What is Ransomware?
Ransomware is a growing threat to organizations around the world as cybercriminals use it in targeted and damaging attacks. It is a type of malicious software that prevents victims from accessing their documents, pictures, databases and other files by encrypting them and demanding a ransom to decrypt them. A deadline is set for the ransom payment; if the deadline passes, the ransom demand doubles or the files are permanently locked.
How Does Ransomware Work?
An understanding of what ransomware is and how it works is essential in preparing to protect against it. Ransomware is malware that encrypts a victim's files and then demands a ransom to restore access to them. To succeed, ransomware needs to gain access to a target system, encrypt the files there, and demand a ransom from the victim.
Most Popular Ransomware Variants
CryptoWall
Ransomware that started as a CryptoLocker doppelgänger but eventually surpassed it. After the takedown of CryptoLocker, CryptoWall became one of the most prominent ransomware families to date. CryptoWall is known for its use of AES encryption and for conducting its Command & Control communications over the Tor anonymity network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
WannaCry
Ransomware that was spread in a large-scale attack in May 2017, using a Windows SMB exploit called EternalBlue to propagate within and between networks. It infected more than 100,000 computers by taking advantage of an unpatched Microsoft Windows vulnerability.
Jaff
Ransomware that began to be distributed by the Necurs botnet in May 2017 via spam emails carrying a PDF attachment with an embedded DOCM file. When the malware first emerged, it was spread massively, at a rate of approximately 10,000 emails sent per hour.
Locky
Ransomware whose distribution started in February 2016. It spreads mainly via spam emails containing a downloader disguised as a Word or Zip attachment, which then downloads and installs the malware that encrypts the user's files.
TorrentLocker
Ransomware that encrypts user documents, pictures and other types of files. Victims are requested to pay up to 4.1 Bitcoins (approximately US $1800 at the time) to the attackers to decrypt their files.
Cerber
Offline ransomware, meaning that it does not need to communicate with its C&C server before encrypting files on an infected machine. It is spread mostly via malvertising campaigns which leverage exploit kits, but also through spam campaigns. It is operated by its author as a ransomware-as-a-service; the author recruits affiliates to spread the malware for a share of the ransom payment.
Protecting From and Preventing Ransomware
Proper preparation can dramatically decrease the cost and impact of a ransomware attack. Taking the following steps can reduce an organization’s exposure to ransomware and minimize its impacts:
Malware is often spread using phishing emails. Training users to identify and avoid potential malware attacks is crucial. Since many current cyber-attacks start with a targeted email that does not even contain malware, but only a socially engineered message encouraging the user to click a malicious link, user education is often considered one of the most important defences an organization can deploy.
Ransomware is, by definition, designed to make paying the ransom the only way to restore access to the encrypted data. Automated, protected data backups enable an organization to recover from an attack with minimal data loss and without paying a ransom. Maintaining regular backups as a routine process is an important practice for preventing data loss and for recovering from corruption or disk hardware failure; functional backups are also what allow organizations to recover from ransomware attacks.
Patching is a critical component of defending against ransomware, as cyber-criminals often study newly released patches for the vulnerabilities they fix and then target systems that have not yet applied them. Organizations should therefore ensure that all systems have the latest patches applied, which reduces the number of vulnerabilities an attacker can exploit.
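A backup only helps if it is still intact when you need it. The following is an added example, not code from the original article: it records a SHA-256 manifest of a backup right after the backup runs and later compares the backup volume against that manifest, reporting files that are missing, altered, or that appeared unexpectedly (the usual signs that an encryptor has reached the backup). The directory layout, file contents and the ".locked" suffix used in the demo are all constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup copy against a trusted manifest captured at backup time.

    The manifest must live somewhere the backup host cannot overwrite (offline
    copy or write-once media); otherwise an attacker who reaches the backup
    could rewrite both the files and the manifest.
    """
    current = build_manifest(backup_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(
            p for p in manifest if p in current and current[p] != manifest[p]
        ),
    }


def demo_backup_check() -> dict:
    """Constructed scenario: back up two files, record the manifest, then
    simulate tampering on the backup volume and verify before restoring."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "report.docx").write_bytes(b"quarterly figures (constructed)")
        (live / "notes.txt").write_bytes(b"meeting notes (constructed)")

        shutil.copytree(live, backup)
        manifest = build_manifest(backup)  # captured right after the backup ran

        # Constructed tampering: one file overwritten with non-original bytes,
        # one renamed with a hypothetical ".locked" suffix.
        (backup / "docs" / "report.docx").write_bytes(bytes(range(256)))
        (backup / "notes.txt").rename(backup / "notes.txt.locked")

        return verify_backup(manifest, backup)


if __name__ == "__main__":
    print(demo_backup_check())
```

On a clean backup all three lists come back empty; any non-empty list means that copy should not be trusted for a restore, and an older generation (or the offline copy) should be checked instead.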
Accessing services like RDP with stolen user credentials is a favourite technique of ransomware attackers. The use of strong user authentication can make it harder for an attacker to make use of a guessed or stolen password.
Because it must encrypt all of a user's files, ransomware has a distinctive behavioural fingerprint when running on a system. Specialized anti-ransomware solutions can use this to identify and terminate potentially malicious processes, minimizing the damage caused.
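To make that "fingerprint" concrete, here is an added example (not code from the article or from any product it mentions) of the kind of per-process heuristic a behavioural anti-ransomware agent applies: within a short time window, a process that writes high-entropy content to many distinct files, or renames many files to an unfamiliar extension, scores far higher than a text editor or an archiver touching a single file. The file events, process names, PIDs and the ".locked"/".crypt"/".enc" extension list are all constructed for the demo; a real agent would get these events from a filesystem minifilter or audit hooks and would suspend the process and alert rather than just return a flag.

```python
import math
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FileEvent:
    """One file-write observation (constructed stand-in for an OS hook)."""
    ts: float
    pid: int
    process: str
    path: str
    data: bytes                     # bytes written to the file
    renamed_to: Optional[str] = None


# Hypothetical extensions used in this demo only.
SUSPECT_EXTS = {".locked", ".crypt", ".enc"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious(ev: FileEvent, entropy_threshold: float) -> bool:
    """A write looks encryptor-like if the payload is high entropy or the
    file is renamed to one of the suspect extensions."""
    if shannon_entropy(ev.data) >= entropy_threshold:
        return True
    return bool(ev.renamed_to) and os.path.splitext(ev.renamed_to)[1] in SUSPECT_EXTS


def score_processes(events: List[FileEvent], window_s: float = 10.0,
                    min_files: int = 5, entropy_threshold: float = 7.0) -> dict:
    """Sliding-window count of distinct suspicious files per process.

    Requiring several distinct files is what separates an encryptor from a
    legitimate tool that writes one compressed archive."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)

    verdicts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            hit = {e.path for e in evs[start:end + 1] if is_suspicious(e, entropy_threshold)}
            best = max(best, len(hit))
        verdicts[pid] = {
            "process": evs[0].process,
            "max_suspicious_files_in_window": best,
            "flag": best >= min_files,
        }
    return verdicts


def build_sample_events() -> List[FileEvent]:
    """Constructed telemetry: an editor, an archiver, and an encryptor-like process."""
    low = b"plain meeting notes " * 50          # low entropy (text)
    high = bytes(range(256)) * 4                # entropy exactly 8.0 bits/byte
    events = [
        FileEvent(1.0, 100, "editor.exe", "C:/u/notes.txt", low),
        FileEvent(3.0, 100, "editor.exe", "C:/u/todo.txt", low),
        FileEvent(2.0, 300, "zip.exe", "C:/u/photos.zip", high),   # one archive, benign
    ]
    for i in range(6):                          # many files rewritten and renamed quickly
        p = f"C:/u/docs/file{i}.docx"
        events.append(FileEvent(float(i), 4242, "unknown.exe", p, high, p + ".locked"))
    return events


def demo() -> dict:
    return score_processes(build_sample_events())


if __name__ == "__main__":
    for pid, v in demo().items():
        print(pid, v)
```

The thresholds are deliberately conservative: a single high-entropy write (the archiver) does not trip the detector, while six distinct files rewritten with encrypted-looking content and renamed inside ten seconds do. In production the window, file count and entropy cut-off would be tuned against a baseline of normal activity on the host.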
What to Do When Your System Is Infected by Ransomware?
A ransom message is not something anyone wants to see on their computer, as it reveals that a ransomware infection was successful. At this point, some steps can be taken to respond to an active ransomware infection, and the organization must decide whether or not to pay the ransom.