Introduction

As the frequency of attacks grows, so does the threat actors’ drive for profit. In some real cases, attacks have affected not only the target company’s finances but also lives (one example is the ransomware attack on a hospital in Düsseldorf).

What is Ransomware?

Ransomware is a type of malicious software used by cybercriminals. When a device is infected with ransomware, the malware can block access to the system and encrypt data. The aim is to hold the victim’s information for ransom until the intruder gets paid. The ransomware threat is growing steadily and has already generated billions of dollars in damage.

Various industries are exposed to ransomware attacks. The list is dominated by far by the industrial sector, education and healthcare, followed by:

  • education
  • retail
  • business
  • legal services
  • IT
  • financial services
  • central government

Ransomware attacks can affect both individuals and big companies. That is why building defenses against ransomware should be a top cybersecurity concern.

What are the most common types of ransomware?

Ransomware is, inarguably, one of the most evasive cyber threats. Its variants, or strains, keep evolving and take several forms, some of which are:

Locker ransomware: the malware blocks access to the main functionality of the device, so the only option left to the victim appears to be paying the ransom. A locker does not target critical files themselves; it only blocks access to them.

Crypto ransomware: the main goal of crypto ransomware is to encrypt your important data without interfering with the attacked device’s main functionality. The victim cannot access the files, and in most cases the intruder sets a deadline for paying the ransom. The attacker threatens to delete the data if the victim does not pay in time.

RaaS (Ransomware-as-a-Service): in the contemporary world, almost any activity can be turned into a service, and this is the current phase in the evolution of ransomware. Attackers no longer need to write their own malware code, since it can simply be ordered. A dedicated platform gives offenders everything they need to conduct a ransomware attack.

Big Game Hunting: attackers are aware that the larger the target, the greater the profit. That is why the last few years have seen a visible increase in attacks on big companies from different industries, such as banks and financial institutions, private and public industries, healthcare, IT, etc. A well-known example is the OldGremlin group.

Double Extortion technique: this involves both encrypting the victim’s data and publishing it on a Dedicated Leak Site (DLS). Today, ransomware operators usually first publish a small sample of the data to show the scope of the attack and promise to delete it once the ransom is paid. However, there have been cases where the links to the compromised files remained available even after the demand was met.

Scareware/Fake ransomware: a type of malicious software that disguises itself as a ransomware attack but does not encrypt any data. Instead, it intimidates the victim into paying a ransom by claiming that their files or devices have been infected when this is not the case. The goal of scareware is to trick the victim into paying without the attacker having to provide any means of data recovery.

Ransomware: The Evolution Timeline

The first ransomware attack took place in 1989 and was delivered on a physical disk. Today we may ridicule a delivery method that relies on a physical disk, but back then it had grave repercussions. Since then, ransomware has grown far more evasive.

These are the most prominent ransomware attackers, but they are only part of the bigger picture. Let’s see how attackers have changed their targets and tactics over the years:

2006 – the most popular ransom type was crypto ransomware, where victims had to buy something to obtain the password to their data.

2008 – to prevent the extortion, the Bitcoin currency was created. That event was a major milestone in ransomware history.

2009 – 2012 – crypto-ransomware gained momentum, leading to a spike in victim intimidation tactics. Examples include the Vundo virus, the Reveton worm and the Citadel toolkit.

2013 – 2015 – the first RaaS appeared and ransomware attacks became more sophisticated. The number of victims grew constantly.

2016 – 2017 – ransomware attacks became multiplatform and losses soared to $4 billion.

2018 – 2019 – attacks targeted cloud infrastructures. They leveraged advanced detection evasion and post-attack analysis obstruction features.

2020 – 2021 – the Big Game Hunting trend appeared. State-sponsored actors also gained traction.

2021 – 2022 – increased focus on data exfiltration and developing tools for hybrid infrastructure. Ransomware attacks started developing tailored approaches for key targets.

The current target patterns

Big companies

Attackers have become less concerned about specific industries and more about the scale and scope of their attacks. The main target for modern attackers is large enterprise networks, as these promise the largest possible ransom in the event of a successful attack.

New tools

The ability to conduct multiplatform attacks lets ransomware grow and capture more areas, all to expand profits. By covering Windows, Linux and mobile operating systems, attackers achieve their goals faster and more efficiently.

More RaaS

More and more ransomware families are being created by recruits from underground forums rather than by the attackers themselves. This makes it increasingly difficult to track the authors of the malware, and law enforcement action may be delayed indefinitely.

Commodity malware

Ransomware operators use commodity malware to deliver weaponized content. Research by Group-IB Threat Intelligence specialists identifies the most popular malware used for this purpose in the last few years.

Malware, its delivery overview, and the ransomware it has been observed delivering:

  • Trickbot – own spam campaigns with various malicious attachments. Ransomware: Ryuk, Conti, REvil, RansomExx
  • Qakbot – weaponized scripts, documents and spreadsheets. Ransomware: ProLock, Egregor, DoppelPaymer
  • Dridex – focused on links rather than attachments. Ransomware: DoppelPaymer
  • IcedID – focused on weaponized documents that can be included in password-protected archives. Ransomware: RansomExx, Maze, Egregor
  • Zloader – weaponized password-protected spreadsheets, documents and zipped scripts. Ransomware: Ryuk, Egregor
  • SDBBot – HTML attachments that redirect users to compromised websites. Ransomware: Clop
  • Buer – Malware-as-a-Service, spread through phishing emails with malicious links. Ransomware: Maze, Ryuk
  • Bazar – Ransomware: Ryuk
  • SocGholish – spread through phishing emails, tricking users into downloading fake browser updates. Ransomware: Evil Corp
  • Hancitor – phishing emails with links and weaponized documents. Ransomware: Cobalt Strike Beacon

Group-IB specialists produce a unique stream of insights that helps security professionals and stakeholders understand the current threat landscape and pivot their cybersecurity strategies accordingly. Our Ransomware reports (the 2020-2021 and 2021-2022 reports are currently available) can help monitor and analyze the most persistent security threats specific to businesses, follow their evolution and develop countermeasures accordingly.

State-sponsored actors

In recent years, more state-sponsored ransomware actors have appeared on the scene. They conduct espionage campaigns alongside various cases of open military confrontation. In some situations, this can lead to the complete destruction of an entire company. State-sponsored attackers have become less isolated and increasingly use public tools and information from underground forums.

Rebranding

Some ransomware activity attracted a lot of attention, even from governments. As a consequence, the attackers started a new trend: old and well-known malware was given new names, and RaaS programs were rebranded.

Business Hindrance

The expected result of any successful ransomware attack is a threat to the victim’s assets, income and ability to operate. By blocking access to the company’s assets, intruders affect not only the company itself but also its clients, which can reduce trust in the company and harm its future performance. Once an attacker is inside a corporate infrastructure, their actions can halt the company’s operations entirely. Such downtime can lead to huge losses and irreparable consequences.

Personal data

By depriving the victim of the ability to access confidential or important documents and files, the intruder’s strategy is to wait for panic to set in and then demand a ransom in return for restoring access.

How can you defend your business against Ransomware?

Ransomware is a serious threat that organizations worldwide need to defend against. Here’s how:

  • Enable comprehensive protection: stakeholders need to review and revamp their information security infrastructure and enable multi-layered defense capabilities.
  • Integrate advanced information security capabilities: the best defense against cyber threats is a good offense. Therefore, organizations need to constantly monitor their assets and have all the tools necessary to detect and rapidly respond to incidents. Learn how Group-IB’s Managed XDR, an automated solution, covers a range of attack vectors to keep your assets secured from all ends.
  • Employee training: educate your employees about the risks pertaining to the organization’s network, assets, devices and infrastructure. The human factor has always been one of the greatest vulnerabilities. Organizations can prevent employees from making mistakes with regular training and security awareness checks.
  • Control vulnerabilities: do not turn a blind eye to possible vulnerabilities. An annual technical audit of your infrastructure is not only a good habit but also adds a much-needed layer of protection. Infrastructure integrity needs to be monitored continuously.
  • Never pay the ransom: the main rule in case of an attack, if your data is confiscated by the offender, is not to pay the ransom. Cybercriminals are money-driven and have a list of tricky methods to make you pay more. Even if one attacker gives your data back, others will learn of your gullibility and readiness to pay, leading to an increase in the number of attacks. The best next step is to contact Incident Response experts as soon as possible.

Conclusion

Organizations and individuals can take preliminary actions to prevent ransomware attacks. But in most cases, they do not have the necessary resources to respond strategically in the event of an attack. That is where experts pitch in to help make your IT security robust and impenetrable by building a multi-layered approach to monitoring, detecting and responding to incidents. Learn how Group-IB’s next-gen technology solutions help organizations strengthen their security posture, advance their response capabilities and promptly mitigate attacks of varying nature and degree.

Build an end-to-end ransomware protection strategy with our experts.