Avoid ransomware attacks

Who Is at Risk?

Technically, everyone is at risk from ransomware attacks. The more sophisticated attacks tend to be more costly and to target larger organizations with greater financial resources. Not all ransomware attacks are targeted, though: some attackers use a carpet-bombing approach to infect as many people as possible.

Ransomware poses a serious threat to both users and organizations.

7 Ransomware Types You Must Know

Attackers are constantly developing new ransomware and delivering it through various attack vectors such as malvertising and peer-to-peer file transfer.

Ransomware attacks do not have to be complex to be successful. WannaCry and NotPetya spread through a well-known vulnerability, and they were extremely effective.

And now there is even Ransomware-as-a-Service, where hackers sell their malware to other cybercriminals, increasing the frequency and reach of ransomware. Ransomware authors can recruit anyone to sign up, and both parties share a portion of the profits.

These are just a few of the many types of ransomware in circulation. Here is more detail on how they work.

Encryption

Encryption ransomware is the most common type of ransomware. CryptoLocker and CryptoWall have a reputation for being strong encryption ransomware. Encryption is the process of making data unreadable without the right key, so to decrypt the data you need that key. There are two kinds of key: symmetric keys and public (asymmetric) keys.

Symmetric keys

Symmetric-key algorithms include Rivest Cipher 4 (RC4), the Advanced Encryption Standard (AES), and the Data Encryption Standard (DES). With symmetric-key encryption the same key is used for both encryption and decryption, so the key must be kept secret by both parties for the scheme to work.

Public Keys (Asymmetric Keys)

Rivest, Shamir, and Adleman's famous RSA algorithm uses two different keys: a public key that anyone can access and a private key that only you control.

Breaking Encryption

Brute-force cracking, trying every possible key until the right one is found, takes anywhere from a couple of hours for a small 20-bit symmetric key to millions of years for a 128-bit key.

In theory, both public and symmetric keys could be cracked by brute force, but it's not something you can bank on. Modern encryption is too strong for even the fastest computers.

The chances of brute-forcing the encryption on ransomware-hit files are very slim, if not nil.

Deletion

With deletion ransomware, attackers threaten and warn that any attempt to decrypt the files will result in an "irrevocable loss of your data," and that if you don't pay, the files get deleted. Gpcode and FileCoder are two well-known examples of data-deletion ransomware.

Pro tip: Files "deleted by ransomware" may not actually have been overwritten on disk. You should always restore from backup, but if you have no backups and need to retrieve your files, you may be able to recover them from the disk.

Locking

Hackers have created fake login screens and HTML pages to trick you into believing that the police are after you. To make removal harder, they may also disable keyboard shortcuts. Winlock and Urausy are two examples.

Pro tip: Any pop-up asking for money is a scam.

Mobile Ransomware

Ransomware has been so effective on PCs that attackers have created versions for mobile platforms. These are mostly locking varieties, as it is not practical to encrypt a mobile device that has not been backed up.

How to Respond to Ransomware Attacks

These steps will help you manage and contain an active ransomware attack.

1. Isolate infected systems

The first step in managing a ransomware outbreak is to isolate infected systems from all other networks. Turn off the infected systems, disconnect the network cable, and turn off Wi-Fi. Infected systems must be isolated from all other computers and storage devices.

2. Identification

Next, determine what type of malware infected your computers. An outside consultant, an incident response team, or your IT organization can identify which strain of ransomware is involved and plan the best course of action.

3. Involve the authorities

Depending on its impact and the applicable regulations, it may be necessary to report the incident to the FBI or another government agency. In 2016 the FBI issued a PSA asking victims to report ransomware incidents in order to improve its understanding of, and ability to respond to, ransomware attacks.

4. Remove the malware

To prevent further damage and further spread, remove the malware from the infected systems.

Once the attack is contained, you can begin recovery. You could pay the ransom and hope the attackers are honest thieves who hand over the keys to decrypt your data, but it is best to restore from the latest backup, assuming a good backup exists.

Do You Have to Pay the Ransom?

No. In most cases you shouldn't have to pay the ransom. Ransomware prevention and the availability of backup and recovery options are my top priorities: if you protect your data now, you won't have to pay a ransom later.

The issue is more complex if you are reading this article after the fact.

Is cyber insurance available to cover ransomware attacks? Is it possible to buy bitcoins in time to pay the ransom? Are there backups of the systems under attack? Is the data mission-critical? These are just a few of the questions organizations may need to answer before deciding whether to pay the ransom.

Before You Consider Paying

Here are some things to consider before making a pay/don't-pay decision.

Review Your Cyber Insurance Policy

Cyber insurance is a relatively recent product that can help cover the costs of managing a data breach or other cybersecurity incident. It can be used to cover and manage costs such as:

  • Notifying affected parties and customers in the event of a data breach
  • Compensation of affected parties and restoration of identities
  • Recovering compromised data
  • Rebuilding computer systems

Cooperate with Law Enforcement

Officially, the FBI does not recommend paying the ransom, but this doesn't mean they won't recommend paying if you approach law enforcement.

If law enforcement is called in, they will have the expertise and insight to help you make these decisions.

They can, for example, tell whether an attack is coming from a known group, which gives them experience and prior knowledge of how that group's incidents unfold.

The FBI can also ensure that, if you do pay, you don't inadvertently pay a terrorist organization. Paying terrorist organizations is illegal, and nobody wants that conviction.

Look for a Decryption Tool

Check online whether a decryption tool already exists. There is no need to pay if keys for the attack are already available. Sometimes police or security researchers obtain the keys for an attack from the attackers' servers and share them online. These are just a few:

What You Should Do About Paying

Joseph Bonavolonta, Assistant Special Agent in charge of the FBI's Cyber and Counterintelligence Program, stated at the Cyber Security Summit that he often advised people to just pay the ransom.

He said, "The ransomware's success benefits victims because many people pay. Malware authors are less likely to extract excessive profit from any one victim, which keeps ransoms low. Ransomware scammers are a lot more trustworthy than they seem. You do get your access back."

According to the FBI, ransomware payments typically range between $200 and $10,000.

There have been cases where the ransom was much higher. Attackers encrypted files belonging to the City of Detroit and demanded a ransom of 2,000 Bitcoins, approximately $800,000 at the time. The good news is that Detroit did not need the database and did not pay.

Sometimes paying is the best decision. The Dickson County, Tennessee Sheriff's Office paid $622.00 to hackers who had encrypted its criminal case files. Detective Jeff McCliss said it was "a decision between losing all that data and being unable to provide the vital services that the data would've helped us to provide to the community, or spending 600-and-some-odd dollars to retrieve the data." They were lucky to get access to the files back.

Thou Shalt Not Pay: When to Resist

Security experts disagree with Mr. Bonavolonta's comments and advise against paying the ransom. There is no guarantee that your files will be restored to their original state even after you pay, and paying perpetuates the problem and makes you more vulnerable to further malware.

According to 2016 reports, a Kansas hospital infected with ransomware paid the ransom to get its business back on track, but the payment only partially decrypted the files, and the cybercriminals demanded more money to decrypt the rest. The hospital refused to pay the second ransom, calling it not a "wise maneuver or strategy".

Worse, if you are infected by a defective strain like Power Worm, you will not get your files back at all: even if the ransom is paid, the attack destroys the victim's data.

Likewise, in an attack like NotPetya, where the intent was not financial gain but the destruction of data, you won't get your data back even if you have a stockpile of bitcoins.

The Department of Homeland Security has also warned victims against negotiating with hackers. The conflicting advice has led to debate over whether the FBI encourages hacker behavior.

In a Wall Street Journal interview, FBI spokesperson Kristen Setera declined to comment on whether FBI officials had suggested paying ransoms to hackers.

How Varonis Can Help IT Administrators with Mitigation

The Varonis Data Security Platform is a front-line defense against ransomware attacks on primary data storage. Varonis had its detection and prevention systems in place when the first ransomware attacks hit in 2014.

Monitor File System Activity

Varonis monitors file system activity and keeps a complete audit trail of everything that happens on those storage systems, which supports analysis and forensics when needed.

Ransomware attacks encrypt files and therefore generate a lot of file activity. Varonis can see one user modifying hundreds of files at once, sometimes with file names containing "encrypt" or something similar. This gives valuable insight into the file-level events during a ransomware incident, which is crucial for recovery and remediation.

Response and Threat Detection

Varonis does more than just alert you to a ransomware attack: it detects the threat and can stop it from causing more damage.

Let me repeat that: Varonis detects ransomware attacks and stops them in flight.

DatAlert collects file-monitoring events and matches them against the ransomware threat model; the alert then neutralizes the attack. An alert on its own informs the team about the attack, but the delay between notification and response could mean thousands more files encrypted, so we have automated the ransomware response.

When DatAlert detects a ransomware attack, it triggers a PowerShell script that disables the account and shuts down the victim's machine. DatAlert can trigger many different actions from an alert; this PowerShell script is one of the most popular for ransomware.

Imagine stopping a ransomware attack after it has encrypted only a few hundred files instead of your entire storage. You know exactly which files were encrypted, so you can restore them from backup.
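The detect-then-respond flow described above, as an added illustration rather than Varonis code: a burst of modify/rename events from one account inside a short window (lowered threshold when new names carry encryption markers) raises an alert that lists the affected files for restore and yields the disable-account/shut-down-host actions. The audit lines, thresholds and markers are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-trail sample: "timestamp user host operation path" (not a real log)
AUDIT_LOG = """\
2024-01-15T09:00:01 alice WS-01 modify /fs01/finance/q1.xlsx
2024-01-15T09:00:03 bob WS-07 read /fs01/hr/doc1.docx
2024-01-15T09:00:05 bob WS-07 modify /fs01/hr/doc1.docx
2024-01-15T09:00:06 bob WS-07 rename /fs01/hr/doc1.docx.encrypted
2024-01-15T09:00:07 bob WS-07 modify /fs01/hr/doc2.docx
2024-01-15T09:00:08 bob WS-07 rename /fs01/hr/doc2.docx.encrypted
2024-01-15T09:00:09 bob WS-07 modify /fs01/hr/doc3.docx
2024-01-15T09:00:10 bob WS-07 rename /fs01/hr/doc3.docx.encrypted
2024-01-15T09:00:11 bob WS-07 create /fs01/hr/README_DECRYPT.txt
2024-01-15T09:03:00 alice WS-01 modify /fs01/finance/q2.xlsx
2024-01-15T09:05:00 alice WS-01 modify /fs01/finance/q1.xlsx
"""

WINDOW = timedelta(seconds=60)       # sliding window per account (assumed value)
BURST_THRESHOLD = 8                   # distinct files changed inside WINDOW (assumed)
MARKERS = ("encrypt", ".locked", "readme_decrypt")   # constructed name markers
WRITE_OPS = {"modify", "rename", "create", "delete"}

def parse_events(text):
    """Parse audit lines into (timestamp, user, host, op, path) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, host, op, path = line.split(maxsplit=4)
            events.append((datetime.fromisoformat(ts), user, host, op, path))
    return events

def detect_ransomware(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """Threat model: one account touching many distinct files in a short window.
    Encryption-style names halve the burst threshold. Returns user -> alert."""
    recent, alerts = defaultdict(deque), {}
    for ts, user, host, op, path in sorted(events):
        if op not in WRITE_OPS:
            continue                          # reads do not change data
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:          # drop events outside the window
            q.popleft()
        files = {p for _, p in q}
        marker = any(m in p.lower() for _, p in q for m in MARKERS)
        if len(files) >= (threshold // 2 if marker else threshold):
            a = alerts.setdefault(user, {"host": host, "files": set(), "markers": False})
            a["files"] |= files               # everything to restore from backup
            a["markers"] |= marker

    return alerts

def response_actions(alerts):
    """The automated playbook as data: disable the account, shut down the host.
    Returned instead of executed; a real script would run the AD/host commands."""
    return [(f"disable_account:{u}", f"shutdown_host:{a['host']}")
            for u, a in alerts.items()]
```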

The Least-Privilege Model

Varonis can also help you prepare your network before a ransomware attack occurs. DatAdvantage collects all user permissions for folders on storage devices, both on-premises and in the cloud, and shows you the files that are exposed by Global Access, excessive permissions, or broken ACLs.

Varonis then automates removing Global Access, fixing broken ACLs, and removing excessive and unnecessary permissions from users and groups, moving you toward a least-privilege permission set.

It is well known that users cannot modify files they cannot access. Ransomware has no more access than the infected user, so it can only encrypt the files that user can reach, and least privilege keeps that damage to a minimum.
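The Global Access and blast-radius argument above, as an added worked example that is not DatAdvantage code: a constructed permission inventory is scanned for global groups, the set of folders a given account could encrypt is computed before and after Global Access is removed, and direct user ACEs are flagged as excessive. Group names, rights strings and the inventory are assumptions for the example.

```python
import copy

# Constructed folder inventory: folder -> {principal: rights} (not DatAdvantage output)
ACLS = {
    "/fs01/finance": {"Finance-Team": "RW", "Domain Users": "R"},
    "/fs01/hr":      {"HR-Team": "RW", "Everyone": "RW"},        # writable by anyone
    "/fs01/public":  {"Authenticated Users": "R"},                # readable by anyone
    "/fs01/it":      {"IT-Admins": "RW", "bob": "RW"},            # direct user ACE
}
# Constructed group membership
GROUPS = {"alice": {"Finance-Team", "Domain Users"}, "bob": {"Domain Users"}}
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

def global_access(acls, write_only=False):
    """Folders exposed through a global group; optionally only where it can write."""
    return {folder for folder, aces in acls.items()
            if any(p in GLOBAL_GROUPS and ("W" in r or not write_only)
                   for p, r in aces.items())}

def excessive_direct_grants(acls, users):
    """Write ACEs granted to an individual user rather than a group."""
    return {(folder, p) for folder, aces in acls.items()
            for p, r in aces.items() if p in users and "W" in r}

def writable_by(acls, user, groups):
    """Blast radius: folders malware running as `user` could modify or encrypt.
    Global groups apply to every account, so they are always in the lookup."""
    principals = {user} | groups.get(user, set()) | GLOBAL_GROUPS
    return {folder for folder, aces in acls.items()
            if any("W" in r for p, r in aces.items() if p in principals)}

def remove_global_access(acls):
    """Remediation step: strip global groups, leaving team-based access in place."""
    fixed = copy.deepcopy(acls)
    for aces in fixed.values():
        for p in list(aces):
            if p in GLOBAL_GROUPS:
                del aces[p]
    return fixed

if __name__ == "__main__":
    print("global write:", global_access(ACLS, write_only=True))
    print("bob before:", writable_by(ACLS, "bob", GROUPS))
    print("bob after: ", writable_by(remove_global_access(ACLS), "bob", GROUPS))
```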