What is Ransomware?

Ransomware is a type of malware that encrypts a victim’s files and holds them for ransom. Once the encryption is complete, the attacker demands a payment in return for restoring access to the data. Most ransomware is also built to spread to, and infect, as many systems as it can reach, as quickly as it can.


Understanding Ransomware As A Service (RaaS)

Ransomware-as-a-service (RaaS) is a cybercrime business model that lets malware authors earn money without distributing their threats themselves. Criminals with little technical skill buy or rent the ransomware and spread the infections, and the developers take a cut of the profits. The developers carry little risk while their customers (the “affiliates”) do most of the work. Some RaaS offerings are sold as subscriptions; others require the affiliate to register with the operator.

These attacks and their variants are evolving quickly to evade preventive technologies, for several reasons:

  • Malware kits are readily available and can be used to generate fresh malware samples on demand.
  • Well-known generic interpreters are used to build cross-platform ransomware (for example, Ransom32 uses Node.js with a JavaScript payload).
  • New techniques are adopted, such as encrypting the entire drive rather than just specific files.

Today’s criminals don’t even need to be tech-savvy. An online market for these attacks has sprung up, selling malware strains to any would-be cybercrook while also generating extra revenue for the malware developers, who frequently demand a share of the ransom proceeds.

How Ransomware Works

Once ransomware gains access to a computer, it uses encryption to lock the user out of their own data. In practice the malware typically generates a random symmetric key (often one per file), encrypts the user’s files with it, and then protects that key with a public key belonging to the attacker, so the only copy that can unlock the files is the one the attacker holds. When encryption is complete, the ransomware reveals itself with a ransom note explaining that the files are locked and demanding a payment in exchange for the decryption key, and so for access to the files.


However, even if the user pays the ransom, there is no guarantee that the files will come back: decryptors are often never delivered, or are buggy and fail on some files. Ransomware is, after all, just malware with an extortion step attached, so the same rules apply as for any other malware infection.

There are many ways ransomware can get onto a computer. Typically it requires an action from the user, such as opening and running a malicious attachment received by email or a file downloaded from a website. Infection by merely visiting a website, without downloading anything (a drive-by download that exploits a vulnerability in the browser or a plugin, occasionally a zero-day), is possible but comparatively rare.

Ransomware usually needs some time to encrypt the user’s files and only presents itself once that is done, demanding the ransom. Payment is typically requested in Bitcoin or another cryptocurrency.

Why Are There More Ransomware Attacks?

Ransomware attacks are becoming more common for a few reasons:

  • Malware kits that allow easy development and deployment of custom ransomware are readily available, lowering the barrier of entry for malicious actors who want their own strain.
  • Cross-platform programming languages and technologies have widened the range of targets, including Windows PCs, Apple macOS systems and Android and iPhone mobile devices.
  • Cryptocurrency payments have become mainstream, letting attackers collect ransoms with a high degree of anonymity.

Defending Against Ransomware

Follow these steps to avoid ransomware and to limit the harm if you are attacked:

  1. Back up your data. The simplest way to avoid being locked out of your vital data is to keep backup copies of it, preferably both in the cloud and on an external drive. If you are infected, you can wipe the computer or device and reload your data from the backup. This protects your data and removes the pressure to pay the criminals. Backups will not prevent ransomware, but they greatly reduce the damage it can do.
  2. Protect your backups. Make sure backup data cannot be modified or deleted from the systems it protects. Ransomware hunts for backups and encrypts or erases them so they cannot be restored, so use backup methods that do not give the backed-up systems direct write access to the backup files (offline or immutable storage, separate credentials), and test that a restore actually works.
  3. Use security software and keep it up to date. Ensure that all of your computers and devices are protected with comprehensive security software and that all of your software is current. Apply updates promptly, since they usually include fixes for the vulnerabilities that malware exploits.
  4. Browse with caution. Take care where you click. Do not respond to emails and text messages from people you don’t know, and only download apps from reputable sources. This matters because malware authors rely heavily on social engineering to get you to run harmful files.
  5. Use only secure networks. Avoid public Wi-Fi networks, since many of them are insecure and criminals can eavesdrop on your traffic. If you must use one, connect through a VPN, which encrypts your traffic between your device and the VPN provider wherever you are.
  6. Keep informed. Stay up to date on the latest ransomware threats so you know what to watch for. If you are infected and do not have a backup of all your files, be aware that security vendors and initiatives such as No More Ransom publish free decryptors for some ransomware families.
  7. Create a security awareness programme. Everyone in your organization should receive regular security awareness training to recognize phishing and other social engineering attacks. Run regular drills and tests to confirm the training is being applied.
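As an added example (not code from the original article), here is a small Python script showing the integrity check a practitioner would want behind steps 1 and 2: record a SHA-256 manifest when the backup is taken, keep that manifest away from the backup, and before restoring compare the backup against it so that encrypted, deleted or planted files are detected rather than restored. The directory layout and sample files are constructed for the demonstration.

```python
"""Integrity manifest for a backup set: record SHA-256 digests when the backup
is taken, then verify the set before restoring. Added example, not from the
article; the directory layout and sample files are constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large backups do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file under backup_dir (relative POSIX path) to its digest."""
    return {p.relative_to(backup_dir).as_posix(): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup tree with the manifest taken when it was written.

    'modified' is what an encrypting ransomware leaves behind, 'missing' is
    deleted backups, 'unexpected' is planted files such as ransom notes. Keep
    the manifest off the backup host (write-once media, separate credentials),
    otherwise the same malware can rewrite it along with the data.
    """
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Take a backup, simulate ransomware reaching it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "report.docx").write_bytes(b"quarterly report contents")
        (backup / "docs" / "ledger.xlsx").write_bytes(b"ledger contents")
        (backup / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        manifest = build_manifest(backup)  # store this copy away from the backup

        # Constructed tampering: one file overwritten with ciphertext, one deleted,
        # one ransom note dropped.
        (backup / "docs" / "report.docx").write_bytes(os.urandom(64))
        (backup / "docs" / "ledger.xlsx").unlink()
        (backup / "README_RESTORE.txt").write_bytes(b"your files are encrypted")
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A non-empty report means the backup set is not trustworthy and an older copy (or offline media) should be used; the manifest only helps if it cannot be rewritten by the same credentials that write the backup.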

6 Actions To Take In The Event Of A Ransomware Attack

If you believe you have been the victim of a ransomware attack, you must act swiftly. Fortunately, there are actions you can take to give yourself the best chance of limiting the damage and quickly resuming normal operations.

  1. Isolate the infected device: Ransomware that affects only one device is a minor annoyance. Ransomware that reaches every device in the enterprise is a disaster that can put you out of business for good. The difference between the two is frequently down to reaction time. To protect your network, shared files and other devices, disconnect the affected device from the network, the internet and any other devices as soon as possible. The sooner you do this, the less likely it is that other devices will be infected.
  2. Stop the spread: Because ransomware spreads quickly, and the device you noticed first isn’t always Patient Zero, isolating it does not guarantee the ransomware is not present elsewhere on your network. To limit its reach, disconnect every device that is behaving suspiciously, including those off-premises: if they are connected to the network, they are a risk wherever they are. It is also wise to turn off wireless connectivity (Wi-Fi, Bluetooth and so on) at this point.
  3. Assess the damage: To find out which devices are infected, look for newly encrypted files with unusual file extensions and for reports of abnormal behaviour. If you find devices that have not been fully encrypted, isolate them and switch them off to contain the attack and prevent further data loss. The aim is a complete inventory of every affected system, including network storage, cloud storage, external drives (USB thumb drives included), laptops, phones and any other possible vector. Lock down your shares at this point: restrict all of them if you can, otherwise as many as possible. This interrupts any encryption still in progress and stops further shares from being hit while clean-up proceeds. Before you do so, though, examine the encrypted shares: if one device has far more open files than normal, you may have found Patient Zero. Otherwise…
  4. Locate Patient Zero: Finding the point of entry makes the rest of the investigation much easier. Check for alerts from your antivirus/antimalware, EDR or any other active monitoring platform. Because most ransomware enters through malicious email links and attachments that need an end user to act, interviewing people about what they did (such as opening an unusual email) and what they saw is also useful. Finally, the attributes of the encrypted files themselves can help: the account recorded as their owner is a likely point of entry. (Bear in mind that there may be more than one Patient Zero.)
  5. Identify the ransomware: Before you go further, determine which ransomware family you are dealing with. One option is the No More Ransom project, a global initiative in which Trellix participates. The site offers tools to help you recover your data, including Crypto Sheriff: upload one of your encrypted files and it will look for a match. The ransom note is another source of information: if it does not name the ransomware, searching for the contact email address or the text of the note may identify it. Once you know the family and have done some brief research on how it behaves, notify all staff as quickly as possible so they can recognize the signs of infection.
  6. Report the ransomware to the authorities: You should alert law enforcement as soon as the malware is contained, for several reasons. First, ransomware is a crime and should be reported like any other. Second, law enforcement has legal powers and tools that most organizations do not, and partnerships with foreign agencies can help recover stolen or encrypted data and prosecute the criminals. Finally, the attack may have compliance consequences: under the GDPR, a breach involving personal data must be reported to the relevant supervisory authority (the ICO in the UK) within 72 hours of your becoming aware of it, or your company may face significant fines.
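To make steps 3 and 4 concrete, here is an added Python example (not from the original article and not any vendor’s tool) that inventories a share for encrypted files and ransom notes, using renamed extensions and byte entropy, and then ranks candidates for Patient Zero from a file-server audit log by who started writing encrypted-looking files first. The directory tree, the audit log and its `timestamp user host op path` format are all constructed assumptions for the demonstration.

```python
"""Ransomware triage: inventory encrypted files and ransom notes, then rank
Patient Zero candidates from a file-server audit log.
Added example, not from the article; tree, log and log format are constructed."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed watch list of extensions appended by encrypting ransomware; extend it
# once the family is identified (ransom note, No More Ransom lookup).
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
NOTE_KEYWORDS = ("decrypt", "restore", "readme", "how_to", "recover")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: ciphertext sits near 8.0, text well below 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 4096) -> str:
    """Label a file 'note', 'encrypted' or 'normal'. Entropy alone misfires on
    compressed formats (zip, jpeg, mp4): corroborate a high-entropy hit with a
    renamed extension, a nearby ransom note or a recent modification time."""
    name = path.name.lower()
    if name.endswith(".txt") and any(k in name for k in NOTE_KEYWORDS):
        return "note"
    with path.open("rb") as f:
        sample = f.read(sample_size)
    if path.suffix.lower() in SUSPICIOUS_EXTENSIONS or shannon_entropy(sample) > 7.5:
        return "encrypted"
    return "normal"


def inventory(root: Path) -> dict:
    """Walk a share and collect encrypted files and ransom notes (step 3 above)."""
    found = {"encrypted": [], "notes": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            label = classify_file(p)
            if label != "normal":
                found["encrypted" if label == "encrypted" else "notes"].append(
                    p.relative_to(root).as_posix())
    return found


def rank_patient_zero(log_lines) -> list:
    """Rank (user, host) pairs that wrote encrypted-looking names, earliest first;
    write volume breaks ties (step 4 above). Later writers are usually secondary."""
    count, first_seen = Counter(), {}
    for line in log_lines:
        parts = line.split(maxsplit=4)
        if len(parts) != 5 or parts[3] != "WRITE":
            continue
        ts, user, host, _, path = parts
        if os.path.splitext(path)[1].lower() in SUSPICIOUS_EXTENSIONS:
            count[(user, host)] += 1
            first_seen.setdefault((user, host), ts)
    ranked = sorted(count, key=lambda k: (first_seen[k], -count[k]))
    return [(u, h, count[(u, h)], first_seen[(u, h)]) for u, h in ranked]


# Constructed audit log: alice's workstation starts writing .locked files first,
# bob's follows minutes later with more files, carol's activity is normal.
AUDIT_LOG = """\
2024-03-04T09:12:01 alice ws-17 WRITE /fs01/finance/q1.xlsx.locked
2024-03-04T09:12:02 alice ws-17 WRITE /fs01/finance/q2.xlsx.locked
2024-03-04T09:12:03 alice ws-17 WRITE /fs01/finance/HOW_TO_DECRYPT.txt
2024-03-04T09:12:09 bob ws-03 READ /fs01/hr/policy.docx
2024-03-04T09:15:40 bob ws-03 WRITE /fs01/hr/policy.docx.locked
2024-03-04T09:15:41 bob ws-03 WRITE /fs01/hr/salaries.xlsx.locked
2024-03-04T09:15:41 bob ws-03 WRITE /fs01/hr/benefits.pdf.locked
2024-03-04T09:20:00 carol ws-22 WRITE /fs01/eng/design.docx
""".splitlines()


def demo() -> dict:
    """Build a constructed share, run the inventory, then rank the log."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        (share / "finance").mkdir(parents=True)
        (share / "finance" / "q1.xlsx.locked").write_bytes(os.urandom(4096))
        # Encrypted in place without a renamed extension: only entropy catches it.
        (share / "finance" / "q2.xlsx").write_bytes(os.urandom(4096))
        (share / "finance" / "HOW_TO_DECRYPT.txt").write_bytes(b"pay to recover your files")
        (share / "memo.txt").write_bytes(b"Minutes of the weekly planning meeting. " * 40)
        result = inventory(share)
    result["patient_zero_ranking"] = rank_patient_zero(AUDIT_LOG)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The ranking orders by earliest first write rather than by volume because a secondary infection that spreads faster can easily out-write the original one; the volume figure is kept so an analyst can see the “far more open files than normal” signal from step 3 alongside it.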

What To Do If You Have Been Attacked By Ransomware?

If you have been attacked by ransomware, the first and most important thing to do is not to panic. Ransomware wants you to act quickly and without rational thinking! Don’t fall into its trap. Instead, take a step back and analyze your situation.

Do not pay. The obvious step would be to pay and simply get your data back, right? No. In many cases you will not receive a decryption key even after paying, or the key does not work. And by paying you are funding organized crime, which will use the money to attack others, so the cycle keeps going and growing.

Disconnect. Remove the infected systems from the internet and any local network so they cannot spread the infection.

Finally, perform a full system reinstall and restore from your backups.