How Does Ransomware Work?
Ransomware begins with an initial infection of an individual's or employee's device. The two most common delivery routes are malicious emails and malicious URLs.
Malicious emails, often called phishing or malspam emails, typically carry an infected attachment. Attachments are given intriguing or urgent names to encourage users to open them, often relating to taxes, false invoices, fake package tracking or current events.
Sometimes malicious URLs are embedded in emails to lure users into clicking, delivering web-based attacks such as drive-by downloads or malvertising.
Let’s look at how an early version of ransomware, CryptoWall, works once it gains a presence on an endpoint. Once the laptop is infected, CryptoWall corrupts explorer.exe, the Windows process behind the start menu, taskbar, desktop and file manager, and restarts it. It then deletes the Volume Shadow Copies (the built-in Windows file snapshots that could otherwise be used to restore files), installs its malware components, disables services, and so on. It establishes persistence, so restarting the device won’t get rid of it.
CryptoWall then contacts its command-and-control server to obtain the encryption key used to lock up files. With that key it encrypts every file on the local system, as well as any file reachable on connected network drives. Because of how ransomware works, the only way to regain access to those files is with the key, which the group behind CryptoWall hands over only after the ransom is paid.
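The recovery-tampering and mass-encryption steps described above leave telltale traces in endpoint telemetry. The following Python is an added example, not code from the original article or from any product: it runs two simple detections over constructed, Sysmon-like process and file events (the timestamps, paths and the process name updater_x.exe are made up), flagging shadow-copy deletion commands and any process that rewrites many files with a new extension within a short window, including files on network shares.

```python
import re
import ntpath
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample telemetry in a simplified Sysmon-like shape; none of it comes from a
# real incident. Process events: (timestamp, image, command line). File events: (timestamp, image, path).
PROCESS_EVENTS = [
    ("2024-01-15T09:00:01", "winword.exe", "winword.exe /n invoice.docx"),
    ("2024-01-15T09:00:07", "cmd.exe", "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    ("2024-01-15T09:00:08", "cmd.exe", "cmd.exe /c wmic shadowcopy delete"),
    ("2024-01-15T09:00:09", "cmd.exe", "cmd.exe /c bcdedit /set {default} recoveryenabled No"),
    ("2024-01-15T09:00:15", "explorer.exe", "explorer.exe"),
]
FILE_EVENTS = [
    # "updater_x.exe" is a made-up process name standing in for the ransomware binary.
    ("2024-01-15T09:00:20", "updater_x.exe", r"C:\Users\amy\Documents\q1-forecast.xlsx.locked"),
    ("2024-01-15T09:00:21", "updater_x.exe", r"C:\Users\amy\Documents\board-deck.pptx.locked"),
    ("2024-01-15T09:00:21", "updater_x.exe", r"C:\Users\amy\Documents\contract.docx.locked"),
    ("2024-01-15T09:00:22", "updater_x.exe", r"\\fs01\finance\payroll.csv.locked"),
    ("2024-01-15T09:00:23", "updater_x.exe", r"\\fs01\finance\ledger.xlsx.locked"),
    ("2024-01-15T09:00:24", "updater_x.exe", r"\\fs01\finance\README_RESTORE.txt"),
    ("2024-01-15T09:05:00", "winword.exe", r"C:\Users\amy\Documents\invoice.docx"),
]

# Command-line patterns for the recovery-tampering step: shadow copy deletion and
# disabling Windows boot recovery. Matching is case-insensitive.
RECOVERY_TAMPERING_RULES = {
    "vssadmin-delete-shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic-shadowcopy-delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit-recovery-disabled": re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I),
    "wbadmin-delete-catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}


def find_recovery_tampering(process_events):
    """Return (timestamp, image, rule name) for each command line that matches a tampering rule."""
    hits = []
    for ts, image, cmdline in process_events:
        for rule, pattern in RECOVERY_TAMPERING_RULES.items():
            if pattern.search(cmdline):
                hits.append((ts, image, rule))
    return hits


def find_mass_file_writes(file_events, window_seconds=60, threshold=5):
    """Flag any process that writes at least `threshold` files within `window_seconds`.

    Returns one (image, files in burst, most common extension) tuple per flagged process;
    a single new extension dominating the burst is the classic sign of bulk encryption.
    """
    writes = defaultdict(list)
    for ts, image, path in file_events:
        writes[image].append((datetime.fromisoformat(ts), path))
    alerts = []
    for image, entries in writes.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            burst = [p for t, p in entries[i:] if (t - start).total_seconds() <= window_seconds]
            if len(burst) >= threshold:
                # ntpath handles the Windows-style paths regardless of the host OS.
                ext, _ = Counter(ntpath.splitext(p)[1].lower() for p in burst).most_common(1)[0]
                alerts.append((image, len(burst), ext))
                break
    return alerts


if __name__ == "__main__":
    for hit in find_recovery_tampering(PROCESS_EVENTS):
        print("recovery tampering:", hit)
    for alert in find_mass_file_writes(FILE_EVENTS):
        print("mass file writes:", alert)
```

On the constructed data, the three cmd.exe command lines trip three rules, and updater_x.exe is reported for writing six files in four seconds with .locked as the dominant extension, while winword.exe's single save is ignored. In a real deployment the thresholds would be tuned per environment so that backup agents and indexers do not trip the second detector.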
Who are the Perpetrators?
Advanced ransomware attacks can come from authors who take existing ransomware variants and alter them enough to get past malware scanners. However, ransomware attackers are not always coders. Some bad actors buy ransomware from its authors and pay the developer a percentage of the earnings, a model known as ransomware-as-a-service (RaaS). These criminals are difficult to track down in the age of anonymous cryptocurrency.
Why is Ransomware Spreading?
Reported ransomware incidents increased 62% in 2021 compared to 2020. Ransomware attacks are rapidly increasing for several reasons.
In the age of RaaS, attackers don’t need to be skilled coders, which widens the pool of people with the tools to become cyber criminals. Open-source code and drag-and-drop builder platforms that can generate ransomware variants are also widely available.
In addition, more users are working from home and possibly on non-company computers. This opens the door for phishing emails and malicious downloads.
Examples of Ransomware Attacks
To proactively prevent ransomware, it’s important for organizations to understand the tactics and characteristics of common ransomware attacks.
WannaCry is ransomware that spreads on its own. It leveraged EternalBlue, an exploit developed by the NSA, to compromise machines, load the malware, and propagate to other machines. Specifically, EternalBlue exploits a vulnerability in Microsoft’s Server Message Block (SMB) protocol, which Windows computers use for tasks such as file sharing. EternalBlue then installed the DoublePulsar backdoor to execute malicious code on the infected system.
Microsoft had released patches by the time of the attack. However, many of the organizations hit were running older systems that were past end-of-life and had not been patched.
Given its ability to spread, it is estimated to have infected more than 200,000 systems globally.
With the world still reeling from WannaCry, NotPetya made an appearance in late June 2017, and became the most devastating attack the world had seen to date.
NotPetya appeared to be ransomware at first glance, but turned out to be wiper malware designed only to destroy: its encryption was irreversible. The attack began with bad actors compromising MeDoc, a Ukrainian tax accounting application. MeDoc had hundreds of thousands of customers, primarily in Europe, who used the software to do business in Ukraine. Like any software vendor, MeDoc pushed updates to its customers; one of those updates had been compromised without MeDoc’s knowledge, and customers implicitly trusted it. This was a supply-chain attack that exploited the trust between software vendors and customers, using a compromised piece of software, MeDoc, as a beachhead on victims’ systems. From there the attack launched an updated version of the Petya ransomware, dubbed NotPetya.
The attack spread laterally using the EternalBlue and EternalRomance exploits against unpatched systems, or using credentials stolen through password-harvesting techniques, which let tools like PsExec and WMI push it to further systems. Total global damages tied to NotPetya, now seen as a geopolitical cyber weapon, have been estimated at around $10 billion.
What does Lady Gaga have to do with new ransomware attack techniques?
Her unsuspecting role in double extortion.
Ransomware attacks have become even nastier, as some now add a second form of extortion. First, attackers gain a foothold, find sensitive data, and exfiltrate it to their own servers. With the sensitive data stolen, they then encrypt systems. Not only are systems locked up, but the stolen information will be leaked publicly unless the victim pays, adding further pressure on organizations to pay ransoms.
Recently, attackers targeted an entertainment law firm, stealing data related to high-profile clients like Lady Gaga, Bruce Springsteen, and Christina Aguilera. They initially released contracts related to Lady Gaga as proof of their possession of sensitive information.
The group behind the attack threatened to release more celebrity data if the law firm declined to pay the ransom demand, which reached some $42 million.
The Business Impact of Ransomware
Ransomware has a massive impact on business productivity. Attackers blackmail companies by threatening to release sensitive data if the company doesn’t pay the ransom quickly. In 2016, SamSam ransomware gave the world an unpleasant surprise when it unveiled a new, fearsome capability: built-in lateral movement, or self-propagation. Why does that matter? Attackers can effectively target entire enterprise networks, encrypt vast amounts of mission-critical data and, in turn, demand larger ransom payments. In the case of SamSam, attackers found their way in by exploiting a dated server vulnerability. Once inside, SamSam moved laterally, seeking out additional network-connected systems in order to encrypt them.
How is Ransomware Spreading?
Ransomware that is capable of spreading on its own has generated considerable attention; however, many recent ransomware attacks are more methodical and attacker-controlled.
These attacks don’t move as quickly as ransomware with built-in lateral movement, but they are just as devastating because of the long dwell time spent surveilling an environment. US municipalities have reported a wave of attacks in recent years – and many more were likely never reported at all. In most cases, attackers case the environment for weeks before the ransomware encryption begins.
These attacks gain a foothold via phishing or by brute-forcing poorly configured services such as Remote Desktop Protocol (RDP), which is used for remote access to Windows. Once inside, the attackers are methodical, attempting peer-to-peer lateral movement over open ports, for example by exploiting RDP or WMI, ideally to reach a domain controller.
Credential harvesting, also seen in NotPetya, is another way to move laterally. Tools like Mimikatz facilitate it and allow privilege escalation, giving attackers greater levels of permission in the network.
Either way, attackers often reach the domain controllers, which effectively makes them an IT admin of the company they are attacking.
At this point, they “live off the land,” using existing IT admin tools such as PsExec, which executes processes on other systems, or PowerShell, which automates operating-system management tasks, to drop malicious files onto systems.
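The RDP brute-forcing and PsExec-based lateral movement described in this section show up in standard Windows event logs. The following Python is an added example, not from the original article: it applies a sliding-window count to constructed failed-logon records (event ID 4625, logon type 10 for RDP), escalates when a success (4624) from the same source follows the burst, and separately flags new-service installs (7045) whose service name is PsExec's default PSEXESVC. The hosts, users and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log records reduced to the fields the detectors need. The event IDs are the
# real Windows ones (4625 failed logon, 4624 successful logon, 7045 new service installed);
# logon type 10 is RemoteInteractive, i.e. RDP. Hosts, users and addresses are made up.
EVENTS = [
    {"time": "2024-03-02T02:10:00", "id": 4625, "host": "FS01", "src": "203.0.113.5", "user": "administrator", "logon_type": 10},
    {"time": "2024-03-02T02:10:30", "id": 4625, "host": "FS01", "src": "203.0.113.5", "user": "admin", "logon_type": 10},
    {"time": "2024-03-02T02:11:00", "id": 4625, "host": "FS01", "src": "203.0.113.5", "user": "backup", "logon_type": 10},
    {"time": "2024-03-02T02:11:30", "id": 4625, "host": "FS01", "src": "203.0.113.5", "user": "svc_sql", "logon_type": 10},
    {"time": "2024-03-02T02:12:00", "id": 4625, "host": "FS01", "src": "203.0.113.5", "user": "jsmith", "logon_type": 10},
    {"time": "2024-03-02T02:12:30", "id": 4625, "host": "FS01", "src": "203.0.113.5", "user": "jsmith", "logon_type": 10},
    {"time": "2024-03-02T02:13:00", "id": 4624, "host": "FS01", "src": "203.0.113.5", "user": "jsmith", "logon_type": 10},
    # A user mistyping a password once and then logging in: must not alert.
    {"time": "2024-03-02T08:01:00", "id": 4625, "host": "WS07", "src": "10.0.0.12", "user": "amy", "logon_type": 10},
    {"time": "2024-03-02T08:01:20", "id": 4624, "host": "WS07", "src": "10.0.0.12", "user": "amy", "logon_type": 10},
    # Service installs: PsExec's remote service versus a legitimate agent install.
    {"time": "2024-03-02T02:40:00", "id": 7045, "host": "DC01", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-03-02T09:00:00", "id": 7045, "host": "WS07", "service": "Sysmon64", "image": r"C:\Windows\Sysmon64.exe"},
]


def detect_rdp_brute_force(events, window=timedelta(minutes=10), threshold=5):
    """One alert per (host, source) with at least `threshold` RDP failures inside `window`.

    If an RDP success from the same source follows the burst, the alert is escalated,
    because that is what a successful password guess looks like in the log.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("logon_type") != 10 or e["id"] not in (4624, 4625):
            continue
        key = (e["host"], e["src"])
        (failures if e["id"] == 4625 else successes)[key].append(datetime.fromisoformat(e["time"]))
    alerts = []
    for key, fails in failures.items():
        fails.sort()
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            followed = any(start <= s <= burst[-1] + window for s in successes.get(key, []))
            alerts.append({"host": key[0], "src": key[1], "failures": len(burst),
                           "kind": "brute-force-success" if followed else "brute-force"})
            break  # report the first qualifying burst per source, not every sub-window
    return alerts


def detect_psexec_service(events):
    """(host, image) for every new-service event whose name is PsExec's default PSEXESVC."""
    return [(e["host"], e["image"]) for e in events
            if e["id"] == 7045 and e.get("service", "").upper() == "PSEXESVC"]


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(EVENTS):
        print("RDP:", alert)
    for host, image in detect_psexec_service(EVENTS):
        print("PsExec service installed on", host, "from", image)
```

On the constructed records, FS01 gets one escalated alert (six failures in under three minutes, then a success from the same address), WS07's single typo produces nothing, and the PSEXESVC install on DC01 is reported while the Sysmon install is not. Attackers can rename the PsExec service, so in practice the service-name check is paired with the other living-off-the-land signals above rather than relied on alone.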
How to Prevent Ransomware Attacks
How can you protect yourself? It is a tall order, given that many attacks use newly created malware or live off the land to largely evade detection. There are, however, a few best practices that reduce the risk of a major ransomware attack.
Here are some of the leading ways to reduce ransomware risk, according to US-CERT:
- Segment your laptops and networks so that the first laptop infected is also the last and the attack can’t move beyond the initial system.
- Patch all systems regularly so that vulnerable applications and operating systems can’t be targeted.
- Use effective email and endpoint security tools to stop as many phishing emails as possible from reaching inboxes, and to stop malicious activity associated with ransomware from reaching endpoints and encrypting files.
- Train users to open email attachments carefully and to be wary of attachments from unknown senders.
- Back up systems often and store the backups separately, where they cannot be reached from the network, so that you can restore to a previous state if need be.
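To make the first item concrete, here is an added Python example (not from the article or any vendor's product) that models a segmentation policy as allow rules between segments and computes the blast radius, i.e. every host an attacker on one infected laptop could reach by hopping over the SMB, RDP and WMI ports the attacks above spread on. The inventory, segment names and rules are constructed; comparing an allow-all policy with a default-deny one shows why segmentation keeps the first infected laptop the last.

```python
from collections import deque

# Ports the attacks in the article spread over: SMB (WannaCry/NotPetya), RDP, and RPC/DCOM for WMI.
LATERAL_MOVEMENT_PORTS = {445, 3389, 135}

# Constructed inventory: host -> segment label. All names are made up.
HOSTS = {
    "laptop-1": "workstations",
    "laptop-2": "workstations",
    "laptop-3": "workstations",
    "jump01": "admin-jump",
    "fs01": "file-servers",
    "dc01": "domain-controllers",
}

# Policy rules are (source segment, destination segment, port); "any" is a wildcard.
# Anything not explicitly allowed is denied, which is the micro-segmentation default,
# so even two hosts in the same segment cannot talk unless a rule says so.
FLAT_POLICY = [("any", "any", port) for port in (445, 3389, 135)]
SEGMENTED_POLICY = [
    ("workstations", "file-servers", 445),        # users reach their file shares
    ("workstations", "domain-controllers", 88),   # Kerberos authentication
    ("admin-jump", "domain-controllers", 3389),   # admins manage DCs from the jump host only
    ("admin-jump", "file-servers", 3389),
]


def is_allowed(policy, src_segment, dst_segment, port):
    """True if some rule permits src_segment -> dst_segment on this port."""
    return any(src in ("any", src_segment) and dst in ("any", dst_segment) and p == port
               for src, dst, p in policy)


def blast_radius(hosts, policy, patient_zero):
    """Hosts an attacker on `patient_zero` could reach over lateral-movement ports,
    hopping through each newly reached host in turn (breadth-first search over the policy)."""
    reached, queue = {patient_zero}, deque([patient_zero])
    while queue:
        current = queue.popleft()
        for host, segment in hosts.items():
            if host in reached:
                continue
            if any(is_allowed(policy, hosts[current], segment, port) for port in LATERAL_MOVEMENT_PORTS):
                reached.add(host)
                queue.append(host)
    return reached - {patient_zero}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: laptop-1 can reach {sorted(blast_radius(HOSTS, policy, 'laptop-1'))}")
```

Under the flat policy an infected laptop-1 can reach every other host, including the domain controller. Under the segmented policy it reaches only the file server it legitimately needs (over SMB, which is why file-server backups still matter), and neither the other laptops nor the domain controller; the Kerberos rule does not help the attacker because port 88 is not a lateral-movement channel. Running the same function from jump01 shows the trade-off: the admin jump host keeps a larger reach by design, so it is the host to protect most carefully.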
Responding to Ransomware Attacks
If you suspect that your device has been infected with malware, there are a few steps you should take to prevent further damage. First, disconnect the infected device from the network and other devices as quickly as possible. This will stop the spread of the ransomware from one device to another. Companies can prevent malware from spreading quickly by using Zero Trust Segmentation, including micro-segmentation, to isolate workloads from each other.
The next step is to contact the authorities. Infecting devices with ransomware is against the law, and law enforcement may also have tools that can help you get your files back.
If you’ve backed up your files to a different location, you’ll be able to get them back; this is one of the many reasons regular file backups are crucial. If you don’t have backups, research online to try to find a ransomware decryption key. Unfortunately, if you can’t find the right key, you may have to accept that your files are gone.
Should I Pay the Ransom?
Never pay the ransom to get your files back. There is no guarantee that they’ll actually give you the decryption key, and you’ll be funding criminal activities. Paying will also make you a recurring target. Now that the criminals know they can get money from you, they’ll continue infecting your devices in the future.
Being able to identify potential malware in phishing emails and malicious URLs could save your files from being destroyed. After reading this article, you can answer the next time someone asks you, “What is ransomware?” You’re also prepared to prevent attacks and know the steps to take if your devices are infected.