How Does Ransomware Work? Examples and Defense Tips
With working from home already a norm, the world has also seen quite a surge in ransomware attacks. The State of Ransomware Report indicates that cybercrime damages are expected to hit US$6 trillion this year, with the attacks increasing and becoming more complex and disruptive.
In Singapore, roughly 61 reports of ransomware attacks were received by the Cyber Security Agency of Singapore in 2020, almost double the number reported in 2019. Needless to say, ransomware is booming and is rising through the ranks to become a global security threat; vulnerability in cyberspace is a glaring reality.
Thankfully, governments and other international initiatives have been working relentlessly to pursue those responsible for these malicious attacks. Still, it behooves system owners, and organisations as a whole, to educate themselves on ransomware and on what they can do to prevent and mitigate it.
How does ransomware work? Let’s define what it is.
Ransomware is a form of malicious software (malware). It blocks normal access to a system or to the files it has compromised, and keeps them blocked unless the victim pays the demanded ransom amount. Upon payment, the victim receives a key that can decrypt the blocked system and restore it to normal.
There are many ways ransomware can get into a computer system:
- through infected email attachments
- removable storage media, such as portable thumbnail drives, that have been infected
- downloaded software
- seemingly harmless links in email, social media websites, or instant messages
Ransomware is often packaged with installation files in the guise of legitimate software updates, for example as fake updates for the likes of Adobe Acrobat or Java. These misleading ads are especially common on unknown websites such as torrent sites.
Once ransomware takes hold, it encrypts the data, a process that resembles how a password secures an account against unwanted access. The moment ransomware compromises a system, the threat actor encrypts all data, preventing the victim from accessing it. Once encryption is done, the victim cannot open any of the affected files without the decryption key held by the threat actor, which is released only in exchange for whatever ransom amount the attacker demands.
What are ransomware examples?
How does ransomware work in practice? There are countless families across thousands of variants; below is an overview of some of the most prevalent ones active today:
- REvil – infamously responsible for a third of all ransomware incidents, REvil is a Ransomware-as-a-Service (RaaS), also known as Sodin or Sodinokibi. It spreads in many ways, including unpatched VPNs, exploit kits, exposed RDP and spam emails.
- Ryuk – when a healthcare organisation is attacked, the culprit is most probably Ryuk. It is typically delivered by other malware such as Trickbot, or via email phishing attacks and exploit kits.
- RobbinHood – this variant usually gains access via a phishing attack or other weaknesses in the system’s security, and can then hold a computer or a whole computer system hostage.
- DoppelPaymer – this variant is notorious for targeting enterprises by obtaining admin credentials, its gateway for propagating the infection across the whole Windows network.
- SNAKE – this variant targets the industrial sector and was responsible for 6% of all ransomware attacks in 2020. It disables ICS processes, freezes VMs and steals admin credentials so that it can further infect and encrypt files across the network.
- Phobos – like REvil, this variant is a RaaS. It gains illegal access to a network through exposed RDP ports.
Defending your system against ransomware
Now that we’ve tackled ‘How does ransomware work?’, let’s look at how you can defend your system against it.
Backup is your friend. Keep three copies of your data on two different types of media, with one copy stored off-site and one copy that cannot be modified. If, by any unfortunate circumstance, you get hit with ransomware, secure off-site copies will help you recover more easily.
It should be noted that ransomware is most prevalent on Windows, since most malware is built to infiltrate Windows systems. On your end, lock down role-based accounts and instances so that they can perform only what they are supposed to do, and nothing more (the principle of least privilege).
You will be on the winning side if you regularly test the viability of your backups as well as your disaster risk management. Part of your data protection protocol should be to test automated recovery, to rule out potential factors that may hamper a successful recovery when ransomware does strike.
The earlier you discover ransomware in your system, the faster your recovery can be. Learn how to work with your data protection officers and penetration testing service providers to do the necessary studies. Arm your system with security tools that can recognise potential attacks and immediately alert personnel to any unusual fluctuations in data activity.
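As an added illustration of the kind of alerting described above (example code written for this page, not from the original article or any named product), the following Python sketch flags the signature of mass encryption: many distinct files rewritten within a short window with near-random content or an unfamiliar extension. It assumes a hypothetical file-activity monitor that feeds it one event per write; the sample event streams are constructed.

```python
import math
from collections import Counter, deque
from dataclasses import dataclass

@dataclass
class FileEvent:  # one file-write event as a file-activity monitor reports it
    ts: float       # event time in seconds
    path: str       # file that was written
    new_ext: str    # extension after the write, e.g. ".docx" or ".locked"
    sample: bytes   # first bytes of the file's new content

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext and compressed data sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

class EncryptionBurstDetector:
    """Alerts when many distinct files are rewritten suspiciously inside a sliding
    window: near-random content (encrypted) or an extension the organisation never uses."""
    def __init__(self, window_s=10.0, min_files=20, entropy_threshold=7.0,
                 known_exts=(".docx", ".xlsx", ".pdf", ".txt")):
        self.window_s, self.min_files = window_s, min_files
        self.entropy_threshold, self.known_exts = entropy_threshold, set(known_exts)
        self.suspicious = deque()  # (ts, path) of recent suspicious rewrites

    def is_suspicious(self, ev: FileEvent) -> bool:
        return (shannon_entropy(ev.sample) >= self.entropy_threshold
                or ev.new_ext.lower() not in self.known_exts)

    def observe(self, ev: FileEvent) -> bool:
        """Feed one event (in time order); True means raise an alert now."""
        while self.suspicious and ev.ts - self.suspicious[0][0] > self.window_s:
            self.suspicious.popleft()  # slide the window forward
        if self.is_suspicious(ev):
            self.suspicious.append((ev.ts, ev.path))
        return len({p for _, p in self.suspicious}) >= self.min_files

def count_alerts(events):
    """Run a stream through a fresh detector; return how many events alerted."""
    det = EncryptionBurstDetector()
    return sum(det.observe(ev) for ev in sorted(events, key=lambda e: e.ts))

# Constructed sample streams, not real telemetry.
RANDOM_LIKE = bytes(range(256))  # entropy exactly 8.0, stands in for ciphertext
PLAIN_TEXT = b"Quarterly revenue figures and meeting notes " * 6
NORMAL_DAY = [FileEvent(i * 30.0, f"/share/report{i}.docx", ".docx", PLAIN_TEXT)
              for i in range(40)]
ENCRYPTION_BURST = [FileEvent(100 + i * 0.2, f"/share/report{i}.docx", ".locked",
                              RANDOM_LIKE) for i in range(40)]
```

Compressed archives and images also have high entropy, which is why a single suspicious write never alerts on its own; the distinct-file count over a short window is what separates a user saving a zip file from a process rewriting a whole share.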
So how does ransomware work? It will always try to catch you unawares, hiding behind legitimate-looking updates, innocent-looking messages, and the like. Remain vigilant and follow the defense measures above to keep your business safe against threat actors.
Conducting regular penetration testing also helps keep threat actors at bay: it searches for vulnerabilities present in your system so that you can acknowledge and address them before bad actors can exploit them.