The cybersecurity world is constantly evolving with new forms of threats and vulnerabilities, but ransomware has proved to be a different animal: among the most destructive and persistent, notoriously hard to prevent, and showing no sign of slowing down.
Falling victim to a ransomware attack can mean significant data loss, a data breach, operational downtime, costly recovery, legal consequences, and reputational damage.
In this story, we have covered everything you need to know about ransomware and how it works.
What is ransomware?
Ransomware is malicious software that takes control of the infected device, encrypts files, and blocks the user's access to the data or the system until a sum of money, the ransom, is paid.
The scheme relies either on a ransom note, stating the amount and the instructions for paying in return for the decryption key, or on direct communication with the victim.
While ransomware hits businesses and institutions of every size and type, attackers often go after healthcare, education, IT, government, and finance organizations with deeper pockets, causing damage that ranges from hundreds of millions to billions of dollars.
Ransomware attacks started picking up in 2012, and since then it has become one of the most pervasive kinds of cyber-attack across the world.
For instance, HelloKitty ransomware hit the Polish video game developer CD Projekt Red last week using a now popular tactic: the attackers threatened to leak the source code of its games, including Cyberpunk 2077, The Witcher 3, and Gwent, along with confidential company files.
And it actually happened. After CD Projekt announced that it would not pay the ransom, the attackers put the stolen data up for auction on a hacker forum.
And it isn't the only example. Ransomware has always been one of the most popular kinds of malicious sample uploaded to the ANY.RUN malware analysis sandbox: over 124,00 interactive sessions with ransomware were analyzed online in 2020 alone.
From a locker to the enterprise
One of the ways to protect against attacks is awareness; enterprise executives and employees alike need to understand this type of threat.
In this article, we take a look at the history of ransomware:
The first ransomware
The first known ransomware attack was carried out in 1989 by Joseph Popp, an AIDS researcher, who distributed 20,000 malicious floppy disks to AIDS researchers in more than 90 countries, claiming that the disks contained a survey program. Since then, ransomware has evolved considerably and acquired many more features.
Locker ransomware
In 2007, a new category of ransomware appeared: locker ransomware. Rather than encrypting files, it locks the victim out of the device, typically by taking over the computer's or device's user interface and demanding a fee to restore access to it.
WinLock, for example, demanded a $10 ransom for the unlocking code. Later, Citadel, Lyposit, and Reveton took over the screen with a fake fine notice purporting to come from a law enforcement agency.
Scareware
In later years, attackers changed strategy to capitalize on fear by spreading fake applications and antivirus (AV) programs. The attack shows the victim a pop-up message claiming that the computer has been infected with viruses.
It lures the victim to a website where they are asked to pay for software that will supposedly fix the problem. Everything looks trustworthy: logos, color schemes, and other copied branding.
From that point on, criminals understood that it was much easier to compromise a number of websites, focus on phishing, and automate the whole process.
Crypto ransomware
In 2013, CryptoLocker brought file-encrypting ransomware into the mainstream. It typically arrived as an email attachment and was distributed through the Gameover ZeuS botnet. CryptoLocker encrypted the victim's files and demanded a bitcoin payment to unlock them.
If the ransom was not received within three days, the amount doubled. Successors such as CryptorBit, CryptoDefense, CryptoWall, and WannaCry broadened the lures, and WannaCry went further by exploiting an SMB vulnerability to spread between machines on its own.
The latest step in that evolution is ransomware-as-a-service, which first appeared in 2015 with the launch of the Tox toolkit. It gave would-be cybercriminals the option to build custom ransomware with advanced evasion capabilities.
Enterprise ransomware
Ransomware operators then levelled up to the enterprise stage, preferring to deal with large organizations and threaten them with a possible outbreak.
For example, a target receives an email threatening a distributed denial-of-service (DDoS) attack unless a ransom is paid.
Another variant is the data-compromise ransom: the criminal threatens to publish stolen information unless the target pays. This tactic works well at the enterprise level, because companies do not want to put their reputation at stake.
It is clear that the malware will continue to evolve, perhaps into hybrid attacks that combine it with other malware families.
The attack in detail
Now that we know the history and types of ransomware, it's time to understand how an attack works.
- Deployment: In the first step, the attackers deliver the components used to infect, encrypt, or lock the system. These are downloaded without the user's knowledge, through phishing or after exploiting a flaw in the targeted system.
- Installation: Once the payload is downloaded, infection begins. The malware drops a small file that is often capable of defense evasion. The ransomware executes and attempts to gain persistence on the infected system, for example by adding itself to the autorun registry keys, so that it survives a reboot and keeps the attackers' foothold.
- Command-and-Control: The malware then connects to the attackers' command-and-control (C2) server to receive instructions and, above all, to handle the asymmetric key pair: the private key needed for decryption is generated and kept on the attackers' side, out of the victim's reach.
- Destruction: Once the files have been encrypted, the malware deletes the originals, so the only way to get them back is to decrypt the encrypted copies (or to restore from a backup the malware could not reach).
- Extortion: Here come the ransom notes. The victim learns that the data is compromised. The amount demanded varies with the type of target. To confuse and scare the victim, the attackers may delete some files from the computer. And even if the user pays, there is no guarantee that the data will be restored or that the ransomware itself will be removed.
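The stages above map directly onto behaviours an endpoint sensor can see. As an added illustration (not code from this article or from ANY.RUN), the following Python script runs three simple detections over a constructed telemetry sample: a process registering itself under an autorun Run key (Installation), a burst of files replaced by copies with a new extension while the originals are deleted (Destruction), and the same note file dropped into many directories (Extortion). The pipe-separated log format, the process names and paths, and the thresholds are all assumptions chosen for the example.

```python
"""Behavioural triage of endpoint telemetry for the ransomware stages described above.

Added example: the log format, process names and thresholds below are assumptions
chosen for illustration, not a real sensor format or vendor detection logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs): "time|pid|image|event|detail".
SAMPLE_LOG = r"""
2021-02-15T10:00:01|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|RegValueSet|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd
2021-02-15T10:00:02|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|FileCreate|C:\Users\alice\Documents\report.docx.locked
2021-02-15T10:00:02|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|FileDelete|C:\Users\alice\Documents\report.docx
2021-02-15T10:00:02|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|FileCreate|C:\Users\alice\Documents\budget.xlsx.locked
2021-02-15T10:00:02|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|FileDelete|C:\Users\alice\Documents\budget.xlsx
2021-02-15T10:00:03|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|FileCreate|C:\Users\alice\Pictures\holiday.jpg.locked
2021-02-15T10:00:03|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|FileDelete|C:\Users\alice\Pictures\holiday.jpg
2021-02-15T10:00:03|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|FileCreate|C:\Users\alice\Desktop\thesis.pdf.locked
2021-02-15T10:00:03|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|FileDelete|C:\Users\alice\Desktop\thesis.pdf
2021-02-15T10:00:04|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|FileCreate|C:\Users\alice\Desktop\keys.kdbx.locked
2021-02-15T10:00:04|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|FileDelete|C:\Users\alice\Desktop\keys.kdbx
2021-02-15T10:00:05|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|FileCreate|C:\Users\alice\Documents\README_RESTORE.txt
2021-02-15T10:00:05|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|FileCreate|C:\Users\alice\Pictures\README_RESTORE.txt
2021-02-15T10:00:05|4120|C:\Users\alice\AppData\Local\Temp\upd.exe|FileCreate|C:\Users\alice\Desktop\README_RESTORE.txt
2021-02-15T10:30:00|880|C:\Windows\explorer.exe|FileCreate|C:\Users\alice\Documents\notes.txt
2021-02-15T10:30:01|880|C:\Windows\explorer.exe|FileDelete|C:\Users\alice\Documents\old.txt
"""

RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
ENCRYPT_WINDOW = timedelta(seconds=60)  # original must be deleted this close to its encrypted copy
ENCRYPT_THRESHOLD = 5                   # replaced files per process before alerting (assumed value)
NOTE_THRESHOLD = 3                      # directories receiving an identically named new file


def parse(text):
    """Turn the pipe-separated lines into event dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, image, event, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "image": image, "event": event, "detail": detail})
    return events


def detect_run_key_persistence(events):
    """Installation stage: a process writing a value under an autorun (Run/RunOnce) key."""
    return [{"rule": "run_key_persistence", "pid": e["pid"], "key": e["detail"]}
            for e in events
            if e["event"] == "RegValueSet"
            and any(m in e["detail"].lower() for m in RUN_KEY_MARKERS)]


def detect_encrypt_and_delete(events):
    """Destruction stage: many files replaced by a copy with an appended extension
    while the same process deletes the original within a short window."""
    created, deleted = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event"] == "FileCreate":
            created[e["pid"]].append((e["ts"], e["detail"].lower()))
        elif e["event"] == "FileDelete":
            deleted[e["pid"]].append((e["ts"], e["detail"].lower()))
    hits = []
    for pid, dels in deleted.items():
        appended = []  # extensions appended to originals that were then deleted
        for dts, dpath in dels:
            for cts, cpath in created.get(pid, []):
                if cpath.startswith(dpath + ".") and abs(cts - dts) <= ENCRYPT_WINDOW:
                    appended.append(cpath[len(dpath):])
                    break
        if len(appended) >= ENCRYPT_THRESHOLD:
            hits.append({"rule": "encrypt_and_delete", "pid": pid,
                         "files": len(appended), "extensions": sorted(set(appended))})
    return hits


def detect_ransom_note_spray(events):
    """Extortion stage: one process drops an identically named file into many directories."""
    dirs_by_name = defaultdict(set)
    for e in events:
        if e["event"] == "FileCreate":
            p = PureWindowsPath(e["detail"])
            dirs_by_name[(e["pid"], p.name.lower())].add(str(p.parent).lower())
    return [{"rule": "ransom_note_spray", "pid": pid, "name": name, "directories": len(dirs)}
            for (pid, name), dirs in dirs_by_name.items() if len(dirs) >= NOTE_THRESHOLD]


def triage(log_text):
    """Run all three rules and attach the responsible process image to each finding."""
    events = parse(log_text)
    image_of = {e["pid"]: e["image"] for e in events}
    findings = (detect_run_key_persistence(events)
                + detect_encrypt_and_delete(events)
                + detect_ransom_note_spray(events))
    for finding in findings:
        finding["image"] = image_of[finding["pid"]]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run as a script it prints one finding per rule, all attributed to the process in the user's Temp directory, while the ordinary file activity of explorer.exe stays quiet. In production the Run-key rule needs an allowlist of legitimate installers, and the replacement rule has to be tuned against backup and sync agents, which also rewrite many files in a short time.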
Source: The Hacker News