What is Ransomware?
So what is Ransomware? Ransomware is a type of malicious program/application that gains access to your files or systems and blocks user access to those files or systems. Then, all files, or even entire devices, are held hostage using encryption until the victim pays a ransom in exchange for a decryption key. The key allows the user to access the files or systems encrypted by the program.
Ransomware is not new; it has been in global circulation for decades. Ransomware varieties have advanced in their capabilities, especially in evading detection, encrypting files, and coercing users into paying ransoms. Reverse engineering the encrypted files has also become harder as fraudsters have perfected their payload delivery and extortion techniques.
With ransomware holding steady as one of the most significant threats facing businesses and individuals today, it is no surprise that attacks are becoming increasingly sophisticated, more challenging to prevent, and more damaging to their victims.
How does Ransomware gain access?
Now that we have a loose definition of ransomware, let us go over a more detailed account of how these malicious programs gain access to a company’s files and systems. The term “ransomware” describes the function of the software, which is to extort users or businesses for financial gain. However, the program has to gain access to the files or system that it will hold ransom. This access happens through infection or attack vectors.
Malware and viruses share similarities with biological illnesses. Because of those similarities, their entry points are often called “vectors,” much as epidemiology uses the term for carriers of harmful pathogens. As in the biological world, there are a number of ways for systems to be corrupted and subsequently ransomed. Technically, an attack or infection vector is the means by which ransomware obtains access.
Email & Social Media
Another means of deception employed by ransomware assailants is to message victims on social media. One of the most prominent channels used in this approach is Facebook Messenger. Accounts that mimic a user’s current “friends” are created. Those accounts are used to send messages with file attachments. Once an attachment is opened, ransomware could gain access to and lock down networks connected to the infected device.
Ransomware facts and figures
There’s a lot of money in ransomware, and the market expanded rapidly from the beginning of the decade. In 2017, ransomware resulted in $5 billion in losses, both in terms of ransoms paid and spending and lost time in recovering from attacks. That’s up 15 times from 2015. In the first quarter of 2018, just one kind of ransomware software, SamSam, collected $1 million in ransom money.
Some markets are particularly prone to ransomware—and to paying the ransom. Many high-profile ransomware attacks have occurred in hospitals or other medical organizations, which make tempting targets: attackers know that, with lives literally in the balance, these enterprises are more likely to simply pay a relatively low ransom to make a problem go away. It’s estimated that 45 percent of ransomware attacks target healthcare orgs, and, conversely, that 85 percent of malware infections at healthcare orgs are ransomware. Another tempting industry? The financial services sector, which is, as Willie Sutton famously remarked, where the money is. It’s estimated that 90 percent of financial institutions were targeted by a ransomware attack in 2017.
If you have anti-malware software installed it won’t necessarily protect you. Ransomware is constantly being written and tweaked by its developers, and so its signatures are often not caught by typical anti-virus programs. In fact, as many as 75 percent of companies that fall victim to ransomware were running up-to-date endpoint protection on the infected machines.
While ransomware has technically been around since the ’90s, it’s only in the past five years or so that it’s really taken off, largely because of the availability of untraceable payment methods like blockchain-based cryptocurrencies, e.g. Bitcoin.
Some of the worst offenders have been:
- CryptoLocker, a 2013 attack that launched the modern ransomware age and infected up to 500,000 machines at its height.
- TeslaCrypt, which targeted gaming files and saw constant improvement during its reign of terror.
- SimpleLocker, the first widespread ransomware attack that focused on mobile devices.
- WannaCry, which spread autonomously from computer to computer using EternalBlue, an exploit developed by the NSA and then stolen by hackers.
- NotPetya, which also used EternalBlue and may have been part of a Russian-directed cyberattack against Ukraine.
- Locky, which started spreading in 2016, was “similar in its mode of attack to the notorious banking software Dridex.”
How to prevent ransomware
There are a number of defensive steps you can take to prevent ransomware infection. These steps are, of course, good security practices in general, so following them improves your defenses against all sorts of attacks:
- Patching – Keep your operating system patched and up-to-date to ensure you have fewer vulnerabilities to exploit.
- Application Whitelisting – Don’t install software or give it administrative privileges unless you know exactly what it is and what it does. Make sure you maintain an approved application list for the entire organization.
- Anti-virus/Malware Service – Use a service that detects malicious programs like ransomware as they arrive. Some include whitelisting capabilities which prevent unauthorized applications from executing in the first place.
- Extend your Perimeter – Use an email and social media filtering service, preferably cloud-based. This will detect malicious attachments and files, and many, like Spambrella, also scan URLs for malicious actors.
- Adopt the 3:2:1 approach – Create three backup copies, on two different types of media, and store one copy securely off site on an air-gapped device, one that is not networked or accessible over the internet.
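
An added example, not part of the original article: one way to audit a folder against the approved application list described in the whitelisting item above, matching files by SHA-256 hash rather than by name so that an altered copy of an approved program is still flagged. The function names, the suffix list and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumed for illustration: file types treated as runnable even without an exec bit.
RISKY_SUFFIXES = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat"}

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def is_runnable(path):
    """True if the file has a POSIX execute bit or a risky suffix."""
    has_exec_bit = bool(os.stat(path).st_mode & 0o111)
    return has_exec_bit or os.path.splitext(path)[1].lower() in RISKY_SUFFIXES

def audit(root, approved_hashes):
    """Return relative paths of runnable files whose SHA-256 is not approved."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip links and special files; audit real content only
            if is_runnable(path) and sha256_file(path) not in approved_hashes:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def demo():
    # Constructed sample tree, audited against a one-entry approved list.
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data, mode):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)
            os.chmod(path, mode)
            return path
        good = put("bin/backup-agent", b"approved build 1.0\n", 0o755)
        approved = {sha256_file(good)}  # stands in for the organisation's list
        put("tmp/backup-agent", b"approved build 1.0 + injected\n", 0o755)  # same name, altered
        put("downloads/invoice.pdf.exe", b"unknown attachment\n", 0o644)
        put("docs/notes.txt", b"plain data\n", 0o644)  # data file, ignored
        return audit(root, approved)

if __name__ == "__main__":
    print(demo())
```

In practice the approved hashes would be loaded from the organisation's maintained approved application list rather than computed from a file in the audited tree.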