Ransomware is a type of malicious software (malware) that takes companies’ critical data and holds it for ransom. Once the victim’s data is accessed, cybercriminals covertly encrypt it so the organization can no longer use it. Only when the ransom is paid will the company receive the decryption key for the data. Ransomware can be significantly damaging to organizations: they can completely lose access to databases, applications, files, and whatever else they need to run efficiently.
How it works
While some ransomware attacks vary in the process, they normally all consist of these three parts: gaining access to the data, encrypting the data and demanding a ransom.
Gaining access to data
Cyber criminals use various types of vectors to gain access to critical information in a company. While there are numerous types of vectors, the most common vector used in ransomware attacks is phishing. Phishing is a malicious email spam campaign sent to employees with an attachment or download to click on. If the recipient falls for the phishing, the cyber criminal gains access to their computer.
Once the cyber criminal gains access to the data they want, they move on to the encryption stage. At this point in the process, cyber criminals start blocking the data from the owner. They normally will select certain files, encrypt them, create a decryption key, and then delete the unencrypted original files or any backups the company may have.
Soon after the encryption process is complete, the attacker will often leave a note or message of some kind for the computer user demanding a ransom. Normally this message will be displayed on the computer’s screen, where it is easily seen by the user. The note will demand an amount, usually in cryptocurrency, to be sent to the attacker within a certain time span. This time span is usually 48 hours or less. If the ransom is not paid within the given time frame, the amount may increase, or the data being held may be deleted completely and the company may never be able to get it back.
Why are ransomware attacks spreading?
Statistics show that over two thirds of organizations with 500 employees or more dealt with ransomware attacks in the last 12 months. This percentage rises up to 80% with organizations that have 3,000-4,999 employees. There are multiple factors encouraging the spread of ransomware attacks, but one of the most prevalent is the increase of remote work. The outbreak of COVID-19 was a great thing for ransomware attackers. Companies were forced to shift all work to remote work as soon as possible. Because of the instant shift, there were many holes left in the cyber security of organizations. These holes left openings for attackers to insert their ransomware.
Another cause for the ransomware attack surge is the ransomware marketplace, also known as Ransomware-as-a-Service (RaaS). Knowing technology is no longer necessary to hack into organizations' systems. Individuals who want to participate in ransomware now have access to malware strains created by malware developers. Malware developers often distribute their ransomware tools freely, asking only for a percentage of the gains. Because of this system, the developers have little to no risk, making it enticing to produce malware.
Examples of ransomware
- WannaCry uses an exploit called EternalBlue to attack Microsoft Windows operating systems. There was a WannaCry outbreak back in 2017 attacking organizations and demanding Bitcoin as payment. There was a software update available to protect against WannaCry but unfortunately many companies did not update their security software and were therefore exposed to the attack.
- CryptoLocker is a Trojan horse that spreads a virus through unknown attachments in employee emails. This malware strain uses encryption to block users from accessing the data. Microsoft Windows users are at risk with CryptoLocker; Mac users are not targeted. A countdown timer will begin as soon as your files have been encrypted.
- Bad Rabbit is malware similar to WannaCry and Petya that began in 2017. The difference is that Bad Rabbit can infect a computer when the user clicks on a website. If a website is compromised, as soon as it’s clicked, the virus will block access to all files and demand a ransom, usually in Bitcoin.
- Ryuk is one of the most dangerous ransomware strains out there. This is due to the size of the ransom it demands. Some Ryuk attacks demand millions of dollars in order to get access back. Ryuk works like most malware, through phishing. Once it has infected the system, it begins its work of shutting down processes on your computer.
- Maze is a tricky malware. While it does the same as all others, encrypting files and demanding a ransom, it takes it one step further. Once files have been encrypted and a ransom is demanded, this form of ransomware makes copies of all data to sell on the Dark Web, and creates backdoors so hackers can continue to harass the establishment.
- REvil, also known as Sodinokibi, is a ransomware-as-a-service (RaaS) malware that targets businesses. REvil is one of the most widespread ransomware attackers out there in recent years. REvil has had so much success that even Presidents Joe Biden and Vladimir Putin have talked about it.
- Lockbit, also known as the ABCD virus, began attacking government organizations and businesses in September 2019. Lockbit is a global ransomware that functions as a ransomware-as-a-service (RaaS). This ransomware is unique in its ability to self-spread. Unlike other malware, this strain has the ability to spread without manual assistance, making the attack and infection quicker.
- DearCry is a ransomware that attacks Microsoft Exchange servers that have not used patches to update their network. While DearCry seems to be created by an inexperienced hacker, it can still be dangerous to an organization.
How to prevent ransomware attacks
Employee education and training
The best thing an organization can do to defend against ransomware attacks is to train the whole organization on prevention. Employees are the key targets for the attacks, so it’s important they understand what to look out for. Since phishing is the top way malware is delivered, make sure each employee knows what those emails and attachments look like, so they can report them to the company and authorities.
Back up your data
Backing up your files is a crucial step to take in order to mitigate damage. If the attacker steals your information but you still have access to it all, they have no hold on you. But be sure to secure those backups, because the attacker will know to look for backups to erase. A recommendation is to put your backup in the cloud or on a hard drive so it is harder to access.
Invest in security software
Defending your organization requires the necessary security software made to prevent ransomware attacks. Get software that protects from phishing emails and provides safe web browsing.
Secure your digital certificates
Digital certificates are like a computer identity, and are a way for a company network to communicate safely without being compromised. These digital certificates are used to authorize devices in a system to safely send messages and other vital information. There are two keys with each digital certificate: the public key and the private key. The public key is what encrypts the data, and you can only gain access by using the private key.
Require all macros to be code signed
Code signing has been used for several decades to guarantee that the code of a macro, program, or software download has not been corrupted or tampered with after it was signed by the sender. When someone needs to send their work, they use a public/private key pair to keep it secure. This is a way to verify the authenticity of the certificate, proving the software was not affected in transit. If the original key given matches the one received, it’s safe.
Keep security software up to date
One important thing to keep in mind is to always have your security software up to date. Each software update includes patches to the previous version. Patching is crucial to keep attackers at bay.
How to respond to a ransomware attack
1. Isolate infected device(s)
Time is not on your side when a ransomware attack occurs. The longer the affected device is connected to the enterprise network, the more damage may transpire. The first thing to do when malware is discovered is to isolate the device or devices infected. If there is no longer a connection to the network, the other potential targets cannot be reached.
2. Prevent further infection
As soon as the known threat is isolated, it’s time to find any other possible infections throughout the network. Search for encrypted files or computers acting strangely and shut them off to keep the data safe and stop the spread of the malware.
3. Locate source
Identify the source as soon as possible. This will help in tracking where the infection has spread. Ask employees if they’ve noticed any suspicious activity (especially in their email), and if they have clicked on any links or attachments in the suspicious emails. During your search, remember that there can be more than one source.
4. Report to authorities
Don’t forget to report the attack to your local authorities. Ransomware attacks are a crime and they must be treated as such. Law enforcement also may have access to tools that no one else has. A digital forensics expert will possibly be able to recover your encrypted data and catch the criminal, protecting your organization in the future.
5. Restore data through backups
Hopefully, prior steps were taken in the prevention process and backups were created. Assuming these backup files were not infiltrated, it’s time to restore the data. Wipe all infected devices clean and make sure the backups being uploaded will be protected. Once all devices have been properly examined, add the backup files to the drive. Hopefully, the backups were recent enough that there was minimal damage inflicted.
6. Check for decryption options
In the case where the backup files have been compromised or did not exist, look for possible decryptors. No More Ransom is a great source to find free decryptors and applications that could possibly help in your situation. While there is no guarantee, it is possible that you will find a decryption key that will work to restore your files.
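For step 2 above, one way to search for encrypted files is to measure byte entropy: file types that normally hold plain text score low, while ciphertext scores close to 8 bits per byte. The Python sketch below is an added example, not part of the original article; the extension list, the 7.5 threshold, and the sample file names are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed triage settings (not from the article); tune them per environment.
PLAIN_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".xml", ".html", ".sql"}
ENTROPY_THRESHOLD = 7.5  # bits per byte
SAMPLE_BYTES = 64 * 1024
MIN_BYTES = 256  # very small files give unreliable entropy estimates

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for plain text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def find_suspect_files(root: str) -> list:
    """Return sorted (path, entropy) pairs for text-type files that look encrypted."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Check every suffix so "payroll.csv.locked" still counts as a CSV.
            suffixes = {s.lower() for s in Path(name).suffixes}
            if not suffixes & PLAIN_EXTENSIONS:
                continue  # archives and media are high-entropy even when healthy
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # locked or unreadable: skip and keep scanning
            entropy = shannon_entropy(sample)
            if len(sample) >= MIN_BYTES and entropy >= ENTROPY_THRESHOLD:
                suspects.append((path, round(entropy, 2)))
    return sorted(suspects)

def demo() -> list:
    """Scan a constructed sample tree and return the flagged file names."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "report.txt").write_bytes(b"Quarterly revenue summary.\n" * 400)
        Path(root, "photos.zip").write_bytes(os.urandom(8192))  # healthy archive
        # Random bytes stand in for ciphertext left behind by ransomware.
        Path(root, "payroll.csv.locked").write_bytes(os.urandom(8192))
        return [os.path.basename(p) for p, _ in find_suspect_files(root)]

if __name__ == "__main__":
    print(demo())
```

Treat hits as leads for triage rather than proof, since legitimately compressed or encrypted data stored under a text extension scores the same.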
How Venafi can help
Venafi can help protect against malicious software through automated detection and remediation of risks. With proper machine identity management, you can get a comprehensive view of all machine identities, maintain active control over machine identities, maximize threat detection in encrypted traffic, and centralize your machine identity governance.
Secure your digital certificates with Venafi’s Trust Protection Platform and protect the identity of each machine from compromise. Having visibility into your digital certificates not only protects against ransomware and cyberattacks but also eliminates certificate-based outages. To secure your code signing private keys, automate approval workflows, and maintain an irrefutable record of all code signing activities, check out CodeSign Protect.
Interested in how InfoSec leaders are responding to the ransomware crisis? Download our Global Security Report to learn what security controls you need to stop the ransomware kill chain and prevent attacks on your organization.