Ransomware is a type of malware that encrypts the files on a user’s device or a network’s storage devices. To restore access to the encrypted files, the user must pay a “ransom” to the cybercriminals, typically through a tough-to-trace electronic payment method such as Bitcoin. Although security researchers have determined how to map the traffic flow of Bitcoin transactions, identifying which individual (or individuals) owns a Bitcoin account is extremely difficult.
Ransomware is most typically distributed through spam email attacks. The spam email will have an attachment disguised as a legitimate file or will include a URL link in the body of the email. If the former method is used, the ransomware program is activated as soon as the attachment is opened and, within seconds, starts to encrypt files on the device. If the attack vector is a link, clicking it takes the user to a web page where the ransomware is delivered to the device unbeknownst to the user. The malicious programs or sites often use exploit kits to detect security vulnerabilities in the device’s operating system or applications that can be used to deliver and activate the ransomware. Additionally, cybercriminals may utilize existing exploits, as seen in the recent WannaCry attack, which took advantage of a well-documented Windows vulnerability known as EternalBlue.
Over the last few years, there has been a dramatic increase in the number of large and successful ransomware attacks against organizations. Cybersecurity Ventures predicts that the global cost of ransomware will exceed $5 billion in 2017, 15 times higher than the cost in 2015.1 In that same time, the number of ransomware variants has grown thirty-fold.2
The impact of a ransomware attack on an organization extends far beyond the cost of the unlocking payment. Businesses absorb costs associated with loss of data, reduced or lost productivity, forensic investigation, restoration of data and systems, lost revenue, and reputational damage. For example, a leading global health and consumer goods company reported that it would see a 2% reduction in revenue growth for the quarter due to the impact of the recent Petya ransomware on its ability to invoice and ship products to its customers.3
CryptoLocker was one of the first widely-used ransomware families and dates back to 2013. The malware was often delivered as an obfuscated email attachment or installed on a device that had been previously compromised. When it was activated, the malware encrypted specific data files on local and network drives. The victim had to pay a $400 or Bitcoin equivalent ransom fee within a stated time period or the decryption key was deleted. Unsurprisingly, even when the ransom was paid, oftentimes the decryption key was never provided. The Gameover Zeus Botnet that was used to distribute the ransomware was taken down by an industry, law enforcement, and government agency collaboration named Operation Tovar.
CryptoWall is a later variant of CryptoLocker that operates in the same way. The most serious attack was in Australia in late 2014 when phishing emails with malicious links “sent from” government agencies were used to distribute the malware.4 To avoid blocking by security products, the malicious actors used a Captcha form before the malware was downloaded.
Locky was first observed in early 2016 and was typically distributed via emails with an “invoice” attachment. Once the Word or Excel file was opened, the user was prompted to enable macros to view the invoice. By enabling macros, the file then ran an executable that downloaded the actual ransomware. Local and network files were encrypted and renamed with a .locky extension. To unlock the files, victims had to visit a website to download a browser that they could then use to access the malicious actor’s payment website. Payment was typically between half and one Bitcoin. Locky was one of the first ransomware attacks to gain broader, public media attention as a U.S.-based hospital had its patient data encrypted and paid to recover the files.5
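The rename-to-.locky behaviour described above is one of the easier ransomware signals to catch on a file server: a single principal renaming many files to a known ransomware extension within a short window. The detector below is an added example, not code from the original article or from any vendor. The log format it parses ("timestamp host user RENAME old -> new") and the sample events are constructed for illustration; a real deployment would feed it file-audit events from the file server and tune the threshold and window.

```python
"""Flag ransomware-style mass renames in file-activity logs (added example).

The log format is hypothetical: "<ISO timestamp> <host> <user> RENAME <old> -> <new>".
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions appended by the families discussed in the article; ".locky" is the
# one the text names. Extend this set as new families appear.
SUSPICIOUS_EXTENSIONS = {".locky"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) RENAME (?P<old>\S+) -> (?P<new>\S+)$"
)

# Constructed sample: one workstation renames six files in about ten seconds,
# another does one legitimate rename and one isolated suspicious rename.
SAMPLE_LOG = """\
2017-05-12T09:00:01 WS-042 jdoe RENAME /mnt/finance/Q2.xlsx -> /mnt/finance/Q2.xlsx.locky
2017-05-12T09:00:03 WS-042 jdoe RENAME /mnt/finance/Q3.xlsx -> /mnt/finance/Q3.xlsx.locky
2017-05-12T09:00:04 WS-042 jdoe RENAME /mnt/finance/budget.docx -> /mnt/finance/budget.docx.locky
2017-05-12T09:00:06 WS-042 jdoe RENAME /mnt/finance/plan.pptx -> /mnt/finance/plan.pptx.locky
2017-05-12T09:00:09 WS-042 jdoe RENAME /mnt/finance/notes.txt -> /mnt/finance/notes.txt.locky
2017-05-12T09:00:12 WS-042 jdoe RENAME /mnt/finance/list.csv -> /mnt/finance/list.csv.locky
2017-05-12T09:05:00 WS-017 asmith RENAME /mnt/hr/draft.docx -> /mnt/hr/final.docx
2017-05-12T09:07:30 WS-017 asmith RENAME /mnt/hr/old.txt -> /mnt/hr/old.txt.locky
malformed line that should be ignored
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_mass_renames(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(host, user): count} for principals that renamed at least
    `threshold` files to a suspicious extension inside any `window`-long
    sliding interval. `count` is the densest burst observed."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ext = os.path.splitext(ev["new"])[1].lower()
        if ext in SUSPICIOUS_EXTENSIONS:
            events[(ev["host"], ev["user"])].append(ev["ts"])

    alerts = {}
    for key, times in events.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (host, user), n in find_mass_renames(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host} {user}: {n} suspicious renames within 60s")
```

Renames rather than writes are used deliberately: an encryptor that rewrites content in place generates ordinary write events, but the extension change the article describes is distinctive and cheap to match. Pair this with a low threshold on decoy ("canary") directories so that a single touch triggers an alert.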
WannaCry hit the headlines in May of 2017 when it affected a reported 400,000 computers across the world.6 Both public and private organizations were significantly impacted, including the UK’s National Health Service, a Spanish telecoms company, and a major German bank. Fortunately, thanks to a security researcher who discovered a kill switch in the malware, the attack was halted within a few days. The attack was launched and spread via a known security vulnerability in Windows (EternalBlue). Although a security patch had been available for several months, many organizations had not yet installed it.
NotPetya, a variant of Petya ransomware, quickly followed on the heels of WannaCry in June of 2017 and first surfaced in Ukraine. Distributed as a PDF email attachment, the malware was spread using the same EternalBlue vulnerability as used in WannaCry. Again, public and private organizations around the globe were impacted, including a major U.S. pharmaceutical company, a multinational law firm, and the UK’s largest advertising firm. Unlike other ransomware, Petya infects the computer’s master file table. It has been speculated that this attack was more about causing disruption in Ukraine than about financial gain.7
Educate the weakest link. The vast majority of ransomware requires someone to take action to activate the payload. Educating employees about how to recognize and defend against cyber attacks is vital. Many attacks will use email and social engineering techniques to trick the employee into downloading malware or divulging their username and password. As such, training should focus on these common attack vectors. Exercises where employees are sent faux “phishing” emails are effective in coaching users to distinguish between a genuine supplier communication and a phishing email with the subject line “Invoice Attached - please open.”
Patch, patch, patch. Then patch again. As demonstrated by the recent WannaCry and Petya attacks, failing to implement a rigorous approach to patching known security vulnerabilities can leave an enterprise exposed. Even months after the EternalBlue vulnerability was exploited for the WannaCry and NotPetya ransomware attacks, it's estimated that at least 38 million PCs remain unpatched.8 It’s relatively simple for cybercriminals to identify unpatched devices and software on an enterprise’s network, and once identified, to take advantage of known vulnerabilities.
Back up your data, and back up your backup. To some, this may sound obvious, but ransomware can encrypt backups stored on network servers. As a result, enterprises need to review their current approach to backups. Are employees backing up important files to a network drive? Are the backups from these devices and the file servers then backed up to a cloud backup service? Are you testing that the backups can be restored? That way, if ransomware encrypts all local files and backups, an enterprise can still restore them quickly with minimal impact to the business.
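The questions above ("are backups actually restorable?" and "what if ransomware reaches the backup share?") can be answered mechanically rather than by hope. The script below is an added example, not code from the original article: it writes a SHA-256 manifest when a backup is taken and later verifies the backup against it, so a backup that was silently encrypted or renamed on the network share is caught before it is needed. The file tree it backs up is constructed in a temporary directory so the example runs offline; in practice the manifest (or at least its hash) belongs on a separate, write-protected or offline medium, which is an assumption this example only notes in a comment.

```python
"""Backup manifest and restore verification (added example, standard library only)."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (forward slashes) -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def backup(src, dst):
    """Copy src to dst/data and record manifest.json beside it.
    Assumption: in a real deployment the manifest is also copied to offline or
    immutable storage so an attacker on the share cannot rewrite both."""
    data_dir = os.path.join(dst, "data")
    shutil.copytree(src, data_dir)
    manifest = build_manifest(data_dir)
    with open(os.path.join(dst, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify(dst):
    """Return the sorted list of relative paths that are missing, altered or
    unexpected compared with the manifest. An empty list means the backup is intact."""
    with open(os.path.join(dst, "manifest.json")) as f:
        expected = json.load(f)
    actual = build_manifest(os.path.join(dst, "data"))
    problems = [rel for rel, digest in expected.items() if actual.get(rel) != digest]
    problems += [rel for rel in actual if rel not in expected]
    return sorted(problems)


def demo():
    """Back up a constructed tree, verify it, then simulate ransomware reaching
    the backup share and show that verification reports the damage."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "Q2.xlsx"), "wb") as f:
            f.write(b"constructed spreadsheet bytes")
        with open(os.path.join(src, "readme.txt"), "w") as f:
            f.write("constructed text\n")

        dst = os.path.join(tmp, "backup")
        backup(src, dst)
        clean = verify(dst)  # expected: []

        # Simulated encryptor: overwrite one backed-up file and append an extension.
        victim = os.path.join(dst, "data", "finance", "Q2.xlsx")
        with open(victim, "wb") as f:
            f.write(b"\x00ciphertext placeholder")
        os.rename(victim, victim + ".locky")
        tampered = verify(dst)  # expected: the original path (missing) and the renamed one (unexpected)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup problems:", before)
    print("after simulated ransomware:", after)
```

Run the verification on a schedule and on a copy restored to a scratch location, not on the live share: a verify that passes only against the same disk the attacker could reach does not prove the data is recoverable.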
Make it harder for the bad guys—have multiple layers of defense. Cybercriminals spend huge amounts of time and money developing ever-more sophisticated forms of advanced malware that are designed to bypass a company’s security defenses. Relying on a single layer of security against this evolving barrage is not best practice. Utilizing multiple security layers means that if one layer does not block an attack, you have additional overlays that can mitigate the threat. So, what layers of security defense does your company currently have in place? Do you have different security solutions to help mitigate risk during all stages of an attack? Are there current gaps in your security that malicious actors can exploit?