Ransomware is a growing threat to organizations around the world as cybercriminals use it in targeted and damaging attacks. It is a type of malicious software that prevents victims from accessing their documents, pictures, databases and other files by encrypting them and then demanding a ransom to decrypt them. A deadline is usually set for the payment; if it passes, the ransom demand may increase or access to the files may be lost for good.
Ransomware is an ever-increasing threat worldwide, by some estimates claiming a new victim every 10 seconds. Here, we unpack the ransomware threat: what ransomware is, how it works, how its use has changed in recent years, how to prepare for and prevent an attack, and what to do if you are faced with a ransomware infection.
An understanding of what ransomware is and how it works is essential to preparing a defense against it. Ransomware is malware that encrypts a victim's files and then demands a ransom to restore access to them. To succeed, ransomware needs to gain access to a target system, encrypt the files there, and deliver a ransom demand to the victim.
Ransomware, like any malware, can gain access to an organization’s systems in a number of different ways. However, ransomware operators tend to prefer a few specific infection vectors. One of these is phishing emails. A malicious email may contain a link to a website hosting a malicious download or an attachment that has downloader functionality built in. If the email recipient falls for the phish, then the ransomware is downloaded and executed on their computer.
Another popular ransomware infection vector takes advantage of remote-access services such as the Remote Desktop Protocol (RDP), particularly where they are exposed to the internet. With RDP, an attacker who has stolen or guessed an employee's login credentials can use them to authenticate to and remotely access a computer inside the enterprise network. With this access, the attacker can download the malware directly and execute it on the machine under their control.
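The credential-guessing path described above leaves a recognizable trace in the Windows Security log: a burst of failed logons (event 4625) from one source, followed by a successful RemoteInteractive logon (event 4624, logon type 10) from the same source. The following Go program is an added example, not code from the original article or from any Check Point product. It runs that correlation over a small constructed set of events. The event IDs and logon type are real Windows values; the timestamps, user names, IP addresses and the threshold of five failures within ten minutes are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// LogonEvent is a minimal model of a Windows Security log entry. Event ID 4625
// is a failed logon, 4624 a successful one; LogonType 10 (RemoteInteractive)
// is the type an RDP session produces.
type LogonEvent struct {
	Time      time.Time
	EventID   int
	LogonType int
	User      string
	SourceIP  string
}

// Alert describes one source that failed repeatedly and then got in over RDP.
type Alert struct {
	SourceIP string
	User     string
	Failures int
}

// detectRDPGuessing raises an Alert when a successful RDP logon (4624, type 10)
// from a source is preceded, within window, by at least threshold failed
// logons from that same source: the shape of a guessed or sprayed password.
func detectRDPGuessing(events []LogonEvent, threshold int, window time.Duration) []Alert {
	sorted := append([]LogonEvent(nil), events...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Time.Before(sorted[j].Time) })
	failures := map[string][]time.Time{}
	var alerts []Alert
	for _, e := range sorted {
		switch {
		case e.EventID == 4625:
			failures[e.SourceIP] = append(failures[e.SourceIP], e.Time)
		case e.EventID == 4624 && e.LogonType == 10:
			recent := 0
			for _, t := range failures[e.SourceIP] {
				if e.Time.Sub(t) <= window {
					recent++
				}
			}
			if recent >= threshold {
				alerts = append(alerts, Alert{SourceIP: e.SourceIP, User: e.User, Failures: recent})
			}
		}
	}
	return alerts
}

// sampleEvents is constructed data, not a real log: one source sprays the
// administrator account and then lands an RDP session as jsmith; another
// source is a user who mistyped a password once before logging on normally.
func sampleEvents() []LogonEvent {
	base := time.Date(2020, 4, 17, 2, 10, 0, 0, time.UTC)
	var ev []LogonEvent
	for i := 0; i < 12; i++ {
		ev = append(ev, LogonEvent{base.Add(time.Duration(i) * 10 * time.Second), 4625, 10, "administrator", "203.0.113.7"})
	}
	ev = append(ev,
		LogonEvent{base.Add(3 * time.Minute), 4624, 10, "jsmith", "203.0.113.7"},
		LogonEvent{base.Add(5 * time.Minute), 4625, 10, "mlee", "10.0.0.5"},
		LogonEvent{base.Add(6 * time.Minute), 4624, 10, "mlee", "10.0.0.5"},
	)
	return ev
}

func main() {
	for _, a := range detectRDPGuessing(sampleEvents(), 5, 10*time.Minute) {
		fmt.Printf("ALERT: %s logged on as %s over RDP after %d failed attempts\n", a.SourceIP, a.User, a.Failures)
	}
}
```

On the sample data only 203.0.113.7 is flagged (twelve failures, then a type-10 logon), while the single typo from 10.0.0.5 stays below the threshold. Stolen credentials that are used correctly on the first try produce no 4625 burst at all, which is why this check complements, rather than replaces, MFA on RDP and keeping RDP off the public internet.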
The encryption of a user's files is what sets ransomware apart from other malware. By encrypting sensitive and valuable data, the ransomware operator can demand a ransom in exchange for the decryption key with a reasonable expectation that the victim will pay.
Ransomware typically makes use of two types of encryption: symmetric and asymmetric. Symmetric encryption uses the same key for encryption and decryption, while asymmetric cryptography uses a public key for encryption and a separate private key for decryption. Symmetric ciphers are fast enough to encrypt large volumes of data, whereas asymmetric encryption is slow but lets the operator keep the only key that can reverse the process off the victim's machine; ransomware combines the two.
Ransomware variants carry a list describing the types of files they should encrypt, whether by file extension, by directory, or both. For each of these files, the ransomware encrypts the contents with a symmetric key and stores a copy of that symmetric key encrypted with the operator's public key. The corresponding private key, which is needed to recover the symmetric key and therefore the files, is known only to the ransomware operator.
Once file encryption is complete, the ransomware is ready to make its demand. Different variants implement this in numerous ways, but it is common for the desktop background to be replaced with a ransom note or for text files containing the note to be dropped in each encrypted directory. Typically, these notes demand a set amount of cryptocurrency in exchange for access to the victim's files. If the ransom is paid, the operator provides either the private key that protects the symmetric keys or the symmetric keys themselves. This information is entered into a decryptor program, also supplied by the cybercriminal, that reverses the encryption and restores access to the files. Even then there is no guarantee: decryptors supplied by attackers are often slow, buggy, or incomplete.
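The hybrid scheme described above (a fresh symmetric key per file, wrapped with the operator's public key so that only the operator's private key can unwrap it) is easiest to understand in code. The following Go program is an added example, not code from the article or from any real ransomware family. It models target selection by extension and directory, encrypts one constructed document with AES-GCM, wraps the per-file key with RSA-OAEP, and then shows that the operator's private key recovers the file while an unrelated private key does not. The extension list, the skipped directory prefix and the sample document are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed target list: extensions to encrypt and a prefix to skip so the
// host still boots far enough to show a note. Real families carry longer lists.
var targetExtensions = map[string]bool{".docx": true, ".xlsx": true, ".jpg": true, ".db": true}
var skipPrefix = `c:\windows\`

func isTarget(path string) bool {
	lower := strings.ToLower(path)
	return !strings.HasPrefix(lower, skipPrefix) && targetExtensions[filepath.Ext(lower)]
}

// EncryptedFile is what remains on disk for one file: AES-GCM ciphertext, its
// nonce, and the per-file AES key wrapped with the operator's RSA public key.
type EncryptedFile struct {
	WrappedKey, Nonce, Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile is the hybrid scheme: fresh 256-bit AES key per file, AES-GCM for
// the contents, RSA-OAEP to wrap the key. The plaintext AES key is never stored.
func encryptFile(operatorPub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, operatorPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// decryptFile is what the operator's decryptor does: unwrap the file key with
// the private key, then open the ciphertext. Without that key the unwrap fails.
func decryptFile(operatorPriv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, operatorPriv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// roundTrip encrypts one constructed document, recovers it with the right
// private key, and checks that an unrelated private key cannot.
func roundTrip() (recovered string, wrongKeyRejected bool, err error) {
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	ef, err := encryptFile(&operatorKey.PublicKey, []byte("Q3 figures: revenue 4.2M"))
	if err != nil {
		return "", false, err
	}
	pt, err := decryptFile(operatorKey, ef)
	if err != nil {
		return "", false, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	_, wrongErr := decryptFile(otherKey, ef)
	return string(pt), wrongErr != nil, nil
}

func main() {
	rec, rejected, err := roundTrip()
	fmt.Printf("recovered=%q wrongKeyRejected=%v err=%v\n", rec, rejected, err)
	fmt.Println(isTarget(`C:\Users\alice\report.docx`), isTarget(`C:\Windows\System32\kernel32.dll`))
}
```

The point of the design, from the attacker's side, is that the only key material left on the victim's disk is the RSA-wrapped copy of each file key; the AES key lives briefly in memory and the RSA private key never touches the machine at all. That is why a victim without backups has no cryptographic way back in, and why free decryptors only appear when a family gets this wrong (a reused or hard-coded key, a weak random generator, or a key left on disk), which is exactly the mistake the 1989 AIDS Trojan discussed later made.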
Now that we understand what ransomware is, let's look at why it gets so much attention. First and foremost, ransomware is one of the biggest and most well-known cyber threats in existence. In 2019, the global cost of ransomware attacks was estimated at $11.5 billion, and that figure was expected to nearly double to $20 billion by 2021. Ransomware affects a wide range of systems, including mobile devices such as smartphones and tablets: in 2019 alone, over 68,000 new trojans that installed ransomware on mobile devices were detected. A successful ransomware attack can cause significant cost, damage and downtime for an organization, since every impacted system must be cleaned and restored. While all industries are targeted, cybercriminals tend to focus on critical services such as hospitals, cities and schools. For more information, see recent ransomware attacks.
The first known ransomware attack dates to 1989. The malware, called the AIDS Trojan (also known as PC Cyborg), was low-tech by today's standards and was distributed on some 20,000 floppy disks mailed to AIDS researchers. It hid the directories on the drive and encrypted file names, then displayed a message telling the user that their license for a particular piece of software had expired and that they should pay $189 USD for a repair tool. Because the Trojan used simple symmetric encryption, the key could be recovered directly from its own code, so paying the extortionist was never necessary.
Most ransomware variants follow the same steps to move from initial infection to ransom note. However, over the last few years, the ways in which cybercriminals use ransomware have changed dramatically.
The earliest ransomware attacks took a “quantity over quality” approach to selecting targets. These attacks were designed to infect as many computers as possible with ransomware and ask for a relatively small ransom in exchange for the decryption key.
WannaCry is a prime example of this approach. WannaCry is a ransomware worm: ransomware that exploits a software vulnerability to spread itself from machine to machine rather than relying on phishing emails or weak credentials.
WannaCry used the EternalBlue exploit, developed by the NSA and leaked by the Shadow Brokers, against a flaw in Windows SMBv1 (patched by Microsoft in MS17-010 two months before the outbreak) to infect over 200,000 computers in about four days. With a ransom demand of $300 to $600 per machine, the attack could be expected to net the cybercriminals a significant sum even if only a fraction of victims paid. Learn more about the WannaCry ransomware attack.
Over time, ransomware attacks have largely shifted away from large-scale, random attacks. One of the issues with this strategy is that the average person lacks the know-how to pay a ransom in cryptocurrency. As a result, cybercriminals either never got paid or spent a significant amount of time walking people through the process.
Now, most ransomware attacks are much more targeted. The use of spear phishing emails and RDP as delivery methods has grown, making attacks more likely to succeed. These more targeted attacks also have higher ransom demands since the cybercriminals are focused on organizations that cannot afford to lose their data and have the resources necessary to pay the ransom, such as the aforementioned hospitals, schools, cities, and large enterprises.
Ryuk is one of the best-known ransomware variants carrying out this newer, more targeted style of attack. Ryuk infections are tailored to a particular organization and require victims to contact the attackers by email to negotiate the payment. This more personal approach comes with a higher price tag as well, with Ryuk repeatedly setting records for the highest ransom demands at the time.
The most recent stage in the evolution of ransomware is designed to deal with the problem that ransomware victims are commonly choosing not to pay the demanded ransom. Many organizations have chosen to try to recover on their own, at much greater expense, rather than allow cybercriminals to profit from their attacks.
Ransomware operators, such as those behind the Maze and REvil variants, have responded to this trend by bundling data-stealing functionality with their ransomware. Before encrypting data on a target computer, the malware exfiltrates some of it to use as leverage against the victim. If the target refuses to pay, this data may be published or sold to the highest bidder, which can mean loss of competitive advantage or penalties under the General Data Protection Regulation (GDPR) and similar privacy laws, giving victims an additional incentive to pay.
In April 2020, Cognizant, one of the largest tech and consulting companies in the Fortune 500, confirmed it had been hit by a Maze ransomware attack.
Maze is not typical data-encrypting ransomware. It not only spreads across a network, infecting and encrypting every computer in its path; it also exfiltrates data to the attackers' servers, where it is held for ransom. If the ransom isn't paid, the attackers publish the files online. At the time of writing, however, the website known to be associated with the Maze attackers had not advertised or published any data associated with Cognizant.
The FBI privately warned businesses in December 2019 of an increase in Maze-related ransomware incidents.
Since the warning, several major companies have been hit by Maze, including cyber insurer Chubb, accounting giant MNP, a law firm and an oil company.
Proper preparation can dramatically decrease the cost and impact of a ransomware attack. Taking the following steps can reduce an organization’s exposure to ransomware and minimize its impacts:
A ransom message is not something anyone wants to see on their screen, since it means a ransomware infection has already succeeded. At this point, some steps can still be taken to respond to the active infection, and the organization must decide whether or not to pay the ransom.
Many successful ransomware attacks are only detected after encryption is complete and a ransom note has been displayed on the infected computer's screen. At this point, the encrypted files are likely unrecoverable without the key or a backup, but some steps should be taken immediately:
By design, ransomware puts victims in a position where they must choose between paying a ransom and losing access to their data forever. In many cases, the ransom is less than the cost of recovering without paying.
However, cybersecurity best practices say not to pay the ransom. This is for a number of reasons:
Check Point's Anti-Ransomware technology uses a purpose-built engine that defends against the most sophisticated, evasive zero-day variants of ransomware and safely recovers encrypted data, ensuring business continuity and productivity. The effectiveness of this technology is verified every day by our research team and consistently demonstrates excellent results in identifying and mitigating attacks.
SandBlast Agent, Check Point's endpoint prevention and response product, includes this Anti-Ransomware technology and protects web browsers and endpoints, leveraging Check Point's network protections. SandBlast Agent delivers real-time threat prevention and remediation across all malware threat vectors, enabling employees to work safely wherever they are without compromising productivity.