According to the 2019 Verizon Data Breach Report, ransomware is the 2nd most frequent malware attack behind command & control (C2) attacks. Email is still the top delivery mechanism for all malware, including ransomware. So how do we get users to stop clicking phishing links?
Pro tip: You can’t. Humans will do human things. So we have to approach the problem of ransomware differently. In this post, we will address the basics of ransomware, and explain how an automated detection and prevention system like Varonis is the way to go to prevent ransomware attacks from taking down the network.
Want to learn ransomware basics and earn a CPE credit? Try our free course.
For even more information about ransomware, check out Troy Hunt’s free course “Introduction to Ransomware.” It’s worth 1 CPE.
- How Ransomware Works
- Protect Against Ransomware
- Who’s At Risk?
- Ransomware Types
- Ransomware Examples
- How To Respond
- Should You Pay?
- Mitigation Methods for IT Admins
- Additional Resources
What is Ransomware?
Ransomware is malware that encrypts the target victim’s data. The attacker then tries to get the victim to pay the ransom for the key to decrypt their files.
The first ransomware dates back to 1989, got distributed on floppy disks, and asked for a $189 ransom.
In 2019, the city of Baltimore got hit with a ransomware attack, which cost an estimated $18 million in recovery.
But how exactly does ransomware work?
How Ransomware Works
Ransomware is a multi-staged attack that attackers have packaged in several different ways. The basics are usually the same. Infiltrate the target’s network, encrypt as much data as possible, extort for ransom.
First, attackers need to deliver the malware payload to the target. Most often, this is a simple phishing attack with malware in the file attachments. From here, the ransomware either works locally or tries to replicate itself to other computers on the network.
2. Security Key Exchange
Next, the malware reaches out to the attackers to let them know they have infected a victim and to get the cryptographic keys that the ransomware needs to encrypt the victim’s data.
Now the ransomware does the encrypting of the victim’s files. It might start with the local disk and then try to probe the network for mapped shares or open shares to attack. The CryptoWall ransomware deleted Volume Shadow Copy files to make restoring from backup harder and looked for BitCoin wallets to steal. WannaCry used the EternalBlue vulnerability to spread to other computers and then perform the encryption.
The victim is totally pwnd, and the attacker sends the ransom note. Usually, there is some dollar figure attached, and a BitCoin link with threatening messages like “pay us or your data gets it.”
It’s worth it to note that cryptocurrency enabled ransomware to become a lucrative profession. Now the lucrativeness of criminal activity is hard to quantify, but the frequency of attacks indicates that criminals see the upside in continuing to use these techniques.
Recently attackers have used the threat of data exposure as part of their extortion plot. Ransomware can not only encrypts the data in place, it can also exfiltrate the data back to the attackers! The threat becomes, pay us or we release your data.
5. Unlocking and Recovery
Lastly, does the victim pay the ransom and hope the criminal is honorable and will send over the decryption keys? Or does the victim remove the malware infection and try to recover the encrypted data manually.
Attackers generally don’t deliver the keys, even after taking the money. Shocking, I know. That’s why the City of Baltimore ransomware incident cost so much and recovery took so long. Baltimore didn’t pay, so the IT staff had to restore the data that they could and rebuild what machines they couldn’t.
The recovery plan also needs to account for the threat of data release. But how can you prevent an attacker from releasing the stolen data? You can’t. Which makes the protection and prevention of ransomware much more important than relying on data backups for recovery.
Learn more about how ransomware works in the video below — it comes from our free 8-part introduction to ransomware course led by Troy Hunt.
How to Protect Against Ransomware: Basic Tips
In building a defense against ransomware attacks, there are things that individuals can do and things that enterprises can do to prevent the initial infection.
Don’t Click the Link!
I know, I know, you have heard that one before. But it is always worth repeating. Phishing emails delivered a large percentage of malware in 2019. Humans aren’t going to stop clicking the link, and I know this because I have clicked the link. So, as fallible mortal humans, we can at least be a little more skeptical of emails. And maybe that little bit of skepticism drops the amount of malware we allow to infect our companies. Check out our blog “The Anatomy of a Phishing Email,” and blow up the infographic and post it around your office.
Build Email Protections and Endpoint Protections
As the enterprise, we know that humans will click the link.
- Scan all emails for known malware strains, and keep firewalls and endpoint protections up to date with the latest known malware signatures.
- Notify users of out of network emails
- Provide VPNs for users to use outside of the network
Both for enterprises and personal protection, keep current backups of your important data. The best and fastest way to thwart ransomware is by a quick re-image of the disk, and then a data restore from the last good backup – unless the attacks also exfiltrated the data, which is a different issue.
Protect your Personal Information
Humans are genetically predisposed to trust other humans. It’s one of the evolutionary reasons for the vast proliferation of our species. This basic trust is how mentalists can make us believe it was our idea to make a certain choice, or how attackers get us to reveal our passwords or mother’s maiden names.
Again, be skeptical and follow protocol when someone asks you about sensitive information. It’s the same issue as the links, but this might be a real-life in-person interaction. This advice goes double for users in the C-Suite, who are the targets in whale phishing campaigns.
Technically, everyone is at risk of a ransomware attack. Economically, the more sophisticated attacks seem to target larger organizations with greater ability to pay. But not all ransomware attacks are targeted, either. Some attackers use carpet-bombing techniques and try to infect as many users as possible at once.
The bottom line, ransomware is a real risk to users and organizations.
7 Must-Know Ransomware Types
And now there is even Ransomware-as-a-Service, where hackers sell their malware to other cybercriminals, increasing the frequency and reach of ransomware. Ransomware authors can enlist anyone to sign up, and both parties would earn a percentage of the profits.
Here are some more kinds of ransomware and some details on how they work.
The first and most common category of ransomware is the encryption ransomware. CryptoLocker and CryptoWall have a reputation for being strong encryption ransomware. Encryption is the process of encoding data, so it is unreadable without the appropriate key. And to decrypt the data, you’ll need keys. There are two types of keys: symmetric and public.
Advanced Encryption Standard (AES), Rivest Cipher 4 (RC4), and Data Standard Encryption Standard (DES) are examples of a symmetric-key algorithm. With symmetric-key encryption, the same key is used for both encryption and decryption. It’s only effective when the symmetric key is kept secret by the two parties involved.
Public Keys (Asymmetrical Key)
Rivest, Shamir, & Adleman use two different keys in their famous RSA algorithm. A public key that everyone has access to, and a private key that is controlled by the person who you wish to communicate with.
Breaking an Encryption
Brute force cracking -trying all the possible combinations of numbers to find the right key -a symmetric-key algorithm takes a couple of hours for a small 20-bit key to millions of years for a 128-bit key.
Both public and symmetric keys can theoretically be brute force cracked. But it’s not something to bank on. Modern encryption is simply too complicated for even the fastest computers to crack.
In short, the chances to brute force decrypt the files hit by a ransomware attack are somewhere between slim and none, and a lot closer to none.
With deletion, attackers threaten and warn: any of your attempts to decrypt files would only result in an “irrevocable loss of your data.” Or if you don’t pay, the files get deleted. Popular examples of deletion include Gpcode and FileCoder.
Pro Tip: If your files are ‘deleted’ by ransomware, they might not actually be overwritten on the disk. It’s best to restore from backup, of course, but if you don’t have a backup and you have to get your files back, you may be able to recover the data off the disk.
Attackers have also created new login screens or HTML pages that try to trick you into thinking the cops are after you, and you need to pay a fine or some other scam. They could even disable keyboard shortcuts to make the screen hard to get rid of. Examples include Winlock and Urausy.
Pro tip: Anything that pops up on your computer that asks for money is a scam.
And because ransomware works so well on PCs, attackers have built ransomware to attack mobile platforms. These are mostly the locking variety, since encrypting a mobile device that you backup all the time is rather pointless.
Here are some of the more interesting ransomware strains.
|CryptoLocker||One of the earlier and quintessential ransomware strains. Among the first to demand payment via Bitcoin. Distinguished by it’s good “customer service” and the fact it did actually decrypt your files.|
|Petya/NotPetya||The strain was spread through a vulnerability in a web-based accounting system used by Eastern European companies. Notable because it affected the boot processes, preventing users from logging in.|
|PUBG||PUBG (Players Unknown’s Battlegrounds) is a popular online game. One enthusiastic supporter took some off the shelf ransomware and made the unlock key-dependent upon playing an hour of the game.|
How To Respond to a Ransomware Attack
Follow these steps to manage and mitigate an active ransomware attack.
The first step to managing a ransomware outbreak is to isolate the infected systems from the rest of the network. Shut down those systems and pull out the network cable. Turn off the WIFI. Infected systems need to be completely isolated from the other computers and storage devices on the network.
Next, figure out what kind of malware has infected the computers. The Incident Response team, IT organization, or an outside consultant will be able to determine the strain of ransomware and start to plan out the best way to deal with the infection.
3. Involve the Authorities
Depending on the impact of the incident and any regulations that apply, it might be necessary to report the incident to the FBI or other governmental bodies. The FBI issued a PSA in 2016 asking for reports of ransomware to help increase their capabilities and understanding of the ransomware attacks.
4. Remove the Malware
Now remove the malware from the infected systems to prevent further damage or spreading of the malware.
5. Recover Data
With the malware attack contained, start the process of recovering from the attack. Paying off the ransom is an option – maybe the attackers are honorable thieves and will give you the keys you need to decrypt the data. The best option is to restore from the most recent backup available. Assuming there is a good backup available.
Should You Pay Ransomware?
No. In most cases, you shouldn’t pay the ransom. To me, the prevention of ransomware and backup and recovery options available today are the priority. Do the work now to prevent and protect data from ransomware, so having to pay the ransom isn’t ever an option.
However, it’s a much more complicated issue than that, especially if you are reading this article after the fact.
Is there cyber insurance in place for ransomware attacks? Can bitcoins be purchased to pay the ransom in time? Do backups exist for the attacked systems? Is the data even mission-critical? These are a few questions organizations might have to ask and answer when they consider to pay the ransom or not.
Before Considering Payments
Here are some items to think about before the pay/ don’t pay decision gets made.
Check Your Cyber Insurance Policy
Cyber insurance is a relatively new invention that can help defray the costs of managing a data breach or similar cybersecurity incident. Cyber insurance can help manage and cover costs like:
- Notifying customers and affected parties in a data breach
- Restoring identities and compensating affected parties
- Recovering compromised data
- Rebuilding computer systems
Cooperate with Law Enforcement
The FBI officially does not encourage paying a ransom. However, that doesn’t mean that if you go to law enforcement, that they’re going to recommend you not to pay.
If law enforcement does get involved, they will have expertise and insights that will help make these decisions, so if appropriate, do bring them in.
For example, they can tell if the attack is from a group they know about already, which brings in the prior knowledge and experience to this incident.
Also, the FBI can ensure that you aren’t inadvertently paying off a terrorist if you pay the ransom. Paying off known terrorist organizations can be illegal, and no one needs that on their conscience.
Look for a Decryption Tool
Go online to see if a decryption tool exists. If keys for this attack already exist, there’s no need to pay. Sometimes, when the police and security experts investigate cybercriminal activity, they can potentially obtain decryption keys from malicious servers and share them online. Here are some of them:
When You Should Consider Paying
At a Cybersecurity Summit, Joseph Bonavolonta, the Assistant Special Agent in charge of the FBI’s CYBER and Counterintelligence Program said, “To be honest, we often advise people just to pay the ransom.”
He explained, “The success of the ransomware ends up benefitting victims: because so many people pay, the malware authors are less inclined to wring excess profit out of any single victim, keeping ransoms low. And most ransomware scammers are good to their word. You do get your access back.”
If you pay, the FBI stated that most ransomware payments are typically between $200 and $10,000.
But there have been instances where the payment has been much higher. In 2014, attackers encrypted the City of Detroit’s files and demanded a ransom of 2,000 bitcoins, worth about $800,000 at the time. This story has a happy ending – Detroit didn’t need the database and didn’t pay the fine.
There are times when paying is the right decision. The Tennessee Dickson County Sheriff’s Office paid $622.00 in bitcoin to hackers who encrypted the department’s criminal case files. Detective Jeff McCliss said, “It really came down to a choice between losing all of that data – and being unable to provide the vital services that that data would’ve assisted us in providing the community versus spending 600-and-some-odd dollars to retrieve the data.” The department was lucky – they got back access to its files.
Thou Shall Not Pay: When to Consider Resisting
Some security experts disagree with Mr. Bonavolonta’s remarks and urge you not to pay the ransom because there’s no guarantee that even after you pay the ransom, your files will return to its original state. Moreover, paying perpetuates an ongoing problem, making you a target for more malware.
In 2016 it was reported that a Kansas hospital hit with ransomware paid the ransom in hopes of getting back to business as soon as possible, but the payment only partially decrypted their files. Instead, cybercriminals demanded more money to decrypt the rest of the files. As a result, the hospital refused to pay the second ransom because it was no longer “a wise maneuver or strategy.”
Worse, if you get infected with a defective strain such as Power Worm, you won’t get your files back regardless of what you do. Even with the intent of paying the ransom, this attack will inevitably destroy the victim’s data during the encryption of their data.
Alternatively, if you encounter an attack like NotPetya where the intention wasn’t about financial gain, but destroying data, even if you stockpile bitcoins to pay the ransom, you won’t get your data back.
The Department of Homeland Security has also advised victims not to negotiate with hackers. Conflicting advice has prompted a debate about whether the FBI is encouraging behavior that will lead to more hacking.
In a Wall Street Journal interview, FBI spokeswoman Kristen Setera declined to say if FBI officials recommend paying a ransom to hackers, as Mr. Bonavolonta stated.
Mitigation Methods for IT Admins: How Varonis Can Help
Varonis Data Security Platform is the perfect front line defense against ransomware attacks to primary data storage. When the first wave of modern ransomware appeared in 2014, Varonis already had the detection and prevention system in place – and it’s only gotten better since.
Monitor File System Activity
Varonis monitors the file system activity on storage systems and maintains a full audit trail of all activity on those systems for forensics and analysis if necessary.
In a ransomware attack, the malware encrypts files, which generates a ton of sudden file activity that all look the same to Varonis. Varonis sees one user change hundreds of files at the same time that might even have a file name that includes ‘encrypt’ or something similar. This visibility into the actual file-level events that occur during a ransomware incident is invaluable during recovery and remediation efforts.
Threat Detection and Response
Varonis doesn’t just show you that a ransomware attack occurred. It detects the threat and can neutralize the attack before too much damage gets done.
Let me say that again, Varonis detects and stops ransomware attacks in flight.
The DatAlert threat detection sees the file monitoring events, matches those events to one of the ransomware threat models, and then fires off an alert that neutralizes the attack. The alert notifies the team of the attack, but the lag time between notification and reaction could mean thousands of more files get encrypted. So we automated the ransomware response for you.
When DatAlert detects the ransomware attack, it kicks off a PowerShell script to disable the user account and shut down their machine, which stops the attack. DatAlert can trigger many different actions on alert, this use of PowerShell is just one example, and the one we implement the most for ransomware.
How great would it be to shut down a ransomware attack after it only encrypted a few hundred files – instead of your entire storage system? And you know which files got encrypted, so you can recover just those files from backup.
Varonis also helps you prepare and defend the network against ransomware before any incidents occur. DatAdvantage gathers all the user permissions for the folders on the storage devices, both on-premise and in the cloud – and shows you where files are overexposed by Global Access, excessive permissions, or broken ACLs.
Varonis then automates the processes to remove Global Access, fix broken ACLs, and remove excessive and unnecessary permissions from users and groups to move towards the least-privileged permissions setup.
Users can’t modify files where they have no access. It is known. Ransomware, therefore, only has access to encrypt the files that the infected user can access. By building these barriers in the network with the least privileged access necessary for users to do their jobs, ransomware is limited in the amount of damage it can cause.
Additional Resources and Reading
Here are some more articles about ransomware, and the links to the specific strains the Varonis Security Research Team discovered.
- Ransomware Meets Its Match With Automated Cyber Defenses
- Cerber Ransomware: What You Need to Know
- The Malware Hiding in Your Windows System32 Folder: Mshta, HTA, and Ransomware
- New SamSam Ransomware Exploiting Old JBoss Vulnerability
- 107 Must-Know Data Breach Statistics for 2020
Varonis Ransomware Discovery
Ransomware isn’t going anywhere – it seems like part of the new normal of cybersecurity. In this case, as I said before, it’s best to build a strong defense and not let ransomware do major damage if/when an attack occurs. Set up Varonis to detect and stop the ransomware attacks, and don’t forget about Troy Hunt’s Ransomware course.
We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.How it works
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.