What Is Ransomware: Definition, Types, Examples & How It Works

[Image: What is Ransomware. Image credit: Kaspersky]

Ransomware is a category of cyberattack in which cybercriminals hold sensitive company data hostage and demand a ransom in exchange for its release. Read further to get a full grasp of what ransomware is in cybersecurity and how to avoid attacks.

Ransomware: What is it?

Ransomware is a type of malware designed to prevent a user or organization from accessing the files on their computer. By encrypting those files and demanding a ransom payment for the decryption key, cyberattackers put organizations in a position where paying the ransom appears to be the easiest and cheapest way to recover access. Some variants have added extra capabilities, such as data theft, to give victims further incentive to pay.

Ransomware has quickly become the most visible and widespread type of malware. Recent ransomware attacks have hampered hospitals’ capacity to offer critical services, paralyzed city public functions, and caused severe damage to a wide range of companies.

How Ransomware Works

Ransomware is a type of malware designed to extract money from its victims by preventing them from accessing the data on their systems. The two most common ransomware types are “encryptors” and “screen lockers.” Encryptors, as the name suggests, encrypt data on a system, rendering it unusable without the decryption key. Screen lockers, on the other hand, merely block access to the system with a “lock” screen while claiming that the system has been encrypted.

To be effective, ransomware must gain access to a target system, encrypt the data, and demand a ransom from the victim. While the implementation details differ from one ransomware strain to the next, these three stages are common to all of them.

Here are the stages:

#1. Infection and Distribution Vectors

As with other forms of malware, ransomware can infiltrate an organization’s computer systems through a variety of entry points. Phishing email is one of these methods. A malicious email may contain a link to a website hosting a malicious download, or it may carry an attachment with downloader functionality built in. If the recipient is tricked into clicking the malicious link or opening the attachment, the ransomware is downloaded and executed on their computer.

Abusing services such as the Remote Desktop Protocol (RDP) is another common way ransomware spreads. An attacker who has stolen or guessed an employee’s login credentials can use them to authenticate over RDP to a computer inside the company network and gain remote access to it. With this access, the attacker can simply download the malicious software and run it on the machine under their control.

#2. Encryption of the Data

Once ransomware has gained access to a computer, it immediately begins encrypting the user’s files. Because encryption functionality is typically built into operating systems, all this requires is reading each file, encrypting it with a key controlled by the adversary, and replacing the original with the encrypted version. To keep the computer bootable and usable, the vast majority of ransomware strains are selective about which files they encrypt. Some variants also take steps to delete backups and shadow copies of files, which makes it harder to recover encrypted files without the correct decryption key.

#3. Demand for the Ransom

Once the files have been encrypted, the ransomware is ready to demand payment. Different ransomware families do this in different ways; commonly the desktop background is changed to display a ransom note, or text files containing the ransom message are dropped into each encrypted directory.

In most cases, these notes demand that the victim pay a specified amount of bitcoin to regain access to their files. If the demanded sum is paid, the ransomware operator will provide either a copy of the private key that was used to protect the symmetric encryption key or a copy of the symmetric key itself.

This key material can be entered into a decryptor program, also supplied by the cybercriminal, which uses it to reverse the encryption and restore the user’s access to their files.

Ransomware Types and Examples

The increasing prevalence of ransomware has brought with it increasingly sophisticated ransomware attacks.

Screen lockers: These programs lock the victim out of their computer, preventing them from accessing any files or data. A message is usually displayed demanding payment to unlock it.

Encrypting ransomware: Also known as “crypto-ransomware,” this type of ransomware encrypts the victim’s files and demands payment in exchange for a decryption key.

DDoS extortion: The attacker threatens to conduct a Distributed Denial of Service (DDoS) attack against the victim’s website or network, or keeps one running, until a ransom is paid.

Scareware: This sort of ransomware deceives users by displaying a false warning claiming that malware has been found on the victim’s machine. Such attacks are frequently disguised as an antivirus product requesting payment to remove nonexistent infections.

Ransomware-as-a-Service (RaaS): Cybercriminals provide ransomware programs to other hackers or cyber-attackers who use such programs to target victims.

Mobile ransomware: As the name implies, mobile ransomware targets devices such as smartphones and tablets and demands payment to unlock the device or decrypt the data.

Doxware: While less prevalent, this sophisticated type of ransomware threatens to disclose sensitive, explicit, or confidential information from the victim’s computer unless a ransom is paid.

These are only a few of the most popular varieties of ransomware. As cybercriminals adapt to cybersecurity methods, they shift to new and imaginative ways to exploit weaknesses and access computer systems.

Examples

There are many ransomware variants, each with its own set of characteristics. Some ransomware groups, however, have been more prolific and successful than others, which sets them apart from the rest.

Examples of popular ransomware:

#1. Maze

The Maze ransomware was the first ransomware strain to combine file encryption with data theft. After victims refused to pay, Maze began collecting sensitive data from their computers before encrypting it. If the ransom demands were not met, this information would be made public or sold to the highest bidder. The threat of a costly data leak served as an additional incentive to pay up.

The gang responsible for the Maze ransomware has officially ceased operations. This, however, does not imply that the threat of ransomware has subsided. Some Maze affiliates have switched to the Egregor ransomware, and the Egregor, Maze, and Sekhmet strains are thought to be related.

#2. Ryuk

Ryuk is an example of a highly targeted ransomware variant. It is typically delivered through spear-phishing emails or by using compromised user credentials to log into company systems via the Remote Desktop Protocol (RDP). Once a system is infected, Ryuk encrypts certain types of files (but skips those required for the computer to operate) and then demands a ransom.

Ryuk is well-known for being one of the most expensive varieties of ransomware. Ryuk seeks ransoms in excess of $1 million. As a result, the hackers behind Ryuk prioritize firms with the means to match their demands.

#3. REvil (Sodinokibi)

Another ransomware strain that targets major enterprises is REvil (also known as Sodinokibi).

REvil is one of the best-known ransomware families. The operation, run by the Russian-speaking REvil group since 2019, has been responsible for a number of high-profile breaches, including those of Kaseya and JBS.

It has competed with Ryuk for the title of most expensive ransomware strain for several years. REvil is reported to have demanded ransoms of $800,000.

While REvil started out as a standard ransomware variant, it has evolved over time to steal data from organizations as well as encrypting their files. In addition to demanding a ransom to decrypt the data, the attackers may threaten to publish the stolen material unless a second payment is made.

#4. DearCry

In March 2021, Microsoft released updates for four vulnerabilities in Microsoft Exchange servers. DearCry is a ransomware variant that exploits those four previously reported Microsoft Exchange vulnerabilities.

DearCry encrypts specific file types. Once encryption is complete, DearCry displays a ransom note instructing victims to email the ransomware operators to learn how to decrypt their files.

#5. WannaCry

An exploit for a Microsoft Windows vulnerability was used to build a global ransomware worm that infected over 250,000 systems before it was stopped by a kill switch. Proofpoint helped identify the sample used to find the kill switch and to take the ransomware apart.

#6. Lockbit

LockBit is file-encrypting malware that has been active for some time and now operates as a Ransomware-as-a-Service (RaaS). It was designed to encrypt large enterprise networks quickly in order to avoid detection by security appliances and IT/SOC teams.

#7. Lapsus$

Lapsus$ is a South American extortion group that has been tied to high-profile cyberattacks. The gang is infamous for extortion, threatening victims with the release of critical information if their demands are not met. It has boasted of breaking into Nvidia, Samsung, and Ubisoft, among others. The gang disguises malware files as trustworthy by using stolen source code.


#8. NotPetya

NotPetya, considered one of the most severe ransomware attacks, used tactics similar to its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows system. It exploited the same vulnerability as WannaCry to spread rapidly, then demanded payment in Bitcoin to reverse the changes. Some call it a wiper because NotPetya cannot actually undo its changes to the master boot record, leaving the target machine unrecoverable.

#9. CryptoLocker

CryptoLocker was an early example of modern ransomware: it demanded payment in cryptocurrency (Bitcoin) and encrypted the user’s hard drive and attached network drives. It was distributed by email with attachments purporting to be FedEx and UPS tracking alerts. A decryption tool was released in 2014. Nevertheless, according to several accounts, CryptoLocker extorted up to $27 million.

#10. Bad Rabbit

Bad Rabbit was a high-profile ransomware that appeared to target Russian and Ukrainian media firms. It was thought to be a cousin of NotPetya, as it used similar code and exploits to spread. Unlike NotPetya, Bad Rabbit did allow decryption if the ransom was paid. Most incidents suggested that it spread through a bogus Flash Player update delivered to users via a drive-by attack.

By studying the ransomware attacks above, organizations gain a solid understanding of their methods, exploits, and characteristics. While ransomware algorithms, victims, and capabilities are always changing, most new forms of attack are incremental rather than revolutionary.

How to Prevent Ransomware Attacks

Follow these actions to protect yourself and your system from ransomware cybersecurity attacks:

  • Avoid opening unsolicited emails or clicking on embedded links.
  • Update software, programs, and applications on a regular basis to protect them from the most recent vulnerabilities.
  • Create a security culture and provide employees with adequate knowledge of ransomware and other threats that use phishing and unsafe accounts in their campaigns.
  • Enforce the principle of least privilege to prevent users from running applications that ransomware variants can abuse.
  • Turn off file sharing where it is not needed and restrict access to shared or network drives. This reduces the chance of a ransomware infection spreading to other devices.
  • Keep three copies of your data on two different media, with one copy stored in a separate location. This is known as the 3-2-1 rule.

Organizations can also limit the reputational damage caused by ransomware’s double extortion technique by being accountable and taking the following steps:

  • Inform law enforcement about the incident and the scope of the data breach.
  • Adhere to data regulation processes, such as the General Data Protection Regulation (GDPR), and make all required disclosures and notifications.
  • Prevent similar attacks from succeeding by correcting the security flaws that the assault exploited.

In layman’s terms, what is ransomware?

Ransomware is a type of malware designed to prevent a user or organization from accessing the files on their computer. By encrypting those files and demanding a ransom payment for the decryption key, cyberattackers put organizations in a position where paying the ransom appears to be the easiest and cheapest way to recover access.

What is the source of a ransomware attack?

Ransomware is frequently spread via phishing emails with malicious attachments or through drive-by downloads. A drive-by download occurs when a person unknowingly visits an infected website and malware is downloaded and installed without the user’s awareness.

Who developed ransomware?

The first documented malware extortion attack, the “AIDS Trojan” designed by Joseph Popp in 1989, had a design flaw so severe that paying the extortionist was unnecessary.

How can I protect my computer against ransomware?

Make sure Windows Security (called Windows Defender Security Center in earlier versions of Windows 10) is turned on to help protect you from viruses and malware. Turn on Controlled Folder Access in Windows 10 or 11 to protect your important local folders from unauthorized programs such as ransomware.
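The following is an added example, not part of the original article, showing how the two checks above can be applied from an elevated PowerShell session on Windows 10/11 using the built-in Defender cmdlets. The folder path and backup application path are placeholders; Controlled Folder Access is first run in audit mode so that legitimate programs writing to protected folders can be identified before switching to block mode.

```powershell
# Added example: verify Defender real-time protection and enable Controlled
# Folder Access for an extra folder. Requires an elevated PowerShell session.
# $ProtectedFolder and $TrustedApp are constructed placeholders.

$ProtectedFolder = 'C:\Users\Public\Documents\Finance'           # placeholder
$TrustedApp      = 'C:\Program Files\ExampleBackup\backup.exe'   # placeholder

# 1. Confirm that Defender antivirus and real-time protection are running.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Defender real-time protection is off; enabling it.'
    Set-MpPreference -DisableRealtimeMonitoring $false
}

# 2. Start Controlled Folder Access in audit mode. Writes that would have been
#    blocked are logged (Event ID 1124) in the
#    Microsoft-Windows-Windows Defender/Operational log, without blocking.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect an additional folder. Profile folders such as Documents,
#    Pictures and Desktop are already protected by default.
if (Test-Path $ProtectedFolder) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolder
}

# 4. Allow a known backup tool to write into protected folders so that
#    backups keep working once block mode is enabled.
if (Test-Path $TrustedApp) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp
}

# 5. After reviewing audit events for false positives, switch to block mode;
#    blocked writes are then logged as Event ID 1123.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Show the resulting configuration for verification.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```

Leave step 2 in place for a few days of normal use before running step 5, since any unlisted program that writes to a protected folder will be blocked once block mode is active.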


References

Trend Micro

Proofpoint
