What is Ransomware, How to Prevent It, and How to Respond If You're Attacked
What is ransomware?
One of the fastest growing cyber threats, ransomware affects businesses in all sectors and has caused missed medical appointments, transportation issues, and more. A high profile recent incident was the attack on Colonial Pipeline in May, which led to gas shortages throughout the northeast.
Ransomware, in simple terms, is malware which encrypts your files and demands payment, often in bitcoin or another cryptocurrency, to release them. This can cause significant downtime, especially if you don't pay the ransom.
History of Ransomware
A lot of people think ransomware originated in Russia. In fact, the first documented attack took place in 1989 and was called the AIDS trojan. It's called that because it targeted AIDS researchers...proving that the healthcare sector has always been a target. However, it wasn't until 2006 or so that ransomware became a common problem. In true technology fashion, the delivery vector is now seen as a dinosaur hardware piece (the floppy disk) and victims were asked to send the money to a P.O. Box.
Ransomware has evolved drastically since then, and can now abuse modern technology at scale to wreak havoc on a larger number of businesses, faster.
The Largest Ransomware Attack
In May 2017, the WannaCry attack happened. Until this year, it was the largest ransomware attack ever, affecting 200,000 computers in 150 countries. In July 2021, it was dethroned by the REvil gang, in a July 4 attack where the gang demanded a total of $70 million to release the decryptor key. The attack closed grocery stores in Sweden, compromised two large Dutch IT services and affected thousands of small businesses...perhaps more than the criminals expected.
How does Ransomware Work?
Ransomware uses asymmetric encryption to encrypt your files. Sophisticated variants may also affect your backup. The criminals will give you the key to decrypt the file, which is not the same as the one that encrypts it, if you pay up. If not, some variants will give a time limit after which it will delete the files.
This is done using a malicious binary that searches for and encrypts valuable files, such as Word documents and databases. Some ransomware executables encrypt your entire drive, locking you out completely. This is called "locker" ransomware and the point is to prevent you from working.
A few other types exist. "Siegeware" affects internet of things devices and can result in hackers being able to impact physical infrastructure. Doxware threatens to leak your sensitive information on the internet, rather than encrypting it.
Fake ransomware also exists. This might take the form of a popup that claims your files are encrypted (in fact, they aren't). The attacker is hoping you won't notice or an email claiming they have your files and will distribute them (they don't).
How Ransomware Infects Computers
For ransomware to do its dirty business, it has to get onto your computer in the first place. It can get into your network in various ways.
The most common way ransomware enters a network is by a spam email attachment. When the victim opens the attachment, the ransomware program is launched and begins its attack on the system. Some variants may also propagate through the network.
Ransomware can also be distributed by social engineering (a "coworker" sends you a link), direct downloads and malvertising (fake ads). In a few cases, ransomware has been introduced to a target by physical means, like a removable USB drive.
Why is Ransomware Spreading?
The issue with ransomware is that it can be incredibly profitable for the criminals. Despite advice from law enforcement, many victims find the easiest solution is to pay the criminals. Needless to say, many experts say you should not do this. Not only can it encourage further attacks, but in some cases you may not even get your files back because they were deleted instead of encrypted, or because the criminals are using some script they found on the dark web that doesn't work properly. A lot of the malware used for ransomware comes from easy kits, and much of it is cross platform.
Why is it So Hard to Find Ransomware Perpetrators?
The FBI has a particularly hard time tracking down these criminals for several reasons.
- They typically use cryptocurrency, which adds a layer of anonymity and makes it hard for investigators to "follow the money." On September 21, 2021 the US Treasury Department's Office of Foreign Assets Control's (OFAC) sanctioned virtual currency exchange SUEX for their role in facilitating ransomware transactions.
- In many cases, the perpetrators are not in the U.S. They tend to hang out in countries, such as Russia and Indonesia, from which they are hard to extradite. In a few cases, such as the Colonial Pipeline attack, state actors have been implicated.
Ransomware plots also tend to pop up, collect their money, and vanish again, making them hard to track and harder to catch. Be aware that the perpetrators may never be caught, but it is still worth reporting it.
What is ransomware-as-a-service (RaaS)?
As already mentioned, much of the money in the ransomware "business" is being made by coders who sell their malware to others. This allows them to decrease the chance of being caught even further.
This has led to a literal ransomware-as-a-service model. The coders sell the malware, for a percentage, to criminals who don't have their technological expertise. They use both subscription models and registration models.
What is Fileless Malware?
Fileless malware is a particularly tricky kind of malware. Instead of tricking you into installing an executable, fileless malware sneaks into legitimate applications. This allows it to hide from traditional antivirus tools and evade whitelisting. Fileless attacks are increasing dramatically. Ransomware of all varieties can be made fileless.
Encrypting Ransomware
Like many fileless malware attacks, encrypting ransomware typically uses something called PowerShell, which hides the ransomware in a malicious document or file. For example, in 2019, an attack used a vector of a malicious Microsoft Word document to slip a VBScript downloader into the startup directory.
Non-Encrypting Ransomware
This type of ransomware displays a large popup and generally makes some grandiose claim. For example, it might claim that the FBI found illegal material on your computer, that you have a virus and need to pay to have it removed (yeah, you do, this is the virus), or that you have illegal software and need to pay for a license.
Exfiltration (Leakware/Doxware)
Exfiltration ransomware, as already mentioned, claims that they have your files and will distribute them publicly if you don't pay up. This is the form of ransomware you should be least tempted to pay up on as likely they either don't have your files...or will distribute them anyway.
Mobile Ransomware
Fileless malware has allowed for an increase in mobile ransomware. Phones and tablets can also be targeted, especially by locker ransomware (the temptation to pay up so you can send and receive texts again is high).
How to Defend Against Ransomware
As we mentioned, the most common source of ransomware is malicious email attachments. So, one of the best defenses is training to ensure that employees know not to open unsolicited attachments and to check through another communication channel whether the person actually sent it. Other means of defense are:
- Secure the top threat vector: email. Adopt an email security solution that automatically scans your inbound and outbound emails for malicious links, attachments and patterns. Inbound email filtering prevents malicious emails from entering your inbox by placing them into quarantine instead. Outbound email filtering protects your mailboxes in case of compromise. It is also important to leverage the use of an email security audit, such as Zix’s Microsoft 365 audit to identify vulnerabilities in an email environment that attackers could compromise.
- Have regular backups, in more than one location, and make sure they're secure. This can allow you to wipe and restore to get rid of ransomware. Check that your backup system doesn't allow direct access to files.
- Use antivirus software and keep it up to date. Always use a firewall.
- Avoid using unsecured networks such as hotel and public Wi-Fi. Use a VPN if you have to.
- Watch for links sent by coworkers that seem out of character, don't respond to texts from strangers, and only download applications from trusted sources.
- Enable and enforce Multi-Factor Authentication (MFA) rather than allowing users to login with just a password.
What Are the Impacts of Ransomware?
Ransomware generally hits a company at two levels. First of all, it can result in data and file loss, especially if good backups are not being kept or if the ransomware got into the backups.
The other huge impact, though, is downtime. The time spent removing the ransomware, during which employees may not be able to work, is the largest impact. Thankfully with common ransomware there are often removal tools available.
7 Steps for Responding to a Ransomware Attack
So, if you do have ransomware, what should you do? Here are some options instead of paying the ransom:
- Immediately disconnect the infected system from the network and shut it down to reduce the risk of the ransomware spreading.
- Disconnect any other devices that are behaving suspiciously or not in use, including off premises devices.
- Audit for recently encrypted files with strange names, reports of odd file names, etc. Isolate and turn off any infected devices. Lock shares.
- Identify the ransomware. Tools like No More Ransom could be helpful here. This site has free tools, including CryptoSherriff, which can identify the variant by scanning an encrypted file. Sometimes the ransom note will tell you which variant it is.
- Report it to the authorities. They can't always catch the perpetrators, but they can try and it will also ensure that you are covered.
- Evaluate backups. If you have complete, uninfected backups, simply restore them. If not, use an antimalware system to remove all traces and then restore.
- Look for a free decryption key. These are distributed by white hats for many popular variants.
In most, but not all cases, these steps can get you your files back.
How Zix Helps You Prevent Ransomware
We love to help protect businesses by providing education. To learn more about ransomware, check out our brand new guide called Ransomware and Beyond: the guide to alleviate ransomware panic. There, you can quiz yourself or your team on ransomware knowledge, and dive deep into the history, origins, and practices for ransomware detection, prevention and response. To stay up-to-date on the latest threats, navigate to our blog. Although we don't remove ransomware, we help prevent it with our security solutions, including email threat protection and 24/7 threat analysis. We can also help with backup and recovery solutions in the event of an attack. Contact Zix to find out how we can help you keep your company safe from this growing threat.