Ransomware
A Growing threar for any Environment
A Growing threat for any environment
Ransomware
What is Ransomware?
Ransomware is a type of malicious software that gains access to files or systems and blocks user access to those files or systems.
Depending on the type of ransomware, all files, or even entire devices, are held hostage using encryption and malicious actors then demand ransom in exchange for a decryption key. This key allows the user to access the files or systems encrypted by the program.
Who are the Victims of Ransomware?
Any consumer and any business can be a victim of ransomware. Cybercriminals are not selective and are often looking to hit as many users as possible in order to obtain the highest profit.
History of Ransomware
First known ransomware date back to 1989 and that was named as AIDS Trojan which targeted Healthcare industry. To date, Healthcare industry remains a top target of Ransomware. So far, we have 1000+ variants of ransomware detected and the list is still
expanding.
New-age ransomware involves a combination of advanced distribution efforts such as pre-built infrastructures used to widely distribute new varieties. Also, the advanced development techniques used by attackers makes it’s extremely difficult to tackle.
The Economics on Ransomware
Ransomware is a sinister and costly form of malware that has taken the cybersecurity world and our businesses by storm. The top industries they see targeted against ransomware are healthcare, finance/insurance, government agencies, professional services, and education.
1. Location: Attackers target their highest ransom demands on developed Western economies, motivated by their perceived ability to pay larger sums.
2. Attack nature: There are many ransomware actors and many types of ransomware attack. Attackers who invest heavily in a targeted attack will be looking for high ransom payments in return for their effort.
3. Organization size: Ransomware actors adjust their ransom demand in line with their victim’s ability to pay, typically demanding higher payments from big companies.
The FBI and other government agencies recommend businesses never pay the ransom if attacked.
Downtime is costly than Ransom
Some of the Ransomware variants aims on disrupting the businesses completely and paying of ransom does not guarantee that the encryption files will be released.
According to few reports, downtime in the businesses are 50X costlier than the extortion amount.
How Does Ransomware Infect?
Attackers tries to break via any of the vulnerabilities in your environment to infect with ransomware. The worst part is, in some cases users and admins don’t aware how their environment affected with the ransomware. Most of the infection usually happens in following ways.
Attachment from the mails: Many breach to the enterprise are targeted via e-mail attachments. Attackers sends mail with attachments like PDF or word document and embed Ransomware on it. If the user tries to open the infected files, ransomware gets deployed automatically.
Mail Links: Malicious mail links is similar to infection with mail attachments. Attacker takes advantage by sending the mail to victims with link to sites which contains malware. If the user clicks on the link, they will be infected with ransomware even unknowingly.
Infected websites: Drive-by downloading occurs when a user navigates to the already infected website and the malware gets downloaded without the user’s knowledge.
Infection from Compromised systems: Systems which are already affected by the Ransomware will start spreading the infection to other systems within the network. This chain reaction may lead to compromise of entire systems in the environment.
What Happens if Ransomware Hits?
Ransomware leads to negative consequences like:
- Permanent loss of sensitive or proprietary information
- Disruption to the business operations
- Financial losses caused to restore the business
- Potential harm to the reputation of the organization
Following signs shows that you are affected by Ransomware:
An on-screen message pops up. You will likely see a pop-up message on the screen of the infected system.
This message will say something like “Oops your files have been encrypted” or “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
- The message will tell you to pay an amount of money (usually several hundred, often thous ands of dollars) in bitcoin or similar crypto currency, to receive a code that will decrypt the files
- The message will threaten to delete the encrypted files if you do not pay within a given time span.
- Attackers instil fear and panic into their victims, causing them to click on a link or pay a ransom.
Ransomware generally adds an extension to the encrypted files, such as .aaa, .micro, .encrypted, .ttt, .xyz, .zzz, .locky, .crypt, .cryptolocker, .vault, or .petya, to show that the files have been encrypted—the file extension used is unique to the ransomware type.
5 Phases of Ransomware Encryption
- Phase 1 – Infection: Initial entry into the system by means of spam email, phishing attack or an exploit kit—readily available on the Dark Web
- Phase 2 – Delivery: This phase enables the ransomware to encrypt files at a later date without requiring additional actions on the part of the user or ransomware command-and control center.
- Phase 3 – Backup Attack: CryptoLocker and Locky, two ransomware variants, execute commands to remove all shadow copies from infected systems. Other variants search for folders holding backup files and remove them.
- Phase 4 – Encryption: During this step, encryption keys are not established on the local system.
- Phase 5 – User Notification/Settlement and Remediation : The ransomware notifies the user of infection, demands payment and presents instructions for payment.
Responding to Ransomware Infection:
If you are suspicious and believe your system has been infected with Ransomware:
- Isolate from the Networks: Unplug the ethernet cable and disable other network adapters. Put your device to Airplane mode. This helps in preventing the spread to shared files and other resources.
- Disconnect all external devices like USB drives, external hard drives to avoid them getting compromised.
- Report the incident: Report the incidents to your security Admins and/or respective law officers. Your reporting will helps limiting the damage to the environment and reduce to recovery efforts.
- Secure your backups. Ensure that your backup data is offline and secure.
- Consult your Service Provider: Consult with your security Service providers or reach iLink Security experts from this link.
We Determine Ransomware Strain – What strain/type of ransomware? For example: Ryuk, Dharma, SamSam, etc. We collect as much information as possible about the incident, including log files, system images, samples of the encrypted files and the ransom note (if applicable) which may be useful for analysis.and provide support for recovery.
