What is Ransomware?
Ransomware is malicious code that is implanted in an application, computer or network and allows a hacker to either take control of sensitive or critical information that is saved OR take over control of the administrative capabilities of the server, network or computer. The hacker then uses their control to hold the data for ransom, demanding payment from the owner for the data’s release.
All successful ransomware has one thing in common – a delivery message that convinces the victim to pay the ransom. Cyber-psychologist, Dr. Lee Haddington, suggests that these screens rely on common social engineering techniques such as urgency (“pay up before I raise the price of the key”), fear (“if you don’t pay, you’ll never see your data again”), authority (“pay because I said you have to”) and sometimes helpfulness (“let me know if you need help making the payment”).(1)
Ransomware is Evolving
Two thousand nineteen has brought a shift in ransomware targets. As individuals rely on mobile devices more and more, the probability that their data is automatically backed up to a cloud drive reduces the likelihood that they would need to pay a ransom to restore data access. Hackers have shifted to target organizations instead. Attacks on large enterprises accounted for 81% of ransomware attacks in 2018.(2)
This change in strategy has been accompanied by new ransomware programs that are more targeted and better implemented. Technological advances have provided attackers more leeway to ensure that they hit their mark, leaving businesses with little recourse. In the past, healthcare and finance have been the most targeted due to the disastrous results that can happen with forced downtime. Recently, hackers have directed their focus to a common problem — slim government budgets which leave the IT department to make due with old hardware and out-dated software that is no match for their technical know-how. U.S. government systems have been in the crosshairs as well as local governments. Multiple municipalities in Florida, Georgia and Texas have been hit, as well as a large attack on the City of Baltimore in Maryland.
New Influences in Ransomware
Although security companies have devised strategies to protect against earlier versions of ransomware, technology is constantly evolving, providing hackers with new opportunities for devising new ways to steal. The following technological innovations have converged in the last few years, contributing to more targeted ransomware and escalating malevolence.
Money is always a driving factor in crime. The growth of bitcoin has handed criminals a perfect opportunity to anonymously take payment from ransomware victims, while also increasing difficulty for law enforcement to follow their trail. In addition to anonymity, bitcoin transactions are publicly documented — making it easy for criminals to confirm payments without sharing any personal information. Bitcoins are not tied to a bank or country of origin. Anyone can buy them from anywhere in the world, with just a credit or debit card, rendering currency exchange also unnecessary.
Typical malware downloads and stores malicious files on your computer’s hard drive. Fileless malware is a new type of malware that operates without copying files to the computer’s hard drive. When launched, the code turns legitimate system administration tools against you — tools that are built into the Windows operating system and are often required for normal business operations. These tools continue to run while also executing malicious actions.
Most antivirus systems screen for malware by scanning files and looking for malware signatures. Since this type of malware is embedded directly into the OS kernel, there is no signature for the antivirus software to detect, the attacker’s footprint is reduced and the file is much harder to uncover. This evasion strategy is part of what makes fileless malware so dangerous – very few systems scan at the level required to detect it.
Web robots run automated tasks on the Internet. They are pervasive because they are legal, difficult to detect and often used for legitimate business tasks. However, malicious bots account for about 20% of all Internet traffic (3) and are a very common way to instigate social media attacks. They can initiate harmful actions including stealing data, launching Denial of Service (DDoS) attacks, cyber espionage, and infecting systems with malware.
Mobile Devices and Cloud Computing
The explosion of mobile devices and cloud computing is exponentially increasing attack surfaces, meaning the area to scan and protect is also increasing at an unprecedented pace. With so many more devices and storage areas to monitor, it’s easier for malicious payloads to lie undetected or hide in the shadows and persist in their dirty work.
Internet of Things (IOT) Devices
The race to market is real and the benefits of being first cannot be overstated; however the results of this drive often mean new technology is released before full security review and testing are complete. With limited government security requirements, many companies treat security as optional, leaving billions of devices open to hacking.
Devices with an Internet connection, like smart home hubs, connected appliances (e.g., thermostat) and cars, can be infiltrated and hacked to take control of and hold homes or vehicles for ransom. Increasingly, connected medical devices can leave someone’s health at risk of a hacker’s control. The manufacturing sector is at risk with increased adoption of internet-connected robots. Office devices like printers and external hard drives can be used to infiltrate a network and move laterally to more sensitive systems and information.
Backup Targeting Ransomware
To undermine backup solutions that companies use to protect themselves from ransomware, hackers are now building malware that not only encrypts work files, but also attacks backups. With their backups compromised or deleted, victims are more likely to pay the ransom. Ryuk, Robinhood and Anatova are some more recent types of malware that target backup files in addition to encryption.
“Fines” and Sexploitation
Phishing emails that demand a ransom are a type of ransomware. They may not encrypt your files and hold them hostage, but they do hold the victim hostage to the threat of exposure. These messages sometimes claim that the hacker has found pornographic material on your computer and demand a ransom to remove it without exposing you. Other scams may try to impersonate law enforcement or tax collection services in an effort to avoid detection. The result is the same — pay a “fine” for your misbehavior or suffer the consequences.
How Can You Get Infected?
There are a number of ways for the malicious code to end up on your computer or network. Once a download is triggered, the transfer is often designed to happen in the background, without the recipient’s knowledge or notice. Based on the ransomware’s design, the file can install itself on the user’s computer or on a network. There are quite a few ransomware attack vectors, and hackers are constantly devising new ones.
Malicious email messages are still the most common and abundant means of accidentally downloading ransomware. The messages may be mass targeted phishing scams or individual spear phishing messages. The email will have an attachment or link that downloads and installs a malicious file when clicked.
Ransomware initiated from social media can be triggered by a link or attachment (e.g., photo) in a post, instant message or comment. These traps can be particularly tricky to spot because they often react as expected while also downloading malware in the background without the user’s notice.
Website – Driveby
Drive-by ransomware attacks occur when a user visits a booby-trapped website. A hacker will have either set up a malicious website, or hijacked a legitimate website, and set it to automatically install malware on visitor’s systems. Sometimes the user authorizes the download without understanding the consequences, but like with social media, the download can also be set to occur automatically, without the user’s knowledge or notice.
Website – Redirect
Redirection happens when a legitimate website has been hijacked. Background code has been added that makes it appear that a link opens the expected, legitimate website when actually the visitor is sent to another — malicious — website. The user may or may not notice, and malware can be set to automatically install.
Attached external devices that interact with your computer system can also take advantage of their connections to install malware. Devices like a USB drive or external hard drive are particularly risky, although keyboards, printers, mice and other peripherals can also cause problems. Even some charging cords have shown up with malware.
Keeping systems updated is a major component of reducing risk, and the main way to update functionality and security is to download and install patches to the current computer code. However, a system can be left open to a malware download via a patch that contains malicious code.
Preventing A Ransomware Attack
Best practices for preventing a ransomware attack address both humans and technology. One without the other will leave your IT infrastructure with undue risk.
Train All Staff
Training is the most effective way to combat the risks of downloading ransomware, from phishing emails, social media, etc. Teach all employees how to spot suspicious messages, dangerous websites and questionable links and attachments. If they know what to look for, they are more likely to ignore their sense of curiosity, as well as risky links and attachments, and recognize false claims that should be reported.
Backup Everything and Protect Your Backups
The more barriers there are between your daily-use system and your backups, the better protected you will be. Having a reliable backup and tested restoration procedure is your best chance of restoring your data and getting your business up and running again. Experts recommend maintaining multiple backup copies, with at least one kept off-site. Putting a backup copy in a bank vault every 6-12 months is a great strategy. In addition, set permissions so that your backup files have different authentication requirements and cannot be modified or deleted, and periodically test them to restore data.
Create An Incident Response and Recovery Plan (IR)
An essential component of any IT security program is to document measures beforehand that the organization will take to reduce the impact of a cybersecurity attack. The plan should outline details like roles and responsibilities, lines of communication, terms of escalation and response procedures, noting any details specific to the type of situation. The U.S.’s National Institute for Standards and Technology (NIST) has a Computer Security Handling Guide that is a good place to get ideas or a template if your organization has not yet drafted its own version.
What If You Get Attacked By Ransomware?
If you receive a ransomware demand message, the first step is to contact your IT department. They should have an incident response plan with directions for dealing with a malware or ransomware attack. Since there are multiple types of ransomware, they will be able to determine what type you have (actual encryption ransomware, screen-locking or just a fake message), and the best way to deal with it. Recognizing and not responding to these tactics is one step towards protecting yourself and your organization.
Once the IT staff has evaluated the situation, if necessary they will take you through disconnecting your machine and peripherals from both wired and wireless networks and then removing the ransomware. The most destructive types of ransomware can infect a computer or network and lie in wait for days, weeks or even months before deploying. Hidden copies on other machines and timers or lateral expansion settings can complicate the removal process. Therefore it is critical for someone with training to evaluate the problem before attempting decryption or removal.
If you do suffer an attack, security experts still advise NOT to pay the ransom. It may seem to be the quickest and easiest solution, but there are numerous instances of authentication keys that did not work, leaving the victim out the cash and still without their data.
What Can You Do?
Learn more about organizational security and how GLS’s Anti-Phishing Simulation Tool can help.
And as part of our Human Firewall 2.0 security awareness program, Global Learning Systems offers a wide array of courses for the prevention of phishing:
1 Townsend, Kevin. (2017, July 24). Researcher Analyzes Psychology of Ransomware Splash Screens. Retrieved from https://www.securityweek.com/researcher-analyzes-psychology-ransomware-splash-screens
2 Symantec Corporation. (2019, February). ISTR: Internet Security Threat Report Vol. 24. Retrieved from https://www.symantec.com/security-center/threat-report
3 Gralla, Preston. (2019, May 22). Malicious Bot Attacks: Why They’re More Dangerous than Ever. Retrieved from https://www.symantec.com/blogs/feature-stories/malicious-bot-attacks-why-theyre-more-dangerous-ever
1 McLellan, Charles. (2017, June 1). Cybersecurity in an IoT and mobile world: The key trends. Retrieved from https://www.zdnet.com/article/cybersecurity-in-an-iot-and-mobile-world-the-key-trends/
2 McAfee Labs. (2018, December). McAfee Labs Threats Report. Retrieved from https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-dec-2018.pdf
3 Homeland Security Today. (2019, August 7). FBI Warns of Banking Trojan That Eludes Antivirus as Fileless Malware Attacks Rise. Retrieved from https://www.hstoday.us/subject-matter-areas/cybersecurity/fbi-warns-of-banking-trojan-as-fileless-malware-attacks-on-the-rise/