Ransomware Attack and Protection
What is Ransomware?
Ransomware is malicious software that encrypts the files on a victim's devices and demands payment for their return. Cybercriminals use it to target governments, healthcare providers, educational institutions and other organisations worldwide. According to one widely cited industry forecast, a business was expected to be hit by ransomware every 11 seconds by the end of 2021, with global damages of up to $20 billion.
Ransom malware, or ransomware, first appeared in the late 1980s, when the ransom was paid by post; today it is demanded in cryptocurrency. Ransomware has since risen to become the most visible and well-known form of malware, and the WannaCry attack of May 2017 kicked off the current era of large-scale ransomware attacks.
The latest spike in ransomware was driven by the COVID-19 pandemic. As organisations rushed to move staff to remote working, their cyber defences were stretched, and cybercriminals took advantage of the gaps to spread ransomware, resulting in a rise in attacks.
Some Popular Ransomware Variants
Many ransomware variants have come and gone, but a few have had a drastic impact on the organisations and industries they hit; their distinctive characteristics and high success rates make them stand out.
- WannaCry – In May 2017 a new strain of ransomware hit corporate networks running Microsoft Windows as part of a massive global cyber attack. WannaCry used the EternalBlue exploit for a vulnerability in Microsoft's SMBv1 (Server Message Block) networking protocol to spread like a worm through targeted networks, demanding ransom payments in Bitcoin.
- Ryuk – A cleverly crafted ransomware variant. It is commonly delivered via spear-phishing emails, or by using compromised user credentials to log into enterprise systems over the Remote Desktop Protocol (RDP).
- Sodinokibi – Another variant that targets large companies is Sodinokibi (also known as REvil). Since it emerged in 2019 it has been vying with Ryuk for the title of most expensive ransomware variant.
- Conti – We were alerted in February 2021 to a series of suspicious events linked to an attack by the Conti ransomware group. Conti is probably the successor to the well-known Ryuk ransomware family, and threat actors are increasingly distributing it using the same delivery methods they previously used for Ryuk.
Ransomware relies on asymmetric (public-key) cryptography, in which a pair of keys is used: data encrypted with the public key can be decrypted only with the matching private key. In practice most variants use a hybrid scheme: each file is encrypted with a fast symmetric cipher such as AES under a freshly generated key, and that file key is then encrypted (wrapped) with the attacker's public key. The attacker generates a public-private key pair specifically for each victim, and the private key needed to decrypt the files is held on the attacker's server.
The attacker usually hands over the private key, or a decryptor containing it, only after the ransom is paid, but as recent ransomware campaigns have shown, payment is no guarantee. Without the private key, recovering the files is practically impossible. Although the details of execution differ from one ransomware variant to the next, most variants share the three stages listed below:
- Infection and distribution vectors (attack vector) – Ransomware reaches its victims through many channels, including phishing email, exposed Remote Desktop Protocol (RDP) services, exploitation of unpatched vulnerabilities such as the SMBv1 flaw used by EternalBlue, and malicious downloads; many campaigns combine several of these.
- Data encryption – Once it has access to a device, the ransomware begins encrypting files. Since modern operating systems ship with encryption libraries, all the malware needs to do is open each file, encrypt it with an attacker-controlled key, and replace the original with the encrypted version.
- Ransom demand – Once the files are encrypted, the ransomware presents its demand. Variants do this in various ways, but it is common for the desktop background to be replaced with a ransom note, or for a text file containing the note to be dropped in every encrypted directory.
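To make the key model behind the encryption and ransom stages concrete, here is an added example in Go. It is not code from the original post; it models the scheme in memory on a constructed sample file: a fresh AES-256-GCM key per file, wrapped with RSA-OAEP under the attacker's public key, so that only the holder of the matching private key can recover the content. The function and type names are illustrative, and the per-victim key pair is generated locally here purely so the example runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what replaces the original on disk: the per-file AES key
// wrapped under the attacker's RSA public key, the GCM nonce and the ciphertext.
// Nothing in it can be reversed without the attacker's private key.
type EncryptedFile struct {
	WrappedKey []byte // file key, RSA-OAEP encrypted to the attacker's public key
	Nonce      []byte // AES-GCM nonce, unique per file key
	Ciphertext []byte // file contents plus the GCM authentication tag
}

// encryptFile models the data-encryption stage. RSA-OAEP can only encrypt a
// message a little smaller than the modulus (190 bytes for a 2048-bit key),
// so the file itself is encrypted with a random 256-bit AES key and only that
// key is encrypted with RSA. (Illustrative name, not from the original post.)
func encryptFile(attackerPub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// decryptFile is the decryptor the attacker sells after payment: the RSA
// private key unwraps the file key, and the file key opens the content.
// With any other private key, OAEP unwrapping fails and nothing is recovered.
func decryptFile(attackerPriv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap the file key: wrong private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	// The per-victim key pair is generated on the attacker's side; only the
	// public half ever reaches the victim's machine.
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	original := []byte("constructed sample: contents of payroll-Q3.xlsx")

	ef, err := encryptFile(&attacker.PublicKey, original)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext differs from original: %v\n", !bytes.Equal(ef.Ciphertext, original))

	recovered, err := decryptFile(attacker, ef)
	fmt.Printf("recovered with the attacker's key: %v\n", err == nil && bytes.Equal(recovered, original))

	// A victim who does not pay has no private key; any other key fails.
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = decryptFile(stranger, ef)
	fmt.Printf("recovered with some other key: %v\n", err == nil)
}
```

Run it with `go run`; the first two lines print true and the last false. The lesson for defenders is the flip side of the scheme: the file key exists on the victim's machine only for as long as the file is being encrypted and is stored only under the attacker's public key, so there is nothing on disk to recover from, which is why an offline backup is the only reliable recovery path.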
To protect against and defend from ransomware attacks, follow the tips and techniques below:
- Back up your data securely – Regularly backing up the data on critical servers to external drives or to the cloud ensures that, even if ransomware encrypts the files on the local machine, the data can be restored from the backup. Keep at least one copy offline or otherwise disconnected from the network, since ransomware that can reach a mounted backup drive will encrypt it too, and test your restores periodically.
- Keep security software up to date – Ensure that all of your computers and devices are protected by robust security software and that all of your software is current. Apply updates promptly, since they usually include fixes for known flaws; WannaCry spread through systems that had not applied the SMB patch Microsoft had released two months earlier.
- Practise safe browsing – Be cautious about where you click. Do not respond to unsolicited emails or text messages, and only download applications from reputable sources. This matters because malware authors often rely on social engineering to persuade you to install malicious files.
- Use only secure networks – Avoid public Wi-Fi networks; many are insecure and let others on the same network observe your traffic. If you must use one, use a VPN so that your traffic is encrypted wherever you connect.
- Implement a security awareness programme – Every member of your company should receive regular security awareness training to help them recognise phishing and other social engineering attacks. Periodic phishing simulations and assessments should be conducted to confirm that the training is being applied.
- Enable ransomware protection on Windows – Windows 10 includes a ransomware protection feature (Controlled folder access in Windows Security) that blocks untrusted applications from modifying files in protected folders. How to enable it is covered in an upcoming post.