Ransomware

Ransomware is a type of malicious software that infects and restricts access to a computer or sensitive data until a ransom is paid. This type of attack is among the most pervasive malware threats, with thousands of incidents happening to businesses each day.

Types of Ransomware

2021 was a record year for high-profile, expensive ransomware attacks. This trend is expected to continue as ransomware-as-a-service expands threat actor accessibility to tools, and new double/triple extortion attacks raise potential profits even higher.

Ransomware Types

The most common type of ransomware is crypto ransomware, which encrypts your data making it inaccessible unless you pay the ransom. Locker ransomware on the other hand simply blocks access to the computer system and will not let you in until the ransom is paid. 

As ransomware resilience planning becomes more common, and organizations have fail-safes such as offline backups in place, doxware or leakware may also come into play, which performs the same type of data-withholding actions as crypto ransomware, but also threatens to leak the hostage information if ransom is not paid. This type of extortion may be used as an additional layer of pressure when a victim has demonstrated resistance to cooperating with threat actor demands. 

Finally, less commonly used is scareware, software that demands a ransom in exchange for removing a “virus” on your computer that doesn’t actually exist. Scareware may lock the computer, or it may block access through the stereotypical flood of pop-up windows saying your machine has a virus. 

Ransomware Strains

The first ransomware attack, known as the AIDS Trojan hit the healthcare industry in 1989, but it’s only been in the last decade that strains such as CryptoLocker, Petya, NotPetya, WannaCry, TeslaCrypt, and Locky have pushed ransomware to the forefront of cybersecurity discussions. 

Today, with increased interest from law enforcement, ransomware groups will routinely go dark and then rebrand, releasing new ransomware strains with similar effects as their predecessors. BlackMatter, REvil, DoppelPaymer, and Black Cat are just a few of these likely rebrands. 

Meanwhile, ransomware-as-a-service has made it easier for popular strains to gain notoriety as they are used repeatedly by affiliate groups. 

Ransomware Resources:

 

Ransomware Resilience Planning Guide

Get actionable strategies to reduce your organization's ransomware risk.
Get the Guide

Ransomware Attacks

The last few years have seen a dramatic rise in high-profile ransomware cases, leading CISOs to bump ransomware planning to the top of their list of initiatives. However, just as companies have adapted to guard against this threat, ransomware gangs have adapted in turn, employing additional layers of extortion focused on exposing customer data.

What is a Ransomware Attack?

A traditional ransomware attack is based on the premise that organizations will pay a ransom in exchange for the safe restoration of their data, which has been hijacked and encrypted. Companies will pay the ransom to restore network functionality and reduce downtime. 

As ransomware attacks have become more prevalent however, security teams have worked to mitigate the impact that loss of data has on their businesses. Measures such as secure off-site backups and division of key network segments have rendered standard ransom-for-data attacks less effective.

Attack Vectors

How does a ransomware attack happen? There are a variety of methods that threat actors can take advantage of. One of the most common is phishing, which makes security awareness training an essential part of your organization’s ransomware resilience planning. Employees who click on malicious links or open malicious attachments are opening the door for a malware infection which can lead to deployment of ransomware. 

Another common point of entry is unsecured RDP ports that are open to the internet. Putting your remote desktop protocol behind a firewall, enforcing a strong password policy, requiring multi-factor authentication and limiting IP access are all great ways to ensure that you’re not an easy target for bad actors scanning for open 3389 ports. The other popular attack vector is taking advantage of software vulnerabilities to gain network access. 

Attack Methods:

 

How to Prevent Ransomware

It is important to have a comprehensive ransomware resilience plan that addresses preparation, prevention, and response in the event of an attack. Here are a few tips for prevention of double/triple extortion attacks that you can incorporate into your ransomware strategy.

Don’t Let Attackers In

Double extortion ransomware attacks utilize the same methods to gain access to your network as any traditional ransomware attack. Security awareness training for employees, password policies and multi-factor authentication, regular patching of known vulnerabilities, and protection of RDP ports and VPNs are all important measures to stop initial access. You may also consider investing in a web application firewall and ransomware detection solution.

Backups and Data Encryption

In the event an attacker does get into your network, having a recent offline backup can protect against the first prong of a ransomware attack, the recovery of your data. Additionally, to protect against a double extortion attack, encrypt your data so that if stolen for use in an attempted data leak, it is not readable by the ransomware group. 

Preventing Ransomware:


Ransomware Resilience Planning Guide

Get actionable strategies to reduce your organization's ransomware risk.
Get the Guide

Ransomware Recovery

Of course, you want to prevent a ransomware attack as best as possible, but you should still prepare for a scenario where you are the victim of a ransomware attack and need to recover your data.

Identify and Limit

To start, you want to identify the source of the infection and limit further exposure if it has not already spread. Disconnect all vulnerable devices. Next, you’ll need to identify the type of ransomware you’re dealing with to determine if there is any way of decrypting the files or recovering your data using the tools available on the market. 

Determining the type of ransomware will let you know what the demands are, which will help you figure out whether to pay the ransom or attempt to recover your files from a backup. You’ll need to ensure that your backups are not also impacted by the malware and that they are current enough to restore from. 

Recovery Strategies:

 

Ransomware Resilience Planning Guide

Get actionable strategies to reduce your organization's ransomware risk.
Get the Guide

Read the Latest Blog Posts

Subscribe to the blog

Join RH-ISAC today!

Complete an application form if you are interested in becoming a member of RH-ISAC.

Become a member