
Ransomware

Ransomware is malicious software (malware) that threatens to publish data, or blocks access to data or a computer system, until the victim pays a ransom to the attacker. In many cases the demand comes with a deadline: if the victim does not pay in time, the data is lost for good or the ransom is raised.

Ransomware attacks have become all too common in recent years and have hit major corporations in both North America and Europe. Cybercriminals will target any consumer or business, and victims come from every industry.

Several government authorities, including the FBI, advise against paying the ransom, because payments fund and encourage further ransomware campaigns; the No More Ransom Project gives the same advice.

Ransomware Attacks Examples

There are dozens of different ransomware families. Below are a few that had a worldwide impact and caused extensive damage.

WannaCry

WannaCry is a self-propagating ransomware worm that exploits a vulnerability in the Windows SMBv1 protocol (the EternalBlue exploit, patched by Microsoft as MS17-010) to infect additional machines without any user interaction. It is distributed as a dropper: a self-contained executable that unpacks the encryption/decryption component, the key files, and a Tor client used to communicate with the operators. The code is not obfuscated and is relatively easy to identify and remove. In May 2017 WannaCry swept across more than 150 countries in a matter of days, infecting around 230,000 systems and causing an estimated $4 billion in damage.

Ryuk

Ryuk is an example of a targeted ransomware strain. It is typically delivered through spear-phishing emails, or by logging into company systems over the Remote Desktop Protocol (RDP) with compromised user credentials. Once a system is infected, Ryuk encrypts selected file types (skipping those the operating system needs to keep running, so the victim can still see the ransom note) and then demands payment.

Ryuk is known as one of the most expensive ransomware families, with demands frequently exceeding $1 million. Accordingly, the operators behind Ryuk prioritise organisations with the means to pay.

Maze

Maze was among the first ransomware strains to combine file encryption with data theft, a tactic now known as double extortion. Before encrypting a victim's files, the Maze operators exfiltrated sensitive data; if the ransom was not paid, that data was published or sold to the highest bidder. The threat of a costly data leak served as an extra incentive to pay up.

The gang behind Maze has announced that it has ceased operations. That does not mean the threat has subsided: some Maze affiliates moved on to the Egregor ransomware, and the Egregor, Maze and Sekhmet strains are believed to be related.

REvil (Sodinokibi)

REvil (also known as Sodinokibi) is another ransomware strain that targets large enterprises.

REvil is one of the best-known ransomware families. Operated since 2019 by a Russian-speaking group, it has been behind several high-profile incidents, including the attacks on Kaseya and JBS.

It has competed with Ryuk for the title of most costly ransomware strain for several years. REvil is said to have demanded $800,000 in ransom.

While REvil began as a conventional ransomware variant, it evolved over time to steal data from organisations as well as encrypting their files.

LockBit

LockBit is file-encrypting ransomware that has been active since September 2019 and is now offered as Ransomware-as-a-Service (RaaS). It was designed to encrypt large enterprise environments very quickly, so that encryption completes before security appliances and IT/SOC teams can detect and respond to it.

DearCry

In March 2021 Microsoft released patches for four vulnerabilities in Microsoft Exchange Server (the set commonly referred to as ProxyLogon). DearCry is a ransomware variant that exploits those four vulnerabilities to get into unpatched Exchange servers.

DearCry encrypts a defined set of file types. Once encryption is complete it drops a ransom note instructing victims to email the operators to learn how to recover their data.

Lapsus$

Lapsus$ is a South America-linked extortion group tied to several high-profile intrusions. Rather than relying primarily on encryption, the gang is notorious for threatening to publish stolen data if its demands are not met. It has bragged about breaching Nvidia, Samsung and Ubisoft, and after the Nvidia breach it used stolen code-signing certificates to make its malware appear trustworthy.

How Does Ransomware Operate?

Ransomware can reach a computer in several ways. One of the most common delivery methods is phishing spam: email attachments disguised as files the recipient should trust.

Once downloaded and opened, such an attachment can take over the victim's computer, especially if it includes social-engineering tricks that persuade the user to grant it administrator rights. More aggressive ransomware, such as NotPetya, exploits security flaws to infect machines without needing to deceive anyone.

Once the malware has control of the victim's computer, its most common action is to encrypt some or all of the user's files. For technical detail, the Infosec Institute has an in-depth look at how different ransomware families encrypt files.

The crucial point is that, once encryption has finished, the files cannot be decrypted without a key known only to the attacker. In most modern families each file is encrypted with its own random symmetric key, and that key is in turn encrypted with the attacker's public key, so the victim's machine never holds anything that can recover the files.
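As an added illustration (example code written for this edit, not code from the original article or from any real ransomware family), the Go program below shows the hybrid key scheme behind that statement: each file gets a fresh random AES-256-GCM key, that key is wrapped with the attacker's RSA public key, and only the attacker's RSA private key can unwrap it. Everything runs in memory on constructed sample data; the type and function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is everything left on the victim's disk after encryption:
// the ciphertext, the GCM nonce, and the per-file key wrapped with the
// attacker's RSA public key. None of it helps without the private key.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// encryptFile models the victim-side routine. It needs only the attacker's
// public key, which is why ransomware can encrypt while fully offline.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // fresh AES-256 key for this file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	// Wrap the file key under the attacker's public key (RSA-OAEP), then
	// wipe the plaintext key so only the wrapped copy survives.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// decryptFile models the "decryptor" sold after payment: unwrapping the
// file key requires the RSA private key, which never left the attacker.
func decryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// roundTrip runs both sides on a constructed "file" and also tries an
// unrelated private key, to show that any key but the attacker's fails.
// It returns the recovered plaintext and whether the wrong key was rejected.
func roundTrip() ([]byte, bool, error) {
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048) // stays with the attacker
	if err != nil {
		return nil, false, err
	}
	unrelatedKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	plaintext := []byte("Q3 payroll export (constructed sample data)")

	ef, err := encryptFile(&attackerKey.PublicKey, plaintext)
	if err != nil {
		return nil, false, err
	}
	recovered, err := decryptFile(attackerKey, ef)
	if err != nil {
		return nil, false, err
	}
	_, wrongErr := decryptFile(unrelatedKey, ef)
	return recovered, wrongErr != nil, nil
}

func main() {
	recovered, wrongKeyRejected, err := roundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with attacker's key: %q\n", recovered)
	fmt.Printf("unrelated private key rejected: %v\n", wrongKeyRejected)
}
```

Running it prints the recovered plaintext and confirms that an unrelated private key is rejected by the OAEP unwrap. The practical consequence is the one the article draws: the victim's disk holds only ciphertext, nonces and wrapped keys, so neither analysis of the infected machine nor brute force recovers the files, and the only ways back are a backup or the attacker's private key.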

The user is then told that their files are inaccessible and will only be decrypted if they send a cryptocurrency payment, usually in Bitcoin, to the attacker. (Bitcoin is pseudonymous rather than truly untraceable, but it is hard enough to follow that attackers prefer it.)

In some variants the attacker poses as a law enforcement agency, locking the victim's computer supposedly because pornography or unlicensed software was found on it and demanding payment of a "fine"; the pretext is probably meant to discourage victims from reporting the attack. Most attacks do not bother with this ruse.

There is also a variant known as leakware or doxware, in which the attacker threatens to publish sensitive data from the victim's disk unless a ransom is paid. Because locating and exfiltrating such data takes more effort than encrypting it, encryption ransomware has been the most common variety, although the double-extortion strains described above now combine the two.

Who Is A Ransomware Victim?

Attackers choose their ransomware targets in various ways. Sometimes it is simply a matter of opportunity: universities, for example, tend to have small security teams and a large, diverse user population doing a lot of file sharing, which makes their defences easier to breach.

Other organisations are attractive targets because they seem likely to pay a ransom quickly. Government agencies and hospitals, for instance, need prompt access to their data. Law firms and other businesses holding sensitive information may pay to keep news of a breach quiet, and such companies are especially exposed to leakware attacks.

But don't assume you are safe if you fall outside these categories: as noted above, some ransomware spreads indiscriminately across the internet.

How to Avoid Ransomware?

There are several defensive measures that reduce the chance of a ransomware infection. These are good security practice in general, so following them strengthens your defences against all kinds of attacks:

  • Keep your operating system and applications patched and up to date, so there are fewer vulnerabilities to exploit.
  • Don't install software, or grant it administrator privileges, unless you know exactly what it is and what it does.
  • Install antivirus software, which detects malicious programs like ransomware as they arrive, and allowlisting software, which stops unauthorised applications from running in the first place.
  • And, of course, back up your files frequently and automatically. Keep at least one copy offline or otherwise unreachable from the machine it protects, because ransomware will also encrypt any backup it can write to. A backup won't stop an attack, but it makes the damage far less significant.

Ransomware Elimination

If your computer has been infected with ransomware, you need to regain control of it. Steve Ragan of CSO has a useful video showing how to do this on a Windows 10 machine:

The video has all the details, but the key steps are:

  • Restart Windows 10 in Safe Mode.
  • Install anti-malware software.
  • Scan the system for the ransomware program.
  • Restore the computer to an earlier state.

Bear in mind that while these steps remove the malware and return the machine to your control, they do not decrypt your files. The encryption has already happened, and if the ransomware implemented it properly, recovering the files without the attacker's key is computationally infeasible.

Should You Pay the Ransom?

If your PC has been infected with ransomware and you have lost important data that you cannot restore from backup, should you pay the ransom?

Most law enforcement agencies advise against paying ransomware attackers, on the grounds that doing so encourages criminals to produce more ransomware. In practice, many businesses hit by ransomware quickly stop thinking in terms of the "greater good" and start doing a cost-benefit analysis, weighing the ransom against the value of the encrypted data.

According to a Trend Micro study, while 66% of firms say they would never pay a ransom as a matter of principle, 65% actually do when they are hit.

There are a few things to keep in mind here, not least that the people you are dealing with are criminals. First, what looks like ransomware may not have encrypted your data at all; make sure you are not dealing with "scareware" before sending money to anyone.
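One practical way to make that check, as an added example that is not part of the original article, is to look at the supposedly encrypted files themselves: genuinely encrypted files have a near-random byte distribution and have lost their format headers, whereas scareware that only displays a ransom screen leaves the files untouched. The Go program below implements that triage on constructed samples; the magic-byte table, the entropy threshold and the sample generators are the example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math"
)

// Verdict summarises one file: its byte entropy, the file format recognised
// from its leading bytes (empty if none), and the resulting judgement.
type Verdict struct {
	Entropy        float64
	Format         string
	LooksEncrypted bool
}

// knownMagic is a deliberately small, hypothetical header table for this
// example; a real triage script would carry a much longer one.
var knownMagic = map[string][]byte{
	"PDF":      []byte("%PDF-"),
	"PNG":      {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
	"ZIP/DOCX": {'P', 'K', 0x03, 0x04},
}

// shannonEntropy returns the Shannon entropy of data in bits per byte:
// 0 for a constant file, close to 8 for ciphertext or random bytes.
func shannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// detectFormat returns the label of the known magic prefix that matches, or "".
func detectFormat(data []byte) string {
	for label, magic := range knownMagic {
		if bytes.HasPrefix(data, magic) {
			return label
		}
	}
	return ""
}

// triage combines both signals. The 7.5 bits/byte threshold is a heuristic:
// compressed formats such as ZIP, DOCX or JPEG also sit near 8, but they keep
// their magic bytes, which is why the header check matters. A file with no
// recognisable header and near-random content is what real encryption leaves
// behind; scareware leaves the original bytes in place.
func triage(data []byte) Verdict {
	format := detectFormat(data)
	entropy := shannonEntropy(data)
	return Verdict{
		Entropy:        entropy,
		Format:         format,
		LooksEncrypted: format == "" && entropy > 7.5,
	}
}

// samplePDF is a constructed stand-in for an untouched document.
func samplePDF() []byte {
	var b bytes.Buffer
	b.WriteString("%PDF-1.4\n")
	for i := 0; i < 64; i++ {
		b.WriteString("1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n")
	}
	return b.Bytes()
}

// sampleCiphertext is a constructed stand-in for an encrypted file: 4 KiB of
// chained SHA-256 output, which is statistically indistinguishable from
// ciphertext for this purpose and needs no real key material.
func sampleCiphertext() []byte {
	out := make([]byte, 0, 4096)
	state := sha256.Sum256([]byte("constructed seed"))
	for len(out) < 4096 {
		out = append(out, state[:]...)
		state = sha256.Sum256(state[:])
	}
	return out
}

func main() {
	samples := map[string][]byte{"report.pdf": samplePDF(), "report.pdf.locked": sampleCiphertext()}
	for name, data := range samples {
		v := triage(data)
		fmt.Printf("%-18s entropy=%.2f format=%q encrypted=%v\n", name, v.Entropy, v.Format, v.LooksEncrypted)
	}
}
```

Run it over a handful of files from the affected machine before deciding anything: if the "encrypted" documents still open and still carry their headers, you are looking at scareware, and the money question does not arise.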

Second, paying the attackers does not guarantee that you get your files back. Sometimes the criminals simply take the money and run, and the malware may not even contain working decryption code. But such malware quickly earns a reputation and stops making money, so in most cases (Gary Sockrider, chief security technologist at Arbor Networks, estimates 65 to 70% of the time) the attackers deliver and your data is restored.