Ransomware has consistently been called one of the biggest cyber threats in the past few years.
Most people have heard of ransomware attacks on the news. The information sticks since ransomware variants tend to have pretty weird and unique names.
But quirkiness aside, ransomware attacks go far and beyond regular computer viruses.
Substantial financial losses, data breaches, long service downtimes; these are just the more straightforward consequences of ransomware.
In other cases, human lives are at risk in clinics and hospitals.
So why is this?
Here’s your comprehensive guide to what ransomware is, what it does, and what you can do if you’re ever facing an infection.
What is ransomware
Ransomware is a type of malware – malicious software. Its name is a portmanteau of ‘ransom’ and ‘malware.’
Ransomware infects your computer and displays messages demanding payment for your system to work again.
You can get malware from:
- Suspicious links
- Emails attachments
- DM attachments or links
- Phishing websites
What makes ransomware different from other types of malware is locking down a device and encrypting files with a password.
Ransomware is a criminal moneymaking scheme. Perpetrators only decrypt files after being paid a hefty sum, or at least, that’s what they promise.
The concept of digital ransom started taking shape in 2012. Five years later, in 2017, ransomware took center stage when the WannaCry cryptoworm hit the news.
The WannaCry attack targeted computers running Windows. It encrypted data and demanded ransom payment in Bitcoin cryptocurrency.
The attack is estimated to have affected more than 200,000 computers across 150 countries. The damages exceed hundreds of millions to billions of dollars.
It was a disaster, as state institutions, private businesses, and even healthcare facilities were affected.
Security experts believed from preliminary evaluations of the worm that the attack originated in North Korea.
8 types of malware you should know about
The WannaCry attack marked the beginning of a new era in the world of cybersecurity threats.
Ever since 2018, ransomware attacks have increased at an unprecedented rate. Security experts don’t see any chance of ransomware attacks slowing down in the coming years.
As it became a very lucrative criminal business, ransomware was the most common threat in 2020.
Let’s take a closer look at some of the types of malware out there.
The REvil ransomware
REvil is a file encryption virus that encrypts all the files on a device and demands Bitcoin payments. If the victim does not pay the ransom within the specified time frame, the ransom doubles.
You might have heard of REvil, since it was the ransomware that targeted Grubman Shire Meiselas & Sacks, the law corporation, leading to their data leak.
Reports also claim that hackers got the personal information of Drake, Robert De Niro, Elton John, Mariah Carey, and other stars with REvil.
The Nemty ransomware
Nemty is a ransomware service you might see advertised online. It’s spread primarily through phishing emails, but clients can also choose other methods.
When a victim pays the ransom, 30% goes to Nemty’s developers and the rest to the client.
The Nephilim ransomware
Nephilim is considered Nemty’s successor, and it started making waves in March 2020.
Nephilim attackers usually target organizations that use unpatched or poorly secured Citrix remote-access technology.
As part of their MO, hackers demand two encrypted files from the victim. They decrypt and send them back, hoping to prove they’re the only ones who can do this.
The Sodinokibi ransomware
Sodinokibi is a type of REvil ransomware that uses a zero-day vulnerability in the Oracle Weblogic servers. It often bypasses antivirus software.
What makes Sodinokibi particularly dangerous is that it can reinstall itself if the original ransom code is not deleted.
The Ryuk ransomware
Ryuk is one of the most active types of ransomware. It uses other malware to infect targeted systems and can access TrickBot and Remote Desktop Service systems.
Ryuk was tailored to target enterprise environments and is capable of removing anti-analysis checks.
Ryuk reared its ugly head in August 2019. Since then, the hackers operating it have netted over 705.80 BTC from 52 transactions for a total current value of $3,701,893.98.
The Maze ransomware
Maze is considered to be one of the most destructive types of malware.
Previously known as ChaCha, it threatens victims it’ll release sensitive information if the ransom is not paid.
Cognizant, Canon, Xerox, and some healthcare companies have all been Maze’s victims.
The NetWalker ransomware
NetWalker is a new addition to the ransomware family.
It started operating during the pandemic by targeting victims through coronavirus phishing emails and taking advantage of people working remotely.
NetWalker attackers targeted remote employees of governmental agencies, healthcare organizations, and corporations alike.
Hackers also gained unauthorized access to larger organizations’ networks by:
- Manipulating unpatched VPN business apps
- Cracking weak Remote Desktop Protocol passwords
- Exploiting web app vulnerabilities.
The DoppelPaymer ransomware
So far, researchers have discovered eight different variations of the Doppelpaymer ransomware.
Although attackers haven’t targeted many people, they made a profit of about 142 bitcoins, roughly $1,200,000.
Ransomware is a thriving business
The sheer number of ransomware variations shows they’ve carved a massive market for themselves. And it’s no wonder since businesses are willing to shell out millions of dollars to decrypt their data.
Surveys have shown that losses for businesses can average $2,500 for each incident. But ransom demands regularly hit seven or even eight-figures.
The highest known ransom paid to date was over $930,000 in an attack in 2018. Attackers going after large businesses or governments usually demand around $13,000 per ransom.
As you could see, most ransomware variations are programmed to keep doubling sums until the ransom is paid. For victims, this acts as an incentive to pay, despite law enforcement agencies’ advice.Find more statistics at Statista
All this led to a vicious cycle.
Paying the ransom empowers attackers to invest more resources into developing better ransomware tools. And the better the ransomware tool, the harder it is to decrypt documents. It also leaves little room for legal prosecution.
For example, the city of Atlanta, Georgia, experienced a massive cyberattack in 2018 when it got infected with the SamSam ransomware. Following the attack, the city cooperated with the FBI, Department of Homeland Security, and Secret Service. They also hired security firms such as SecureWorks to investigate.
Despite all hands on deck, by June 2018, a third of Atlanta’s software was still offline or partially disabled.
Considering all the contractors, law enforcement, and damage caused by the downtime, the city of Atlanta ended up spending over $17 million in the aftermath. In contrast, the ransom was a $51,000 demand.
However, this doesn’t mean that paying the ransom is the best course of action.
The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.FBI’s Scams and Safety webpage
Paying the ransom is risky. But companies bent on salvaging high-value, business-critical assets sometimes cave in and pay up. It’s all a matter of cost-benefit to the affected organizations.
The pros and cons of paying ransom
There is still a lot of debate about what course of action is best when it comes to a ransomware attack. That’s because neither paying ransom nor hiring specialists guarantees file decryption.
But let’s have a look at these polarizing viewpoints.
People who argue in favor of going with the ransom can name some benefits, like the fact that paying up is the least costly option.
Hiring cybersecurity experts and threat researchers can be quite expensive and challenging, especially when companies don’t have a robust IT department and a Chief Information Security Officer (CISO) to lay the foundation.
What’s more, a payment could be in the best interest of the stakeholders. Not having access to essential business files can cause massive financial loss. It’s estimated that ransomware downtime costs organizations more than $64,000 on average.
Continuing this train of thought, paying the ransom might prevent a data breach. This feels like a more compelling argument when the attackers threaten to publish customer data or significant business assets.
Payment could prevent confidential information from being made public. When attackers go after government organizations, there is always the risk of having classified information leaked, with disastrous consequences.
Paying ransom also comes with some severe side effects.
Paying the ransom does not guarantee that the attacker will actually send over the right decryption tools. Attackers don’t have an incentive to hold up their end of the bargain. Some might even try to get a second ransom.
In addition, ransom funds the attacker’s encryption tools. Pouring more resources into development can make the ransomware more resilient to third-party decryption program, bypass security software more efficiently, and infect more networks.
Besides, paying the ransom does not prevent further attacks. The honor system of cybercriminals is shady, to say the very least. No matter the promises, you’d still be relying on a hacker’s promise.
Transferring the payment can also pose a risk in itself. Attackers leave precise instructions on how organizations can get their files back. More often than not, victims need to purchase Bitcoin through unofficial channels that can expose their financial data.
Paying the ransom can also be damaging to a company’s public image. Let’s take Blackbaud, a cloud computing provider, for example. They paid the ransom, but the cybercriminal copied a subset of data from their self-hosted environment. So Blackbaud was sued in 23 proposed consumer class action cases in the US and Canada over a lack of transparency in handling customer data.
When you factor in all the pros and cons, both options look bleak.
Decryption tools aren’t always the safest bet
There’s this popular idea that hackers would lose their income and be forced to move on if no one ever paid the ransom.
So victims might feel compelled to look for a third-party alternative. After all, there are companies out there that specialize in purging ransomware. But do they really work as advertised?
From 2015 to 2018, SamSam ransomware paralyzed US and UK businesses left and right, creating a new market for ransomware solutions.
Proven Data and MonsterCloud were two of the companies that tackled ransomware attacks. While they charged quite a bit for their “cutting-edge tech,” they promised their customers that they’d be ethically decrypting the files.
In the end, it was discovered that they simply paid the ransom.
Popular antivirus solutions also started developing decryption tools. The No More Ransom initiative now provides free decryption tools for ransomware.
But cybercriminals were quick to catch on.
Now shady websites are filled with free ransomware decryption tools, with some of them being actual malware.
For example, Zorab’s ransomware creators made sure their victims couldn’t decrypt their files through legitimate means. They developed a free fake decryption tool that, in fact, double-encrypted files affected by the attack!
Security experts believe more fake decryption tools are out there. This is why you should always exercise caution when downloading software and apps and ensure they come from a trustworthy source.
Ransomware is here to stay
The coronavirus pandemic has changed the digital landscape, and no one was ready for this. More people than ever are now working remotely, and hackers are after them. Personal devices tend to be easier to compromise than office hardware.
There’s been an increase in:
As long as extortion payments continue to be made and cybercriminals continue to profit from these schemes, targeted ransomware attacks that enlist the pay-or-get-breached method will likely continue well into and beyond 2021.Kacey Clark, Threat Researcher at Digital Shadows
Weak cybersecurity and phishing emails with malicious attachments continue to be the most common ransomware infection and attack vectors.Find more statistics at Statista
But unlike the ‘spray and pray’ mass attacks of the past, attackers are now putting more effort into remaining undetected on a breached network after gaining entry.
When hackers lay low on a network, they try to escalate privileges and leverage permissions to push ransomware onto as many devices as possible.
They can also use this time to identify critical network resources, such as system backups, network segments storing sensitive data, and other vital systems that can be used to spread their ransomware.
Cybersecurity Ventures predicts ransomware will cost $6 trillion annually by 2021 and that an attack will take place every 11 seconds on average.
Ransomware operators will no doubt continue to find new ways to breach networks and plant their malicious code.
But the real challenge isn’t catching perpetrators or decrypting files. It’s promoting good cybersecurity practices to prevent such attacks from happening.
9 tips to protect yourself from ransomware
Ransomware is tricky to deal with, and getting rid of it is no small feat. The best and least costly option is to try and prevent attacks.
Here’s what you can do:
- Update your operating system regularly. You don’t want to miss any critical security patch.
- Keep your apps, software, and IoT devices up to date. This is the best way to prevent exploits and vulnerabilities.
- Update your antivirus and run malware scans regularly. Take care of any threats your antivirus might report and delete any suspicious files.
- Have back-ups of your data. This will give you the freedom to reset any device to factory settings without worrying about what you’re losing.
- Create a continuity plan. People, just like businesses, should prepare themselves to avoid financial loss.
- Use a VPN. It will add a layer of encryption to your internet connection and prevent man-in-the-middle attacks.
- Keep your usernames and passwords safe. Don’t share your credentials in emails, private messages, or video calls.
- Never use installers from untrusted sources. Installers from shady websites, email attachments, or file-sharing sites can be ripe with malware.
How are you protecting your devices against online threats? What ransomware prediction surprised you most?
Until next time, follow the Privacy Hub for updates and stay safe and secure!