More and more, ransomware has emerged as a significant threat to individuals and businesses alike. Ransomware, a type of malware that encrypts data on infected systems, has become a lucrative option for extortionists. When the malware runs, it locks the victim’s files and allows criminals to demand payment to release them.
These attacks can impact organizations of all types and sizes. Still, small businesses can be particularly vulnerable to attacks, and the use of ransomware is on the rise. In the McAfee Labs June 2018 Threat Report, the number of new ransomware strains saw an increase of 62% in the previous four quarters. This increase brings McAfee’s total number of identified strains to roughly 16 million. Ransomware is distributed in various ways and is difficult to protect against. Like a flu virus, it is continually evolving.
There are ways to protect your business against ransomware attacks. In this article, you’ll learn how the malware spreads, the different types of ransomware proliferating today, and what you can do to avoid or recover from an attack. Hiding your head in the sand won’t work because today’s ransom seekers play dirty.
There are a few dominant types, or families, of ransomware in existence. Each type has different variants. New families will continue to surface as time goes on. Historically, Microsoft Office, Adobe PDF and image files have been targeted. Still, McAfee predicts that additional types of files will become targets as ransomware continues to evolve.
Most ransomware uses the AES algorithm to encrypt files, though some use alternative algorithms. To decrypt files, cyber extortionists typically request payment in Bitcoin or through online payment voucher services, such as Ukash or Paysafecard. The standard rate is about $500, though there have been much higher demands. Ransomware campaigns typically focus their attacks on wealthy countries where people and businesses can afford to pay the ransom.
How Ransomware Spreads
Spam is the most common method for distributing ransomware. It generally spreads using a form of social engineering. Cybercriminals trick victims into downloading an e-mail attachment or clicking a link. Fake email messages might appear to be a note from a friend or colleague asking a user to check out an attached file, for example. Or, an email might come from a trusted institution (such as a bank) asking you to perform a routine task. Sometimes, ransomware uses scare tactics such as claiming that the computer has been used for illegal activities to coerce victims. Once the user takes action, the malware installs itself on the system and begins encrypting files. It can happen in the blink of an eye with a single click.
Another standard method for spreading ransomware is a software package known as an exploit kit. These packages identify vulnerabilities and exploit them to install ransomware. In this type of attack, hackers install code on a legitimate website that redirects computer users to a malicious site. Unlike the spam method, sometimes this approach requires no additional actions from the victim. This is referred to as a “drive-by download” attack.
Spam botnets and exploit kits are relatively easy to use but require some level of technical proficiency. However, there are also options available for aspiring hackers with minimal computer skills. According to McAfee, there are ransomware-as-a-service offerings hosted on the Tor network, allowing just about anyone to conduct these types of attacks.
Common Types of Ransomware
As noted above, ransomware is constantly evolving, and new variants are appearing all the time. So, it would be difficult, if not impossible, to compile a list of every type of ransomware proliferating today. While the following is not a complete list of today’s ransomware, it gives a sense of the major players and the variety in existence.
Ransomware has been around in some form or another for the past two decades but came to prominence in 2013 with CryptoLocker. The original CryptoLocker botnet was shut down in May 2014, but not before the hackers behind it extorted nearly $3 million from victims. Since then, the CryptoLocker approach has been widely copied, although today’s variants are not directly linked to the original. The word CryptoLocker, much like Xerox and Kleenex in their respective worlds, has become almost synonymous with ransomware. CryptoLocker is distributed via exploit kits and spam. When the malware runs, it installs itself in the Windows User Profiles folder and encrypts files across local hard drives and mapped network drives. It only encrypts files with specific extensions, including Microsoft Office, OpenDocument, images and AutoCAD files. Once the dirty work is complete, a message informing the user that files have been encrypted is displayed on the user’s screen, demanding a Bitcoin payment.
CryptoWall gained notoriety after the downfall of the original CryptoLocker. It first appeared in early 2014, and variants have emerged with various names, including Cryptorbit, CryptoDefense, CryptoWall 2.0 and CryptoWall 3.0, among others. Like CryptoLocker, CryptoWall is distributed via spam or exploit kits. The initial version of CryptoWall used an RSA public encryption key. Later versions (including the latest CryptoWall 3.0) use a private AES key, further masked using a public AES key. When the victim opens the malware attachment, the CryptoWall binary copies itself into the Microsoft temp folder and begins to encode files. CryptoWall encrypts a wider variety of file types than CryptoLocker. When encryption is complete, it also displays a ransom message on a user’s screen demanding payment.
The criminals behind CTB-Locker take a different approach to virus distribution. Taking a page from the playbooks of Girl Scout Cookies and Mary Kay Cosmetics, these hackers outsource the infection process to partners in exchange for a cut of the profits. This strategy allows for achieving large volumes of malware infections at a faster rate. When CTB-Locker runs, it copies itself to the Microsoft temp directory. Unlike most forms of ransomware today, CTB-Locker uses Elliptic Curve Cryptography (ECC) to encrypt files. CTB-Locker impacts more file types than CryptoLocker. Once files are encrypted, CTB-Locker displays a ransom message demanding payment in Bitcoins.
Locky is a relatively new type of ransomware, but its approach is familiar. This malware spreads using spam, typically in the form of an email message disguised as an invoice. When opened, the invoice is scrambled, and the victim is instructed to enable macros to read the document. When macros are enabled, Locky begins encrypting an extensive array of file types using AES encryption. A Bitcoin ransom is demanded when encryption is complete. Can you sense a pattern here? The spam campaigns spreading Locky are operating on a massive scale. One company reported blocking five million emails associated with Locky campaigns over the course of two days.
TeslaCrypt is another new type of ransomware on the scene. Like most of the other examples here, it uses an AES algorithm to encrypt files. It is typically distributed via the Angler exploit kit, explicitly attacking Adobe vulnerabilities. Once a vulnerability is exploited, TeslaCrypt installs itself in the Microsoft temp folder. When the time comes for victims to pay up, TeslaCrypt gives a few payment choices: Bitcoin, PaySafeCard and Ukash are accepted here. And who doesn’t love options?
TorrentLocker is typically distributed through spam email campaigns and is geographically targeted, with email messages delivered to specific regions. Often referred to as CryptoLocker, TorrentLocker uses an AES algorithm to encrypt file types. In addition to encoding files, it also collects email addresses from the victim’s address book to spread malware beyond the initially infected computer/network—this is unique to TorrentLocker.
TorrentLocker uses a technique called process hollowing. A Windows system process is launched in a suspended state, malicious code is installed, and the process is resumed. It uses explorer.exe for process hollowing. This malware also deletes Microsoft Volume Shadow Copies to prevent restores using Windows file recovery tools. Like the others outlined above, Bitcoin is the preferred currency for the ransom payment.
According to ArsTechnica, KeRanger ransomware was discovered on a popular BitTorrent client. KeRanger is not widely distributed at this point. Still, it is worth noting because it is the first fully functioning ransomware designed to lock Mac OS X applications.
Instead of encrypting files on a victim’s computer, Petya overwrites the master boot record, leaving the operating system in an unbootable state. Petya commonly relies on phishing emails to spread its payload.
Initial reports categorized NotPetya as a variant of Petya, a strain of ransomware first seen in 2016. However, researchers now believe NotPetya is instead a malware known as a wiper with the sole purpose of destroying data and not obtaining any ransom.
WannaCry burst onto the scene in 2017 in a widespread ransomware campaign that affected organizations across the globe. Over 200,000 organizations in over 150 countries were impacted. The ransomware strain, also known as WCry or WanaCrypt0r, affects Windows machines through a Microsoft exploit known as EternalBlue.
Protect Against Ransomware
Cybercriminals armed with ransomware are a formidable adversary. While small-to-mid-sized businesses aren’t explicitly the target in ransomware campaigns, they may be more likely to suffer an attack. Frequently, small business IT teams are stretched thin and, in some cases, rely on outdated technology due to budgetary constraints. These constraints are the perfect storm for ransomware vulnerability. Thankfully, there are tried and true ways to protect your business against ransomware attacks. Security software is essential. However, you can’t rely on it alone. A proper ransomware protection strategy requires a three-pronged approach, comprising education, security and backup.
First and foremost, education is essential to protect your business against ransomware. Your staff must understand what ransomware is and the threats that it poses. Provide your team with specific examples of suspicious emails, with clear instructions on what to do if they encounter a potential ransomware lure (e.g., don’t open attachments; if you see something, say something).
Conduct bi-annual formal training to inform staff about the risk of ransomware and other cyber threats. When new employees join the team, make sure you send them an email to bring them up to date about best practices. It is essential to ensure that the message is communicated clearly to everyone in the organization, not passed around on a word-of-mouth basis. Lastly, keep staff updated as new ransomware enters the market or changes over time.
Antivirus software is essential for any business to protect against ransomware and other risks. Ensure your security software is up to date, as well, to protect against newly identified threats. Keep all business applications patched and updated to minimize vulnerabilities. Some antivirus software products offer ransomware-specific functionality. For example, Sophos offers technology that monitors systems to detect malicious activities such as file extension or registry changes. If ransomware is detected, the software can block it and alert users. However, because ransomware is continually evolving, even the best security software can be breached. This is why a secondary defence layer is critical for businesses to ensure recovery in case malware strikes: backup.
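The behaviour-based monitoring described above (watching for file extension changes) can be sketched as a sliding-window check over file-rename events. This is an added example, not Sophos code or anything from the original article; the event tuple layout, the window and threshold values, the process names and the `.locked` extension are all constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed tuning values for this sketch; not any vendor's defaults.
WINDOW = timedelta(seconds=30)
THRESHOLD = 4
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".odt", ".dwg"}

def new_extension(old, new):
    """Return the new suffix if a rename changed a document's extension."""
    before = PureWindowsPath(old).suffix.lower()
    after = PureWindowsPath(new).suffix.lower()
    return after if before in DOC_EXTS and after != before else None

def detect(events):
    """Map (pid, image) -> (first_seen, dominant new extension, count)."""
    recent = defaultdict(deque)  # (pid, image) -> (time, new extension)
    alerts = {}
    for ts, pid, image, old, new in sorted(events):
        ext = new_extension(old, new)
        if ext is None:
            continue
        when = datetime.fromisoformat(ts)
        queue = recent[(pid, image)]
        queue.append((when, ext))
        while when - queue[0][0] > WINDOW:  # expire events outside the window
            queue.popleft()
        if len(queue) >= THRESHOLD and (pid, image) not in alerts:
            top = Counter(e for _, e in queue).most_common(1)[0][0]
            alerts[(pid, image)] = (queue[0][0].isoformat(), top, len(queue))
    return alerts

# Constructed rename telemetry: (time, pid, image, old path, new path).
D = "C:\\Users\\a\\"
SAMPLE = [
    ("2024-01-01T09:00:00", 412, "winword.exe", D + "draft.docx", D + "final.docx"),
    ("2024-01-01T09:00:01", 977, "invoice.exe", D + "q1.xlsx", D + "q1.xlsx.locked"),
    ("2024-01-01T09:00:02", 977, "invoice.exe", D + "plan.dwg", D + "plan.dwg.locked"),
    ("2024-01-01T09:00:03", 977, "invoice.exe", D + "scan.pdf", D + "scan.pdf.locked"),
    ("2024-01-01T09:00:04", 977, "invoice.exe", D + "cat.jpg", D + "cat.jpg.locked"),
    ("2024-01-01T09:01:00", 1500, "convert.exe", D + "a.jpg", D + "a.png"),
    ("2024-01-01T09:05:00", 1500, "convert.exe", D + "b.jpg", D + "b.png"),
    ("2024-01-01T09:09:00", 1500, "convert.exe", D + "c.jpg", D + "c.png"),
    ("2024-01-01T09:13:00", 1500, "convert.exe", D + "d.jpg", D + "d.png"),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The slow image converter in the sample changes as many extensions as the flagged process but never within one window, which is why the rate, not the count alone, drives the alert.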
Modern total data protection solutions, like Datto, take snapshot-based, incremental backups as frequently as every five minutes to create a series of recovery points. If your business suffers a ransomware attack, this technology allows you to roll back your data to a point before the corruption occurred. When it comes to ransomware, the benefit of this is twofold. First, you don’t need to pay the ransom to get your data back. Second, everything is safe since you are restoring to before the ransomware infected your systems. The malware cannot be triggered. Here’s an example of how Datto saved the day for the international hotel chain, Crowne Plaza.
Additionally, some data protection products today allow users to run applications from image-based backups of virtual machines. This capability is referred to as “recovery-in-place” or “instant recovery.” This technology can be useful for recovering from a ransomware attack because it allows you to continue operations while your primary systems are being restored, with little to no downtime. Datto’s version of this business-saving technology is called Instant Virtualization. Instant Virtualization virtualizes systems either locally or remotely in a secure cloud in seconds. This solution ensures that businesses stay up-and-running when disaster strikes.
Ransomware and other malware shouldn’t hold you or your business hostage. If you’re ready to ensure your business is protected in the event of an emergency, give us a call.