
Ransomware

What is ransomware?

Ransomware is a type of cyberattack in which an organization's files are encrypted or its computer systems are locked until a ransom is paid. Modern ransomware attacks have evolved beyond just blocking access; they also involve data exfiltration and the threat to expose the data to the public or to sell it. The attackers typically demand payment in cryptocurrencies to make the transactions harder to trace.

A ransomware attack poses not only operational disruption but also the risk of reputational damage and legal consequences.

How does ransomware work? What does ransomware do?

Here’s how a typical ransomware attack unfolds:

1. Infection

The ransomware is delivered to the victim’s computer, often through a phishing email, malicious attachment, or by exploiting a vulnerability in the system.

2. Encryption and Data Exfiltration

Once executed, the ransomware encrypts files on the victim’s system using a strong encryption algorithm. It might target specific file types, such as documents, spreadsheets, and images, or encrypt entire drives. In some attacks, data is exfiltrated to the attacker’s computer.

3. Ransom Demand

After encrypting or exfiltrating files, the ransomware displays a message to the victim, demanding payment in exchange for the decryption key. The ransom is typically requested in cryptocurrency, such as Bitcoin, to make the transaction more difficult to trace.

4. Payment (Optional)

Victims may choose to pay the ransom in hopes of getting their files back. However, there’s no guarantee that the attacker will provide the decryption key after receiving payment, and paying the ransom encourages further attacks.

5. Decryption (Optional)

If the victim pays the ransom and receives the decryption key, they can attempt to restore their files. In some cases, security researchers are able to crack the encryption or obtain the decryption keys, and they may offer free decryption tools.

What are some examples of the types of ransomware?

Crypto Ransomware

Crypto ransomware encrypts files on a victim’s computer and demands a ransom payment in cryptocurrency to decrypt them. It is often spread through phishing emails or drive-by downloads.

Scareware

Scareware uses social engineering to trick users into downloading or buying unwanted software. It often appears as a pop-up window that warns the user that their computer is infected with a virus or other malware. The pop-up window may also demand that the user pay a fee to remove the infection.

Locker Ransomware

Locker ransomware is a type of malware that locks the victim’s computer and demands a ransom payment to unlock it. It is often spread through phishing emails or drive-by downloads. Paying the ransom is not always a guarantee of getting the computer unlocked.

What are some of the tactics that ransomware actors employ to force their victims to pay a ransom?

Ransomware actors use various tactics to manipulate and pressure their victims into paying the ransom. Some of these tactics include:

Deadline Pressure

Many ransomware notes include a countdown timer, threatening to increase the ransom amount or permanently delete the decryption key after a certain period. This sense of urgency pressures victims to pay quickly without seeking alternatives.

Threatening to Expose Sensitive Data

Some ransomware variants not only encrypt the victim’s files but also exfiltrate them. Attackers may threaten to release sensitive or embarrassing information publicly if the ransom is not paid.

Impersonating Law Enforcement or Government Agencies

Some ransomware screens pretend to be from a law enforcement agency, falsely claiming that illegal activities were detected on the victim’s computer. The ransom is then framed as a “fine” that must be paid to unlock the computer.

Social Pressure

By attacking high-profile targets such as hospitals or municipalities, attackers create public pressure and negative media attention that might urge the victim to pay the ransom quickly.

Offering “Support” or Negotiation

Some ransomware groups provide a “customer service” experience, guiding the victim through the payment process or even negotiating the ransom amount. This may make the payment process seem more legitimate or manageable.

Providing Evidence of Decryption Capability

To build trust, some attackers may offer to decrypt a small number of files for free as proof that they have the ability to unlock everything once the ransom is paid.

Targeting Critical Systems

By targeting essential business systems or critical infrastructure, attackers can bring operations to a halt, creating a crisis that pushes the victim to pay the ransom quickly.

What is ransomware-as-a-service (RaaS)?

Ransomware-as-a-Service (RaaS) refers to a business model where ransomware developers offer their malicious software and sometimes additional support services to other criminals for a fee or a share of the profits.

This arrangement allows individuals or groups with little or no technical expertise to launch sophisticated ransomware attacks, significantly lowering the barrier to entry in cybercrime. Even attackers with minimal technical skills can use RaaS to launch effective campaigns.

What are some examples of ransomware?

LockBit Ransomware

In May 2023, the LockBit ransomware group targeted the Taiwan Semiconductor Manufacturing Company (TSMC). The LockBit group was able to gain access to TSMC’s network through a phishing email that was sent to an employee. Once the LockBit group had access to TSMC’s network, they were able to encrypt the data on over 10,000 servers.

The LockBit group demanded a ransom of $70 million from TSMC in exchange for the decryption key.

Cl0p Ransomware

In June 2023, the Cl0p ransomware group exploited a zero-day vulnerability in the MOVEit Transfer platform to steal data from several organizations, including British Airways, the BBC, and Boots. The group then encrypted the stolen data and demanded a ransom payment of $10 million from each victim.

What are some of the best practices to mitigate the risk of ransomware attacks?

Authenticate and Verify Software Sources

Ensuring that any software to be installed and used in the organization comes from trusted and verified sources is critical. This practice prevents the installation of malicious software disguised as legitimate applications. Using digital signatures and checksums can help verify the integrity of software packages before installation.

Install and Maintain Antivirus Protection

Antivirus software is essential for detecting and preventing malware. Modern antivirus solutions can even detect some forms of ransomware. Keeping antivirus programs up to date ensures protection against the latest threats. Regular scans and real-time protection can identify and neutralize ransomware before it causes harm.

Whitelist Trusted Software

Implementing application whitelisting ensures that only approved and trusted applications can run on systems. This reduces the risk of unauthorized or malicious software execution. Regularly reviewing and updating the whitelist is necessary to keep it current with organizational needs.
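The two practices above (verifying a package against a published checksum before installing it, and allowing only approved applications to run) both reduce to comparing a file's content hash against a trusted record. The following added example, which is not code from this page or from Acalvio, shows both checks in one script. The installer bytes, the "published" checksum and the allow-list entry are constructed here so it runs offline; in practice the checksum comes from the vendor's download page and the allow-list from your software inventory.

```python
import hashlib
import hmac
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_package(path, published_sha256):
    """True only if the local file's digest equals the vendor-published one.

    One altered byte anywhere in the download (corruption or tampering) changes
    the whole digest; compare_digest keeps the comparison constant-time."""
    actual = sha256_file(path)
    return hmac.compare_digest(actual, published_sha256.strip().lower())


class HashAllowList:
    """Allow-list keyed on file content, not on name or path: renaming an
    unapproved binary to a trusted name does not make it approved, and a
    trusted binary stays approved wherever it is copied."""

    def __init__(self, approved):
        # approved: {label: sha256 hex digest}; labels are for reporting only
        self._approved = {label: h.lower() for label, h in approved.items()}

    def decision(self, path):
        """Return ("allow", label) or ("deny", None) for the file at path."""
        digest = sha256_file(path)
        for label, approved_digest in self._approved.items():
            if hmac.compare_digest(digest, approved_digest):
                return "allow", label
        return "deny", None


def demo():
    """Constructed scenario: a sample installer, its published checksum, a copy
    with one byte changed, and a renamed copy of the genuine installer."""
    body = b"MZ constructed sample installer bytes, not a real program. " * 200
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "installer.bin")
        with open(genuine, "wb") as fh:
            fh.write(body)
        # Stands in for the checksum the vendor publishes beside the download
        published = sha256_file(genuine)

        tampered = os.path.join(tmp, "installer_mirror.bin")
        with open(tampered, "wb") as fh:
            fh.write(body[:-1] + b"!")  # last byte changed

        renamed = os.path.join(tmp, "updater.exe")
        shutil.copyfile(genuine, renamed)

        allow = HashAllowList({"vendor-installer-1.0": published})
        return {
            "genuine_verified": verify_package(genuine, published),
            "tampered_verified": verify_package(tampered, published),
            "renamed_decision": allow.decision(renamed)[0],
            "tampered_decision": allow.decision(tampered)[0],
        }


if __name__ == "__main__":
    print(demo())
```

The allow-list deliberately ignores file names: the renamed copy of the genuine installer is still allowed, and the one-byte-different copy is denied even though it carries the original name. A checksum alone does not prove who published the file (that is what a digital signature adds), but it does catch a download that was altered in transit or on a mirror.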

Regularly Back Up Data

Regular data backups are crucial for recovering from a ransomware attack without paying the ransom. Storing backups securely and offline, and regularly testing them for integrity and restoration capability, ensures reliable recovery. Having backups minimizes downtime and data loss.
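"Testing backups for integrity and restoration capability" means more than checking that the archive opens: the restored files must match what was backed up. The added example below (not from this page or from Acalvio) backs up a small constructed directory, restores it into a scratch location and compares every file's SHA-256 against a manifest recorded at backup time. It then damages the archive's file data the way failing media would, to show that the restore test reports the corruption that a plain extraction would miss.

```python
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root):
    """{relative path: sha256} for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def create_backup(source_dir, archive_path):
    """Write an uncompressed tar of source_dir and return its manifest. Keep the
    manifest with the backup catalogue, separate from the archive, so a later
    restore test compares against a record made at backup time."""
    with tarfile.open(archive_path, "w") as tar:
        tar.add(source_dir, arcname=".")
    return manifest(source_dir)


def verify_restore(archive_path, expected):
    """Restore into a scratch directory and compare every file against the
    manifest. Returns (ok, problems). Tar checksums only its headers, so
    silent corruption of file data is invisible until this comparison."""
    problems = []
    # Use the safe extraction filter where this Python provides it (3.12+ and backports)
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r") as tar:
                tar.extractall(restore_dir, **extract_opts)
        except (tarfile.TarError, OSError) as exc:
            return False, [f"unreadable archive: {exc}"]
        restored = manifest(restore_dir)
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupt: {rel}")
    for rel in sorted(restored.keys() - expected.keys()):
        problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: back up a small tree, prove it restores, then
    alter bytes inside the archive's file data and prove the test reports it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "data")
        os.makedirs(os.path.join(src, "finance"))
        samples = {
            os.path.join("finance", "ledger.csv"): "ledger line 0001\n" * 50,
            "notes.txt": "quarterly notes, constructed sample\n",
        }
        for rel, text in samples.items():
            with open(os.path.join(src, rel), "w") as fh:
                fh.write(text)

        archive = os.path.join(tmp, "backup.tar")
        expected = create_backup(src, archive)
        healthy = verify_restore(archive, expected)

        # Silent corruption: change file data inside the archive, not a header
        with open(archive, "rb") as fh:
            blob = fh.read()
        blob = blob.replace(b"ledger line 0001", b"ledger line 9999", 1)
        with open(archive, "wb") as fh:
            fh.write(blob)
        corrupted = verify_restore(archive, expected)
        return {"healthy": healthy, "corrupted": corrupted}


if __name__ == "__main__":
    print(demo())
```

Run this kind of restore test on a schedule against the offline copy, from a host that has no write access to the backup store; a backup that restores cleanly only on the day it was taken is not the one you will need after an incident.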

Educate Employees on Security Practices

Employees should be trained to recognize phishing attempts and other common attack vectors used to deliver ransomware. Regular security awareness training ensures that employees follow best practices, such as not clicking on suspicious links or attachments. An informed workforce acts as a strong defense against cyber threats.

Implement a Comprehensive Security Solution

A multi-layered security approach combines various tools and strategies to protect against ransomware. This includes firewalls, intrusion detection systems, email filtering, and endpoint protection. An integrated solution ensures that all aspects of a network are covered, reducing vulnerabilities and enhancing overall security.

How can Acalvio help an enterprise counter ransomware attacks?

Deception technology powered by Acalvio is an important ingredient in an organization’s defensive strategy against ransomware. Acalvio’s Ransomware Protection solution provides a playbook of purpose-built deceptions that are designed to detect ransomware at any stage of the ransomware kill chain. For example, the solution deploys a special set of ransomware detection baits that enable detection of encryption actions performed by ransomware. These deceptions enable detection of known, zero-day, and unknown ransomware.

When ransomware infiltrates the network and tries to compromise an endpoint, a high-fidelity incident is immediately generated in the solution. Details of the endpoint along with evidence of the ransomware attack are displayed in the incident.

The solution carries out automated notification and response actions that have been configured by the Security team. These steps leverage prebuilt integrations with existing SOC workflows.
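To make the idea of a ransomware detection bait concrete, here is an added example of a decoy-file monitor. It is not Acalvio's code and makes no claim about how their product works; the decoy names, filler content and directory are constructed. The monitor plants files that no legitimate user or process should ever touch, records their hashes, and on each check reports the three file-level effects encryption leaves behind: an in-place overwrite with high-entropy data, a rename or deletion, and a new file dropped beside the baits. Random bytes stand in for ciphertext in the demo; nothing is encrypted.

```python
import hashlib
import math
import os
import tempfile

# Constructed decoy names, chosen to look like files worth encrypting
BAIT_NAMES = ["~$budget_2024.xlsx", "passwords_old.docx", "_archive_notes.txt"]


def shannon_entropy(data):
    """Bits per byte. Office documents and text sit well below 7; ciphertext
    and random bytes approach 8, which is what an encrypted bait looks like."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def plant_baits(directory):
    """Write the decoys and return the baseline {name: sha256}. The filler is
    deliberately low-entropy so an in-place encryption is unmistakable."""
    baseline = {}
    for name in BAIT_NAMES:
        content = (f"DECOY {name} - placeholder text, do not edit. " * 40).encode()
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
        baseline[name] = hashlib.sha256(content).hexdigest()
    return baseline


def check_baits(directory, baseline, entropy_threshold=7.0):
    """Compare the bait directory with its baseline and return a list of
    (kind, name, detail) incidents. Nothing legitimate ever touches these
    files, so any deviation is a high-fidelity signal rather than a heuristic."""
    incidents = []
    present = set(os.listdir(directory))
    for name, digest in baseline.items():
        if name not in present:
            # Rename-to-new-extension and delete-after-encrypt both land here
            incidents.append(("missing", name, "bait removed or renamed"))
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != digest:
            entropy = shannon_entropy(data)
            kind = "encrypted" if entropy >= entropy_threshold else "modified"
            incidents.append((kind, name, f"entropy={entropy:.2f} bits/byte"))
    for name in sorted(present - set(baseline)):
        # Anything new beside the baits: a renamed decoy or a dropped note
        incidents.append(("unexpected", name, "new file in bait directory"))
    return incidents


def demo():
    """Plant baits, confirm a clean check, then replay the three effects a
    monitor must catch. os.urandom stands in for ciphertext."""
    with tempfile.TemporaryDirectory() as bait_dir:
        baseline = plant_baits(bait_dir)
        clean = check_baits(bait_dir, baseline)

        with open(os.path.join(bait_dir, BAIT_NAMES[0]), "wb") as fh:
            fh.write(os.urandom(4096))
        os.rename(os.path.join(bait_dir, BAIT_NAMES[1]),
                  os.path.join(bait_dir, BAIT_NAMES[1] + ".locked"))
        with open(os.path.join(bait_dir, "README_RESTORE.txt"), "w") as fh:
            fh.write("constructed stand-in for a dropped note\n")

        return {"clean": clean, "after": check_baits(bait_dir, baseline)}


if __name__ == "__main__":
    for incident in demo()["after"]:
        print(incident)
```

Because the baits are never legitimately modified, the check needs no signature of any particular ransomware family, which is why this class of detection works for unknown variants. In a real deployment the check would run continuously (filesystem notifications rather than polling), the incident would carry the endpoint identity and the process that touched the file, and the response, such as isolating the host, would be driven from the SOC workflow rather than from this script.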

Frequently Asked Questions

1. What is ransomware and how does it work?

Ransomware is a type of malicious software that encrypts a victim’s data or locks them out of their systems until a ransom is paid. Traditionally, ransomware worked by making files inaccessible and demanding payment for the decryption key. However, modern ransomware attacks have evolved to include data exfiltration. In these cases, attackers not only encrypt files but also steal sensitive data. They then threaten to expose this data publicly or sell the data if the ransom is not paid, adding another layer of pressure on the victim.

2. What does ransomware do to an endpoint device?

Ransomware encrypts files on an endpoint device, making them inaccessible to the user. It may also lock the device’s screen, preventing access to the operating system. The ransomware then displays a ransom note, demanding payment for the decryption key to restore access to the files or system.

3. Why are ransomware attacks on the rise?

Ransomware attacks are on the rise due to the increasing profitability and relatively low risk for attackers. The widespread use of cryptocurrencies makes it easier for cybercriminals to receive payments anonymously. Additionally, the growing number of internet-connected devices and the sophistication of attack methods have made it easier for ransomware to spread.

4. How does ransomware impact businesses?

Ransomware can have devastating effects on businesses, including financial losses, operational disruption, and damage to reputation. It can lead to loss of critical data, temporary shutdown of operations, and significant costs related to incident response and recovery. The threat of data exposure can also result in legal consequences and loss of customer trust.

5. What are human-operated ransomware attacks?

Human-operated ransomware attacks involve cybercriminals manually accessing and navigating a victim’s network to deploy ransomware. These attacks are more targeted and sophisticated, as attackers often spend weeks or months mapping the network and identifying valuable assets before executing the ransomware. This approach increases the likelihood of a successful attack and maximizes the impact on the victim.