What is the type of virus that locks a target system until a ransom is paid?

This article aims to give you a comprehensive understanding of what a ransomware attack is and best practices for preventing a ransomware attack.

Vijay Kanade, AI Researcher

Last Updated: September 26, 2022



A ransomware attack is defined as a form of malware attack in which an attacker seizes the user’s data, folders, or entire device until a ‘ransom’ fee is paid. This article aims to give a comprehensive understanding of what a ransomware attack is, its types, its encryption techniques, and best practices for preventing and protecting against a ransomware attack.


What Is a Ransomware Attack?

A ransomware attack is a form of malware attack in which an attacker seizes the user’s data, folders, or entire device until a ‘ransom’ fee is paid. Ransomware attacks exploit open security vulnerabilities, infecting a PC or a network through phishing or malicious websites. A ransomware attack compromises a user’s computer either by locking the user out of the system or by encrypting the files on it, and then demands a payment (usually in Bitcoin) to restore the system or files.

This form of attack takes advantage of networks and their users and exploits software vulnerabilities to infect and hijack the victim’s device. The victim’s device may be a computer, a smartphone, a wearable device, a point-of-sale (POS) electronic unit, or any other endpoint terminal.

A ransomware attack can target an individual, an organization, or a network of organizations and business processes. The attacker can spread malware to a network of computers using various distribution techniques: attachments or links in phishing emails, infected websites (drive-by downloads), infected USB sticks, pop-ups, social media, malvertising, infected programs, traffic distribution systems (TDS), self-propagation, etc. According to the Vectra 2019 Spotlight Report, recent ransomware attacks have targeted cloud, data center, and enterprise infrastructures.

How Does a Ransomware Attack Work?

Ransomware attacks usually begin with a conventional phishing email that serves as the pathway for the infected file to reach the victim’s machine. In most cases, the infection arrives as a downloadable PDF, DOC, or XLS file.

Once the victim’s device is exposed to the malicious code residing in the infected file, the ransomware takes control of the device or the system. Ransomware may remain dormant on the device until the user triggers it. Once triggered, the ransomware runs its course and attacks files, folders, or the entire computer, depending on its configuration.


The generalized stages of a ransomware attack are described below:

1. Infect

Ransomware is secretly downloaded and installed on the device. Once the infected file is opened, malicious code is installed on the system. Installation is independent of activation: the attack can be staged in advance and triggered later.

2. Execution of malicious code

Here, the ransomware scans for and maps the target file types, determining their locations on the local device or on network-accessible systems where the malicious code can run.

3. Cryptographic encryption

Activation centers on encryption. The ransomware performs a key exchange with its command-and-control (C2) server and uses the resulting encryption key to encrypt the files identified during the execution step, locking the victim out of the data.

Upon activation, the encryption process is initiated. Individual files, folders on a standalone system, a network of computers in an organization, or even cloud storage can be encrypted. From this point, the user loses administrative control and no longer has access to certain files or to the entire computing device; the attacker now controls the system.

4. User notification

After encryption, a notification is displayed on the victim’s screen. Through this notification the attacker demands a ransom to remove the ransomware, and then waits for the victim to pay. The attacker may pressure the victim by attaching a deadline to the payment. If the victim fails to meet the deadline, the attacker may start corrupting, locking, or deleting the target files through the ransomware, or may increase the demanded price.

In short, at this stage, the ransomware adds instruction files detailing the pay-for-decryption process and then uses those files to display a ransom note to the user.


5. Delete operation

In this stage, the ransomware generally terminates and deletes its own footprint. However, the payment instruction files that disclose the pay-for-decryption information are retained.

6. Ransom payment

At this stage, the victim clicks on one of the payment instruction files and is directed to a web page with instructions for making the payment. Such communications are usually hidden behind Tor services to evade detection by the network’s traffic monitoring.

7. Cryptographic decryption

On full payment of the ransom, the victim may receive the decryption key for unlocking the files or the entire system. The victim remains exposed, however, as there is no guarantee that the key will be delivered after payment. In some instances, the attacker claims to be a law enforcement agency and locks the victim’s system on the pretext of having found pirated software or pornography. The criminal then demands the payment of a ‘monetary fine’, which makes the victim less likely to report the incident to the relevant authorities.

Leakware or doxware is another variant in which the attacker threatens to publicly disclose the victim’s sensitive data unless paid.


Ransomware Encryption Techniques

The ransomware families that affected the most countries in 2017, including WannaCry, Petya, NotPetya, and Locky, were observed to use a hybrid encryption technique combining the AES and RSA algorithms. Encryption techniques can be broadly classified into symmetric and asymmetric techniques. Here are some encryption methods commonly used by modern ransomware.

Figure: Symmetric and Asymmetric Encryption (Source: WeLiveSecurity)

1. Symmetric encryption ransomware

The Advanced Encryption Standard (AES) is the symmetric algorithm ransomware uses for encryption. The ransomware encrypts user files with AES and stores the keys on the disk. Once the user pays the ransom, the decryptor reads these keys from the disk and decrypts the target files.

2. Client asymmetric encryption

In this approach, an asymmetric algorithm, Rivest–Shamir–Adleman (RSA), performs the encryption and decryption. The ransomware generates an RSA key pair on the victim’s machine, encrypts the target files with the public key, and sends the private key to the attacker’s server. For the victim’s computer to recover its files, it must therefore be connected to the internet and to the server where the private key is stored. On payment of the ransom, the private key may be released to the victim to decrypt the infected files.

3. Server asymmetric encryption

In this approach, the server generates the key pair, and the public key may be hardcoded into the ransomware. The victim’s files are encrypted with the server’s public key, so the victim can recover them only by using the server’s private key.

4. Server and client asymmetric encryption + symmetric encryption

This is a hybrid approach in which both the ransomware and the server generate their own RSA key pairs and use their respective keys for encryption and decryption. Modern ransomware adopts such hybrid schemes, which do not require an internet connection during encryption; connectivity is needed only during decryption.


Ransomware Statistics

We’re all well aware that ransomware attacks are on the rise. In 2017, the monetary losses that ransomware inflicted on global enterprises, counting ransoms paid and recovery costs, amounted to about $5 billion, 15 times the 2015 figure. In Q1 of 2018, SamSam ransomware alone collected about $1 million in ransom.

Hospitals, healthcare organizations, and medical institutions were found to be the most targeted sector, since attackers know that such organizations, with lives in the balance, are more likely to pay the ransom. By some estimates, 45 percent of ransomware attacks target healthcare organizations, and 85 percent of malware infections at healthcare organizations are ransomware. In the financial services sector, an estimated 90 percent of financial institutions were targeted by a ransomware attack in 2017. According to Coveware, the average ransom demand rose to $84,116 in Q4 of 2019 compared with Q4 of 2018. The highest ransom payment reported by the company was about $780,000, paid by a large enterprise.

Here are some of the top ransomware stats relating to costs:

  1. According to a 2020 market report by Marketsandmarkets, the global cybersecurity market is expected to grow from $183.2 billion in 2019 to $230 billion by 2021.
  2. As per a 2019 Emsisoft report, the cost of ransomware attacks surpasses $7.5 billion in 2019.
  3. According to a 2020 report from Coveware, the average cost of ransomware attacks in the fourth quarter of 2019 reflected a staggering 104% increase from $41,198 in Q4 2018.


Types of Ransomware

Categorically, there are two types of ransomware attacks — crypto ransomware and locker ransomware. Let’s look at both in detail. 

Figure: Types of Ransomware

Crypto ransomware

Crypto ransomware encrypts files on a computer so that the user loses access to essential files. Attackers thus make money by demanding that victims pay a ransom in return for the encrypted files.

Let’s look at some examples of crypto ransomware attack types that heavily impacted businesses and markets.

1. BadRabbit ransomware

This crypto ransomware first emerged in 2017 and spread across media companies in Eastern Europe and Asia.

In Bad Rabbit attacks, cybercriminals carry out ‘drive-by attacks’ by compromising vulnerable, insecure websites. According to Kaspersky Lab’s analysis, when the target visits such a legitimate-looking website, a malware download starts from the threat actor’s infrastructure.

The malware is disguised as an Adobe Flash installer. When the legitimate-looking file is opened, the malware takes control and starts locking the device. The fake Flash download is served through JavaScript injected into the HTML or script files of the compromised websites. On such websites, the malware is not installed automatically; it needs a user action, such as a click on the malicious file.

Given how many Flash updates users are accustomed to installing, it is quite likely that a user clicks the suspicious installer, after which the computer is locked. A ransom note demanding a certain amount in Bitcoin appears on the screen along with a payment deadline, and the user is locked out of the computer until the ransom is paid.


2. Cerber ransomware

Cerber is ransomware-as-a-service (RaaS) that first appeared in July 2016 and caused about $200,000 in damage. This crypto ransomware exploited a vulnerability in Microsoft software to infect and target networks.

Cerber ransomware interacts directly with its victims. Victims are induced to download Cerber in two ways: through a double-zipped archive containing a Windows Script File (WSF) attached to the malicious email, or through an ‘unsubscribe’ link at the bottom of the phishing email that leads to the same ZIP file.

Cerber first checks the victim’s geographic location. If the victim’s computer is located in Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, or Uzbekistan, Cerber terminates itself and does not encrypt the computer. If the computer is located in any other country, Cerber installs itself under the name of a Windows executable.

When the victim logs into Windows, Cerber starts automatically. It runs as a screensaver when the computer is idle and is triggered at least once every minute; such intermittent execution may produce a false system alert. When the system is restarted, the computer reboots into Safe Mode with Networking; as the victim logs in, the system shuts down again and reboots back into normal mode. Once booted in normal mode, the ransomware begins encrypting with AES-256 and RSA. It scans for any unmapped Windows shares and encrypts 442 different file types found there.

Cerber then drops three files of different types, each named “# DECRYPT MY FILES #”, on the victim’s desktop. These files contain instructions for the ransom payment. One of the three is a Visual Basic Script that converts text into an audio message explaining what happened to the locked files. The Cerber ransom currently amounts to 1.24 bitcoins, or around $500.


3. Cryptolocker ransomware

CryptoLocker ransomware infects computers via email, file-sharing websites, and unprotected file downloads. It was first seen in 2013 and affected more than 500,000 computers.

This crypto ransomware has a significant impact on data-driven organizations. On execution, it encrypts files on the desktop and on network shares and holds them for ransom, prompting any user who tries to access a file to pay a fee to decrypt it.

CryptoLocker can enter a protected network via vectors such as email, file-sharing sites, or downloads. On execution, it scans the mapped network drives that the host is connected to for folders and documents of the affected file types, then renames and encrypts those files it has permission to modify, as determined by the credentials of the user who executed the code.

CryptoLocker uses a 2048-bit RSA key to encrypt files and renames them by appending an extension such as .encrypted, .cryptolocker, or .[7 random characters], depending on the variant. Finally, the malware creates a file in each affected directory linking to a web page with decryption instructions that require the user to make a ransom payment (e.g., via Bitcoin). The instruction files are typically named DECRYPT_INSTRUCTION.txt or DECRYPT_INSTRUCTIONS.html.

In the recent past, new variants of CryptoLocker have successfully eluded the antivirus and firewall barriers meant to block such threats.
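The Cerber and CryptoLocker sections above name the artifacts such infections leave behind: ransom-note files (“# DECRYPT MY FILES #”, DECRYPT_INSTRUCTION.txt, DECRYPT_INSTRUCTIONS.html) and renamed extensions (.encrypted, .cryptolocker), alongside files whose contents have become random-looking. The scanner below is an added example written for this article, not code from the article or from any vendor; the note names and extensions come from the text, while the entropy threshold, the list of legitimately high-entropy formats, and the sample files it builds in a temporary directory are constructed assumptions.

```python
"""Scan a directory tree for crypto-ransomware artifacts of the kind described
above: ransom-note names (Cerber's "# DECRYPT MY FILES #", CryptoLocker's
DECRYPT_INSTRUCTION.txt / DECRYPT_INSTRUCTIONS.html), renamed extensions
(.encrypted, .cryptolocker) and file contents with near-maximal byte entropy.
Added example, not the article's code: the note names and extensions come from
the text; the entropy threshold and the compressed-format list are assumptions."""
import math
import os
import tempfile
from pathlib import Path

NOTE_STEMS = {"# decrypt my files #", "decrypt_instruction", "decrypt_instructions"}
SUSPECT_EXTS = {".encrypted", ".cryptolocker"}
# Assumed: formats that are legitimately high-entropy and must not be flagged on entropy alone.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp3", ".mkv", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off (random/encrypted data is close to 8.0)
MIN_SIZE = 256            # entropy estimates on tiny files are too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(path: Path, data: bytes) -> list:
    """Reasons (possibly none) why a file looks like a ransomware artifact."""
    reasons = []
    suffix = path.suffix.lower()
    if path.stem.lower() in NOTE_STEMS:
        reasons.append("ransom-note filename")
    if suffix in SUSPECT_EXTS:
        reasons.append(f"suspect extension {suffix}")
    if (len(data) >= MIN_SIZE and suffix not in COMPRESSED_EXTS
            and shannon_entropy(data) >= ENTROPY_THRESHOLD):
        reasons.append("high entropy (possibly encrypted)")
    return reasons


def scan_tree(root) -> dict:
    """Walk root; map each suspicious file (path relative to root) to its reasons."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                data = p.read_bytes()
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            reasons = classify(p, data)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree() -> Path:
    """Constructed sample tree (no real malware): two clean files, four that should be flagged."""
    root = Path(tempfile.mkdtemp(prefix="rw-scan-"))
    (root / "notes.txt").write_text("quarterly numbers\n" * 200)          # clean: low entropy
    (root / "photo.jpg").write_bytes(os.urandom(4096))                    # clean: high entropy, compressed format
    (root / "report.docx.encrypted").write_bytes(os.urandom(4096))        # renamed and random-looking
    (root / "blob.dat").write_bytes(os.urandom(4096))                     # random-looking, unknown format
    (root / "DECRYPT_INSTRUCTION.txt").write_text("note stub")            # CryptoLocker-style note name
    (root / "shares").mkdir()
    (root / "shares" / "# DECRYPT MY FILES #.vbs").write_text("' stub")  # Cerber-style note name
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(why)}")
```

Point `scan_tree` at a real share or user profile to triage it; the entropy signal alone is only a hint, which is why compressed media formats are excluded and the filename signals are reported separately.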


4. GandCrab ransomware

GandCrab, first seen in 2018, runs extortion attacks by encrypting files on the victim’s machine and demanding a ransom to restore access to the data. It explicitly targets consumers and businesses whose devices (i.e., PCs) run Microsoft Windows.

The malware does not infect machines in certain countries such as Russia or the former Soviet Union. This, in itself, is an indicator that the creator or creators of the ransomware are based in the region. Apart from this, very little is known about the GandCrab crew.

GandCrab uses an affiliate business model, also known as ransomware-as-a-service (RaaS), in which affiliate cybercriminals find new victims while the authors are free to improve and enhance their creation.

Legitimate businesses such as Amazon use affiliate models routinely. Consider a review article on electronic gadgets — smartphones, laptops, smartwatches, etc. The article provides a unique link for each gadget that directs readers to Amazon to buy the featured item, and in exchange for sending the buyer to Amazon, the reviewer gets a percentage of the purchase price.

With GandCrab, the authors hand their technology to other enterprising cybercriminals (the affiliates). From then on, it is up to the affiliates to decide how they will find new customers (i.e., victims). Any ransom paid is generally split between the affiliate and the GandCrab crew 60/40, or 70/30 for certain affiliates.

Affiliate models let cybercriminals with limited skills run ransomware operations. With amateur criminals handling the work of identifying and infecting machines, GandCrab’s authors can focus on revising their software, adding new features, and enhancing its encryption. Currently, there are five different versions of GandCrab.

In a GandCrab attack, ransom notes are placed prominently on the victim’s computer, and the victim is directed to a website on the dark web. The cryptocurrency used for GandCrab payments is Dash, which cybercriminals favor for its privacy features.

Ransom demands are usually set by the affiliate and fall between $600 and $600,000. Upon payment, victims can immediately download the GandCrab decryptor and restore access to their files. If victims have trouble paying the ransom or downloading the decryptor, GandCrab even provides 24/7 “free” online chat support.


5. Locky ransomware

Locky is a type of ransomware first released in 2016. It can encrypt about 160 file types, many of them used by engineers, designers, and testers. Locky spreads by phishing: it is delivered through an email requesting payment of an attached ‘invoice’, a malicious Microsoft Word document that runs infectious macros.

A simple social engineering technique tricks the victim into passing the infection forward. The Word document is not presented in a readable format; instead, the victim is shown a dialog box when trying to open it, which reads, “Enable macro if data encoding is incorrect.”

When the user enables the macros, a binary file runs and installs the encryption trojan on the device. The trojan locks all files with specific extensions and changes their filenames to a combination of letters and numbers. Once the files are encrypted, the malware instructs the victim to download the Tor browser and visit a specific malicious website, where a ransom is demanded to unlock the encrypted files.

Locky can infect a wide variety of file formats created by a range of professionals such as designers, developers, engineers, and testers. However, Locky attacks have been observed to target mainly small businesses. The countries most affected by Locky include Spain, Germany, the U.S., France, Italy, Great Britain, the Czech Republic, Canada, and Poland.

6. SamSam ransomware

SamSam has been around since 2015 and primarily targets healthcare and medical organizations. It is a narrowly distributed type of ransomware.

SamSam has no self-spreading component; it is manually operated by the cybercriminals who plant it inside targeted company networks. The key objective of a SamSam operation is to get into an organization. After getting in, it waits, monitors, and collects a great deal of the organization’s data. Meanwhile, the cybercriminals gain access to further systems and copy the ransomware onto them.

Once the cybercriminals feel that enough data has been collected, they strike with force. This generally happens while the target’s sysadmins are asleep, so the attack usually goes unnoticed. As the attack begins, the malware encrypts all documents and files on every system it can find on the network. It is at this point that the malware becomes ransomware.


A SamSam attack generally proceeds in the following six steps:

  • Target identification and acquisition
  • Penetrating the network
  • Elevating privileges
  • Scanning the network for target computers
  • Deploying and executing the ransomware
  • Awaiting ransom payment

SamSam’s encryption makes recovery slow and difficult, as restoring from partial backups does not give a full recovery. A full disk re-image must first be created to bring encrypted applications back, followed by incremental restoration of the encrypted files. SamSam generates a unique AES key for each individual file and application it encrypts, making it a hard nut to crack.

7. Thanos ransomware

Thanos is the newest crypto ransomware, identified in January 2020. It is sold as ransomware-as-a-service (RaaS) and has been observed to bypass most anti-ransomware methods.

Thanos is the first ransomware to use the researcher-disclosed RIPlace anti-ransomware evasion technique, in addition to other advanced features that make it a serious threat. Most ransomware is written in C# and lacks a high level of sophistication; Thanos, by contrast, is written in .NET and has numerous advanced features that make it deadlier than the rest.

Thanos is the first ransomware family to advertise the use of the RIPlace tactic. RIPlace is a Windows file system technique for altering files in a way that bypasses various anti-ransomware methods.

Beyond RIPlace, Thanos offers little novel functionality, and its overall structure is simple. Its ease of use has nonetheless made it popular among cybercriminals, according to research from Recorded Future’s Insikt Group shared with Threatpost.

Thanos was first spotted by researchers in January 2020 and was developed by a threat actor using the alias “Nosophoros.” The actor continued to develop Thanos over the following six months, with regular updates and advanced features (the RIPlace tactic was first advertised in February 2020).

The Thanos builder lets operators create ransomware clients with different options for use in attacks. As mentioned earlier, it is sold on underground forums as a “Ransomware Affiliate Program,” similar to a ransomware-as-a-service (RaaS) model. The builder is offered either as a monthly ‘light’ subscription or a lifetime ‘company’ subscription. The ‘company’ version includes additional features, such as data-stealing functionality, the RIPlace tactic, and lateral-movement capabilities, that are not part of the light version.


Locker ransomware

In locker ransomware, victims are locked out of their device and prevented from using it. Once the victim is locked out, the cybercriminals demand a ransom (i.e., a Bitcoin payment) to unlock the device.

Let’s look at some examples of locker ransomware attack types that heavily impacted businesses and markets.

8. NotPetya and Petya ransomware

Petya is a locker ransomware that infects and locks a target computer using phishing and gives the victim a message explaining how they can pay in Bitcoin to get their system back.

The initial version of Petya, which began to spread in March 2016, arrives on the victim’s computer attached to an email purporting to be a job applicant’s resume. The email carries two files: an image of a young man (the supposed applicant, though it looks like a stock image) and an executable file, often with “PDF” somewhere in the file name. The plan is to get you to click on that file and then accept the Windows User Account Control warning that tells you the executable will make changes to your computer. (Petya only affects Windows computers.)

If you agree to this request, Petya reboots your computer. You see a standard Windows CHKDSK screen, like the one shown after a system crash. In fact, the malware has already taken control of the computer by this time and is making the files unreachable. Rather than seeking out specific files and encrypting them, as other ransomware does, Petya installs its own boot loader, overwriting the affected system’s master boot record, and then encrypts the master file table, the part of the filesystem that serves as a roadmap for the hard drive.

In summary, the victim’s files are still present in unencrypted form, but the computer no longer has access to the part of the file system that tells it where they are, so they might as well be lost. At this point, Petya demands a Bitcoin payment in return for decrypting the hard drive.

As noted earlier, Petya needs the user to grant it permission to make admin-level changes before it can do its damage. A couple of months after Petya first began to spread, a new version appeared, bundled with a second file-encrypting program dubbed Mischa. Mischa takes control of the user’s admin-level access and encrypts individual files, including .exe files, which can interfere with the victim’s ability to pay the ransom.

Petya thus introduced a new way of encrypting files. In June 2017, NotPetya — a new variant of the malware — began spreading rapidly across Ukraine, Europe, and beyond. The new version spread from computer to computer and network to network without requiring spam emails or social engineering to gain administrative access.

NotPetya shares some features with Petya: it encrypts the master file table and shows a pop-up on the screen requesting a Bitcoin ransom to regain access to the files.


There are plenty of ways in which NotPetya appears different from Petya.

  • NotPetya spreads independently.

Petya originally required the victim to download it from a malicious spam email, launch it, and give it admin permissions. NotPetya exploits several different methods to spread without human intervention. The original infection vector appears to have been a backdoor planted in M.E.Doc, an accounting software package used by almost every company in Ukraine. After infecting M.E.Doc’s servers, NotPetya used various methods to spread to other computers, including EternalBlue and EternalRomance, two exploits developed by the United States NSA that take advantage of a flaw in the Microsoft Windows implementation of the SMB protocol.

  • NotPetya encrypts the master boot record.

NotPetya targets the hard drive of the infected computers and encrypts the master boot record as well.

  • NotPetya isn’t ransomware.

NotPetya looks like ransomware, complete with a screen informing the victim that they can decrypt their files if they send Bitcoin to a specified wallet. For Petya, this screen includes an identification code that the victim is supposed to send along with the ransom; the attackers use this code to figure out which victim just paid. On computers infected with NotPetya, this number is randomly generated and identifies nothing. And, as it turns out, NotPetya damages the data beyond repair in the process of encrypting it.

9. Ryuk ransomware

Ryuk is a locker ransomware that locks a victim’s machines, delivered via phishing emails or drive-by downloads. Ryuk establishes a network connection to the victim’s machine using a trojan extracted onto it. Attackers further use Ryuk as the basis for an advanced persistent threat (APT), installing tools such as keyloggers, which may be used to capture cryptographic keys.

The attack starts with a phishing email or a drive-by download triggered by visiting a malicious website or clicking on a pop-up. The attackers maintain persistent access to the network using a dropper and a trojan. They use typical APT tooling to control vulnerable machines, install keyloggers, and steal user credentials in order to move around the infiltrated network. They identify the information that can be compromised, collect and exfiltrate it, and expand their footprint across the network as they go. These tools let the operators install Ryuk on each system they intend to hit. Once the network infiltration is complete, they trigger Ryuk to encrypt the vulnerable machines and ransom their victims.

In a Ryuk incident, the intrusion that comes before Ryuk is what causes the real damage. If organizations knew how to identify that initial intrusion before Ryuk is deployed, they would be far less likely to be hit by it.

10. WannaCry ransomware

WannaCry is a locker ransomware that uses self-propagation to infect devices, exploiting a vulnerability in the Windows SMB protocol implementation. In 2017, WannaCry spread across 150 countries, infecting about 230,000 computers and causing an estimated $4 billion in damage.

WannaCry struck several high-profile systems, including many in Britain’s National Health Service. It exploited a Windows vulnerability suspected of having first been discovered by the United States National Security Agency. Symantec and other security researchers linked it to the Lazarus Group, a cybercrime organization that may be connected to the North Korean government.

WannaCry has several components. It arrives on the computer as a dropper, a self-contained program that extracts the other application components embedded within it. Those components are:

  • An application responsible for encrypting and decrypting data
  • Data files with encryption keys
  • A Tor copy

The program code of WannaCry is easy for security personnel to analyze. Once launched, WannaCry attempts to reach a hard-coded URL (the so-called kill switch). If that request fails, it proceeds to search for and encrypt files in a range of important formats, from Microsoft Office files to MP3s and MKVs, leaving them locked and inaccessible to the user. WannaCry then displays a ransom notice demanding $300 in Bitcoin to decrypt the files.

The attack vector for WannaCry is unique as compared to other types of ransomware. The WannaCry exploit lies in the Windows implementation of the Server Message Block (SMB) protocol.


Top 10 Best Practices for Prevention and Protection Against Ransomware Attacks

Ransomware is a kind of malware that typically encrypts and blocks access to a victim’s files, data, or the entire system until payment is made to the attacker. 

Ransomware threat has shown an upward growth curve in the past few years. According to a report published by NTT Security in 2018, the volumes of ransomware increased by a staggering 350% in 2017 alone. Security teams that ensure the security of an organization’s data must have a roadmap to mitigate the threat posed by such malware practices. 

No security system is foolproof. However, organizations can have a restore and recovery plan in place to prevent ransomware attacks rather than having to find a cure for already infected systems. Here is a list of 10 cybersecurity best practices that help detect and prevent ransomware attacks, and restore and recover from the disruption caused by them.

1. Intrusion detection policy

A secure system recognizes the signs of a malware attack (ransomware included): whether the system is communicating over a covert channel, is running malicious code that disables firewalls or antivirus software, or is communicating with a known bad actor. Unexpected changes to policies, untimely scans, and software update failures may also serve as trigger points for suspecting a malware threat. Hence, intrusion detection policies should be in place to spot a ransomware infection and isolate it before it spreads over the network.

Intrusion prevention or intrusion detection systems (IPS/IDS) can prevent the ransomware from communicating with Command and Control servers, thereby limiting the impact of a ransomware attack on the susceptible network or system.

Furthermore, one can install ransomware protection software to identify a potential attack at an early stage. In addition to the software, threat management programs may help identify intrusions or infections as they happen and take corrective actions to prevent them. Such programs may also come with gateway antivirus software for enhanced protection against any form of malware attack.


2. Network Traffic Monitoring

Dynamically filtering and flagging the inbound and outbound traffic over a network may serve as a preparative measure before any malware makes its way into the network. If we can listen to the network traffic in real time and block any outbound traffic directed towards the attacker’s server, then we may be able to stop the ransomware attack before it gets off the ground. Hence, any suspicious traffic traversing the inward or outward path of the network should be dynamically flagged so that appropriate alerts are generated at the right time.

Network traffic monitoring tools can track multiple security threats, identify security vulnerabilities, troubleshoot network issues, and analyze the impact new applications will have on the network. The following features can be taken into consideration while employing a network traffic monitoring application:

1. Pick the right data source

Two main data sources that can be used for monitoring network traffic are:

  • Flow data: Sourced from layer 3 devices like routers

Flow data is great if you are looking for traffic volumes and mapping the journey of a network packet from its origin to its destination. This level of information can help detect unauthorized WAN traffic and make better use of network resources and performance.

  • Packet data: Sourced from SPAN, mirror ports, or TAPs

Packet data extracted from network packets can help network managers understand how users are operating applications, track usage on WAN links, and monitor for malware or other security threats such as ransomware. Deep packet inspection tools provide 100% visibility over the network by transforming the raw metadata into a readable format and enabling network managers to drill down to the minutest detail.

2. Monitoring pivots in a network

Installing agent-based software on each device you want to monitor is not only expensive but also creates a significant implementation and maintenance overhead for the organization. Furthermore, if your objective is to monitor activity on a BYOD or publicly accessible network, agent-based software will not give you the full picture of user activity, because it is impractical to monitor activity on users’ personal devices.

Therefore, it is crucial to understand that there is no need to monitor every network point. Instead, you need to pick points where data converges. Internet gateways, Ethernet ports on WAN routers, or VLANs associated with critical servers are examples of this technique.

The monitoring procedure can begin at the Internet gateway(s), which can be an excellent source of security and operational data. The image below shows a good approach to network traffic monitoring for most networks. A SPAN or mirror port is configured at the network core, which captures any traffic passing through. In the example shown below, this architecture allows capturing traffic going to and from the Internet as well as traffic associated with important servers.

[Figure: In-bound and Out-bound Traffic Monitoring. Source: NetFort]

3. Real-time data is not enough

Monitoring network traffic in real time is not enough to identify potential threats to the network. In most cases, historical traffic metadata serves as significant network forensic evidence. It is important to analyze past events, identify trends, or compare current network activity with the previous week. With these factors in mind, it is best to use network traffic monitoring tools that offer deep packet inspection.

4. Check data flows and packet payloads for suspicious content

Networks usually have intrusion detection systems operating at the network edge, but very few monitor internal traffic. All it takes is a single rogue mobile or IoT device to compromise a network’s security. Another issue often seen is that firewalls allow suspicious traffic through where a rule was misconfigured. Hence, checking data flows and packet payloads for suspicious content is of paramount importance given the ransomware threat.
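The three checks this section describes (blocking traffic to a known attacker server, spotting suspicious outbound patterns, and inspecting flows rather than relying only on edge devices) can be prototyped over flow records before any packet capture is involved. The script below is an added example, not code from the article or from NetFort: it takes constructed NetFlow-style tuples (timestamps, source, destination, port, bytes), uses the RFC 5737 documentation ranges as placeholder external addresses and a hypothetical one-entry blocklist, and flags three things a ransomware intrusion commonly produces in flow data: a destination on the blocklist, a host calling the same external endpoint at fixed intervals (beaconing to a command-and-control server), and an unusually large one-off upload (bulk exfiltration ahead of encryption). The thresholds are assumptions chosen for the sample data.

```python
"""Flag suspicious outbound flows in NetFlow-style records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# RFC 1918 ranges; anything else is treated as "outside the network".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical blocklist of command-and-control addresses. The value is a
# placeholder from the RFC 5737 documentation range, not a real indicator.
C2_BLOCKLIST = {"203.0.113.9"}

# Constructed flow records: (seconds since capture start, src_ip, dst_ip, dst_port, bytes_out).
# External destinations are RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    (0,   "10.0.0.5", "192.0.2.10",    443, 1200),          # same host, same destination ...
    (60,  "10.0.0.5", "192.0.2.10",    443, 1180),          # ... every 60 s: beacon-like
    (120, "10.0.0.5", "192.0.2.10",    443, 1210),
    (180, "10.0.0.5", "192.0.2.10",    443, 1195),
    (240, "10.0.0.5", "192.0.2.10",    443, 1205),
    (300, "10.0.0.5", "192.0.2.10",    443, 1190),
    (30,  "10.0.0.7", "203.0.113.9",  8080, 500),           # destination is on the blocklist
    (45,  "10.0.0.8", "10.0.0.20",     445, 90000),         # internal SMB traffic, ignored here
    (50,  "10.0.0.9", "198.51.100.23", 443, 250_000_000),   # very large one-shot upload
    (90,  "10.0.0.6", "192.0.2.44",    443, 3000),          # ordinary web traffic
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound(flows):
    """Only flows that leave the internal address space matter for C2 and exfiltration."""
    return [f for f in flows if is_internal(f[1]) and not is_internal(f[2])]


def find_blocklisted(flows, blocklist=C2_BLOCKLIST):
    """(src, dst) pairs whose destination is on the threat-intelligence blocklist."""
    return sorted({(src, dst) for _, src, dst, _, _ in outbound(flows) if dst in blocklist})


def find_beacons(flows, min_flows=5, max_jitter=0.1):
    """Host/destination/port triples contacted at near-constant intervals.

    Returns [(key, mean_interval_seconds)]. A low ratio of interval standard
    deviation to mean interval is the classic beaconing signature.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in outbound(flows):
        by_pair[(src, dst, port)].append(ts)
    beacons = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((key, round(avg)))
    return beacons


def find_bulk_egress(flows, threshold_bytes=100_000_000):
    """(src, dst) pairs whose total outbound volume exceeds the threshold."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in outbound(flows):
        totals[(src, dst)] += nbytes
    return sorted((pair, total) for pair, total in totals.items() if total >= threshold_bytes)


def analyze(flows):
    """Run all three detectors; each result is a list suitable for alerting."""
    return {
        "blocklisted": find_blocklisted(flows),
        "beacons": find_beacons(flows),
        "bulk_egress": find_bulk_egress(flows),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_FLOWS).items():
        print(name, hits)
```

On the sample data the blocklist check catches 10.0.0.7, the interval analysis catches 10.0.0.5 beaconing to 192.0.2.10 every 60 seconds, and the volume check catches the 250 MB upload from 10.0.0.9; the internal SMB flow is ignored because both ends are internal. On real flow exports the same three functions apply unchanged, with the thresholds tuned to the network's normal traffic profile.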


3. Log analytics

Launching and running a ransomware attack on a network without leaving any trace of its activity is currently beyond the reach of cybercriminals. Hence, to catch such traces, the secure system needs software to scan, monitor, and analyze system, application, and activity logs in order to flag irregular and abnormal behavior.

Consider employing a security information and event management (SIEM) software tool that is capable of scanning system logs, app logs, security logs, and activity logs to collate and analyze data and flag unusual or anomalous behavior. User and entity behavior analytics (UEBA) will “learn” what normal user activity looks like and alert you when something unusual occurs.
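The kind of rule a SIEM would run over activity logs to flag ransomware behavior can be shown on a small scale. The following is an added example, not code from the article or from any SIEM vendor: it parses constructed file-audit lines in a hypothetical key=value format (hostnames, users, process names and paths are invented) and raises an alert when one process, on one host, renames at least a threshold number of distinct files to the same new extension inside a short window. That pattern, many files acquiring a new extension within seconds, is the on-disk footprint of encryption in progress; an ordinary user renaming a document or two does not trigger it. The window and threshold are assumptions chosen for the sample.

```python
"""Detect mass file renames in a constructed file-audit log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed audit log lines in a hypothetical key=value format; hostnames,
# users, process names and paths are invented for the example.
SAMPLE_LOG = """\
2022-09-26T10:00:01Z host=ws01 user=alice proc=winword.exe op=WRITE path=C:/Users/alice/q3.docx
2022-09-26T10:00:40Z host=ws01 user=alice proc=winword.exe op=RENAME path=C:/Users/alice/q3.docx new=C:/Users/alice/q3_final.docx
2022-09-26T10:05:10Z host=ws02 user=bob proc=updater.exe op=RENAME path=C:/Users/bob/a.xlsx new=C:/Users/bob/a.xlsx.locked
2022-09-26T10:05:11Z host=ws02 user=bob proc=updater.exe op=RENAME path=C:/Users/bob/b.docx new=C:/Users/bob/b.docx.locked
2022-09-26T10:05:11Z host=ws02 user=bob proc=updater.exe op=RENAME path=C:/Users/bob/c.pdf new=C:/Users/bob/c.pdf.locked
2022-09-26T10:05:12Z host=ws02 user=bob proc=updater.exe op=RENAME path=C:/Users/bob/d.pptx new=C:/Users/bob/d.pptx.locked
2022-09-26T10:05:12Z host=ws02 user=bob proc=updater.exe op=RENAME path=C:/Users/bob/e.jpg new=C:/Users/bob/e.jpg.locked
2022-09-26T10:05:13Z host=ws02 user=bob proc=updater.exe op=RENAME path=C:/Users/bob/f.mp3 new=C:/Users/bob/f.mp3.locked
2022-09-26T10:05:20Z host=ws02 user=bob proc=updater.exe op=WRITE path=C:/Users/bob/HOW_TO_RESTORE.txt
2022-09-26T11:00:00Z host=ws03 user=carol proc=explorer.exe op=RENAME path=C:/Users/carol/old.txt new=C:/Users/carol/new.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def parse_line(line: str):
    """Turn one audit line into a dict with a timezone-aware timestamp, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def parse_log(text: str):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def new_extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect_mass_rename(events, window_seconds=60, threshold=5):
    """Alert when one (host, user, proc) renames >= threshold distinct files to
    the same new extension within window_seconds. One alert per key, updated
    with the running file count as more renames arrive."""
    recent = defaultdict(deque)   # key -> deque of (timestamp, original path)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "RENAME" or not ev["new"]:
            continue
        key = (ev["host"], ev["user"], ev["proc"], new_extension(ev["new"]))
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:   # slide the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            alerts[key] = {
                "host": ev["host"], "user": ev["user"], "proc": ev["proc"],
                "extension": key[3], "files": len(distinct),
                "first_seen": q[0][0].isoformat(), "last_seen": ev["ts"].isoformat(),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_rename(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log only bob's updater.exe on ws02 is flagged (six files renamed to .locked within four seconds); alice's and carol's single renames stay below the threshold. A UEBA layer would go one step further and learn the normal rename rate per user so the threshold adapts instead of being fixed.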

Further, log monitoring and analysis have the following advantages:

1. Detection of security breaches

Most organizations are affected by different types of malware attacks. Security logging, monitoring, and analysis can help guard against malicious and suspicious external threats and also provide insights on internal misuses of information. By logging and analyzing such events, any security threat can be detected in real-time to facilitate faster intervention while also contributing to your long-term strategy.

2. Event reconstruction

Security logging provides audit trails that facilitate a reconstruction of the events leading up to a security breach once it occurs. Such logging and analysis give an enterprise a clear idea of how the breach occurred and how to rectify the vulnerabilities.

3. Faster recovery

Businesses do not want downtime attached to their name. Audit logs can therefore support a fast and effective recovery process: logging can help reconstruct data files that were lost or corrupted by working backwards from the changes recorded in the logs in real time.


4. Overview of network assets

The inventory of network assets needs to be kept up to date, so that every device on the network is visible, together with a clear understanding of the access permissions of each device based on its user. This may help in identifying an unmanaged device operating on the network. Such a scenario may become prevalent in the upcoming IoT world, where multiple unmanaged devices may co-exist.

With the upsurge in the number of assets in a network, a detailed list of all IT assets can form the basis for vulnerability checks. This may help detect systems and applications in need of an update or a change of settings so that they no longer constitute a security risk for the company. Keeping an overview of network assets has plenty of advantages, including network control, detection of all connected devices in a network, vulnerability checks, detection and resolution of IT asset vulnerabilities, and enhanced security of the systems on the network.

5. Regular backup and recovery

Every secure system is vulnerable and prone to malware attacks such as ransomware infection. Hence, one can safeguard against ransomware attacks by setting up a regular and secure backup system along with a restore and recovery plan, which may allow the system to bounce back to its normal state even if it is hit by a ransomware attack.

The regular backup copies can be stored on external hard drives, following the 3-2-1 rule (three backup copies on two different media, with one of the copies stored at a separate location). Backup data can also be tampered with by a ransomware attack. Hence, it is recommended to disconnect the hard drives from the device or system to prevent the encryption of backup files. System backups can be stored locally and offsite (e.g., in the cloud).
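Two things in this advice can be checked automatically: whether each backup copy still matches what was backed up (a copy that ransomware reached will no longer verify), and whether the set of copies actually satisfies the 3-2-1 rule. The script below is an added example written for this article, not code from the article or any backup product. It builds a SHA-256 manifest of a source tree, verifies three copies against it, and evaluates a declared inventory of copies against the rule. The offline check in check_321 is an added rule reflecting the advice above to disconnect backup drives; it is not part of the classic 3-2-1 formulation. The copy names, media types and sample files are constructed for the demonstration.

```python
"""Verify backup copies against a manifest and check the 3-2-1 rule (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Map each file (relative path) under src to its SHA-256; keep this with the backup set."""
    return {p.relative_to(src).as_posix(): sha256_file(p) for p in sorted(src.rglob("*")) if p.is_file()}


def verify_copy(copy_dir: Path, manifest: dict) -> list:
    """Return (problem, path) pairs for files that are missing or whose content changed."""
    problems = []
    for rel, digest in manifest.items():
        p = copy_dir / rel
        if not p.is_file():
            problems.append(("missing", rel))
        elif sha256_file(p) != digest:
            problems.append(("mismatch", rel))
    return problems


def check_321(copies: list) -> list:
    """Check an inventory of copies against the 3-2-1 rule.

    Each entry is {"name", "medium", "offsite": bool, "online": bool}. The
    offline check is an added rule (disconnect the drive), not part of 3-2-1 itself.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, the rule asks for 3")
    if len({c["medium"] for c in copies}) < 2:
        findings.append("all copies are on the same kind of medium")
    if not any(c["offsite"] for c in copies):
        findings.append("no copy is stored offsite")
    if all(c["online"] for c in copies):
        findings.append("every copy stays reachable from the protected system")
    return findings


def run_backup_demo() -> dict:
    """Build a constructed source tree, three copies, and tamper with one copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "source"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("quarterly figures\n")
        (src / "notes.txt").write_text("keep me\n")
        manifest = build_manifest(src)

        copies = {name: root / name for name in ("nas", "usb", "cloud")}
        for dst in copies.values():
            shutil.copytree(src, dst)
        # Simulate tampering with the always-online copy: overwrite one file's content.
        (copies["nas"] / "docs" / "report.txt").write_bytes(b"\x8f\x12garbled\x00")

        inventory_ok = [
            {"name": "nas",   "medium": "disk",  "offsite": False, "online": True},
            {"name": "usb",   "medium": "disk",  "offsite": False, "online": False},
            {"name": "cloud", "medium": "cloud", "offsite": True,  "online": True},
        ]
        inventory_bad = [inventory_ok[0],
                         {"name": "nas2", "medium": "disk", "offsite": False, "online": True}]
        return {
            "nas": verify_copy(copies["nas"], manifest),
            "usb": verify_copy(copies["usb"], manifest),
            "cloud": verify_copy(copies["cloud"], manifest),
            "policy_ok": check_321(inventory_ok),
            "policy_bad": check_321(inventory_bad),
        }


if __name__ == "__main__":
    for k, v in run_backup_demo().items():
        print(k, v)
```

The manifest must be stored somewhere the protected system cannot overwrite (with the offline or offsite copy), otherwise an attacker who can rewrite the backup can rewrite the hashes too. Verification should run on a schedule, since a copy that verified last month may no longer do so.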


6. Regular vulnerability check

Attackers usually choose the pathway offering the least resistance, so ransomware attacks may expose and exploit common vulnerabilities in popular software. A security system therefore needs to be regularly updated about the known vulnerabilities posing a threat to the network. This data can be validated by cross-checking it against the network to ensure that the network is not exposing an easy route to an outsider trying to invade it.

Running scheduled security scans at regular intervals, in addition to the resident security software, keeps track of the status of the security software operating in the system. Such scans form an extra layer of defense: they detect potential threats that may otherwise go unnoticed by the real-time checker software packages.

7. Security awareness

Ransomware can infect a victim’s system or network through various vectors, of which phishing is one of the most prominent. As soon as the user clicks or taps an untrusted link or URL in an email or opens a malicious attachment, ransomware gains control over the victim’s system and may spread like wildfire across the network. Hence, to avoid such a scenario, the employees of an organization or enterprise need to undergo a security awareness training module, which highlights the security threats posed by ransomware-type malware and provides a defense mechanism for overcoming such vulnerabilities.

Employees can be trained to recognize phishing attacks, and mock drills can be conducted to determine whether they can identify phishing lures and avoid acting on them. Further, a company can use spam protection and endpoint protection technology to automatically detect malicious emails, links, etc., and block them.

8. Securing endpoints

Endpoint security is of paramount importance in preventing ransomware attacks. Attackers target configuration loopholes and exploit vulnerabilities over a network to gain control of and access to the systems within it. Hence, the security team needs to ensure that all devices and systems in the network are up to date with the latest security patches and that no vulnerability is introduced through the misconfiguration of any security software.

Securing endpoints can employ a multi-layered approach, wherein the endpoint protection strategy not only includes the obvious antivirus tools and firewalls but also backup and recovery mechanisms. User training can further be added to this strategy, along with well-defined regulations for BYOD policies and mobile workforce management. The following principles need to be taken into consideration in order to have a strong, threat-proof endpoint protection strategy:

1. Security tools

To effectively protect endpoints, you have to think about it in three ways – prevention, remediation, and recovery. For prevention, there’s no shortage of endpoint security solutions that scan for and block malware. These solutions can also issue alerts and initiate remediation when needed.

2. File backup and recovery

File backup and recovery is an essential component of endpoint security. No matter how solid a company’s defenses are, there is always a possibility of malware sneaking in. Or, more commonly, a user will make a mistake resulting in loss of data.

When that happens, if a business hasn’t backed up its files regularly, the results can be data loss or security breach. That’s why a file backup and recovery solution with built-in granularity and rapid restore is essential.

A cloud solution with built-in granularity helps you prioritize among different types of data. It can help select which of your clients’ files should be backed up and restored with priority. The idea here is to use an intelligent system that can discern critical and sensitive data in each endpoint from less-important data. This way, you can automate data management for important data and ensure an easy recovery if disaster strikes.

3. Device policies

No security plan is complete without policies that regulate device use. The most effective way to accomplish this is to centrally manage all mobile and employee-owned devices. This way, you can prevent misuse and minimize the chance of a data breach. Each BYOD and mobile device should be equipped with a lock and wipe technology should they ever fall into the wrong hands.

In addition, whatever endpoint security and file backup and recovery solutions a business has in place should also cover mobile and BYOD devices. Failing to protect these devices is similar to locking your house but leaving the keys in the seat of an unlocked car. All a thief has to do is grab the keys and look in the glove box for registration and address to break in.

4. User training

Provide remedial training to users so that they avoid visiting suspicious websites and clicking harmful links and attachments. Corporate organizations need to work with customers in this area to ensure that users recognize the danger signs and immediately report anything suspicious.

Hence, addressing the human element while providing a secure endpoint will ensure that the strategy does not fall short of full protection. Training, therefore, is just as important as deploying technology that scans and blocks malware and solutions that back up and restore data.


9. Threat intelligence

The security of a network can be assessed better if the activity within the network is monitored in real time, which gives a clear picture of the vulnerabilities in the network. However, threat intelligence applied alongside network monitoring may be needed to prevent a ransomware attack from spreading across the network. Along with threat intelligence, the security software needs to be updated with the behavior patterns exhibited by modern malware. Hence, artificial intelligence and machine learning may serve as better network security technologies for trapping a ransomware attack before it reaches the entire network.

10. Tracking file integrity 

Today’s cybersecurity threats, such as advanced persistent threats (APTs) or ransomware attacks, are more dangerous than ever. Even traditional security systems such as antivirus programs cannot prevent them from infecting the network due to their sophistication and uncontrollable nature. To counter such cyberattacks, companies are now looking for multiple layers of security to enhance their cybersecurity posture. This is the reason file integrity monitoring (FIM) and security information and event management (SIEM) together can provide a better mechanism for protecting against and preventing cyberattacks such as ransomware.

SIEM is a security technology utilized for security incident response and threat detection via a real-time capturing and historical analysis of security events from a wide range of data sources. In simple terms, the SIEM enables security professionals to find, monitor, record, and analyze security events or incidents within a real-time environment and store their relevant data at a central place.

The FIM is a security control that monitors and records changes to the system files and other critical applications to detect unauthorized modifications or cyberattacks. The following set of files and configuration settings can be monitored by the FIM system:

  • Operating System Files
  • File systems such as FAT32 or NTFS
  • Password Policy
  • User Account
  • Management and Monitoring Functions
  • Registry Keys and Values
  • User Rights Assignment

An effective FIM solution can help an organization protect its IT infrastructure, reduce noise, and stay compliant with various compliance standards, such as HIPAA, NIST, SOX, FISMA, NERC CIP, and PCI DSS, as well as best practice frameworks, such as the CIS security benchmarks. Additionally, with a SIEM tool, you can interpret logs, handle security alerts, perform data aggregation, use dashboards, utilize threat intelligence feeds, and conduct computer forensics all at one place.

Integrating the FIM with the SIEM tool, therefore, offers many benefits to organizations in terms of enhancing cybersecurity. Some common advantages include:

  • User-aware FIM: It records which user deliberately accessed or changed a file, so that a legitimate change can be told apart from an otherwise illegitimate action.
  • Zero-day malware detection: File integrity is mostly compromised by a malware threat, but with a SIEM system, one can protect against malware even before it harms your sensitive and critical files.
  • Meeting compliance requirements: SIEM solution offers templates that assist with compliance audits.

As cybersecurity threats continue to grow in sophistication, one cannot rely merely on traditional security tools like antivirus programs or firewalls. Instead, a multiple-layered security approach is required to deal with such threats. Therefore, using FIM and SIEM together can enhance the overall cybersecurity structure of any organization.
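The core of a FIM control, and the hand-off to a SIEM described above, fit in a short script. The following is an added example written for this article, not code from the article or from any FIM or SIEM product: it records a baseline (SHA-256, permission bits and size) for every file under a directory, compares a later snapshot against it to classify files as added, removed, modified or mode-changed, assigns a severity from a hypothetical list of critical path prefixes, and serialises each finding as a JSON line of the kind a SIEM would ingest. The demo directory, its files and the "critical" prefixes are constructed for the example; a real deployment would baseline the operating system files, registry hives and policy files listed in the section above.

```python
"""Baseline-and-compare file integrity monitoring with SIEM-style output (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical policy: files under these prefixes are treated as critical.
CRITICAL_PREFIXES = ("etc/", "bin/")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: content hash, permission bits, size."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "mode": oct(st.st_mode & 0o777),
                "size": st.st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Classify every difference between two snapshots and rate its severity."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            kind = "removed"
        elif rel not in baseline:
            kind = "added"
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            kind = "modified"
        elif baseline[rel]["mode"] != current[rel]["mode"]:
            kind = "mode_changed"
        else:
            continue
        severity = "high" if rel.startswith(CRITICAL_PREFIXES) else "medium"
        events.append({"event": "fim_change", "type": kind, "path": rel, "severity": severity})
    return events


def to_siem_lines(events: list, host: str = "host-example") -> list:
    """One JSON object per line, the shape most SIEM collectors accept."""
    return [json.dumps({"host": host, **e}, sort_keys=True) for e in events]


def run_fim_demo() -> list:
    """Constructed scenario: baseline a tree, then change it the way an intrusion would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "home").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "home" / "notes.txt").write_text("hello\n")
        baseline = take_baseline(root)

        # Simulated changes: a critical file is edited, a user file disappears
        # and an encrypted-looking replacement appears in its place.
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n# unauthorized edit\n")
        (root / "home" / "notes.txt").unlink()
        (root / "home" / "notes.txt.locked").write_bytes(b"\x00\xff\x13\x37")

        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    for line in to_siem_lines(run_fim_demo()):
        print(line)
```

The baseline itself must be stored and signed out of reach of the monitored host, or a change to the baseline would hide a change to the files. Scheduling compare() and forwarding to_siem_lines() output is what turns this into the combined FIM-plus-SIEM control the section describes.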


In Conclusion

A ransomware attack is a dangerous malware attack that locks a user’s computer by encrypting the data using various encryption techniques and demands a ransom fee to restore the encrypted files or the computer. 

As ransomware continues to grow and spread its outreach to various corporate and healthcare sectors, security teams need to become more conscious of the threat posed by such malware. The potential impact of a ransomware attack can be significantly reduced by taking the right action at the right time to prevent, detect, and recover from the ransomware attack without real damage to the system.


What kind of malware is used to take ransom?

Ransomware is malware that employs encryption to hold a victim's information at ransom. A user or organization's critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access.

Which type of malware locks and encrypts your files until a ransom is paid?

Ransomware is a type of malicious software that infects a computer and restricts users' access to it until a ransom is paid to unlock it. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert.

What type of ransomware locks victims out of their device until the ransom is paid?

Double extortion ransomware encrypts files and exports data to blackmail victims into paying a ransom. With double extortion ransomware, attackers threaten to publish stolen data if their demands are not met. This means that, even if a victim can restore their data from backup, the attacker still has power over them.

What is a ransom Trojan?

Trojan:W32/Ransom is a ransomware threat that prevents users from accessing the infected machine's Desktop; it then demands payment, supposedly for either possession of illegal material or usage of illegal software.