Whether it’s end users who represent your greatest Achilles heel, vulnerabilities in your endpoint security, or a combination of both—ransomware attackers will find ways to exploit them. In order to effectively protect your business-critical data, you must understand how ransomware works.
At its most basic, a ransomware attack follows this process:
- Cyber criminals leverage a ransomware attack vector, like an infected email, to trick end users into granting them access to your business’ workstations and servers
- Once in, they hold your data hostage by encryption or lockscreen—or take control of your network
- The cyber criminal then offers a decryption key, but it comes with a price: a demand for ransom
It’s called cryptoviral extortion, and it’s as awful as it sounds.
Recognizing ransomware attack vectors is critical
Typically, ransomware attacks occur via Trojans—malicious files disguised as photo .zip files, work résumés, free software, or other seemingly legitimate files, which end users are deceived into opening or downloading. The ransomware then runs a payload in order to render the system unusable—or at least it threatens to do so (think of a scareware program)—and the chaos begins.
Let’s take a look at some common modes of entry.
Despite the cost of launching ransomware attacks, email is still the most prevalent ransomware attack vector worldwide.
- Email filters are easily bypassed when attackers attach, for example, Word, Excel, or PDF files, or include links to software downloads
- These attachments are often falsely labeled with a “harmless” sounding title or with multiple, confusing file extensions
It’s absolutely critical that end users never view or download email attachments from unknown sources.
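The "harmless" title and confusing multiple-extension tricks just described can be screened mechanically at the mail gateway before a user ever sees the attachment. The following is an added example, not code from the original article or from any vendor product; the extension lists and sample attachment names are constructed for illustration, and `screen_attachment` is a hypothetical helper name:

```python
import re

# Extension lists are constructed for this example; tune them to your environment.
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "com", "pif", "js", "jse", "vbs",
                   "vbe", "wsf", "hta", "ps1", "msi", "jar", "lnk"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xlam"}
# Types users think of as benign documents, images or archives.
BENIGN_LOOKING_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg",
                       "jpeg", "png", "zip"}


def extensions_of(name):
    """Return the lower-cased extension chain, e.g. 'photo.jpg.exe' -> ['jpg', 'exe']."""
    parts = [p.strip() for p in name.strip().lower().split(".")]
    return parts[1:] if len(parts) > 1 else []


def screen_attachment(name):
    """Return the reasons an attachment name looks deceptive (empty list = nothing fired).

    This inspects only the name; it complements content scanning, it does not replace it.
    """
    reasons = []
    exts = extensions_of(name)
    if not exts:
        return reasons
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable type .{final}")
    if final in MACRO_EXTS:
        reasons.append(f"macro-enabled type .{final}")
    # 'invoice.pdf.exe': a benign-looking extension placed in front of a dangerous one.
    if len(exts) >= 2 and exts[-2] in BENIGN_LOOKING_EXTS and final in (EXECUTABLE_EXTS | MACRO_EXTS):
        reasons.append(f"double extension .{exts[-2]}.{final}")
    # A run of spaces before the real extension pushes it out of view in narrow mail clients.
    if re.search(r"\s{3,}\.[^.\s]+$", name):
        reasons.append("whitespace padding before final extension")
    return reasons


# Constructed sample names, as a mail gateway might see them.
SAMPLE_ATTACHMENTS = [
    "Q3_report.pdf",
    "Q3_report.pdf.exe",
    "resume.docm",
    "photos.zip",
    "photo.jpg          .scr",
]


def screen_all(names=SAMPLE_ATTACHMENTS):
    """Map each flagged name to its list of reasons; clean names are omitted."""
    return {n: r for n in names if (r := screen_attachment(n))}


if __name__ == "__main__":
    for name, reasons in screen_all().items():
        print(f"{name!r}: {', '.join(reasons)}")
```

A rule set like this belongs in the gateway's quarantine path rather than in a user-facing warning: the point is that the end user never has to make the judgement the article warns about. Archive attachments (`.zip`) still need to be opened and each member name screened the same way.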
USB storage devices
Attackers will also employ analog methods to gain access to your data.
- Infected USB flash drives are being increasingly used as a portal for ransomware to gain access to your network
- Reports of these flash drives being planted in business parking lots are not uncommon
Simply put: Avoid using USB storage devices from an unknown source.
Internet ads and exploit kits
Exploit kits are commonly available to would-be ransomware attackers at bargain prices. These kits infect websites via vulnerabilities in popular browser plug-ins, like Java and Adobe Flash, often deploying malvertising or abusing ad space with infected content.
- Exploit kits and malvertising are difficult for end users to monitor, as not only can questionable sites be infected, but legitimate sites, as well
- Malvertising can appear to be strikingly authentic
Once discovered, these vulnerabilities are often quickly rectified by software vendors, but cyber criminals can do irreparable harm before the infection is detected.
Visiting compromised websites with unpatched third-party applications, outdated browsers, or outdated software plug-ins can leave you vulnerable to a ransomware infection. So, be diligent: not only avoid interacting with questionable links, popup ads, and websites, but also run software updates and patches immediately.
The proverb, “never look a gift horse in the mouth,” most definitely does not apply when it comes to free software.
- “Free software” attack vectors may come in the form of free games, software, screensavers, and even online game “cheats”
- Because the software is downloaded by the user, ransomware attackers bypass firewalls and email filters, gaining unrestricted access to your system
Before you take advantage of an offer that’s most definitely too good to be true, consider this: Not long ago, a ransomware attack took aim at the popular game Minecraft. The attackers offered a “mod” to players, and weeks later, a sleeper version of the ransomware was activated on their machines.
Ransomware encryption technology is increasingly powerful stuff
Ransomware attacks are quickly becoming more and more sophisticated, and hybrid encryption—or AES ransomware, so called because the file-encrypting symmetric cipher is typically AES—is the latest.
Now, the malware generates a random symmetric key on the victim’s machine and uses it to encrypt the user’s data; it then encrypts that symmetric key with a public key carried inside the malware, whose matching private key only the attacker holds. The result?
Data that’s impossible to recover by brute force decryption.
Is your encrypted data protected from ransomware?
Many—including IT professionals—believe that if a file is already encrypted, it’s protected from ransomware.
It isn’t. Ransomware simply encrypts the already-encrypted file again, and the victim’s own key cannot undo the attacker’s layer. Encrypted files are still vulnerable to ransomware attack, making it absolutely critical that IT departments are well-informed about the scope of attack methodologies and data vulnerabilities.
Understanding ransom demands and ransomware recovery
After a ransomware infection, the cyber extortion begins.
Now, the victim is left in the unenviable position of deciding whether or not to pay up in the hopes they’ll be granted the decryption key.
Usually, the ransom demand is in the form of untraceable Bitcoin. The attackers’ goal, of course, is to get their ransom quickly and easily with very little risk of being traced. While wire transfers, high-rate text messages, voucher services, and even Amazon and iTunes gift cards have been requested, Bitcoin has become the payment of choice.
Because Bitcoin is a public transaction system—without government or bank regulation—the account holder may remain anonymous. As a result, it’s become popular among illicit drug and arms dealers and, you guessed it, ransomware attackers. It’s become so popular, in fact, that a 2016 survey commissioned by Citrix found that larger businesses were holding Bitcoin as part of their contingency plans.
Once the ransomware attacker receives payment, he or she may deliver the decryption key. (Emphasis on “may.”)
Because you’re dealing with a cyber criminal, ransom payment does not guarantee data recovery. Some attackers receive their payment and are never heard from again. Others may up the ante, demanding a second, larger payment. And, if you do regain access to your data, there’s no guarantee that it won’t be corrupted or incomplete.
Worse, if you pay, you’ve shown cyber attackers that you’re a willing participant in their malicious game—you’ve now got a target on your back.
Today, the best cure is an insurance policy—a clean backup. If you have an advanced backup and recovery solution in place, you’ll be empowered to remove the ransomware and restore a clean copy of your data without ever caving to ransomware attackers’ demands.
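A backup only serves as that insurance policy if you can prove it is still clean before restoring it. The following is an added example, not the article’s or any backup product’s code: it records a SHA-256 manifest of a backup set at backup time and later reports every file that has been changed or removed, which is exactly what an encrypted or deleted backup looks like. The file contents, paths and manifest format are constructed for illustration, and `build_manifest`, `verify_backup` and `demo` are hypothetical helper names.

```python
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record relative path -> SHA-256 for every file under root, taken at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_backup(root, manifest):
    """Return {relative path: 'missing' | 'modified'} for every manifest entry that no longer matches.

    An empty result means the backup is byte-for-byte the copy that was recorded.
    Anything else means it must not be restored over production until explained.
    """
    problems = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            problems[rel] = "missing"
        elif sha256_of(full) != expected:
            problems[rel] = "modified"
    return problems


def demo():
    """Constructed scenario: take a manifest, then overwrite one backed-up file with
    random bytes (standing in for encryption by ransomware) and delete another."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        with open(os.path.join(root, "finance", "ledger.csv"), "w") as f:
            f.write("date,amount\n2024-01-01,100\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("quarterly review\n")
        manifest = build_manifest(root)
        assert verify_backup(root, manifest) == {}  # clean immediately after recording
        with open(os.path.join(root, "finance", "ledger.csv"), "wb") as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(root, "notes.txt"))
        # Report keys use '/' so the result reads the same on every platform.
        return {rel.replace(os.sep, "/"): why for rel, why in verify_backup(root, manifest).items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only as trustworthy as where it is kept: store it offline or on immutable storage, separate from the backup host, because an attacker who can rewrite the backup can just as easily regenerate a manifest that matches the encrypted copies.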
Why ransomware is so effective
When cyber criminals found a way to sell illegal products and services in a seemingly more legitimate way, the underground economy took note. Cybercrime grew quickly. And, because cyber criminals had more accessible and efficient avenues to learn the “trade”, the doors opened wide to less experienced criminals.
Ransomware attackers now peddle:
- Ransomware-as-a-service, complete with tech support
- Social networks with escrow services
- Botnets for rent by the hour
- Zero-day exploit markets
And, all of these criminal opportunities support higher-quality, more effective malware; more efficient supply chains; and the formation of co-conspirators, which makes it more difficult to pin blame and assign jurisdiction.
There is no question that cybercrime of this kind is here to stay; your best protection is a three-pronged approach to ransomware prevention and remediation:
- End user education
- Endpoint security
- Backup and recovery