Ransomware: A Detailed Analysis of an Emerging Threat
One of the most dangerous emerging trends in the malware world is ransomware. This class of malware has already wrought significant havoc on businesses and individuals since becoming a credible threat a few years ago, and it continues to grow in complexity and destructive potential. This article provides an in-depth look at ransomware: what it is, how it spreads, and how to protect yourself and your business from it.
What is Ransomware?
As the name implies, ransomware is a type of malware that holds the victim's data hostage until they take a specific action, usually paying a sum that can range from several hundred to tens of thousands of dollars, depending on the value of the data. This has proven to be a very lucrative strategy for criminals and dark-net mercenaries, with victims of ransomware having already paid hundreds of millions of dollars in ransoms to recover their information. CNN reports that over $209 million was paid to ransomware criminals in the first quarter of 2016 alone, with the average ransom demand rising to $679, more than double the average in the previous year. Falling prey to such an attack can bring financial ruin to individuals and businesses alike. No longer content with simply destroying an operating system or spamming your email contacts, attackers have become emboldened and now openly hold data hostage to extort money from the victim.
How Does Ransomware Work?
You might wonder how ransomware even accomplishes its goal; after all, nobody is breaking into your home or business and physically holding your PC hostage. Ransomware uses encryption: it encrypts the victim's files with a key that only the attacker holds. Modern families typically generate a per-victim (or per-file) key on the infected machine and protect it with the attacker's public key, so the decryption key never exists on the victim's system and cannot be recovered by examining the malware or the encrypted files. Financial reports, medical records, and sensitive personal information become useless to the victim because only the attacker can unlock them. An individual may be able to absorb the loss of photos or digital receipts, but a business can be ruined when stripped of access to critical data. Organizations without usable backups are therefore left choosing between losing the data and paying the ransom in the hope that the attacker keeps their word and hands over the key, which they are under no obligation to do.
How is Ransomware Transmitted?
Malware authors no longer operate the way they used to. Instead of forcing their way into a network with a meticulously crafted worm or backdoor, most attackers have shifted to social engineering to get a foothold in a business, because it is easier and cheaper than the older strategies. The most common transmission method by far is email, with about 60% of all ransomware infections coming from email sources. The attacker writes a convincing email that claims to be from a trusted contact, such as a relative, a government agent, or the CEO of the victim's company. The email asks the victim to perform an action, such as clicking a link or opening an attachment, and the payload executes on the user's PC as soon as they comply (often after a second prompt, such as enabling macros in an Office document). Once the malware is running, many families also reach beyond the infected machine: they encrypt files on mapped network drives and reachable file shares. WannaCry went further still, carrying a worm component that scanned for other hosts exposing SMBv1 and exploited the MS17-010 vulnerability in Windows' SMBv1 implementation to infect them with no user interaction at all. This can leave an entire infrastructure environment crippled, with file servers, VM hosts, and e-commerce applications brought to a halt.
Unlike the malicious email of the past, these messages are usually written in proper English, are well formatted, and appear legitimate in every way. Whereas an attacker's strategy used to be blasting out low-effort spam to whoever would open it, today's campaigns are deliberate and targeted, which makes it easier for victims to trust the message in front of them. Attackers have adopted this social engineering strategy in force: IBM reports that emails containing ransomware increased by a staggering 6,000% in 2016 over the previous year, and the number continues to rise.
How Can You Prevent Ransomware Attacks?
With such a devastating threat facing large and small businesses alike, how can you protect your organization from ransomware? Fortunately, there are smart steps you can take to stop these attacks before they even get through the door.
- Stay up to date on system updates and patches for your critical infrastructure. A significant number of attacks rely on vulnerabilities in old, unpatched software. WannaCry is the textbook case: Microsoft had released the MS17-010 fix in March 2017, two months before the outbreak, and the hosts it infected were the ones that had not applied it.
- Block all unnecessary inbound ports on your firewalls. This is one of the most basic security procedures, but you would be astounded at how many organizations leave ports wide open to the internet and trivially discoverable by port scans and ping sweeps. File-sharing ports in particular (SMB on TCP 445 and 139) should never be reachable from the internet, and segmenting the internal network limits how far a worm like WannaCry can travel once it is inside.
- Filter and block emails containing risky attachment file types. The most common file types used in ransomware attacks are EXE, RTF, and ZIP, with macro-enabled Office documents and script files (JS, VBS, HTA) close behind. Filter on the content of the attachment rather than just its extension, and inspect inside archives, since a renamed executable or a script zipped up in an archive slips past a simple extension blocklist.
- Introduce application allow-listing, such as AppLocker (built into the Enterprise editions of Windows), so that users cannot run unknown programs on their PCs. Note that AppLocker only enforces when its rule collections are set to enforce rather than audit and the Application Identity service is running.
- Verify SMBv1 is disabled. SMBv1 is an old protocol rather than a vulnerability in itself, but the flaw WannaCry exploited (MS17-010) lies in Windows' implementation of it, and future ransomware is sure to follow the same path, so the protocol should be turned off wherever it is not strictly needed (after patching, not instead of it). On Windows Server 2008 R2 and Windows 7 the setting is the DWORD value SMB1 under the key HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters; a value of 0 disables the SMBv1 server. Be aware that the value does not exist by default, and a missing value means SMBv1 is enabled, so "not present" must not be read as "set to 0". The SMBv1 client (the mrxsmb10 driver) is controlled separately. On Windows 8.1 / Server 2012 R2 and later, use the Set-SmbServerConfiguration cmdlet or remove the SMB1 Windows feature instead of editing the registry.
- Educate your users about cyber security and their role in keeping your network safe. Common sense is the most effective antivirus product on the market, and it's free. Develop training sessions that cover how to identify and report suspicious digital activity, and confirm users understand the material by testing them on it. You can go one step further and run phishing or social engineering simulations to measure the effectiveness of your training program.
- Have off-site backups that are tested regularly. This is by far the most important item on this list. Even if your entire network is compromised and locked down, having backups means you can wipe your infrastructure and reload it. Sure, this might involve a couple of days of work, but it beats being at the mercy of an attacker who may or may not give your data back after you pay. Keep at least one copy offline or otherwise unreachable from the production network; ransomware that can reach a mapped backup share will encrypt the backups along with everything else. Have a regular testing schedule where you perform a full bare-metal restore to ensure your backups will work when you need them.
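The SMBv1 and AppLocker items above are the ones that can be checked from the console. The script below is an added example written for this article, not code from the original page or from Microsoft: it reports the SMBv1 server and client state and the AppLocker enforcement state on the local host and, when run with -Remediate from an elevated PowerShell session, disables SMBv1. The registry value it reads is the one named above; the handling of a missing value (which means SMBv1 is enabled) is the caveat the registry check alone does not cover. The cmdlets and sc.exe commands are the documented Microsoft ones for each Windows generation; the function names and the -Remediate switch are this example's own.

```powershell
# Added example (not from the article): audit SMBv1 and AppLocker state on a
# Windows host and, with -Remediate, disable SMBv1. Assumes an elevated session.
# Disabling SMBv1 is hardening only; the MS17-010 update must still be installed.
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later ship the SmbShare module, which is
    # authoritative for the server side.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { return 'Enabled' }
        return 'Disabled'
    }
    # Windows 7 / Server 2008 R2 (and Vista / 2008): the SMB1 DWORD value under
    # LanmanServer\Parameters. The value is absent by default, and absent means
    # SMBv1 is ENABLED, so a missing value must not be treated as 0.
    $v = Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'Enabled' }
    if ($v.SMB1 -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-Smb1ClientState {
    # The SMBv1 redirector (mrxsmb10 driver) is configured separately from the
    # server. Its Start value is read from the registry so this also works on
    # PowerShell 2.0, where Get-Service has no StartType property.
    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                            -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $drv) { return 'NotPresent' }
    if ($drv.Start -eq 4) { return 'Disabled' }   # 4 = SERVICE_DISABLED
    return 'Enabled'
}

function Get-AppLockerState {
    # AppLocker only enforces when the Application Identity service is running
    # and at least one rule collection is in 'Enabled' (not AuditOnly) mode.
    if (-not (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue)) {
        return 'ModuleNotAvailable'
    }
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') { return 'ServiceNotRunning' }
    $enforced = (Get-AppLockerPolicy -Effective).RuleCollections |
        Where-Object { $_.EnforcementMode -eq 'Enabled' } |
        ForEach-Object { $_.RuleCollectionType }
    if ($enforced) { return "Enforcing: $($enforced -join ', ')" }
    return 'NoCollectionEnforced'
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # On Windows 8.1 / 10 the component can be removed outright instead:
        #   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
        # On Server 2012 R2 and later:  Remove-WindowsFeature FS-SMB1
    } else {
        Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side, per Microsoft KB2696547: drop the SMBv1 redirector from the
    # workstation's dependency list and disable the driver. Needs a reboot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

$server = Get-Smb1ServerState
$client = Get-Smb1ClientState
Write-Output "SMBv1 server        : $server"
Write-Output "SMBv1 client        : $client"
Write-Output "AppLocker           : $(Get-AppLockerState)"

if ($Remediate -and ($server -eq 'Enabled' -or $client -eq 'Enabled')) {
    Disable-Smb1
    Write-Output 'SMBv1 disabled; reboot for the client-side change to take effect.'
    Write-Output 'Remember that this does not replace the MS17-010 update.'
}
```

Run it without arguments first to see the current state on a representative host of each Windows generation; only add -Remediate once you have confirmed that nothing on the network still depends on SMBv1 (old NAS devices, printers and scanners are the usual holdouts), since disabling the protocol on a file server silently cuts those clients off.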