The What, How, and Why of Ransomware.

What is Ransomware?

Ransomware is malware that uses encryption to hold a victim's information to ransom. An organization's critical data is encrypted so that it can no longer access its files, databases, or applications, and a ransom is then demanded in return for restoring access. How the malware gets into the systems depends on the type used; email phishing attacks are one of the most common routes. It may take only one employee opening the wrong email and clicking the wrong link for the organization to be attacked. Ransomware is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting substantial damage and expense on the organizations affected.


Covid and Ransomware

The coronavirus pandemic has also been a factor driving the increase in ransomware infections. Working from home has increased in the past year because of COVID-19; however, remote work has opened the floodgates to ransomware, and the transition to working from home has contributed dramatically to the rise in successful ransomware attacks. Ransomware attacks against the education system are growing rapidly, and the cyber-risks faced by the education sector are at an all-time high. Malicious actors are also increasingly attacking smaller organisations, which are seen as softer targets and tend to have a lower level of security training.

According to Kaspersky, 56% of ransomware victims paid a ransom in 2020, yet only 28% of ransomware victims were able to restore all their encrypted files following the attack. Among ransomware victims who paid a ransom, 50% lost at least some files, 32% lost the majority of their files, and 18% lost all their data. Ransomware attacks are increasing in severity and volume, and organizations must plan accordingly.

The Future and Ransomware

With ransomware contributing to over 80% of financially motivated attacks in 2020, it has transitioned from the actions of groups looking to make a quick buck to being a key pillar of the malware-as-a-service market. This allows anyone to rent ransomware from malicious organisations and launch an attack regardless of technical skill. Competition brings innovation: ransomware developers are now creating bespoke versions that hunt for secured backups, and are pushing toward targeting smaller, softer targets in volume to maximise returns.

Such customisations make signature- and heuristics-based defence systems less effective; live, true-content analysis of network traffic is the optimum way of detecting and blocking malware before it reaches the internal network of an organisation.

Flavours of Ransomware

The CryptoLocker botnet is one of the oldest forms of cyberattack and has been around for the past two decades. The CryptoLocker ransomware came into existence in 2013, when hackers applied the original CryptoLocker botnet approach to ransomware.

WannaCry is the most widely known ransomware variant across the globe. WannaCry has infected nearly 125,000 organizations in over 150 countries.

Bad Rabbit is another strain of ransomware that has infected organizations across Russia and Eastern Europe. It usually spreads through a fake Adobe Flash update on compromised websites.

Cerber is another ransomware variant that targets cloud-based Office 365 users. Millions of Office 365 users have fallen prey to an elaborate phishing campaign delivering the Cerber ransomware.

Crysis is a special type of ransomware that encrypts files on fixed drives, removable drives, and network drives. It spreads through malicious email attachments with double file extensions (for example, a file that appears to be a document but ends in an executable extension). It uses strong encryption algorithms, making it difficult to decrypt within a reasonable amount of time.
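The double-file-extension lure described above is something a mail gateway can check for before an attachment reaches a user. The following is an added example, not code from the original post or from CTSS; the extension lists and the sample attachment names are constructed for illustration.

```python
"""Flag attachment names that use a deceptive double extension.

Added example (not from the original post): a mail-gateway style check
for lures such as "invoice.pdf.exe", which look like a document to the
user but run as a program when opened.
"""
import posixpath

# Extensions that execute or run script when opened on a typical
# workstation (illustrative list, extend to match your environment).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "ps1", "hta", "msi", "pif", "lnk"}
# Extensions a user expects to be a harmless document or image.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "rtf", "csv", "jpg", "jpeg", "png", "gif", "zip"}


def is_deceptive_double_extension(filename: str) -> bool:
    """Return True when the name ends in an executable extension that is
    preceded by a document-looking extension, e.g. "report.docx.js".

    The comparison is case-insensitive, and whitespace inside the name
    (some lures pad with spaces to push the real extension out of view
    in a mail client) is stripped from each extension token first.
    """
    name = posixpath.basename(filename.lower())
    parts = [p.strip() for p in name.split(".") if p.strip()]
    if len(parts) < 3:          # need a base name plus two extensions
        return False
    penultimate, last = parts[-2], parts[-1]
    return last in EXECUTABLE_EXTS and penultimate in DOCUMENT_EXTS


def flag_attachments(names):
    """Return the attachment names that should be quarantined for review."""
    return [n for n in names if is_deceptive_double_extension(n)]


# Constructed sample attachment names for demonstration.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf",                       # ordinary document: allowed
    "invoice.pdf.exe",                   # document name, executable: flagged
    "Q3 Report.DOCX.js",                 # mixed case script: flagged
    "backup.tar.gz",                     # legitimate compound extension
    "photo.jpg                   .scr",  # space-padded screensaver: flagged
    "notes.txt",
]

if __name__ == "__main__":
    for name in flag_attachments(SAMPLE_ATTACHMENTS):
        print("quarantine:", name)
```

A gateway would apply the same check to names recovered from inside archive attachments, since a zip wrapper is a common way to carry such files past a surface-level filter.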

CryptoWall is an advanced form of the CryptoLocker ransomware. It came into existence in early 2014 after the downfall of the original CryptoLocker variant. Today, multiple variants of CryptoWall exist, including CryptoDefense, CryptoBit, CryptoWall 2.0, and CryptoWall 3.0.

GoldenEye is similar to the infamous Petya ransomware. It spreads through a massive social engineering campaign that targets human resources departments. When a user downloads a GoldenEye-infected file, it silently launches a macro that encrypts files on the victim’s computer.

Jigsaw is one of the most destructive types of ransomware: it encrypts files and then progressively deletes the encrypted files until a ransom is paid. It deletes files one after another on an hourly basis until the 72-hour mark, when all the remaining files are deleted.

Locky is another ransomware variant designed to lock the victim's computer and prevent them from using it until a ransom is paid. It usually spreads through a seemingly benign email message disguised as an invoice.

Contact us now to find out how CTSS can protect you from ransomware and more with WedgeARP