Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.
Common Ransomware Variants
- In March 2021, Microsoft released patches for four vulnerabilities within Microsoft Exchange servers. DearCry is a new ransomware variant designed to exploit four recently disclosed vulnerabilities in Microsoft Exchange. The DearCry ransomware encrypts certain types of files. Once the encryption is finished, DearCry will show a ransom message instructing users to email the ransomware operators to learn how to decrypt their files.
- Lapsus$ is a South American ransomware threat actor group that has been linked to cyberattacks on some high-profile targets. The Lapsus$ group is known for extortion, threatening to release sensitive information if its victims do not meet its demands. The Lapsus$ group has boasted of breaking into the networks of Nvidia, Samsung, Ubisoft and others. The Lapsus$ group uses stolen source code to disguise malware files as trustworthy.
- LockBit is a data encryption malware in operation since September 2019 and a recent Ransomware-as-a-Service (RaaS). The LockBit ransomware was developed to encrypt large organizations rapidly, so that security appliances and IT/SOC teams cannot detect it quickly.
- The Maze ransomware is famous for being the first ransomware variant to combine file encryption and data theft. When targets started refusing to pay ransoms, Maze began collecting sensitive data from victims’ computers before encrypting it. If the ransom demands were not met, this data would be publicly exposed or sold to the highest bidder. The potential for an expensive data breach was used as additional incentive to pay up. While the group behind the Maze ransomware officially ended its operations, variants of Maze are believed to still exist in Egregor ransomware, and the Egregor, Maze, and Sekhmet variants seem to have a common source.
- The REvil group (aka Sodinokibi) is another ransomware variant that targets large organizations. REvil ransomware is one of the most well-known ransomware families on the net. In use by the Russian-speaking REvil threat actor group since 2019, REvil ransomware has been behind many big breaches such as ‘Kaseya’ and ‘JBS’. While REvil began as a traditional ransomware variant, it has evolved over time: REvil is known to have demanded $800,000 ransom payments. REvil is known to use the Double Extortion technique to steal data from businesses while encrypting the files, often demanding a ransom to decrypt data and then threatening to release the stolen data if a second payment is not made.
- Ryuk is an example of a very targeted ransomware variant. Commonly delivered via spear phishing emails or by using compromised user credentials, Ryuk uses the Remote Desktop Protocol (RDP) to log into enterprise systems. Once a system is infected, Ryuk encrypts certain types of files (avoiding those crucial to a computer’s operation), then presents a ransom demand. Ryuk is well-known as one of the most expensive types of ransomware in existence, with ransom demands typically exceeding $1 million. As a result, the cybercriminals behind Ryuk primarily focus on large enterprises that have the resources necessary to meet their demands.
- In 2017, the WannaCry malware spread for three days across the globe, causing billions of dollars in damage. WannaCry spreads independently rather than being carried by malicious emails or installed via malware droppers. WannaCry’s worm functionality comes from using the EternalBlue exploit, which takes advantage of a vulnerability in Windows’ Server Message Block (SMB) protocol. The EternalBlue vulnerability was first discovered by the National Security Agency (NSA) and publicly leaked by the Shadow Brokers. As a ransomware variant, WannaCry is designed to deny a user access to their files on a computer unless a ransom is paid. WannaCry uses encryption to transform data in a way that is only reversible with knowledge of a secret key known to the ransomware operator, forcing a victim to pay the ransom to retrieve their data. WannaCry is configured to search for and encrypt a set list of file extension types on a computer, minimizing the malware’s impact on a system’s stability. A computer infected by WannaCry may be unable to run if the wrong files are encrypted, making it impossible for the victim to pay a ransom or retrieve their files.
How Ransomware Works
- Ransomware, like any malware, can gain access to an organization’s systems in a number of different ways. Ransomware operators tend to prefer a few specific infection vectors, and most ransomware variants use multiple infection vectors. One of the favorite attack vectors is phishing emails, whereby a malicious email may contain a link to a website hosting a malicious download or an attachment with downloader functionality. In phishing schemes, once the email recipient falls for the phish, the ransomware is downloaded and executed on their computer. Another popular ransomware infection vector takes advantage of services such as the Remote Desktop Protocol (RDP). With RDP, an attacker who has stolen or guessed an employee’s login credentials can use them to authenticate to and remotely access a computer within the enterprise network. Once this access is given, the attacker can directly download the malware and execute it on the machine under their control. Recently, we have seen attacks that attempt to infect systems directly increase in popularity, with one notable example being the WannaCry ransomware that exploited the EternalBlue vulnerability.
- After ransomware has gained access to a system, it can encrypt its files. Since encryption functionality is built into an operating system, this simply involves accessing files, encrypting them with an attacker-controlled key, and replacing the originals with the encrypted versions. Most ransomware variants are cautious in selecting files to encrypt to ensure system stability. Some variants will also take steps to delete backup and shadow copies of files to make recovery without the decryption key more difficult.
- Once file encryption is complete, the ransomware is prepared to make a ransom demand. Different ransomware variants implement the ransom demand in numerous ways, but it is not uncommon to have a display background changed to a ransom note or text files placed in each encrypted directory containing the ransom note. Typically, these notes demand a set amount of cryptocurrency in exchange for access to the victim’s files. If the ransom is paid, the ransomware operator will either provide a copy of the private key used to protect the symmetric encryption key or a copy of the symmetric encryption key itself. This information can be entered into a decryptor program (also provided by the cybercriminal) that can use it to reverse the encryption and restore access to the user’s files.
- While these three core steps exist in all ransomware variants, different ransomware can include different implementations or additional steps. For example, ransomware variants like Maze perform file scanning, registry information collection, and data theft before data encryption, and the WannaCry ransomware scans for other vulnerable devices to infect and encrypt.
How to Protect Against Ransomware
- Proper preparation can dramatically decrease the cost and impact of a ransomware attack. Adopting the following best practices can reduce an organization’s exposure to ransomware and minimize its impacts:
  - Cyber Awareness Training and Education: Ransomware is often spread using phishing emails. Training users on how to identify and avoid potential ransomware attacks is crucial. As many current cyber-attacks start with a targeted email that does not contain malware but only a socially engineered message that encourages the user to click on a malicious link, user education is often considered one of the most important defenses an organization can deploy.
  - Continuous data backups: By definition, ransomware is malware designed to make paying a ransom the only way to restore access to the encrypted data. Automated, protected data backups enable an organization to recover from an attack with minimal data loss and without paying a ransom. Maintaining regular backups of data as a routine process is a very important practice to prevent losing data, to recover it in the event of corruption, and to minimize the risk from disk hardware malfunction. Functional backups can also help organizations recover from ransomware attacks.
  - Patching: Patching is critical in defending against ransomware attacks, as cyber-criminals will often look for the latest uncovered exploits in the available patches and then target systems that are not yet patched. As such, it is critical that organizations ensure that all systems have the latest patches applied to them, as this reduces the number of potential vulnerabilities within the business for an attacker to exploit.
  - User Authentication: Accessing services like RDP with stolen user credentials is a favorite technique of ransomware attackers. The use of strong user authentication can make it harder for an attacker to make use of a guessed or stolen password.
- With the high potential cost of a ransomware infection, prevention is the best ransomware mitigation strategy. You can reduce the number of ways your organization can be attacked by addressing:
  - Phishing Messages
  - Unpatched Vulnerabilities
  - Remote Access Solutions
  - Mobile Malware
- The need to encrypt all of a user’s files means that ransomware has a unique fingerprint when running on a system. Anti-ransomware solutions are built to identify those fingerprints. Common characteristics of a good anti-ransomware solution include:
  - Wide variant detection
  - Fast detection
  - Automatic restoration
  - Restoration mechanism not based on common built-in tools (like ‘Shadow Copy,’ which is targeted by some ransomware variants)
- Many successful ransomware attacks are only detected after data encryption is complete and a ransom note has been displayed on the infected computer’s screen. At this point, the encrypted files are likely unrecoverable, but some steps should be taken immediately:
  - Quarantine the Machine: Some ransomware variants will try to spread to connected drives and other machines. Limit the spread of the malware by removing access to other potential targets.
  - Leave the Computer On: Encryption of files may make a computer unstable, and powering off a computer can result in loss of volatile memory. Keep the computer on to maximize the probability of recovery.
  - Create a Backup: Decryption of files for some ransomware variants is possible without paying the ransom. Make a copy of encrypted files on removable media in case a solution becomes available in the future or a failed decryption effort damages the files.
  - Check for Decryptors: Check with the No More Ransom Project to see if a free decryptor is available. If so, run it on a copy of the encrypted data to see if it can restore the files.
  - Ask For Help: Computers sometimes store backup copies of files stored on them. A digital forensics expert may be able to recover these copies if they have not been deleted by the malware.
  - Wipe and Restore: Restore the machine from a clean backup or operating system installation. This ensures that the malware is completely removed from the device.
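
The "unique fingerprint" that anti-ransomware solutions look for, described earlier in this section, can be sketched as one process rewriting many low-entropy files into near-random bytes within a short window. This is an added example, not code from the original page or from any product; the event tuple layout, thresholds, function names and sample data are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter, defaultdict, deque

HIGH_ENTROPY = 7.5    # bits/byte; ciphertext and compressed data sit near 8.0
WINDOW_SECONDS = 10   # assumed sliding window
MIN_FILES = 3         # assumed per-window threshold, kept low for the demo

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(before: bytes, after: bytes) -> bool:
    """True when a rewrite turned low-entropy content into near-random bytes.
    Already high-entropy files (zip, jpg) are skipped to avoid false hits."""
    return shannon_entropy(before) < HIGH_ENTROPY <= shannon_entropy(after)

def detect_bulk_encryption(events):
    """Return pids with MIN_FILES encrypted-looking rewrites inside one window."""
    recent = defaultdict(deque)          # pid -> (timestamp, path) hits
    flagged = set()
    for ts, pid, path, before, after in events:
        if not looks_encrypted(before, after):
            continue
        hits = recent[pid]
        hits.append((ts, path))
        while ts - hits[0][0] > WINDOW_SECONDS:   # drop hits older than window
            hits.popleft()
        if len({p for _, p in hits}) >= MIN_FILES:
            flagged.add(pid)
    return flagged

def sample_noise(seed: int) -> bytes:  # constructed stand-in for ciphertext
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(4096))

TEXT = b"Quarterly report: revenue, costs and forecast.\n" * 100
SAMPLE_EVENTS = [  # constructed (timestamp, pid, path, before, after), time-ordered
    (0.0, 400, "u/1.txt", TEXT, sample_noise(1)),            # slow, spread out
    (0.5, 100, "docs/a.docx", TEXT, TEXT + b"edit"),         # ordinary save
    (1.0, 200, "pics/x.zip", sample_noise(2), sample_noise(3)),  # archive re-save
    (2.0, 300, "docs/a.docx", TEXT, sample_noise(4)),        # burst, one process
    (2.4, 300, "docs/b.xlsx", TEXT, sample_noise(5)),
    (2.9, 300, "docs/c.pdf", TEXT, sample_noise(6)),
    (30.0, 400, "u/2.txt", TEXT, sample_noise(7)),
]
```

Calling `detect_bulk_encryption(SAMPLE_EVENTS)` flags only the process that produced the burst; the ordinary save, the archive re-save and the slow, spread-out rewrites stay below the thresholds.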
 
