What Is a Ransomware Attack?

Ransomware is a type of malicious code (malware) that threatens to publish the victim's data, or to block access to that data or to the computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker. In many cases, the ransom demand comes with a deadline. If the victim doesn't pay in time, the data is gone forever or the ransom increases.

Ransomware attacks are all too common these days. Major companies in North America and Europe alike have fallen victim to it. Cybercriminals will attack any consumer or any business and victims come from all industries.

Several government agencies, including the FBI, advise against paying the ransom so as not to encourage the ransomware cycle, as does the No More Ransom Project. Furthermore, half of the victims who pay the ransom are likely to suffer repeat ransomware attacks, especially if the malware is not cleaned from the system.


Example of a ransomware-infected system.

History of Ransomware Attacks

Ransomware can be traced back to 1989, when the "AIDS virus" was used to extort funds from recipients of the ransomware. Payments for that attack were made by mail to Panama, at which point a decryption key was also mailed back to the user.

In 1996, ransomware was described as "cryptoviral extortion," a concept introduced by Moti Yung and Adam Young of Columbia University. This idea, born in academia, illustrated the progression, strength, and creation of modern cryptographic tools. Young and Yung presented the first cryptovirology attack at the 1996 IEEE Security and Privacy conference. Their virus contained the attacker's public key and encrypted the victim's files. The malware then prompted the victim to send the asymmetric ciphertext to the attacker, who would decipher it and return the decryption key, for a fee.

Attackers have grown creative over the years by requiring payments that are nearly impossible to trace, which helps cybercriminals remain anonymous. For example, the notorious mobile ransomware Fused requires victims to pay using Apple iTunes gift cards instead of normal currencies, like dollars.

Ransomware attacks began to soar in popularity with the growth of cryptocurrencies, such as Bitcoin. Cryptocurrency is a digital currency that uses encryption techniques to verify and secure transactions and to control the creation of new units. Beyond Bitcoin, there are other popular cryptocurrencies that attackers prompt victims to use, such as Ethereum, Litecoin, and Ripple.

Ransomware has attacked organizations in nearly every vertical, with one of the most famous cases being the attack on Presbyterian Memorial Hospital. This attack highlighted the potential damage and risks of ransomware: labs, pharmacies, and emergency rooms were hit.

Examples of Ransomware

By learning about the major ransomware attacks below, organizations will gain a solid foundation of the tactics, exploits, and characteristics of most ransomware attacks. While there continue to be variations in the code, targets, and functions of ransomware, the innovation in ransomware attacks is typically incremental.

WannaCry: A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a kill switch was tripped to stop its spread. Proofpoint was involved in finding the sample used to find the kill switch and in deconstructing the ransomware. 

CryptoLocker: This was one of the first of the current generation of ransomware that required cryptocurrency (Bitcoin) for payment and encrypted a user's hard drive and attached network drives. CryptoLocker was spread via an email with an attachment that claimed to be a FedEx or UPS tracking notification. A decryption tool was released for it in 2014, but various reports suggest that upwards of $27 million was extorted by CryptoLocker.

NotPetya: Considered one of the most damaging ransomware attacks, NotPetya leveraged tactics from its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows-based system. NotPetya leveraged the same vulnerability from WannaCry to spread rapidly, demanding payment in bitcoin to undo the changes. It has been classified by some as a wiper since NotPetya cannot undo its changes to the master boot record and renders the target system unrecoverable.

Bad Rabbit: Considered a cousin of NotPetya and using similar code and exploits to spread, Bad Rabbit was a visible ransomware campaign that appeared to target Russia and Ukraine, mostly impacting media companies there. Unlike NotPetya, Bad Rabbit did allow for decryption if the ransom was paid. The majority of cases indicate that it was spread via a fake Flash Player update delivered through a drive-by attack.

REvil: REvil is authored by a group of financially motivated attackers. It exfiltrates data before it encrypts it, so that targeted victims can still be blackmailed into paying if they choose not to send the ransom for decryption. The attack stemmed from compromised IT management software used to patch Windows and Mac infrastructure: attackers compromised the Kaseya software and used it to push the REvil ransomware onto corporate systems.

Ryuk: Ryuk is a manually distributed ransomware application mainly used in spear-phishing. Targets are carefully chosen using reconnaissance. Email messages are sent to chosen victims, and all files hosted on the infected system are then encrypted.

Who is At Risk?

Any device connected to the internet is at risk of becoming the next ransomware victim. Ransomware scans a local device and any network-connected storage, which means that a vulnerable device also makes the local network a potential victim. If the local network is a business, the ransomware could encrypt important documents and system files that could halt services and productivity.

If a device connects to the internet, it should be updated with the latest software security patches, and it should have anti-malware installed that detects and stops ransomware. Outdated operating systems such as Windows XP that are no longer maintained are at a much higher risk.

Why is Ransomware Spreading?

With more people working from home, threat actors increased their use of phishing. Phishing is a primary starting point for ransomware infection. The phishing email targets employees, both low-privileged users and high-privileged users. Email is inexpensive and easy to use, so it makes a convenient way for attackers to spread ransomware.

Documents are normally passed around in email, so users think nothing of opening a file attached to a message. When the document is opened, the malicious macro runs, downloads ransomware to the local device, and then delivers its payload. The ease of spreading ransomware by email is why it's such a common malware attack.
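The attachment-based delivery described above is where an email gateway gets its first chance to intervene. The following is an added example, not code from the original post: it constructs a phishing-style message in memory (a fake "tracking notification" carrying a macro-enabled Word file, plus a harmless text file for contrast) and screens each attachment for the traits of a macro dropper: a risky extension, a double extension that disguises the real type, an OOXML package containing a VBA project part, or a legacy OLE container. The sender addresses, file names and the extension list are constructed assumptions, not values from the post.

```python
# Added example (not from the original post): screen an e-mail's attachments for the
# traits of a macro-based ransomware dropper before the message reaches a mailbox.
# Sample message, file names and the extension list are constructed for illustration.
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions frequently used for macro-enabled documents and script droppers
# (assumption: a small starter list, not a complete gateway policy).
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".js", ".vbs", ".hta", ".exe", ".scr", ".iso"}
# Magic bytes of the two Office container formats: legacy OLE (.doc/.xls) and OOXML (zip).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# "Invoice.pdf.docm" style names: a benign-looking inner extension hides the real one.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|txt|jpg|png|gif)\.[a-z0-9]{2,4}$")


def build_sample_message():
    """Construct a phishing-style message carrying a macro-enabled Word file (.docm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 32)  # stub VBA part, contains no code
    fake_docm = buf.getvalue()

    msg = EmailMessage()
    msg["From"] = "tracking@parcel-notice.invalid"   # constructed sender
    msg["To"] = "employee@example.invalid"           # constructed recipient
    msg["Subject"] = "Your shipment tracking notification"
    msg.set_content("Please open the attached tracking document.")
    msg.add_attachment(fake_docm, maintype="application", subtype="octet-stream",
                       filename="Tracking_Notice.pdf.docm")
    msg.add_attachment("Meeting notes", filename="notes.txt")  # benign, for contrast
    return msg.as_bytes()


def ooxml_has_macros(data):
    """True if an OOXML (zip) package contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def scan_attachments(raw_message):
    """Return {filename: [reasons]} for every attachment; an empty list means no finding."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky extension {ext}")
        if DOUBLE_EXT_RE.search(lower):
            reasons.append("double extension disguises the real file type")
        if data.startswith(ZIP_MAGIC) and ooxml_has_macros(data):
            reasons.append("Office document contains a VBA macro project")
        if data.startswith(OLE_MAGIC):
            # Legacy OLE files need a real OLE parser to confirm macros; flag for review.
            reasons.append("legacy OLE Office container (macros cannot be ruled out)")
        report[name] = reasons
    return report


def should_quarantine(report):
    """Quarantine the whole message if any attachment produced a finding."""
    return any(reasons for reasons in report.values())


if __name__ == "__main__":
    findings = scan_attachments(build_sample_message())
    for filename, reasons in findings.items():
        print(filename, "->", "; ".join(reasons) or "clean")
    print("quarantine:", should_quarantine(findings))
```

Checking the package contents rather than trusting the extension matters because a macro-enabled document renamed to `.docx` still contains `word/vbaProject.bin`; the extension and double-extension checks are cheap first-pass signals, while the container inspection is the one that actually settles whether macros are present.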

How to Prevent Ransomware Attacks

Defend your email against ransomware: Email phishing and spam are the main ways that ransomware attacks are distributed. Secure email gateways with targeted attack protection are crucial for detecting and blocking the malicious emails that deliver ransomware. These solutions protect against malicious attachments, malicious documents, and URLs in emails delivered to the user's computer.

Defend your mobile devices against Ransomware: Mobile attack protection products, when used in conjunction with mobile device management (MDM) tools, can analyze applications on users’ devices and immediately alert users and IT to any applications that might compromise the environment.

Defend your web surfing against Ransomware: Secure web gateways can scan users’ web surfing traffic to identify malicious web ads that might lead them to ransomware.

Monitor your server, network, and backup key systems: Monitoring tools can detect unusual file access activities, viruses, network C&C traffic, and CPU loads, possibly in time to block ransomware from activating. Keeping a full image copy of crucial systems can reduce the risk of a crashed or encrypted machine causing a crucial operational bottleneck.
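The monitoring point above, that unusual file access activity can be spotted in time to act, is easiest to see with a concrete detector. The following is an added example, not code from the original post: it replays constructed file-activity log lines (the log format, host name, process names and share paths are all assumptions made for the example) and raises an alert on two traits of an encryption run: a burst of renames to a single new extension by one process within a short window, and the writing of a ransom-note-like file. The thresholds are also assumptions and would be tuned against real baselines.

```python
# Added example (not from the original post): a small detector that replays file-activity
# log lines and alerts on two ransomware traits: a burst of renames to one new extension
# from a single process, and the writing of a ransom-note-like file.
# Log format, host names, paths and thresholds are constructed for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log line layout: "<ISO time> <host> user=<u> proc=<p> op=<op> path=<p> [-> <new>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\w+) path=(?P<path>.+?)(?: -> (?P<new>.+))?$"
)
RENAME_THRESHOLD = 5      # renames to one new extension ...
WINDOW_SECONDS = 60       # ... within this many seconds from one process on one host
NOTE_NAME_RE = re.compile(r"(decrypt|restore|recover).*\.(txt|html|hta)$", re.I)

# Constructed sample: routine user activity, then one process renaming share files in bulk.
SAMPLE_LOG = r"""
2024-05-01T10:00:01Z ws17 user=alice proc=outlook.exe op=write path=C:\Users\alice\mail.pst
2024-05-01T10:00:30Z ws17 user=alice proc=winword.exe op=write path=C:\Users\alice\Docs\memo.docx
2024-05-01T10:03:00Z ws17 user=alice proc=updater.exe op=rename path=\\fs01\Finance\Q1.xlsx -> \\fs01\Finance\Q1.xlsx.locked
2024-05-01T10:03:05Z ws17 user=alice proc=updater.exe op=rename path=\\fs01\Finance\Q2.xlsx -> \\fs01\Finance\Q2.xlsx.locked
2024-05-01T10:03:10Z ws17 user=alice proc=updater.exe op=rename path=\\fs01\Finance\budget.docx -> \\fs01\Finance\budget.docx.locked
2024-05-01T10:03:15Z ws17 user=alice proc=updater.exe op=rename path=\\fs01\Finance\payroll.csv -> \\fs01\Finance\payroll.csv.locked
2024-05-01T10:03:20Z ws17 user=alice proc=updater.exe op=rename path=\\fs01\Finance\board.pptx -> \\fs01\Finance\board.pptx.locked
2024-05-01T10:03:25Z ws17 user=alice proc=updater.exe op=rename path=\\fs01\Finance\contracts.pdf -> \\fs01\Finance\contracts.pdf.locked
2024-05-01T10:03:45Z ws17 user=alice proc=updater.exe op=write path=\\fs01\Finance\HOW_TO_DECRYPT.txt
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def file_name(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path):
    name = file_name(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    """Return a list of alert dicts in the order the triggering events were seen."""
    alerts = []
    windows = defaultdict(deque)   # (host, proc) -> recent (timestamp, new extension)
    already_flagged = set()        # one rename-burst alert per (host, proc)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["proc"])
        if ev["op"] == "rename" and ev["new"]:
            win = windows[key]
            win.append((ev["ts"], extension(ev["new"])))
            # Drop events older than the window; the newest event keeps the deque non-empty.
            while (ev["ts"] - win[0][0]).total_seconds() > WINDOW_SECONDS:
                win.popleft()
            if (len(win) >= RENAME_THRESHOLD
                    and len({e for _, e in win}) == 1
                    and key not in already_flagged):
                already_flagged.add(key)
                alerts.append({"type": "rename_burst", "host": ev["host"], "proc": ev["proc"],
                               "ts": ev["ts"].isoformat(),
                               "detail": f"{len(win)} renames to .{win[-1][1]} within {WINDOW_SECONDS}s"})
        elif ev["op"] == "write" and NOTE_NAME_RE.search(file_name(ev["path"])):
            alerts.append({"type": "ransom_note", "host": ev["host"], "proc": ev["proc"],
                           "ts": ev["ts"].isoformat(),
                           "detail": f"wrote {file_name(ev['path'])}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

On the sample the rename-burst alert fires at the fifth rename, twenty seconds into the run and before the note is written, which is the window the text has in mind for blocking the process or isolating the host. The note-name pattern is deliberately loose and will also match ordinary files named like "restore_notes.txt", so in practice it is weighted together with the rename signal rather than used on its own.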

How to Remove Ransomware

Call federal and local law enforcement: Just as someone would call a federal agency for a kidnapping, organizations need to call the same bureau for ransomware. Their forensic technicians can ensure systems aren’t compromised in other ways, gather information to better protect organizations going forward, and try to find the attackers.

Ransomware Recovery

Learn about anti-ransomware resources: The No More Ransom portal and Bleeping Computer have tips, suggestions, and even decryption tools for selected ransomware families.

Restore data: If organizations have followed best practices and kept system backups, they can restore their systems and resume normal operations.

For more tech-related news and posts, follow me on itech_horn.
