How ransomware works
Ransomware is malicious software that threat actors use to extort money. This type of cyber aggression is one of the most popular criminal business models. Ransomware attacks can be costly for organizations and can take hundreds of hours to repair the devices and restore any data lost during an attack.Organizations learn of cyber-attacks when they get a notification from infected machines informing them that their data was targeted. A typical ransomware attack typically involves only a few steps. To install the ransomware, the first step is to compromise the control server or system. The ransomware encrypts the data and then takes control. Next, the compromised computer displays a message with a “ransom note”, which contains the attacker’s demands. It informs the victim or company that encrypted files are not available until payment is made.
Although payment is often demanded in cryptocurrency, gift cards, or credit cards, it doesn’t guarantee that the victim will be granted access again. The attackers may provide the decryption keys to allow the victim to access their data if the victim pays the ransom. Sometimes, the victim can pay the ransom, but the attackers are unable to provide the decryption keys. This can lead to both financial and data loss. Sometimes, victims choose not to pay the ransom and rely on data backups and system rebuilds to restore their IT operations. Cybercriminals often target victims who have been previously targeted, especially if they are willing to pay.
According to “Combatting Destructive Malware”, a ransomware attack on a single computer system costs large multinational corporations USD 239 million. It also damages 12,316 computers. Due to the complexity of networks and remote virtualization, as well as the IoT, the cyber threat landscape continues to evolve and expand with new ransomware.
Combatting destructive malware (2,4 MB)
What causes a ransomware infection?
Phishing, social engineering, and other tactics
Ransomware is a threat that has existed since 1989.
Ransomware is often introduced to organizations through phishing emails that include malicious attachments and links to malicious websites. Locky Ransomware, for example, infects victims via phishing emails that contain malicious attachments or links to malicious sites.
Ransomware is difficult to defeat. However, a combination of user education, proactive, practiced incident response planning, basic security hygiene like aggressive patch management, endpoint protection solutions, and user education can help. Cyber resilience is a practice that includes data protection, data recovery, and resilience best practices. It also includes ransomware training for users. Tools such as cloud encryption are useful for organizations that have moved their data to the cloud or used the cloud as a backup location. This can reduce the risk of ransomware attacks and the cost.
Combatting destructive malware (2,4 MB)
Types of ransomware attacks
There are two main classes of ransomware, and both are intended to disrupt business operations for financial gain for the attackers.
Crypto ransomware prevents access to files or data through encryption with a different randomly generated symmetric key for each file. The symmetric key is then encrypted with a public asymmetric key; attackers then demand the ransom payment for access to the asymmetric key.
Doxware is a form of crypto-ransomware where victims are threatened with not only losing access to their files but also having their private files and data made public through “doxing”.
Learn more about Doxware
Locker ransomware locks the computer or device by preventing users from logging in; an infected machine can display an official-looking message warning the user. This type of malware does not actually encrypt files on the device.
If you have an infected computer
The Department of Homeland Security issued an alert on ransomware and recent variants with advice for organizations and individuals. Their top recommendation is to have a secure data backup and recovery process.
The DHS advised organizations to:
- Implement a backup and recovery plan for all critical data;
- Regularly test backups to limit the impact of a data breach and accelerate the recovery process; and
- Isolate critical backups from the network for maximum protection if network-connected backups are affected by ransomware.
Recovering from ransomware is all about maintaining control of your data as efficiently and securely as possible. Regulations such as GDPR in Europe and the California Consumer Privacy Act are imposing new requirements for data breach notifications that affect how you should handle a ransomware attack. The FBI recommends reporting any ransomware attacks to federal law enforcement so they can coordinate with local the United States law enforcement agencies to track attacks and identify attackers.
If you are experiencing a cybersecurity incident, contact the IBM Security X-Force team for immediate help.