2019: A Refresher Course in Ransomware
Ransomware has now been a major threat to businesses and other organizations for several years, and 2019 has been no different.
It had been a sign of some relief when ransomware attacks grew less common throughout 2018, and it seemed that maybe efforts to contain these attacks had been successful. However, according to data collected by McAfee Labs and published in its August 2019 Threat Report, ransomware is back with a vengeance.
In the first quarter of 2019, ransomware attacks grew by 118%. McAfee's data reports that this increase included the discovery of new ransomware families using new, innovative techniques to target and infect enterprises. The dramatic increase in ransomware attacks is being driven primarily by three families of ransomware: Ryuk, GandCrab, and Dharma.
Ryuk is a scary bit of code that has been used to lock down entire large corporations and government agencies. It was originally credited to North Korea, but subsequent research points to the malware as being the work of a highly sophisticated cybercrime syndicate, rather than the product of a nation-state.
GandCrab, a relatively new arrival on the ransomware scene that first emerged in 2018, is often described as one of the most aggressive families of ransomware. Its original authors have leased the code out to other hackers around the world in exchange for a cut of the profits.
Dharma is the oldest family of the big three, first emerging on the scene in 2016. Originally, it was an offshoot of another, even older ransomware family known as Crysis. However, since branching off, it has become a potent threat in its own right, and the hackers who control the code regularly release new updates and continue to enhance its capabilities.
McAfee researchers observed that cybercriminals are still using spear-phishing tactics, but an increasing number of attacks gain access through a company's open and exposed remote access points, such as Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC). RDP credentials can be brute-forced, obtained from password leaks, or simply bought in underground markets. Where past ransomware criminals would set up a command and control environment for the ransomware and decryption keys, most criminals now approach victims with ransom notes that include an anonymous email service address, allowing bad actors to remain better hidden.
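The exposed-RDP scenario above is one of the easiest to catch from the logs an organization already has. The following script is an added example, not code from the original article or from McAfee: it reads a constructed set of Windows Security logon events (Event ID 4625 for failures, 4624 for successes, logon type 10 for RDP) and flags any source address that racks up repeated failures inside a sliding window, then records whether a successful logon from that source followed. The flattened one-line-per-event format, the sample addresses, and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real logs): Windows Security events flattened to one
# line each as "timestamp EventID LogonType account source_ip".
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2019-09-03T02:10:01 4625 10 administrator 203.0.113.45
2019-09-03T02:10:03 4625 10 admin 203.0.113.45
2019-09-03T02:10:04 4625 10 backup 203.0.113.45
2019-09-03T02:10:06 4625 10 administrator 203.0.113.45
2019-09-03T02:10:09 4625 10 scanner 203.0.113.45
2019-09-03T02:10:15 4625 10 administrator 203.0.113.45
2019-09-03T02:11:40 4624 10 administrator 203.0.113.45
2019-09-03T09:15:00 4625 10 jsmith 198.51.100.7
2019-09-03T09:15:20 4624 10 jsmith 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\d+) (\S+) (\S+)$")


def parse_events(text):
    """Parse the flattened event lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, logon_type, user, src = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    A later successful RDP logon from a flagged source is recorded too, since
    that is the moment the password guessing most likely paid off.
    """
    failures = defaultdict(deque)   # source ip -> recent 4625 events in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue                # only RemoteInteractive (RDP) logons matter here
        src = ev["src"]
        if ev["event_id"] == 4625:
            q = failures[src]
            q.append(ev)
            while ev["ts"] - q[0]["ts"] > window:
                q.popleft()         # drop failures that fell out of the window
            if len(q) >= threshold:
                a = alerts.setdefault(src, {
                    "failures": 0,
                    "accounts": set(),
                    "first_failure": q[0]["ts"],
                    "success_after_burst": False,
                })
                a["failures"] = max(a["failures"], len(q))
                a["accounts"].update(e["user"] for e in q)
        elif ev["event_id"] == 4624 and src in alerts:
            alerts[src]["success_after_burst"] = True
            alerts[src]["compromised_account"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(src, alert)
```

On the sample data the single burst from 203.0.113.45 is reported with six failures across four account names, followed by a success as "administrator", while the one mistyped password from 198.51.100.7 never reaches the threshold. The same logic maps directly onto a SIEM rule; the more durable fix is to take RDP off the internet behind a VPN or gateway with multi-factor authentication and to enable account lockout.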
So why, exactly, is ransomware such a threat to your data?
For those who don’t know, ransomware is a form of malicious software (malware) that threatens the elimination of hijacked and encrypted data if a user doesn’t pay a ransom. It is known to be one of the most prolific and pervasive threats seen on the Internet today. Ransomware has evolved over the past several years, so let’s look at what the future of ransomware looks like, and what you can do to protect yourself against it.
Unlike most other malware threats, ransomware isn't designed to gain access to a system to steal data. It's also not really a con: anyone infected with ransomware is at real risk of losing their data (or their money). Ransomware is basically one of two types of malware. Some variants are computer viruses that target the CPU; these are called "locker" ransomware. The other prevalent type, called "crypto" ransomware, targets file systems and encrypts access to them.
Whichever strain you get (and there are dozens of different strains), the basic premise is the same. After it is unpacked on the user's machine (or network), it encrypts access to data, processing, or both, and gives the system's user instructions on how to proceed. The user then has a decision to make: pay the ransom or try to restore the data from a backup platform.
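Because crypto ransomware has to rewrite many files with ciphertext in a short time, its activity on a file share looks very different from normal editing. The script below is an added example, not code from the original article: it measures the Shannon entropy of each write (encrypted data sits close to 8 bits per byte, office documents far lower) and raises an alert when several files are rewritten with high-entropy content and a changed extension inside a short window. The event records, the paths, the ".locked" extension and the thresholds are constructed for the example; a real deployment would feed it from a file-system audit source.

```python
import math
import random
from collections import deque
from datetime import datetime, timedelta


def shannon_entropy(data):
    """Bits of entropy per byte (0..8). Encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data, threshold=7.5):
    return shannon_entropy(data) >= threshold


def build_sample_events():
    """Constructed file-write events (not captured from a real host): a few
    normal document saves, then a burst in which files are rewritten with
    random bytes and renamed with a new extension, as crypto ransomware does."""
    rng = random.Random(7)                      # deterministic stand-in for ciphertext
    base = datetime(2019, 9, 3, 14, 0, 0)
    events = []
    for i in range(3):
        events.append({
            "ts": base + timedelta(minutes=i),
            "path": f"/srv/share/report{i}.docx",
            "ext_changed": False,
            "data": b"Quarterly report text " * 200,
        })
    for i in range(8):
        events.append({
            "ts": base + timedelta(minutes=10, seconds=2 * i),
            "path": f"/srv/share/invoice{i}.xlsx.locked",
            "ext_changed": True,
            "data": bytes(rng.getrandbits(8) for _ in range(4096)),
        })
    return events


def detect_encryption_burst(events, min_files=5, window=timedelta(seconds=60)):
    """Return an alert the first time min_files files have been rewritten with
    high-entropy content and a changed extension inside the window, else None."""
    recent = deque()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not (ev["ext_changed"] and looks_encrypted(ev["data"])):
            continue                            # ordinary edit, ignore
        recent.append(ev)
        while ev["ts"] - recent[0]["ts"] > window:
            recent.popleft()                    # forget suspicious writes outside the window
        if len(recent) >= min_files:
            return {
                "triggered_at": ev["ts"],
                "files": [e["path"] for e in recent],
            }
    return None


if __name__ == "__main__":
    print(detect_encryption_burst(build_sample_events()))
```

Requiring both signals (entropy and a rename) keeps legitimate activity such as saving a zip archive or a JPEG from tripping the rule. The alert fires on the fifth suspicious write, eight seconds into the burst, which is early enough for a response such as isolating the host or revoking its share access to limit how much data is lost.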
Ransomware is such a departure from normal malware in that most strains of malware try to camouflage themselves inside a user's system or network; ransomware makes sure you know it's there. The past few years have seen a huge uptick in the amount of ransomware that has been deployed, both in the number of variants and in frequency. These attacks have hit many municipalities, businesses, and other organizations with one purpose: to extort money. For example, the city of Atlanta spent more than $2.6 million on emergency efforts to respond to a ransomware attack that infected its municipal operations in 2018.
So how, exactly, are these attacks carried out? The answer may surprise you.
You may think that such a devastating computer virus would have to be delivered by those black hat hackers who sit in a basement someplace carrying out some well-concocted scheme to defraud your company. Or maybe it’s sabotage by a disgruntled former worker who didn’t get his/her 25% raise and inexplicably still had access to the network. The truth is that, while it could be either one of those examples, it is most likely the result of an honest act of negligence by someone who has access to your network.
Most ransomware attacks are perpetrated by hackers who try to spoof legitimate companies' emails. Since these emails appear to come from a legitimate place, unwitting end-users click on links or download attachments, and the attached malware is deployed on the system. The code then goes to work encrypting files or the hard drive. These attacks are commonly known as "spear phishing."
In a spear phishing attempt, a perpetrator needs to know some details about the victim. Using these details, the fraudster aims to instill trust in the victim and get as far as possible with the scam. So where do they find these details? These could be gleaned from a previous phishing attempt, a breached account, or anywhere else they might be able to find out personal information. Social media, in particular, is a hotbed of information regarding both individuals and businesses.
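Several of the tells in a spear-phishing message can be checked mechanically before a user ever has to judge it. The script below is an added example, not code from the original article: it parses two constructed messages with Python's standard email library and reports a sender domain that is within a couple of edits of a trusted domain (a lookalike), a Reply-To that routes answers elsewhere, and urgency wording in the subject. The domains (example.com, examp1e.com, example.net), the trusted-domain list and the keyword list are assumptions for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first impersonates an executive
# at the trusted domain example.com from the lookalike domain examp1e.com, with a
# Reply-To on a third domain; the second is an ordinary internal message.
PHISH_EMAIL = """\
From: "Jane Doe (CFO)" <jane.doe@examp1e.com>
Reply-To: jdoe.cfo@mailbox.example.net
To: accounts@example.com
Subject: Urgent: wire transfer needed before 5pm

Please process the attached invoice today.
"""

LEGIT_EMAIL = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch on Thursday

Are we still on for noon?
"""

TRUSTED_DOMAINS = {"example.com"}
URGENCY_WORDS = ("urgent", "immediately", "wire transfer", "gift card")


def levenshtein(a, b):
    """Edit distance; a small distance between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rpartition("@")[2].lower()


def check_message(raw, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return a list of findings describing why the message looks like spear phishing."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Sender domain is not trusted but sits within a couple of edits of one.
    for t in sorted(trusted):
        if from_domain != t and levenshtein(from_domain, t) <= max_distance:
            findings.append(f"lookalike sender domain {from_domain} resembles {t}")

    # 2. Replies are routed somewhere other than the apparent sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # 3. Pressure cues in the subject line, typical of payment-fraud lures.
    subject = str(msg.get("Subject", "")).lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append("urgency cue in subject")

    return findings


if __name__ == "__main__":
    print(check_message(PHISH_EMAIL))
    print(check_message(LEGIT_EMAIL))
```

The phishing sample produces all three findings and the internal message produces none. In practice these checks complement, rather than replace, SPF/DKIM/DMARC enforcement at the mail gateway, and a one-line banner on messages that trip them gives staff a concrete prompt to verify the request by phone.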
So, what does a ransomware attack look like?
Once the ransomware has infected the system and the files (or drive) are encrypted, the malware presents a message to the victim. Typically, the user gets a notice that their files or computer have been encrypted and that the only way to get them back is to follow the instructions in the notice. These include payment arrangements and the dreaded countdown timer. If the user doesn't meet the demands outlined in the notice, their data will be deleted forever, or their computer will be locked. This, of course, is a terrible situation.
What the user doesn't see, however, is that the hacker who controls this data or infrastructure is probably not letting the end-user off the hook. The ransomware is bad enough, but to make matters worse, the hacker can now do as they please with that machine. Sometimes they include directions that allow them to steal the victim's credentials. Even if the ransom is paid and the files or system are returned to the user as agreed, many of these attackers will load additional malware onto the system, allowing them to further persecute a person whose only mistake was clicking on a link they thought came from a legitimate source.
So how do you avoid ransomware?
Firstly, it is important to have enough security on your machine/network to ensure that any potential threat is eliminated before it can become a problem. A Unified Threat Management (UTM) tool is a great solution for mitigating network problems. Not only does it include a firewall and antivirus, it comes with a spam filter that can help keep users from being exposed to emails rife with malware in the first place.
Secondly, training your staff on how to determine the legitimacy of any message is important. Ransomware can be deployed through email, messaging services, and social media, so educating them on how to avoid these situations is an integral step in keeping these threats off your organization’s network.
Lastly, having a powerful and up-to-date backup of your organization’s data can be a life-saver in situations like the one outlined above. eGuard Tech Services’ Total Backup Care provides any organization the data protection they need through redundancy. Not only is your data backed up at regular intervals locally, it is also backed up in an offsite data center. Having up-to-date backups on hand could save your hide in several different situations.
For more information about ransomware, what you must do to keep from experiencing it, and how to protect yourself from all manners of online threats, download our Ransomware Business Guide here: