Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have?
Substitute your digital space for your home and encryption for the safe and you have what’s known as ransomware. Ransomware is a type of malware. After the initial infection, your files are encrypted, and a note appears demanding payment, which is usually in the form of cryptocurrency such as bitcoin because transactions can’t be stopped or reversed. Once your files are encrypted, you can’t access them until you pay the ransom.
The roots of ransomware can be traced back to 1989. The virus, known as PC Cyborg, was spread through diskettes given to attendees of a World Health Organization International AIDS conference. Victims of PC Cyborg were told to mail $189 to a P.O. box in Panama to restore access to their data.
Historically, ransomware was mass-distributed indiscriminately, and the machines that ended up infected were mostly personal ones. Today, the big money is in attacking businesses. Most of these infections go unreported because companies don’t want to expose themselves to further attacks or reputational damage.
Criminals know the value of business data and the cost of downtime. Because they service multiple SMB customers simultaneously, managed service providers (MSPs) are now an especially attractive target. A successful attack on an MSP magnifies the impact of attacks and the value of the ransom.
Primary ransomware attack vectors – with more detailed descriptions below – include:
- Phishing
- Cryptoworms
- Polymorphic malware
- Ransomware as a Service (RaaS)
- Targeted attacks
Phishing: Still the No. 1 Ransomware threat
Ninety percent of all ransomware infections are delivered through email. The most common way to receive ransomware from phishing is through a Microsoft Office attachment. Once opened, the victim is asked to enable macros. This is the trick: if the user clicks to enable the macro, ransomware is deployed to the machine. Phishing remains a significant and persistent threat to businesses and individuals. The Webroot 2020 Threat Report showed a 640% increase in the number of active phishing sites since 2019.
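As an added example (not code from the original post), here is a Python check a mail gateway or analyst could run on an OOXML attachment to learn whether it carries a VBA project at all, before any user ever sees an "enable macros" prompt. It inspects the zip package and its content-type manifest; build_sample constructs a minimal package so the check runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # Office's type for the VBA project part
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"

def office_macro_report(data: bytes) -> dict:
    """Report VBA macro parts in an OOXML attachment without opening it in Office."""
    # Legacy OLE2 files (.doc/.xls) are not zips and come back with ooxml=False.
    report = {"ooxml": False, "vba_parts": [], "has_macros": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    report["ooxml"] = True
    names = zf.namelist()
    # A part named vbaProject.bin is the macro container, whatever the file extension claims.
    parts = {n for n in names if n.lower().endswith("vbaproject.bin")}
    # [Content_Types].xml also declares the VBA content type, per part (<Override>)
    # or per extension (<Default Extension="bin">); check both in case the part was renamed.
    if "[Content_Types].xml" in names:
        try:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
        except ET.ParseError:
            root = ET.Element("unparseable")  # nothing to iterate; the name check above still applies
        for el in root.iter(f"{{{CT_NS}}}Override"):
            if el.get("ContentType") == VBA_CONTENT_TYPE:
                parts.add(el.get("PartName", "").lstrip("/"))
        for el in root.iter(f"{{{CT_NS}}}Default"):
            if el.get("ContentType") == VBA_CONTENT_TYPE:
                ext = "." + el.get("Extension", "").lower()
                parts.update(n for n in names if n.lower().endswith(ext))
    report["vba_parts"] = sorted(parts)
    report["has_macros"] = bool(parts)
    return report

def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package for testing; not a real Word document."""
    decl = '<Types xmlns="%s"><Default Extension="xml" ContentType="application/xml"/>' % CT_NS
    if with_macros:
        decl += '<Default Extension="bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", decl + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()
```

A positive report is a reason to quarantine or sandbox the attachment; a negative one for a non-OOXML file says nothing, since legacy binary formats need a separate parser.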
Cryptoworms
Cryptoworms are a form of ransomware that is able to gain a foothold in an environment and then move laterally throughout the network to infect all other computers for maximum reach and impact. The most spectacular incarnation of a cryptoworm was WannaCry in 2017, which affected more than 200,000 computers in 150 countries and caused hundreds of millions in damages.
Polymorphic malware
One of the more notorious forms of ransomware circulating today is polymorphic malware, which makes small changes to its signature for each payload dropped on a machine – effectively making it a brand new, never-before-seen file. Its ability to morph into a new signature enables it to evade many virus detection methodologies. Studies show that 95% of malware is now unique to a single PC, largely due to the shape-shifting abilities of polymorphic malware code. Today, nearly all ransomware is polymorphic, making it more difficult to detect with signature-based antivirus technologies.
Ransomware as a Service (RaaS)
Ransomware has become so lucrative and popular that it’s now available as a “starter kit” on the dark web. This allows novice cybercriminals to build automated campaigns. Many of these kits provide the payload free of charge, but criminals owe the author a cut of every ransom payment made using their payload (around 30%, though this can vary with the number of infections). GandCrab, also known as Sodinokibi, was perhaps the most famous to use this tactic.
Targeted attacks
Cybercriminals are moving away from mass distribution in favor of highly focused, targeted attacks. These attacks are typically carried out using tools that automatically scan the internet for weak IT systems, so they are usually opportunistic, driven by whatever the vulnerability scanners turn up. Targeted attacks often work by attacking computers with open RDP ports. Common targets include businesses with lots of computers but not a lot of IT staff or budget, which usually means the education, municipal government, and healthcare sectors are the most vulnerable.
Stay cyber resilient with multi-layered defense
As you can see, ransomware authors have a full quiver of options when it comes to launching attacks. The good news is, there are as many solutions for defending systems against them. The best way to secure your data and your business is to use a multi-layered cyber resilience strategy, also known as defense in depth. This approach uses multiple layers of security to protect the system. We encourage businesses of all sizes to deploy a defense-in-depth strategy to secure business data from ransomware and other common causes of data loss and downtime. Here’s what that looks like.
Backup
Backup with point-in-time restore gives you multiple recovery points to choose from. It lets you roll back to a prior state before the ransomware virus began corrupting the system.
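An added example, not from the original post, of what choosing that recovery point looks like in code: a toy snapshot store that finds the snapshot in which a file first came back high-entropy (a crude sign that it was encrypted) and rolls back to the last snapshot before it. The sample files and timestamps are constructed; the entropy threshold of 7.0 bits per byte is an assumed heuristic.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, documents well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class PointInTimeBackup:
    """Toy backup store: every take() records a full snapshot keyed by timestamp."""
    def __init__(self, entropy_threshold: float = 7.0):
        self.snapshots = {}  # timestamp -> {path: content}
        self.threshold = entropy_threshold

    def take(self, ts: int, files: dict) -> None:
        self.snapshots[ts] = dict(files)

    def first_corrupted_ts(self):
        """Earliest snapshot in which a previously low-entropy file came back high-entropy."""
        # Assumes the ransomware overwrote files in place; renamed files would need path mapping.
        prev = None
        for ts in sorted(self.snapshots):
            snap = self.snapshots[ts]
            for path, data in snap.items():
                old = (prev or {}).get(path)
                if old is not None and shannon_entropy(old) < self.threshold <= shannon_entropy(data):
                    return ts
            prev = snap
        return None

    def restore_point(self):
        """Latest recovery point taken before corruption began (latest overall if none)."""
        bad = self.first_corrupted_ts()
        clean = [ts for ts in self.snapshots if bad is None or ts < bad]
        return max(clean) if clean else None

    def restore(self):
        ts = self.restore_point()
        return ts, (dict(self.snapshots[ts]) if ts is not None else {})

# Constructed sample: two clean backups, then the file is found encrypted in the third.
if __name__ == "__main__":
    store = PointInTimeBackup()
    store.take(100, {"docs/report.txt": b"quarterly report: revenue up 4%\n" * 20})
    store.take(200, {"docs/report.txt": b"quarterly report: revenue up 5%\n" * 20})
    store.take(300, {"docs/report.txt": bytes(range(256)) * 4})  # stands in for ciphertext
    print("roll back to snapshot", store.restore_point())  # 200
```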
Advanced threat intelligence
Antivirus protection is still the first line of defense. Threat intelligence, identification and mitigation in the form of antivirus is still essential for preventing known threats from penetrating your system.
Security awareness training
Your biggest vulnerability is your people. Employees need to be trained on how to spot suspicious emails and what to do if they suspect an email is malicious. According to our research, regular user training can reduce malware clickthrough rates by 220%.
Patch and update applications
Cybercriminals are experts at identifying and exploiting security vulnerabilities. Failing to install necessary security patches and update to the latest version of applications and operating systems can leave your system exposed to an attack.
Disable what you’re not using
Disable macros for most of the organization, as only a small percentage of users will need them. This can be done per user or at the Group Policy level via the registry. Similarly, disabling scripting engines such as HTA, VBA, Java, and PowerShell will also take away these powerful tools that criminals use to sneak infections into an environment.
Ransomware mitigation
Make sure your IT staff and employees know what to do when a ransomware virus penetrates your system. The affected device should immediately be taken offline. If it’s a networked device, the entire network should be taken down to prevent the spread of the infection.
Want to learn more about how to protect your business or clients from ransomware? Here are five actionable tips for better defending against these attacks.