#ransomware

Ransomware lifecycle and protection methods

One of the most popular and rapidly growing categories of cybercrime is ransomware. More than 4,000 ransomware attacks occur daily. This volume of attacks, combined with the close relationships between companies and third parties, increases the risk of employee data being compromised. Sensitive data can be protected with a ransomware prevention strategy and a process for quickly detecting compromised data.

An effective attack prevention strategy involves deploying security controls at every stage in the evolution of a typical ransomware attack.

The main stages of a ransomware attack are:

  1. Phishing attack – an email containing malicious links that redirect the user to a scam site in order to steal internal credentials. This is the most common way to launch an attack;
  2. Interaction with the user (victim) – following the link, downloading attachments, etc.;
  3. Account compromise – compromise of the victim’s corporate credentials by directing them to a malicious site or by social engineering (for example, a hacker pretends to be an employee of the IT department and asks the victim to confirm a two-factor authentication prompt). At this stage malware is most often injected, initiating the installation of ransomware;
  4. Identification of privileged data – detecting and compromising privileged credentials to gain unauthorized access to sensitive network areas;
  5. Search for sensitive data (personal data, customer data, social security numbers, corporate credentials, corporate and personal email data, any digital trail that can be used for identity theft);
  6. Data exfiltration – malware is deployed to establish backdoor connections to the cybercriminal’s servers, and data is transferred over these connections. The cybercriminal will then demand a ransom for this data;
  7. Data encryption – the cybercriminal encrypts the victim’s operating systems and computers in order to cause maximum damage. The victim receives a ransom notice (usually in a TXT file) that clearly states the ransom price. Cybercriminals demand payment in cryptocurrency (bitcoin), since it is more difficult for law enforcement agencies to track its movement. To speed up payment, criminals threaten to publish the data on the dark web or delete it;
  8. Data dump – the final stage of the attack. At this stage cybercriminals publish all compromised data in a cybercriminal marketplace. Some cybercriminals delete the data instead, sparing themselves from publishing it on the black market and handling purchase requests. If the victim refuses to pay the ransom, the cybercriminal can punish the victim by publishing all the data on forums. Free access to data posted on such forums does more harm to the company than its sale to a single group of cybercriminals.

A company can protect itself and mitigate the impact of ransomware by implementing security measures at each stage of the attack:

  1. Cybersecurity training. It is very difficult to defeat ransomware once it has infiltrated the corporate network; if the intrusion is prevented, cybercriminals cannot carry out a successful attack. Employees often don’t know how to recognize threats or how to respond to them, and thus contribute to the attack’s success. It is important to provide high-quality training for all employees, inform them about potential risks and teach them to recognize threats;
  2. Tracking interactions with malicious links and attachments. To stop an attack from progressing to the next stage, such activity must be detected as soon as possible. Employees should alert IT security staff immediately;
  3. Prevent account compromise. Multi-factor authentication should be implemented. The most secure form is biometric authentication: biometric factors such as fingerprints or facial recognition are very difficult to steal or copy;
  4. Protection of privileged data. Implement a password manager, multi-factor authentication and a zero-trust security model (all internal traffic is treated as untrusted, so the user must repeatedly confirm their identity to access confidential resources);
  5. Prevent data loss. Close off sensitive network areas or segment them away from general user access. It is also necessary to ensure that all user accounts with access to restricted areas are protected by multi-factor authentication;
  6. Prevent data theft. This process consists of two elements: detection and prevention. Detection methods include:

Prevention methods include:

  1. Protection against data encryption. Rapid switchover to backup systems can minimize business disruption in the event of a ransomware attack. Such environments must be accessible only with a unique set of credentials, i.e. credentials different from those used in the normal IT environment.
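
Item 6 above separates data theft into detection and prevention. One detection approach is to compare each host’s outbound volume to unfamiliar external destinations against that host’s own baseline, since the exfiltration stage moves far more data to the attacker’s servers than a workstation normally sends. The following Python script is an added example, not code from the original article: it summarises constructed per-day flow records, excludes internal addresses and allowlisted external services, and flags any day that is far above the host’s median. The flow format, the allowlist, the RFC 1918 internal ranges, the host names and the thresholds are all assumptions made for illustration.

```python
"""Volume-based exfiltration check over per-host outbound flow summaries.

Added example, not from the original article. The flow records, the
allowlist and the thresholds are constructed; in practice the summaries
would come from NetFlow/IPFIX, a firewall or a proxy log.
"""
import ipaddress
from collections import defaultdict
from statistics import median

# External services that are expected to receive bulk data (constructed).
ALLOWED_EXTERNAL = {"backup.example.net", "mail.example.net"}
# RFC 1918 ranges plus loopback count as internal traffic and are ignored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
FACTOR = 10                 # alert when a day exceeds FACTOR x the host's median ...
MIN_BYTES = 100_000_000     # ... and at least this much, so quiet hosts don't alert on noise

# Constructed summaries: (day, src_host, dst, bytes_out). External addresses
# use the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
FLOWS = [
    (1, "ws-alice", "198.51.100.10", 20_000_000),
    (2, "ws-alice", "198.51.100.10", 25_000_000),
    (3, "ws-alice", "198.51.100.11", 18_000_000),
    (4, "ws-alice", "198.51.100.10", 22_000_000),
    (5, "ws-alice", "198.51.100.12", 30_000_000),
    (6, "ws-alice", "198.51.100.10", 12_000_000),
    (6, "ws-alice", "203.0.113.77", 2_000_000_000),   # the anomalous transfer
    (6, "ws-alice", "10.0.0.5", 5_000_000_000),       # internal file server, ignored
    (1, "ws-bob", "198.51.100.20", 50_000_000),
    (2, "ws-bob", "198.51.100.20", 55_000_000),
    (3, "ws-bob", "198.51.100.21", 48_000_000),
    (4, "ws-bob", "198.51.100.20", 52_000_000),
    (5, "ws-bob", "198.51.100.22", 47_000_000),
    (6, "ws-bob", "198.51.100.20", 51_000_000),
    (6, "ws-bob", "backup.example.net", 900_000_000),  # nightly backup, allowlisted
]


def is_internal(dst: str) -> bool:
    """True for addresses inside INTERNAL_NETS; host names are treated as external."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def daily_outbound(flows):
    """Bytes per (host, day) sent to destinations that are neither internal nor allowlisted."""
    totals = defaultdict(int)
    for day, host, dst, nbytes in flows:
        if is_internal(dst) or dst in ALLOWED_EXTERNAL:
            continue
        totals[(host, day)] += nbytes
    return totals


def detect_exfiltration(flows):
    """Return sorted (host, day, bytes) tuples for days far above the host's own median."""
    per_host = defaultdict(dict)
    for (host, day), nbytes in daily_outbound(flows).items():
        per_host[host][day] = nbytes
    alerts = []
    for host, days in per_host.items():
        # Median rather than mean, so the anomalous day does not inflate its own baseline.
        baseline = median(days.values())
        for day, nbytes in days.items():
            if nbytes >= MIN_BYTES and nbytes > FACTOR * baseline:
                alerts.append((host, day, nbytes))
    return sorted(alerts)


if __name__ == "__main__":
    for host, day, nbytes in detect_exfiltration(FLOWS):
        print(f"{host}: day {day} sent {nbytes / 1e9:.2f} GB to unfamiliar external hosts")
```

The check is coarse on purpose: a low-and-slow transfer spread over many days would stay under the threshold, which is why a volume baseline complements, rather than replaces, the segmentation and access controls listed above.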

Double Ransomware Extortion

In parallel with the development of the Internet and technology, cyberattacks are increasing. Cybercriminals keep developing new, more complex and more dangerous ways to abuse networks and servers. Double extortion ransomware attacks first appeared in 2020 and are now a serious threat to the largest companies and organizations. Such attacks can have devastating consequences, so ensuring the company’s security is a high priority.

Ransomware is malware that steals data, encrypts it, and then demands a ransom for it. The ransom can range from hundreds to millions of dollars and is usually demanded in cryptocurrency.

Double ransomware extortion is a new level of the «traditional» ransomware attack. As before, the cybercriminal takes the victim’s data, files, servers, etc., encrypts them and demands a ransom for them. In the double extortion case, however, the cybercriminal additionally threatens to publish or sell the victim’s sensitive data on the dark web if the ransom is not paid within the specified time frame. Backups help with data recovery, but they do nothing to reduce the damage of confidential information reaching the dark web.

Typically, attackers target medical facilities, schools and other educational institutions, legal organizations and similar bodies, where large amounts of confidential information are stored. The compromise of such data can completely ruin both organizations and individuals. This is what makes double extortion attacks so dangerous.

Ways to gain access to confidential data:

The most widely used ransomware families in double extortion attacks are:

  1. Netwalker Ransomware – malware for the Windows operating system that encrypts and exfiltrates data and demands a ransom;
  2. Egregor Ransomware – the program steals confidential data, encrypts it and demands a ransom payment within 3 days. Some of the data is also published on the darknet as proof that the criminals hold it;
  3. Ransomware as a service (RaaS) – a subscription-based ransomware model for affiliates. Affiliates use a set of tools to carry out an attack and, if successful, receive a percentage of the ransom;
  4. Sodinokibi (Ransomware Evil) – ransomware that encrypts data and then deletes the ransom message;
  5. Conti – a particularly dangerous type due to its encryption speed; it spreads very quickly and infects other systems.

The sequence for performing a double ransomware attack is:

Cybercriminals don’t follow ethical norms or rules. If the victim refuses to pay the ransom, there will definitely be consequences. But even if the ransom is paid on time, there is no guarantee that the data will be fully and safely returned to its legal owner. Attackers don’t care whose lives or companies they destroy; they have their own interests, which must be satisfied.

How to prevent this type of attack:

How to avoid becoming a ransomware victim?

The number of cyberattacks has been rising continuously in recent years. The victims are individuals or organizations with weak cybersecurity. There is no sector cybercriminals have not affected: medicine and healthcare, government, finance, culture, manufacturing, insurance, etc. Any company anywhere in the world can become a victim.

Ransomware is the most common type of cyberattack, with approximately 623 million incidents in 2021. A reliable information security system, together with an understanding of how such programs operate, can reduce both the risk of infection and its consequences.

Ransomware is malware that aims to steal and encrypt files, sensitive data or personally identifiable information. The files can be recovered with the help of a special decryption key. Cybercriminals use extortion tactics to force the victim to pay the ransom: the data is held as collateral until the victim pays the set amount. Poor security and unpatched vulnerabilities are bait for attackers, giving them a way onto the network and onto the victim’s computer or mobile device, where the ransomware-laden malware is injected. Cybercriminals increasingly demand ransom in cryptocurrency (for example, bitcoin), a payment system known for hiding financial activity. Tracking ransom payments is difficult, but still possible. Ransomware is especially dangerous and destructive for organizations that depend on the encrypted data for their day-to-day operations.

Types of ransomware:

How you can get infected with ransomware:

  1. Phishing emails are the main cause of infection. Infection occurs by opening or downloading malicious attachments (PDFs, .exe applications, Word documents, .zip files, etc.) or by following infected links that lead to a malicious website (spyware, trojans, keyloggers). The attack can also be carried out through a series of SMS messages with an image or a link to a website where the victim is asked to enter confidential information.
  2. Infected web pages are used to distribute malware. By clicking a link or visiting an unverified site, the user risks automatically starting a ransomware download. Users should practise safe web browsing and check the spelling of the URL: a decoy site can be identified by a misspelled address that mimics a legitimate one. If in doubt, don’t visit it.
  3. Malicious advertising (malvertising) is malware disguised as advertising in legitimate ad space. Legitimate advertising space can carry malicious ads that look like a real banner, and such an ad downloads ransomware when clicked. Users should be wary of ads about free offers, message notifications, videos, animations and adult images.
  4. Attack on the Remote Desktop Protocol (RDP – a feature of Microsoft Windows that allows users to connect remotely to another computer or server). An RDP attack is characterized by a hacker infiltrating a system in an attempt to steal data or install malware.
  5. Social engineering – attackers impersonate legitimate representatives (law enforcement, support services, etc.) to get the victim to «accidentally» reveal personal or confidential information. Such an attack can be carried out through emails, text messages, phone calls, online chat and social networks. After obtaining the necessary information from the victim, the attackers use it to launch a larger cyberattack.
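
The advice in item 2 above to check the spelling of a URL can be partly automated on the defender’s side, for instance in a mail gateway or a help-desk triage tool. The following Python script is an added example, not code from the original article: it extracts the host name from a link, compares it with a constructed allowlist of trusted domains, and flags digit-for-letter substitutions, one-character typos and trusted names embedded as a subdomain of an unrelated domain. The allowlist, the homoglyph table, the registrable-domain shortcut and the sample links are all assumptions made for illustration.

```python
"""Lookalike-URL check for links found in email, as a defender-side aid.

Added example, not from the original article. The allowlist, the homoglyph
table and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation treats as legitimate.
TRUSTED_DOMAINS = ["example-bank.com", "login.example.com", "github.com"]

# Digits commonly substituted for the letters they resemble (0->o, 1->l, 3->e, 5->s).
HOMOGLYPHS = str.maketrans("0135", "oles")

# Edit distance at or below which a name counts as a near-miss of a trusted one.
# Kept at 1 so that distinct real brands one letter apart are not flagged
# against each other; tune it against your own allowlist.
MAX_EDIT_DISTANCE = 1


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute all cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(host: str) -> str:
    """Undo the cheapest visual tricks: rn->m, vv->w and digit-for-letter swaps."""
    host = host.lower().rstrip(".")
    return host.replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def registrable(host: str) -> str:
    """Last two labels of the host. A simplification: a real implementation
    would consult the Public Suffix List so that suffixes like co.uk work."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike of <domain>', 'unknown' or 'invalid'."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "invalid"
    reg = registrable(host)
    trusted_regs = [registrable(d) for d in TRUSTED_DOMAINS]
    if reg in trusted_regs:
        return "trusted"
    norm = normalise(reg)
    for td in trusted_regs:
        # 1. a homoglyph/digit substitution collapses to a trusted name
        # 2. a one-character typo of a trusted name
        # 3. a trusted name embedded in a subdomain of an unrelated domain
        if (norm == normalise(td)
                or levenshtein(norm, normalise(td)) <= MAX_EDIT_DISTANCE
                or (td in host and not host.endswith("." + td))):
            return f"lookalike of {td}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a suspicious email.
    for link in ["https://login.example.com/reset", "https://examp1e.com/reset",
                 "http://exarnple-bank.com/", "https://github.com.evil-host.net/login",
                 "https://gihub.com/", "https://www.python.org/"]:
        print(f"{link:45} -> {classify_url(link)}")
```

The result is a triage hint, not a verdict: an "unknown" domain is not necessarily malicious, and a "lookalike" still needs a human or a reputation feed to confirm, but the three checks catch the patterns users are least likely to notice by eye.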

How to prevent ransomware attacks:

  1. Creating a backup copy of data and storing it on an external hard drive or a cloud server;
  2. Updating systems and applications – outdated systems and applications with old security protocols can lead to ransomware infections;
  3. Installing anti-virus software and a firewall;
  4. Protecting all endpoints – one vulnerable endpoint can infect the entire network. Consider installing EPP or EDR;
  5. Network segmentation – it is much harder for a cybercriminal to cover a company’s entire network if it is made up of several small ones;
  6. Appropriate access management within the company;
  7. Regular security testing;
  8. Staff training in cybersecurity.

What is Ransomware?

The number of ransomware attacks is constantly rising. According to research, the number of such attacks doubled in 2021. Eastern European countries are the most targeted region for such attacks, accounting for 55% of the total number of malware infections.

Ransomware is malware that encrypts the victim’s files, databases and programs for the purpose of extracting a ransom. After infection the victim receives a message stating that the data can be decrypted by paying a ransom, usually in cryptocurrency. Ransomware can also use the «triple ransomware» technique to create a «digital hostage»: the cybercriminal takes copies of the victim’s data before encrypting it and later threatens to make them public if the victim refuses to pay.

Ransomware as a Service (RaaS) is a subscription-based model that allows affiliates to use ransomware tools to carry out attacks. Affiliates receive a percentage of each successful attack and paid ransom. RaaS has proved to be an effective way to increase profits and has helped turn digital ransomware into a successful and prosperous business.

RaaS is built on the principle of SaaS (software as a service), which makes it even easier to carry out an attack. Like SaaS, RaaS requires no special skills or experience from its users, so even inexperienced hackers can carry out sophisticated cyberattacks. RaaS software has a high probability of successful penetration and a low probability of detection. The low technical entry barrier and huge earning potential make RaaS popular, which in turn increases the number of victims.

RaaS brings high dividends to its partners. Users can register with a one-time payment or a monthly subscription. They receive documentation with step-by-step instructions for launching attacks, and some distributors provide a dashboard to track the status of each ransomware attack. Partners are recruited on the dark web.

Most compromises happen through phishing (a method of stealing confidential information). The victim is sent an email containing a link; by clicking on it, the victim unknowingly triggers a malware download. The email looks very convincing, so victims frequently fall for the provocation.

Once downloaded, the ransomware disables firewalls and antivirus programs and may also download additional components. The malware can then spread freely and silently and encrypt the victim’s files, making them inaccessible. When the attack ends, the extortion begins: the victim receives a TXT file containing the ransom demand in exchange for a decryption key. The cybercriminal may also threaten to publish the data on the dark web if payment is not made within the agreed time frame.

Since the darknet is a criminal network, any information leak can give free access to confidential and customer data. Such consequences force the victim to comply with the cybercriminal’s demands. Payments are made through the darknet using a special payment gateway.
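
The encryption stage described here, and in stage 7 of the attack lifecycle earlier on this page, leaves two traces a defender can watch for: a burst of writes whose content no longer looks like normal data (high byte entropy) under unfamiliar extensions, and a ransom note (the TXT file) dropped into many folders. The following Python script is an added example, not code from the original article: it runs these two heuristics over a constructed list of file events in an EDR-style format. The event format, the sample events, the process names, the .locked extension and the thresholds are all assumptions made for illustration.

```python
"""Heuristics for the encryption stage: a burst of high-entropy writes to
unfamiliar extensions, plus a ransom note dropped into several folders.

Added example, not from the original article. The event format and the
sample events are constructed; a real feed would come from EDR or auditd.
"""
import math
from collections import defaultdict

# Formats that are already compressed or binary; high entropy is normal there.
COMPRESSED_OR_BINARY = {"docx", "xlsx", "pptx", "pdf", "jpg", "png", "zip", "gz",
                        "mp4", "exe", "dll"}
RANSOM_NOTE_HINTS = ("readme", "decrypt", "recover", "restore")
ENTROPY_THRESHOLD = 7.5      # bits per byte; plain text sits around 4-5
BURST_THRESHOLD = 5          # suspicious writes by one process ...
WINDOW_SECONDS = 60          # ... within this many seconds

# Constructed sample content: bytes(range(256)) has exactly 8 bits/byte and
# stands in for ciphertext; the report text stands in for a normal document.
CIPHERTEXT_LIKE = bytes(range(256))
PLAINTEXT_LIKE = b"Quarterly report: revenue up, costs flat. " * 6
NOTE_TEXT = b"Your files are encrypted. Contact us to recover them."

# (timestamp_seconds, process, action, path, first_bytes_written) - constructed
SAMPLE_EVENTS = [
    (0, "winword.exe", "write", "/home/alice/docs/notes.docx", CIPHERTEXT_LIKE),
    (1, "svchosts.exe", "write", "/home/alice/docs/q1.docx.locked", CIPHERTEXT_LIKE),
    (2, "svchosts.exe", "write", "/home/alice/docs/q2.docx.locked", CIPHERTEXT_LIKE),
    (3, "python3", "write", "/home/alice/tmp/run.log", PLAINTEXT_LIKE),
    (4, "svchosts.exe", "write", "/home/alice/docs/budget.xlsx.locked", CIPHERTEXT_LIKE),
    (5, "svchosts.exe", "write", "/home/alice/photos/cat.jpg.locked", CIPHERTEXT_LIKE),
    (6, "svchosts.exe", "write", "/home/alice/photos/dog.jpg.locked", CIPHERTEXT_LIKE),
    (7, "svchosts.exe", "create", "/home/alice/docs/README_DECRYPT.txt", NOTE_TEXT),
    (8, "svchosts.exe", "create", "/home/alice/photos/README_DECRYPT.txt", NOTE_TEXT),
    (9, "winword.exe", "write", "/home/alice/docs/draft.txt", PLAINTEXT_LIKE),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1].lower()
    return name.rsplit(".", 1)[-1] if "." in name else ""


def detect(events):
    """Return a sorted list of (rule, process) alerts."""
    suspicious_ts = defaultdict(list)   # process -> timestamps of odd writes
    note_dirs = defaultdict(set)        # process -> folders a note was written to
    for ts, proc, action, path, sample in events:
        if action not in ("write", "create"):
            continue
        ext = _extension(path)
        name = path.rsplit("/", 1)[-1].lower()
        # Rule 1: high-entropy content where the format should not be dense.
        if ext not in COMPRESSED_OR_BINARY and shannon_entropy(sample) > ENTROPY_THRESHOLD:
            suspicious_ts[proc].append(ts)
        # Rule 2: a .txt whose name matches typical ransom-note wording.
        if ext == "txt" and any(h in name for h in RANSOM_NOTE_HINTS):
            note_dirs[proc].add(path.rsplit("/", 1)[0])
    alerts = set()
    for proc, stamps in suspicious_ts.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if t - start <= WINDOW_SECONDS)
            if in_window >= BURST_THRESHOLD:
                alerts.add(("mass_encryption", proc))
                break
    for proc, dirs in note_dirs.items():
        if len(dirs) >= 2:
            alerts.add(("ransom_note", proc))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, proc in detect(SAMPLE_EVENTS):
        print(f"{rule}: {proc}")
```

Entropy alone is a weak signal, because compressed formats such as .docx or .jpg are already close to 8 bits per byte; that is why the rule skips those extensions and only alerts on a burst from a single process. The thresholds are placeholders and would be tuned against a period of normal activity before the rule is allowed to page anyone.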

The best defense against ransomware attacks is a combination of staff training, security measures, and ongoing system monitoring for vulnerabilities.

Recommendations for protecting against ransomware:
