
– System crashes or boot up failures
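As an added example (not part of the original article), a small Python triage script that checks a directory for the file-level signs listed above: ransom-note-like filenames, unfamiliar or appended extensions, and plaintext files whose contents have become high-entropy. The marker words, extension allow-list, entropy cut-off and in-memory sample files are constructed assumptions for illustration, not a vendor's signatures.

```python
import math
import os
from collections import Counter
from pathlib import Path

# Constructed heuristics (assumptions, not a vendor signature set).
NOTE_MARKERS = ("readme", "decrypt", "restore", "recover", "how_to", "ransom")
EXPECTED_EXT = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv"}
ENTROPY_THRESHOLD = 7.5  # bits/byte; plain text sits far below, ciphertext near 8.0

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(name: str, head: bytes) -> list[str]:
    """Single-host ransomware signs for one file, given its name and leading bytes."""
    p, ext, findings = Path(name), Path(name).suffix.lower(), []
    # Sign: a ransom note dropped as .txt/.html with a telltale name.
    if ext in {".txt", ".html", ".hta"} and any(m in name.lower() for m in NOTE_MARKERS):
        findings.append("ransom-note-like filename")
    # Sign: unfamiliar extension, often appended after the original (report.docx.locked).
    if ext not in EXPECTED_EXT:
        findings.append("unfamiliar extension")
        if len(p.suffixes) >= 2 and p.suffixes[-2].lower() in EXPECTED_EXT:
            findings.append("original extension preserved under new one")
    # Sign: plaintext-typed file whose bytes look random, i.e. encrypted in place
    # (docx/pdf/jpg are skipped: compressed formats are high-entropy by nature).
    if ext in {".txt", ".csv"} and len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        findings.append("high-entropy content in a plaintext-typed file")
    return findings

def scan_tree(root: Path, sample_size: int = 65536) -> dict[str, list[str]]:
    """Walk a real directory; map each suspicious file (relative path) to its signs."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            with p.open("rb") as fh:
                if hits := classify(fn, fh.read(sample_size)):
                    report[p.relative_to(root).as_posix()] = hits
    return report

# Constructed in-memory samples standing in for a scanned host: one clean file, three bad.
SAMPLES = {
    "notes.txt": b"quarterly planning notes\n" * 50,
    "report.docx.locked": os.urandom(4096),
    "README_DECRYPT_FILES.txt": b"Your files are encrypted.\n",
    "data.csv": os.urandom(4096),  # encrypted in place, original name kept
}
```

Run `scan_tree(Path("/path/to/user/data"))` on a real host to get the same findings keyed by file; `classify` alone works on the constructed `SAMPLES` without touching disk.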

On a network

Signs that a wider network is under attack by ransomware include:

– Multiple users reporting file access issues
– Shared files and folders becoming inaccessible
– Server operations like printing slowing or failing
– Ransom notes appearing on multiple computers
– Antivirus software being disabled
– Strange network traffic patterns to unknown locations

What does the ransom note look like?

The ransom note is the message displayed after encryption that details the ransom demands. It is usually left as a text or HTML file in an obvious location such as:

– Desktop
– Shared network folder
– Login/splash screen

Ransom notes often:

– Inform victims their files are encrypted and inaccessible
– Provide a timeframe before which payment must be made
– Threaten permanent deletion of data if payment isn’t received
– Provide instructions for payment in cryptocurrency

These instructions typically include a Bitcoin wallet address, the ransom amount, and steps for making the payment. Ransom notes may also try to intimidate victims by displaying high ransom figures.

What are ransomware’s impacts on an organization?

Ransomware can severely impact an organization’s operations including:

Business disruption

– Employees are unable to access the documents, email, and servers needed for daily business activities
– Operations grind to a halt as systems become unavailable
– Productivity and revenue are lost as focus shifts to dealing with the attack

Reputation damage

– Cyber attacks reflect poorly on the organization's security posture
– Shareholders and customers lose confidence in the breached organization
– Public knowledge of the attack attracts further malicious activity

Financial costs

– Direct ransom demands which may range from hundreds to millions of dollars
– IT and incident response costs to investigate, remediate, and bolster security after the attack
– Revenue losses from business disruption during downtime
– Legal, PR, and regulatory compliance costs

Data Loss

– Encrypted files are permanently lost if the decryption key is not obtained
– Backups that were deleted or encrypted make restoration difficult
– Business-critical data and intellectual property stolen during the attack

What steps do attackers take to increase ransom likelihood?

Attackers use various tactics to pressure victims into paying ransom demands:

Short payment deadlines

Ransom notes often threaten permanent data loss if payment isn’t made within 24-48 hours. This creates urgency to pay the ransom to recover files.

Incremental deadlines

If the initial deadline isn’t met, attackers may extend it in exchange for a higher ransom amount. This further pressures victims.

Stolen data threats

Attackers may threaten to publicly release sensitive data exfiltrated during the attack if the ransom isn’t paid.

Intimidating ransom demands

Large ransom totals intimidate victims into thinking paying is cheaper than rebuilding systems. However, paying encourages more attacks.

Scare tactics

Ransom notes emphasize consequences like legal liability, financial costs, and permanent data loss if ransom isn’t paid.

Pseudonymity

Demands for untraceable cryptocurrency payments coupled with anonymous communication make attackers hard to identify.

What are the different types of ransomware?

There are several major families and strains of ransomware, classified by their behavior:

Encrypting ransomware

The most common type, which encrypts files and makes them inaccessible until a decryption key is provided after the ransom is paid. Examples:

– WannaCry
– CryptoLocker
– CryptoWall

Locker ransomware

This ransomware locks users out of the operating system or computer itself until the ransom is paid. Examples:

– REvil
– MegaCortex

Doxware

Threatens to publish sensitive data stolen during the attack unless ransom is paid. Examples:

– CL0P
– DoppelPaymer

RaaS

Ransomware-as-a-Service enables affiliates to easily distribute ransomware. Examples:

– Ryuk
– Sodinokibi

Mobile ransomware

Designed to lock access or encrypt data on mobile phones and tablets. Examples:

– Android Defender
– Koler

What are the most common ransomware delivery methods?

Phishing emails

Malicious email attachments or links that load and execute ransomware code. Common formats include Office documents, PDFs, and scripts such as JavaScript.

Software vulnerabilities

Exploiting known weaknesses in operating systems, applications, and services to install and run ransomware.

Remote desktop access

Brute forcing RDP access or stealing admin credentials provides a backend entry point for delivering ransomware manually across a network.

Drive-by downloads

Browsing to websites compromised with exploit kits that target browser or plugin vulnerabilities to install ransomware.

Removable media

Infected USB drives, external hard disks, or CDs/DVDs used to transfer ransomware manually onto computers that are offline.

What are the most common ransomware targets?

Microsoft Office

Office documents such as Word and Excel files are commonly used to distribute macros and scripts carrying ransomware.

Out-of-date software

Vulnerable, unsupported operating systems and software are more easily exploited to deliver ransomware.

Healthcare organizations

Ransomware cripples critical systems and the availability of patient records. Attacks can be life-threatening.

State and local government

A high-value target, with a growing number of ransomware attacks impacting services and data availability.

Educational institutions

A wealth of sensitive data combined with cybersecurity weaknesses makes schools ransomware targets.

Cloud environments

Syncing with infected on-prem systems can propagate ransomware to cloud-based files and VMs.

What are the most devastating ransomware strains?

Strain (year) and impact:

– WannaCry (2017): Over 200,000 computers across 150+ countries encrypted. Disrupted critical infrastructure like healthcare, logistics, and telecoms.
– NotPetya (2017): Caused over $10 billion in global damages. Quickly spread through large multinational companies.
– Ryuk (2018): Targeted enterprises and earned over $150 million in ransom. Known for high ransom demands.
– Sodinokibi (2019): RaaS model amplifies attack reach. Leaked data when the ransom was not paid. Earned $123 million+.
– Conti (2020): RaaS ransomware heavily used to attack healthcare, government, and education.

What steps help defend against ransomware?

User education

Training users on phishing and social engineering helps avoid email-based attacks.

Email security

Tools like spam filtering and antivirus help stop phishing emails and malicious attachments from reaching users.

Vulnerability management

Patching known weaknesses used by ransomware to exploit systems reduces attack surface.

Segmented networks

Prevents lateral ransomware spread between systems if an initial compromise occurs.

Offline backups

Critical for restoring encrypted data without paying the ransom. Test them regularly.

Ransomware detection

EDR software can detect ransomware behavior to alert and respond to limit damage.
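An added Python example (not from the original article) of the behavioral detection this section refers to: it reads file-server audit events and alerts when one account touches an unusual number of distinct files within a short window, the pattern behind the "shared files becoming inaccessible" sign listed earlier. The event format, threshold and sample events are constructed assumptions, not any specific EDR product's feed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed audit-event format standing in for a file-server or EDR feed (assumption):
#   <ISO timestamp> user=<account> op=<RENAME|WRITE|DELETE> path=<file> [new=<file>]
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$")
WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 40  # distinct files one account touches inside WINDOW before alerting

def parse(line: str):
    m = LINE_RE.match(line.strip())
    return {**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])} if m else None

def detect_bursts(lines) -> list:
    """Alert once per account whose file-touch rate looks like mass encryption."""
    recent = defaultdict(deque)  # user -> (ts, path, new_name) events inside WINDOW
    alerted, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if not ev or ev["op"] not in {"RENAME", "WRITE", "DELETE"}:
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["path"], ev["new"]))
        while ev["ts"] - q[0][0] > WINDOW:  # drop events older than the window
            q.popleft()
        touched = {p for _, p, _ in q}
        if len(touched) >= BURST_THRESHOLD and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"], "files": len(touched),
                "start": q[0][0], "end": ev["ts"],
                "new_extensions": sorted({PureWindowsPath(n).suffix for _, _, n in q if n}),
            })
    return alerts

def sample_log() -> list:
    """Constructed events: routine edits by one user, then a service account renaming
    60 spreadsheets to a new extension at two files per second."""
    t0 = datetime(2024, 5, 3, 9, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=90 * i)).isoformat()} user=alice op=WRITE "
             f"path=\\\\FS01\\share\\hr\\memo{i}.docx" for i in range(10)]
    for i in range(60):
        ts = (t0 + timedelta(minutes=5, seconds=i // 2)).isoformat()
        lines.append(f"{ts} user=svc_backup op=RENAME path=\\\\FS01\\share\\finance\\q{i}.xlsx "
                     f"new=\\\\FS01\\share\\finance\\q{i}.xlsx.locked")
    return lines
```

`detect_bursts(sample_log())` raises a single alert for `svc_backup` once 40 distinct files have been renamed within the window, naming the new `.locked` extension; the routine user never crosses the threshold.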

Incident response plan

Having a plan for investigation, containment, and communication minimizes business disruption.

How can encrypted data be recovered without paying ransom?

From backups

Restoring data from offline, uninfected backups that were disconnected from the network.

Using decryption tools

Free decryption tools exist for some ransomware strains where the encryption is weak or poorly implemented.

Decryption keys

Keys are sometimes publicly released years later, once attackers abandon older ransomware.

Brute forcing

Trying every possible decryption key using computing power. Only works for weak encryption.

Exploiting flaws

Errors in ransomware code or encryption implementation may enable decrypting some files.

Forensic analysis

Examining ransomware code on infected systems provides insights into decryption methods.

Paying ransom

Obtaining decryption tools by paying is risky and encourages more attacks.

Conclusion

Ransomware is a continuously evolving cyber threat capable of crippling organizations and causing long-term damage that extends well beyond the ransom payment itself. By better understanding how ransomware attacks unfold, their potential impact, and specific defense strategies, organizations can reduce their risk. Having incident response and business continuity plans in place nevertheless remains crucial to managing ransomware attacks effectively. With advanced prevention, detection, and recovery mechanisms, the devastating effects of ransomware can be minimized.