In 1989, Harvard-trained biologist Dr. Joseph Popp sent around 20,000 virus-infected diskettes to participants of the WHO's International AIDS Conference. This was the very first documented example of ransomware, the AIDS Trojan, commonly known as PC Cyborg. After about 90 reboots, the trojan hid the directories and encrypted the file names on the victim's computer. In order to decrypt the file names and see the directories again, the victim had to send a payment. With the advent of the internet, it became very easy to carry Dr. Popp's ransom idea forward and monetize ransomware on a much wider scale.
What is Ransomware?
Ransomware is malicious software that prevents users from accessing their computer files until they pay a ransom to the attackers. In simple words, it is malware that infects a computer, hides the directories, encrypts the files and does not allow users to access them until a ransom is paid for the decryption key. Cyber attackers employ ransomware to restrict access to files on the assumption that those files contain important information and that the users will have no choice but to pay to regain access. The criminals may also threaten to publish the encrypted/blocked files, containing critical information, on the internet for the general public to see. From 2011 onwards, ransomware spread and infected systems worldwide while transforming into ever more sophisticated forms with improved delivery capability. In Q3 2011 about 60,000 new ransomware samples were detected, and by Q3 2012 the figure had risen to over 200,000.
Types of Ransomware
There have been two major types of ransomware, crypto and locker; recently, two more have joined the group: double extortion and ransomware as a service (RaaS).
Locker ransomware:
This type affects basic computer functions and blocks access to the computer system, typically using social engineering techniques to infiltrate it. Once inside, the perpetrators restrict, and in some cases completely block, users from accessing the system until the ransom is paid. Different pop-up messages can appear on the victim's screen, for example: "You have been found visiting unethical sites/content", "Your computer was used to visit websites illegally; in order to unlock your computer, you are required to pay a $150 fine", or "Your computer has been fully hacked. Please click here to resolve the issue."
Crypto ransomware:
This is the most damaging variant: it encrypts the files and data within a system and asks for a ransom in exchange for the decryption key. The latest variants can also infect shared, networked and cloud drives, and spread through emails, websites and even downloads.
Double extortion ransomware:
This is the technique in which cyber attackers infiltrate a system using any method, including phishing, malware, vulnerability exploits, a Remote Desktop Protocol (RDP) server, or stolen credentials. They then steal critical data in addition to encrypting it, so that the threat of publishing the data becomes a second lever for extortion.
Ransomware As A Service (RaaS):
Ransomware as a service (RaaS) is a model in which the architects/developers of ransomware sell it to other hackers for a fee or receive a percentage of successful ransom payments. The fee depends on the ransomware's complexity and features, and one becomes a member by paying an entry fee. After the target computer has been infected and payments collected, a portion of the ransom is paid to the RaaS creator under previously agreed terms. One of the most notorious RaaS programs, in terms of the damage it causes and how readily it spreads, is Ryuk.
How Does Ransomware Work?
The stages of a ransomware attack are:
Stage 1. Infection and Distribution Vectors
Gaining access to a target computer is the first stage, and it can be done in multiple ways. The first method is phishing emails that contain a malicious attachment. The second is drive-by downloading, which occurs when a user unknowingly visits an infected website; the malware is then downloaded and executed without the user's knowledge.
Another popular ransomware infection vector uses services like Remote Desktop Protocol (RDP). An attacker who has managed to obtain or steal someone's login credentials can log in and access the computer remotely. Having gained access, they can simply download the malware and execute it.
Crypto ransomware (the variant that encrypts files) can also spread through the methods mentioned above as well as through social media and instant messaging apps. Other recent methods of ransomware infection include exploiting vulnerable web servers to gain access to an organization's network.
Stage 2. Data Encryption
Because encryption functionality is built into the operating system, soon after gaining access the ransomware starts encrypting files with an attacker-controlled key and replacing the originals with the encrypted versions. The latest ransomware versions can also encrypt only selected files, so that the system keeps running, and delete any backup copies of those files to ensure that decryption is impossible without the key handed over after the ransom is paid.
Different ransomware variants use different methods. For example, Maze scans files, seeks registry information and steals data before encrypting, while the WannaCry ransomware looks for other vulnerable devices to infect and encrypt.
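The encryption stage described above leaves a characteristic trace on disk: original files disappear and random-looking files with a new name or extension appear in their place. The following Python script is an added example for defenders (it is not code from the original article) that detects exactly that signature by comparing two snapshots of a watched directory. The snapshots, the .locked extension and the 7.0 bits-per-byte entropy threshold are all constructed assumptions for the demonstration.

```python
import hashlib
import math
from collections import Counter
from typing import Dict

# Bits per byte above which content looks encrypted or compressed rather than
# like documents or source text (assumed threshold; tune it for your file mix).
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic stand-in for ciphertext, used only to build the sample below."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def detect_mass_encryption(before: Dict[str, bytes], after: Dict[str, bytes],
                           threshold: float = 0.5) -> dict:
    """Compare two snapshots {path: content} of a watched directory.

    The signature looked for: an original file is gone and a new high-entropy
    file whose name extends the original (report.txt -> report.txt.locked) has
    appeared. The result is flagged when that happened to at least `threshold`
    of the files present in the first snapshot.
    """
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    high_entropy_new = {p for p in added if shannon_entropy(after[p]) >= HIGH_ENTROPY}
    replaced = [p for p in removed if any(q.startswith(p) for q in high_entropy_new)]
    ratio = len(replaced) / len(before) if before else 0.0
    return {
        "removed": removed,
        "high_entropy_new": sorted(high_entropy_new),
        "replaced": replaced,
        "ratio": round(ratio, 2),
        "suspicious": ratio >= threshold,
    }


# Constructed sample snapshots (not real files).
BEFORE = {
    "docs/report.txt": b"Quarterly report: revenue up 4 percent.\n" * 50,
    "docs/notes.md": b"# Meeting notes\n- follow up with vendor\n" * 40,
    "docs/plan.csv": b"task,owner,due\npatching,ops,2024-06-01\n" * 40,
}

# After a mass-encryption event: originals gone, .locked copies of random-looking data.
ENCRYPTED_AFTER = {
    "docs/report.txt.locked": pseudo_random_bytes(b"report", 4096),
    "docs/notes.md.locked": pseudo_random_bytes(b"notes", 4096),
    "docs/plan.csv.locked": pseudo_random_bytes(b"plan", 4096),
}

# After ordinary editing: one file changed in place, nothing removed.
BENIGN_AFTER = {**BEFORE, "docs/notes.md": BEFORE["docs/notes.md"] + b"- done\n"}

if __name__ == "__main__":
    for label, after in (("encrypted", ENCRYPTED_AFTER), ("benign", BENIGN_AFTER)):
        print(label, detect_mass_encryption(BEFORE, after))
```

In practice the "before" snapshot would be a periodic inventory (or a set of planted canary files) and the "after" snapshot the current state; the entropy check is what separates an encrypted replacement from an ordinary rename, since edited documents stay far below 7 bits per byte.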
Stage 3. Ransom Demand
After encrypting the files, the ransom is demanded. Different ways can be adopted: a ransom note or message may be displayed or made to pop up on the desktop, or other means may be used. Typically, these messages ask for a set amount of cryptocurrency in exchange for the decryption key. Once the ransom is paid, the attacker is supposed to provide a copy of the decryption key. In certain cases, the attacker does not provide the decryption key even after receiving the ransom.
Impact on Businesses
Extended Downtime/Lost Productivity
Downtime is the time during which an organization experiences less than 100% productivity or a material business interruption. JBS, a Brazilian company, was infected for days and had to shut down its facilities in different countries; its systems became functional again only after it paid a ransom of roughly $11 million in Bitcoin. The average downtime after a ransomware attack has increased from 15 to 22 days. The delay in resuming operations can be due to a lack of documentation: organizations work with antiquated systems for which the documentation is inaccurate or simply non-existent, so IT staff have to improvise response procedures, which may take an unexpectedly long time and may not even be effective. In such a situation, it is recommended to use "Ransomware Recovery Technology", which allows the affected organization to "roll back" to earlier, uninfected versions of critical files.
Sensitive Data Exposure
Almost all ransomware attacks involve a threat to leak the data to outsiders, or to sell it to the highest bidder, if the ransom is not paid. This can be handled in two ways: one, by regularly archiving and deleting obsolete, redundant and stale data in your organization, and two, by restricting employees' access to information on a "need to know" basis.
The Financial Impact – Ransom Payments
The average ransomware payment increased to $570,000 in 2021, and as a result organizations started protecting themselves through cyber-insurance. However, owing to the rise in the ransomware threat, insurance premiums also increased exponentially while coverage decreased. One recommendation for reducing the financial burden is not to pay immediately, as negotiations with cyber-criminals do not necessarily result in restored data, and you may not get your data back even after payment. Reports indicate that only 65% of stolen data was restored after payments were made.
Tarnished Brand Reputation
If cyber-attackers are able to penetrate your systems, your reputation suffers. According to a Forbes report, 46% of organizations suffered damage to their reputation and value after a cyber breach.
Employee and Staff Layoffs
C-level positions (CEO, COO, CFO, CTO, CMO, etc.) are unlikely to be the ones at risk from ransomware; however, other employees can become casualties as organizations seek to regain stability after an attack. According to a study conducted last year, organizations were forced to eliminate jobs following a ransomware attack.
Forced to Close the Businesses
In 2019, the telemarketing firm The Heritage Company was forced to shut down its operations after a ransomware attack, even after making a ransom payment to its attackers. Employees were informed that the 61-year-old firm would suspend activities and that the workforce should seek other employment. In one study, more than 25% of participants reported that such an attack had forced the closure of their organization, at least temporarily.
How to Protect Against a Likely Ransomware Threat?
• Educate and Train Users on Ransomware and Its Response Actions.
Most ransomware attacks come through phishing emails that contain attractive, socially engineered messages and links which tempt users to click immediately. Provide social engineering and phishing training to employees. Educate them not to open unknown or suspicious emails, not to click on unknown links or open attachments in such emails, and to remain very watchful before visiting unknown websites.
• Close Browsers When Not in Use.
Educate people to close the browser when they are not actually using it.
• Continuous Data Backups.
A routine process of regular data backups is another best practice to prevent data loss and to be able to recover data, without paying a ransom, in case something bad happens. It is also useful in case of disk malfunction and similar failures.
• Regular Patching.
Patching is the process of applying updates to software, often required to fix bugs and errors. Attackers will always target systems that have not yet been patched. Organizations need to ensure that their systems have the latest patches to reduce the vulnerabilities available for anyone to exploit.
• User Authentication.
As mentioned above, logging in through RDP services with stolen credentials is a favoured method, which makes strong authentication necessary to make it difficult for an attacker to access the system. Besides this, it is recommended not to provide personal information to unauthorized sources.
• Using Anti-Ransomware Solution.
Deploying anti-ransomware solutions to prevent, detect and recover from a ransomware attack should be a preferred option for all organizations. A number of anti-ransomware kits are available that can help in this regard; however, they must have wide ransomware variant detection capability, fast detection and automatic restoration/recovery.
• Conducting Initial Ransomware Assessments.
Before deciding to pay the ransom, freely available ransomware decryption software may be tried as part of investigating the attack.
• Maintaining Consistent Operational Effectiveness.
Frequent exercises and tests to check for vulnerabilities and unpatched areas will be beneficial. It must also be ensured that the incident response processes and procedures do not themselves depend on IT systems that are affected by the ransomware attack.
• Implementing the Principle of Least Privilege.
Reduce the number of privileged accounts, restrict permissions and deny unauthorized access to devices, while strengthening authentication logging and making sure that the logs are not deleted. Keep an eye on unauthorized access and keep security staff informed about unusual logins and failed attempts.
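The monitoring the above bullet asks for (unusual logins, failed attempts, and logs that must not be deleted) can be automated over authentication logs. The following Python script is an added example, not code from the original article: it reads constructed, one-line renderings of Windows Security events (4625 failed logon, 4624 successful logon, 1102 audit log cleared; logon type 10 is RDP) and raises alerts for a burst of failures from one source, an RDP logon from that same source afterwards, and any clearing of the audit log. The line format, the five-failures-in-two-minutes threshold and the sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Windows Security event IDs referenced: 4625 = failed logon, 4624 = successful
# logon, 1102 = audit log cleared; logon type 10 = RemoteInteractive (RDP).
# The one-line layout below is a constructed export format for this example,
# not the real event-log XML.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) User=(?P<user>\S+) "
    r"Source=(?P<src>\S+) LogonType=(?P<ltype>\d+)$"
)
FAIL_THRESHOLD = 5             # failed logons from one source ...
WINDOW = timedelta(minutes=2)  # ... within this window trigger an alert


def parse_event(line: str) -> Optional[Dict]:
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["event"] = int(ev["event"])
    ev["ltype"] = int(ev["ltype"])
    return ev


def analyze(lines: List[str]) -> List[Dict]:
    """Return alerts for failed-logon bursts, RDP logons that follow such a
    burst from the same source, and audit-log clearing."""
    alerts: List[Dict] = []
    recent_failures = defaultdict(deque)  # source -> timestamps of recent 4625s
    bursting = set()                      # sources that already crossed the threshold
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, src, user = ev["ts"], ev["src"], ev["user"]
        if ev["event"] == 1102:
            alerts.append({"kind": "audit_log_cleared", "ts": ts, "src": src, "user": user})
        elif ev["event"] == 4625:
            q = recent_failures[src]
            q.append(ts)
            while ts - q[0] > WINDOW:     # drop failures older than the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and src not in bursting:
                bursting.add(src)
                alerts.append({"kind": "failed_logon_burst", "ts": ts, "src": src,
                               "user": user, "failures": len(q)})
        elif ev["event"] == 4624 and ev["ltype"] == 10 and src in bursting:
            alerts.append({"kind": "logon_after_burst", "ts": ts, "src": src, "user": user})
    return alerts


# Constructed sample log (documentation-range IP addresses, invented users).
SAMPLE_LOG = """\
2024-03-01T02:14:07Z EventID=4625 User=administrator Source=203.0.113.45 LogonType=10
2024-03-01T02:14:09Z EventID=4625 User=administrator Source=203.0.113.45 LogonType=10
2024-03-01T02:14:12Z EventID=4625 User=admin Source=203.0.113.45 LogonType=10
2024-03-01T02:14:15Z EventID=4625 User=backup Source=203.0.113.45 LogonType=10
2024-03-01T02:14:18Z EventID=4625 User=jsmith Source=203.0.113.45 LogonType=10
2024-03-01T02:14:30Z EventID=4625 User=asmith Source=198.51.100.7 LogonType=10
2024-03-01T02:15:02Z EventID=4624 User=jsmith Source=203.0.113.45 LogonType=10
2024-03-01T02:20:44Z EventID=1102 User=jsmith Source=- LogonType=0
2024-03-01T09:00:00Z EventID=4624 User=asmith Source=10.0.0.12 LogonType=2
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

A single failed logon from a different address produces nothing, which keeps the alert volume manageable; the logon-after-burst and audit-log-cleared alerts are the ones that should page someone, because together they describe a credential that has just started working and a trail that someone is trying to erase.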
What to do in case of an Active Ransomware Infection?
Most likely, you will only come to know that your machine has been infected after it has encrypted your files and data, and you might even have received a ransom note on your screen. At this stage, you may not be able to decrypt your files; however, a few steps must be taken immediately to contain the spread to other machines on the network. The following steps need to be taken:
Determine which systems are impacted.
Systems that have been affected must be isolated so that they do not infect others; this minimizes the loss and damage to the environment.
Isolate/Quarantine the Machine.
Since ransomware spreads rapidly over the network, all affected systems must be disconnected. Cutting network access, or hibernating the computer and disconnecting it from the network, followed by reaching out to an IT professional, are the preferred choices, as opposed to shutting it down completely.
Do not Switch Off / Reboot the Computer.
While you might have received the ransom message, file encryption may still be in progress; hence, switching off your machine can result in the loss of volatile memory. Likewise, if the machine is partially encrypted and stuck due to an error, rebooting will allow the malware to finish its job. Do not reboot.
System Restoration Priority.
If more than one system is affected, as a rule of thumb, restore first the ones that can be returned to normal faster, or prioritize based on productivity and revenue impact.
Eradicate the threat from the network.
A detailed root-cause analysis must be carried out by an expert, who should review all logs to identify the vulnerabilities in the network and prevent recurrence, as it is very common to be targeted again.
Backups are Critical (Before receiving any warning for ransom).
Some ransomware variants can be decrypted without paying the ransom; hence, making a copy of the encrypted files on an external drive is a good option in case a failed decryption attempt damages the files or a solution becomes available in the future. However, do not run backups during an attack, as that increases the possibility of duplicating the ransomware itself.
Before paying the ransom, check for Decryptors.
Before paying the ransom, you must check with the "No More Ransom Project" to see if a free decryptor is available; it can be tried to restore what was encrypted.
Before paying the ransom, digital forensic experts may also be contacted to recover copies of files that the computer sometimes makes and stores on the system and which might not have been touched by the malware.
Clean Up the Machine.
Clean up the machine, or wipe the operating system and reinstall it, to ensure complete removal of the malware.
Ransomware has evolved significantly and is now among the world's most damaging cyberthreats. In order to counter this menace, it is imperative to stay abreast of the latest malware strains. There are sites where one can find good tips and handy PC tricks that help prevent such malware attacks.