Ransomware Information

What is Ransomware?

Ransomware is a type of malicious software (malware) in which the attacker threatens to publish the victim's data, or blocks access to that data or to a computer system, unless the victim pays a ransom. Ransomware is typically distributed via the Internet. In many instances the ransom demand comes with a deadline: if the victim does not pay in time, the data is lost for good or the ransom price increases.

Ransomware attacks have become all too common in recent years. Many major corporations in both North America and Europe have fallen prey to them. Cybercriminals will target any consumer or business, and their victims come from a diverse range of industries.

Several government institutions, including the FBI, advise against paying the ransom so as not to perpetuate the ransomware cycle, and the No More Extortion Project gives the same advice. Furthermore, 50% of victims who pay the ransom are likely to suffer further ransomware attacks in the future, particularly if the malware is not removed from the system.

History of Ransomware Attacks

The origins of ransomware can be traced back to 1989, when the “AIDS virus” was used to extort money from its victims. Payments for that attack were mailed to Panama, after which the user received a decryption key by mail.

In 1996, Moti Yung and Adam Young of Columbia University coined the term “cryptoviral extortion” to describe ransomware, later shortened to “ransomware.” The concept, which originated in academia, showed how much power modern cryptographic tools could give an attacker. Yung and Young presented the first cryptovirology attack at the IEEE Security and Privacy Conference in 1996. Their proof-of-concept carried the attacker’s public key and encrypted the victim’s data. The malware then instructed the victim to send an asymmetric ciphertext to the attacker, who would decrypt it and return the decryption key in exchange for a fee.

Attackers have become more inventive over time, demanding payments that are practically impossible to trace, which lets cybercriminals remain anonymous while conducting their operations. For example, the infamous mobile ransomware Fusob forces victims to pay with Apple iTunes gift cards rather than in traditional currency such as dollars before their device is released.

Ransomware attacks grew in popularity alongside the rise of cryptocurrencies such as Bitcoin. A cryptocurrency is a form of digital money that uses cryptographic techniques to authenticate and protect transactions while also controlling the creation of new units. Besides Bitcoin, attackers encourage victims to pay in several other popular cryptocurrencies, including Ethereum, Litecoin, and Ripple.

Throughout its history, ransomware has targeted institutions in practically every industry; the attack on Presbyterian Memorial Hospital in Philadelphia is one of the best-known examples. That attack highlighted the potential harm and risks of ransomware: laboratories, pharmacies, and emergency departments were all affected.

Attackers using social engineering techniques have also grown more creative over time. As reported by The Guardian, victims of one new ransomware were told to get two additional users to install it via a link and to pay a ransom in order to have their files decrypted and returned.


Examples of Ransomware

The significant ransomware attacks described below give organizations a firm foundation of knowledge about the strategies, exploits, and features of the vast majority of ransomware attacks. While ransomware continues to evolve in code, targets, and functionality, most of its innovations are incremental.

WannaCry — It took an exploit for a vulnerability in Microsoft Windows to launch the WannaCry ransomware, which infected over 250,000 systems before a killswitch was activated to stop it spreading further. Proofpoint was involved in discovering the sample used to identify the killswitch and in deconstructing the ransomware. Read on to learn more about Proofpoint’s role in thwarting WannaCry’s spread.
CryptoLocker — CryptoLocker was one of the first of the current generation of ransomware to demand payment in Bitcoin. It encrypted the user’s hard disk as well as any network drives attached to the computer at the time of infection. CryptoLocker spread through emails carrying attachments disguised as FedEx and UPS tracking notices. A decryption tool was released in 2014; however, by numerous estimates, CryptoLocker had already extorted upwards of $27 million from its victims.
NotPetya — The NotPetya attack is considered one of the most catastrophic in recent memory. NotPetya used tactics similar to its namesake, Petya, including infecting and encrypting the master boot record of Microsoft Windows systems. It spread quickly using the same vulnerability as WannaCry and demanded payment in bitcoin to reverse the changes made by the malware. Because it is unable to undo its changes to the master boot record, leaving the target machine unrecoverable, some have labeled NotPetya a wiper.
Bad Rabbit — Considered a cousin of NotPetya and spreading via exploits and code identical to NotPetya, Bad Rabbit was a visible ransomware that appeared to target Russia, mostly affecting media organizations. Unlike NotPetya, Bad Rabbit did allow decryption if the ransom was paid. Most reports indicate it was distributed through a bogus Flash Player update, which can infect users via a drive-by attack.
REvil — REvil was developed by a gang of financially motivated attackers. It exfiltrates data before encrypting it, so that victims who do not pay promptly can be blackmailed with the threat of publication. The attack was made possible by a flaw in the IT management software used to patch Windows and Mac infrastructure: attackers gained access to the Kaseya software and used it to infect business systems with the REvil ransomware.
Ryuk — Ryuk is a ransomware application that is spread manually and used primarily in spear-phishing attacks. Targets are carefully selected through reconnaissance. Once the chosen victims act on the email messages sent to them, all files on the infected system are encrypted.

How Ransomware Works

Ransomware is a type of malware designed to extort money from victims by preventing them from accessing data on their computers or by blocking access to their systems. Encryptors and screen lockers are the two most commonly encountered types. Encryptors, as the name implies, encrypt data on a computer’s hard drive, rendering it unusable unless the decryption key is provided. Screen lockers, on the other hand, simply block access to the system by displaying a “lock” screen and claiming that the system has been encrypted.

Figure 1: An illustration of a ransomware attack

Figure 1 shows how ransomware attempts to trick the victim into installing it.

In many cases, victims are told to purchase a cryptocurrency such as Bitcoin to pay the ransom, with the demand displayed on a lock screen (this is common to both encryptors and screen lockers). Once the ransom is paid, victims are supposed to receive the decryption key and can then attempt to unlock their files. Decryption is not assured: many sources report differing degrees of success after paying ransoms to various groups, and in some cases victims never receive the keys at all. Some ransomware continues to infect the system even after the ransom has been paid and the data has been released.

While initially focusing mostly on individuals’ personal computers, encrypting ransomware has increasingly targeted business users, as organizations are willing to pay significantly more than individuals to restore access to crucial systems and restart normal operations.

Most enterprise ransomware attacks begin with a phishing email sent by a hostile party. An unwary user opens a malicious attachment or clicks a link to a dangerous or compromised URL.

At that point a ransomware agent is installed on the victim’s computer, and it begins encrypting important data on that machine and on any attached file shares. Once encryption is finished, the ransomware displays a message on the affected device explaining what has happened and how to pay the perpetrators. The ransomware promises that victims who pay will receive a code that lets them restore their data.
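As an added illustration of the encryptor behaviour described above (this is not code from the original page), the following Python sketch shows one way a defender can spot an encryptor at work in file-system telemetry: a single process rewriting many files with ciphertext-like, high-entropy content and renaming them to a new extension within a short window, including on attached file shares. The event tuple layout, process names and thresholds are assumptions, and the sample events are constructed.

```python
import math
import os
from collections import defaultdict

WINDOW_SECONDS = 60      # sliding window per process (assumed tuning value)
MIN_SUSPICIOUS = 5       # suspicious events within the window before alerting
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext sits near 8.0, office documents far lower

def shannon_entropy(data):
    # Shannon entropy in bits per byte of a written chunk
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(v) for v in range(256)) if c)

def is_suspicious(ev):
    # Event tuple: (time_s, process, op, path, new_path_or_None, bytes_sample_written).
    # Suspicious: a rename that swaps the extension, or a write that looks like ciphertext.
    _, _, op, path, new_path, sample = ev
    if op == "rename":
        return os.path.splitext(path)[1].lower() != os.path.splitext(new_path)[1].lower()
    return op == "write" and shannon_entropy(sample) >= ENTROPY_THRESHOLD

def detect_mass_encryption(events):
    # Returns {process: time of first alert}; events must be sorted by time
    recent, alerts = defaultdict(list), {}
    for ev in events:
        if not is_suspicious(ev):
            continue
        t, proc = ev[0], ev[1]
        q = recent[proc]
        q.append(t)
        while t - q[0] > WINDOW_SECONDS:   # drop timestamps older than the window
            q.pop(0)
        if len(q) >= MIN_SUSPICIOUS and proc not in alerts:
            alerts[proc] = t
    return alerts

# Constructed sample telemetry (not from any real incident): a word processor saving one
# document, then an unknown binary rewriting files on a share and renaming them.
CIPHERTEXT_LIKE = bytes(range(256)) * 4          # stand-in for encrypted output, entropy 8.0
PLAINTEXT_LIKE = b"Quarterly budget figures. " * 16
SAMPLE_EVENTS = [
    (0, "WINWORD.EXE", "write", r"C:\Users\ann\Docs\budget.docx", None, PLAINTEXT_LIKE),
    (2, "WINWORD.EXE", "rename", r"C:\Users\ann\Docs\~tmp.docx", r"C:\Users\ann\Docs\budget.docx", b""),
]
for i in range(6):
    share_file = r"\\fs01\finance\report%d.xlsx" % i
    SAMPLE_EVENTS.append((10 + i, "updater.exe", "write", share_file, None, CIPHERTEXT_LIKE))
    SAMPLE_EVENTS.append((10.5 + i, "updater.exe", "rename", share_file, share_file + ".locked", b""))
```

Running `detect_mass_encryption(SAMPLE_EVENTS)` flags only `updater.exe`, at the fifth suspicious event (time 12), while the word processor's ordinary save-and-rename pattern stays silent.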

Who Is At Risk?

According to the FBI, any device linked to the internet is at risk of becoming the next ransomware victim. Ransomware scans the local device as well as any network-connected storage, which means that one vulnerable device puts the entire local network at risk of infection. If that network is a business network, the ransomware can encrypt key documents and system files, halting services and hurting productivity.

Any device that connects to the internet must have the latest software security patches installed, as well as anti-malware software that detects and prevents ransomware from being downloaded. Operating systems that are no longer supported, such as Windows XP, are at a significantly higher risk of being compromised.

The Business Impact from Ransomware

If your company becomes a victim of ransomware, you could lose thousands of dollars in productivity and data. If the attackers have gained access to the data, they will blackmail the victims into paying the ransom by threatening to leak the data and expose the data breach. Organizations that do not pay the ransom promptly may suffer further consequences such as brand harm and litigation.

Containment, which itself interrupts work, is the first stage in dealing with ransomware. After containment, the organization can either restore data from backups or pay the ransom. Law enforcement takes part in investigations, but tracking down ransomware authors takes extensive investigation time, which only prolongs recovery. Root-cause analysis identifies the vulnerability, but any delay in recovery hurts productivity and business revenue.