A closer look at ransomware attacks
A decade ago, ransomware was rare, but that is no longer true. The sheer number of ransomware attacks now in circulation has turned it into a game-changing threat.
Ransomware is evolving, getting faster and more sophisticated, and causing greater financial losses at every turn.
With a full-scale ransomware attack costing a mind-numbing US$1,850,000 on average, it is essential to know what you are up against and how to stay protected. This unfortunate reality shows that ransomware is on the rise, and as a small business you must prepare for it.
As new ransomware variants appear regularly, keeping track of the different strains can be challenging. While each strain is distinct, they tend to rely on similar tactics to take advantage of users and hold encrypted data hostage. With a more thorough understanding of the risks, you will be better placed to protect your business.
The most common types of ransomware
For decades, cybercriminals have dedicated time, energy, and resources to building an extensive pool of ransomware strains, which can be classified into a few specific types.
Ransomware comes in many forms today, but the main difference between them lies in the kind of asset each holds for ransom. Although there are countless ransomware strains, they mainly fall into two types: crypto-ransomware and locker ransomware.
Here are some of the most popular types of ransomware attacks on the internet today.
What is Crypto ransomware?
Crypto ransomware works by encrypting valuable files on a computer so that they become unusable. Attackers generate income by holding those files hostage and demanding a ransom before the victim can recover them.
What is Locker ransomware?
Locker ransomware, unlike crypto-ransomware, does not encrypt files. Instead, it goes one step further and locks victims out of their devices entirely. In these attacks, cybercriminals demand a ransom to unlock the device.
In both types of ransomware attack, victims are left with no way to restore normal operation on their own, which is why it is vital to prepare your systems so that you can recover without giving in to the attackers.
What is Double extortion ransomware?
Double extortion ransomware both encrypts files and exfiltrates data, which is then used to blackmail victims into paying. With this kind of ransomware, attackers threaten to publish the stolen data if their demands are not met, meaning that even if victims restore their data from backup, the attacker still holds leverage over them. Paying the ransom does not guarantee the protection of the data either, since the attackers retain a copy of everything they stole.
What is Leakware?
With Leakware (also known as Doxware), the attacker threatens to release the data publicly rather than destroying it. These attacks target organizations such as banks and nationalized entities (including governmental organizations) that handle confidential or sensitive data.
What is RaaS (Ransomware as a Service)?
RaaS creators rent out access to a ransomware strain to other cybercriminals, offering it as a pay-for-use service. RaaS perpetrators host their ransomware on dark net sites, allowing criminals to purchase it on a subscription basis, much like a SaaS model. The fees depend on the ransomware's complexity and features; generally, there is an entry fee to become a member. After the RaaS customers infect computers and collect ransom payments, a share of each ransom is paid to the RaaS creator under whatever terms the parties agreed to.
What is Scareware?
Scareware is fake software that claims to have detected a virus or other problem on your computer and offers you a fix in exchange for payment. Some types of scareware inflict damage by locking the computer, while others merely flood the screen with pop-up alerts without damaging any files.
Common Ransomware Strains
WannaCry
The WannaCry ransomware attack was designed to exploit a security vulnerability in Windows, using an exploit developed by the NSA and leaked by the Shadow Brokers hacker group. WannaCry spread across 150 countries in 2017, affected 230,000 computers worldwide, and hit one-third of all NHS hospitals in the UK, causing estimated damages of 92 million pounds. Victims were locked out of their files and told to pay a ransom in Bitcoin. The WannaCry attack caused worldwide financial damage of about US$4 billion and exposed the problem of outdated systems: the operating system vulnerability it exploited already had a patch available at the time of the attack.
Facts:
- Year of attack: 2017
- Primary target: Computers running on Microsoft Windows
- Method: Propagated via a Microsoft exploit known as EternalBlue
- Countries affected: 150 countries across the globe
- Extortion (approx.): A total of 327 payments amounting to US$130,634.77
NotPetya and Petya
Petya requires the user to grant it permission to make admin-level changes, after which it reboots the computer, shows a fake system crash screen, and encrypts the disk behind the scenes. Finally, it displays the ransom note.
The original Petya virus was not that successful, but a new variant, NotPetya, proved far more dangerous because it came equipped with a propagation mechanism and could spread without human intervention. NotPetya initially spread through a backdoor in accounting software widely used in Ukraine, and then via the EternalBlue and EternalRomance exploits against the Windows SMB protocol. NotPetya encrypts the MFT and other files on the hard drive, and the way it does so damages the data irreversibly, so even users who pay the ransom cannot get their data back.
Facts:
- Year of attack: 2016
- Primary target: Computers running on Microsoft Windows
- Method: Propagated via infectious email attachments
- Countries affected: Mainly Ukraine
- Extortion (approx.): Unknown
Cerber
Cerber is ransomware-as-a-service (RaaS): cybercriminals license it to carry out attacks and share their proceeds with the malware developer. It runs silently while encrypting files and prevents antivirus software and Windows built-in security features from running, so that users cannot restore their system. After successfully encrypting all the files, it displays a ransom note as the desktop wallpaper.
Facts:
- Year of attack: 2016
- Primary target: Cloud-based Microsoft 365 users
- Method: Propagated via phishing campaigns and malvertising
- Countries affected: Across the globe
- Extortion (approx.): Around $2 million in its first year
Bad Rabbit
The Bad Rabbit ransomware attack spread via so-called drive-by attacks, using insecure websites to deliver the malware. In a drive-by ransomware attack, users visit a legitimate website, unaware that attackers have already compromised it; for most drive-by attacks, simply loading the compromised page is enough. Infection can also happen when running an installer that contains disguised malware, known as a malware dropper. Bad Rabbit commonly prompted users to run a fake Adobe Flash installation, which then infected the computer with the ransomware.
Facts:
- Year of attack: 2017
- Primary target: Organizations and consumers
- Method: Propagated via a fake Adobe Flash update request
- Countries affected: Russia, Ukraine, and Eastern Europe
- Extortion (approx.): Unknown, with one publicly admitted ransom payment of $1 million
Ransomware Distribution Techniques
Now that you know the main types of ransomware attack, the cyber-security experts at IMAGINE IT believe you will be better off learning how cybercriminals distribute them across large organizations, small businesses, and companies of every size. Ransomware can infect a device when the victim visits a web page, installs a file, application, or program, or clicks a link containing malicious code that covertly downloads and installs the ransomware. The table below summarises the ways this can happen:
| Distribution technique | Description |
|---|---|
| Phishing email | Phishing emails inflict damage when you click a link embedded in the email that redirects you to a malicious web page. |
| Email attachments | Email attachments inflict damage when you open an attachment and enable malicious macros, or download a ZIP file containing a Windows Script Host (WSH) file, malicious JavaScript, or a document embedded with a Remote Access Trojan (RAT). |
| Social media | Social media ransomware inflicts damage when you click a malicious link in a Facebook or Twitter post, an instant messenger chat, or similar. |
| Malvertising | Malvertising inflicts damage when you click an advertisement on a legitimate site, unaware that it is seeded with malicious code. |
| Infected programs | Infected programs deliver ransomware when you install a web app or program containing malicious code. |
| Drive-by infections | Drive-by infections deliver ransomware when you visit an unsafe, suspicious, or fake web page, or open or close a pop-up. |
| Traffic Distribution System (TDS) | This technique inflicts damage when a user clicks a link on a legitimate gateway web page but is redirected to a malicious site chosen according to the user's OS, browser, geo-location, or other filters. |
| Self-propagation | Self-propagating ransomware spreads its malicious code to other devices over the network and via USB drives. |
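As an added defensive example (not part of the original article or IMAGINE IT's products), the check below applies the email-attachment row of the table: it inspects an attachment name and, for ZIP archives, each archive member in memory, flagging Windows Script Host and JavaScript files, macro-enabled Office documents, and password-protected entries that antivirus cannot inspect. The extension lists and the sample ZIP are constructed for illustration.

```python
import io
import zipfile

# Extensions the table associates with ransomware-carrying attachments
# (Windows Script Host and JavaScript files) plus macro-enabled Office formats
# and plain executables. These lists are illustrative, not exhaustive.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".cmd", ".bat", ".ps1"}


def risky_extension(filename):
    """Return why a file name looks risky, or None if it looks benign."""
    name = filename.lower()
    # Double extensions such as invoice.pdf.js are a common disguise,
    # so only the final extension decides how the file would execute.
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""
    if ext in SCRIPT_EXTENSIONS:
        return f"script file ({ext})"
    if ext in MACRO_EXTENSIONS:
        return f"macro-enabled document ({ext})"
    if ext in EXECUTABLE_EXTENSIONS:
        return f"executable ({ext})"
    return None


def scan_attachment(filename, data):
    """Return a list of findings for one attachment (empty means nothing flagged).
    ZIP archives are read in memory, never extracted to disk."""
    findings = []
    reason = risky_extension(filename)
    if reason:
        findings.append(f"{filename}: {reason}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                member_reason = risky_extension(member)
                if member_reason:
                    findings.append(f"{filename} -> {member}: {member_reason}")
                if zf.getinfo(member).flag_bits & 0x1:  # bit 0 = encrypted entry
                    findings.append(f"{filename} -> {member}: password-protected entry")
    return findings


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Running `scan_attachment("invoice.zip", build_sample_zip({"Invoice_2023.pdf.js": b"//", "readme.txt": b"ok"}))` flags only the disguised script member; a mail gateway would quarantine the message rather than deliver it.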
Ransomware Protection Tips
The following tips are based on what IMAGINE IT has found to prevent and combat ransomware successfully:
- Practice best-in-class IT hygiene
- Enhance your email security
- Harden endpoints
- Keep ransomware-proof data with offline backups
- Restrict access to the virtualization management infrastructure
- Develop and use an Identity and Access Management (IAM) program
- Create and test an incident response plan
- Improve the resiliency of internet-facing applications
- Know when to ask for help
- Most importantly, train your organization to recognise and prevent ransomware attacks
Boost your IT Infrastructure & protect yourself from all types of ransomware attacks with IMAGINE IT’s world-class Cybersecurity Software.
Whatever type of ransomware attack you fall victim to, bear in mind that most of them start with a malicious email. Attackers know that it only takes a single individual letting down their guard for them to get into your organization.
Anti-ransomware Cybersecurity software by Imagine IT gives you every bit of protection to keep your IT infrastructure and, most importantly, data running optimally and efficiently.