Ransomware is a clear and growing threat to both individuals and businesses. A successful execution of a ransomware attack enables a malicious actor to illegally access one or more servers, computers, and/or mobile devices, encrypt the local data, and deny all legitimate user access to the data until a ransom is paid to decrypt it. Both individuals and businesses need to understand what ransomware is, how it works, and how to detect and prevent it.
Ransomware is a form of malicious software or malware. After gaining access to a computer, server or mobile device, it takes control of the machine and locks the owner out. The hacker who initiated it then demands a ransom, often in the form of digital currency, to restore the owner’s access.
Ransomware comes in two main varieties:
Locker ransomware, which hijacks basic computer functions
Crypto ransomware, which encrypts individual files to stop a legitimate user from accessing them.
The files cannot be unlocked without a private key known only to the attacker.
Ransom is usually demanded in bitcoin because it is anonymous and can easily be traded digitally. Some organizations that otherwise have little to do with cryptocurrencies buy these currencies in the event they are infected with ransomware and need a way to pay the fee demanded.
One of the most well-known ransomware attacks took place in 2017. The WannaCry malware spread by email scams and affected hundreds of thousands of people and organizations worldwide, including FedEx, Nissan and Renault. It led to losses of US$4 billion worldwide, with attackers demanding around US$300 to release hijacked files.
A ransomware attack typically follows three stages: infection, encryption, and ransom demand.
Infection of the victim’s device is often achieved through watering hole attacks or phishing emails. An email may contain a link to a website that hosts the malware or may have an attachment with a download function. Clicking on the website link in the email or opening the attachment downloads the ransomware to the device and executes it.
Following the initial infection, the ransomware may try to spread throughout a network to other connected devices, servers, or drives.
Other techniques include ‘malvertising’, which is essentially the use of fake ads that a user clicks on, giving the malware access to their system. Even the most trusted sites, such as The New York Times, can inadvertently host malvertising attacks.
Encryption of the user’s files is the next stage. After gaining access to the device, ransomware installs a malicious binary file, which is executable code that contains instructions for the malicious malware program to run on the victim’s device.
Ransomware makes use of asymmetric encryption, a cryptographic method that uses two keys–a public and a private key– to encrypt and decrypt a file. The private key to decrypt the file is stored on the attacker’s own server and is only made available to the victim once released by the attacker.
Most ransomware variants are selective of the files to encrypt to maintain the stability of the system. Some may also delete backup copies of the selected files to make it more difficult to recover them without access to the private key.
The next stage is the ransom demand itself. This often takes the form of a display changed to look like a ransom note. The most common demand is for the victim to transfer an amount of cryptocurrency in return for retrieving access to the victim’s files.
If the ransom is paid, the attacker sometimes provides either the private key used to protect the symmetric encryption key or a copy of the symmetric encryption key itself. The attacker provides a decryption program for the victim to enter this information into to restore access to their information. However, as the ransomer holds the power in all situations where victims have not taken protective measures to restore the data without the decryption key, some attackers do not provide the key even after the ransom is paid. In other cases, the attackers sell data they extracted prior to encrypting the database on the dark web in order to get secondary payment related to the initial attack. Depending on what data was stolen, this can be as bad or worse for victims.
The money demanded by attackers is growing rapidly, making this type of attack even more lucrative for attackers. Recent research by the Unit 42 security consulting group suggests that average ransomware demands increased by 518% and payouts by 82% in the first half of 2021.
Perhaps the most common ransomware detection method, and the main one used by antivirus products, is signature-based detection.
All programs, software, files, and apps have their own digital footprint or signature, usually unique to each one. This is usually in the form of a hash file, which is a numerical representation of data designed to protect it. To detect malware, antivirus products scan a computer and compare the signatures it finds to those on a database of known malware. If it discovers such a footprint, the antivirus product will either delete it or quarantine it.
A company’s security team can also use software tools to get a file’s hash and compare it to known malware.
Although useful and highly effective, signature-based detection is only an initial line of defense. Ransomware developers are constantly evolving and updating their malware to evade signature-based detection. Even adding a single byte to a file creates a completely new hash, making malware harder to detect. For this reason, although signature-based methods are good at finding established ransomware, they can struggle to find newer threats.
Some antivirus products also support behavior-based detection. Malware behaves differently than legitimate software, and antivirus products can detect this, even before the malware has executed.
Manual checks can also reveal suspicious activity that is indicative of ransomware. One of these indicators is excessive file renaming. Some renaming happens every day, but if hundreds of files are being renamed, it could indicate the presence of ransomware.
Security teams can also analyze traffic to see whether any software is connecting to dubious websites, particularly file sharing sites. Increases in the volume of traffic can also be an indicator, as ransomware needs to connect to offsite servers to receive instructions and exchange decryption keys.
Analyzing traffic can be time consuming, and because it is not as accurate as behavior-based detection, it may also yield false positives. Attackers might also use legitimate file sharing sites to avoid detection.
A third technique is to use deception by creating a honeypot, setting up a file server to act as bait for attackers. Because legitimate users do not access this server, any activity on it is likely to be the result of an attack and thus can warn teams of a pending attack before or during execution.
A number of techniques can be used in ransomware prevention.
Probably the most important is to back up important files regularly. These backups should ideally be kept offline and offsite, separate from regular networks. Multiple copies of files should be made using different backup solutions and storage locations.
Preventing ransomware from being delivered can be achieved by:
filtering to allow only expected file types
blocking known malicious websites
using signatures to block known malicious code
inspecting content for malware.
Ransomware can also be prevented from running on devices if it breaches these security measures. Good practice includes managing devices centrally to allow only trusted applications to run. Consider using enterprise anti-malware products, keeping these products up to date, and providing security awareness training for staff.
One of the strongest anti-malware measures is to adopt a zero-trust approach based on repeated reaffirmation of a person’s identity. Each request is assessed separately to avoid giving automatic, comprehensive access to someone who might have ill intent.
The holy grail of attackers is to get unfettered access to a victim organization’s apps and servers. Identity authentication stops this by granting authorized users access to individual apps rather than the whole network.
The method employs techniques such as multi-factor authentication, single sign-on and zero-trust policies to build a strong authentication system. Permissions are continually evaluated to ensure access is still valid, preventing attackers from moving across the network to hunt for data and spread ransomware.
Two-factor authentication is considered best practice. With this approach, users are authenticated with a username and either a hardware or software token or secondary verification via a separate channel, such as SMS. Even more advanced technologies utilize real-time risk signals to seamlessly analyze traffic and behaviors that can provide a frictionless end user experience while still ensuring that necessary authentications and authorizations take place.
In today’s threat landscape, the old username and password methods can no longer provide the security needed. Identity authentication allows organizations to verify every employee and device before granting access, which makes it far less likely that attackers can gain the access necessary to wreak havoc with a company’s network.
Would you like a desktop notification when a new blog is published?
