Surviving a ransomware attack

We have seen a significant increase in ransomware attacks over the past 24 months, and there is no sign of it slowing down!

These attacks can be devastating to businesses and while the best remedy is prevention, it pays to understand exactly how these attacks occur, and what action to take when they do!

Ransomware typically spreads via spam, phishing emails, or social engineering activity. It can also be transmitted via compromised websites or malicious downloads that infect an endpoint and then penetrate the network, although this is less common.

Attack methods are constantly evolving, but one thing they have in common is that once the ransomware is in place it locks every file it can access using strong encryption. A ransom is then demanded in exchange for decrypting the data.

Encrypting ransomware or “Crypto ware” is the most common variety of ransomware we have seen to date.

However, some other types are:

• Non-encrypting ransomware – which simply restricts access to files and data instead of encrypting them.

• Ransomware that encrypts the Master Boot Record (MBR) of a drive or the Microsoft NTFS file system, which prevents the computer from booting into a working OS.

• Leakware or extortionware – which steals compromising or damaging data that attackers threaten to release.

• Mobile device ransomware – which infects mobile phones through malicious downloads or fake apps. Note: ransomware for mobile phones is increasing and promises to be a huge market for attackers in the very near future – it is also very often overlooked in the network security strategy of many businesses!

• We have, in recent years, also seen the emergence of ransomware as a service (RaaS) – so cybercriminals can stage an attack without even having the skills required! It also reduces the cost of staging an attack, making it even easier (and more lucrative) to do so.

Brief Summary of the Steps in a Typical Ransomware Attack

The typical steps in a ransomware attack are:

1. Infection

After it has been delivered to the system (via an email attachment, phishing email, infected application or other method) the ransomware installs itself on the endpoint and any network devices it can access.

2. Control Contact

The ransomware activates and contacts the control server operated by the cybercriminals behind the attack to generate the keys to be used to encrypt your systems.

3. Encryption

The ransomware starts encrypting any accessible files on the network.

4. Extortion

Once encryption is complete, the ransomware displays a notification of the encryption together with a ransom demand and payment instructions, usually threatening destruction or leak of the data if payment is not made.
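The encryption stage above is the point at which an attack is still observable before the ransom note appears: one process rewriting many files in a short time, with output that looks random rather than like documents. The following detector is an added example written for this page (it is not code from the original article or from any product it mentions). It scores file-write events per process using two signals the encryption stage produces, a burst of writes within a sliding window and a high Shannon entropy of the bytes written. The log format, process names, paths and byte samples are all constructed for the example; a real deployment would feed it from an EDR or file-audit source in whatever format that source emits.

```python
"""Heuristic detector for the bulk-encryption stage of a ransomware attack.

Added example (not from the original article). Flags a process that, within a
short window, rewrites many files with near-random content, which is what
in-place encryption of documents looks like from the file system's point of view.
All event lines below are constructed; the log format is an assumption.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)   # sliding window for counting writes per process
MIN_WRITES = 5                   # writes inside WINDOW before a process is suspect
ENTROPY_THRESHOLD = 7.0          # bits per byte; office documents and source code sit well below this
HIGH_ENTROPY_RATIO = 0.8         # share of writes in the window that must look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is perfectly uniform, 0.0 is a single repeated byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_event(line: str) -> dict:
    """Parse one constructed event line:
    '<iso-time> pid=<n> proc=<name> path=<path> hex=<first bytes written>'.
    Paths in this constructed format contain no spaces."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    return {
        "time": datetime.fromisoformat(ts),
        "pid": int(fields["pid"]),
        "proc": fields["proc"],
        "path": fields["path"],
        "sample": bytes.fromhex(fields["hex"]),
    }


def detect_bulk_encryption(lines) -> dict:
    """Return {(pid, proc): reason} for processes whose write pattern looks like bulk encryption."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"])
    per_proc = defaultdict(list)
    for e in events:
        per_proc[(e["pid"], e["proc"])].append(e)

    alerts = {}
    for key, evs in per_proc.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most WINDOW
            while evs[end]["time"] - evs[start]["time"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            if len(window) < MIN_WRITES:
                continue
            high = sum(shannon_entropy(e["sample"]) >= ENTROPY_THRESHOLD for e in window)
            if high / len(window) >= HIGH_ENTROPY_RATIO:
                alerts[key] = f"{high}/{len(window)} high-entropy writes within {WINDOW.seconds}s"
                break  # one alert per process is enough
    return alerts


def _event_line(ts, pid, proc, path, sample: bytes) -> str:
    """Build a constructed event line in the format parse_event expects."""
    return f"{ts} pid={pid} proc={proc} path={path} hex={sample.hex()}"


# Constructed byte samples: a permutation of all 256 byte values (entropy 8.0) stands in
# for ciphertext; repeated English text stands in for an ordinary document.
ENCRYPTED = bytes((37 * i + 11) % 256 for i in range(256))
PLAINTEXT = (b"Quarterly revenue summary, draft 3. " * 8)[:256]

SAMPLE_LOG = [
    # constructed: a word processor saving two ordinary documents a minute apart
    _event_line("2024-05-01T09:00:00", 1200, "winword.exe", r"C:\Users\amy\report.docx", PLAINTEXT),
    _event_line("2024-05-01T09:00:40", 1200, "winword.exe", r"C:\Users\amy\notes.docx", PLAINTEXT),
] + [
    # constructed: an unknown binary rewriting six files as random-looking data in 12 seconds
    _event_line(f"2024-05-01T09:01:{2 * i:02d}", 4410, "update.exe",
                rf"C:\Users\amy\file{i}.docx.locked", ENCRYPTED)
    for i in range(6)
]

if __name__ == "__main__":
    for (pid, proc), reason in detect_bulk_encryption(SAMPLE_LOG).items():
        print(f"ALERT pid={pid} proc={proc}: {reason}")
```

The word processor is never flagged: its writes are plaintext and too few for the window. The unknown binary trips the rule after its fifth high-entropy write, which is before it has finished the set of files. Entropy alone is a weak signal (compressed archives and images are also high-entropy), which is why the rule also requires a burst of writes from a single process; tuning the window and thresholds against normal activity on the network in question is what keeps the false-positive rate workable.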

Businesses can then either pay the ransom or attempt recovery by removing infected files and systems from the network and restoring data from clean backups.

This is where having a strong backup and recovery strategy is crucial, as negotiating with cybercriminals is unreliable. A recent study found that almost half of organisations who paid a ransom did not get their files decrypted.