Ransomware can be an immensely profitable business for cybercriminals. It can infiltrate computers easily and spread rapidly throughout their networks.
Attackers encrypt files and data, then demand payment in cryptocurrency, which is hard to trace, for the decryption key. Most cybersecurity experts and law enforcement agencies advise against paying: there is no guarantee the attackers will hand over a working decryptor, and every payment funds and encourages further attacks.
What is Ransomware?
Ransomware is malware that denies access to data, usually by encrypting it, until a ransom is paid. It is frequently used against critical infrastructure, government agencies and healthcare systems.
Ransomware usually enters a device or network through a phishing email or another social engineering lure, then searches for valuable files and encrypts them. Finally the attackers leave a ransom note with instructions for paying in exchange for the decryption key.
Cybercriminals have adopted ransomware because it is so accessible: ransomware-as-a-service (RaaS) kits bought or leased from malware developers let affiliates run attacks without any real programming expertise.
Ransomware is among the most profitable forms of cyber attack. Paying the ransom does not guarantee the victim receives a working decryption key, and organisations known to have paid may be targeted again by criminals who learn that they do.
A typical attack locks a computer or other device, or encrypts the data on it, and then demands payment. The amount varies with the group behind the attack and with the victim's perceived ability to pay.
Businesses of all sizes face a growing threat. Attackers get in through malvertising, compromised websites, trojanised software downloads, stolen credentials and exposed remote access services. Legacy signature-based antivirus often misses new variants, so effective defence needs behaviour-based endpoint detection and response alongside it.
To protect against ransomware, keep all systems and devices patched and up to date. Use endpoint detection and network monitoring to spot abnormal behaviour on endpoints and to block connections to command-and-control (C2) servers. Maintain regular backups, keep at least one copy offline, and test that they restore. Establish an incident response plan so the organisation can respond to and recover from an attack quickly. Threat intelligence on emerging ransomware families helps defenders prioritise detections and patches. To limit spread, quarantine infected machines immediately; ideally this is automated by security tooling that isolates a host, cuts its network flows and blocks lateral movement as soon as encryption activity is detected.
1. Phishing Emails
Email is one of the primary infection vectors for ransomware. Criminals use social engineering to fool recipients into opening attachments in phishing emails; once opened, the malicious file installs a loader on the victim's device, which fetches the ransomware and begins searching for and encrypting valuable files. In more advanced intrusions the operators first harvest login credentials, then use them over Remote Desktop Protocol (RDP) to reach additional endpoints across the organisation before encrypting.
Once the malware is running on a device, it encrypts every file it can reach, including files on mapped network drives and shares, rendering them unusable, and the criminals then demand a ransom to decrypt them.
To counter this threat, organisations must ensure employees practise strong password hygiene and know how to spot scam emails before clicking links or opening attachments. Regular security awareness training should run alongside tabletop exercises that rehearse new threats. Risk assessments should identify and protect the most critical assets, and a comprehensive security strategy should include backup and disaster recovery plans that minimise the impact of data loss.
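As an added example, not code from the original page, the following Python script applies the kind of attachment policy a mail gateway or SOC triage job would enforce against the phishing lures described above: it parses a raw message and flags attachments whose names end in executable, script or macro-enabled extensions, or that hide a second extension inside an archive name. The blocked-extension list, the archive list and the sample message are assumptions constructed here for illustration; tune the lists to your own mail policy.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Assumed policy list: attachment types that ransomware loaders commonly arrive as.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk", ".iso", ".img",
    ".docm", ".xlsm", ".pptm",  # macro-enabled Office documents
}
# Archives are not blocked outright, but they hide the inner file's extension.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}


def classify_filename(name: str) -> Optional[str]:
    """Return a reason string if the attachment name looks dangerous, else None."""
    lowered = name.strip().lower()
    stem, sep, ext = lowered.rpartition(".")
    if not sep:
        return None  # no extension at all
    ext = "." + ext
    if ext in BLOCKED_EXTENSIONS:
        # Catches plain "setup.exe" and double extensions like "invoice.pdf.exe".
        return f"blocked extension {ext}"
    if ext in ARCHIVE_EXTENSIONS:
        if "." in stem:
            return f"double extension before archive suffix ({lowered})"
        return f"archive attachment {ext}: inspect contents before delivery"
    return None


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw RFC 822 message and return (filename, reason) per suspicious part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # body text or container part, not an attachment
        reason = classify_filename(filename)
        if reason:
            findings.append((filename, reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing lure with three attachments; not a real captured email."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please review the attached invoice today.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Invoice_4471.pdf.exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename="statement.zip")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample_message()):
        print(f"{filename}: {reason}")
```

The check is deliberately name-based and cheap so it can run inline at the gateway; a second stage that opens archives and inspects the inner files (or detonates them in a sandbox) belongs behind it, because the archive rule here only flags, it does not look inside.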
2. Social Engineering
Criminals use social engineering to exploit users, which is why ransomware attacks so often start with phishing emails that impersonate legitimate businesses and carry links or attachments leading to infection. Awareness training programmes should therefore teach employees to treat unexpected attachments with suspicion, to verify a requester's identity before granting access to critical systems, and to avoid untrusted public Wi-Fi.
Once inside, ransomware encrypts files and replaces the originals with the encrypted copies; this is straightforward for the author because the cryptographic primitives are available from the operating system's own APIs or standard libraries. Attackers favour sectors that are both poorly defended and sensitive to downtime: healthcare, small and mid-sized businesses (SMBs), government, critical infrastructure, non-governmental organisations (NGOs) and education.
Attackers often use Remote Desktop Protocol (RDP) with stolen or guessed credentials to move from one compromised system to the rest of the network. CISOs should therefore maintain a disaster recovery plan that includes isolated backups, monitor dark web marketplaces for leaked company credentials, and test security controls regularly.
3. Cracked Software
Cracked-software sites have long been an attractive platform for spreading malware. Criminals bundle the cracked installer with malicious code that lets them monitor the device after installation and exploit whatever weaknesses they find. Pirated software also never receives vendor updates, so known vulnerabilities in it stay open indefinitely.
The malware delivered this way typically encrypts the victim's files and demands payment in cryptocurrency, which gives the criminals a degree of pseudonymity and makes the money harder for law enforcement to trace.
To combat this, businesses should enforce software policies that forbid unlicensed installs, keep systems patched and updated, and test their controls regularly; this reduces employee exposure to cracked software and speeds data recovery when an incident does occur.
4. Malicious Pop-Ups
Cybercriminals craft pop-up ads that trick unwary users into downloading malware, then use it to collect sensitive information such as passwords and financial data or to deploy ransomware on the device.
Hints that a pop-up is fake include spelling mistakes, unprofessional images and an artificial sense of urgency, such as a countdown timer warning that your device will shut down shortly.
Tech support scam pop-ups display messages claiming a virus or security threat has been detected on the victim's device and prompt them to call a help line number or subscribe to an online service to fix it.
Note that closing a pop-up does not stop malware that has already started; it only closes the window. If the page carried a drive-by download, the malicious code may already be running in the background by the time the window disappears. If you suspect this, force-quit the browser (Windows: Ctrl-Shift-Esc to open Task Manager and end the process; Mac: Command-Option-Esc to open Force Quit), disconnect from the network and run an anti-malware scan as soon as possible.
5. Cold Calls
Cybercriminals use social engineering tactics such as phishing to dupe employees into opening malicious attachments or visiting compromised websites that deliver ransomware through the browser. Blocking Office macros in documents that came from the internet, together with firewalls, behavioural anomaly detection and endpoint protection, helps prevent employees from inadvertently running the malicious file.
Attackers may also use screen lockers that lock users out of their devices and demand payment to unlock them, and 'police' lockers that claim child sexual abuse material, pirated software or other illegal content has been found on the PC and demand a fine to restore access.
Ransomware gangs now systematically gather and exfiltrate sensitive data before encrypting it, a practice known as double extortion. If the victim refuses to pay, the criminals threaten to publish the stolen data online. Some companies have paid rather than rebuild from backups, which is part of what makes ransomware one of the most dangerous digital threats for businesses and consumers alike.
Why Are Ransomware Attacks Emerging?
Ransomware attacks can have serious repercussions for businesses: recovery can take days or even weeks, and the reputational damage can drive customers away.
Joseph Popp's 1989 AIDS Trojan, the first known ransomware, merely hid file directories and scrambled file names; modern ransomware encrypts entire drives or whole systems. Once attackers gain initial access they connect back to their command-and-control (C2) server, map the network and locate backups, and only then encrypt as much of the environment as possible.
Cybersecurity experts warn against paying ransoms because payment encourages criminals to keep targeting organisations. Paying may also violate OFAC sanctions regulations when the recipient is a sanctioned individual, entity or jurisdiction. Following guidance such as the Australian Cyber Security Centre (ACSC) best practices, which cover backup storage, vulnerability patching and training employees to recognise phishing emails and suspicious links or attachments, reduces the risk of a successful attack.
Ransomware – The Latest Cyber Attacks Against Businesses
Ransomware is one of the most dangerous cyberthreats that businesses currently face, encrypting files and documents on computers ranging from single endpoints to entire networks and servers.
Backing up data regularly is essential to avoid having to pay ransom demands, and keeping software up to date closes the security holes that attackers exploit. Ad blockers help protect users from malvertising and drive-by downloads that lead to infection.
How To Defend Against Ransomware?
Ransomware is malicious software aimed at businesses, hospitals, schools and other institutions that depend on data to operate. It is particularly damaging for organisations that hold confidential data, because without usable backups a refusal to pay can mean the permanent loss of files, and when data was also stolen, their exposure.
One of the best defences is to back up data regularly to external storage or the cloud, so that if ransomware strikes you can restore quickly and easily. Keep the backup disconnected or otherwise isolated from the production network, because ransomware that can reach a backup will encrypt it too.
Keep your operating system and security software current; these updates frequently contain the patches that close the vulnerabilities ransomware exploits.
Use strong, unique passwords for every account and never share them. Avoid untrusted public Wi-Fi networks, which expose your traffic to anyone else on the network; if you must use one, connect through a virtual private network (VPN). Disable AutoRun and AutoPlay for removable media so that a plugged-in USB device cannot launch malware automatically.
1. Update all outdated software
Many attackers target outdated software because known vulnerabilities make it simpler to get into devices and networks. They use drive-by downloads, exploit kits and malvertising (malicious ads served through otherwise legitimate advertising networks) to install ransomware.
Once a device is infected, the ransomware encrypts files and displays a message demanding payment to unlock them. Even when payment is made, the attacker may or may not deliver a working decryptor.
Applying software and operating system updates promptly mitigates many threats, but keeping up with all of them can be time-consuming and costly, which is why patching should be prioritised by exposure and exploitability.
Security testing, including penetration tests and vulnerability assessments, should be an integral part of risk management so that weaknesses in systems and applications are found before attackers find them. Schedule these tests regularly to detect and fix the vulnerabilities that lead to ransomware intrusions. Enterprises should also back up critical data regularly, so that when an attack does occur they can power down affected endpoints, reimage them from known-good images, restore data from backup and apply outstanding patches before reconnecting.
2. Use stronger passwords
Employees who use weak or reused passwords leave their systems open to attackers, who use the compromised logins to enter the company network and launch ransomware. Companies should require strong passwords and multi-factor authentication for every login, and especially for remote access.
Disabling unnecessary accounts and services and removing standing privileges also shrinks the 'blast radius' of an intrusion, leaving attackers with less access to critical data.
Keep backup copies of all business-critical information so that, if ransomware strikes, you can restore systems quickly without paying.
Paying ransoms is strongly discouraged by cybersecurity and law enforcement agencies: it encourages further attacks and does not guarantee you will receive a working key. In the United States, paying a sanctioned individual or entity can also violate Treasury Department (OFAC) regulations, and other jurisdictions have similar rules.
3. Avoid using public Wi-Fi
Ransomware attacks come in many forms, but typically they encrypt files and block access, affecting anything from a single PC to an entire network including servers. Attackers also harvest valuable information such as login credentials, customer personal details and intellectual property, which they can sell or use for extortion.
Open public Wi-Fi networks let anyone join, which can expose your traffic to other users on the network and enables man-in-the-middle attacks.
An attacker on the same network could intercept your traffic or redirect it to malicious websites designed to harvest login IDs and passwords.
The safest approach is to use trusted private networks whenever possible. When you must use public Wi-Fi, prefer password-protected networks whose name you can verify with the venue, use a VPN, and make sure the sites you log into use HTTPS.
4. Upgrade your security system
Corporate CISOs are increasingly alarmed by attacks on essential service providers in oil, food and transportation. Ransomware attacks against Colonial Pipeline, the meat processor JBS and the Massachusetts Steamship Authority disrupted operations by encrypting files and demanding payment for the decryption key.
Ransomware typically enters networks through a few main vectors: phishing and other social engineering, exploit kits, and exposed remote access services with stolen or weak credentials. Exploit kits sit on compromised or malicious websites and probe each visitor's browser and plugins for unpatched vulnerabilities, then exploit them to download and run ransomware.
Attackers are also increasingly exploiting zero-day vulnerabilities: flaws that the vendor does not yet know about, or has not yet patched, so that no fix is available to defenders. Zero-days are particularly dangerous because they bypass existing defences and let attackers spread across networks quickly. A solid defence strategy includes an emergency backup and recovery plan and network segmentation that reduces the attack surface and limits how far an intrusion can spread.
5. Back-Up Your Data
When faced with a ransomware attack, the first thing to remember is not to pay the criminals; law enforcement agencies give the same advice, because paying only encourages them to attack your business, or others like it, again.
Your organisation must keep regular backups that can be restored even when the production network itself is compromised. That means offline backups on drives or other media that are disconnected after each backup run, or immutable copies the attacker cannot alter, that can be reattached and restored at will.
Employees should also be educated to identify suspicious email attachments and links so they do not accidentally run malware. It is also wise to limit each user's access to only the files they need, which protects sensitive information and limits what an attacker who hijacks that account can encrypt or leak.
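The following Python script is an added example, not code from the original page, of the restore check that belongs in a backup plan: it records a SHA-256 manifest of a data set, stores the manifest with the offline copy, and later verifies a restored tree against it, reporting files whose content changed (for instance, overwritten by an encryptor) and files that appeared after the backup was taken (ransom notes). The sample directory, file names and simulated damage are constructed in a temporary directory for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file path (relative to root, POSIX form) to its SHA-256 digest."""
    return {
        path.relative_to(root).as_posix(): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored_root: Path) -> List[str]:
    """Compare a restored tree with the manifest taken at backup time.

    Returns human-readable problems: files missing, files whose content changed,
    and files that did not exist when the manifest was written.
    """
    problems: List[str] = []
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif hash_file(target) != expected:
            problems.append(f"modified: {rel}")
    for rel in build_manifest(restored_root):
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> List[str]:
    """Constructed scenario: manifest a data set, simulate an encryptor, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"
        (data / "reports").mkdir(parents=True)
        (data / "reports" / "q1.xlsx").write_bytes(b"quarter one figures")
        (data / "notes.txt").write_bytes(b"meeting notes")

        # At backup time: write the manifest and keep it with the offline copy.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(data), indent=2))

        # Simulated ransomware: one file overwritten with ciphertext, a note dropped.
        (data / "notes.txt").write_bytes(os.urandom(32))
        (data / "README_TO_RESTORE.txt").write_bytes(b"pay us to get your files back")

        # At restore time: load the manifest from the offline copy and check the tree.
        stored = json.loads(manifest_path.read_text())
        return verify_restore(stored, data)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

The manifest must travel with the offline copy, not sit on the production share: a manifest the attacker can rewrite proves nothing. The same check, run against the backup media before a restore, also tells you whether the backup itself was taken after encryption had already started.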
Popular Ransomware Variants
Since its invention, ransomware has been an effective means of extorting money from organisations. Typically it encrypts sensitive files and demands payment in bitcoin or another cryptocurrency for the decryption key.
Cybercriminals use ransomware against a range of devices, from computers and servers to printers, smartphones and wearables, exploiting human weaknesses as well as system and network vulnerabilities to reach sensitive information on an endpoint and take control of it.
Depending on the variant, an attacker may use pop-up windows to scare victims into paying a fee or buying software that claims to fix the problem; that software often installs further malware and steals sensitive data.
Current ransomware attacks are mostly crypto (file-encrypting) or locker (device-locking) variants, but recent attacks have also reached enterprise systems through stolen Remote Desktop Protocol (RDP) credentials; attackers then log in to endpoints on the enterprise network and control them remotely.
Ransomware became a worldwide threat following WannaCry’s 2017 outbreak and many variants have since appeared.
Locker ransomware blocks access to the device itself, typically with a full-screen lock, while crypto ransomware encrypts individual files and demands payment for the decryption key; later variants also target shared network drives and synced cloud storage.
Ryuk was one of the first ransomware families to focus on large enterprises that can afford big ransom payments. It encrypts local files and network drives and deletes Volume Shadow Copies so the victim cannot roll back.
Ryuk first emerged in 2018 and quickly became known for going after large, high-value targets, a practice known as 'big game hunting'. It is based on an earlier family called Hermes, which was sold on underground forums in 2017.
Once it runs, Ryuk kills services and processes that might hold files open, tries to disable backup and recovery features, and then encrypts files. It is deployed after a hands-on-keyboard intrusion rather than by self-spreading, although later builds added the ability to propagate across the local network.
Ryuk first made headlines for attacking US newspapers, then moved on to healthcare providers and city governments; the 2019 attack on New Bedford, Massachusetts disrupted city IT systems. In September 2020 it hit Universal Health Services, forcing hospitals across the chain back to paper records.
Like other ransomware of its era, Ryuk was usually deployed after Emotet and TrickBot, information-stealing trojans that gave the operators their foothold. Behaviour-based endpoint detection, which blocks suspicious process chains rather than relying on signatures, is the most reliable way to stop it before installation.
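As an added example, not from the original page or any vendor's product, here is the kind of detection a SOC would run over process-creation telemetry to catch the backup sabotage described above, which typically precedes encryption: it matches command lines against known recovery-inhibition commands (MITRE ATT&CK T1490) and escalates when several distinct rules fire under the same parent process on one host. The flattened key=value log format and the sample events are constructed; real Sysmon Event ID 1 or Windows 4688 events carry the same fields under different names.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Command lines used to sabotage recovery (MITRE ATT&CK T1490, Inhibit System Recovery).
RECOVERY_TAMPER_RULES = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin_resize_storage": re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit(?:\.exe)?.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "powershell_shadowcopy_delete": re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
}

# key=value or key="quoted value" fields of the assumed flattened event format.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed process-creation events: one benign admin command, one benign service,
# and three recovery-tampering commands spawned by the same parent on host WS01.
SAMPLE_EVENTS = [
    r'2024-03-02T10:14:01Z host=WS01 pid=812 ppid=4 user=CORP\svc image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"',
    r'2024-03-02T10:14:55Z host=WS01 pid=4120 ppid=3998 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    r'2024-03-02T10:14:56Z host=WS01 pid=4133 ppid=3998 user=CORP\jdoe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c bcdedit /set {default} recoveryenabled No"',
    r'2024-03-02T10:15:02Z host=FS02 pid=2210 ppid=2011 user=CORP\backupsvc image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe list shadows"',
    r'2024-03-02T10:15:03Z host=WS01 pid=4140 ppid=3998 user=CORP\jdoe image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin delete catalog -quiet"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened event line into a field dictionary."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per event whose command line matches a tamper rule."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        event = parse_event(line)
        cmdline = event.get("cmdline", "")
        for rule, pattern in RECOVERY_TAMPER_RULES.items():
            if pattern.search(cmdline):
                findings.append({
                    "rule": rule,
                    "host": event.get("host", "?"),
                    "ppid": event.get("ppid", "?"),
                    "pid": event.get("pid", "?"),
                    "user": event.get("user", "?"),
                    "cmdline": cmdline,
                })
                break  # one finding per event is enough
    return findings


def escalate(findings: List[Dict[str, str]], min_rules: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """Group hits by (host, parent pid); several distinct rules from one parent is the
    pre-encryption signature, far stronger than any single command."""
    by_parent: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for finding in findings:
        key = (finding["host"], finding["ppid"])
        if finding["rule"] not in by_parent[key]:
            by_parent[key].append(finding["rule"])
    return {key: rules for key, rules in by_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(f'{hit["host"]} pid={hit["pid"]} {hit["rule"]}: {hit["cmdline"]}')
    for (host, ppid), rules in escalate(hits).items():
        print(f"ESCALATE {host} parent={ppid}: {', '.join(rules)}")
```

A lone "vssadmin list shadows" from a backup service account is routine and is correctly ignored; the escalation keys on the parent process because ransomware typically launches each sabotage command from its own process, so a single parent issuing shadow deletion, boot-recovery disablement and catalog deletion within seconds is the moment to isolate the host.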
Maze, active from 2019 until its operators announced a shutdown in late 2020, popularised double extortion: it stole data before encrypting it and published victims' files on a leak site when they refused to pay, a model most major groups have since copied.
Scareware tricks users with alarming messages such as "Your PC is Infected!" or "Attackers can see your IP, protect it now!". Taking the bait installs the malware, which can then lock the device or encrypt its files.
CryptoLocker, which appeared in 2013, was one of the most notable early crypto-ransomware families, extorting an estimated $3 million before its infrastructure was taken down in 2014. It encrypted files with strong public-key cryptography, scrambled their names and deleted system restore points, making recovery impossible without the attacker's key or a backup.
REvil (short for Ransomware Evil, also known as Sodinokibi) is a ransomware-as-a-service family that encrypts files, deletes backups and shadow copies, and can spread across a victim's systems. It evades some security products and hides inside legitimate-looking processes, which makes detection and removal harder than expected.
In July 2021 REvil affiliates exploited Kaseya's VSA remote management software to push ransomware to the customers of managed service providers in a single supply-chain attack; the Swedish supermarket chain Coop had to close hundreds of stores because its point-of-sale terminals and self-service checkouts stopped working. The attackers then demanded payment for a universal decryptor.
REvil descends from GandCrab and shares much of its design. Like other crypto malware it checks the system's UI and keyboard languages against a blocklist and exits on a match, runs only on Windows (a Linux variant for ESXi hosts appeared later), and appends a random alphanumeric extension, unique to each victim, to every encrypted file.
DearCry is ransomware that exploited the ProxyLogon flaws in on-premises Microsoft Exchange servers in March 2021. It creates an encrypted copy of each targeted file and then deletes the original, leaving only the encrypted copy as leverage for extortion. Behaviour-based anti-ransomware controls and signature-based detection both catch it.
Like other ransomware, DearCry demands money to decrypt files, but victims are strongly advised not to pay: attackers often fail to deliver the promised decryptor, and payment is no substitute for restoring from backups. The right response is to patch on-premises Exchange servers immediately and, until they are patched, keep them off the internet to reduce exposure.
Lapsus$ stands out because it is an extortion group rather than a ransomware operation: it rarely encrypts anything, and its goal often seems to be notoriety as much as profit. Emerging in early 2022, the collective quickly made waves by breaching high-profile organisations and leaking the stolen data publicly.
While some of the group's incidents involved extortion demands, many did not; the members, thought to include teenagers, seemed to relish the attention from brazen attacks that drew national media coverage.
Microsoft, which tracks the group as DEV-0537, describes how it gains access by targeting employees of victim organisations and their partners, such as hosting companies, call centres and software suppliers. DEV-0537 also posts advertisements on Telegram recruiting insiders with privileged access who can supply VPN, VDI or Citrix credentials for the group's targets.
As ransomware continues to evolve, users need to know which signs to look for. Ransomware is malware that denies access to systems or files until a ransom is paid; it can arrive through phishing, email attachments, vulnerability exploits, stolen remote-access credentials or self-propagating worms.
Ransomware attacks typically encrypt files, rename them with a new extension, delete system restore points and shadow copies, and protect the per-file keys with asymmetric encryption so that they cannot be recovered without the attacker's private key. Attackers usually gain initial access with credentials stolen from authorised users or bought on the dark web, connect over Remote Desktop Protocol (RDP) or deploy other malware, and then install the ransomware; ransom payments are usually demanded in bitcoin or another cryptocurrency.
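The signs listed above can be turned into a file-activity heuristic. The following Python script is an added example, not code from the original page: it scores each process on three indicators seen in encryption runs, renames that change a file's extension, writes of high-entropy content, and creation of a ransom-note-like file, and flags processes that cross assumed thresholds within a short window. The event format, file contents, note-name pattern and thresholds are constructed for illustration; in production the events would come from an EDR or file-system audit feed.

```python
import math
import os
import re
from collections import defaultdict
from typing import Dict, List

# Assumed pattern for ransom-note filenames dropped next to encrypted files.
NOTE_RE = re.compile(
    r"(?:readme|how[_ -]?to|recover|decrypt|restore)[^/\\]*\.(?:txt|html|hta)$", re.I)

# Constructed stand-ins for file content. Every byte value appears equally often in
# CIPHERTEXT_LIKE, so its entropy is exactly 8.0 bits/byte, as real ciphertext nearly is.
CIPHERTEXT_LIKE = bytes(range(256)) * 8
PLAINTEXT_LIKE = b"Quarterly figures: revenue up 4%, costs flat. " * 40


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0, text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def build_sample_events() -> List[dict]:
    """Constructed file-system events: one encrypting process and two benign ones."""
    t = 1_700_000_000
    events: List[dict] = []
    for i in range(6):  # pid 3321 rewrites six documents and renames each to .locked
        path = f"/srv/share/finance/report{i}.docx"
        events.append({"ts": t + i, "pid": 3321, "op": "write", "path": path, "data": CIPHERTEXT_LIKE})
        events.append({"ts": t + i, "pid": 3321, "op": "rename", "src": path, "dst": path + ".locked"})
    events.append({"ts": t + 7, "pid": 3321, "op": "create", "path": "/srv/share/finance/HOW_TO_RECOVER.txt"})
    # pid 1100: a user saving a document via a temp file (one extension change, low entropy).
    events.append({"ts": t + 3, "pid": 1100, "op": "write", "path": "/srv/share/hr/draft.tmp", "data": PLAINTEXT_LIKE})
    events.append({"ts": t + 4, "pid": 1100, "op": "rename", "src": "/srv/share/hr/draft.tmp", "dst": "/srv/share/hr/draft.docx"})
    # pid 2200: an archiver writing compressed data (high entropy, but no renames, no note).
    events.append({"ts": t + 5, "pid": 2200, "op": "write", "path": "/srv/share/it/logs.zip", "data": CIPHERTEXT_LIKE})
    return events


def summarise(events: List[dict], entropy_threshold: float = 7.0) -> Dict[int, dict]:
    """Per-process indicator counts plus the first and last timestamp seen."""
    stats: Dict[int, dict] = defaultdict(lambda: {
        "ext_changes": 0, "high_entropy_writes": 0, "note_drops": 0, "first": None, "last": None})
    for ev in events:
        s = stats[ev["pid"]]
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
        if ev["op"] == "rename" and os.path.splitext(ev["src"])[1] != os.path.splitext(ev["dst"])[1]:
            s["ext_changes"] += 1
        elif ev["op"] == "write" and shannon_entropy(ev["data"]) >= entropy_threshold:
            s["high_entropy_writes"] += 1
        elif ev["op"] == "create" and NOTE_RE.search(ev["path"]):
            s["note_drops"] += 1
    return dict(stats)


def flag_processes(events: List[dict], window_seconds: int = 60, burst: int = 5) -> List[int]:
    """PIDs whose activity looks like mass encryption (thresholds are assumptions)."""
    flagged = []
    for pid, s in summarise(events).items():
        span = s["last"] - s["first"]
        mass_encrypt = (s["ext_changes"] >= burst and s["high_entropy_writes"] >= burst
                        and span <= window_seconds)
        note_with_rename = s["note_drops"] >= 1 and s["ext_changes"] >= 1
        if mass_encrypt or note_with_rename:
            flagged.append(pid)
    return sorted(flagged)


if __name__ == "__main__":
    sample = build_sample_events()
    for pid, s in summarise(sample).items():
        print(pid, s)
    print("flagged:", flag_processes(sample))
```

No single indicator is reliable on its own: a user's save-through-temp-file changes an extension, and an archiver or a TLS download writes high-entropy data. Requiring several indicators from one process inside a short window is what keeps the false-positive rate tolerable, and the flagged PID is exactly the process an automated isolation step should kill and the host it should quarantine.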