Ever since the mid-2000s, industries around the world constantly have one fear in the back of their mind in regards to information security: ransomware.
What Is Ransomware?
Ransomware is a type of malicious software that either prevents access to existing files or to the computer entirely until a ransom is paid. It is so widespread that individuals are hit with ransomware every 10 seconds and businesses are infected every 40 seconds.
Ransom can vary depending on who is infected. A single user’s computer that is infected may have a ransom of $1,000 ransom, while an enterprise may be asked for a ransom of upwards of $15,000. These ransoms are almost always requested in the form of cryptocurrency to prevent the hacker from being identified.
Because of the fear of downtime in their computer systems, 70 percent of businesses paid the ransom to their attackers in 2016. Overall, businesses reportedly paid more than $301 million in ransom during that year. For many who are infected, it may seem like an easy fix to prevent downtime, but the reality is the infected computers are only restored 19% of the time after the ransom is paid.
Who Is Targeted?
Ransomware attacks have been such a threat in the security world because everyone is at risk for infection if poor security practices are being used. No matter how small or big a business may be, they can be infected with ransomware.
Security researchers have seen trends in the industries targeted. In 2017, businesses and professional services were the most targeted field for ransomware, followed by government agencies and healthcare. These fields are most commonly targeted because hackers recognize the severity of downtime allowing for a quick payment of the ransom. When infected with ransomware, 72% of businesses lost access to their data for two or more days.
How Ransomware Is Spread
Much like other malware, ransomware is commonly spread through social engineering techniques such as phishing. Victims of ransomware are usually tricked into download malicious email attachments, or by visiting a link that attempts to download a file containing ransomware. Hackers typically take one of two approaches when phishing; they either pretend to be someone the victim knows by using an email with a nearly-similar domain name or by using scare tactics against the victim. They may claim that they have access to the user’s private information and to prevent the release of this information, they must run the malicious file.
Depending on the type of ransomware and the time the computers were last patched for security updates, ransomware may be able to spread across your networks with no additional help from the victim. In 2017, WannaCry began infecting systems using a newly released exploit called EternalBlue. Using EternalBlue, WannaCry was able to spread through a company’s network infecting every vulnerable machine with the ransomware. The EternalBlue vulnerability is still often found during network security assessments. To ensure there are no vulnerable computers in your network, it is recommended to conduct routine network security assessments.
What Are The Steps Of A Ransomware Infection?
Stage 1 – Infection
This is when the ransomware software is opened and executed through an email attachment or downloaded from a malicious website.
Stage 2 – Incubation
Next, depending on the ransomware, it may stay hidden from the user for a set amount of time. During this time, it may attempt to further hide itself and replicate to other computers on the network.
Stage 3 – Execution
Now the ransomware will begin to perform its main task. It will first delete existing shadow copies from the device to prevent recovery of files, then begin to encrypt as many files as possible.
Stage 4 – Calling Back Home
Now the ransomware software will send the private encryption key back to the command-and-control server. This will allow the hacker to decrypt the files if payment is received and the hacker chooses to do so.
Stage 5 – Scare Tactics
The last step is notifying the victim of steps they need to now take. The ransom screen will now appear and give detailed instructions on where the ransom needs to be sent. The ransom screen will often have a time limit between 24 and 72 hours.
Types of Ransomware
Locker Ransomware – When infected with locker ransomware, access to the user interface is locked. The hacker may also prevent the use of the mouse and limit the use of certain keys on the keyboard, only allowing access for payment of the ransom.
Crypto Ransomware – When infected with crypto ransomware, the files on the device are encrypted. This means the user interface can be accessed but not any of the existing files.
Mobile Ransomware – Mobile devices are also vulnerable to ransomware attacks. These attacks have been seen affecting Android devices through fake and malicious apps.
What to Do If You Get Infected:
If you are infected by ransomware, the first and most important step is to remove the infected device from the network. This may prevent the spread of the ransomware across your network.
After removing the device from the network, the next step is report the incident to the proper individuals. Afraid of getting in trouble, employees will often hide the ransomware and try to pay the fee on their own. This may be a temporary fix, but malware may still be hiding on the computer, or spreading through the network.
The last action that should be taken is contacting a network security team such as Schneider Downs. Depending on the type of ransomware, the team may be able to unlock the files, ensure your networks are free of the ransomware, and provide phishing simulations to help prevent another infection of malware.
Schneier on Security: https://www.schneier.com/blog/archives/2017/05/the_future_of_r.html