Trading in Fear: The Anatomy of Ransomware
Ransomware is an epidemic. Every day, more businesses, consumers, government, and other organizations are finding their critical data held hostage and collectively paying millions of dollars to get it back. In some cases — such as attacks on hospitals — it is literally threatening lives. Ransomware is mutating like a nightmare virus, while the world’s cybersecurity forces work feverishly to stop it.
As with the COVID-19 pandemic, it’s important to understand how the disease attacks and how it spreads so organizations can protect themselves and practice safer cyber hygiene. Let’s dive deeper to look at some of the “strains” of ransomware and how they infect computers, networks, and other devices.
Ransomware in a Nutshell
Most ransomware either locks the interface or encrypts files on a computer or network, sends users a ransom message, and (ideally) releases the interface or decrypts the data after the ransom is paid. The details of ransomware can and do vary widely, partly to keep attackers ahead of security experts and partly to keep victims off balance and paying.
According to The ICIT Ransomware Report, the first ransomware appeared in the 1980s, and ironically, until 10 years ago, most of it was fake. Fraudulent spyware removal tools and performance optimizers scared users into paying to fix problems that didn’t really exist.
Think of ransomware as falling into two main categories: commodity ransomware and human-operated ransomware. Commodity ransomware is fully automated in carrying out its mission once the malware is on the system, reports ThreatPost. Its “business model” is based on infecting thousands of systems and expecting a percentage of the victims to pay. It evolves and spreads: once launched, it searches for network drives and encrypts more files. Ultimately, it may be combined with a worm, which is self-replicating malware, so that it rapidly infects neighboring systems, which in turn infect their neighbors, and so on.
Human-operated ransomware is more sophisticated, typically resulting in a large ransom. This type of attack starts with an initial foothold in the organization and requires many manual steps to encrypt the data, requiring several weeks to pull off. This type of ransomware has been used to attack hospitals, municipalities, healthcare systems, and universities. There are several types of ransomware that have made their rounds in recent years:
Darkside was behind the attack that encrypted Colonial Pipeline’s IT network, as confirmed by the FBI. Little known at the time, the group is well-known now because of the massive disruption that attack caused.
Sodinokibi, also known as REvil, is responsible for encrypting the networks of large, high-profile organizations, according to ZDNet. Those behind Sodinokibi are known to demand payment of millions of dollars in exchange for decrypting the data and threaten to publish stolen information if the victims don’t pay up.
Maze ransomware was one of the most successful families of ransomware in 2020. This combined regular updates to the malware code with threats to leak stolen information.
WannaCry, aptly named, is still regarded as one of the biggest ransomware attacks to date. It caused chaos across the globe beginning in 2017, reportedly hitting more than 300,000 victims in 150 countries.
How does ransomware infect systems? Common vectors include email, drive-by download, remote desktop protocol (RDP), and free software, according to Splunk.
The success of any given ransomware variant depends on the technology and on how skillfully the attackers exploit the fears of the victims. On the technical side, successful ransomware needs to evade detection by security software long enough to install itself and do its dirty work, and it needs to employ locking or encryption strong enough that it can’t be easily broken. But powerful ransomware is widely available, so any “script kiddie” (a technically unsophisticated would-be hacker) can mount an attack in return for giving the developer a share of the profits. The successful cyber-extortionist is also able to work the psychological scam — via phishing attempts — scaring victims into paying rather than taking defensive measures. That means giving victims reasonable confidence that their systems will be restored, plus enough technical support that they can figure out how to pay in cryptocurrency.
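The file-encrypting behavior described above leaves traces a defender can look for even when the encryption itself cannot be broken: files renamed with an unusual suffix, file contents that have become near-random, and a ransom note dropped into the directory. The following script is an added example (not code from the article or from IDX) that scores a directory tree on those three indicators. The suffix list, note keywords and thresholds are assumptions a defender would replace with current threat intelligence; the sample trees are constructed inline, and the "infected" tree only writes random bytes under renamed names to mimic what a scan finds after an incident.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Constructed indicator lists (assumptions, not from the article): replace with
# suffixes and note phrases taken from current threat intelligence.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
RANSOM_NOTE_MARKERS = ("decrypt", "bitcoin", "ransom")
HIGH_ENTROPY_THRESHOLD = 7.5   # bits per byte; English text sits near 4-5
MIN_SIZE_FOR_ENTROPY = 64      # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. 8.0 means every byte value is equally likely,
    which is what well-encrypted (or compressed) content looks like."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """True when a file, read as text, mentions at least two marker words."""
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return sum(marker in text for marker in RANSOM_NOTE_MARKERS) >= 2


def scan_directory(root, high_entropy_ratio: float = 0.5) -> dict:
    """Score a tree on three post-incident indicators. A note or a renamed file
    alerts on its own; high entropy only alerts as a ratio, because single
    near-random files (ZIPs, JPEGs) are normal while a mostly random tree is not."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    high_entropy, renamed, notes = [], [], []
    for p in files:
        data = p.read_bytes()
        if p.suffix.lower() in SUSPICIOUS_EXTENSIONS:
            renamed.append(p.name)
        if len(data) >= MIN_SIZE_FOR_ENTROPY and shannon_entropy(data) >= HIGH_ENTROPY_THRESHOLD:
            high_entropy.append(p.name)
        if looks_like_ransom_note(p):
            notes.append(p.name)
    ratio = len(high_entropy) / len(files) if files else 0.0
    return {
        "files_scanned": len(files),
        "high_entropy": sorted(high_entropy),
        "renamed": sorted(renamed),
        "ransom_notes": sorted(notes),
        "high_entropy_ratio": ratio,
        "alert": bool(notes) or bool(renamed) or ratio >= high_entropy_ratio,
    }


def build_fixture(root: Path, encrypted: bool) -> None:
    """Constructed sample tree. The 'encrypted' variant writes random bytes under
    renamed filenames plus a note to mimic an aftermath; nothing is encrypted."""
    rng = random.Random(42)
    body = ("Meeting notes: discuss quarterly budget and hiring plan.\n" * 40).encode()
    for stem in ("budget.xlsx", "plan.docx", "minutes.txt"):
        if encrypted:
            (root / f"{stem}.locked").write_bytes(rng.randbytes(2048))
        else:
            (root / stem).write_bytes(body)
    if encrypted:
        (root / "README_DECRYPT.txt").write_text(
            "Your files have been encrypted. To decrypt them, send bitcoin to the address below.\n")


def demo() -> tuple:
    """Scan a clean tree and a post-incident tree; returns both reports."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as hit:
        build_fixture(Path(clean), encrypted=False)
        build_fixture(Path(hit), encrypted=True)
        return scan_directory(clean), scan_directory(hit)


if __name__ == "__main__":
    clean_report, hit_report = demo()
    print("clean alert:", clean_report["alert"], "| infected alert:", hit_report["alert"])
```

In practice this check is most useful as a delta: run it on a schedule and alert when the high-entropy ratio of a document share jumps between scans, rather than on a single absolute reading.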
Ransomware Attack Vectors
As with other malware, the spread of ransomware often depends on a lack of awareness, and cyber-extortionists keep coming up with new ways to infiltrate systems. Typical ransomware attack vectors include:
Phishing: Phishing is the number one delivery vehicle for ransomware, according to Deloitte. How it works: an email is sent to an unwitting user, luring the victim into downloading malicious content (ransomware) that encrypts their data and demands a ransom.
Layered attacks: Criminals who have already infected a system sometimes sell access to ransomware criminals. The undetected malware on the so-called “zombie” machine can download the ransomware and remain after the ransom is paid, waiting for another opportunity to steal data or extort payment.
Embedded: Ransomware is sometimes embedded in seemingly legitimate downloads such as software updates or resume files. Even something as seemingly innocent as opening an email attachment could enable malicious macros, and downloading a ZIP file could deliver a malicious file hidden inside it.
Self-propagation: Once inside a network, some ransomware can seed itself through the network to additional computers or other devices via SMS messages, a USB device, or a user’s contact list.
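The phishing and embedded vectors above both arrive as a file: a "resume" that is really an executable, an Office document carrying a macro, or a ZIP with a program inside. The script below is an added example (not code from the article or from IDX) of the kind of attachment triage a mail gateway or SOC tooling performs before a user ever opens the file. The extension lists are assumptions to tune to local policy; the attachments are constructed inline and none is real malware. The one content check that is not a guess is the `vbaProject.bin` part: modern Office files are ZIP containers, and that part is where the VBA macro lives, so it reveals a macro even when the file has been renamed to a macro-free extension.

```python
import io
import zipfile

# Constructed classification lists (assumptions, not from the article);
# tune them to your own mail-gateway policy.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
ZIP_MAGIC = b"PK\x03\x04"   # local file header that opens every ZIP / OOXML file


def _extension(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment should be quarantined
    (an empty list means nothing suspicious was found)."""
    findings = []
    name = filename.lower()
    parts = name.split(".")
    ext = _extension(name)

    # "resume.pdf.exe": a document-looking name with an executable suffix.
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        findings.append("double extension masquerading as a document")
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable attachment type")
    if ext in MACRO_EXTENSIONS:
        findings.append("macro-enabled Office extension")

    # Content checks: never trust the extension alone.
    if data[:2] == b"MZ":
        findings.append("Windows PE header")
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                inner = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            inner = []
            findings.append("ZIP container could not be parsed")
        # Office documents are ZIPs; a vbaProject.bin part means a macro is
        # present even if the file was renamed to .docx / .xlsx.
        if any(n.endswith("vbaproject.bin") for n in inner):
            findings.append("VBA macro project inside Office container")
        if ext == ".zip":
            executables = [n for n in inner if _extension(n) in EXECUTABLE_EXTENSIONS]
            if executables:
                findings.append("ZIP contains executable: " + ", ".join(executables))
    return findings


def _zip_bytes(entries: dict) -> bytes:
    """Build a small ZIP in memory from {path: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def sample_attachments() -> dict:
    """Constructed attachments for the demo; none is real malware."""
    return {
        "quarterly_report.docx": _zip_bytes({"[Content_Types].xml": "<Types/>",
                                             "word/document.xml": "<w:document/>"}),
        "resume.docx": _zip_bytes({"word/document.xml": "<w:document/>",
                                   "word/vbaProject.bin": b"\x00stub"}),
        "invoice.zip": _zip_bytes({"invoice.pdf.exe": b"MZstub"}),
        "resume.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    }


def triage_all(attachments: dict = None) -> dict:
    """Map each attachment name to its list of findings."""
    attachments = attachments if attachments is not None else sample_attachments()
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {findings or 'clean'}")
```

The extension checks catch the careless cases; the content checks (PE magic, ZIP listing, macro part) are what catch a renamed file, which is the case the "embedded" vector relies on.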
Fighting Fear Itself
At this point, the technology behind ransomware is formidable, as developers employ stronger encryption and more tactics to elude detection. Eventually, security technologies will catch up, but in the meantime, organizations and individuals need to avoid giving in to fear, because that is the ransomware criminal’s greatest weapon. Just as the earliest forms of ransomware extorted users with non-existent threats, much of today’s ransomware is not as invincible as it seems — which is why attackers keep coming up with scarier tactics for their malware.
What are the most common types of malware? Viruses, worms, Trojan horses, spyware, adware, and ransomware. As we have outlined, cybercriminals profit greatly from ransomware. One of the most brutal forms of malware is polymorphic malware, which constantly changes its code and encryption keys to evade detection. This sounds like reality mimicking the latest sci-fi movie.
While there is no perfect defense against ransomware, there are remedies that your organization can try before facing the ultimate question, “To pay or not to pay.” Let’s look at some steps you should take, possible ransomware cures, and steps to take after the crisis has passed.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.