
Ransomware: How it happens, why it's thriving, and how to avoid it


Ransomware is a malware payload loaded onto a computer system to encrypt its files. The attacker then demands payment in exchange for unlocking them. The ransomware epidemic is one of the most concerning cybersecurity threats to have emerged throughout the last decade.

The awareness of ransomware is certainly growing, and there is rarely a week that goes by where the latest attack isn’t being reported in the media. Reports suggest that the severity of each outbreak is ever-increasing and recent research hints that the number of ransomware infections will continue to rise sharply for many years to come.

How does it happen?

The ransomware payload must be delivered and installed before it can infect computer infrastructure, so the attackers must first compromise the system. There are three common attack vectors associated with every ransomware outbreak:

  • Malicious access gained by exploiting a vulnerability on the system
  • Access gained by deception
  • Access provided by rogue employee(s)

Vulnerabilities in operating systems and software, the exploit kits that target them, and weak security are the weaknesses most commonly exploited. A hacker exploits unpatched systems to gain unauthorised access.

Exploit kits are software utilities that target known weaknesses in software, such as an RDP attack on port 3389, authentication exploits in Adobe Flash or backdoors in Java applications. Combine these vulnerabilities with a weak security policy and you may as well leave the door wide open.
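A defender-side check for the RDP vector mentioned above, added here as an example and not taken from the article: it scans Windows-style logon records for a burst of failed RemoteInteractive (type 10) logons from one source followed by a success, which is the pattern an exposed port 3389 service produces under password guessing. The event ids 4625/4624 and logon type 10 are real Windows Security log values; the one-line record format and the sample entries are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): timestamp, event id, account, source ip, logon type.
# Windows Security log: 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = """\
2024-03-01T02:00:01 4625 administrator 203.0.113.7 10
2024-03-01T02:00:03 4625 administrator 203.0.113.7 10
2024-03-01T02:00:05 4625 admin 203.0.113.7 10
2024-03-01T02:00:06 4625 backup 203.0.113.7 10
2024-03-01T02:00:08 4625 administrator 203.0.113.7 10
2024-03-01T02:00:09 4625 administrator 203.0.113.7 10
2024-03-01T02:00:12 4624 administrator 203.0.113.7 10
2024-03-01T09:15:00 4625 alice 192.0.2.10 10
2024-03-01T09:15:20 4624 alice 192.0.2.10 10
"""

THRESHOLD = 5                   # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)   # ... within this sliding window

def parse(lines):
    """Parse the whitespace-separated records into typed tuples."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, eid, user, src, ltype = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), user, src, int(ltype)))
    return events

def find_rdp_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: {"failures": n, "success_as": account or None}}
    for every source whose failed RDP logons crossed the threshold."""
    failures = defaultdict(list)   # source ip -> timestamps of recent failed RDP logons
    alerts = {}
    for ts, eid, user, src, ltype in sorted(parse(lines)):
        if ltype != 10:            # only RemoteInteractive (RDP) logons matter here
            continue
        if eid == 4625:
            # keep only failures inside the window, then add this one
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) >= threshold:
                alerts.setdefault(src, {"failures": 0, "success_as": None})
                alerts[src]["failures"] = len(failures[src])
        elif eid == 4624 and src in alerts:
            alerts[src]["success_as"] = user   # guessing succeeded: treat as a compromise
    return alerts
```

A source that appears with a non-empty `success_as` is the one to isolate first; the single failure from 192.0.2.10 never crosses the threshold and is not reported.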

Deception is an extremely common method of gaining unauthorised system access. Spam emails, phishing, fake phone calls, fake websites, and fake software sites are all common ways to deceive an organisation. The sophistication of deception tactics has increased significantly, making some of the more advanced malware attacks difficult to spot, even for technically aware employees.

An insider, or rogue employee, is still a problem for cybersecurity professionals. Employees are trusted with privileged access to systems, but on rare occasions, this access can be abused or credentials sold on the dark web.

Why is it thriving?

Evidence suggests that the number of victims deciding to pay the ransom is increasing. In 2019, it was estimated that 15 per cent of all ransomware victims chose to pay the ransom. The hacking communities appear to be increasingly targeting enterprise and government organisations. This might be because the perceived financial rewards are greater.

Private sector businesses are still major targets, but more recently, the federal government, healthcare providers and the education sector have been frequently targeted. The trend of recent attacks focuses on causing major disruption to vital public facilities, such as city services or local government agencies.

The aim of the attackers is nearly always financial gain. They are in it to make money. We have observed that ransomware tactics are changing to fulfil this aim. Businesses known to hold insurance policies that cover ransomware outbreaks are deliberately targeted.

Hackers have also started releasing sensitive business data to try and force the victims to pay up quickly. It is thought that damaging the victim’s professional reputation is a quick win to being paid the ransom. It is always advised to never pay a ransom. It only reinforces the notion that ransomware works, and thus hackers will continue to exploit it.

How to avoid it?

Once infected by ransomware, it is very difficult to recover a system unless you have a good backup. Security experts are generally unable to recover the encryption keys and release decryptor tools, simply because the AES and RSA encryption methods used are, when correctly implemented, near impossible to break.

Most of the successful decryptors capitalised on poorly designed malware. Ransomware such as Dharma had a decryptor available for early builds of the malware; however, this created a so-called ransomware "arms race" where hacking teams would update the malware so that the decryptor is rendered useless.

Removing ransomware is not impossible. Many affected organisations bring aboard a third-party security team to help. An incident response firm’s up-close experience with ransomware can sometimes uncover unconventional recovery and restoration opportunities. Third-party resources also can guide organisations through the remediation process in order to reduce the risk of future attacks. 

Most of the advice available for avoiding ransomware consists of measures that protect the infrastructure as well as possible, such as ensuring your organisation has a satisfactory backup strategy with offsite data retention.

Disaster recovery capabilities, being able to stand up replacement infrastructure in the event of catastrophic failure, can give an organisation the edge in combating ransomware. Being able to continue core business operations will keep revenue flowing and your customers happy.

Other tips include ensuring that all computer infrastructure is patched with the latest security updates, enforcing a strict password policy that requires strong, complex passwords, and changing default passwords on hardware and public-facing servers.

Investing in employee security training is of paramount importance for any organisation. Employees are the gatekeepers to all internal computer systems. Training about the latest security threats and attack vectors such as phishing, whaling, and spoofing will prepare the company to prevent intrusion from spamming and phishing campaigns.

The tactics being used by hackers are ever-changing. AI/ML technology is helping to personalise ransomware campaigns for a targeted organisation, introducing problems such as personalised invoice demands sent to an accounts team, or spoofed emails targeting the executive teams.

Improvements in the sophistication of ransomware payloads have resulted in more believable deception techniques, which increase the probability that someone opens a malware payload or downloads an attachment from a campaign email because it appears to be something personal to the victim.

Christopher Gerg, CISO and Vice President of Cyber Risk Management, Tetra Defense

Christopher Gerg is the CISO and Vice President of Cyber Risk Management at Tetra Defense. He's a technical lead with over 15 years of information security experience.