What is Ransomware and How Does it Work?
Ransomware is a type of malicious software (malware) that encrypts files on a device and demands payment in order to decrypt them. The ransom is usually demanded in cryptocurrency, such as Bitcoin, to maintain anonymity.
- Ransomware typically spreads through phishing emails, compromised websites, or drive-by downloads. The user unknowingly downloads and executes the ransomware on their system.
- Once executed, the ransomware encrypts files on the infected device and any connected drives or networks. Encryption essentially scrambles the data in the files, making it inaccessible without the decryption key.
- A ransom note is displayed demanding payment within a short timeframe. If the ransom is not paid, the files remain encrypted forever. Even if paid, criminals may not decrypt the files.
- Ransomware not only targets personal devices but also organizations, hospitals, and businesses. This can result in massive disruption and financial damages.
A Brief History of Ransomware Attacks
Ransomware has been around for decades in various forms:
- The first ransomware emerged in 1989 called the AIDS Trojan. It hid files on the system and demanded payment for them to reappear.
- In the mid-2000s, early ransomware samples like GPCode, Archiveus, and Krotten began using encryption. However, these were simplistic and decryption keys could be recovered.
- Modern ransomware exploded around 2013 with families like CryptoLocker and CryptoWall being distributed widely. These used robust encryption schemes and cryptocurrency payments.
- Major attacks like WannaCry and NotPetya caused worldwide disruption in 2017 by targeting vulnerabilities in Windows systems.
- Currently, ransomware is extremely prevalent, evolving into data leak extortion tactics and increasingly targeting businesses.
Ransomware Families
There are numerous ransomware variants, but some major families include:
- Locky – Emerging in 2016, Locky was delivered via phishing emails with malicious Word documents. Infection spread rapidly across organizations.
- Cerber – Active since 2016, Cerber offered ransomware-as-a-service to affiliates for distribution. It was known for using .cerber file extension.
- SamSam – Discovered in 2016, SamSam infiltrated networks via vulnerable RDP connections instead of phishing. It hit several high-profile organizations.
- Ryuk – First seen in 2018, Ryuk is tailored to target enterprise networks and encrypt entire systems. It has been used in some of the largest attacks.
- REvil – Also known as Sodinokibi, REvil has been active since 2019 using exploit kits and affiliate programs. It extracts high ransom demands.
Common Ransomware Variants to Watch Out For
Some ransomware variants to watch for currently include:
- Conti – The Russia-linked Conti ransomware group has attacked hundreds of organizations demanding millions in ransom.
- Avaddon – Avaddon first appeared in 2019 and offers ransomware-as-a-service to affiliates. It uses double extortion tactics.
- DarkSide – DarkSide focuses on big game targets like critical infrastructure and has made headlines with the Colonial pipeline attack.
- MedusaLocker – MedusaLocker emerged in 2020 and abuses legal software like ConnectWise and cloud storage apps to spread.
- BlackMatter – Thought to be a successor of DarkSide, BlackMatter uses stealthy tactics to infiltrate networks undetected.
How to Prevent Ransomware Attacks
Preventing ransomware comes down to layered security and user awareness:
- Keep all software up-to-date, especially OS and applications. Ransomware often exploits known vulnerabilities.
- Use antivirus software to detect and block known malware. Also utilize firewalls to monitor network traffic.
- Backup critical data regularly. Store backups offline to recover files if encrypted.
- Enable multi-factor authentication everywhere to prevent account breaches.
- Exercise caution around emails, links, and downloads. Look for typos or grammatical errors.
- Restrict software installations on work devices to approved sources only.
- Develop a cyber incident response plan for deploying if an attack occurs.
How to Detect Ransomware
Acting fast if ransomware infiltrates systems is key to minimizing damage. Watch for these indicators:
- Unable to access certain files that state they are corrupted or encrypted
- A ransom note left in folders, desktop or splash screen demanding payment
- Increased CPU usage or sluggish performance as encryption runs
- Changes to files such as .encrypted extensions or odd filenames
- Disabled security tools or inability to access antivirus console
- Network issues like drives and printers becoming inaccessible
What to Do If You’re Hit With Ransomware
If you discover ransomware on your system or network:
- Isolate the infected device immediately by disconnecting from other devices and networks which may spread infection.
- Determine the strain if possible and research from trusted sources like the US CERT on appropriate steps.
- Alert cybersecurity professionals and leadership within your organization.
- Check backups to see if files can be restored through them. Do not restore before infected systems are cleaned.
- Consult law enforcement and cybersecurity experts on recommended actions, which may include full system formats.
- For businesses, alert customers and partners of potential exposure if personal data was impacted.
Should you Pay the Ransom?
Paying the ransom is controversial:
- Files may still remain encrypted after payment. Criminals do not always honor arrangements.
- It emboldens and funds criminals to continue attacks on others.
- It is not officially endorsed by law enforcement, and may be illegal.
- However, for businesses facing costly disruptions, paying can provide decryption keys to resume operations quickly in a crisis.
- Maintaining backups provides leverage in negotiations and the option not to pay.
How to Remove Ransomware
Removing ransomware requires removing all traces of infection:
- Boot the infected system into Safe Mode to prevent full encryption or damage.
- Use an offline, bootable antivirus scanner to clean the system fully without the ability for ransomware to defend itself.
- Backup files and then reset the system to factory settings or reimage if necessary for full disinfection.
- Change all account passwords and enable MFA after removing ransomware to prevent reinfection.
- Patch vulnerabilities, tighten permissions, and implement additional security controls like email filtering before rebooting systems.
How to Recover From Ransomware
To recover after a ransomware attack:
- Restore data from clean, uninfected backups once all traces of ransomware are removed from the system.
- If certain files must be rebuilt, cloud-synced content or external drives off the network during the attack may hold valid data.
- Leverage file versioning through cloud storage if enabled to roll back encrypted files.
- Consult a data recovery specialist if options are limited for extracting data from encrypted files.
- Update incident response plans with learnings, ensure backups are air-gapped, and provide training on ransomware prevention.
Ransomware presents a severe threat to businesses today. By keeping systems patched and updated, training employees on security best practices, and implementing layered defenses, organizations can protect themselves against attacks. Maintaining reliable backups provides the most effective defense against loss of data due to encryption. With the right preparation, businesses can limit damage and quickly restore operations if impacted by ransomware.
The importance of ongoing cybersecurity awareness training cannot be overstated. Employees are an organization’s first line of defense against ransomware, by recognizing suspicious emails and activity. Providing regular training ensures security protocols are understood and followed consistently across teams. A strong security culture built through education is crucial for keeping this devastating threat at bay.