Learn what ransomware is, how ransomware spreads on a network, how to prevent ransomware and what ransomware as a service (RaaS) is.
This article is from The Defender's Handbook: a knowledge base for cybersecurity enthusiasts to level up their cyber knowledge, one article at a time.
A perfect storm has enabled cybercriminals to launch an unprecedented number of ransomware attacks in recent years.
First, the move to remote work made it easier than ever for threat actors to access the sensitive data of businesses when home networks were unsecured. As more cybercriminals held companies’ data hostage, many companies paid up to get their data restored as soon as possible—providing positive reinforcement to those attackers watching from the sidelines.
And before we knew it, ransomware became the go-to attack tactic for hackers looking to make a quick buck.
Ransomware is a type of malware that encrypts data on a computer or network into an unreadable format until a sum of money, or ransom, is paid.
During a ransomware attack, threat actors hold the readable data hostage until the ransom is paid. Then, the threat actor promises to give the victim the means to decrypt the data into a readable format.
Ransomware is just one of the many attack tactics in a threat actor’s toolkit. When run, the ransomware program will scan the file storage disk for files to encrypt, typically documents, spreadsheets, etc. The files are encrypted with a key that only the attackers know, thus preventing access to the files.
Hackers can infiltrate an environment in many different ways. Let’s dive into a few of the most popular ways that hackers gain their access.
1. Phishing: Phishing is still one of the most prevalent ways that threat actors gain access to an environment. Phishing emails commonly attempt to trick the user to download and open an attachment or enter their credentials into a fake login page. When you run the attachment, a second-stage backdoor is often downloaded. This could be a full-featured backdoor, giving the threat actor complete access to the host, or even the initial deployment of the ransomware.
Should the user enter their credentials into the fake login portal, the attacker may attempt to use those credentials to log in to Office 365. This allows the threat actor to send additional phishing emails from a legitimate email address. Other users are more likely to fall victim to the phishing email if it is coming from a trusted source.
Phishing occurs when a threat actor attempts to trick an unsuspecting victim into handing over their sensitive information, such as their credit card information or Social Security number. Alternatively, threat actors may attach a file with malicious code to a legitimate-looking email, encouraging the recipient to open it and unknowingly give threat actors the ability to access and encrypt their data.
2. Public-Facing Vulnerabilities: Threat actors scan the internet looking for systems with known vulnerabilities. Often, there is a gap between when a new vulnerability is publicly released and when the general public has patched their systems. Threat actors exploit these vulnerabilities to gain initial access into the environment. Once in, they typically escalate privileges and begin to deploy their malware to additional systems.
3. Drive-by downloads: A drive-by download occurs when someone navigates to a malicious webpage and unknowingly downloads malicious code to their computer just by visiting the webpage. The malicious code may run immediately or sit dormant for a period of time before encrypting the user’s data.
4. Purchased access: There’s a marketplace for everything these days, and cyberattacks are no exception. Threat actors often compromise networks at scale and then resell that access to other ransomware operators who then deploy the ransomware.
You may have heard of Software as a Service, or SaaS, which is a business model where customers pay a fee to be able to access a vendor’s product—in this case, the product is software. For example, many businesses pay Google a fee to give employees the ability to access the paid versions of Google Workspace (Gmail, Google Calendar, Google Docs, etc.).
In the same vein, Ransomware as a Service, or RaaS, is a business model that enables threat actors to pay for, obtain and use malicious code to conduct their own ransomware attacks. In turn, this enables threat actors who may not have strong coding knowledge to still be able to conduct sophisticated ransomware attacks.
Ransomware as a Service has become more popular in recent years with the growing number of ransomware attacks targeting critical infrastructures as well as small- to medium-sized businesses (SMBs).
For example, the DarkSide ransomware attack on Colonial Pipeline occurred in May 2021. This attack caused panic among the public and an increase in gas prices along the East Coast of the United States.
Another example is REvil’s Ransomware as a Service supply chain attack on the Kaseya VSA, which occurred in July 2021 and wreaked havoc on SMBs. Because both the creators and the deployers (known as affiliates) of the ransomware get a cut of any profits, it’s easy to see why Ransomware as a Service has become a lucrative business.
Read our blog to explore some of the marketplaces on the dark web that feature Ransomware as a Service.
These days, you can find examples of ransomware attacks simply by turning on the news. A few ransomware attacks really demonstrate why these attacks are so devastating.
In May 2021, cybercriminal group DarkSide unleashed a ransomware attack against Colonial Pipeline, a major pipeline that stretches 5,500 miles and transports gas, diesel and jet fuel from the Gulf Coast to the East Coast in the United States.
DarkSide was able to infiltrate Colonial Pipeline’s legacy Virtual Private Network (VPN) because of a lack of multifactor authentication (MFA).
In other words, once DarkSide had the password to access the VPN, they were able to simply log in. MFA would have added a secondary barrier to gaining access (e.g. through needing access to a specific cellphone number to receive a texted code). Unfortunately, because this legacy VPN lacked MFA, the attack merely required one set of credentials.
As a result of this ransomware attack, Colonial Pipeline shut down its operations for a weekend, gas prices rose and the public panicked. DarkSide demanded a ransom, which Colonial Pipeline paid. Ultimately, and with the help of the Department of Justice, Colonial Pipeline was able to get back $2.3 million.
This attack was pivotal for a number of reasons. First, it was a direct attack on critical US infrastructure. Had the pipeline needed to be shut down for longer than it was, it’s likely that the East Coast would have been crippled without the ability to transport goods. This attack served as a wake-up call in terms of what today’s threat actors are capable of doing.
In July 2021, cybercriminal group REvil (Sodinokibi) deployed ransomware to victimize Kaseya, an IT management software provider for MSPs and IT teams, via the company’s on-premises Virtual System Administrator (VSA). As a result of this supply chain attack, between 50 and 60 MSPs and upwards of 2,000 of their customers were believed to have been impacted. In this scenario, “impacted” ultimately means that many of these businesses experienced several weeks of downtime before finally getting hold of a decryption key.
Not only was this ransomware attack particularly sophisticated; it was one of the most complex and successful ransomware attacks in recent history. This attack was significant not only because of its immediate impact on its victims but also because of the light it shined on what today’s threat actors can do. This type of attack could happen to any vendor, demonstrating why a focus on cybersecurity is critical both for business leaders and the general public.
Leaders who operate small shops, such as city hospitals and lawyer’s offices, may assume that today’s threat actors have larger and more well-known businesses to target. They may mistakenly believe that they are all but immune to cyberattacks. Unfortunately, this isn’t the case.
Smaller shops are just as prone to cyberattacks as larger shops. Why? Because threat actors know that smaller businesses can’t defend themselves as larger businesses can. Why waste time and effort breaking into one larger business that’s hard to hack when they can get better returns with a series of smaller businesses?
Check out our blog to uncover more information as well as lessons learned.
Ransomware infections can be prevented through a combination of preventive measures and cybersecurity education. The Cybersecurity and Infrastructure Security Agency (CISA) recommends doing the following:
The FBI advises against paying the ransom. They say that paying a ransom does nothing more than reward bad behavior, giving other hackers a shining example of why ransomware attacks are worth executing. Instead, the FBI recommends other courses of action.
All of this advice is sound logic—until it’s your business or your data in the crosshairs of a threat actor. Once that happens, decisions don’t feel so black and white.
You may want to consider a ransomware negotiation service. Every business leader must make the right decision for its business. If you are thinking of paying the ransom, it may be helpful to get the guidance of a professional negotiation service that has experience lowering the total cost of the ransom payment.
Ransomware tends to be spread on a network in one of three ways:
Antivirus can potentially detect ransomware; however, its ability to do so rests squarely on the shoulders of its developers. Antivirus works by scanning files and comparing their code to known malware code. In other words, antivirus looks for similarities in code—but it has to be “trained” on what malicious code looks like in order to call it out. Therefore, if new malware code surfaces but the antivirus’ developers haven’t added that malicious code as a known threat, the antivirus will fail to flag anything suspicious.
Another factor that makes it hard for antivirus to detect ransomware is that there’s just so much ransomware to go around. It would be virtually impossible to update antivirus software with new batches of malicious code to look for as they’re discovered. As a result, antivirus may not be the best approach to detecting ransomware attacks.
Threat actors are constantly testing their new variants of malware to ensure it can sneak past common antivirus products. There are constantly new techniques being developed to help evade antivirus and it’s not uncommon for new variants of malware to go undetected for days before antivirus successfully detects it.
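To make the limitation concrete, here is an added example (not code from the article or from any antivirus product) that contrasts a signature lookup with a behavioural indicator. The "signature database" is a single constructed hash, the sample payloads are harmless byte strings built inline, and the extension list and entropy threshold are assumptions chosen for the demo. The point it shows: a renamed variant the signature has never seen sails past the hash check, while a high-entropy file that has just taken on an unusual extension still stands out, and a legitimately compressed file does not.

```python
"""Signature-only vs behaviour-based detection (added example, not the article's code)."""
import hashlib
import math
import os
from collections import Counter

# Constructed stand-in for an AV signature feed: one known-bad sample hash.
KNOWN_SAMPLE = b"CONSTRUCTED-SAMPLE-v1: walk disk, encrypt documents, drop note"
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Assumed list of extensions often appended to encrypted files; tune per environment.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}


def signature_match(data: bytes) -> bool:
    """Classic AV check: exact hash lookup. Misses anything not already in the feed."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted or compressed data,
    far lower for documents and source text. Empty input is defined as 0.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes, threshold: float = 7.0) -> bool:
    """Behavioural indicator that needs no signature: a file whose contents are
    near-random AND whose extension is one of the suspicious ones.
    Entropy alone is not enough: .zip, .png and .pdf are also high-entropy,
    so requiring both conditions keeps false positives down."""
    _, ext = os.path.splitext(name)
    return ext.lower() in SUSPICIOUS_EXTENSIONS and shannon_entropy(data) >= threshold


def run_demo() -> dict:
    """Run both checks over constructed inputs and return the verdicts."""
    new_variant = KNOWN_SAMPLE.replace(b"v1", b"v2")  # unseen variant
    random_like = bytes(range(256)) * 16                # exactly 8.0 bits/byte
    plain_text = b"The quarterly report is attached.\n" * 100
    return {
        "known_sample_by_signature": signature_match(KNOWN_SAMPLE),
        "new_variant_by_signature": signature_match(new_variant),
        "encrypted_doc_by_behaviour": looks_encrypted("report.docx.locked", random_like),
        "compressed_image_by_behaviour": looks_encrypted("photo.png", random_like),
        "plain_doc_by_behaviour": looks_encrypted("report.docx.locked", plain_text),
    }


if __name__ == "__main__":
    for check, verdict in run_demo().items():
        print(f"{check}: {verdict}")
```

In practice the behavioural check is applied to write events (many files in quick succession crossing the threshold), not to a single file, and a real product combines it with signatures rather than replacing them.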
If you discover a ransomware attack in progress, it’s critical to disconnect your computer from any networks you’re connected to as well as external devices as soon as possible. If you catch the ransomware attack quickly enough, you can isolate the spread and halt the attack in its tracks.
If you have a backup solution, make sure to have a quick way to completely isolate it from the infected host(s). Ransomware will often try to encrypt backups as well.
Activate an incident response plan if you have one. Begin communicating with the proper people in your organization to make them aware of the situation. Consider moving to an out-of-band communication solution to ensure you can continue communicating if systems begin going offline.
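Catching the attack "quickly enough" to isolate the host depends on having a signal that fires during bulk encryption rather than after it. One common defender technique is the canary file: a decoy document whose hash is recorded and re-checked; any change, rename or deletion is the trigger to disconnect the host and cut off backups as described above. The following is an added example of that check (not code from the article or from any vendor's product). All file names are constructed, the decoys live in a temporary directory, and the names are chosen to sort first and last so that an alphabetical walk of the directory reaches them early.

```python
"""Minimal ransomware canary check (added example, not the article's code)."""
import hashlib
import os
import tempfile

CANARY_CONTENT = b"CANARY FILE - do not edit. Any change triggers host isolation.\n"


def plant_canaries(root: str, names: list) -> dict:
    """Write decoy files under root and return {path: expected sha256}."""
    baseline = {}
    digest = hashlib.sha256(CANARY_CONTENT).hexdigest()
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(CANARY_CONTENT)
        baseline[path] = digest
    return baseline


def check_canaries(baseline: dict) -> list:
    """Return (path, reason) for every canary that is missing or changed.
    A missing canary covers both deletion and rename to a new extension,
    which is how most encryptors leave files behind."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
            continue
        with open(path, "rb") as fh:
            actual = hashlib.sha256(fh.read()).hexdigest()
        if actual != expected:
            alerts.append((path, "modified"))
    return alerts


def run_demo() -> list:
    """Plant two decoys, tamper with them harmlessly, and report what fired."""
    with tempfile.TemporaryDirectory() as root:
        baseline = plant_canaries(root, ["00_canary_budget.xlsx", "zz_canary_archive.docx"])
        if check_canaries(baseline):
            raise RuntimeError("baseline should be clean")
        first, second = list(baseline)
        # Constructed tampering inside the temp dir: overwrite one decoy,
        # rename the other to an unfamiliar extension.
        with open(first, "wb") as fh:
            fh.write(bytes(range(256)))
        os.rename(second, second + ".locked")
        return [reason for _, reason in check_canaries(baseline)]


if __name__ == "__main__":
    print(run_demo())  # expected: ['modified', 'missing']
```

A production version would watch the decoys with a filesystem notification API instead of polling, and the alert would feed an automated isolation action rather than a print statement.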
Not only are ransomware attacks becoming more widespread; they’re growing more sophisticated. Let’s dive into what ransomware attacks used to look like—and how they’ve evolved into what they are today.
The first known ransomware attack is believed to be an AIDS Trojan developed by evolutionary biologist Joseph Popp in 1989. He sent 20,000 infected floppy disks titled “AIDS Information — Introductory Diskettes.” Once a user inserted this floppy disk and rebooted 90 times, the Trojan became active by hiding directories and encrypting files. The ransom note demanded that the victim send $189 to PC Cyborg Corp. to regain access to the decrypted data.
Not so long ago, ransomware attacks were fairly straightforward. Threat actors would find their way into an environment, wreak havoc on a network by encrypting the data and then demand to be paid a ransom for the data’s decryption.
Then, defenders got smarter and leveled up their practices. They began isolating their backups to make it impossible to infect them. In turn, this made it more difficult for threat actors to completely cripple an organization because victims of ransomware attacks could still rely on their offline backups.
Necessity warranted threat actors’ leveling up to continue making their money. Now, before they encrypt data on a network, they steal it. As a result, they have a copy of the victim’s data to use as blackmail - if they don’t get their money, they’ll threaten to release the data in a move called double extortion.
This is particularly devastating for businesses that find their customers’ personally identifiable information in the crosshairs of a ransomware actor. Preventing that data from being leaked could be the only hope that business has of surviving a ransomware attack of this sophistication.
As anyone in cybersecurity knows, prevention is only part of the puzzle. Some attacks, such as zero days, are virtually impossible to prevent. Fast detection and response times help combat tomorrow’s threats that are currently undetectable.
To see a real-world example of how MSPs and IT resellers worked to recover from the Kaseya VSA supply chain attack, check out our on-demand webinar.
The process of transferring data from one system or device to another without authorized access.
The process of converting data from an unreadable format into a readable format.
A code that enables victims of ransomware attacks to decrypt their data into a readable format.
During a ransomware attack, double extortion occurs when attackers threaten to publicly release data unless a ransom amount is paid.
The time that an attacker is present in a victim’s environment before they’re detected.
The process of converting data from a readable format into an unreadable format.
The virtual spot an attacker secures in an environment through persistence, allowing the attacker to maintain access through system disruptions.
Software designed to disrupt, damage or help an unauthorized user gain access to a computer or network.
A stealthy attack tactic that threat actors use to gain and keep unauthorized access to a virtual environment.
A type of (usually email-based) cyberattack that occurs when threat actors disguise themselves as legitimate entities to attempt to trick users into revealing personally identifiable or sensitive information.
A code that enables victims of ransomware attacks to decrypt their data into a readable format.
A type of malware that encrypts a user’s data and requires some type of payment to the attacker for decryption to occur.
A business model that enables threat actors to obtain (for a fee) malicious code to conduct their own ransomware attacks.
A message delivered to the victim of a ransomware attack that identifies the threat actor’s demands that must be met for decryption to occur.
Organized groups of threat actors that work to organize and execute sophisticated ransomware-based cyberattacks.
The ĢTV Managed Security Platform can help detect potential ransomware incidents with Ransomware Canaries. See the ĢTV Managed Security Platform in action against threats by signing up for a free trial today.
Start for Free