Ransomware is a type of malicious software that infects and restricts access to a computer or sensitive data until a ransom is paid. This type of attack is among the most pervasive malware threats, with thousands of incidents happening to businesses each day.
The most common type of ransomware is crypto ransomware, which encrypts your data making it inaccessible unless you pay the ransom. Locker ransomware on the other hand simply blocks access to the computer system and will not let you in until the ransom is paid.
As ransomware resilience planning becomes more common, and organizations have fail-safes such as offline backups in place, doxware or leakware may also come into play, which performs the same type of data-withholding actions as crypto ransomware, but also threatens to leak the hostage information if ransom is not paid. This type of extortion may be used as an additional layer of pressure when a victim has demonstrated resistance to cooperating with threat actor demands.
Finally, less commonly used is scareware, software that demands a ransom in exchange for removing a “virus” on your computer that doesn’t actually exist. Scareware may lock the computer, or it may block access through the stereotypical flood of pop-up windows saying your machine has a virus.
The first ransomware attack, known as the AIDS Trojan hit the healthcare industry in 1989, but it’s only been in the last decade that strains such as CryptoLocker, Petya, NotPetya, WannaCry, TeslaCrypt, and Locky have pushed ransomware to the forefront of cybersecurity discussions.
Today, with increased interest from law enforcement, ransomware groups will routinely go dark and then rebrand, releasing new ransomware strains with similar effects as their predecessors. BlackMatter, REvil, DoppelPaymer, and Black Cat are just a few of these likely rebrands.
Meanwhile, ransomware-as-a-service has made it easier for popular strains to gain notoriety as they are used repeatedly by affiliate groups.
A traditional ransomware attack is based on the premise that organizations will pay a ransom in exchange for the safe restoration of their data, which has been hijacked and encrypted. Companies will pay the ransom to restore network functionality and reduce downtime.
As ransomware attacks have become more prevalent however, security teams have worked to mitigate the impact that loss of data has on their businesses. Measures such as secure off-site backups and division of key network segments have rendered standard ransom-for-data attacks less effective.
How does a ransomware attack happen? There are a variety of methods that threat actors can take advantage of. One of the most common is phishing, which makes security awareness training an essential part of your organization’s ransomware resilience planning. Employees who click on malicious links or open malicious attachments are opening the door for a malware infection which can lead to deployment of ransomware.
Another common point of entry is unsecured RDP ports that are open to the internet. Putting your remote desktop protocol behind a firewall, enforcing a strong password policy, requiring multi-factor authentication and limiting IP access are all great ways to ensure that you’re not an easy target for bad actors scanning for open 3389 ports. The other popular attack vector is taking advantage of software vulnerabilities to gain network access.
Double extortion ransomware attacks utilize the same methods to gain access to your network as any traditional ransomware attack. Security awareness training for employees, password policies and multi-factor authentication, regular patching of known vulnerabilities, and protection of RDP ports and VPNs are all important measures to stop initial access. You may also consider investing in a web application firewall and ransomware detection solution.
In the event an attacker does get into your network, having a recent offline backup can protect against the first prong of a ransomware attack, the recovery of your data. Additionally, to protect against a double extortion attack, encrypt your data so that if stolen for use in an attempted data leak, it is not readable by the ransomware group.
To start, you want to identify the source of the infection and limit further exposure if it has not already spread. Disconnect all vulnerable devices. Next, you’ll need to identify the type of ransomware you’re dealing with to determine if there is any way of decrypting the files or recovering your data using the tools available on the market.
Determining the type of ransomware will let you know what the demands are, which will help you figure out whether to pay the ransom or attempt to recover your files from a backup. You’ll need to ensure that your backups are not also impacted by the malware and that they are current enough to restore from.
The threat actors behind the BianLian Ransomware are rapidly expanding infrastructure, and it has been observed targeting manufacturing organizations. Context On September 1, 2022, researchers
Context On June 28, 2022, ReversingLABS researchers reported a phishing campaign using malicious Microsoft Office files to distribute the new 2.0 version of the AstraLocker
Complete an application form if you are interested in becoming a member of RH-ISAC.