Ransomware attacks have been the most prominent threat to enterprises, SMBs, and individuals alike in the last decade. In the last few years, organizations the world over have experienced a sharp uptick in ransomware attacks. From CryptoLocker to WannaCry and NotPetya, these attacks highlight the evolution of ransomware over the years.
Ransomware is a type of malicious program that denies the victims access to their files or systems. It holds the victims' files or the entire devices hostage using strong encryption until the victim pays a ransom.
While ransomware has been around since the beginning of this century, ransomware variants have grown increasingly advanced in their capabilities, such as spreading more quickly, evading detection, encrypting files with strong encryption, and forcing victims into paying ransoms.
New-age ransomware attacks are carried out using a combination of advanced distribution methods. Cybercriminals have started to use pre-built infrastructures to distribute new ransomware variants. These variants come preloaded with crypters, which make reverse-engineering extremely difficult.
Also known as ransom malware, ransomware is a form of malware that limits your access to your system or personal files. Cybercriminals take control of your system and demand ransom to allow you to access it.
Types of Ransomware Attacks
- CryptoLocker Ransomware
- WannaCry Ransomware
- Cerber Ransomware
- CryptoWall Ransomware
- Locky Ransomware
- GoldenEye Ransomware
- Jigsaw Ransomware
The CryptoLocker botnet is one of the oldest forms of cyber attack and has been around for the past two decades. CryptoLocker ransomware came into existence in 2013, when hackers used the original CryptoLocker botnet approach to distribute ransomware.
CryptoLocker ransomware is the most destructive form of ransomware since it uses strong encryption algorithms. It is often impossible to decrypt (restore) the files on a CryptoLocker-infected computer without paying the ransom.
WannaCry is the most widely known ransomware variant across the globe. The WannaCry ransomware attack affected nearly 125,000 organizations in over 150 countries. Alternative names for WannaCry include WCry and WanaCrypt0r.
Cerber ransomware targeted cloud-based Office 365 users. Millions of Office 365 users have fallen prey to an elaborate phishing campaign carried out by the Cerber ransomware.
CryptoWall is an advanced form of CryptoLocker ransomware. It came into existence in early 2014, after the downfall of the original CryptoLocker variant. Today, there are multiple variants of CryptoWall in existence, including CryptoDefense, CryptoBit, CryptoWall 2.0, and CryptoWall 3.0.
Locky is another ransomware variant, designed to lock the victim's computer and prevent them from using it until a ransom is paid. It usually spreads through a seemingly benign email message disguised as an invoice.
GoldenEye is similar to the infamous Petya ransomware. It spreads through a massive social engineering campaign that targets human resources departments. When a user downloads a GoldenEye-infected file, it silently launches a macro which encrypts files on the victim's computer.
Jigsaw ransomware is especially damaging because it encrypts files and then progressively deletes the encrypted files until a ransom is paid. It deletes files one after the other on an hourly basis until the 72-hour mark, when all the remaining files are deleted.
In the Locky case, when a user opens the email attachment, the invoice content is removed automatically and the victim is directed to enable macros to read the document. Once the victim enables macros, the macro begins encrypting multiple file types using AES encryption.
Apart from the list of ransomware mentioned above, Petya, NotPetya, TeslaCrypt, TorrentLocker, ZCryptor, etc., are some of the other ransomware variants that are well-known for their malicious activities.
Ransomware is a critical threat to your computer and your data. By practicing safe computing habits and by using up to date security software, you can protect your systems from falling prey to ransomware attacks.
How Ransomware Works
Ransomware works in a variety of ways to gain control over your computer. The most common involves phishing emails carrying malicious attachments. These are sent to the victim’s email address and appear to be files that can be trusted.
The victim downloads and opens the files, and that is when everything goes south. The cybercriminals who sent the malware take over the victim’s computer system and shut the user out.
This is especially easy when the malware includes social engineering tricks that persuade you to grant it administrative access.
Other attacks are more aggressive: they exploit security vulnerabilities in the targeted system and do not have to trick users into allowing administrative access at all.
Once the malware is in control of your system, it can perform several functions including encrypting some of your files. You will not be able to decrypt your files without a mathematical key only accessible to the attacker.
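Encryption ransomware leaves a measurable trace on disk: ciphertext is close to uniformly random, so its byte entropy is near 8 bits per byte, and it tends to arrive as a burst of rewrites across many files in a short time. The following is an added defensive example, not code from the original article; it computes Shannon entropy over constructed sample files and flags a burst of high-entropy writes. The file names, contents and event timestamps are all constructed for the demonstration, and the SHA-256 chain only stands in for encrypted output so that the sample is deterministic.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, Iterable, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: encrypted (or compressed) content sits close to 8 bits/byte.

    Compressed archives and media also score high, so treat this as a triage
    signal to combine with other evidence, not as proof of ransomware.
    """
    return shannon_entropy(data) >= threshold


def pseudo_ciphertext(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes that stand in for encrypted file content."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample "files": two readable documents and two that were rewritten
# as ciphertext with a new extension, as a ransomware family typically does.
SAMPLE_FILES: Dict[str, bytes] = {
    "quarterly_report.docx": b"Revenue grew modestly in the third quarter. " * 60,
    "notes.txt": b"meeting at 10, review the backup rotation, call vendor\n" * 40,
    "quarterly_report.docx.locked": pseudo_ciphertext(4096),
    "photo.jpg.locked": pseudo_ciphertext(4096, seed=b"second-sample"),
}


def triage(files: Dict[str, bytes], threshold: float = 7.5) -> Dict[str, float]:
    """Return {name: entropy} for every file whose content looks encrypted."""
    return {
        name: round(shannon_entropy(content), 2)
        for name, content in files.items()
        if looks_encrypted(content, threshold)
    }


def high_entropy_write_burst(
    events: Iterable[Tuple[float, str, bytes]],
    window_s: float = 60.0,
    min_files: int = 10,
) -> bool:
    """True when at least min_files high-entropy writes land within any window_s span.

    events are (timestamp_seconds, path, content_written) tuples, e.g. from a
    file-system audit feed. A burst of near-random rewrites is the classic
    signature of a ransomware encryption loop.
    """
    times = sorted(t for t, _path, content in events if looks_encrypted(content))
    start = 0
    for end, t in enumerate(times):          # two-pointer sliding window
        while t - times[start] > window_s:
            start += 1
        if end - start + 1 >= min_files:
            return True
    return False


# Constructed audit events: 12 encrypted rewrites one second apart (an attack
# pattern) versus the same 12 spread over 20 minutes (ordinary activity).
BURST_EVENTS = [(float(i), f"docs/file{i}.locked", pseudo_ciphertext(512, seed=bytes([i])))
                for i in range(12)] + [(5.0, "docs/todo.txt", b"plain text note\n" * 20)]
SPREAD_EVENTS = [(100.0 * i, f"docs/file{i}.locked", pseudo_ciphertext(512, seed=bytes([i])))
                 for i in range(12)]


if __name__ == "__main__":
    print("flagged:", triage(SAMPLE_FILES))
    print("burst detected:", high_entropy_write_burst(BURST_EVENTS))
    print("spread detected:", high_entropy_write_burst(SPREAD_EVENTS))
```

In practice the entropy check would run on the content of recently modified files reported by an audit or EDR feed, and the burst detector would key on the writing process so that a legitimate archiver or backup job can be allowed through while an unknown process rewriting hundreds of user documents is stopped.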
The attacker then sends you a message to let you know that they control your system and that your files are inaccessible. The only way you can get them back is by making an untraceable cryptocurrency payment.
Yet another form of ransomware attack involves the attacker posing as a law enforcement agency. They will claim to be in the process of shutting your computer down for reasons such as the following:
- Your computer contains pornography
- Your computer contains pirated software
They will demand a fine, probably to discourage you from reporting the attack to the authorities. However, many ransomware attacks skip the pretense altogether.
There are also attacks known as leakware or doxware. The cybercriminal threatens to leak sensitive data on your hard drive unless you pay a ransom.
Of all these attacks, encryption ransomware is the most common. Many attackers will not bother to pose as authorities. Also, finding and extracting data from hard drives is not a straightforward process. Hence, encryption is the preferred variation for many attackers.
Many attackers target organizations, and they have various ways of choosing their victims. If they find an opportunity, they will not pass it up. Learning institutions, for instance, may be prime targets for a couple of reasons:
- Their security teams are smaller
- The user base is diverse
With a diverse user base, there is a lot of file sharing. This makes it easier for cybercriminals to get past an institution’s defenses.
Huge and established conglomerates may also be prime targets because they are likely to pay ransoms fast. They have to protect their interests and cannot afford to halt operations for a long period.
Financial institutions have a lot to lose if their customers’ data falls into the wrong hands. Government agencies as well as medical institutions must be able to access their files immediately.
Organizations that deal with sensitive data may pay up quickly to halt the leakage of that data. Establishments such as law firms are especially vulnerable to leakware attacks. Celebrities may also be vulnerable to ransomware attacks; several of them, such as Bette Midler, Lady Gaga, and Bruce Springsteen, may have been victims.
Do not assume you are safe because you do not fall into any of the mentioned groups. Ransomware does not discriminate and it spreads automatically all over the internet.
How to Stop Ransomware
To prevent ransomware:
- Keep your operating system patched and up to date
- Avoid installing software or granting administrative access unless you know exactly what it is and what it does
- Install good antivirus software that can detect malicious software and block it from accessing your system
- Back up your files regularly, and automate the process
While you may not be able to stop every malware attack, you can reduce the damage one would cause.
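The backup step above is what turns a ransomware incident from a catastrophe into an outage, but only if the backup is a separate snapshot that the malware cannot overwrite and its integrity is checked before restoring from it. The following is an added example, not code from the original article: it copies a source directory into a fresh, timestamped snapshot, records a SHA-256 manifest, and verifies the snapshot later so that a backup copy that was itself encrypted is caught before it is restored. The directory layout, file contents and snapshot label are constructed for the demonstration and the whole run happens inside a temporary directory.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional, Tuple

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src: Path, dest_root: Path, label: Optional[str] = None) -> Path:
    """Copy src into a new snapshot directory under dest_root and write manifest.json.

    Every run creates a fresh, uniquely named snapshot instead of updating one
    copy in place, so an infection that encrypts today's files cannot clobber
    yesterday's good copy. The manifest maps each relative path to its digest.
    """
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    backup_dir = dest_root / label
    manifest = {}
    for file in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = file.relative_to(src)
        target = backup_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)                # keeps timestamps and mode bits
        manifest[rel.as_posix()] = sha256_file(target)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return backup_dir


def verify_backup(backup_dir: Path) -> List[str]:
    """Return the relative paths whose content no longer matches the manifest.

    A missing file counts as a mismatch. Run this before any restore: if the
    snapshot was reachable from an infected host, its files may have been
    encrypted too, and this check makes that visible.
    """
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    return [
        rel for rel, digest in manifest.items()
        if not (backup_dir / rel).is_file() or sha256_file(backup_dir / rel) != digest
    ]


def run_demo() -> Tuple[List[str], List[str]]:
    """Back up a constructed tree, verify it, then simulate the snapshot being encrypted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("Q3 figures (constructed sample)\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")

        snapshot = make_backup(src, root / "backups", label="snapshot-1")
        clean_result = verify_backup(snapshot)    # expected: nothing mismatched

        # Simulate ransomware reaching the backup share and rewriting one file.
        (snapshot / "docs" / "report.txt").write_bytes(b"\x8f\x12\x00\xffnot-the-original")
        tampered_result = verify_backup(snapshot)  # expected: ["docs/report.txt"]
        return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean snapshot mismatches:", clean)
    print("tampered snapshot mismatches:", tampered)
```

Scheduling `make_backup` from cron or Task Scheduler covers the "make it automatic" part; keeping `dest_root` on storage that the workstation can only append to (or on media that is disconnected between runs) is what keeps the snapshot out of the malware's reach, and `verify_backup` is the check that tells you which snapshot is still trustworthy when you need one.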
How to Remove Ransomware?
If cybercriminals have managed to take control of your system via a ransomware attack, you must regain control fast. Follow these steps:
- Boot Windows 10 into Safe Mode
- Install antimalware software
- Scan your operating system for ransomware software
- Restore the computer to a previous state
While you may succeed in removing the malicious program, your files will not be decrypted; they have already been encrypted into an unreadable form. If the malware is sophisticated, you will need the key the attacker used in order to decrypt your files.
By removing the malware and regaining control, you avoid paying the ransom demanded by the attackers. The trade-off is that you will not get the decryption key, as only the attackers have that.
Ransomware Raw Numbers
Ransomware fetches huge amounts of money for attackers. For instance, SamSam earned a whopping $1 million in ransom money in the first few months of 2018. As mentioned earlier, some organizations, such as financial institutions and law firms, are more likely to pay up fast.
Experts estimate that up to 90% of ransom is paid by financial institutions. They are very popular with attackers and are regularly targeted. At least 75% of organizations have fallen prey to ransomware virus attacks. This is despite having installed up-to-date anti-malware programs.
You will be relieved to learn that the number of ransomware attacks has reduced in recent times. They were up by 10% at the beginning of 2017 and were responsible for 60% of malware payloads. That figure has gone down to 5%.
Is Ransomware Dead?
Ransomware may be on the decline, and this may be thanks to bitcoin, which is the currency preferred by cybercriminals. Not all victims pay up, and some who want to have no idea how to go about paying via cryptocurrency.
Nevertheless, this does not mean ransomware is dead. Attackers come in two different categories:
- Commodity: they strive to infect systems by volume and go so far as to offer ransomware platforms to other cybercriminals.
- Targeted groups: their focus is on vulnerable markets and organizations.
Also, the price of bitcoin is dropping and this may result in a spike in ransomware attacks.
Why Pay the Ransom?
Naturally, law enforcement agencies would advise you not to pay. This only encourages cybercriminals to launch more attacks. Many organizations are forced into a tight corner and consider the economic effect of the attack.
Many organizations refuse to pay on principle. However, a large number of companies succumb to the pressure. As you weigh your options (to pay or not to pay) ensure that you are not reacting to scareware.
Also, remember that criminals do not always play fair. Paying up is no guarantee that you will regain access to your files; criminals have been known to renege on their end of the deal. However, serious ransomware operators will keep their word, because word gets around.
If you are an enterprise user, Comodo Advanced Endpoint Protection (AEP) is the ideal solution to protect your endpoints from ransomware. With a built-in containment engine and 'Default Deny' platform, Comodo AEP provides 360-degree protection against any malware threat, including ransomware.
Unlike other endpoint security solutions in the market, Comodo Advanced Endpoint Protection (AEP) leverages its unique auto-containment technology which operates from a “default deny” approach. Comodo AEP keeps the unknown or harmful files "contained" within a controlled environment while the Valkyrie Verdict engine determines whether they are malicious or not.