Ransomware: EVERYTHING YOU NEED TO KNOW

Kurt Baker - July 20, 2021

What is Ransomware?

Ransomware is a type of malware attack that encrypts a victim’s data until a payment is made to the attacker. If the ransom payment is not made, the malicious actor publishes the data on data leak sites (DLS) or blocks access to the files in perpetuity.

Ransomware remains one of the most profitable tactics for cybercriminals, with the global cost of ransomware in 2020 estimated at $20 billion and the average ransom payment totaling $84,000.

Ransomware Resources

Latest Ransomware News

In 2020, CrowdStrike predicted that the ransomware threat would only worsen, and news since have borne this out. Hardly a day passes without news of another company, hospital, school district or municipal government temporarily brought to a halt by ransomware. Stories of attacks since the start of May 2021 alone include:

> All Ransomware Attack News

How Do Ransomware Attacks Work?

Today, ransomware is usually distributed through highly targeted phishing emails, social engineering schemes, watering hole attacks or malvertising networks. In most cases, the victim ends up clicking a malicious link, introducing the ransomware variant on their device.

After a device or system has been infected, ransomware gets to work immediately to identify and encrypt the victim’s files. Once the data has been encrypted, a decryption key is required to unlock the files. In order to get the decryption key, the victim must follow the instructions left on a ransom note that outline how to pay the attacker – usually in Bitcoin.

Threat actors count on individuals and enterprise users becoming so frantic about regaining timely access to data that they’ll be willing to shell out a hefty ransom for the decryption key necessary to unlock the data.

ransom letter from hackers demanding bitcoin

Ransom letter demanding payment in bitcoin

Types of Ransomware

Encrypting Ransomware: In this instance the ransomware systematically encrypts files on the system’s hard drive, which becomes difficult to decrypt without paying the ransom for the decryption key. Payment is asked for using BitCoin, MoneyPak, PaySafeCard, Ukash or a prepaid (debit) card.

Screen Lockers: Lockers completely lock you out of your computer or system, so your files and applications are inaccessible. A lock screen displays the ransom demand, possibly with a countdown clock to increase urgency and drive victims to act.
Scareware: Scareware is a tactic that uses popups to convince victims they have a virus and directs them to download fake software to fix the issue

Malvertising: Malvertising — or malicious advertising — is a technique that injects malicious code within digital ads

History of Ransomware

  • The First Attack: In the late 1980s, criminals were already holding encrypted files hostage in exchange for cash sent via the postal service. One of the first ransomware attacks ever documented was the AIDS trojan (PC Cyborg Virus) that was released via floppy disk in 1989.

  • Monetization: As cryptocurrencies started to gain more mainstream appeal, ransomware perpetrators recognized them as the method of monetary extraction they’d been seeking. Bitcoin exchanges provided adversaries the means of receiving instant payments while maintaining anonymity.
  • CryptoLocker Appears: In 2013, this revolutionary new breed of ransomware not only harnessed the power of Bitcoin transactions, but combined it with more advanced forms of encryption. It used 2048-bit RSA key pairs generated from a command-and-control server and delivered to the victim to encrypt their files, making sure victims had no way out unless they paid a tidy sum of about $300 for the key.

  • The Advent of Big Game Hunting: To optimize their efforts, ransomware operators decided to pivot from the “spray and pray” style of attacks that were dominating the ransomware space and focus on “big game hunting” (BGH). BGH combines ransomware with the tactics, techniques and procedures (TTPs) common in targeted attacks aimed at larger organizations.

Read On > The Detailed History of Ransomware

Who Does Ransomware Target?

Organizations of all sizes can be the target of ransomware. Although big game hunting is on the rise, ransomware is frequently aimed at small and medium-sized organizations, including state and local governments, which are often more vulnerable to attacks.

Small businesses are targeted for a number of reasons, from money and intellectual property (IP) to customer data and access. In fact, access may be a primary driver because an SMB can be used as a vector to attack a larger parent organization or the supply chain of a larger target.

The success of ransomware attacks on small businesses can be attributed to the unique challenges associated with smaller size and also the more ubiquitous challenges faced by organizations of any size: the human element. While a work-issued computer is common and even expected in larger organizations, smaller organizations do not always provide work computers and instead can rely on employees using their personal devices.

These devices are used both for work-related purposes, including accessing and storing privileged documents and information, along with personal activities such as browsing and searching. These dual-purpose machines contain high volumes of both business and personal information, including credit card information, email accounts, social media platforms, and personal photos and content.

Universities, for example, often have smaller security teams and a large user base that engages in a lot of file sharing, so defenses are more easily penetrated. Medical organizations may also be targeted because they often need immediate access to their data and lives may be at stake, leading them to pay right away. And financial institutions and law firms may be more likely to pay the ransom because of the sensitivity of their data—and to pay it quietly to avoid negative publicity.

Targeted Industries During COVID-19

The global pandemic has caused ransomware actors to prey on certain industries. One of their main targets are healthcare organizations. Data from the 2021 CrowdStrike Global Threat Report shows that over 100 healthcare organizations have already been targeted by Big Game Hunters during COVID-19. 

This comes after Big Game Hunters such as TWISTED SPIDER claimed they would refrain from infecting medical organizations until the pandemic has stabilized. As it turns out, TWISTED SPIDER was responsible for at least 26 successful healthcare ransomware infections with their Maze and Egregor families. 

Another interesting trend is the increasing number of attacks that use data extortion tactics. This is summarized within CrowdStrike’s Ransomware During 2020 Infographic. There were 1,430 attacks detected by CrowdStrike Intelligence services that used data extortion according to the 2021 CrowdStrike Global Threat Report. These attacks have been broken done by industry below: 

bubble chart displaying ransomware data extortion by industry

Industrials & engineering was the most attacked industry by data extortion tactics in 2020 (229 incidents). This was closely followed by manufacturing (228 incidents), technology (145 incidents), retail (142 incidents), and healthcare (97 incidents). 

Targeted Countries During COVID-19

Survey Data from the 2020 CrowdStrike Global Security Attitude Survey reveals that the following countries have been the most impacted by all types of ransomware attacks during 2020:

Table Showing The Countries Most Impacted By Ransomware During COVID-19

India has the most respondents reporting at least one ransomware attack in 2020 (74%). This is closely followed by Australia (67%), France (60%), Germany (59%), and the U.S. (58%).

In terms of data extortion, it’s clear there is a bias towards North America. According to CrowdStrike Intelligence & the 2021 CrowdStrike Global Threat Report, there were 947 incidents identified here, 117% higher than second place Europe (342 incidents). 

Global Map Showing The Distribution Of Ransomware Attacks That Used Data Extortion In 2020

Similar trends are expected in 2021, in fact 72% of recent surveyed cybersecurity experts in the 2020 CrowdStrike Global Attitudes Survey have said they are more worried about ransomware attacks as a result of COVID-19.

Should You Pay the Ransom?

The FBI does not support paying a ransom in response to a ransomware attack. They argue paying a ransom not only encourages the business model, but it also may go into the pockets of terror organizations, money launderers, and rogue nation-states. Moreover, while few organizations publicly admit to paying ransoms, adversaries will publicize that info on the dark web – making it common knowledge for other adversaries looking for a new target.

Paying the ransom doesn’t result in a faster recovery or a guaranteed recovery. There may be multiple decryption keys, there may be a bad decryption utility, the decryptor may be incompatible with the victim’s operating system, there may be double decryption and the decryption key only works on one layer, and some data may be corrupted. Less than half of ransomware victims are able to successfully restore their systems.

How to Protect Against a Ransomware Infection

Once ransomware encryption has taken place, it’s often too late to recover that data. That’s why the best ransomware defense relies on proactive prevention.

Ransomware is constantly evolving, making protection a challenge for many organizations. Follow these best practices to help keep your operations secure:

1. Train all employees on cybersecurity best practices:

Your employees are on the front line of your security. Make sure they follow good hygiene practices — such as using strong password protection, connecting only to secure Wi-Fi and never clicking on links from unsolicited emails.

2. Keep your operating system and other software patched and up to date:

Cybercriminals are constantly looking for holes and backdoors to exploit. By vigilantly updating your systems, you’ll minimize your exposure to known vulnerabilities.

3.Implement and Enhance Email Security

CrowdStrike recommends implementing an email security solution that conducts URL filtering and also attachment sandboxing. To streamline these efforts, an automated response capability can be used to allow for retroactive quarantining of delivered emails before the user interacts with them.

4. Continuously monitor your environment for malicious activity and IOAs:

CrowdStrike® Falcon Insight™ endpoint detection and response (EDR) acts like a surveillance camera across all endpoints, capturing raw events for automatic detection of malicious activity not identified by prevention methods and providing visibility for proactive threat hunting.

For stealthy, hidden attacks that may not immediately trigger automated alerts, CrowdStrike offers Falcon OverWatch™ managed threat hunting, which comprises an elite team of experienced hunters who proactively search for threats on your behalf 24/7.

5. Integrate threat intelligence into your security strategy:

Monitor your systems in real time and keep up with the latest threat intelligence to detect an attack quickly, understand how best to respond, and prevent it from spreading. CrowdStrike Falcon X automates threat analysis and incident investigation to examine all threats and proactively deploy countermeasures within minutes.

6. Develop Ransomware-Proof Offline Backups

When developing a ransomware-proof backup infrastructure, the most important idea to consider is that threat actors have targeted online backups before deploying ransomware to the environment.

For these reasons, the only sure way of salvaging data during a ransomware attack is through ransomware-proof backups. For example, maintaining offline backups of your data allows for a quicker recovery in emergencies.

7. Implement a Robust Identity Protection Program

Organizations can improve their security posture by implementing a robust identity protection program to understand on-premises and cloud identity store hygiene (for example, Active Directory, Azure AD). Ascertain gaps, and analyze behavior and deviations for every workforce account (human users, privileged accounts, service accounts), detect lateral movement, and implement risk-based conditional access to detect and stop ransomware threats.

Get to Know the Author

Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.