Targeted Ransomware
Kaspersky/wikipedia/nordlocker/heimdal

The History and Evolution of Ransomware

Early Years

Cases of ransomware infection were first seen in Russia between 2005 and 2006. Trend Micro published a report on a case in 2006 that involved a ransomware variant (detected as TROJ_CRYZIP.A) that zipped certain file types before overwriting the original files, leaving only the password-protected zip files on the user’s system. It also created a text file that acted as the ransom note, informing users that the files could be retrieved in exchange for US$300.

In its earlier years, ransomware typically encrypted particular file types such as .doc, .xls, .jpg, .zip, .pdf, and other commonly used file extensions.

In 2011, Trend Micro published a report on an SMS ransomware threat that asked users of infected systems to dial a premium SMS number. Detected as TROJ_RANSOM.QOWA, this variant repeatedly displayed a ransomware page to users until they paid the ransom by dialing a certain premium number.

Another notable report involved a ransomware type that infects the Master Boot Record (MBR) of a vulnerable system, preventing the operating system from loading. To do this, the malware copies the original MBR and overwrites it with malicious code. It then forces the system to restart so that the infection takes effect and displays the notification (in Russian) once the system restarts.

How Does Ransomware Spread?

Users might encounter this threat through a variety of means. Ransomware can be downloaded onto systems when unwitting users visit malicious or compromised websites. It can also arrive as a payload that is either dropped or downloaded by other malware. Some ransomware is delivered as an attachment to spammed email, downloaded from malicious pages through malvertisements, or dropped by exploit kits onto vulnerable systems.

Once executed in the system, ransomware can either lock the computer screen or, in the case of cryptoransomware, encrypt predetermined files. In the first scenario, a full-screen image or notification is displayed on an infected system's screen, which prevents a victim from using their system. This notification also details instructions on how a user can pay the ransom. In the second scenario, ransomware prevents access to potentially critical or valuable files like documents and spreadsheets.

Ransomware is considered "scareware" as it forces users to pay a fee (or ransom) by scaring or intimidating them. In this sense, it is similar to FakeAV malware, but instead of capturing the infected system or encrypting files, FakeAV shows fake antimalware scanning results to coax users into purchasing bogus antimalware software.

Ransomware infections were initially limited to Russia, but due to ransomware’s popularity and profitable business model, it soon found its way to other countries across Europe. By March 2012, Trend Micro observed a continuous spread of ransomware infections across Europe and North America. Similar to TROJ_RANSOM.BOV, this new wave of ransomware displayed a notification page (supposedly from the victim’s local police agency) instead of the typical ransom note (discussed more thoroughly in the section titled “The Rise of Reveton and Police Ransomware”).

During this period, different tactics were used to spread ransomware. A case in 2012 involved the website of a popular French confectionery that was compromised to serve TROJ_RANSOM.BOV. This watering hole tactic resulted in widespread infections in both France and Japan, where the shop also had a significant fan base. It is also worth noting that instead of the usual ransom note, TROJ_RANSOM.BOV displayed a fake notice from the French police agency, the Gendarmerie Nationale.

The Rise of Reveton and Police Ransomware

Reveton is a ransomware type that impersonates law enforcement agencies. Known as “police ransomware” or “police trojans,” these malware variants are notable for showing a notification page purportedly from the victim’s local law enforcement agency. This page informs victims that they have been caught engaging in illegal or malicious activity online.

To determine which local law enforcement agency applies to a given user, Reveton variants track the geographical location of their victims. Thus, affected users living in the US receive a notification from the FBI, while those located in France are shown a notice from the Gendarmerie Nationale.

Reveton variants also employ a different payment method compared to early ransomware attacks. Once a system is infected with a Reveton variant, users are prompted to pay through Ukash, PaySafeCard, or MoneyPak. These payment methods afford ransomware perpetrators anonymity, as both Ukash and PaySafeCard leave only a faint money trail.

In 2012, different types of Reveton variants were seen exhibiting new techniques. In the latter part of the same year, Trend Micro reported on variants that played an audio recording in the victim’s native language, as well as another variant that used a fake digital certificate.

The Evolution to CryptoLocker and Cryptoransomware

In late 2013, a new type of ransomware emerged that encrypted files in addition to locking the system. Because the files stayed encrypted, victims were still forced to pay the ransom even if the malware itself was deleted. Due to this new behavior, it was dubbed “CryptoLocker.” Like previous ransomware types, cryptoransomware demands payment from affected users, this time in exchange for a decryption key to unlock the encrypted files. Although the ransom note in CryptoLocker only specifies “RSA-2048” as the encryption method used, analysis shows that the malware uses AES + RSA encryption.

RSA is asymmetric key cryptography, which means it uses two keys: one key is used to encrypt the data and another is used to decrypt it (one key, called the public key, is made available to any outside party; the other is kept by the user and is called the private key). AES uses symmetric keys, which means that it uses the same key to encrypt and decrypt information.

The malware uses an AES key to encrypt files. The AES key needed for decryption is written into the files encrypted by the malware. However, this key is itself encrypted with an RSA public key embedded in the malware, which means that the corresponding private key is needed to decrypt it.

Further research revealed that a spam campaign was behind the CryptoLocker infections. The spammed messages contained malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its small file size and simple downloading function: it downloads a ZBOT variant, which then downloads the CryptoLocker malware.

Near the end of 2013, a new variant of CryptoLocker emerged, this time with propagation routines. This variant, detected as WORM_CRILOCK.A, can spread via removable drives, a routine unheard of in other CRILOCK variants, which means it can spread more easily than other variants. Additionally, it does not rely on downloader malware like CRILOCK to infect systems; rather, it pretends to be an activator for software used on peer-to-peer (P2P) file-sharing sites. Technical differences have led some researchers to believe that this malware was produced by a copycat.

Afterward, another file-encrypting ransomware type soon came into the picture. The cryptoransomware known as CryptoDefense or CryptorBit (detected as TROJ_CRYPTRBIT.H) encrypts database, web, office, video, image, script, text, and other non-binary files. It also deletes backup files to prevent the restoration of encrypted files and demands payment for a decryption key for the locked files.

Files to Encrypt

Earlier cryptoransomware types targeted .doc, .xls, .jpg, .zip, .pdf, and other commonly used files to encrypt them. Cybercriminals have since included a number of other file types that are critical to businesses, like database files, website files, SQL files, tax-related files, CAD files, and virtual desktop files.

The Foray into Cryptocurrency Theft

Ransomware soon began to incorporate yet another element: cryptocurrency (such as bitcoin) theft. In 2014, Trend Micro saw two variants of a new malware called BitCrypt. The first variant, TROJ_CRIBIT.A, appends “.bitcrypt” to any encrypted files and displays a ransom note in English. The second variant, TROJ_CRIBIT.B, appends “.bitcrypt 2” to the file name and uses a multilingual ransom note in 10 languages. CRIBIT variants use the encryption algorithms RSA(426)-AES and RSA(1024)-AES to encrypt the files and specify that the payment for unlocking files be made in bitcoins.

It was also discovered that a variant of the Fareit information-stealing malware, TSPY_FAREIT.BB, downloads TROJ_CRIBIT.B. This Fareit variant can steal information from various cryptocurrency wallets, including wallet.dat (Bitcoin), electrum.dat (Electrum), and .wallet (MultiBit). These files contain important information such as transaction records, user preferences, and accounts.

The Bitcoin Connection

With the exception of some ransomware families that demand high amounts, ransomware variants typically ask for 0.5 to 5 bitcoins (as of 2016) in exchange for a decryption key. This is important to note for two reasons: first, some variants increase the ransom the longer it remains unpaid; second, the Bitcoin exchange rate is on the rise. In January 2016, one bitcoin was worth US$431. Bitcoin's value has risen dramatically since then, topping out at US$20,217.10 as of July 5, 2022, 4:15 AM UTC.

Ransomware as a Service

When the ransomware as a service (RaaS) model entered the picture, it made it easier for a variety of attackers, even those who have little technical knowledge, to wield ransomware against targets. RaaS involves selling or renting ransomware to buyers who are called affiliates, and this model can be credited as one of the primary reasons why ransomware attacks have been proliferating rapidly.

The RaaS-operating criminal group first needs to develop or acquire the ransomware software and infrastructure. They then proceed to recruit affiliates through online forums, Telegram channels, or personal connections, with some operators investing as much as US$1 million in recruitment efforts. Once enlisted, affiliates can then launch their own attacks. RaaS provides a win-win situation and a high payout for both operators and affiliates. Affiliates can earn payouts without having to develop the ransomware themselves, while operators can directly make a profit from their affiliates. The payouts are normally organized using a revenue model for RaaS subscriptions. The possible revenue models besides subscription are one-time payments, profit sharing, and affiliate marketing.

What Is Modern Ransomware?

After the shift to cryptoransomware, extortion malware has continued to evolve, adding features such as countdown timers, ransom amounts that increase over time, and infection routines that enable them to spread across networks and servers. Threat actors continue experimenting with new features, such as offering alternative payment platforms to make ransom payments easier, routines that threaten to cause potentially crippling damage to non-paying victims, or new distribution methods, all of which are part of what makes a modern ransomware attack.

Targeted Ransomware and Double Extortion

These developments eventually led to the appearance of targeted ransomware, also known as big-game hunting or human-operated attacks. By taking a targeted approach, threat actors have found a new way of revitalizing ransomware variants. As with targeted attacks, modern ransomware variants are tailored for specific victims and take more preparation and research. This means that threat actors have had to narrow down their targets to entities that are more likely to lead to bigger payoffs if attacked.

Present iterations of targeted ransomware have the added challenge of double extortion. Through their targeted approach, threat actors come to know which data is most valuable to their targets. By adding double extortion to their attacks, they coerce their victims into complying with their demands: victims are pressured not only by encrypted files but also by the threat that stolen sensitive data will be published if the demands are not met.

The following are some of the most notable modern ransomware groups in 2022:

Conti is reportedly the successor of Ryuk. Known as one of the most notorious ransomware groups in history, Conti had the highest victim count among its counterparts from November 2019 to March 2022, amassing 805 victim organizations. Following a Ukrainian researcher’s leak of some of the ransomware group’s files on March 2, 2022, Conti started shutting down its operations. In June 2022, the ransomware operation reportedly shut down its last public-facing infrastructure.

LockBit, whose version 2.0 surfaced in July 2021, is capable of automatically encrypting devices across Windows domains by abusing Active Directory (AD) group policies, prompting the operators behind it to claim that it’s one of the fastest ransomware variants on the market today. In Q1 2022, LockBit had the highest number of victim organizations among double extortion ransomware groups, claiming 220 successfully breached organizations. The ransomware group released LockBit 3.0 in June 2022. One of the significant things about the release of LockBit 3.0 is the announcement of a bug bounty program.

BlackCat has successfully compromised at least 60 organizations around the world as of March 2022. BlackCat is notable for being the first professional ransomware family to be written in Rust, which is considered a more secure programming language that is capable of concurrent processing. As a cross-platform language, Rust also makes it easier for threat actors to tailor malware to different operating systems like Windows and Linux.

Black Basta has garnered notoriety for its attacks on 50 organizations around the world and its use of double extortion since it became operational in April 2022. The ransomware group continues to improve its tactics and techniques: in June 2022, the group was found using the banking trojan QakBot as a means of entry and movement, and taking advantage of the PrintNightmare vulnerability (CVE-2021-34527) to perform privileged file operations.

AvosLocker emerged in July 2021. It started to make a name for itself in early 2022, seemingly filling the void left by REvil. The US Federal Bureau of Investigation (FBI) released an advisory on AvosLocker because it has been observed targeting critical infrastructure in different sectors of the US. In May 2022, AvosLocker operators were found abusing a driver file to disable antivirus solutions and scanning for Log4Shell, the Apache Log4j remote code execution (RCE) vulnerability (CVE-2021-44228).

Clop got on the double extortion bandwagon in 2020, when its operators publicized the data of a pharmaceutical company. Since then, the ransomware’s extortion strategies have become progressively more devastating, such as going after top executives and customers.

Though ransomware routines are not altogether new, they still work and so are still used by operators. Case in point: the ransomware variant WannaCry (aka WCry), which originally spread via malicious Dropbox URLs embedded in spam, took an unexpected turn in May 2017, when it began exploiting a recently patched vulnerability in the Server Message Block (SMB) protocol. In turn, this led to the biggest ransomware attack to date, and in 2020 WannaCry remained one of the most detected ransomware families across the globe.

Even before WannaCry reared its ugly head, companies and individuals worldwide had already been suffering the dire consequences of such threats. We document all of this in our report titled “Ransomware: Past, Present, and Future.”

The Future of Ransomware

It would not be surprising were ransomware to change significantly within a few years. In terms of potential, it could evolve into malware that disables entire infrastructures until a ransom is paid. It is worth emphasizing that these infrastructures could be critical not only to a business’s operation, but also to that of a city or even a nation. Cybercriminals might also soon further develop attacks on industrial control systems (ICSs) and other critical infrastructures to paralyze not just networks but also ecosystems. At present, ransomware campaigns are already taking on high-profile and critical targets in the healthcare, transportation, and government sectors.

Organizations need to be prepared for the possibility of more threat actors or groups shifting to ransomware and joining the bandwagon. The theme of double extortion seems to indicate how ransomware operators will continue to find new ways of raising the stakes for their victims and cornering them into meeting their demands instead of just walking away. Legitimate tools or living-off-the-land components will likely continue to be part of attacks in the future, with threat actors choosing key components based on the profile of their targets.

With enough preparation and by using the techniques of targeted attacks, cybercriminals might aim for even bigger targets, like the industrial robots that are widely used in the manufacturing sector, or the infrastructures that connect and run today’s smart cities. Online extortion is bound to develop from taking computers and servers hostage to eventually doing the same to any type of insufficiently protected connected device, including smart devices and critical infrastructures. The return on investment (ROI) and opportunities for development that the targeted approach has opened will ensure that it continues in the future.

Ransomware Solutions

Although there is no silver bullet with regard to stopping ransomware, a multilayered approach that prevents it from reaching networks and systems is the best way to minimize the risk.

For enterprises, email and web gateway solutions such as Trend Micro Deep Discovery Email Inspector and Trend Micro InterScan Web Security prevent ransomware from reaching end users. At the endpoint level, Trend Micro Smart Protection Suites features behavior monitoring and application control, as well as vulnerability shielding to minimize the risk of getting infected by ransomware threats. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security stops ransomware from reaching enterprise servers — whether physical, virtual, or in the cloud.

Organizations can also consider Trend Micro Cloud One – Workload Security, which has a virtual patching feature that can protect the system from exploits. Since some of the malware’s techniques can bypass signature-based security agents, technologies like Trend Micro Behavior Monitoring and Machine Learning (ML) can be used to prevent and block those threats.

Enterprises can also take advantage of Trend Micro XDR, which collects and correlates data across endpoints, emails, cloud workloads, and networks, providing better context and enabling investigation in one place. This, in turn, allows teams to respond to similar threats faster and detect advanced and targeted threats earlier.

For small and medium-sized businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Trend Micro Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and a real-time web reputation service that detects and blocks ransomware.

For home users, Trend Micro Security 10 provides robust protection from ransomware by blocking malicious websites, emails, and files associated with this threat.

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files until a ransom is paid. More modern ransomware families, collectively categorized as cryptoransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.

What Is Targeted Ransomware?

Targeted ransomware is an advanced type of malware that can affect organizations of all shapes and sizes. Sadly, the ideal target for hacking is a company without many security measures; a good defense against cybercrime is cybersecurity. In their quest for larger payments, skilled criminals have moved to targeted ransomware techniques. These attackers use specialized strategies, approaches, and processes to target very particular companies depending on their capacity (or need) to pay significant ransoms. This is frequently referred to as “big game hunting.”

These attackers are extremely innovative, frequently going to considerable effort to learn a victim’s technology stack in order to locate and exploit weaknesses, as well as to pick the most valuable data to encrypt and hold for ransom. They are also exceedingly patient, escalating privileges to bypass security measures and avoiding detection for months, if not years, before installing malware.

The Hades ransomware attacks are a recent example of this long-tail, targeted technique. According to ZDNet, ransomware operators are targeting huge multinational corporations with yearly sales of over $1 billion and have successfully targeted at least three enterprises in the transportation, retail, and industrial sectors. Since ransomware initially made headlines in the security world, the scene has fundamentally shifted.

Over the past few years, more sophisticated ransomware attackers have shifted to targeted ransomware approaches to find organizations willing to pay larger ransoms. These attackers go after particular organizations based on their ability (or need) to pay hefty ransoms, using customized tactics and techniques designed for them.

These attackers are creative, going to great lengths to learn about their victims and exploit vulnerabilities in their systems. They identify the most valuable data on the victim’s systems and encrypt it, holding it for ransom until they are paid. These attackers are also very patient and take months or more before deploying ransomware payloads.

Attackers who do this know full well that they will be compensated for putting in the extra work: they demanded $15 million or more in ransom from 2015 to 2019, with that number increasing to as high as $30 million in 2020.

Recent examples of this long-tail, targeted approach have appeared in ZDNet’s coverage of the Hades ransomware attacks. Hades ransomware operators have successfully breached three multinational for-profit organizations with annual revenues of over $1 billion. Among them are a transportation company, a retail company, and a manufacturer.

Based on the analysis of the latest Hades ransomware attacks by Accenture’s researchers, threat actors followed a familiar attack path. First, they stole valid credentials from a corporate identity to access company data via Remote Desktop Protocol (RDP) or Virtual Private Network (VPN).

Once inside, they escalated their privileges and moved laterally to establish persistence on the network. Once they had data, they exfiltrated it and deployed the Hades ransomware to encrypt files. Finally, they demanded hefty ransoms as part of a one-two, double extortion punch.

The researchers noted, “We observed significant effort by the threat group to disable or bypass endpoint defenses, including Endpoint Detection and Response (EDR) tooling.”

There are some very troubling things about targeted ransomware attacks. One of these is that just because an organization has been targeted once doesn’t mean it won’t happen again.

To maintain persistence on target networks, attackers often construct backdoors that allow them to reenter at will. As a result, most companies can’t afford to withstand the business impact of one ransomware attack, never mind two.

Why Targeted Ransomware Is So Dangerous?

Cybercriminals use targeted ransomware attacks because they know that the organization contains vulnerabilities. If this attack hits a company, it’s highly likely to succeed. Cybersecurity experts state that cybercriminals usually attack companies with an insecure RDP connection.

Through this connection, the attackers escalate their privileges until they eventually obtain administrator control. This allows them to deactivate security solutions and ultimately infect the system with ransomware.

One significant difference between ransomware attacks and targeted ransomware attacks is that in a typical mass ransomware campaign, the attacker sends out the malware and waits for responses.

In targeted ransomware attacks, however, the attackers are hands-on throughout: they infect the system themselves, even if they do not yet know who their victim will be.

These attacks are an example of live hacking, where the attacker adapts in real time, is more resourceful than traditional security measures, and sometimes manages to get around them.

Why is ransomware so pervasive, and how can these attacks continue to be successful? To answer that, we must first understand how opportunistic and targeted ransomware attacks work.

What Is Opportunistic Ransomware?

Unlike targeted ransomware attacks, opportunistic attacks are designed to reach anyone. For example, they may arrive through a mass mailing or an exploit kit that targets vulnerabilities via certain websites.

The 2020 Verizon Data Breach Investigations Report found that 86% of all breaches were financially motivated. Attackers know that ransomware is one of the quickest, easiest ways to turn a profit. With do-it-yourself (DIY) kits readily available on the dark web and with low barriers to entry, more attackers are likely to start using this tactic.

Since ransomware is delivered in bulk, attackers can infect many organizations and target as many desktops, laptops, and servers as they want with just one attack. Furthermore, once deployed, ransomware prevents users from accessing their files or systems until the attacker receives a ransom payment — usually in the form of cryptocurrencies like Bitcoin.

2017 was a challenging year for many businesses. One of the most notable examples was the April WannaCry ransomware attack, which infected over 200,000 devices in 150 countries. Although this attack affected many sectors, it impacted healthcare companies the most. Imagine someone’s livelihood being at risk because their emergency medical facility isn’t open for business.

Opportunistic or targeted, ransomware attacks start and happen on the endpoint. They abuse desktops, laptops, and servers that are inadequately protected in order to steal and encrypt data.

One thing that becomes clear when examining ransomware attacks is that relying on a single solution for endpoint security is not enough.

Instead, organizations are wise to adopt an eyes-wide-open mentality that assumes they are vulnerable; doing so reduces the likelihood that a ransomware attack on their systems will succeed. It is also important to layer various security controls to reduce gaps, exposure, and overall vulnerability through a defense-in-depth strategy. When it comes to endpoint security, this means that one plus one can equal three.

Organizations can minimize risk by managing the privileges on their endpoints and by combining endpoint detection and response with anti-virus/NGAV, application patching, OS patching, and privilege management.

A typical targeted ransomware attack is broken down into a number of individual phases, which combined make up the entire attack process. This division is called a “Cyber Kill Chain”, which maps out a sequence of chronologically required stages an attacker must complete to be successful. Accordingly, an attack could potentially be prevented if the attackers are stopped during merely one of the stages. The report makes references to specific ID numbers from MITRE’s ATT&CK terminology of attack and defence techniques. MITRE is a non-profit organization engaged in cyber security which has developed an analysis framework called ATT&CK. The references serve as a shared frame of reference, and organizations can find additional information on each attack and defence technique on MITRE’s website. Figure 1 illustrates how a typical targeted ransomware attack plays out, supplemented with the ID numbers of the attack techniques most commonly used by hackers within each attack stage.
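The Hades attack path, the RDP-to-administrator chain in “Why Targeted Ransomware Is So Dangerous”, and the kill-chain staging just described are the same sequence seen from the defender's side. As an added example that is not part of the original page or of any product it names, the Python below correlates a constructed, normalized event feed into those stages per host and alerts when initial access is followed within a window by defense evasion, exfiltration, or a burst of renames to a ransom extension. The event kinds, field names, host names, IP ranges, EDR service name and thresholds are all assumptions; the ATT&CK IDs are real, but which ID each stage maps to is this example's own choice.

```python
"""Correlate a constructed, normalized event feed into kill-chain stages.

Every record is a plain dict: ts (ISO 8601), host, kind, and kind-specific
fields. Field names, hosts, IPs, the service name and thresholds are all
constructed for this example; the event kinds stand in for what a SIEM would
normalize from sources such as Windows Security 4624 (logon), System 7036
(service stopped), firewall flow logs and file-audit records.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
EDR_SERVICE = "ExampleEDRAgent"            # hypothetical security-agent service name
RANSOM_EXTS = (".bitcrypt", ".bitcrypt 2")  # suffixes named on this page
RENAME_BURST = 5                            # renames that count as mass encryption
BYTES_OUT_THRESHOLD = 500 * 1024 * 1024     # outbound volume treated as staging/exfil
WINDOW = timedelta(hours=6)                 # how long after initial access we correlate

# Stage -> ATT&CK technique IDs (real IDs; the stage-to-ID mapping is this example's choice).
TECHNIQUES = {
    "initial_access": "T1078, T1021.001",
    "defense_evasion": "T1562.001",
    "exfiltration": "T1048",
    "impact": "T1486",
}


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def stage_of(ev):
    """Map one event to a kill-chain stage, or None if it is unremarkable."""
    kind = ev["kind"]
    if kind == "logon" and ev.get("logon_type") == 10:   # type 10 = RemoteInteractive (RDP)
        src = ipaddress.ip_address(ev["src_ip"])
        if not any(src in net for net in TRUSTED_NETS):
            return "initial_access"
    elif kind == "service_stopped" and ev.get("service") == EDR_SERVICE:
        return "defense_evasion"
    elif kind == "net_flow" and ev.get("bytes_out", 0) >= BYTES_OUT_THRESHOLD:
        return "exfiltration"
    elif kind == "file_rename" and ev["new_path"].lower().endswith(RANSOM_EXTS):
        return "rename"  # one rename is noise; stage_timeline() turns a burst into "impact"
    return None


def stage_timeline(events):
    """Per host: the earliest timestamp at which each stage was evidenced."""
    first_seen = defaultdict(dict)
    renames = defaultdict(list)
    for ev in sorted(events, key=_ts):
        stage = stage_of(ev)
        if stage is None:
            continue
        host, when = ev["host"], _ts(ev)
        if stage == "rename":
            renames[host].append(when)
            # Impact is reached once RENAME_BURST renames fall inside a 15-minute slice.
            recent = [t for t in renames[host] if when - t <= timedelta(minutes=15)]
            if len(recent) >= RENAME_BURST:
                first_seen[host].setdefault("impact", when)
        else:
            first_seen[host].setdefault(stage, when)
    return first_seen


def alerts(events, min_stages=3):
    """Hosts where initial access is followed, within WINDOW, by enough later stages."""
    out = {}
    for host, seen in stage_timeline(events).items():
        start = seen.get("initial_access")
        if start is None:
            continue
        chain = [s for s in ("initial_access", "defense_evasion", "exfiltration", "impact")
                 if s in seen and timedelta(0) <= seen[s] - start <= WINDOW]
        if len(chain) >= min_stages:
            out[host] = [(s, TECHNIQUES[s]) for s in chain]
    return out


# Constructed feed: FILESRV01 follows the full path; WS-042 is an ordinary day.
SAMPLE_EVENTS = [
    {"ts": "2022-05-10T01:12:00", "host": "FILESRV01", "kind": "logon", "logon_type": 10, "src_ip": "203.0.113.45"},
    {"ts": "2022-05-10T01:40:00", "host": "FILESRV01", "kind": "service_stopped", "service": "ExampleEDRAgent"},
    {"ts": "2022-05-10T02:30:00", "host": "FILESRV01", "kind": "net_flow", "bytes_out": 2 * 1024**3},
    *[{"ts": f"2022-05-10T03:0{i}:00", "host": "FILESRV01", "kind": "file_rename",
       "new_path": f"D:\\Finance\\q1_{i}.xlsx.bitcrypt"} for i in range(6)],
    {"ts": "2022-05-10T08:05:00", "host": "WS-042", "kind": "logon", "logon_type": 10, "src_ip": "10.20.3.7"},
    {"ts": "2022-05-10T08:30:00", "host": "WS-042", "kind": "file_rename", "new_path": "C:\\Users\\a\\report.docx.tmp"},
    {"ts": "2022-05-10T09:00:00", "host": "WS-042", "kind": "net_flow", "bytes_out": 12 * 1024**2},
]

if __name__ == "__main__":
    for host, chain in alerts(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(f"{s} ({t})" for s, t in chain))
```

A single external RDP logon never alerts on its own, which keeps contractor access out of the queue; it is the progression through later stages within the window that raises the host.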

Whether opportunistic or targeted, ransomware attacks start on the endpoint. Inadequately protected desktops, laptops and servers are pervasive — and each one provides a potential entry point for attackers to steal and encrypt data.

By examining numerous ransomware attacks, one thing is abundantly clear: relying on a single endpoint security solution — endpoint detection and response, anti-virus or otherwise — is not enough to stop every threat. In fact, organizations are wise to adopt an assume-breach mindset to reduce the chances of ransomware encrypting files, even if it does enter their environments. And ultimately, a defense-in-depth approach is necessary, layering a variety of security controls to eliminate gaps, reduce exposure and strengthen overall security posture. When it comes to endpoint security, one plus one really does equal three.

Privileged Access Management is a critical, yet often overlooked, component of an effective endpoint security strategy. If a malicious attacker or insider gains access to a privileged credential, he or she will appear to be a trusted user. This makes it very difficult to detect risky activity.

Ransomware facts and figures

Ransomware is big business. There's a lot of money in ransomware, and the market expanded rapidly from the beginning of the decade. In 2017, ransomware resulted in $5 billion in losses, both in terms of ransoms paid and spending and lost time in recovering from attacks. That's up 15 times from 2015. In the first quarter of 2018, just one kind of ransomware software, SamSam, collected $1 million in ransom money.

Some markets are particularly prone to ransomware—and to paying the ransom. Many high-profile ransomware attacks have occurred in hospitals or other medical organizations, which make tempting targets: attackers know that, with lives literally in the balance, these enterprises are more likely to simply pay a relatively low ransom to make a problem go away. It's estimated that 45 percent of ransomware attacks target healthcare orgs, and, conversely, that 85 percent of malware infections at healthcare orgs are ransomware. Another tempting industry? The financial services sector, which is, as Willie Sutton famously remarked, where the money is. It's estimated that 90 percent of financial institutions were targeted by a ransomware attack in 2017.

Your anti-malware software won't necessarily protect you. Ransomware is constantly being written and tweaked by its developers, and so its signatures are often not caught by typical anti-virus programs. In fact, as many as 75 percent of companies that fall victim to ransomware were running up-to-date endpoint protection on the infected machines.

Ransomware isn't as prevalent as it used to be. If you want a bit of good news, it's this: the number of ransomware attacks, after exploding in the mid '10s, has gone into a decline, though the initial numbers were high enough that it's still. But in the first quarter of 2017, ransomware attacks made up 60 percent of malware payloads; now it's down to 5 percent.

Should you pay the ransom?

If your system has been infected with malware, and you've lost vital data that you can't restore from backup, should you pay the ransom?

When speaking theoretically, most law enforcement agencies urge you not to pay ransomware attackers, on the logic that doing so only encourages hackers to create more ransomware. That said, many organizations that find themselves afflicted by malware quickly stop thinking in terms of the "greater good" and start doing a cost-benefit analysis, weighing the price of the ransom against the value of the encrypted data. According to research from Trend Micro, while 66 percent of companies say they would never pay a ransom as a point of principle, in practice 65 percent actually do pay the ransom when they get hit.

Ransomware attackers keep prices relatively low — usually between $700 and $1,300, an amount companies can usually afford to pay on short notice. Some particularly sophisticated malware will detect the country where the infected computer is running and adjust the ransom to match that nation's economy, demanding more from companies in rich countries and less from those in poor regions.

There are often discounts offered for acting fast, so as to encourage victims to pay quickly before thinking too much about it. In general, the price point is set so that it's high enough to be worth the criminal's while, but low enough that it's often cheaper than what the victim would have to pay to restore their computer or reconstruct the lost data. With that in mind, some companies are beginning to build the potential need to pay ransom into their security plans: for instance, some large UK companies who are otherwise uninvolved with cryptocurrency are holding some Bitcoin in reserve specifically for ransom payments.

There are a couple of tricky things to remember here, keeping in mind that the people you're dealing with are, of course, criminals. First, what looks like ransomware may not have actually encrypted your data at all; make sure you aren't dealing with so-called "scareware" before you send any money to anybody. And second, paying the attackers doesn't guarantee that you'll get your files back. Sometimes the criminals just take the money and run, and may not have even built decryption functionality into the malware. But any such malware will quickly get a reputation and won't generate revenue, so in most cases — Gary Sockrider, principal security technologist at Arbor Networks, estimates around 65 to 70 percent of the time — the crooks come through and your data is restored.

Ransomware examples

While ransomware has technically been around since the '90s, it's only taken off in the past five years or so, largely because of the availability of untraceable payment methods like Bitcoin. Some of the worst offenders have been:

  • CryptoLocker, a 2013 attack, launched the modern ransomware age and infected up to 500,000 machines at its height.
  • TeslaCrypt targeted gaming files and saw constant improvement during its reign of terror.
  • SimpleLocker was the first widespread ransomware attack that focused on mobile devices.
  • WannaCry spread autonomously from computer to computer using EternalBlue, an exploit developed by the NSA and then stolen by hackers.
  • NotPetya also used EternalBlue and may have been part of a Russian-directed cyberattack against Ukraine.
  • Locky started spreading in 2016 and was "similar in its mode of attack to the notorious banking software Dridex." A variant, Osiris, was spread through phishing campaigns.
  • Leatherlocker was first discovered in 2017 in two Android applications: Booster & Cleaner and Wallpaper Blur HD. Rather than encrypt files, it locks the home screen to prevent access to data.
  • Wysiwye, also discovered in 2017, scans the web for open Remote Desktop Protocol (RDP) servers. It then tries to steal RDP credentials to spread across the network.
  • Cerber proved very effective when it first appeared in 2016, netting attackers $200,000 in July of that year. It took advantage of a Microsoft vulnerability to infect networks.
  • BadRabbit spread across media companies in Eastern Europe and Asia in 2017.
  • SamSam has been around since 2015 and targeted primarily healthcare organizations.
  • Ryuk first appeared in 2018 and is used in targeted attacks against vulnerable organizations such as hospitals. It is often used in combination with other malware like TrickBot.
  • Maze is a relatively new ransomware group known for releasing stolen data to the public if the victim does not pay to decrypt it.
  • RobbinHood is another EternalBlue variant that brought the city of Baltimore, Maryland, to its knees in 2019.
  • GandCrab might be the most lucrative ransomware ever. Its developers, who sold the program to cybercriminals, claim more than $2 billion in victim payouts as of July 2019.
  • Sodinokibi targets Microsoft Windows systems and encrypts all files except configuration files. It is related to GandCrab.
  • Thanos is the newest ransomware on this list, discovered in January 2020. It is sold as ransomware as a service. It is the first to use the RIPlace technique, which can bypass most anti-ransomware methods.
  • This list is just going to get longer.

Top Ten Hacking Countries

1. China: 41 percent (of the world's attack traffic)

2. U.S.: 10 percent

3. Turkey: 4.7 percent

4. Russia: 4.3 percent

5. Taiwan: 3.7 percent

6. Brazil: 3.3 percent

7. Romania: 2.8 percent

8. India: 2.3 percent

9. Italy: 1.6 percent

10. Hungary: 1.4 percent

Actions to Prevent Ransomware Attack

There are some actions you can take to help prepare your organization for potential malware and ransomware attacks.

Action 1: make regular backups

Up-to-date backups are the most effective way of recovering from a ransomware attack, so you should do the following.

  • Make regular backups of your most important files (what counts as important will differ for every organisation), check that you know how to restore files from the backup, and regularly test that it is working as expected.

  • Ensure you create offline backups that are kept separate from your network and systems, in a different location (ideally offsite) or in a cloud service designed for this purpose, as ransomware actively targets backups to increase the likelihood of payment. The blog post 'Offline backups in an online world' provides useful additional advice for organisations.

  • Make multiple copies of files using different backup solutions and storage locations. You shouldn't rely on having two copies on a single removable drive, nor should you rely on multiple copies in a single cloud service.

  • Make sure that the devices containing your backup (such as external hard drives and USB sticks) are not permanently connected to your network. Attackers will target connected backup devices and solutions to make recovery more difficult.

  • Ensure that your cloud service protects previous versions of the backup from being immediately deleted and allows you to restore to them. This will prevent both your live and backup data becoming inaccessible: cloud services often automatically synchronise immediately after your files have been replaced with encrypted copies.

  • Ensure that backups are only connected to known clean devices before starting recovery.

  • Scan backups for malware before you restore files. Ransomware may have infiltrated your network over a period of time, and replicated to backups before being discovered.

  • Regularly patch products used for backup, so attackers cannot exploit any known vulnerabilities they might contain.

There have been cases where attackers have destroyed copied files or disrupted recovery processes before conducting ransomware attacks. Ideally, backup accounts and solutions should be protected using Privileged Access Workstations (PAW) and hardware firewalls to enforce IP allow listing. Multi-factor Authentication (MFA) should be enabled, and the MFA method should not be installed on the same device that is used for the administration of backups. Privileged Access Management (PAM) solutions remove the need for administrators to directly access high-value backup systems.
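Two of the bullets above (test that restores work; scan a backup before restoring from it) can be backed by a manifest check. The following Python script is an added example, not code from the article or any of its sources: it records a SHA-256 manifest when the backup is taken and, before a restore, flags files that went missing, changed, or now look encrypted by a byte-entropy heuristic. Function names, the 7.5 bits/byte threshold and the sample files it builds are all constructed for this example.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

OK, MISSING, MODIFIED, SUSPICIOUS, UNEXPECTED = "ok", "missing", "modified", "suspicious", "unexpected"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, text and most documents well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Record hash and size of every file when the backup is taken; keep a copy offline."""
    return {p.relative_to(root).as_posix(): {"sha256": sha256_of(p), "size": p.stat().st_size}
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Classify every file in the backup set before anything is restored from it."""
    report = {}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report[rel] = MISSING
        elif sha256_of(p) == expected["sha256"]:
            report[rel] = OK
        else:
            # Content differs from the manifest. A document that was low-entropy and is now
            # near 8 bits/byte is the classic sign it was encrypted in place, then synchronised.
            ent = shannon_entropy(p.read_bytes()[:65536])
            report[rel] = SUSPICIOUS if ent > entropy_threshold else MODIFIED
    for p in root.rglob("*"):  # files the manifest never saw (e.g. dropped after the run)
        if p.is_file():
            report.setdefault(p.relative_to(root).as_posix(), UNEXPECTED)
    return report


def demo() -> dict:
    """Constructed sample backup (hypothetical files, not real data) exercising every outcome."""
    root = Path(tempfile.mkdtemp())
    for name in ("invoice.txt", "notes.txt", "report.txt", "plan.txt"):
        (root / name).write_text(f"Quarterly figures for {name}\n" * 40)
    manifest = build_manifest(root)
    (root / "notes.txt").write_text("A legitimate later edit to the notes file.\n")  # MODIFIED
    (root / "report.txt").write_bytes(os.urandom(4096))  # random bytes stand in for ciphertext
    (root / "plan.txt").unlink()                          # MISSING
    (root / "NEW_FILE.txt").write_text("appeared after the manifest was written\n")  # UNEXPECTED
    return verify_backup(root, manifest)
```

The manifest itself must live with the offline copy, not on the backup share, or an attacker who reaches the share can rewrite both.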

Action 2: prevent malware from being delivered and spreading to devices

You can reduce the likelihood of malicious content reaching your devices through a combination of:

  • filtering to only allow file types you would expect to receive

  • blocking websites that are known to be malicious

  • actively inspecting content

  • using signatures to block known malicious code

  • regularly reviewing and removing user permissions that are no longer required, to limit the malware's ability to spread

  • ensuring system administrators avoid using their accounts for email and web browsing (to prevent malware being able to run with their high level of system privilege)

  • practising good asset management, including keeping track of which versions of software are installed on your devices so that you can target security updates quickly

  • keeping devices and infrastructure patched, especially security-enforcing devices on the network boundary (such as firewalls and VPN products)
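The first bullet (allow only the file types you expect) and the later point about malicious Office macros can be enforced by one inbound attachment filter. The Python below is an added example, not code from the article or its sources: it checks every extension in the file name against a blocklist, checks the last extension against an allowlist, confirms the content starts with the bytes that type should start with, and for OOXML documents rejects any container carrying a VBA project. The allowlist, helper names and constructed sample attachments are assumptions.

```python
import io
import zipfile

# Types this organisation expects to receive, with the bytes each must start with
# (allowlist and magic values constructed for this example).
ALLOWED = {
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
# Never accepted by email, even buried in a double extension such as invoice.pdf.exe.
BLOCKED = {".exe", ".scr", ".js", ".vbs", ".ps1", ".bat", ".hta", ".lnk", ".iso"}
OOXML = {".docx", ".xlsx"}


def extensions(name: str) -> list:
    """'invoice.pdf.exe' -> ['.pdf', '.exe'], so every extension in the name is checked."""
    return ["." + part for part in name.lower().split(".")[1:]]


def check_attachment(name: str, data: bytes) -> tuple:
    """Return ('accept', ext) or ('reject', reason) for one attachment."""
    exts = extensions(name)
    if not exts:
        return ("reject", "no extension")
    if any(e in BLOCKED for e in exts):
        return ("reject", "executable or script extension in name")
    ext = exts[-1]
    if ext not in ALLOWED:
        return ("reject", f"{ext} is not an expected type")
    if data.startswith(b"MZ"):
        return ("reject", "PE header under a document extension")
    if not data.startswith(ALLOWED[ext]):
        return ("reject", f"content does not look like {ext}")
    if ext in OOXML:  # a macro-enabled file renamed to .docx still carries its VBA project
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return ("reject", "corrupt OOXML container")
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return ("reject", "VBA macro project inside an OOXML document")
    return ("accept", ext)


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word document: a zip with the usual entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00")  # placeholder, not real VBA
    return buf.getvalue()


def demo() -> dict:
    """Constructed attachments (not real samples) run through the filter."""
    samples = {
        "invoice.pdf": b"%PDF-1.7 constructed body",
        "invoice.pdf.exe": b"MZ\x90\x00",
        "report.docx": b"MZ\x90\x00",  # executable renamed to look like a document
        "memo.docx": make_ooxml(False),
        "macro.docx": make_ooxml(True),
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "setup.iso": b"\x00" * 16,
        "notes": b"plain text",
    }
    return {n: check_attachment(n, d) for n, d in samples.items()}
```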

Action 3: prevent malware from running on devices

A 'defence in depth' approach assumes that malware will reach your devices. You should therefore take steps to prevent malware from running. The measures required will vary for each device type, OS and version, but in general you should look to use device-level security features. Organisations should:

  • centrally manage devices in order to only permit applications trusted by the enterprise to run on devices, using technologies including AppLocker, or from trusted app stores (or other trusted locations)

  • consider whether enterprise antivirus or anti-malware products are necessary, and keep the software (and its definition files) up to date

  • provide security education and awareness training to your people

  • disable or constrain scripting environments and macros, by:

    • enforcing PowerShell Constrained Language mode via a User Mode Code Integrity (UMCI) policy; you can use AppLocker as an interface to UMCI to automatically apply Constrained Language mode

    • protecting your systems from malicious Microsoft Office macros

  • disable autorun for mounted media (prevent the use of removable media if it is not needed)

In addition, attackers can force their code to execute by exploiting vulnerabilities in the device. Prevent this by keeping devices well-configured and up to date. We recommend that you:

  • install security updates as soon as they become available in order to fix exploitable bugs in your products

  • enable automatic updates for OSs, applications, and firmware if you can

  • use the latest versions of OSs and applications to take advantage of the latest security features

  • configure host-based and network firewalls, disallowing inbound connections by default

Action 4: prepare for an incident

Malware attacks, in particular ransomware attacks, can be devastating for organisations because computer systems are no longer available to use, and in some cases data may never be recovered. If recovery is possible, it can take several weeks, but your corporate reputation and brand value could take a lot longer to recover. The following will help to ensure your organisation can recover quickly.

  • Identify your critical assets and determine the impact to these if they were affected by a malware attack.

  • Plan for an attack, even if you think it is unlikely. There are many examples of organisations that have been impacted by collateral malware, even though they were not the intended target.

  • Develop an internal and external communication strategy. It is important that the right information reaches the right stakeholders in a timely fashion.

  • Determine how you will respond to the ransom demand and the threat of your organisation's data being published.

  • Ensure that incident management playbooks and supporting resources such as checklists and contact details are available if you do not have access to your computer systems.

  • Identify your legal obligations regarding the reporting of incidents to regulators, and understand how to approach this.

  • Exercise your incident management plan. This helps clarify the roles and responsibilities of staff and third parties, and to prioritise system recovery. For example, if a widespread ransomware attack meant a complete shutdown of the network was necessary, you would have to consider:

    • how long it would take to restore the minimum required number of devices from images and re-configure for use

    • how you would rebuild any virtual environments and physical servers

    • what processes need to be followed to restore servers and files from your backup solution

    • what processes need to be followed if onsite systems and cloud backup servers are unusable, and you need to rebuild from offline backups

    • how you would continue to operate critical business services

  • After an incident, revise your incident management plan to include lessons learnt to ensure that the same event cannot occur in the same way again.

Always keep software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities.

1. Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminal connections.

2. Back up data regularly. Make sure you can quickly access it in an emergency when needed.

3. Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.

4. Explain to all employees that ransomware can easily target them through a phishing email, a shady website or cracked software downloaded from unofficial sources. Ensure staff remain vigilant at all times and check their knowledge with tests.

5. Along with proper endpoint protection, dedicated services can help against high-profile ransomware attacks.
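Point 1 above, as an added Python example (not code from the article or from Kaspersky): two detections run over constructed flow records, one for an internal host fanning out to many other internal hosts on SMB, RDP or WinRM ports, one for a large outbound volume from one internal host to a single external destination. The log format, thresholds, port set and addresses are all assumptions made for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
LATERAL_PORTS = {445, 3389, 5985}     # SMB, RDP, WinRM: the usual paths for spreading
FANOUT_THRESHOLD = 5                  # distinct internal targets from one source host
EXFIL_BYTES_THRESHOLD = 500_000_000   # bytes out to one external destination

# Constructed flow records, not captured traffic: "timestamp src dst dport bytes_out".
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.1.15 10.0.1.20 445 12000
2024-01-01T09:00:02 10.0.1.15 10.0.1.21 445 11800
2024-01-01T09:00:02 10.0.1.15 10.0.1.22 3389 9000
2024-01-01T09:00:03 10.0.1.15 10.0.1.23 445 12400
2024-01-01T09:00:03 10.0.1.15 10.0.1.24 5985 7100
2024-01-01T09:00:04 10.0.1.15 10.0.1.25 445 12100
2024-01-01T09:00:05 10.0.1.30 10.0.1.20 445 53000
2024-01-01T09:01:00 10.0.2.7 203.0.113.9 443 200000000
2024-01-01T09:03:00 10.0.2.7 203.0.113.9 443 200000000
2024-01-01T09:05:00 10.0.2.7 203.0.113.9 443 200000000
2024-01-01T09:05:30 10.0.1.30 198.51.100.4 443 48000
"""


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def parse_line(line: str) -> dict:
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def detect(lines) -> list:
    """Return alerts for lateral-movement fan-out and for bulk outbound transfers."""
    fanout = defaultdict(set)     # internal src -> distinct internal dsts on lateral ports
    outbound = defaultdict(int)   # (internal src, external dst) -> total bytes out
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
        if src_in and dst_in and rec["dport"] in LATERAL_PORTS:
            fanout[rec["src"]].add(rec["dst"])
        elif src_in and not dst_in:
            outbound[(rec["src"], rec["dst"])] += rec["bytes"]
    alerts = []
    for src, targets in fanout.items():
        if len(targets) >= FANOUT_THRESHOLD:
            alerts.append({"kind": "lateral_movement", "src": src, "targets": len(targets)})
    for (src, dst), total in outbound.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            alerts.append({"kind": "exfiltration", "src": src, "dst": dst, "bytes": total})
    return alerts


def run_demo() -> list:
    return detect(SAMPLE_LOG.splitlines())
```

A production version buckets both counters into a sliding time window and excludes known scanners and backup hosts; both are left out here to keep the logic visible.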

If your organisation has already been infected with malware, these steps may help limit the impact:

1. Immediately disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based.

2. In a very serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary.

3. Reset credentials including passwords (especially for administrator and other system accounts), but verify that you are not locking yourself out of systems that are needed for recovery.

4. Safely wipe the infected devices and reinstall the OS.

5. Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that the backup and the device you're connecting it to are clean.

6. Connect devices to a clean network in order to download, install and update the OS and all other software.

7. Install, update, and run antivirus software.

8. Reconnect to your network.

9. Monitor network traffic and run antivirus scans to identify if any infection remains.

Preventions for Ransomware

Based on what we know about these attacks, it appears that the adversaries executed a targeted, manual attack with the intention of holding files for ransom. Some of the techniques used appear to be attempts to avoid detection. Although there is no one-size-fits-all solution to preventing such attacks, effective security procedures can help. The following measures are recommended:

  • Install security updates as soon as possible: The entry point appears to be a known weakness in third-party software. This illustrates the need for rigorous processes around operating system and application software updates, especially for systems that are exposed to the outside world.

  • Install up-to-date security software: Keeping security software up to date improves its chance of identifying malware such as ransomware when it is encountered.

  • Implement a solid backup/recovery strategy: Good backup and recovery are crucial in the event of a targeted attack or another catastrophic incident. The data should be kept in a safe and separate place, and the recovery process should be tested regularly.

  • Conduct a cybersecurity audit: Audit your networks and address any flaws detected at the perimeter or within the network.

  • Educate employees: Inform all workers that ransomware may easily reach them via a phishing email, a dubious website, or cracked software obtained from unauthorized sources. Maintain staff vigilance at all times, and test their knowledge.

Ransomware Tracking: https://malwaretech.com

https://threatmap.checkpoint.com/

https://www.comparitech.com/blog/information-security/global-ransomware-attacks/

What do I think?

I am really intrigued and fascinated by ransomware attacks, in a good way, and have been trying to learn and grasp as much as I could from some short courses I did, like a MITRE ATT&CK framework course from a Turkish website, which was not really simulation-based but more on the theoretical part. Again, my curiosity doesn't stop here; I do wish to be able to learn and reverse engineer or stop an attack, hopefully someday. I have posted some links which claim to update the worldwide ransomware attacks on a daily basis, not sure though. Also, my inspiration behind this write-up is a movie called Blackhat. There is more to come next.

Disclosure & Legal Disclaimer Statement: Some of the content has been taken from open internet sources just for representation purposes.
