The ransomware attack: what it is and how it works

Published on:
May 19, 2022

Ransomware is malware used to deny organisations access to their own data and to demand a ransom for giving it back. Attackers can make a lot of money from this practice, and the consequences for a business range from the cost of the ransom to reputational damage. Ransomware is one of the most common types of malware, it continues to spread, and new variants are developed all the time.

What is a ransomware attack?

Ransomware is a type of malware that encrypts a victim's files, denying users or an organisation access to files, databases or applications on their systems. To regain access, a ransom must be paid. If it is not paid on time, the data may be lost for good or the demand may increase, and many operators also steal the data before encrypting it so they can threaten to publish it. Ransoms range from a few hundred dollars for individuals to millions for large organisations and are usually demanded in cryptocurrency. Paying gives you a chance of receiving a decryption key, but no guarantee: you can never be sure the attackers will keep their side of the deal.

Ransomware disrupts business continuity, generates high costs and damages sensitive data. Many large companies are affected, in every industry, including hospitals and public services; any consumer or business can be a target.

Most government agencies and cyber-security organisations advise against paying the ransom. Not paying reduces the incentive to keep running ransomware, and organisations that do pay are more likely to be hit again.

The history of ransomware

Encrypting ransomware

The first known ransomware was the "AIDS Trojan", written by Joseph Popp in 1989 and distributed on floppy disks labelled as AIDS information, hence the name. It hid files on the hard drive, encrypted their names and displayed a message claiming that a software licence had expired; the victim was then asked to pay for a "repair" tool. The attack had a major flaw: it relied exclusively on symmetric cryptography, so the decryption key was contained in the Trojan itself and could be extracted from it. There was no need to pay at all. Popp was declared unfit to stand trial and said he had intended to donate the proceeds to AIDS research.

The idea of using public-key cryptography for this type of attack was introduced by Adam L. Young and Moti Yung in 1996. They criticised the failed AIDS Trojan for relying solely on symmetric cryptography, built a proof-of-concept cryptovirus that used public-key cryptography, and called the attack "cryptoviral extortion".

Around 2006 encrypting ransomware became more prominent, using RSA with ever-increasing key sizes. Examples from this period include the Gpcode, TROJ.RANSOM.A, Krotten, Archiveus, Cryzip and MayArchive Trojans.

The rise of CryptoLocker

Encrypting ransomware came back to prominence in late 2013 with the emergence of CryptoLocker, which collected its ransoms in Bitcoin. In January 2015, ransomware attacks on individual websites through hacking were reported. Operators then began using a two-part payload: the user is tricked into running a small script that downloads and executes the actual ransomware. They used proxies connected to Tor hidden services to hide their location, and began offering their tooling as a service on the dark web.

Non-encrypting ransomware

In August 2010, Russian authorities arrested ten people connected to a ransomware Trojan known as WinLock. WinLock did not use encryption. Instead, it locked the operating system and displayed pornographic images, asking users to send a premium-rate text message to receive an unlock code. Another example of this type was a Trojan that mimicked the Windows product activation notice and told victims to call an international number; the call was routed through a rogue operator who kept it on hold, running up large long-distance charges. A further example was a Trojan based on the Stamp.EK exploit kit, distributed through sites hosted on project hosting services.

Exfiltration (Leakware/Doxware)

A variation on the typical ransomware infection is a cryptovirus attack described by Adam L. Young that threatens to publish stolen information rather than deny the victim access to it. The attacker exfiltrates the data first and then threatens to publish it unless a ransom is paid. This is called a leakware or doxware attack.

Mobile ransomware

As ransomware grew in popularity it began targeting mobile operating systems too. Mobile ransomware usually targets Android, because the platform allows apps to be installed from outside the official store, which makes it easier to get a malicious app onto the device. The payload typically shows a blocking message on top of every other application rather than encrypting anything. iOS devices have also been hit, not through malware but through compromised iCloud accounts: an attacker holding the victim's credentials can use the Find My iPhone remote-lock feature to lock the device and display a ransom message.

How does a ransomware attack work?

Encrypting ransomware relies on asymmetric (public-key) encryption for its key management. In practice most families use a hybrid scheme: each file is encrypted with a fast symmetric cipher such as AES under a freshly generated key, and that per-file key is then encrypted with the attackers' public key and stored alongside the file. The matching private key never leaves the attackers' server and is handed over (as a "decryptor") only after the ransom is paid, if at all. Because the private key is not present on the victim's machine, the files cannot be recovered locally, which is exactly the weakness of the early AIDS Trojan that modern ransomware avoids.

There are many ransomware variants and their implementation details differ, but they all share the same three core phases.
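The key-management scheme described above, as an added worked example in Go (this is illustrative code written for this page, not code from any ransomware family or from the original article). It uses only the standard library: a random AES-256-GCM key per file, wrapped with a 2048-bit RSA-OAEP public key. Everything stays in memory; the sample text, the structure and field names are assumptions made for the illustration. The point to notice is what does and does not exist on the victim's side: the envelope holds only the wrapped key, so a second key pair cannot unwrap it, whereas the AIDS Trojan's single symmetric key sat inside the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what would sit on the victim's disk next to an encrypted file:
// the ciphertext plus the per-file AES key, wrapped with the operator's RSA
// public key. Nothing in it lets the victim recover the plaintext locally.
// (Illustrative structure, not any real family's on-disk format.)
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(operatorPublicKey, fileKey)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM(fileKey, plaintext), tag appended
}

// GenerateOperatorKeys models the attacker's key pair. The private key stays
// on the operator's server; only the public key ships with the payload.
func GenerateOperatorKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// HybridEncrypt encrypts one buffer the way modern encrypting ransomware
// does: a fresh random AES-256 key per file, then that key wrapped with the
// public key. Contrast with the 1989 AIDS Trojan, whose single symmetric key
// was embedded in the program and could simply be extracted.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	env := &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}
	// Only the wrapped copy of the key survives; the plaintext key is discarded.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return env, nil
}

// HybridDecrypt is what becomes possible only with the operator's private
// key, i.e. the "decryptor" sold back after payment.
func HybridDecrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	operator, err := GenerateOperatorKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample content standing in for a document.
	env, err := HybridEncrypt(&operator.PublicKey, []byte("Q1 figures: revenue 1.2M, margin 31%"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))

	// A defender holding any other key pair cannot unwrap the file key.
	other, _ := GenerateOperatorKeys()
	if _, err := HybridDecrypt(other, env); err != nil {
		fmt.Println("without the operator's private key:", err)
	}
	pt, _ := HybridDecrypt(operator, env)
	fmt.Println("with the operator's private key:", string(pt))
}
```

The design choice worth dwelling on is the per-file key: even if a defender captured the process memory at one moment, only the key of the file being encrypted at that instant would be exposed, and the wrapped keys for everything already encrypted remain useless without the private key held on the operator's server.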

Step 1: Infection and Distribution Vectors.

Attackers spread ransomware in many different ways, from targeted intrusions to mass email spam. Every ransomware attack needs an initial access vector to get a foothold on an endpoint, and operators favour a few specific ones. Phishing email is the most common: the message carries a malicious attachment or a link to a site hosting a malicious download. If the recipient falls for it, the ransomware is downloaded and executed.

Another common vector is exposed remote-access services such as the Remote Desktop Protocol (RDP). An attacker who guesses or steals someone's credentials can log in, gain a foothold on the network and download and execute the ransomware directly.

Step 2: Data Encryption

Once the ransomware is running on a system, it searches for valuable files and encrypts them: Microsoft Word documents, databases, images and so on. Some variants also delete backup copies (including local shadow copies) to make recovery without the decryption key harder, and many spread further to other systems on the network before or while encrypting.

Step 3: Ransom

Finally, the victim is told to pay the ransom, usually in cryptocurrency, within a set time; otherwise the price rises or the files are lost for good. The demand usually appears as a ransom note on the desktop or in text files dropped into every encrypted folder.

How do you recognize a ransomware attack?

You may realise your mistake the moment you open an attachment that looked harmless, but many people never notice that their computer has been infected. At first, often nothing visible happens: you can still open your files and everything appears to work. Meanwhile the ransomware is encrypting files behind the scenes, and before you know it your files no longer open and a ransom note appears on screen.

Once the ransomware has run, it is almost always too late, so prevention matters: avoid suspicious and unsafe websites and be wary of emails with unexpected attachments. Telltale signs of a phishing email are a sender address that does not match the claimed organisation, poor spelling, a hyperlink to an unfamiliar website, a generic greeting, an artificial sense of urgency, or a request for personal information.

Obvious signs that a computer has been hit by ransomware:

  • Files that opened yesterday no longer open, or open as unreadable garbage.
  • File names are distorted or scrambled.
  • File extensions have changed, often to one unfamiliar extension across many files at once.
  • A ransom message is displayed on screen or dropped as a text file into folders.
  • The message demands payment in cryptocurrency within a deadline.
  • Antivirus raised no alert, because new variants are often not yet detected by signature-based scanners.
  • Other machines on the same network start showing the same symptoms, because the ransomware spreads across shares.
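Several of the signs in the list above can be checked automatically by an endpoint sensor. The following Go program is an added example written for this page, not part of the original article: it applies three of them (a burst of renames to one new extension, writes of high-entropy data, and ransom-note file names) to a constructed batch of file events. The event schema, the thresholds and the sample data are assumptions for the illustration, not the output of any real product.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math"
	"path/filepath"
	"strings"
)

// FileEvent is one write or rename seen by an endpoint sensor (an assumed
// schema for this example, not any real product's).
type FileEvent struct {
	Path    string // path after the operation
	OldPath string // previous path when Renamed is true
	Renamed bool
	Data    []byte // leading bytes written, if any
}

// Verdict summarises the indicators found in one batch of events.
type Verdict struct {
	NewExtensions     map[string]int // extension introduced by a rename -> count
	HighEntropyWrites int
	RansomNotes       int
	Suspicious        bool
}

// ShannonEntropy returns bits per byte: text and documents score well below
// 6, encrypted or compressed data approaches 8. Empty input yields 0.
func ShannonEntropy(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// LooksLikeRansomNote matches the small text files dropped into every folder,
// e.g. README_DECRYPT.txt or HOW_TO_RESTORE_FILES.html.
func LooksLikeRansomNote(path string) bool {
	name := strings.ToLower(filepath.Base(path))
	for _, hint := range []string{"readme", "decrypt", "restore", "recover", "how_to"} {
		if strings.Contains(name, hint) && (strings.HasSuffix(name, ".txt") || strings.HasSuffix(name, ".html")) {
			return true
		}
	}
	return false
}

// Analyze applies three signs: a burst of renames adding one new extension,
// writes of high-entropy data, and ransom-note file names. The thresholds
// (10 renames, entropy > 7.0 on writes of 256+ bytes, 3 notes) are assumptions.
func Analyze(events []FileEvent) Verdict {
	v := Verdict{NewExtensions: map[string]int{}}
	burst := 0
	for _, e := range events {
		if ext := filepath.Ext(e.Path); e.Renamed && ext != "" && ext != filepath.Ext(e.OldPath) {
			v.NewExtensions[ext]++
			if v.NewExtensions[ext] > burst {
				burst = v.NewExtensions[ext]
			}
		}
		if len(e.Data) >= 256 && ShannonEntropy(e.Data) > 7.0 {
			v.HighEntropyWrites++
		}
		if LooksLikeRansomNote(e.Path) {
			v.RansomNotes++
		}
	}
	v.Suspicious = (burst >= 10 && v.HighEntropyWrites >= 10) || v.RansomNotes >= 3
	return v
}

// constructedCiphertext yields deterministic high-entropy bytes standing in
// for encrypted content (a SHA-256 chain, no real encryption involved).
func constructedCiphertext(n int, seed string) []byte {
	out, block := make([]byte, 0, n+32), sha256.Sum256([]byte(seed))
	for len(out) < n {
		out = append(out, block[:]...)
		block = sha256.Sum256(block[:])
	}
	return out[:n]
}

// SampleAttack is constructed data: twelve documents renamed to .locked and
// overwritten with encrypted content, then ransom notes in three folders.
func SampleAttack() []FileEvent {
	var ev []FileEvent
	for i := 1; i <= 12; i++ {
		old := fmt.Sprintf("C:/Users/alice/Documents/report%d.docx", i)
		ev = append(ev, FileEvent{OldPath: old, Path: old + ".locked", Renamed: true, Data: constructedCiphertext(1024, old)})
	}
	for _, dir := range []string{"Documents", "Desktop", "Pictures"} {
		ev = append(ev, FileEvent{Path: "C:/Users/alice/" + dir + "/README_DECRYPT.txt", Data: []byte("Your files are encrypted. Pay 0.5 BTC within 72 hours.")})
	}
	return ev
}

func main() {
	fmt.Printf("%+v\n", Analyze(SampleAttack()))
}
```

Entropy alone is a weak signal (compressed archives and already-encrypted files score the same), which is why the verdict requires the rename burst and the high-entropy writes together, or the notes on their own.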

How does ransomware infect your computer?

Social engineering

Social engineering covers all the tricks attackers use to get you to download a malicious attachment or click a malicious link. The files look like normal documents: orders, receipts, invoices or messages, apparently sent by a company with a good reputation. Once you open the file, it is already too late; your computer is infected.

Malvertising

Attackers buy ad space on legitimate sites, from YouTube to well-known social networks, and use the ad to trick you into downloading ransomware with a single click. They will go to great lengths to get at your sensitive data.

Exploit kits

Exploit kits are ready-to-use exploit code neatly packaged in a tool. Anyone who buys one can use it to exploit known security holes in outdated software, typically browsers and their plug-ins, without writing an exploit themselves.

Drive-by downloads

There are malicious websites that take advantage of outdated browsers and apps. They download ransomware in the background when you surf to these innocent-looking websites.

Why are you more vulnerable to a ransomware attack?

Anyone can be the target of a ransomware infection. Ransomware families often exploit a particular vulnerability in a widely used piece of software to find victims. A patch or update would close that hole, but patching is not equally easy for everyone: many companies run custom software that may break after an update, which delays the patch. Meanwhile every device on the network that is connected to the Internet is at risk.

Some organisations also look more tempting to attackers than others: government agencies, medical institutions and law firms, for example, may be more likely to pay. Beyond that, there are many reasons an attacker may find you an easy target. Perhaps you:

  • hardly ever make backups
  • don't know much about Internet security or the dangers of a cyber attack
  • have no idea how to defend yourself against those dangers
  • don't want to spend money on cybersecurity solutions for your computer
  • believe that a standard antivirus alone will protect your computer
  • don't believe a cyber attack could happen to you

The impact of ransomware on businesses

Companies that fall victim to ransomware can lose anywhere from thousands to millions of dollars. They may also suffer side effects such as brand damage and lawsuits once the attackers publish the stolen data and the breach becomes public.

Why do ransomware attacks arise?

Or perhaps a better question: why is ransomware spreading? Ransomware attacks are evolving rapidly for several reasons. First, many more people are working from home, which widens the opening for phishing, and phishing email is a cheap and convenient way to deliver ransomware. Malware kits make it easier to build new variants, attackers write cross-platform ransomware and keep adopting new techniques. Above all, ransomware is spreading because it has become easy: even someone who knows nothing about ransomware can buy it as a service.

What is ransomware-as-a-service or RaaS?

RaaS is a business model that lets malware developers sell or rent out their creations without distributing them themselves. It makes money for them while keeping them further away from the attacks. The criminals who run the attacks pay the developers either a fee up front or a percentage of the ransoms they collect.

Why is it so difficult to find the perpetrators behind ransomware attacks?

Because ransoms are demanded in cryptocurrency such as Bitcoin, following the money trail is much harder than with bank transfers, and the operators launder the payments further to make tracing harder still. Cybercriminals also design their ransomware schemes to turn a profit as quickly as possible, and easily available platforms for building ransomware have accelerated the creation of newer and better variants that bypass simple, standard security solutions.

Types of ransomware

  1. Crypto malware or encryptors are a common type of ransomware and can cause a lot of damage. An encryptor installs itself quietly, waits for a suitable moment and then encrypts your files. You may also lose access to drives connected to your PC and to synced cloud storage such as OneDrive. WannaCry is an example of this type: it extorted more than $50,000 from victims and locked hospitals out of their patient data.
  2. Lockers infect your operating system and lock you out completely. You can no longer use the computer and lose access to all your apps and files. Every time you start the computer, a message tells you to pay the ransom to regain access.
  3. Scareware is fake software, often posing as antivirus software, that warns you something is wrong with your computer and demands money to fix it. Some variants lock your computer; others bombard you with irritating warnings and pop-ups.
  4. Doxware or leakware is ransomware that threatens to publish your stolen information online if you don't pay.
  5. RaaS (Ransomware-as-a-Service) is the model in which malware developers earn money through non-technical criminals: these affiliates buy or rent the ransomware, distribute and launch it, and pay the developers a percentage of the proceeds. For the developers this is less risky and less time-consuming than running the attacks themselves.

Ransomware variants 2020 - 2021

There are many ransomware variants that all work in different ways. However, there are a few notable ransomware variants that stand out.

Ryuk

Ryuk is a highly targeted ransomware variant, usually delivered via spear-phishing emails or through stolen Remote Desktop Protocol (RDP) credentials. It encrypts files that are not vital to the computer's operation, so that the machine still boots and can display the ransom demand. Ryuk is known as one of the most expensive ransomware families, with demands reaching about $1 million.

Maze

Maze is known as the first ransomware variant to combine data theft with file encryption: when its demands were not met, it published the stolen data or sold it to the highest bidder. The group behind Maze has ended its operations, but some of its affiliates moved on to other ransomware families.

REvil (Sodinokibi)

REvil, also known as Sodinokibi, is a ransomware family whose operators also target large organisations. It is one of the best-known families and is responsible for many large data breaches. REvil is also expensive, with demands sometimes reaching $800,000. The group uses double extortion: it demands a ransom to decrypt the data and threatens to release the stolen data if a second ransom is not paid.

Lockbit

LockBit started out as a standalone encryptor and has since evolved into a Ransomware-as-a-Service (RaaS) operation. It is designed to encrypt a large organisation's systems very quickly, before detection and response can kick in.

DearCry

DearCry exploits four vulnerabilities in on-premises Microsoft Exchange Server that were disclosed in March 2021, hitting servers that had not yet been patched. It encrypts certain file types and drops a ransom note instructing victims to email the operators, who reply with instructions on how to pay and decrypt their files.

New ransomware threats

Ransomware developers constantly invent new techniques to avoid detection, and companies must keep up with them to stay a step ahead. Examples are DLL side-loading and malicious services that mimic legitimate ones. Attackers also target web servers directly. Spear-phishing remains a method to watch: the attacker first performs reconnaissance on specific people who hold privileged network access and then crafts a message for them.

How to protect yourself from a ransomware attack

Preventing ransomware usually comes down to backups and security controls. There are a number of steps you can take to reduce both the likelihood and the impact of an attack; the best practices below reduce your exposure.

Use best practices

Continuous data backups

Paying the ransom is not the only way to get your data back. Regular, automated backups let you recover from a ransomware attack, and they also protect against corruption and disk hardware failures. With a copy in the cloud and on an external drive, you can wipe the computer and restore your files. Two caveats: a backup that stays connected (a permanently attached external drive or a synced cloud folder) will be encrypted along with everything else, so keep at least one copy offline or immutable and test the restore regularly. And make sure backups cannot be modified or deleted by the accounts that write them, since ransomware deliberately goes after backups first.

Patching

Another important best practice is patching. Cybercriminals look at the vulnerabilities that patches fix and target systems that have not yet applied them, so update and patch your systems as soon as possible.

Protecting your email from phishing and spam

Email phishing and spam are the most common ways ransomware is spread. A Secure Email Gateway with targeted-attack protection can detect and block malicious emails before they reach users. Without such a tool, always look at the sender of an email and at the other signs of phishing: poor spelling, a suspicious hyperlink to an unknown web page, an unsolicited attachment, and a sender that creates a sense of urgency. Check that the address behind a link matches the text it shows, and that the reply address matches the sender.
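The phishing checks listed here and in the section on recognising an attack, as an added example in Go (written for this page, not code from the original article or from any email gateway product). It parses two constructed messages with the standard net/mail package and scores four cues: a Reply-To domain differing from the From domain, link text that shows a different host than the link target, urgency wording, and a generic greeting. The sample addresses, the reserved .example domains, the "corp-secure" lookalike and the three-cue threshold are all invented for the illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Report lists the phishing cues found in one message. Three or more cues
// mark it suspicious (an assumed threshold, tune to your own mail flow).
type Report struct {
	Findings   []string
	Suspicious bool
}

func (r *Report) add(f string) { r.Findings = append(r.Findings, f) }

var (
	linkRe      = regexp.MustCompile(`(?is)<a\s+href="([^"]+)"[^>]*>(.*?)</a>`)
	urgencyCues = []string{"urgent", "immediately", "within 24 hours", "will be suspended", "act now"}
	genericHi   = []string{"dear customer", "dear user", "dear sir", "dear madam", "dear valued"}
)

// domainOf extracts the lower-cased domain from an address header value.
func domainOf(header string) string {
	a, err := mail.ParseAddress(header)
	if err != nil {
		return ""
	}
	if at := strings.LastIndex(a.Address, "@"); at >= 0 {
		return strings.ToLower(a.Address[at+1:])
	}
	return ""
}

// hostOf returns the host of text that parses as an absolute URL, else "".
func hostOf(s string) string {
	u, err := url.Parse(strings.TrimSpace(s))
	if err != nil || u.Host == "" {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// Assess parses a raw RFC 5322 message and applies the four cues.
func Assess(raw string) (Report, error) {
	var r Report
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return r, err
	}
	bodyBytes, err := io.ReadAll(msg.Body)
	if err != nil {
		return r, err
	}
	body := string(bodyBytes)

	from := domainOf(msg.Header.Get("From"))
	if rt := msg.Header.Get("Reply-To"); rt != "" && domainOf(rt) != from {
		r.add("Reply-To domain " + domainOf(rt) + " differs from From domain " + from)
	}
	for _, m := range linkRe.FindAllStringSubmatch(body, -1) {
		if shown, target := hostOf(m[2]), hostOf(m[1]); shown != "" && shown != target {
			r.add(fmt.Sprintf("link shows %s but points to %s", shown, target))
		}
	}
	lower := strings.ToLower(msg.Header.Get("Subject") + "\n" + body)
	for _, cue := range urgencyCues {
		if strings.Contains(lower, cue) {
			r.add("urgency wording: " + cue)
			break
		}
	}
	for _, g := range genericHi {
		if strings.Contains(lower, g) {
			r.add("generic greeting: " + g)
			break
		}
	}
	r.Suspicious = len(r.Findings) >= 3
	return r, nil
}

// Two constructed messages (not real mail).
const phishySample = `From: "Corp Billing" <billing@corp-secure.example>
Reply-To: collections@mailbox-drop.example
To: tom@yourcompany.example
Subject: URGENT: overdue invoice

Dear customer,

Your account will be suspended within 24 hours. Please verify your details at
<a href="http://login.corp-secure.example/verify">https://www.corp.example/billing</a>
`

const benignSample = `From: "Anna Peeters" <anna.peeters@corp.example>
To: tom@yourcompany.example
Subject: Notes from Tuesday's meeting

Hi Tom,

Here are the notes we discussed, no rush:
<a href="https://www.corp.example/docs/notes">https://www.corp.example/docs/notes</a>
`

func main() {
	for _, raw := range []string{phishySample, benignSample} {
		r, err := Assess(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("suspicious=%v findings=%v\n", r.Suspicious, r.Findings)
	}
}
```

The link check is the one users most often miss: the visible text is a perfectly good URL, and only the href reveals the lookalike domain. A real gateway would add sender authentication results (SPF, DKIM, DMARC) to these content cues.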

Cyber Awareness training and education

Ransomware is often spread because people are unaware of the dangers. Employees are often tricked by phishing emails or social engineering. Learning how to identify and prevent ransomware attacks is critical. It is also important to stay abreast of the latest ransomware threats.

User Authentication

Attackers like to come in through the Remote Desktop Protocol (RDP) with guessed or stolen passwords, so strong user authentication matters. Use long, unique passwords and multi-factor authentication, and do not expose RDP directly to the Internet; put it behind a VPN or a gateway. This makes it much harder for attackers to guess or reuse credentials.

Protect your mobile devices with mobile threat defence products

Combined with Mobile Device Management (MDM) tools, a mobile threat defence product can analyse the applications installed on phones and tablets and block those that could compromise the environment.

Defend your Internet traffic against ransomware

Use secure web gateways to scan Internet traffic and block harmful web ads. Be careful what you click on and don't install software from untrusted sources. Other tips for browsing safely include avoiding public Wi-Fi networks and considering a VPN.

Monitoring

Monitor your server and network with monitoring tools to detect unusual activity.

Install antivirus software and implement anti-ransomware solutions

Install antivirus software to detect known malicious programs, and application allow-listing (whitelisting) software to stop unauthorised applications from running at all. On top of that, dedicated anti-ransomware solutions watch for the behaviour of an attack in progress rather than only known signatures.

Why it's best not to pay the ransom

After your files are encrypted, a ransom note is displayed on screen stating the amount to be paid, usually with a deadline, and often with the threat of making the data breach public. Most experts advise against paying: you can never be sure you will receive a working key, and companies that pay are more likely to be attacked again.

How to remove ransomware

No one wants to see a ransom note on their computer. If you suspect you have been infected by ransomware, it is important to get to work quickly. There are still several steps you can take to minimize the damage.

Isolate the infected device and stop the spread

Disconnect the affected device from the network, the Internet and other devices as soon as possible to stop the infection spreading, and also shut down wireless connections (Wi-Fi, Bluetooth and so on). Where possible, disconnect rather than power off, so that evidence in memory is preserved for the investigation. Then look for other devices that may be infected and isolate them too; any device on the network can be a threat, wherever it is located.

Assess damage and find patient zero

Determine which devices are infected by checking their files: recently encrypted files have strange file extensions and file names, and you cannot open them. A device that is only partially encrypted should be isolated and shut down from the network immediately to limit further damage. Make a list of all infected devices and systems. To find patient zero, look for the device on which encryption started earliest, not simply the one with the most encrypted files: a file server often has the highest count because it was encrypted over a share from a workstation. Your antivirus and monitoring platforms' alerts help to pin down the timeline. Since most ransomware arrives by email, it is also worth asking employees what they opened.
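Finding patient zero from a file-audit log, as an added example in Go (written for this page, not part of the original article). The log format (pipe-separated timestamp, host, action, path, new path) and the sample lines are constructed for the illustration; real EDR or file-server audit logs need their own parser. The program ranks hosts by the first time an encrypted rename was seen and also reports how many files each host touched: in the sample, the file server tops the count because it was encrypted over a share, while the workstation that started earliest is the actual patient zero.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Record is one line of a file-audit log in the constructed format
// "RFC3339 time|host|action|path|new path" (new path only for renames).
type Record struct {
	Time    time.Time
	Host    string
	Action  string
	Path    string
	NewPath string
}

// HostSummary is what the triage produces per host.
type HostSummary struct {
	Host             string
	FilesTouched     int       // every open/write/rename seen for the host
	EncryptedRenames int       // renames that added the ransomware extension
	FirstEncryption  time.Time // earliest such rename, the key ordering field
}

// ParseLine converts one log line into a Record, rejecting malformed input.
func ParseLine(line string) (Record, error) {
	f := strings.Split(line, "|")
	if len(f) < 4 {
		return Record{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Record{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	r := Record{Time: ts, Host: f[1], Action: f[2], Path: f[3]}
	if len(f) > 4 {
		r.NewPath = f[4]
	}
	return r, nil
}

// Triage parses the log and returns the hosts on which files were renamed to
// the given extension, ordered by when that first happened (earliest first).
func Triage(lines []string, ext string) ([]HostSummary, error) {
	byHost := map[string]*HostSummary{}
	for _, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		rec, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		h, ok := byHost[rec.Host]
		if !ok {
			h = &HostSummary{Host: rec.Host}
			byHost[rec.Host] = h
		}
		h.FilesTouched++
		if rec.Action == "rename" && strings.HasSuffix(strings.ToLower(rec.NewPath), ext) {
			if h.EncryptedRenames == 0 || rec.Time.Before(h.FirstEncryption) {
				h.FirstEncryption = rec.Time
			}
			h.EncryptedRenames++
		}
	}
	var out []HostSummary
	for _, h := range byHost {
		if h.EncryptedRenames > 0 {
			out = append(out, *h)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if !out[i].FirstEncryption.Equal(out[j].FirstEncryption) {
			return out[i].FirstEncryption.Before(out[j].FirstEncryption)
		}
		return out[i].EncryptedRenames > out[j].EncryptedRenames
	})
	return out, nil
}

// SampleLog is constructed: a workstation opens a macro document and starts
// encrypting, a file server is hit minutes later over a share, a second
// workstation later still, and one host only ever opens its own files.
var SampleLog = []string{
	"2022-05-10T09:01:12Z|WS-17|open|C:/Users/alice/Downloads/invoice_2291.docm",
	"2022-05-10T09:01:40Z|WS-17|rename|C:/Users/alice/Documents/q1.docx|C:/Users/alice/Documents/q1.docx.locked",
	"2022-05-10T09:01:41Z|WS-17|rename|C:/Users/alice/Documents/q2.xlsx|C:/Users/alice/Documents/q2.xlsx.locked",
	"2022-05-10T09:01:45Z|WS-17|write|C:/Users/alice/Documents/README_DECRYPT.txt",
	"2022-05-10T09:05:03Z|FS-01|rename|D:/Shares/finance/budget.xlsx|D:/Shares/finance/budget.xlsx.locked",
	"2022-05-10T09:05:03Z|FS-01|rename|D:/Shares/finance/payroll.xlsx|D:/Shares/finance/payroll.xlsx.locked",
	"2022-05-10T09:05:04Z|FS-01|rename|D:/Shares/hr/contracts.pdf|D:/Shares/hr/contracts.pdf.locked",
	"2022-05-10T09:05:04Z|FS-01|rename|D:/Shares/hr/handbook.docx|D:/Shares/hr/handbook.docx.locked",
	"2022-05-10T09:20:17Z|WS-22|rename|C:/Users/bob/Desktop/notes.txt|C:/Users/bob/Desktop/notes.txt.locked",
	"2022-05-10T09:30:00Z|WS-09|open|C:/Users/carol/Documents/plan.docx",
}

func main() {
	hosts, err := Triage(SampleLog, ".locked")
	if err != nil {
		panic(err)
	}
	for i, h := range hosts {
		fmt.Printf("%d. %s first encryption %s, %d encrypted renames, %d files touched\n",
			i+1, h.Host, h.FirstEncryption.Format(time.RFC3339), h.EncryptedRenames, h.FilesTouched)
	}
}
```

Clock skew between hosts is the usual trap with this approach: if the file server's clock runs a few minutes slow it will appear to have been hit first, so normalise timestamps (or check NTP state) before trusting the ordering.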

Identify the ransomware and report the attack to authorities

First, find out which ransomware variant you are dealing with. Several online services analyse an encrypted file or the ransom note for this purpose, and searching for the email address in the ransom note often identifies the family as well. Once you know the variant, warn everyone involved and tell them what the signs of this infection look like. Bring in incident response or computer forensics experts to help handle the attack, and above all report the attack to law enforcement. You must also comply with your data-protection laws: in the EU, the GDPR requires a personal-data breach to be reported to the supervisory authority within 72 hours, and failing to do so can mean heavy fines.

Evaluate your backups and examine your decryption options

Ideally, you have backups. Then you can clean the system with an antivirus or antimalware solution, or better still rebuild it, and restore your files. If you cannot use a backup, there may still be a chance of getting your data back: researchers occasionally publish free decryptors for variants whose keys have leaked or whose cryptography was flawed, so check for one for your variant. If you have exhausted every option, it may be time to accept the loss.
