It is not if, it is when...

Ransomware is a type of?malicious software?(malware) that threatens to publish or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker. In many cases, the ransom demand comes with a deadline. If the victim doesn’t pay in time, the data is gone forever or the ransom increases.

Ransomware attacks are all too common these days. Major companies in North America and Europe alike have fallen victim to it. Cybercriminals will attack any consumer or any business and victims come from all industries.

Several government agencies, including the FBI, advise against paying the ransom to keep from encouraging the ransomware cycle, as does the?No More Ransom Project. Furthermore, half of the victims who pay the ransom are likely to suffer from repeat ransomware attacks, especially if it is not cleaned from the system.

History of Ransomware Attacks

Ransomware can be traced back to 1989 when the “AIDS virus” was used to extort funds from recipients of the ransomware. Payments for that attack were made by mail to Panama, at which point a decryption key was also mailed back to the user.

In 1996, ransomware was known as “cryptoviral extortion,” introduced by Moti Yung and Adam Young from Columbia University. This idea, born in academia, illustrated the progression, strength, and creation of modern cryptographic tools. Young and Yung presented the first cryptovirology attack at the 1996 IEEE Security and Privacy conference. Their virus contained the attacker’s public key and encrypted the victim’s files. The malware then prompted the victim to send asymmetric ciphertext to the attacker to decipher and return the decryption key—for a fee.

Attackers have grown creative over the years by requiring payments that are nearly impossible to trace, which helps cybercriminals remain anonymous. For example, notorious mobile ransomware Fusob requires victims to pay using Apple iTunes gift cards instead of normal currencies, like dollars.

Ransomware attacks began to soar in popularity with the growth of cyptocurrencies, such as Bitcoin. Cryptocurrency is a digital currency that uses encryption techniques to verify and secure transactions and control the creation of new units. Beyond Bitcoin, there are other popular cryptocurrencies that attackers prompt victims to use, such as Ethereum, Litecoin, and Ripple.

Ransomware has attacked organizations in nearly every vertical, with one of the most famous viruses being the attacks on Presbyterian Memorial Hospital. This attack highlighted the potential damage and risks of ransomware. Labs, pharmacies and emergency rooms were hit.

Examples of Ransomware

By learning about the major ransomware attacks below, organizations will gain a solid foundation of the tactics, exploits, and characteristics of most ransomware attacks. While there continues to be variations in the code, targets, and functions of ransomware, the innovation in ransomware attacks are typically incremental.

• WannaCry:?A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a killswitch was tripped to stop its spread. Proofpoint was involved in finding the sample used to find the killswitch and in deconstructing the ransomware.
• CryptoLocker:?This was one of the first of the current generation of ransomware that required cryptocurrency for payment (Bitcoin) and encrypted a user’s hard drive and attached network drives.?Cryptolocker?was spread via an email with an?attachment?that claimed to be FedEx and UPS tracking notifications. A decryption tool was released for this in 2014. But various reports suggest that upwards of $27 million was extorted by CryptoLocker.
• NotPetya:?Considered one of the most damaging ransomware attacks, NotPetya leveraged tactics from its namesake,?Petya, such as infecting and encrypting the master boot record of a Microsoft Windows-based system. NotPetya leveraged the same vulnerability from WannaCry to spread rapidly, demanding payment in bitcoin to undo the changes. It has been classified by some as a wiper, since NotPetya cannot undo its changes to the master boot record and renders the target system unrecoverable.
• Bad Rabbit:?Considered a cousin of NotPetya and using similar code and exploits to spread,?Bad Rabbit?was a visible ransomware that appeared to target Russia and Ukraine, mostly impacting media companies there. Unlike NotPetya, Bad Rabbit did allow for decryption if the ransom was paid. The majority of cases indicate that it was spread via a fake Flash player update that can impact users via a drive by attack.

How Ransomware Works

Ransomware is a type of malware designed to extort money from its victims, who are blocked or prevented from accessing data on their systems. The two most prevalent types of ransomware are encryptors and screen lockers. Encryptors, as the name implies, encrypt data on a system, making the content useless without the decryption key. Screen lockers, on the other hand, simply block access to the system with a “lock” screen, asserting that the system is encrypted.

Figure 1: How Ransomware tries to trick a victim into installing it

Victims are often notified on a lock screen (common to both encryptors and screen lockers) to purchase a cryptocurrency, like Bitcoin, to pay the ransom fee. Once the ransom is paid, customers receive the decryption key and may attempt to decrypt files. Decryption is not guaranteed, as multiple sources report varying degrees of success with decryption after paying ransoms. Sometimes victims never receive the keys. Some attacks install malware on the computer system even after the ransom is paid and the data is released.

While originally focused largely on personal computers, encrypting ransomware has increasingly targeted business users, as businesses will often pay more to unlock critical systems and resume daily operations than individuals.

Enterprise ransomware infections or viruses usually start with a malicious email. An unsuspecting user opens an attachment or clicks on a URL that is malicious or has been compromised.

At that point, a ransomware agent is installed and begins encrypting key files on the victim’s PC and any attached file shares. After encrypting the data, the ransomware displays a message on the infected device. The message explains what has occurred and how to pay the attackers. If the victims pay, the ransomware promises they’ll get a code to unlock their data.

Who is At Risk?

Any device connected to the internet is at risk of becoming the next ransomware victim. Ransomware scans a local device and any network-connected storage, which means that a vulnerable device also makes the local network a potential victim. If the local network is a business, the ransomware could encrypt important documents and system files that could halt services and productivity.

If a device connects to the internet, it should be updated with the latest software security patches, and it should have anti-malware installed that detects and stops ransomware. Outdated operating systems such as Windows XP that are no longer maintained are at a much higher risk.

The Business Impact from Ransomware

A business that falls victim to ransomware can lose thousands of dollars in productivity and data loss. Attackers with access to data will blackmail victims into paying the ransom by threatening to release data and expose the data breach, so organizations that do not pay fast enough could experience additional side effects such as brand damage and litigation.

Ransomware stops productivity, so the first step is containment. After containment, the organization can either restore from backups or pay the ransom. Law enforcement gets involved in investigations, but tracking ransomware authors requires research time that just delays recovery. Root-cause analysis identifies the vulnerability, but any delays in recovery impacts productivity and business revenue.