What Does Ransomware Allow Hackers to Do?
In a ransomware attack, hackers use malware to encrypt, delete or manipulate data, intellectual property or personal information. This allows attackers to hold the information, device or system digitally hostage until the victim meets the cybercriminal’s ransom demands, which usually involve secure, untraceable payment.
Ransomware remains one of the most profitable tactics for cybercriminals, with increasing ransom demands often ranging from $1 million to $10 million USD. It is important to note that paying the hacker’s ransom demand is no guarantee that the system will be restored or that stolen data will not be shared or sold on the dark web.
Types of Ransomware
Ransomware variants take many forms. Here we review some of the most common types of ransomware:
- Crypto ransomware or encryptors encrypt files and data within a system, making the content inaccessible without the decryption key.
- Lockers completely lock the user out of their system, rendering files and applications inaccessible. A lock screen displays the ransom demand.
- Scareware is fake software that claims to have detected a virus or other issue on the computer or mobile device and directs the user to pay to resolve the problem. Scareware can also lock a computer or flood the screen with pop-up alerts without actually damaging files.
- Doxware or leakware threatens to distribute sensitive personal or company information online, thus motivating victims to pay the ransom to prevent private data from falling into the wrong hands or entering the public domain. One variation is police-themed ransomware, wherein the cybercriminal masquerades as law enforcement and warns that illegal online activity has been detected and urges users to avoid jail time by paying a fine.
- RaaS (Ransomware as a Service) refers to malware hosted anonymously by a “professional” hacker who handles all aspects of the attack, from distributing ransomware to collecting payment and restoring access.
- Fileless Attacks or fileless ransomware are attacks in which the initial tactic does not result in an executable file written to the disk. Fileless ransomware uses pre-installed operating system tools, such as PowerShell or WMI, to allow the hacker to perform tasks without requiring a malicious executable file to be run on the compromised system.
How Do Ransomware Attacks Work?
Despite the wide variety of ransomware attack types, most work in the same way. Typically, malware is introduced into the network as an infected file, often downloaded via an email attachment. The file launches the ransomware program, which infects the system. In most ransomware attacks, the malware is programmed to encrypt data and append a new file extension, making the files inaccessible to the owner.
Other ways a ransomware attack is initiated include:
- Malvertising: Attacks that originate with a user clicking on a fake or infected online ad.
- Drive-by ransomware attacks: A more sophisticated form of ransomware, a drive-by attack leverages vulnerabilities in various browser plugins to launch the attack. It does not require any human action.
- Backup system attacks: Malware attacks that target the user’s backup systems to eliminate the chance that the victim can restore data personally.
- Mobile ransomware: Ransomware attacks that specifically target mobile devices, such as smartphones and tablets.
- Social engineering: Ransomware hackers may combine other attack techniques, such as phishing, to gather personal information and tailor their outreach, thus increasing the likelihood of success.
What Happens During a Ransomware Attack?
Though there is some variety in the types of ransomware attacks, most follow the same basic pattern. Here we review the seven basic stages of a ransomware attack:
1. Preparation
In the first stage of a ransomware attack, the attacker lays the foundation for their activity. This stage may include conducting email phishing or other social engineering techniques, researching network, browser or software vulnerabilities that can be exploited, or setting up malicious websites. Generally, the cybercriminal initiates the attack by goading the user to click on a malicious link, download an infected file or otherwise interact with a compromised asset, thereby installing the malicious software on the system or device.
2. Infection
In this stage of the attack, the malicious code establishes a line of communication with the attacker. This channel can also be used to install additional malware on the system. The ransomware infection phase may be brief, or it can last months or even years, as the cybercriminal waits for the optimal time to launch an attack. Given the growing sophistication of hackers, it is possible that the organization may not even be aware that an attack is in progress. To mitigate risk, it is crucial to identify the attack as soon as possible, ideally in the infection phase while the malware is still dormant. If the organization misses that window, then a comprehensive response plan is needed to minimize damage.
3. Activation
Following infection, the attacker will activate the attack. During this phase, the malware will begin to encrypt data or files. Depending on the type of attack, the user’s device may become locked or inaccessible. Since it is virtually impossible to decrypt data without the decryption key, most ransomware victims have three choices at this point:
- Surrender the data.
- Recover lost data from a backup system or twin.
- Pay the ransom.
4. Ransom demand
In this stage, the cybercriminal initiates contact with the ransomware victim and explains what the victim must do to regain control of their data or device. The communication will usually include detailed instructions for how to pay the ransom via untraceable cryptocurrency such as Bitcoin. In this stage, individual victims are unlikely to be able to access their data or encrypted files; for corporations or other organizations, this phase may impact operations, leading to significant revenue losses.
5. Payment and recovery
In this phase, the victim pays the ransom demand. The ransom payment is usually coordinated through a secure channel chosen by the ransomware attacker; payment is delivered via cryptocurrency. In the best-case scenario, ransom payment will result in the restoration of the user’s data and files and does not involve the sale of copied information on the dark web. It is important to realize that many cybercriminals do not possess a strong sense of integrity. Paying a ransom, however big, is no guarantee that the victim’s system will be restored.
6. Malware removal
Just as paying a ransom does not guarantee system restoration, it also does not mean that ransomware attackers will remove all instances of malware from the system. This means that organizations that have been breached in the past are at heightened risk of facing such an event in the future. During this stage, organizations should work with their cybersecurity partner to analyze the type of attack that occurred and ensure that all instances of the malware have been removed from their network. The cybersecurity firm may help the organization isolate affected areas of the network to remove malware and minimize the risk of reactivation during the restoration process.
7. Restoration
Once the malware has been safely removed, the system can resume normal operation. As part of this process, the organization may want to work with their cybersecurity partner to develop more robust security measures to help prevent ransomware attacks (and other types of cyberattacks) in the future. Organizations may also want to develop a sophisticated recovery method which can lead to system restoration without the need to pay the ransom in the event of future attacks.
Who Is A Ransomware Target?
Organizations of all sizes can be the target of ransomware. Although “big game hunting” is on the rise, ransomware is frequently aimed at small and medium-sized organizations, including state and local governments, which are increasingly seen as prime targets due to their relatively small security teams or a perceived lack of security maturity.
Ideal targets for ransomware include:
- Any group that is believed to have a small security team or relatively lax security practices. This may include universities and institutions of higher learning, as they often have a lower level of security, a large, evolving user base, and a high level of network activity, including file sharing and asset creation.
- Organizations with the ability to pay a ransom and who face significant reputational harm from not doing so. For example, banks, utilities, hospitals and government agencies are severely impacted by even a brief interruption of network service, in terms of lost revenues or, in some cases, loss of life or human suffering. These organizations also face significant reputational harm by falling victim to a high-profile or extended cyberattack.
- Organizations that hold sensitive data, including intellectual property, trade secrets, personal data or medical records. These organizations may be more likely to pay the ransom not just to regain access to their system, but also to avoid the bad publicity and public embarrassment that can be associated with being the victim of a data breach.
How to Protect Against A Ransomware Attack
Once ransomware encryption has taken place, it’s often too late to recover that data. That’s why the best ransomware defense relies on proactive prevention.
Ransomware is constantly evolving, making protection a challenge for many organizations. Follow these best practices to help keep your operations secure:
- Train all employees on cybersecurity best practices
- Keep your operating system and other software patched and up to date
- Implement and enhance email security
- Continuously monitor your environment for malicious activity and indicators of attack (IOAs)
- Integrate threat intelligence into your security strategy
- Develop ransomware-proof offline backups
- Implement an identity and access management (IAM) program
Preventing Ransomware Attacks with CrowdStrike
CrowdStrike Falcon® offers protection against ransomware. This feature becomes increasingly valuable as the popularity of ransomware continues to rise. Our approach with this feature is to actually stop ransomware from infecting a system and encrypting its files. We believe a prevention approach is absolutely necessary because decryption is often impossible, and because nobody wants to pay the ransom or restore from backups.
CrowdStrike uses its endpoint sensor to detect ransomware behaviors and then terminates the offending process before it can accomplish its goal of encrypting files. This is done using CrowdStrike indicator of attack (IOA) patterns on the endpoint. These work both online and offline, and are effective against new variants and polymorphic variants of ransomware that often bypass legacy antivirus signatures.
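To make the behavioral idea concrete, here is an added example (not CrowdStrike's code or any real IOA logic) of a toy detector that flags a process which, within a short window, rewrites many files under a new extension with high-entropy content, the encrypt-and-rename pattern described above. The file-write events, process names and thresholds are all constructed for illustration.

```python
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # sliding window per process (assumed tuning value)
MIN_FILES = 5            # suspicious writes within the window that trigger an alert
ENTROPY_THRESHOLD = 7.0  # bits/byte; encrypted or compressed data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_suspicious_write(event) -> bool:
    """Rename to a different extension plus high-entropy content looks like encryption."""
    _ts, _proc, old_path, new_path, data = event
    old_ext = old_path.rsplit(".", 1)[-1].lower()
    new_ext = new_path.rsplit(".", 1)[-1].lower()
    return old_ext != new_ext and shannon_entropy(data) >= ENTROPY_THRESHOLD

def detect(events):
    """Return {process: timestamp of first alert} for processes over the threshold."""
    recent = defaultdict(deque)   # per-process timestamps of suspicious writes
    alerts = {}
    for event in sorted(events, key=lambda e: e[0]):
        ts, proc = event[0], event[1]
        if not is_suspicious_write(event):
            continue
        window = recent[proc]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()            # drop writes older than the window
        if len(window) >= MIN_FILES and proc not in alerts:
            alerts[proc] = ts
    return alerts

HIGH = bytes(range(256)) * 4              # constructed: uniform bytes, entropy 8.0
TEXT = b"Quarterly report draft. " * 20   # constructed: ordinary document text

# Constructed events: (timestamp, process, original path, written path, content).
# The archiver writes two high-entropy .zip files, staying under the threshold.
EVENTS = [
    (100.0, "winword.exe", "C:/u/report.docx", "C:/u/report.docx", TEXT),
    (101.0, "7z.exe", "C:/u/a.txt", "C:/u/a.zip", HIGH),
    (101.5, "7z.exe", "C:/u/b.txt", "C:/u/b.zip", HIGH),
] + [(120.0 + i * 0.2, "ransom.exe", f"C:/u/f{i}.docx", f"C:/u/f{i}.locked", HIGH)
     for i in range(6)]

if __name__ == "__main__":
    print(detect(EVENTS))  # {'ransom.exe': 120.8}
```

The archiver case shows why such a rule needs tuning and an allow-list: legitimate compression or backup tools produce the same entropy signature, so the window and file count, not entropy alone, carry the signal.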