Ransomware Explained (Part 1): What is it and how to prevent it
By Yael Spindel, Cyber Threat Intelligence Team Leader
The rise of ransomware attacks over the past decade has been nothing short of meteoric. Like other forms of malware, ransomware has existed for decades and poses a threat to personal and company devices and data alike. What makes up a ransomware attack? Why is it one of the most feared cyber-attack types globally? How did it become so common that it turned into a service (ransomware-as-a-service, or RaaS)? The following explores what you need to know about ransomware attacks, how they operate, and some of the steps you can take to prevent or mitigate them.
Ransomware is malware that uses encryption to hold a victim’s data for ransom. A user’s or organization’s data is encrypted, preventing them from accessing their files, databases, or applications, and a ransom is then demanded in exchange for the means to decrypt it. Payments are typically made in cryptocurrency.
In practice, many ransomware attacks, WannaCry among them, are designed to infiltrate and spread across company networks, targeting databases and file servers, which lets them paralyze business operations within a short time. Some of the most devastating ransomware attacks of recent years were perpetrated by ransomware gangs: organized criminal operations that often draw on several cooperating cybercriminal groups (developers, affiliates, and access brokers).
Between June 2020 and June 2021, there was a 93% increase in ransomware attacks reported globally. Ransomware gangs are also becoming more daring in their ransom demands. Small and medium-sized businesses are far too often on the receiving end of these attacks and will need to reevaluate their cybersecurity positioning in response to this development.
For a ransomware attack to be successful, the attacker first needs to gain access. Upon gaining access and executing, here are some actions that ransomware typically takes.
Encryption of sensitive files
The most common action taken by ransomware is the encryption of sensitive files. This prevents the victim from accessing the files and, in many cases, the entire system. Sensitive files can include databases, source code, documents, pictures, and videos. Although the encryption technique varies from one ransomware family to another, a decryption key held by the attacker is needed to regain access to the encrypted files, which is precisely what the victim is asked to pay for.
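As an added illustration (not code from the original article), the following Python snippet shows one reason encryption of files is detectable regardless of the ransomware family involved: properly encrypted data is statistically close to random, so a file that was readable text a moment ago and is now near-maximum entropy has very likely been encrypted in place. The sample "files" are constructed inline; ciphertext is simulated with random bytes, since output from a sound cipher is indistinguishable from random data for this purpose. The suffix list and the thresholds are illustrative assumptions, not values taken from any real family.

```python
import math
import os
from collections import Counter

# Constructed sample data (assumption: not from any real incident). The
# "encrypted" version is simulated with random bytes, which is what the output
# of a sound cipher looks like to an entropy measure.
PLAINTEXT_DOC = (b"Quarterly report: revenue grew 12% year over year. "
                 b"See attached spreadsheet for the regional breakdown.\n") * 40
SIMULATED_CIPHERTEXT = os.urandom(len(PLAINTEXT_DOC))

# Hypothetical placeholder suffixes; real families use their own.
SUSPICIOUS_SUFFIXES = (".encrypted", ".locked", ".crypt")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(before: bytes, after: bytes, new_name: str,
                    threshold: float = 7.5, jump: float = 2.0) -> bool:
    """Heuristic used by many EDR products: flag a write that turns a
    low-entropy file into near-random bytes, or that renames it to a
    ransom-note style suffix.

    The 'jump' requirement avoids flagging files that were already high
    entropy (compressed archives, JPEGs, existing encrypted containers)."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    entropy_signal = e_after >= threshold and (e_after - e_before) >= jump
    rename_signal = new_name.lower().endswith(SUSPICIOUS_SUFFIXES)
    return entropy_signal or rename_signal


if __name__ == "__main__":
    print(f"plaintext entropy : {shannon_entropy(PLAINTEXT_DOC):.2f} bits/byte")
    print(f"ciphertext entropy: {shannon_entropy(SIMULATED_CIPHERTEXT):.2f} bits/byte")
    print("flagged:", looks_encrypted(PLAINTEXT_DOC, SIMULATED_CIPHERTEXT,
                                      "report.docx.locked"))
```

Wired into a file-system watcher, a check like this fires on the first handful of files rather than after an entire share has been encrypted; the entropy delta matters because a backup job or an archiver writing legitimately high-entropy data would otherwise trip the detector.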
Data exfiltration
In some cases, the operators also exfiltrate your data. Where a gang uses the double extortion technique, the attacker copies data out of your environment before encrypting it. For victims, this can mean intellectual property theft and regulatory exposure on top of the outage itself.
Spread across the network
Some ransomware can also spread across networks on its own once executed. The WannaCry ransomware of 2017, for instance, spread to around 230,000 computers in over 150 countries. It did so by exploiting a vulnerability in Windows’ SMBv1 implementation (MS17-010, the flaw targeted by the EternalBlue exploit), which let it move between unpatched machines with no user interaction at all.
To launch a ransomware attack, the attacker must first find an entry point into the victim’s environment. Understanding the initial access vectors most used by attackers helps businesses decide where prevention and mitigation effort should go.
Phishing
Like ransomware, phishing attacks have been rising in recent years, and it is no surprise: phishing emails are currently the most used vehicle for delivering ransomware. Attackers use carefully crafted emails to lure victims into running a malicious attachment or link, or into disclosing credentials that give the attacker access directly.
While basic phishing attempts can be spotted and stopped, more sophisticated ones are harder to detect. This threat landscape changes constantly, and businesses must respond appropriately to reduce the likelihood of a successful attack. Fortunately, phishing education, especially through simulations, has a good track record of helping businesses limit or prevent attacks. This is especially valuable for small and medium businesses that may not have the budget for a full IT security function or sophisticated anti-phishing technology.
Initial Access Brokers
More sophisticated ransomware operators now rely on initial access brokers to acquire access to vulnerable company systems. Initial access brokers offer access as a service: they obtain a foothold in business systems (through stolen credentials, exposed remote access services, or unpatched internet-facing software) and sell it on to ransomware operators.
They provide ransomware gangs with a large pool of victims to compromise. You can think of an initial access broker as a middleman who finds a way into vulnerable organizations and sells it to the highest bidder, a trade that typically takes place on dark web forums.
What is a Double Extortion ransomware attack?
Double extortion is a rising trend in which, in addition to encrypting your sensitive files, the attacker also threatens to publish your data if you refuse to pay. In the past, ransomware attacks typically involved encrypting files and deleting them when victims failed to pay. As more companies invested in backup solutions, however, encryption alone lost its leverage, and cybercriminals evolved.
In a double extortion attack, the malicious actors first exfiltrate data, then threaten to release it publicly, or blackmail the business with it, if the ransom demand is refused. Ransomware gangs have also been known to contact victims’ clients and partners to add pressure to pay.
For instance, the REvil gang attacked Quanta, a supplier to Apple. To increase the pressure on Quanta to pay, REvil leaked schematics for some Apple products and contacted Apple directly, demanding a $50 million ransom.
What are the main ransomware gangs currently operating?
Here are the top 5 ransomware gangs in terms of recent activity and size.
REvil (aka Sodin or Sodinokibi)
REvil has been responsible for some of the most brazen ransomware attacks in recent times. Researchers at BlackFog, for instance, attribute roughly one in every thirteen ransomware attacks carried out in 2021 so far to this gang. From attacks on Apple’s supply chain and Acer to those on U.S. healthcare providers and IT managed service providers (MSPs), the REvil ransomware gang leaves devastation in its wake.
REvil is also reportedly responsible for the ransomware attack on Kaseya, an IT solutions provider for MSPs and companies. The attack leveraged a vulnerability in Kaseya’s VSA software to push ransomware through several MSPs to their customers, encrypting servers and workstations at over a thousand businesses worldwide; an estimated 800 to 1,500 small and medium-sized businesses were affected via their MSPs. REvil’s subsequent offer of a universal decryption key for $70 million is a strong indication of its responsibility.
This gang openly claims to have made $100 million in 2020 and hopes to make $1 billion. REvil is believed to operate out of Russia, which is likely why it almost never targets victims within the country: doing so would invite local law enforcement action.
Conti (Wizard Spider, the group also behind Ryuk)
Conti is the successor to the Ryuk ransomware, and both are attributed to the group tracked as Wizard Spider, so the two names are often used interchangeably. The group is known to have launched 235 attacks on US hospitals since 2018. According to a report from the Wall Street Journal, Ryuk collected around $100 million in ransom payments in 2020 alone. The gang uses disposable email addresses to communicate with its victims, and its communications are terse and impersonal. Recent victims include King of Prussia, Pa.-based Universal Health Services and the DCH Health System. Because there have been reports of the Conti gang targeting victims in Russia, the article’s source assessment is that they operate outside the country.
Darkside
Darkside is a relatively new ransomware gang, with most of its attacks taking place this year; even so, its attacks already account for 11.5% of all ransomware attacks this year. Darkside engages in a great deal of PR in an attempt to professionalize its operation, so it is not surprising that it runs a “customer service” desk to persuade victims that their systems and files will be restored once they pay.
CLOP (aka FANCYCAT)
The CLOP ransomware gang was the first to demand a $20 million ransom after an attack. The victim, German IT provider Software AG, ultimately refused to pay. In May 2021 alone, CLOP accounted for 11.5% of all ransomware attacks. Some alleged members of the gang were recently arrested in Kyiv following an international investigation, but the arrests have not stopped the gang from releasing victims’ data online.
Egregor
This ransomware gang is believed to have been founded by members of the now-defunct Maze gang, which is credited with pioneering the double extortion technique: the attacker locks down the victim’s systems and simultaneously threatens to publish the stolen data online. Although Egregor first emerged in September 2020, its malware accounted for 8.2% of attacks in May this year.
In Conclusion
As ransomware attacks continue to rise, it is critical to understand exactly what you are up against and how to protect your business. Ransomware gangs will keep finding ways to breach systems; the question is how prepared you are when they do.
Stay tuned for part 2 of this two-part dive into ransomware, where you will learn how to defend yourself from these attacks, and what you should do in case your company falls victim to one.