Ransomware is big money and is a rapidly growing cyberattack strategy. The market has expanded massively since the advent of secure and untraceable payment methods such as Bitcoin. Emsisoft estimates that ransomware costs for US organizations in 2019 was in excess of $7.5 billion. Compare this to four years prior when in 2015 ransomware damages totalled around $300 million.
Some markets are particularly prone to ransomware attacks such as medical organizations and public services. And there have been several high profile cases involving these industries over the last few years. Attackers know that with lives literally on the line organizations in these fields are likely to simply pay the ransom to make the problem go away. Most recently Garmin technology company has been held to ransom with attackers using the WastedLocker ransomware seeking a ransom of USD$10 million.
In this article, we explore in detail what ransomware is, how cybercriminals utilize and what strategies organizations can employ to ensure they are protected from ransomware attacks.
What is Ransomware?
Ransomware is a form of malware. It can take various forms but generally it functions in one of two ways:
Crypto ransomware. This malware encrypts the files on a computer so that the user cannot access them.
Locker ransomware. This malware locks the victim out of their device or out of particular files, preventing them from using it.
One thing all ransomware attacks have in common is that the target won’t be able to regain access to their files unless they pay the attackers a hefty ransom to unlock the files.
Ransomware has grown in popularity over the last few years in the wake of cryptocurrencies which makes it safe to receive their ransom payments. The cost of a ransomware attack can range from a few hundred to thousands of dollars depending on who the target is and how valuable the attackers believe the files they have locked out of reach are.
Probably the most common delivery system for ransomware is phishing scams. For examples, a virus masquerading as an email attachment can, once downloaded and opened, easily take over a victims computer. Another strategy is through social engineering which is growing in popularity with cybercriminals because of the better strike rate. A recent example of a successful social engineering attack was perpetrated against Twitter employees. Attackers were able to get aways with an estimated 12.85BTC, nearly US$120,000.
The encryption strategy for malware is the more common of the attacks. The result of this attack is that the victim will not be able to decrypt their files without a mathematical key known only to the attacker. The user will be presented with a message when they attempt to open their files saying that their documents are now inaccessible and will only be decrypted if the victim sends an untraceable cryptocurrency payment to the attacker’s wallet.
To encourage prompt payment attackers might masquerade as law enforcement and demand the payment as a fine. If the victim does have illegal or illicit files or programs on their device, such as pornography or pirated software or movies, then they may be more likely to pay without asking questions and without reporting the attack.
12 Ransomware Examples from the Last Decade
Ransomware has been around for decades. However, it was only after the advent of cryptocurrencies that it began being a favoured strategy for cybercriminals. Cryptocurrencies allow for them to collect untraceable completely anonymous payments. Some of the worst offenders have been:
CryptoLocker is an older malware threat, and while it isn’t in broad circulation anymore during it’s peak it infected some half a million machines. Cryptolocker is a Trojan horse that infects a device computer and then searches the computer as well as additional connected media including; external hardrives, cloud storage, and USB sticks, for files to encrypt.
TeslaCrypt is a variation or copycat of CryptoLocker. TeslaCrypt started by using social engineering to infiltrate devices and later used phishing emails as well. It heavily targeted gaming files and saw numerous upgrade improvements during its reign of terror.
SimpleLocker was another CyrptoLocker styled malware. However, it’s key difference was that it focused it’s targeting on Android devices.
WannaCry is a ransomware worm. What this means is that it spreads autonomously from computer to computer using EternalBlue, an exploit developed by the NSA and then stolen by hackers.
NotPetya also used the EternalBlue exploit. It is thought to be part of a Russion-directed cyberattack against the Ukraine. However, it expanded autonomously to infect a broad range of organizations.
Leakerlocker was first discovered in 2017 and targeted Android devices. Rather than encrypt files, it threatens to share your private data and browsing history unless you pay the ransom.
WYSIWYE, stands for “What You See Is What You Encrypt”. Discovered in 2017, this ransomware scans the web for open Remote Desktop Protocol (RDP) servers. It then allows for a customized attack with an interface through which it can be configured according to the attacker’s preferences.
SamSam has been around since 2015 and has affected devices in a number of waves of attacks. It utilizes vulnerabilities in remote desktop protocols (RDP), Java-based web servers, file transfer protocol (FTP) servers or brute force against weak passwords It would then spread to numerous devices. It primarily targeted public services and healthcare effectively bringing entire organizations to halt.
Ryuk first appeared in 2018. It is specifically used to target enterprise environments. It is often used in combination with other malware like TrickBot for distribution.
Maze was first discover in 2019. The MAZE ransomware has been used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model. The ransomware was initially distributed via spam emails and exploit kits before later shifting to being deployed post-compromise.
GandCrab currently holds a large portion of the ransomware market and may well be the most lucrative ransomware ever. Its developers, which sold the program to cybercriminals, claim more than $2 billion in victim payouts as of July 2019.
Thanos is a Ransomware-as-a-Service (RaaS) operation which allows affiliates to customize their own ransomware through a builder offered by the developer. It was first discovered by security professionals being talked about on a Russian darknet forum. It is the first to use the RIPlace technique, which can bypass many anti-ransomware methods.
Dealing with Ransomware
Prevention is always the best policy when it comes to dealing with cyber attacks. Using tools such as Signal you can stay up to date with the most common strategies and one step ahead of cybercriminals. However, if you become the victim of a ransomware attack, it is advisable not to pay the ransom. If you do so there is now guarantee that the cybercriminal will return your data, they are thieves after all. Additionally, it fuels the profitability of the ransomware business making future attacks more likely. So what can you do?
Decryption
For many ransomwares, especially the older ones there are decryption tools which have been developed. The first step then is to contact your internet security vendor and determine if decryption is possible. If this initial strategy fails you can visit nomoreransom.org. The No More Ransom site is an industry-wide initiative designed to help all victims of ransomware.
Recovery
It’s good practice to back-up your data regularly on both external hard drives as well as on cloud storage. If you have done this it becomes possible to simply recover the data which is currently being held hostage. There are of course some scenarios where this won’t be possible, for example, if the malicious actor is threatening to share private information rather than having simply encrypted your device.
Preventing Ransomware Attacks
Good security practices will help prevent you from falling victim to ransomware. These defensive steps will additionally help protect you against other generic cyber attacks.
Four basic steps that every organization should take to mitigate the threat of cyber attacks are:
Keep all operating systems up to date and patched. Doing this will ensure that there are few potential vulnerabilities that malicious actors can exploit.
Do not allow a software admin privileges unless you are confident in its safety and know exactly what it is and what it does.
Ensure you have an active and up to date anti-virus software installed on all devices. This will allow you to detect and block malicious programs like ransomware as they arrive.
And, as we said in the section above, back up all your files regularly. This last point won’t help protect against ransomware or other malware but can help mitigate the damages that your organization might suffer.
The Role of OSINT in Defending Against Ransomware
While open source intelligence tools can’t prevent ransomware, they can help organizations mitigate the potential damages.
Securing the supply chain
Supply chains can stretch across continents with potentially hundreds of suppliers and manufacturers all around the world bearing responsibility. Should any single part or resource be in short supply, then assembly lines can be brought to a halt resulting in costly delays at the very least.
There are numerous threats to the supply chain, one of which is malware and in particular regard to this article, ransomware. A key example of this is when the shipping giant Maersk had their IT systems taken out by a malware NotPetya. This resulted in their IT systems being down for days and many deliveries being delayed despite Herculean logistical efforts by the company.
Using OSINT tools you can learn whether an organization on your supply chain has been affected by ransomware in real-time which will allow you to take the necessary actions to mitigate the damage this has as their production or logistics is slowed.
Industry Targeting
It’s not unusual for malware to exploit weaknesses which are specific to an industry. For example, the Healthcare industry is particularly susceptible to ransomware as a delay in returning their operations to normal could result in patients deaths. Indeed a leading medical-research institution working on a cure for Covid-19 were forced to pay hackers a $1.14m USD ransom because of a ransomware attack.
Using OSINT tools you can monitor your own specific industry to determine what strategies and exploits are currently being used by cybercriminals against like companies. Determining this will allow you to take extra and specific precautions to fend off similar attacks which could potentially be turned on you.
Detect New Ransomware and Strategies
Cybercriminals are continuously evolving and updating their strategies and the ransomware that go with them. We are unlikely to see the end of this development.
By using OSINT to monitor darknet forums and market places security professionals are able to learn about the newest strategies being employed, the most recent weaknesses being exploited, and the most current software being utilized. Armed with this knowledge they are much more able to develop effective countermeasures as well as actively prevent ransomware infection.