RANSOMWARE

Ransomware is malware designed to deny a user or organization access to the files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, cyberattackers place organizations in a position where paying the ransom is the easiest and cheapest way to regain access to their files. Some variants have added further functionality – such as data theft – to give ransomware victims additional incentive to pay the ransom.

Ransomware has quickly become the most prominent and visible type of malware. Recent ransomware attacks have impacted hospitals’ ability to provide crucial services, crippled public services in cities, and caused significant damage to various organizations.

Why Are Ransomware Attacks Emerging?

The modern ransomware craze began with the WannaCry outbreak of 2017. This large-scale and highly-publicized attack demonstrated that ransomware attacks were possible and potentially profitable. Since then, dozens of ransomware variants have been developed and used in a variety of attacks.

The COVID-19 pandemic also contributed to the recent surge in ransomware. As organizations rapidly pivoted to remote work, gaps were created in their cyber defenses. Cybercriminals have exploited these vulnerabilities to deliver ransomware, resulting in a surge of ransomware attacks. In Q3 2020, ransomware attacks increased by 50% compared to the first half of that year.

Popular Ransomware Variants

Dozens of ransomware variants exist, each with its own unique characteristics. However, some ransomware groups have been more prolific and successful than others, making them stand out from the crowd.

1. Ryuk

Ryuk is an example of a very targeted ransomware variant. It is commonly delivered via spear phishing emails or by using compromised user credentials to log into enterprise systems using the Remote Desktop Protocol (RDP). Once a system is infected, Ryuk encrypts certain types of files (avoiding those crucial to a computer’s operation), then presents a ransom demand.

Ryuk is well-known as one of the most expensive types of ransomware in existence. Ryuk demands ransoms that average over $1 million. As a result, the cybercriminals behind Ryuk primarily focus on enterprises that have the resources necessary to meet their demands.

2. Maze

The Maze ransomware is famous for being the first ransomware variant to combine file encryption and data theft. When targets started refusing to pay ransoms, Maze began collecting sensitive data from victims’ computers before encrypting it. If the ransom demands were not met, this data would be publicly exposed or sold to the highest bidder. The potential for an expensive data breach was used as additional incentive to pay up.

The group behind the Maze ransomware has officially ended its operations. However, this does not mean that the threat of ransomware has been reduced. Some Maze affiliates have transitioned to using the Egregor ransomware, and the Egregor, Maze, and Sekhmet variants are believed to have a common source.

3. REvil (Sodinokibi)

REvil (also known as Sodinokibi) is another ransomware variant that targets large organizations.

REvil is one of the most well-known ransomware families on the net. The ransomware, which has been operated by the Russian-speaking REvil group since 2019, has been responsible for many big breaches such as ‘Kaseya’ and ‘JBS’.

It has competed with Ryuk over the last several years for the title of the most expensive ransomware variant. REvil is known to have demanded $800,000 ransom payments.

While REvil began as a traditional ransomware variant, it has evolved over time.

The group now uses the double extortion technique: stealing data from businesses while also encrypting their files. This means that, in addition to demanding a ransom to decrypt data, the attackers might threaten to release the stolen data if a second payment is not made.

4. Lockbit

LockBit is data-encrypting malware in operation since September 2019 and a more recent Ransomware-as-a-Service (RaaS) offering. This ransomware was developed to encrypt large organizations’ systems rapidly, leaving security appliances and IT/SOC teams little time to detect it.

5. DearCry

In March 2021, Microsoft released patches for four vulnerabilities in Microsoft Exchange servers. DearCry is a new ransomware variant designed to take advantage of these four recently disclosed Microsoft Exchange vulnerabilities.

The DearCry ransomware encrypts certain types of files. Once the encryption is finished, DearCry will show a ransom message instructing users to send an email to the ransomware operators in order to learn how to decrypt their files.

6. Lapsus$

Lapsus$ is a South American ransomware gang that has been linked to cyberattacks on some high-profile targets. The gang is known for extortion, threatening to release sensitive information if its demands are not met by its victims. The group has boasted of breaking into Nvidia, Samsung, Ubisoft and others. The group uses stolen source code to disguise malware files as trustworthy.

How Ransomware Works

In order to be successful, ransomware needs to gain access to a target system, encrypt the files there, and demand a ransom from the victim.

While the implementation details vary from one ransomware variant to another, all share the same three core stages:

  • Step 1. Infection and Distribution Vectors

Ransomware, like any malware, can gain access to an organization’s systems in a number of different ways. However, ransomware operators tend to prefer a few specific infection vectors.

One of these is phishing emails. A malicious email may contain a link to a website hosting a malicious download or an attachment that has downloader functionality built in. If the email recipient falls for the phish, then the ransomware is downloaded and executed on their computer.

Another popular ransomware infection vector takes advantage of services such as the Remote Desktop Protocol (RDP). With RDP, an attacker who has stolen or guessed an employee’s login credentials can use them to authenticate to and remotely access a computer within the enterprise network. With this access, the attacker can directly download the malware and execute it on the machine under their control.

Others may attempt to infect systems directly, like how WannaCry exploited the EternalBlue vulnerability. Most ransomware variants have multiple infection vectors.

  • Step 2. Data Encryption

After ransomware has gained access to a system, it can begin encrypting its files. Since encryption functionality is built into an operating system, this simply involves accessing files, encrypting them with an attacker-controlled key, and replacing the originals with the encrypted versions. Most ransomware variants are cautious in their selection of files to encrypt to ensure system stability. Some variants will also take steps to delete backup and shadow copies of files to make recovery without the decryption key more difficult.
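The backup and shadow-copy tampering described above is one of the more reliable early warning signs of an encryption stage in progress. As an added example (not part of the original article), the following Python detection logic runs a small set of rules over constructed process-creation events; the event field names, the sample hosts and the file paths are assumptions made for this illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
# Hosts, users, paths and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "alice", "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws02", "user": "bob", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv01", "user": "backupsvc", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},  # benign: listing, not deleting
    {"host": "ws03", "user": "carol", "parent": r"C:\Users\carol\Downloads\invoice.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
]

# Each rule is a name plus a case-insensitive pattern over the command line.
RULES = [
    ("vssadmin-delete-shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin-delete-catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit-disable-recovery", re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# A parent process launched from a user-writable location is a stronger signal than one from System32.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)

def evaluate(events):
    """Return one alert per (event, matching rule); severity is raised when the parent is user-writable."""
    alerts = []
    for e in events:
        for name, pattern in RULES:
            if pattern.search(e["cmdline"]):
                severity = "high" if USER_WRITABLE.search(e["parent"]) else "medium"
                alerts.append({"rule": name, "host": e["host"], "user": e["user"],
                               "severity": severity, "cmdline": e["cmdline"]})
    return alerts

def hosts_by_alert_count(alerts):
    """Rank hosts by distinct tampering techniques seen; several on one host suggests active ransomware."""
    distinct = {}
    for a in alerts:
        distinct.setdefault(a["host"], set()).add(a["rule"])
    return sorted(((h, len(r)) for h, r in distinct.items()), key=lambda x: -x[1])

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f'[{a["severity"]}] {a["host"]} {a["user"]} {a["rule"]}: {a["cmdline"]}')
    print(hosts_by_alert_count(found))
```

The benign `vssadmin list shadows` on srv01 produces no alert, while ws01 stands out because two distinct techniques ran from the same user-writable parent.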

  • Step 3. Ransom Demand

Once file encryption is complete, the ransomware is prepared to make a ransom demand. Different ransomware variants implement this in numerous ways, but it is not uncommon to have a display background changed to a ransom note or text files placed in each encrypted directory containing the ransom note. Typically, these notes demand a set amount of cryptocurrency in exchange for access to the victim’s files. If the ransom is paid, the ransomware operator will either provide a copy of the private key used to protect the symmetric encryption key or a copy of the symmetric encryption key itself. This information can be entered into a decryptor program (also provided by the cybercriminal) that can use it to reverse the encryption and restore access to the user’s files.

While these three core steps exist in all ransomware variants, different ransomware can include different implementations or additional steps. For example, ransomware variants like Maze perform file scanning, registry information gathering, and data theft before data encryption, and the WannaCry ransomware scans for other vulnerable devices to infect and encrypt.
