Ransomware is a type of malicious software cyber criminals use to block you from accessing your own data. The digital extortionists encrypt the files on your system, typically append a new extension to the attacked files, and hold them “hostage” until the demanded ransom is paid. After the initial infection, the ransomware may attempt to spread throughout your network to shared drives, servers, attached computers, writable backup targets and other accessible systems. If the ransom demands are not met within the cyber crooks’ timeframe, the system or encrypted data remains unavailable, or the software may delete your data and the decryption key may be destroyed. So to answer the question, “What is Ransomware?” Ransomware is a potential nightmare for unprepared IT administrators.
How Ransomware Works
Ransomware enters your network in a variety of ways; the most common is a download via a spam email attachment, which launches the ransomware program that attacks your system. Other entry points include social engineering, downloads from the web (direct from a site or by clicking on “malvertising,” fake ads that unleash the ransomware), chat messages, and even removable USB drives.
Typically, the software is introduced to your network as an executable file that arrived in a zip archive or was disguised as a fax or other plausible attachment. Once run, it encrypts your data, adds an extension to your files and makes them inaccessible. Two delivery methods need no download step at all. “Drive-by” attacks infect a system through vulnerabilities in the browser or its plugins the moment a victim visits a booby-trapped page. More sophisticated versions propagate themselves: worm-capable strains scan for and exploit vulnerable machines across the network without any human action (WannaCry, described below, is the best-known case).
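The attachment pattern described above (an executable inside a zip, named to look like a fax or scanned document) is easy to catch at the mail gateway if you look at both the name and the bytes. The following is an added example written for this article, not code from the page’s author or from any product; the extension lists, the sample archive and the file names in it are constructed assumptions.

```python
"""Triage an e-mail attachment for the delivery pattern described above: an
executable hidden inside a zip and disguised as a fax or invoice.
Added example for this article; the file names and sample bytes are constructed."""
import io
import zipfile

# Extensions Windows will run on double-click (assumption: a representative
# list, not an exhaustive one).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".msi"}
# Office formats that carry macros.
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"


def classify_name(path):
    """Reasons a file name looks dangerous; empty list if none."""
    base = path.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        # "fax_scan.pdf.exe": a decoy document extension before the real one.
        if len(parts) > 2 and "." + parts[-2] not in EXECUTABLE_EXTS:
            reasons.append("double extension disguises an executable as a document")
    if ext in MACRO_EXTS:
        reasons.append("macro-enabled Office document " + ext)
    return reasons


def classify_content(data):
    """Reasons the bytes look dangerous regardless of the name."""
    return ["content is a Windows PE executable (MZ header)"] if data[:2] == PE_MAGIC else []


def triage_attachment(path, data, depth=0, max_depth=3):
    """Return [(member_path, [reasons]), ...], descending into nested zips."""
    findings = []
    reasons = classify_name(path) + classify_content(data)
    if reasons:
        findings.append((path, reasons))
    if data[:4] == ZIP_MAGIC and depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_path = path + "/" + info.filename
                if info.flag_bits & 0x1:
                    # Password-protected members cannot be inspected; attackers use
                    # this to defeat gateway scanning, so treat it as a finding.
                    findings.append((member_path, ["encrypted zip member, content not inspectable"]))
                    continue
                findings.extend(triage_attachment(member_path, zf.read(info), depth + 1, max_depth))
    return findings


def build_sample_attachment():
    """Constructed: a zip holding a fake PDF scan that is really a PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("fax_scan.pdf.exe", PE_MAGIC + b"\x90" * 62 + b"\x00" * 64)
        zf.writestr("cover_letter.txt", b"Please see the attached fax.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_attachment("Fax_2017_03_21.zip", build_sample_attachment()):
        print(member, "->", "; ".join(why))
```

Name checks alone are not enough (Windows hides known extensions by default, which is exactly why “fax.pdf.exe” works on users), so the content check on the MZ header catches an executable whatever it is called; the nesting limit keeps a deliberately deep archive from tying up the scanner.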
The FBI estimates that 4,000 ransomware attacks are launched every day; other estimates put it at one attack every 40 seconds.
1. The WanaCrypt0r (WannaCry) incident in May 2017 is estimated to have infected over 200,000 systems in 70 countries in just a few days.
2. More than 97% of phishing emails sent in 2016 contained ransomware.
3. Industry estimates put the cost of ransomware to companies at more than $3 billion in 2016 (https://infonews.bid/index.php/2017/03/21/ransomware-cost-companies-3-billion-in-2016/).
4. 60% of small businesses have been hit by ransomware.
5. The disruption is massive: 63% of those hit said their systems were down for more than a day.
6. According to IBM X-Force’s ransomware report, 70% of businesses that were infected paid the ransom.
7. Computer Weekly reports that 40% of spam now contains ransomware.
8. Only 4% of organizations feel “very confident” in their ability to stop ransomware.
9. Downtime cost US businesses $700 billion in revenue in 2016.
10. CBROnline states that 28% of companies lost files because they did not pay the ransom.
Without paying for the key, it is very difficult to decrypt files after an attack; the exceptions are strains whose keys have been released (by the authors giving up or by a rival, as two entries below show) or whose cryptography was implemented badly enough for researchers to build a free decryptor. Do not count on either. A good, tested backup eliminates the need to give in to ransomware demands.
While there are thousands of variants, each with many iterations, Tripwire ranks the 10 most popular strains of ransomware:
CryptoWall was first detected in 2014. Thanks to its sophisticated design, it still has impact as a persistent threat.
SamSam, unlike most strains, does not rely on phishing: its operators scan for vulnerable internet-facing servers, gain a foothold there, and then move through the network encrypting data along the way.
Jigsaw is particularly cruel: it gives victims 24 hours to pay up or it starts deleting files, in increasing volumes every hour. After 72 hours of non-payment, the remaining files are deleted.
Chimera uses peer-to-peer messaging to generate its encryption key and invites victims to join its “affiliate” program. Its impact was hampered by a rival ransomware vendor: the Petya/Mischa operators dumped 3,500 Chimera decryption keys online so that victims could unlock their files.
Petya/Mischa was launched as a ransomware-as-a-service (RaaS) model. The installer asks for administrator privileges and, if they are granted, drops Petya, which needs those rights to overwrite the boot record; if the user refuses the privilege prompt, it falls back to installing Mischa, which encrypts individual files from an ordinary user account.
This RaaS platform earns its operators about $1 million annually from affiliate sales alone. It is offered in 12 languages and some versions even have a spoken ransom note.
This program customizes the ransom note with the user’s name, birthday, location, social media account information and more, and threatens to publish all of the captured information unless payment demands are met.
HDDCryptor encrypts files on mounted drives and also attacks network shares the machine had previously connected to. It hijacks the boot process so that only the ransom note is visible at start-up.
This ransomware was spread through spam campaigns, but its developers abandoned the project and the master decryption key is now available for free online.
This ransomware gained notoriety by infecting Hollywood Presbyterian Medical Center in California and collecting a large ransom. It has gone through several iterations and used unusual distribution channels such as images sent through Facebook Messenger and fake Flash Player update websites.
The most recent variants include:
1. WannaCry, which infected over 200,000 systems within days of its May 2017 release. This malware contains a worm component: it scans for machines on both its local network and the internet and attempts to compromise each one it finds through the same SMBv1 vulnerability (exploited by EternalBlue, patched by Microsoft in MS17-010).
2. Havoc is a program that uses both symmetric and asymmetric cryptography to encrypt its targeted files (the usual arrangement: fast symmetric encryption of file contents, with the symmetric key itself encrypted under the attacker’s public key, so only the attacker’s private key can unlock it).
3. Satan is offered as RaaS and promoted as a free ransomware kit that requires only a simple registration. Satan targets 131 file types and appends a .stn extension to encrypted files. The distributor gets 70% of any ransom paid and the developer 30%.
4. VxLock targets files and appends the extension .vxlock to each encrypted file.
5. LataRebo Locker prevents victims from using their computers by displaying a large image containing the ransom note. It adds entries to the Windows Registry so that it relaunches whenever the operating system starts.
6. Philadelphia is a RaaS program sold to prospective cyber criminals. The software is customizable and includes tips on how to launch successful “campaigns.”
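The worm behaviour in item 1 is visible on the wire as one host opening TCP/445 to many neighbours in quick succession, which is the pattern firewall and flow logs let you catch before the encryption starts. The following is an added example written for this article, not code from the page’s author or from any vendor; the log format, every address in it, and the threshold of 20 distinct targets within a 60-second window are constructed assumptions.

```python
"""Detect worm-style SMB sweeps in connection logs: one source opening
TCP/445 to many distinct hosts inside a short window, the propagation
pattern of the worm component described above. Added example; the log
format and every address in it are constructed for this article."""
from collections import Counter, defaultdict
from datetime import datetime, timezone


def parse_line(line):
    """Parse 'ISO-timestamp src dst dport action' (constructed format)."""
    ts, src, dst, dport, action = line.split()
    epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
    return {"ts": epoch, "src": src, "dst": dst, "dport": int(dport), "action": action}


def smb_scanners(records, window=60.0, min_targets=20):
    """Return {src: peak distinct 445 targets} for sources that reach the
    threshold within any sliding window of `window` seconds. Denied attempts
    count too: a sweep that is mostly refused is still a sweep."""
    by_src = defaultdict(list)
    for r in records:
        if r["dport"] == 445:
            by_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # dst -> hits currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:   # slide the left edge forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed log: normal file-server use plus one host sweeping the /24 on 445."""
    lines = []
    base = datetime(2017, 5, 12, 10, 0, 0)
    # Legitimate client reconnecting to the file server a few times.
    for i in range(5):
        t = base.replace(second=i * 10)
        lines.append(f"{t.isoformat()} 10.0.0.5 10.0.0.10 445 ALLOW")
    # Same client browsing the intranet over HTTP (ignored: not port 445).
    lines.append(f"{base.isoformat()} 10.0.0.5 10.0.0.11 80 ALLOW")
    # Infected host: 50 distinct targets on 445 within 25 seconds, mostly refused.
    for i in range(1, 51):
        t = base.replace(second=i // 2, microsecond=(i % 2) * 500000)
        action = "ALLOW" if i % 10 == 0 else "DENY"
        lines.append(f"{t.isoformat()} 10.0.0.15 10.0.0.{100 + i} 445 {action}")
    return lines


def detect(lines, **kwargs):
    """Parse raw lines and run the detector."""
    return smb_scanners([parse_line(l) for l in lines], **kwargs)


if __name__ == "__main__":
    print(detect(build_sample_log()))   # {'10.0.0.15': 50}
```

A flagged source is a machine to isolate immediately. The longer-term fix is the one the patching advice below describes: apply MS17-010, disable SMBv1, and block port 445 between workstation subnets and from the internet, so a single infected host has nowhere to spread.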
Historically, one of the more prevalent attack programs was Cryptolocker, but what is Cryptolocker?
CryptoLocker is a ransomware family first discovered in 2013. Once considered one of the most successfully distributed strains, its spread was curtailed in 2014 when law enforcement and security researchers (Operation Tovar) took down the Gameover ZeuS botnet that served as its main distribution channel.
Is CryptoLocker still a Threat?
Despite the success in thwarting the original delivery method, new iterations of CryptoLocker keep rearing their ugly heads: CryptoLockerEU and CryptON are both active and have been found to reuse code from the original.
Infosecurity reported that, as part of the effort to propagate ransomware, phishing volumes increased eightfold in 2016.
Email spam grew by 65% in 2016, and 40% of those emails carried ransomware. In 2016 there were nearly 1 million phishing sites hosted on more than 170,000 domains, which were also used to send out malicious phishing emails.
Ransomware attackers are honing their distribution plans to hit organizations that are more likely to pay ransoms, such as healthcare, government, education, and small businesses.
How to defend against ransomware
Whether you need to know how to defend against CryptoLocker or any of the other 4,000 daily attacks, the first component of the solution is to warn co-workers against opening suspicious file attachments. Awareness won’t prevent all attacks, but it will help. It is also critical to ensure that your servers and workstations are patched regularly, because many of the security gaps ransomware exploits are closed by the latest Microsoft patches: the SMBv1 flaw WannaCry used had been fixed in MS17-010 two months before the outbreak, and the systems that fell were the ones that had not applied it. Failing to stay up to date can cause major issues down the line. No matter what, you have to prepare to be hit. So it’s critical that you have not only backups, but secure, tested backups and a well-documented, secure disaster recovery plan for the case where the attack is pervasive. On the data protection side of things, keep these 5 components in mind:
Use backup! Follow the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored off-site. If you do get hit by ransomware you’ll have a way out. Consider keeping one copy offline or otherwise unreachable from production (tape or rotated removable media), because ransomware that spreads to shared drives will also encrypt any backup target it can write to; the trade-off is that recovery from offline backups takes longer and they are harder to test.
Ransomware predominantly targets the Windows OS. Backup systems can require many role-based instances for centralized management, data movement, reporting, search and analytics, and securing all those machines can be complex. Lock each of them down to do only what it is required to do, and nothing more. Newer solutions based on integrated backup appliances typically remove that complexity and come hardened from the factory, so security can be far simpler in those architectures.
Test the viability of your backup and disaster recovery strategy regularly. Many factors can affect recovery, including backups taken of machines that already contained ransomware; a restore test is what tells you which snapshot is actually clean. Test automation is becoming a trend in the data management and data protection industry, and it is important to use those features as security threats become more impactful to IT.
Early ransomware detection means faster recovery. More backup vendors are starting to use predictive analytics and machine learning to recognize possible attacks and alert administrators to abnormal fluctuations in the data as backups are ingested: a sudden spike in changed files, changed files whose content has become random-looking (encrypted), or mass renaming with a new extension.
If you have effectively backed up your data and tested its recoverability, you will be ready to roll your network back to a safe restore point and avoid downtime, data loss and lost revenue.
Ransomware attacks have been ferocious. If you haven’t been attacked yet, it’s not a matter of if, but when. Be prepared with Unitrends’ exhaustive line of defense.