Ransomware is a type of malicious software that disrupts computers, servers, and other devices. After installing itself, ransomware software blocks access, deletes, or otherwise compromises legitimate data and applications.
Human-operated ransomware refers to attacks in which a human threat actor employs active hacking techniques, along with the deployment of malware, to advance a ransomware attack. Most ransomware demands a payment, or ransom, to “unlock” the computer and grant full access to the device and any related data and applications.
There are several different types of ransomware, including:
Block access to data and applications by encrypting files and devices.
Completely block access to a computer system.
Claims to identify other malware like viruses on your computer, and then demands money to remove them.
Steals sensitive information from your computer and threatens to release it online.
Also known as “hands-on-keyboard,” are when cybercriminals actively navigate through targeted infrastructure.
An increasingly common ransomware business model. This refers to the practice of an attacker paying a ransomware service operator a subscription fee to use ready-packaged ransomware toolkits/malware. In RaaS, the ransom payout is shared between the ransomware owners and their affiliates. The affiliates are the entities who execute the ransomware payload and the owners are the purveyors of the RaaS malware.
Ransomware operators will typically scan for unsecured, open ports to start their attack. Internet-exposed Remote Desktop Protocol (RDP) endpoints continue to be cited in threat reports as the number one entry point for ransomware.
Some remote access technologies, such as VPNs, can give attackers a back door to gain broad access to an organization's network and deliver ransomware payloads. Phishing emails with infected attachments or malicious links also continue to play a key role in the ransomware attack chain.
In 2020 and into 2021, ransomware threats have seen a massive resurgence. In 2020, ransomware surged 150%. Moreover, 35% of breaches across all industries were ransomware-related in 2020. In 2021, ransomware has been a constant presence in the news and had a tangible impact on everyday consumers. New instances of widespread disruption, such as the Colonial Pipeline attack by the DarkSide hacker group, gripped headlines for weeks. The attack took 45% of the U.S. East Coast's fuel supply offline. This quickly induced panic buying, fuel shortages, and increased the price at the pump. Hospitals and other medical providers, cryptocurrency exchanges and miners, and smaller, niche businesses continue to be lucrative targets for ransomware attacks.
The way criminals use ransomware is also changing. The ransomware-as-a-service model is increasing in popularity. As BeyondTrust Labs reported in their Malware Threat Report, the latest generation of RaaS is better at staying hidden within a network it has breached. Often the operator will leverage common pen testing tools – such as Cobalt Strike or PowerShell Empire – to perform network reconnaissance and spread. The ransomware then leverages privilege escalation techniques to gain control of critical systems and disable security controls, before finally encrypting key systems and exfiltrating data.
Nation-state actors launching ransomware attacks as part of international cyber warfare in another unsettling trend.
DarkSide is a hacker group leveraging the RaaS model. The group has deployed ransomware attacks across financial, legal, manufacturing, and other sensitive industries.
Famously, the DarkSide ransomware group was responsible for the Colonial Pipeline Company incident in May 2021. The cybercriminal group found stolen credentials that provided access to a dormant Colonial Pipeline VPN account. Unfortunately, this VPN account was still connected to the network. It’s likely the credentials found by DarkSide were re-used across multiple systems. After the payload was executed, critical pipeline systems and infrastructure were forced to go offline. This resulted in the shutdown of nearly 45% of the fuel supply of the East Coast of the United States.
In a slightly unusual move, DarkSide apologized for the disruptions caused by the attack, saying “We are apolitical. We do not participate in geopolitics. Our goal is to make money and not creating problems for society."
Also known as DEV-0537, Lapsus$ is an international hacker group who gained notoriety for breaching prominent tech companies, including NVIDIA, Microsoft, Ubisoft, and Okta.
The modus operandi of the Lapsus$ group hinges on acquiring credentials from privileged employees — either by recruitment or via social engineering. In the case of Okta, they targeted a third-party Technical Support Engineer who had access to some Okta systems. In other instances, the cybercriminal group has targeted help desks, resetting passwords and performing SIM swaps to bypass multi-factor authentication protocols. One of the group’s bolder tactics involves paying employees of large companies to run remote access tools or hand over credentials. Lapsus$ uses a channel on the messaging app Telegram to identify targets, share information, and ultimately recruit accomplices.
WannaCry is a ransomware payload that was grafted onto a vulnerability discovered by the NSA and leaked by Shadow Brokers. The WannaCry ransomware crypto worm unleashed a worldwide attack in May 2017. Emergency patches by Microsoft, along with discovery of a kill switch, helped stop the spread within a few days.
However, an estimated 200,000 computers across 150 countries were still affected, and damages ranging from hundreds of millions to billions of dollars. The hackers leveraged the vulnerabilities (nicknamed EternalBlue and DoublePulsar) and grafted WannaCry (real name WanaCrypt0r) as the payload. WannaCry does not need any user interaction to infect a host. The payload contains its own network scanner that can discover new hosts and self-propagate. Analysts have attributed this to the payload's ability to spread quickly, without anyone clicking on a link or browsing a malicious website.
Like WannaCry, Petya attacks involved the exploitation of the EternalBlue vulnerability. Petya and its variants (such as NotPetya) proliferates through malicious Office attachments and email. Once the malware is installed, it seeks out other systems to exploit.
On June 27, 2017, a number of Ukrainian companies received the brunt of Petya ransomware attacks. Power grids, nuclear facilities, and other key infrastructure companies were targeted. Radiation monitoring systems at Ukraine’s Chernobyl Nuclear Power Plant were knocked offline. The NotPetya variant has been dubbed the “most costly cyber-attack in history.” Damage spiraled into billions of dollars, affecting large businesses and governmental organizations worldwide.
While not the first ransomware, CryptoLocker brought ransomware into the public eye. The CryptoLocker ransomware attack, perpetrated by the Gameover Zeus Botnet, occurred from September 2013 to May 2014, infecting more than 250,000 systems. CryptoLocker leveraged a trojan targeting Microsoft Windows computers and spread via infected spam email attachments. While CryptoLocker could be eliminated from systems easily, encrypted files were unable to be recovered even after the ransom payment was made.
The top ransomware attacks typically leverage one or more of the following vectors to install themselves on computers and other devices:
In recent years, RDP has been a top entry point, allowing ransomware operators to gain a foothold in an environment. RDP allows users—and thus, ransomware actors—to remotely control computers or virtual machines over a network connection.
Users are contacted by criminals and persuaded to install software on their machines.
Users open an email attachment that contains malware that is then installed on their machine.
Macros in Microsoft Office and other apps can install ransomware.
Certain downloaded software can have a hidden “payload” of ransomware.
Mapped network drives allow the ransomware to spread to other machines.
Certain websites can install malware when they are visited, especially if you have not patched your browsers or turned on proper browser security. This includes popup online ads.
Root or administrative access can allow malware to spread quickly through your organization.
Ransomware may use fileless malware techniques to stay hidden as it advances through the network.
By applying the following ten best practices, individuals and organizations can reduce the risk of ransomware infection. Or at the very least, limit its spread and potential damage if an infection should occur.
Train users in popular social engineering techniques. Inform them about the dangers of macros, Office documents, email attachments, and downloads, and give them techniques to identify these threats.
Newer versions of MS Office have options to disallow any macros that are not digitally signed. Make sure you enable this option by default.
Patch and Update Software and OS Vulnerabilities
Some malware targets identified vulnerabilities. Ensure you have a thorough patching process that quickly identifies and fixes software and OS flaws.
Apply Least Privilege Policies
Least privilege requires assigning application and data access privileges based on job roles to ensure users do not have more access than they need. This includes removing administrator rights. Most ransomware (albeit not macro-based ransomware and some other forms, such as with WannaCry) requires administrator privileges to launch.
Use Vulnerability Scanning and Patch Management
Regularly scan your IT ecosystem for potential vulnerabilities and have a robust vulnerability management process to fix any issues.
Enforce Stricter Application Controls
Prevent installation or usage of applications unless they are vetted and approved by your IT security team.
Protect Trusted Applications from Misuse
Trusted Application Protection is a security capability that goes beyond simple application control. It involves adding context to the process tree and allowing the restriction of common attack chain tools, such as PowerShell and Wscript. These are spawned from commonly used applications, such as browsers or document handlers.
Apply Network Segmentation
Network segmentation divides resources in such a way so that an infection can be contained, rather than jumping throughout the entire network. This is particularly useful in preventing and isolating dangerous server-side ransomware attacks.
Make Regular Backups
If you are impacted by a ransomware infection, you will need to recover applications and data. Have a robust data backup process in place that combines live mirroring, periodic backups, hard drive imaging, and incremental backups.
Have Disaster Recovery Processes
If you are impacted, it is vital everyone understands what they need to do. Develop a working disaster recovery process for identifying and resolving ransomware attacks, reinstalling machines, and recovering data.
Cyber insurance (also referred to as cyber liability insurance or data breach insurance) provides insurance coverage for events including data breaches, downtimes, and ransomware attacks. In the event of a ransomware attack, cyber insurance policies are designed to offset damages. Actual offerings and coverage will vary depending on the policy issuer.
A rash of successful ransomware attacks over the past couple years has roiled the cyber insurance marketing. Cyber insurance premiums spiked to record highs in 2021. The large number of ransomware attacks, combined with skyrocketing payouts has even put some cyber insurers out of business altogether.
According to the Council of Insurance Agents & Brokers, the average premium for cyber insurance coverage increased 27.6% during Q3 2021. This was in addition to an increase of 25% in the previous quarter. As a result, brokerages and underwriters are demanding stricter cybersecurity postures from their policyholders to qualify for coverage. Many organizations are now struggling to qualify for cyber insurance due to the higher scrutiny insurers are placing on potential and existing policy holders.
Your risk of falling victim to a ransomware attack will depend on how closely your organization adheres to prevention best practices. Unfortunately, threat actors are continuously adapting their attack strategies to overcome even the most advanced defense measures. If the worst does happen and your organization is subjected to a ransomware attack, here is what to do.
Implement Your Disaster Recovery Program
Limit the further spread of the ransomware and start your disaster recovery process.
Wipe and Reinstall Machines
Close any impacted machines, wipe them, and reinstall the OS and applications.
Recover Uncompromised Data
Use backup data from your last known “good” data set.
Apply a “Lessons Learned” Approach
Revise security procedures and staff training to stop these issues from happening again.
Identify Security Gaps to Brace for the Future
Take measures to develop new organizational policies and deploy new solutions to increase your organization's cyber defenses.