Ransomware is a type of malware that denies access to your system and personal information, and demands a payment (ransom) to get your access back.
Payment may be required through cryptocurrency, credit card or untraceable gift cards — and paying doesn’t ensure that you regain access. Even worse, victims who do pay are frequently targeted again. And just one infection can spread ransomware throughout an entire organization, crippling operations. It’s maddening, panic-inducing — and effective.
With ransoms ranging from hundreds of dollars to tens of thousands, cybercriminals have extracted billions from victims across all industries in recent years. In fact, Cybersecurity Venture predicts that ransomware damage will exceed $11 billion in 2019. One reason it’s so effective is that it takes many guises, and you have to be aware of all of them in order to effectively protect your data and your entire network.
How Do Ransomware Attacks Work?
There are several ways ransomware can get into your computer or system. One of the most common is via email phishing and spam — messages that include either a malicious attachment or a link to a malicious or compromised website. Once an unsuspecting user opens the attachment or clicks the link, the ransomware can infect the victim’s computer and spread throughout the network.
Another route is using an exploit kit to take advantage of a security hole in a system or program, like the infamous WannaCry worm that infected hundreds of thousands of systems worldwide using a Microsoft exploit. It can also take the form of a fake software update, prompting users to enable admin capabilities and install malicious code.
Once ransomware has infected the system, it generally either blocks access to the hard drive or encrypts some or all of the files on the computer. You may be able to remove the malware and restore your system to a previous state, but your files will remain encrypted because they’ve already been made unreadable, and decryption is mathematically impossible without the attacker’s key.
The ransom itself is set at a level that’s low enough to be payable, but high enough to make it worthwhile for the attacker, prompting companies to do a cost-benefit analysis of how much they’re willing to pay to unlock their systems and resume daily operations. Cyber criminals may also target certain organizations or industries to exploit their specific vulnerabilities and maximize the chances of a ransom being paid.
Universities, for example, often have smaller security teams and a large user base that engages in a lot of file sharing, so defenses are more easily penetrated. Medical organizations may also be targeted because they often need immediate access to their data and lives may be at stake, leading them to pay right away. And financial institutions and law firms may be more likely to pay the ransom because of the sensitivity of their data—and to pay it quietly to avoid negative publicity.
What Are the Different Types of Ransomware?
Ransomware takes many forms, but they all have one thing in common — they demand a ransom in exchange for restored access to your system or files. It’s also important to remember that you’re dealing with criminals, they don’t always follow through with their end of the “deal.” Ransomware attacks are designed to prey on people’s desperation and fear in order to convince victims to pay.
Here are the most common types:
1. Crypto malware or encryptors are one of the most well-known and damaging variants. This type encrypts the files and data within a system, making the content inaccessible without a decryption key.
2. Lockers completely lock you out of your system, so your files and applications are inaccessible. A lock screen displays the ransom demand, possibly with a countdown clock to increase urgency and drive victims to act.
3. Scareware is fake software that claims to have detected a virus or other issue on your computer and directs you to pay to resolve the problem. Some types of scareware lock the computer, while others simply flood the screen with pop-up alerts without actually damaging files.
4. Doxware or leakware threatens to distribute sensitive personal or company information online, and many people panic and pay the ransom to prevent private data from falling into the wrong hands or entering the public domain. One variation is police-themed ransomware, which claims to be law enforcement and warns that illegal online activity has been detected, but jail time can be avoided by paying a fine.
5. RaaS (Ransomware as a Service) refers to malware hosted anonymously by a “professional” hacker that handles all aspects of the attack, from distributing ransomware to collecting payments and restoring access, in return for a cut of the loot.
Below are just a few examples of some infamous ransomware detected over the last few years:
NotPetya was first detected in 2017 rapidly infiltrating systems across multiple countries. What’s particularly nasty about this family of ransomware is its use of stealthy propagation techniques that allow it to swiftly move laterally to encrypt other systems across an organization. NotPetya ransom notes have demanded $300 USD for each infected machine. For a deep dive on this family of ransomware, check out our in-depth technical analysis on Notpetya or watch our Notpetya postmortem webcast.
Developed and operated by the cyber adversary, BOSS SPIDER, SamSam has been observed using unpatched server-side software to enter an environment. Most notably, SamSam was behind the 2018 ransomware attack on the city of Atlanta, Georgia. The attack left 8,000 city employees without their computers, and citizens were unable to pay their parking water bills and parking tickets. To read more about the SamSam attack on Atlanta, Georgia, visit our blog post on the lessons learned from SamSam.
Also referred to as WCry, WanaCrypt, or Wanna, WannaCry was identified in May 2017 during a mass campaign affecting organizations across the globe. WannaCry has targeted healthcare organizations and utility companies using a Microsoft Windows exploit called EternalBlue, which allowed for the sharing of files, thus opening a door for the ransomware to spread. To learn more about how an attack unfolds, check out our technical analysis of WannaCry.
Other notable ransomware examples include:
- BitPaymer: Targets enterprise organizations using the Dridex loader module to gain an initial foothold in the victim’s network
- Dridex: A strain of banking malware that leverages macros in Microsoft Office to infect systems
- Hermes: RaaS first distributed in 2017 — in mid-August 2018, a modified version of Hermes, dubbed Ryuk, started appearing in a public malware repository
- KeRanger: First ransomware targeting Mac OS X, was also able to encrypt Time Machine backup files
- Petya: Encrypts the master file table (MFT) to make the entire system inaccessible
- PowerWare: Encrypts hostage files through “fileless” infection
- Ryuk: Similar to Samas and BitPaymer because it targets enterprise organizations and uses PowerShell — PsExec is used to push out its binary
- Samas: Leverages vulnerable JBOSS systems to spread across a network and even attack backup files on the network — targets large organizations per BGH
History of Ransomware
Following the evolution of ransomware, from a petty crime to a major economic windfall for global criminal enterprises, underscores why businesses should be deeply concerned about the threat. While its explosive growth over the past few years may make it seem otherwise, ransomware didn’t come out of nowhere.
Ransomware first cropped up around 2005 as just one subcategory of the overall class of scareware that includes fake AV and phony computer-cleaning utilities. While it showed some promise early on, it took a few changes in technical and economic conditions before the pump was truly primed for peak ransomware profit.
First of all, the early methods used by the criminals to obfuscate or block access to data were fairly rudimentary and easy to bypass. As a result, the percentage of victims willing to pay the ransom remained fairly low. Even more tricky, though, was the problem of payment logistics.
In ransomware’s early days there was no simple, anonymous and ubiquitous way to receive payment from victims. With fake AV and utilities, crooks could operate under a thin veil of legitimacy, setting up shell corporations to receive credit card payments as semi-legitimate card merchants. Since ransomware was out-and-out fraud, that option wasn’t available to receive funds. However, once the FTC, attorneys general and law enforcement officials started catching up with the scareware ventures around the 2008 timeframe, the cost of business for fake AV and utilities providers started to climb.
At that point it made more economic sense for the criminals to opt for the simplicity of ransomware’s overt blackmail and begin exploring alternative avenues of payment. That’s likely one of the reasons why from about 2010 through 2012 more ransomware scams started cropping up that had victims pay small ransoms through prepaid cash cards, retail shopping cards and even premium SMS texts. These campaigns saw middling success that lead to an increasing but not necessarily explosive growth curve.
Then Bitcoin changed everything. While it had been under development for several years prior, it wasn’t until the end of 2012, when Bitcoin Foundation was formed and Bitcoin Central was recognized as a licensed European bank, that Bitcoin started to hit its stride as a viable form of currency.
As it started to gain more mainstream appeal, ransomware criminals recognized it as just the method of monetary extraction they’d been seeking. Bitcoin exchanges provided adversaries the means of receiving instant payments while maintaining anonymity, all transacted outside the strictures of traditional financial institutions.
The table was set perfectly for the entrance of CryptoLocker in 2013. This revolutionary new breed of ransomware not only harnessed the power of Bitcoin transactions, but combined it with more advanced forms of encryption. It used 2048-bit RSA key pairs generated from a command-andcontrol server and delivered to the victim to encrypt their files, making sure victims had no way out unless they paid a tidy sum of about $300 for the key.
The Gameover Zeus banking trojan became a delivery mechanism for CryptoLocker. The threat actors behind the botnet were among the first to truly realize the potential value of ransomware with strong encryption, to extend their profits beyond traditional Automated Clearing House (ACH) and wire fraud attacks that target the customers of financial institutions. CryptoLocker’s backers had hit pay dirt, kicking off ransomware’s criminal Gold Rush.
Cryptolocker Gameover Zeus was shut down in an operation spearheaded by the FBI and technical assistance from CrowdStrike researchers. Even though it was out of operation within seven months of starting, it served as proof to the entire cybercrime community of ransomware’s tremendous business upside. This was the true inflection point for ransomware’s hockey-stick growth.
Within a few months, security researchers were finding copious numbers of CryptoLocker clones in the wild and criminals from all over the world were scrambling to get a piece of the action. Since then, many organized crime gangs have shifted investments and resources from older core businesses, including fake AV, into ransomware operations. The criminal technologists have been working overtime to serve these potential customers by cranking up specialized operations to develop better ransomware code and exploit kit components, flooding Dark Web marketplaces with their wares.
The Advent of Big Game Hunting
Now that the momentum has built to a critical mass, criminals are innovating their techniques and expanding their markets. They’re getting too rich off ransomware to stop anytime soon.
Cybercriminals recognized that if consumers or one-off business users are willing to pay $300 to $500 to unlock run-of-the-mill data on a single endpoint, businesses and other organizations would likely be willing to pay much more for mission-critical data, or to unlock an entire fleet of endpoints held hostage in a single instance.
So to optimize their efforts, eCrime operators decided to pivot from the “spray and pray” style of attacks that were dominating the ransomware space and focus on “big game hunting” (BGH). BGH combines ransomware with the tactics, techniques and procedures (TTPs) common in targeted attacks aimed at larger organizations. Rather than launching large numbers of ransomware attacks against small targets, the goal of BGH is to focus efforts on fewer victims that can yield a greater financial payoff — one that is worth the criminals’ time and effort.
This transition has been so pronounced that BGH was recognized as one of the most prominent trends affecting the eCrime ecosystem in the CrowdStrike 2020 Global Threat Report. Recent eCrime statistics show that while the volume of ransomware attacks has decreased, the sophistication of these attacks has increased substantially.
Who Does Ransomware Target?
Organizations of all sizes can be the target of ransomware. Although big game hunting is on the rise, ransomware is frequently aimed at small and medium-sized organizations, including state and local governments, which are often more vulnerable to attacks.
Small businesses are targeted for a number of reasons, from money and intellectual property (IP) to customer data and access. In fact, access may be a primary driver because an SMB can be used as a vector to attack a larger parent organization or the supply chain of a larger target.
The success of ransomware attacks on small businesses can be attributed to the unique challenges associated with smaller size and also the more ubiquitous challenges faced by organizations of any size: the human element. While a work-issued computer is common and even expected in larger organizations, smaller organizations do not always provide work computers and instead can rely on employees using their personal devices.
These devices are used both for work-related purposes, including accessing and storing privileged documents and information, along with personal activities such as browsing and searching. These dual-purpose machines contain high volumes of both business and personal information, including credit card information, email accounts, social media platforms, and personal photos and content.
How to Avoid & Prevent Ransomware
Once ransomware encryption has taken place, it’s often too late to recover that data. That’s why the best defense relies on proactive prevention. Robust backup is, of course, a foundational best practice to prepare in case of an attack, but newer malware variants can also delete or damage backups.
Ransomware is constantly evolving, making protection a challenge for many organizations. Follow these best practices to help keep your operations secure:
1. Train all employees on cybersecurity best practices:
Your employees are on the front line of your security. Make sure they follow good hygiene practices — such as using strong password protection, connecting only to secure wifi and being on constant lookout for phishing — on all of their devices.
2. Keep your operating system and other software patched and up to date:
Hackers are constantly looking for holes and backdoors to exploit. By vigilantly updating your systems, you’ll minimize your exposure to known vulnerabilities.
3. Use software that can prevent unknown threats:
While traditional antivirus solutions may prevent known ransomware, they fail at detecting unknown malware threats. The CrowdStrike Falcon® platform provides next-gen antivirus (NGAV) against known and unknown malware using AI-powered machine learning. Rather than attempting to detect known malware iterations, Falcon looks for indicators of attack (IOAs) to stop ransomware before it can execute and inflict damage.
4. Continuously monitor your environment for malicious activity and IOAs:
CrowdStrike® Falcon Insight™ endpoint detection and response (EDR) acts like a surveillance camera across all endpoints, capturing raw events for automatic detection of malicious activity not identified by prevention methods and providing visibility for proactive threat hunting.
For stealthy, hidden attacks that may not immediately trigger automated alerts, CrowdStrike offers Falcon OverWatch™ managed threat hunting, which comprises an elite team of experienced hunters who proactively search for threats on your behalf 24/7.
5. Integrate threat intelligence into your security strategy:
Monitor your systems in real time and keep up with the latest threat intelligence to detect an attack quickly, understand how best to respond, and prevent it from spreading. CrowdStrike Falcon X automates threat analysis and incident investigation to examine all threats and proactively deploy countermeasures within minutes.
What’s the Next Step?
CrowdStrike is a leader in next-generation endpoint security, threat intelligence and incident response. CrowdStrike’s core technology, the CrowdStrike Falcon platform, stops breaches by preventing and responding to all attack types.
Watch the video below to learn how CrowdStrike Stops WannaCry Ransomware:
To find out more about how CrowdStrike prevents ransomware, click the button below: