What is Ransomware: A Recap
Ransomware is a type of malicious software, or malware, which prevents or limits users from accessing systems or data. This is typically accomplished either by limiting or restricting access to systems (locker ransomware) or by encrypting files on infected systems (crypto-ransomware). Often referred to as a ransom demand, attackers then make a demand in exchange for the decryption keys or the tools required to decrypt or unlock affected systems or data.
While executing the ransomware may be the initial goal of a novice attacker, a more advanced attacker may not immediately deploy ransomware and encrypt victim systems following the initial compromise. Rather, attackers may choose to bide their time and conduct reconnaissance to identify critical systems where data is stored (e.g., backup storage locations, other critical datasets, etc.). The attackers can then leverage vulnerabilities and establish persistence mechanisms to extract target datasets for later extortion attempts, waiting only until the attack is detected or until they have satisfied their objectives before executing the ransomware.
The ransom demand may vary based on the victim or the attacker’s end goal(s). Some attackers may only request payment to unlock encrypted files or systems. However, a dual or double extortion scheme involves the attacker demanding payment to not only decrypt or unlock systems and data but also a separate demand to prevent public disclosure or sale of extracted data from the victim network. These demands may include physical payments, digital payments, or a combination of both. Digital payments, commonly facilitated through digital currencies (e.g., bitcoin) are by far the most popular due to limitations in governance and tracking mechanisms for payments.
The ransomware threat has evolved significantly over the last decade to become one of the most significant, high-profile, and prevalent cyber threats to organizations today. The cost and impact on both organizations and individuals cannot be understated, resulting in millions of dollars in losses per year.
How Does Ransomware Spread?
Arguably, the most common vector for ransomware delivery has been facilitated through phishing emails. These emails attempt to entice users into opening attachments containing malicious code or following a URL redirecting victims to a malicious website for entering organizational credentials or downloading malware. Phishing is relatively inexpensive and easy to widely distribute, whether a weaponized attachment or a suspicious URL in an email. After all, it only takes one employee to enter their credentials or execute downloaded malware.
However, there are other common vectors for delivering ransomware, which include downloading unwanted or unauthorized programs from untrusted sites, introducing compromised USB devices (e.g., phone, USB, tablet, etc.), malvertising, or via exploits of vulnerabilities from outdated software.
How Does Ransomware Work?
Unfortunately, ransomware can be customized to accomplish a variety of tasks, which makes it particularly lucrative for use by attackers.
Once ransomware is successfully downloaded and executed on a victim system, specific code within the malware can be designed to complete a number of checks prior to initiating the encryption process. This may include seeking out certain file types, system configurations, and application settings to assist in the initial stages of deployment. Other actions may include bypassing security solutions, like host anti-virus, or enumeration of specific file types, like critical system files, data backup files, or individual file extensions (e.g., .ppt, .doc, etc.).
If the checks are passed, the ransomware initiates the encryption routine to lock out individual files, entire datasets, or the system entirely. As a final action, the ransom demand is issued to the victim, which may be accomplished through a text file on the desktop, changing the victim’s background, or an email sent from the attacker.
Ransomware Groups
The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.
While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild. Read the report here.
CyberMaxx researchers have identified the following ransomware groups:
- 8base
- akira
- bianlian
- blackbyteclop
- cryptnet
- cyclops
- darkrace
- everest
- lockbit3
- malas
- medusa
- moneymessage
- noescape
- play
- ragnarlocker
- rancoz
- ransomhouse
- royal
- stormous
- unsafe
Types of Ransomware
- BadRabbit: A variant of malware reportedly appeared in 2017. This malicious code propagated itself via drive-by downloads by assuming the appearance of an Adobe
- Flash Installer. Once a victim has downloaded BadRabbit, the virus locks private data until a ransom is paid, usually through Bitcoin.
- BitPaymer: Appearing to have been created by professional coders, BitPaymer was first detected in 2017, and has been reported to be a particularly nefarious strain of malware to be infected. BitPaymer, once inside a system, encrypts user data and generates a ransom note specifying the requested amount of money needed to regain access. Even with the decrypter, the process of regaining personal files is a laborious undertaking with BitPaymer.
- Cerber: As a part of a new extortion paradigm, Cerber is a ransomware application that is set up to be used as a service. Simply put, affiliates will purchase the application from the developers and help propagate the virus for a split in the profits. This allows for quicker dissemination and flows of profits that would otherwise be achieved by a single source spreading the malware.
- Conti: Reportedly detected in 2020, Conti is a strain of malware believed to be propagated by a Russian cybercriminal group. Conti can devastate an operating system with its encryption speed and has been observed to be spread to users by phishing attacks.
- Cryptolocker: Noted to have been a threat between 2013 to 2014, the Cryptolocker strain of ransomware acted from a trojan downloaded from infected email attachments. Once in a system, Cryptolocker would encrypt files stored on hard drives and connected
- Dharma: Another example of ransomware-as-a-service was first reported in 2016. Dharma has been observed to select targets from individual to medium-sized businesses. The Dharma strain of malware allows partition development and target identification into two demains: developer and affiliate. This means a Dharma attack will always come from a different perpetrator.
- DoppelPaymer: Propagated by the cybercriminal group known as Indrik Spider, which has been reportedly active since 2014. This strain of malware, like many others, is proliferated by infected emails. Once the malicious code is downloaded into a system, users are quickly locked out of their data as well as having sensitive information be compromised and used as leverage for higher Ransomes.
- GandCrab: First spotted in 2018, GandCrab is another example of malware as a service, and as such, utilizes affiliates to propagate attacks amongst both consumer and business targets to encrypt files and demand a ransom.
- Locky: Observed back in 2016, Locky was once one of the largest malware threats on the internet, but has since gone extinct. Locky not only holds a user’s files hostage but encrypts essential files as well, rendering window OSes virtually inoperable.
- Maze: Maze is can be considered one of the more sophisticated ransomware out there, and has been observed as an active threat since May 2019. Maze specializes in spreading via infected emails, brute force attacks, or exploit kits. Like much other ransomware, Maze priorities businesses across a wide variety of sectors, demanding cryptocurrency in exchange for the decryption of essential files.
- MeduzaLocker: The MedusaLocker strain of ransomware was first observed in September 2019. MedusaLocker ran rampant in the healthcare industry during the COVID-19 pandemic, encrypting essential data, and crippling business procedures unless a ransom was paid.
- NetWalker: Proliferated by paying affiliates, NetWalker is a particularly savage strain of malware first sighted in 2019, and suspected to be created by the cybercriminal group known as Circus Spider. Not only does NetWalker encrypt user data, but additionally threatens to leak sensitive information onto the dark web unless a hefty ransom is paid.
- NotPetya: Detected in 2017, NotPetya, a new variant of the Petya strain of malware emerged during a global cyberattack. NotPetya is thought to be held responsible by the Russian government, especially as Ukranian systems were in large part prioritized.
- Petya: Discovered in 2016, Petya is a malware strain that targets windows operating systems with the capability of preventing windows from booting. Like many others, Petya demands a ransom paid in Bitcoin to regain access.
- REvil: Thought to be authored by a Russian-based hacking group, REvil encrypts a user’s files demanding a ransom be paid in Bitcoin. If the Ransom is not paid in time, the amount demanded doubles.
- Ryuk: Thought to be created by the cybercriminal group known as WIZARD SPIDER in 2019, Ryuk devastated a range of industries from healthcare, and manufacturing, to governments. Ryuk is known for its incredibly steep ransom of $12.5 million dollars.
- SamSam: Taking to the art of covert operations, SamSam takes its time to ‘spy’ on a user system for a period of time before detection. The creators of SamSam utilized the malware to attack large organizations such as educational institutions or hospitals for a better chance of receiving a ransom payment.
- WannaCry: The WanaCry ransomware was a plague back in May 2017. This malware spread like wildfire across outdated Windows operating systems and demanded a ransom of $300 dollars in Bitcoin be paid, or have all encrypted files be deleted.
Conclusion
Unfortunately, even the most secure organizations are vulnerable to ransomware. Fortunately, there are a variety of security controls and frameworks available to assist in mitigating the organization’s risk and reducing the attack surface, including:
- Never click links from unknown sources or open files from untrusted senders
- Avoid disclosing personal information or credentials
- Do not open suspicious email attachments or follow links from untrusted sources
- Never use unknown or unauthorized USB sticks
- Keep your programs and operating system up to date – both mobile and desktop devices
- Only download authorized files from trusted and reputable sources
- Use VPN services for public Wi-Fi networks
- Periodic cybersecurity awareness training (e.g. phishing, ransomware, safe computing practices, acceptable use, etc.)
Among other actions, these controls should be documented within an organization’s incident response plan or playbooks. Since the cyber threat landscape is continuously evolving, organizational response documentation should be reviewed and tested on a scheduled basis to assist in identifying additional gaps and opportunities for improvement.