Covered in this Article:
- What is Ransomware
- Who creates Ransomware
- How does Ransomware infect
- Spam emails and unsolicited email attachments.
- Infected removable drives.
- Bundled with other software.
- Compromised webpages.
- What are the different types of ransomware?
- Locker ransomware.
- Crypto ransomware.
- Who is targeted by ransomware?
- Should you pay?
- Should a ransomware attack be reported?
- How do I avoid ransomware?
- Prevention is good.
- Protection is better.
- Backup is a must.
- What to do once infected?
What is ransomware?
Ransomware is malicious software (malware) that infects a computer, a network or the data stored on it. During the infection your computer is either locked or your data is encrypted and held hostage, and the attacker claims that the only way to regain access is to pay a “ransom”. The ransom is typically demanded in Bitcoin, a pseudonymous currency that is widely used in cyber black markets because payments are hard to trace back to a person. Ransomware is classified as a “denial of access” attack: it denies the victim access to the device, or to the data stored on it, until the ransom is paid. Distributing ransomware is a criminal activity, and even though the technology it uses can be quite sophisticated, its prevalence hinges on exploiting the human element, as most criminal activities do. Ransomware is not a new phenomenon, but it has become far more widespread and invasive in recent years.
Who creates ransomware?
Ransomware is created by criminals who intend to vandalise, swindle, blackmail or extort ransom from victims. These criminals abuse technology as a platform for criminal activity and are usually referred to as cybercriminals. They use coercion to get what they want: some scare victims into believing they have committed a crime by visiting a restricted website, others threaten to delete a portion of the data every 30 minutes until the ransom is paid. What exactly do they want? Ransomware is deployed for two main reasons: monetary gain, and acquiring sensitive data to sell on online black markets.
The ransomware business model today is so mature that cybercriminals go as far as providing a pleasant “customer” experience (strange as it may sound) to make it as easy as possible for victims to convert money into Bitcoin and pay the ransom in question. In some cases this includes telephone support. Other “professionals” have spotted the opportunity to commoditise it and now offer “ransomware-as-a-service”: they sell the malware outright, or they run and administer the ransomware operation on someone else’s behalf for a fee or a percentage of the ransom. The result is that attacks are increasing and becoming more prevalent, because would-be criminals no longer need to be able to write code to join in.
How does ransomware infect?
As the technology landscape keeps expanding, with smart mobile devices everywhere, the internet of things growing, and people relying on technology for everyday activities, ransomware has a rich playing field in which to spread.
There are four common ways that ransomware can gain access to your computer.
Spam emails and unsolicited email attachments.
An easy and popular way for ransomware to spread is via emails and unsolicited email attachments. The emails trick the user into opening them or their attachments, usually by making the content appear enticing or by using “spear phishing” techniques. Phishing is a method whereby cybercriminals attempt to obtain sensitive personal information from individuals, or to get them to run malware, via electronic communication; it coaxes individuals into surrendering information or clicking by presenting bait, or the promise of an appealing incentive. Spear phishing is a targeted form of phishing. It depends on familiarity with the person targeted and can go as far as using a person’s web presence (their online activity, favoured websites, social network interactions, etc.) against them. Cybercriminals will often monitor their victims, learn about them, and then tailor and personalise the content used in the attack before striking. By doing this they increase the odds of getting the victim to engage with the malware.
Infected removable drives.
Malware can spread through removable drives (USB flash drives and external hard drives). It is often written to run automatically, or to trick the user into running it, as soon as the drive is connected to a machine. If the infected computer or device is connected to a network, the malware can spread through the network to other machines, including across a shared wireless network, where it can move between connected devices rather quickly. Some variants spread without being detected by anti-virus software.
Bundled with other software.
Ransomware can be bundled together with other software applications that are downloaded and installed. The victim may think they are only downloading a legitimate application, not knowing that it is a trojan horse designed to get them to activate the malware on their device. For this reason, make sure that any software you download comes from a safe, trustworthy source. Before installing, check that the installer carries a valid publisher code signature, or that its hash matches the one the vendor publishes; most anti-virus and anti-malware software will also scan an installer before it runs.
Compromised webpages.
Ransomware can also take advantage of software vulnerabilities to infect a computer. When the victim visits a compromised or hacked website, the ransomware can use pop-ups or malicious advertisements (“malvertising”) that mimic legitimate online ads to engage the victim. Sometimes not even a click is needed: simply viewing the page on a device with an unpatched browser or plug-in vulnerability is enough for a so-called drive-by download to covertly seize control of the computer.
What are the different types?
There are two main types of ransomware: Locker and Crypto
Locker ransomware typically locks access to the computer interface, only allowing the user to interact with the ransom demand. It generally doesn’t attack the underlying operating system or data, only denies access to it.
Crypto ransomware is the more damaging of the two. It encrypts the valuable data stored on the computer or network, works quickly, typically stays undetected until the encryption is complete and the ransom demand appears, and poses the greater risk of permanent data loss.
Who is targeted by ransomware?
Ransomware is becoming more and more aggressive in its application, and ransomware creators are constantly devising new ways of fooling victims into engaging with malware, or of bullying them into paying. Individuals, home users, consumers: this was the typical, historical profile of a ransomware victim. This was likely because individual home users were not well informed about cybercrime and malware, and were potentially more willing to pay a ransom to recover their treasured family photos.
Over time, there has been a slow but steady increase in the targeting of businesses and larger corporations with highly focused, personalised attacks. Leading researcher Cybersecurity Ventures predicts the cost of damages of ransomware to businesses globally will
that ransomware is no longer a mostly consumer-focused crime.
It should be noted that ransomware does not only provide attackers with a monetary gain in the form of a ransom payment from the victim. Cybercriminals also harvest valuable data and sensitive information from the computer held hostage. So even if the victim pays the ransom in order to receive the decryption key, the information has probably already been compromised, and there is no guarantee that the key works or that the data will come back. Credit card information is a valuable commodity on the black market, but personal records such as medical and school records are even more valuable. The reason is that credit card details can be changed, whereas personal records are largely static. Such records fetch alarmingly high prices on cyber black markets and are in constant demand. So if personal and sensitive data is stored on a device, that device is a target for a ransomware attack. The stolen records are most likely used for identity theft and other fraud.
Another reason why medical and educational industries are targeted regularly by ransomware is that they are likely to have the funds available to pay a ransom. They are also more likely to be willing to pay because of the high value of their data and the importance of their IT systems remaining operational. For medical institutions, it can be a matter of life and death.
It is important to note that mobile ransomware attacks are also increasing rapidly, with the UK listed as one of the top ten countries affected by mobile ransomware.
Should you pay?
Most authorities don’t support paying a ransom in response to a ransomware infection. Paying won’t guarantee that a victim receives any data back and will encourage cyber criminals behind ransomware attacks to continue their activities, perpetuating the market for this illegal activity.
Sometimes the ransomware attack places a time limit on the victim, threatening to delete a certain amount of data every 30 minutes until the requested ransom has been paid. This can be very stressful and traumatic for the victim affected by the ransomware attack and might result in the victim feeling they have no other choice but to pay.
The best advice is to be well prepared for an attack, so that a victim can recover files by restoring from a backup taken before the infection occurred. If that is impossible, check whether a free decryption tool has been published for the ransomware family in question before considering payment; only then may paying the ransom be the remaining hope of restoring access.
Should an attack be reported?
It’s never fun to have egg on one’s face. Most companies and individuals bitten by ransomware refrain from reporting it to avoid reputational damage and having their competence called into question. Although avoiding a ransomware attack may sound easy in theory, the reality is that it only takes one moment of poor judgement, or pure bad luck, to become a victim. Ransomware distribution is a criminal activity, and falling victim to it does not mean that an individual or institution is incompetent. Cybersecurity Ventures predicts that ransomware damage costs will reach $20 billion by 2021, but accurate statistics are difficult to compile because not all victims report the attack.
Ransomware should most definitely be reported. Every attack report will help not only to draw up reliable statistics but also to gather information for the relevant organisations to combat ransomware-distributing cybercriminals. Contact your local law enforcement organisations to find the correct channels to report a ransomware attack. Even though it may seem that law enforcement can’t be of much help to recover from a ransomware attack, the information provided is extremely valuable to prevent similar future attacks.
How do I avoid ransomware?
There is no fool-proof method of avoiding ransomware but there are steps you can take to minimise the threat it poses.
Prevention is good.
There are many things you can do to avoid coming into contact with ransomware. The first is to practise proper email hygiene. Avoid opening suspicious-looking emails, and be cautious of clicking links or opening attachments in emails from senders you do not recognise; this is the easiest way for malware to infect your device. If you suspect anything suspicious is happening on your computer, disconnect it from the network immediately. This prevents the malware from transmitting data to the attacker or spreading to other machines.
Protection is better.
A great way to protect your devices is to invest in reputable anti-virus software and a properly configured firewall, and to apply operating system and application updates promptly, since the drive-by infections described above depend on unpatched vulnerabilities. Keeping your security software up to date helps with early detection of a ransomware infiltration. Some ransomware types have gone so far as to mimic anti-virus software interfaces and fool the victim into “running a security scan”. For this reason, be sure that you use a trustworthy security software provider: do proper vetting, and don’t compromise your digital safety for a cheaper option. Enable pop-up blockers in your browser and make sure that your security software offers browser security extensions as well. Pop-ups are an easy way to get a victim to click and let ransomware in.
Backup is a must.
The number one piece of advice that anti-ransomware specialists offer is to back up all data, outside of your own Local Area Network (LAN). It is important that you can recover an entire system and that your backup is isolated from your network to keep it safe from infection. If you back up in this manner and you happen to be unfortunate and suffer a ransomware attack, you can format everything to rid yourself of the ransomware infection and then do a full system recovery. This way you will not have to engage with the ransomware at all and you can restore your computer to the way it was before it was compromised.
It is also important to check the integrity of your backups regularly, test your restores and ensure you’re comfortable with the process. Choose the correct backup solution for you and ensure that your backup service provider is reputable, competent and has protection in place against such attacks. If all these backup precautions are taken, a ransomware attack can be overcome with minimal interruption and downtime.
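A check a practitioner would want to automate for the paragraph above is the backup integrity test itself. The following Python script is an added example, not Turrito’s or Redstor’s code: it records a SHA-256 manifest when a backup is taken and later compares the backup tree against it, so that a backup set that ransomware has reached (files overwritten in place, replaced by an encrypted copy under a new name, or ransom notes dropped in) is flagged before you try to restore from it. The directory layout, file names and the practice of storing the manifest off the backup host are assumptions of the example; the same per-file hashing step is what checking a downloaded installer against a vendor-published hash (under “Bundled with other software”) amounts to.

```python
"""Backup integrity check for a ransomware scenario.

Added example (not Turrito's or Redstor's code). Assumes a simple layout:
the backup set is a directory tree, and the SHA-256 manifest for it is
stored somewhere the backed-up host cannot overwrite (offline media, a
write-once bucket, a separate read-only share).
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, manifest_path: Path) -> None:
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path: Path) -> dict:
    return json.loads(manifest_path.read_text())


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree against the manifest recorded when the backup was taken.

    Ransomware shows up as files whose digests changed (overwritten in place),
    files that vanished (encrypted copy written under a new name, original deleted)
    and files that were never backed up (the encrypted copies, ransom notes).
    """
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: take a backup, then let simulated ransomware touch the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "report.docx").write_bytes(b"quarterly report (constructed)")
        (backup / "photos.zip").write_bytes(b"family photos (constructed)")

        # The manifest sits beside the backup only for this demo; in practice keep it offline.
        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(backup), manifest_path)
        clean = verify_backup(backup, load_manifest(manifest_path))
        assert clean["ok"], "fresh backup must verify clean"

        # Simulate crypto ransomware reaching the backup: one file encrypted to a new
        # name with the original removed, one overwritten in place, plus a ransom note.
        (backup / "docs" / "report.docx").unlink()
        (backup / "docs" / "report.docx.locked").write_bytes(b"\x8f\x12\x00\xd9 opaque ciphertext")
        (backup / "photos.zip").write_bytes(b"\x9a\x41 opaque ciphertext")
        (backup / "README_FOR_DECRYPT.txt").write_bytes(b"pay us (constructed ransom note)")

        return verify_backup(backup, load_manifest(manifest_path))


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["ok"] else 1)
```

Run it as-is to see the constructed scenario. In real use, run build_manifest against the completed backup set, store the manifest on media the backed-up host cannot write to, and run verify_backup as part of every restore drill. The manifest (or a signature over it) must live where ransomware cannot reach it: an attacker who can encrypt the backup and regenerate the manifest in the same place defeats the check.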
What to do once infected?
When a machine has been infected, the first thing to do is to take that device off the network and offline. This ensures that the infection can’t spread beyond the device and doesn’t put other users’ data at risk. Once the infection has been contained and removed from your environment, retrieve your data from secure backups. The FBI’s tips for a business continuity plan that helps combat the effects of ransomware are to make regular backups of data, verify the integrity of those backups frequently and keep a mirrored copy on a secure, separate server. A comprehensive backup solution is your best chance of surviving a ransomware attack.
Some industries, however, feel that a full system restore could take too long and that it would be easier and quicker to regain access to the encrypted or locked data by paying the ransom. The truth is that there is no guarantee the cybercriminals will not continue to extort you, will hand over a working decryption key, or will refrain from deleting your data. For this reason, it is important to make sure that your backup service provider has the ability and functionality to restore critical data quickly and effectively. We advise you to read more about Redstor Backup Pro’s InstantData and FSR (Full System Recovery) features. With these two options you can have immediate access to critical data affected by ransomware, and also do a full system restore to revert to your computers’ state before the ransomware attack occurred.
Turrito offers many cyber security solutions that can help you guard your business against ransomware. If you can’t find the solutions you are looking for, give us a call. If you need help implementing cyber security solutions, contact Turrito.
Our managed cyber security solutions are designed with your business in mind. We can tailor every IT solution to suit your business needs. We want your business to succeed, so we give you the technology that helps it grow.
Some of the solutions Turrito offers to help guard your business include: