What Are Ransomware Attacks and How Do They Work?

The phenomenon of Ransomware Attacks continues to dominate the threat landscape and affect important sectors (hospitals, banks, universities, government, law firms, mobile users) and various organizations equally worldwide.

Ransomware attacks occur daily and have a high success rate because they use advanced encryption and release the decryption key only after a specific ransom has been paid. Cybercriminals also use social engineering techniques to find their next targets, infect different computers, and access valuable information. Such attacks are disrupting businesses and forcing them to take cybersecurity seriously.

According to a recent study by Google, ransomware victims have paid more than $25 million in ransoms over the last two years, which marks the ransomware ecosystem as a damaging yet profitable form of cyber attack.

Evolution and Types of Ransomware Attacks

While ransomware is still causing data leakage and significant financial losses for both organizations and home users, remember that it has been around since 1989 (28 years ago), when it first appeared under the name AIDS Trojan and was introduced to systems via floppy disks.

The spread of ransomware has increased dramatically since then, and the malware economy now offers many variants of this threat that have caused much damage.

There are now two main types of Ransomware in circulation that you should know about:

  1. Encrypting ransomware (data locker) uses advanced encryption algorithms. It is designed to block system files and demand money in return for the key that decrypts the blocked content. Examples are CryptoLocker, Locky, and CryptoWall.
  2. Locker ransomware (computer locker) locks the victim’s operating system, making it difficult to access any applications or files until a ransom is paid and the attackers unlock the infected device. Petya and Satan are examples of such ransomware.

The most common and alarming cyber attack of the moment is encrypting ransomware (crypto-ransomware). Keeping everything you use online up to date is essential, as is always keeping a backup of all information on an external hard drive or another source.

Other types of ransomware that you need to stay away from are Master Boot Record (MBR) ransomware, Android mobile ransomware, IoT ransomware, and ransomware that encrypts web servers.

All of these cyber threats can target anyone, anywhere, and at any time, so remember that knowledge and prevention are the best ways to protect your sensitive data.

How does Ransomware spread?

Cybercriminals keep finding different ways of holding personal data to ransom: they infect a person’s computer with malware and require a ransom to unlock the data. If you haven’t been the victim of a cyber attack yet, consider yourself lucky. It is essential to be proactive and keep your system up to date to ensure maximum protection.

Online criminals usually look for the easiest way to infect a system or network and use that backdoor to spread malicious code.

It is therefore worth knowing the most common ways cybercriminals spread ransomware infections:

  1. Spam email campaigns that include malicious links or attachments.
  2. Security exploits in vulnerable software.
  3. Internet traffic redirected to malicious websites.
  4. Legitimate websites with malicious code injected into their web pages.
  5. Malvertising campaigns.
  6. SMS text messages (smishing).
  7. Botnets used for malicious purposes.
  8. Self-propagation (spreading from one infected computer to another).

These cyberattacks have become more and more frequent as online criminals improve their methods daily, using a mix of technical knowledge and psychological manipulation.

The Ransomware Target

In light of the recent cyberattacks that we have witnessed, the question arises: “Who is being targeted?” The short answer is “everyone,” whether a small or large organization, a home user, or a public institution.

The longer answer isn’t that simple, because vulnerability to a potential cyber threat can depend on different factors: the user’s data and how attractive it is to online criminals, how vulnerable a system or network is, how fast companies or users can respond to a ransom request, and much more.

The most common Ransomware targets are:

1. The healthcare sector, and hospitals in particular, is a key target for cybercriminals. According to the new Verizon Data Breach Investigations Report (DBIR), this sector is at greater risk than other sectors, with 72% of all malware incidents targeting the health care system.

Why are they vulnerable? Patient data is vital to hospitals and access to it can be a matter of life and death, so cybercriminals know they are likely to be paid the ransom. A good example is the case of Hollywood Presbyterian Medical Center, which paid approximately $17,000 to cybercriminals for the decryption key to unlock its files.

2. Government institutions: Another industry vulnerable to ransomware attacks consists of government agencies and public service organizations that operate on and hold very important and sensitive personal data.

Why are they vulnerable? Cybercriminals know that government institutions need to be efficient and operational, so they are more likely to pay the ransom to get their data back. A recent example is the outbreak of Petya, which affected essential organizations, including government departments in Ukraine, whose members said they were unable to access their computers.

3. Education: According to the BitSight Insights report, education and, for the most part, higher education institutions have been the primary target for ransomware attacks. Researchers have found that the education sector has the highest rate of Ransomware, “with at least one in ten experiencing this cyber attack on their network.”

Why are they vulnerable? Education is becoming an easy target for cybercriminals, mainly because of its weak IT hierarchy, the thousands of students who connect every day, and the ease with which a spear-phishing campaign can be launched. Other than that, educational institutions do not have qualified system administrators, nor do they have the financial resources to invest in cybersecurity. A recent example is University College London, which has seen its shared drives and student management systems taken down by cybercriminals.

4. Law firms

Why are they vulnerable? Legal firms are another sector at risk of being targeted by online criminals because they are responsible for sensitive and confidential customer data and may have the resources to pay a ransom. The global law firm DLA Piper was also a victim of the Petya ransomware, seeing its computers infected with malware.

5. Mac and mobile users

According to Forrester Research, “the number of global smartphone subscribers is anticipated to reach 3.8 billion by 2022, reaching 50% of the population for smartphone penetration by 2017 and reaching 66 per cent by 2022.”

This means that our dependence on mobile devices will continue to grow, as will the volume of data stored on them, making them vulnerable to cyberattacks. A Kaspersky Lab report revealed that mobile malware is increasing, with 218,625 mobile ransomware files detected in the first quarter of 2017.

Why are they vulnerable? While you may be tempted to say that Windows computers are the main target for cybercriminals, it seems that Ransomware has also hit Mac OS users. FortiGuard Labs has recently discovered Ransomware-as-a-Service (RaaS) targeting Mac computers.

WannaCry and Petya, the latest cyberattacks

For the cybersecurity industry, May and June may have been “two black months” and a reality check for all to remind us of the value of being vigilant and keeping our system up to date all the time.

In May 2017, the WannaCry ransomware outbreak targeted and infected hundreds of thousands of computers running an obsolete version of Windows in more than 100 countries. It spread quickly by using the EternalBlue exploit, which takes advantage of a flaw in Microsoft SMB to propagate and infect computers rapidly.

Similar to WannaCry, the Petya ransomware (Petya.A, Petya.D, or PetrWrap) emerged in June 2017 and used the same EternalBlue exploit, but had self-replicating abilities as well. Petya later turned out to be a data wiper disguised as ransomware.

The critical differentiator from WannaCry is that Petya used numerous attack vectors and a cocktail of malware to encrypt and steal as much sensitive data as possible. Petya encrypts users’ files, and overwrites and encrypts the master boot record (MBR).

Big companies (Telefonica, Renault, Maersk, Saint-Gobain, Mondelez), public institutions, banks, and hospitals across Europe and the rest of the world were affected by the WannaCry and Petya ransomware outbreaks.

Why are ransomware attacks still so successful?

With ransomware striking on an alarming scale and putting millions of users and machines at risk worldwide, this is a legitimate question.

The first answer would be that victims – whether a large/small company or a home user – are still willing to pay money (ransom) to get back the valuable data they have lost.

Security experts recommend not doing so, as payment is merely an incentive for malicious actors, who will continue to work on more sophisticated cyberattacks. Besides that, there is no guarantee that victims will get their files back, and they may become a target for a future cyberattack.

More reasons why ransomware attacks are still thriving and are growing at an alarming rate:

  • The malware economy has evolved like any other market. However, it has been, and still is, heavily sustained by ransoms paid by those victims who needed immediate access to their valuable data. Many computers carry software vulnerabilities because people don’t update their software.
  • No software, the Windows operating system included, is free of vulnerabilities. Hackers are taking advantage of the flaws found in Microsoft Windows and encrypting users’ valuable data. That’s why most ransomware attacks happen. The mysterious Shadow Brokers hacking group leaked the NSA tools and documents used in the global WannaCry cyber attack and threatened to release even more hacking tools.
  • Lack of recovery plan testing is another reason ransomware attacks succeed. Without a well-tested recovery plan that shows whether everything is working correctly, your business operations may suffer downtime and critical recovery issues.
  • The ageing (outdated) infrastructure of public and private companies is linked to security breaches and potential new cyberattacks. Old PCs can run obsolete software that makes them vulnerable to online threats. Criminals use more advanced and sophisticated techniques to launch a cyberattack, and companies with outdated infrastructure are the most exposed to such attacks. Businesses need to upgrade their infrastructure and close their cybersecurity gaps.
  • Lack of user safety training and of the necessary cybersecurity skills exposes both organizations and individuals to online attacks. Without a minimum level of cybersecurity knowledge, people cannot tell the good from the bad, so they can easily click on a malicious website or link. In such cases, cybersecurity education is essential and can create a safer online environment for everyone. Because this is not a solitary mission, the authorities and cybersecurity organizations must join forces to fight the ransomware phenomenon. For instance, the No More Ransom initiative is intended to contribute to the global battle against ransomware. Security awareness programs and advanced courses may help deter such attacks.
  • Companies do not have a well-structured data backup plan to protect their business against cybersecurity incidents, making them easier targets for ransomware attacks.
  • Users and employees need to learn to be sceptical and increase their level of paranoia when receiving emails with suspicious attachments or coming across any other online scams on social media.
  • There is no doubt that most cyberattacks are linked to a human factor that hasn’t changed much recently. People still have the same way of thinking and responding to the same stimuli, which means cybercriminals can plan to use these reactions methodically, over and over again.
  • Unfortunately, people are still delaying and neglecting to keep their systems patched and up-to-date or to use a proactive safety solution for maximum protection.
  • Malware is becoming more sophisticated and advanced as cybercriminals improve their hacking skills and develop advanced ransomware attacks.

Anti-Ransomware business Checklist

For a business, a ransomware attack might have devastating consequences for continuity. Therefore, preventing and avoiding the spread of infection is vital for any business interested in keeping its sensitive data safe and secure.

Here is a ransomware prevention checklist for businesses:

  • Use a proactive multi-layer protection system that keeps all business endpoints up-to-date and tracks your everyday online behavior.
  • Every day, back up and encrypt all your data and store it on external sources such as a hard drive or in the cloud (Google Drive, Dropbox, etc.).
  • Use the company’s security awareness programs to teach staff to stop clicking on unknown email links and attachments that could lead to malicious websites.
  • Encourage staff to report back to you when suspect emails are noticed.
  • Do not use public Wi-Fi connections unless you have a VPN or use encryption tools.
  • Update regularly and use the most current version of your browser and operating system.
  • Apply a patch management framework and ensure complete patching of vulnerable third-party applications such as Java, Flash, and Adobe.
  • Limit employees’ access to only the data they need and use and limit their permission to install software programs.

Anti-Ransomware checklist for Home Users

Prevention is the best weapon that a home user can have against ransomware attacks. It is also essential to be proactive and to take all necessary measures to protect your sensitive data.

  • Don’t store your sensitive data exclusively on your PC, and make sure you have at least two backups of your data on external sources.
  • Update, update, update! Having all the latest updates installed for your applications, software programs, and operating systems is vital.
  • Try not to use the administrator account every day, and remember to disable macros in the Microsoft Office suite.
  • Never open spam or download email messages from untrusted sources that might infect your device. Don’t click on suspicious links, either.
  • Ensure you have a paid antivirus product that is up to date or consider using a proactive safety product (you can check what Thor Foresight can do for you).
  • It also helps to remove risky plugins from the browsers you are using: Adobe Flash, Adobe Reader, Java, and Silverlight.

What is the future of Ransomware?

These days, Ransomware is not just a trend but a lucrative business model that is increasingly common and profitable for cyber attackers who extort money from people and organizations alike.

Examples of active cyberattacks include the most recent ransomware outbreaks, Petya and WannaCry, which have impacted many businesses and users. Still, there have been others before them, and we assume these malware threats will not end here.

We should assume that such efforts will be much more common in the future now that attackers have successfully tested strains that include self-replicating abilities. This means that more companies and home users alike will be vulnerable to cyberattacks. Not only will ransomware writers learn more sophisticated strategies, but they will also target larger businesses that are more likely to pay the ransom.

The more widespread the attack, the greater the potential return on investment for malicious hackers. And if they manage to exfiltrate any confidential data, that gives them extra leverage in their attempts to extort their victims.

We highly recommend that businesses invest in cyber protection and train workers to protect their privacy online. These days, awareness campaigns are becoming critical, so we believe that cybersecurity businesses and practitioners should continue to concentrate on education, because education is essential to making the Internet a safer place for all.
