If you have been following our Cyber Security Awareness Month series, we applaud you for taking steps to become #CyberAware. We want you to be in the best position to keep your organization safe and prevent the next attack.
If you're just joining us, no worries! We will walk you through the actions you should be taking to prevent attacks like ransomware from gaining a foothold inside your network.
Around 1.5 percent of spam emails contain malicious attachments or URLs, along with content designed to manipulate people into opening them. This technique, known as phishing, has become an overwhelming favorite of threat actors in the past few years, primarily because it’s a cheap, effective, and fast way to compromise targeted networks. Phishing has been far and away the most popular delivery method for ransomware, and the continued evolution of text-based social engineering attacks has been a significant factor in the rise of ransomware.
What should we do about it? For starters, we must stop being easy targets. Education is the key. Here you will find a comprehensive list of resources for fighting back. Let's get started!
Your Ransomware #CyberAware Resources List:
- Webinar: Spear Phishing and the Ransomware Threat
- Webinar: Trends in Ransomware and How to Fight Back
- A Spotter’s Guide to Ransomware
- So You've Been Infected with Ransomware...
- How to Defend Against Ransomware
- Alma Ransomware with Decrypter
For a deep-dive on the topic, download a free copy of our Ransomware Whitepaper where we explore the growing threat of ransomware, and what you can do to keep your organization secure.
Where Did Ransomware Begin?
Put simply, ransomware is malicious software (malware) that restricts access to computer systems or files, and demands that the victim pay a ransom in exchange for restored access.
Recent examples of widespread ransomware include CryptoLocker and CryptoWall, but it’s important to realize that this is not a new concept.
The very first ransomware, known as the “AIDS” Trojan, was created in 1989 and functioned very similarly to modern versions. Even in the modern Internet age ransomware has been around for over a decade, and by mid-2008 some versions used such advanced encryption methods that recovering the files without the key had become almost computationally impossible.
But while ransomware itself isn’t new, its wholesale popularization is.
In late 2013, with Bitcoin as its payment currency, CryptoLocker burst onto the scene and quickly inspired a variety of copycats with its high-profile success.
Up until this point payment had been a significant headache for the groups responsible for creating ransomware, due to the inherently traceable nature of traditional currencies. But by demanding payment in Bitcoin, and taking a few precautionary measures, the group behind CryptoLocker made millions of dollars in ransoms before their distribution botnet was taken down by a joint force of law enforcement agencies (including the FBI and Interpol), security software vendors, and universities.
Despite this victory, though, ransomware is only growing in popularity. More and more organizations are falling prey to ransomware, and most security vendors agree that the trend will continue to grow during 2016.
Should I Be Worrying Right Now?
We field a lot of questions about ransomware, but there’s one in particular that comes up time and time again.
“Are we at risk from ransomware?”
It’s not a difficult question to answer. Yes, you’re at risk… Everybody is at risk.
You see, there are plenty of ways for threat actors to spread ransomware. They create fake online advertisements and pop-ups, exploit known vulnerabilities to gain access to corporate networks, and even drop USB sticks loaded with ransomware in car parks and restrooms.
But above all other distribution methods, phishing is the threat actor’s weapon of choice. Phishing emails loaded with ransomware are being sent to consumers and corporations alike, and worse, the quality of the writing is getting better all the time.
A few years ago, most phishing emails were pretty easy to spot, with their dodgy spelling and conspicuous use of ‘Sir’ or ‘Madam’. These days, though, it’s not unheard of for threat actors to use espionage tactics against corporations and their partners purely to inform bespoke spear phishing campaigns.
They’re pulling out all the stops to infect your systems with ransomware, so yes, you need to be concerned.
But there’s no point in just being concerned. You need to do something. That’s why we’ve decided to run through the anatomy of a typical ransomware attack, so you’ll know what to look for, and what to avoid.
Who Shall We Extort Next?
Although mass spam campaigns are still a concern, the majority of corporate cases start with targeted attacks. Threat actors are surprisingly organized, and often focus their attention on a specific organization or group.
If this happens to you, expect your attackers to research your organization in detail, looking for information about your systems, partners, and services to provide ammunition for their campaign.
And it doesn’t end with a few phishing emails.
Threat actors target privileged users and use social engineering tactics to gain access to as many of your assets as possible before they initiate a ransomware attack. In this way, they maximize your losses in the hopes that you’ll quickly cave and agree to pay the ransom.
Click Here to Lose Access
Once the target (you) has been chosen, and enough access has been granted, the ransomware will be deployed. The trigger might have been a malicious link in an email, a successful social engineering campaign, or a ransomware-ridden USB stick, but ultimately the result is the same.
Your files are locked up tight, and it seems like you either pay up, or shut up.
In reality it’s a bit more complex than that, and we’ll go through your options in a later article, but for now let’s keep it simple and focus on understanding exactly how this locking process happens.
You see, most people assume the ransomware they’re infected with works all on its own. Some very simple ransomware packages do work in isolation, but they’re pretty ineffective and have largely fallen out of use. If a threat actor attempted to infect your network with a self-contained ransomware package, almost any security system would quickly identify and prevent it.
Instead, when activated, most ransomware packages attempt to contact so-called command and control (C&C) servers for further instruction. These instructions range from simply providing encryption keys to initiating further exploration and vulnerability scanning within your network.
And where early ransomware packages used static C&C servers, the latest versions include dynamic algorithms that attempt to connect to hundreds or even thousands of servers. This dramatically improves their chances of success, and makes defending yourself much more challenging.
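That many-domain C&C behaviour leaves a trail in DNS resolver logs: one host producing a burst of failed lookups for random-looking names. As an added example (not from the original post), this Python flags such hosts; the log format, the sample lines and the thresholds are constructed assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "<client_ip> <queried_name> <rcode>"
SAMPLE_DNS_LOG = """\
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.9 xk3j9qz2pq.com NXDOMAIN
10.0.0.9 q8v1zt0lwm.net NXDOMAIN
10.0.0.9 j2h7s9k0dd.org NXDOMAIN
10.0.0.9 z9p4l1m8xq.com NXDOMAIN
10.0.0.9 r5t2y7u9oi.info NXDOMAIN
10.0.0.9 bbb7d1kq0w.biz NXDOMAIN
10.0.0.7 intranet.example.com NOERROR
10.0.0.7 intranet.example.com NOERROR
"""

def label_entropy(name):
    """Shannon entropy (bits per character) of the second-level label.
    Human-chosen names ("example") score low; algorithmically generated ones score high."""
    labels = name.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def flag_dga_hosts(log_text, nx_threshold=5, entropy_threshold=3.0):
    """Return {client: {"nxdomain": n, "high_entropy": m}} for clients with at least
    nx_threshold failed lookups AND at least nx_threshold random-looking names.
    Requiring both cuts false positives from ordinary typos and expired domains."""
    stats = defaultdict(lambda: {"nxdomain": 0, "high_entropy": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, name, rcode = parts
        if rcode == "NXDOMAIN":
            stats[client]["nxdomain"] += 1
        if label_entropy(name) >= entropy_threshold:
            stats[client]["high_entropy"] += 1
    return {c: s for c, s in stats.items()
            if s["nxdomain"] >= nx_threshold and s["high_entropy"] >= nx_threshold}

if __name__ == "__main__":
    print(flag_dga_hosts(SAMPLE_DNS_LOG))
```

Only 10.0.0.9 is flagged; the hosts resolving ordinary corporate names never cross either threshold.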
OK Guys… What Have We Lost?
The very earliest versions of CryptoLocker simply encrypted the files on an infected user’s local computer. Annoying, yes, but usually not the end of the world unless the user happens to be your CEO.
But we’re well beyond that point now.
As we’ve already alluded to, the most sophisticated ransomware packages can identify other areas of your network to spread to, scan for vulnerabilities, and even prioritize the most recently accessed files and folders for encryption in case the process is interrupted.
They also, sadly, specifically search for and encrypt your backups.
When ransomware made a comeback in 2013, one of the earliest popularized defenses was to ensure users’ data was backed up regularly. That way, in the event of a ransomware attack, losses would be minimal.
Sadly, as always, threat actors catch on quickly. You can almost guarantee that any backups saved on infected machines or servers will be among the first files to be targeted.
Pay Up or Shut Up
Chances are everything up to this point has gone completely unnoticed. The first you’ll know about the attack is when a pop-up fills your screen demanding a ransom in exchange for your files.
You’re kicking yourself for opening that email. For playing along. For not taking ransomware seriously until now.
But it’s too late for that.
Your attackers will let you know what they want, and by when. They’ll tell you exactly what you’ll need to do if you want to regain access to your files. Sometimes they’ll even allow you to decrypt a file or two, just to prove they’re for real.
And once you’ve paid, and your attacker has verified the payment, you’ll receive the private key and automatic decryption will start. Let’s just hope nothing goes wrong with the decryption process… because threat actors aren’t usually in the business of providing additional support.