What is a ransomware attack?
Ransomware operators get in first by some other means, such as a brute force or credential stuffing attack against an exposed login, a phishing email, or an unpatched vulnerability, which gives them access to the systems holding the data they are after. Once inside, they lock down files, folders, and databases and demand that the victim pay a ransom to regain access to the infected systems.
The dominant form today is crypto-ransomware, named for its use of cryptography rather than for cryptocurrency. Instead of merely blocking access by changing file permissions, the attacker encrypts the files and databases on the infected systems and demands payment, usually in cryptocurrency, in exchange for the decryption key. Cryptocurrency makes the recipient harder to identify, although the transactions themselves are public and can be traced, as the Colonial Pipeline case below shows. Increasingly the attackers also copy the sensitive data before encrypting it and threaten to publish it if the ransom is not paid.
Popular ransomware variants
While there are quite a few ransomware variants in the wild, the following are currently among the most common:
- Ryuk: First spotted in 2018, Ryuk is delivered through a malicious attachment in a phishing email or through compromised accounts. The operators encrypt the files and then demand a ransom. Ryuk attacks are among the most costly: average ransom demands run well over $1 million.
- REvil (Sodinokibi): REvil, also known as Sodinokibi, does not demand ransoms as high as Ryuk's, but it has about five times the market share. It mainly targets enterprise networks and is run by the Russian REvil group. REvil increasingly uses "double extortion": the data is stolen before it is encrypted, and the victim is threatened with disclosure as well as loss of access if it does not pay. REvil also runs a Ransomware-as-a-Service (RaaS) program, which broadens its reach.
- Conti V2: Conti attacks are about as common as REvil attacks and use many of the same tactics; the two families account for nearly a third of all known attacks. What makes Conti V2 so damaging is speed: according to Sophos, the attackers may need as little as 16 minutes to get through a vulnerable firewall. Conti is human-operated, so the intruders adapt to what they find rather than following a fixed script, and it uses fileless techniques to evade detection.
- Avaddon: Although REvil and Conti V2 are the most commonly seen families, Avaddon gained market share quickly thanks to its SaaS-like platform, which let affiliates launch attacks without building any of the tooling themselves. Avaddon shut down in mid-2021, but other RaaS operations, including REvil, DarkSide, Dharma, and LockBit, offer the same kind of service.
As you can see, RaaS is becoming an ever larger problem. So what is RaaS, and why is it so dangerous?
What is ransomware-as-a-service (RaaS)?
RaaS lets people launch ransomware attacks without any technical skill or knowledge of malware development. RaaS kits are sold on the dark web and occasionally turn up on the open web for those who know where to look.
There are three primary revenue models for RaaS:
- Subscriptions (monthly or annual)
- Affiliate networks, where the ransomware operators get a cut of any ransom payments
- Licensing fees
Like SaaS, RaaS is sold on these sites complete with 24/7 support, add-on bundles, user reviews, community forums, and more. Fees range from as little as $40 per month to thousands of dollars depending on the tier, and payment is typically in cryptocurrency.
The most sophisticated RaaS platforms even offer dashboards from which an affiliate can launch and monitor infections, review information on targets, and manage their account, much like a legitimate SaaS. This ease of use is the main reason RaaS platforms are behind so many recent attacks.
How ransomware attacks work
In the planning phase the perpetrators look for targets. The goal is data sensitive enough to command the highest ransom, which is why mid-sized and larger businesses are commonly targeted: they hold the data attackers want and have bank accounts large enough to pay. The attacker then looks for security holes in the victim's systems, or tries to get in with a phishing email that links to a malicious website or carries a malicious attachment, with the malware disguised as a legitimate file.
This phase is by far the most important. If the attacker does not find valuable enough data, or is thwarted by good enterprise network security, the whole attack may fail.
Once planning is complete and a target is selected, the attacker gets to work. They break into the device or network using stolen credentials or an operating system, network, or application vulnerability. From there the ransomware begins to encrypt the targeted files, folders, or databases, typically by looking for specific file extensions or specific sensitive files on the victim's systems. Depending on the ransomware used, the victim might not notice anything until it is too late.
At the same time, the attacker may also take the opportunity to install additional malware to help spread the ransomware throughout the company network and beyond.
Often the first sign of infection is a failed attempt to open an encrypted file: the user finds a ransom note where the file used to be, or a pop-up appears on the infected computer demanding a ransom to restore access. The attacker then threatens to delete or disclose the data. At this point the attacker holds the only copy of the decryption key, so the victim's options are to pay, to restore from backups, or to lose the data. Payment is usually demanded in bitcoin or another cryptocurrency so that the attacker's identity is not disclosed.
Remember that paying does not guarantee you get your systems back. The attacker may simply take the money and leave you with no decryption key and no access to your encrypted files.
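The behaviour described above (many documents rewritten to a foreign extension in a short time, then a ransom note dropped) is also what a defender can detect. The following is an added example, not code from the original article: a small heuristic detector run over a constructed, in-memory file-event log of the kind an EDR agent or auditd would produce. The thresholds, field names, process names and sample events are all assumptions chosen for the demo.

```python
"""Heuristic detection of ransomware-like file activity.

Added illustration, not code from the original article.  It runs over a
constructed, in-memory file-event log of the kind an EDR agent or auditd
would produce, and flags a process that, inside a short window, renames
many documents to one new extension across several folders, then attaches
any ransom note that process dropped.  Thresholds, field names and the
sample events are assumptions chosen for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import os
import re


@dataclass(frozen=True)
class FileEvent:
    ts: float           # seconds since the epoch
    pid: int
    proc: str
    op: str             # "write" or "rename"
    path: str
    new_path: str = ""  # destination, for renames only


# File types ransomware typically goes after; a real list is far longer.
TARGET_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".sql", ".mdb"}
# Ransom-note file names are usually some variant of these words.
NOTE_RE = re.compile(r"(readme|decrypt|recover|restore|how_to).*\.(txt|html|hta)$", re.I)


def detect(events, window=60.0, min_renames=10, min_dirs=2):
    """Return one alert per process that, within `window` seconds, renames at
    least `min_renames` target files in `min_dirs` or more directories to a
    single new extension.  Ransom-note writes by that process are attached."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pid[e.pid].append(e)

    alerts = []
    for pid, evs in by_pid.items():
        notes = [e.path for e in evs
                 if e.op == "write" and NOTE_RE.search(os.path.basename(e.path))]
        recent = deque()             # (event, new_ext) inside the sliding window
        per_ext = defaultdict(int)   # window counts per new extension
        total = 0
        alert = None
        for e in evs:
            if e.op != "rename":
                continue
            old_ext = os.path.splitext(e.path)[1].lower()
            new_ext = os.path.splitext(e.new_path)[1].lower()
            if old_ext not in TARGET_EXTS or new_ext == old_ext:
                continue             # ordinary save or rename, extension kept
            total += 1
            recent.append((e, new_ext))
            per_ext[new_ext] += 1
            while e.ts - recent[0][0].ts > window:   # expire entries outside the window
                _, expired_ext = recent.popleft()
                per_ext[expired_ext] -= 1
            top_ext, n = max(per_ext.items(), key=lambda kv: kv[1])
            dirs = {os.path.dirname(ev.path) for ev, x in recent if x == top_ext}
            if alert is None and n >= min_renames and len(dirs) >= min_dirs:
                alert = {"pid": pid, "proc": e.proc, "new_ext": top_ext,
                         "first_ts": recent[0][0].ts, "trigger_ts": e.ts,
                         "renames_in_window": n}
        if alert:
            alert["total_renames"] = total
            alert["ransom_notes"] = notes
            alerts.append(alert)
    return alerts


def sample_events():
    """Constructed file-event log for the demo (not real telemetry)."""
    ev = [FileEvent(1000.0, 412, "backupd", "write", "/var/backups/share-2021-06-01.tar")]
    for i in range(3):   # an office suite finishing saves: .tmp -> .docx, harmless
        ev.append(FileEvent(1001.0 + i, 530, "soffice.bin", "rename",
                            f"/srv/share/finance/.~lock{i}.tmp",
                            f"/srv/share/finance/memo{i}.docx"))
    t = 2000.0           # one unknown process rewrites documents in three folders
    for d in ("finance", "hr", "legal"):
        for i in range(4):
            ev.append(FileEvent(t, 9001, "kworkerd", "rename",
                                f"/srv/share/{d}/file{i}.docx",
                                f"/srv/share/{d}/file{i}.docx.locked"))
            t += 1.0
    ev.append(FileEvent(t, 9001, "kworkerd", "write", "/srv/share/HOW_TO_RECOVER_FILES.txt"))
    return ev


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(a)
```

The office suite's renames are ignored because the original extension is not a document type, while the unknown process trips the rule on its tenth rename, nine seconds after the first; in a real deployment the alert would be the trigger for the isolation steps described later in this article. The thresholds are deliberately conservative: a single folder being renamed is often a legitimate batch job, which is why the rule also asks for several directories.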
Ransomware attacks in the news
Ransomware is quite common, with several recent high-profile attacks in the news:
- Colonial Pipeline: Perhaps the most consequential ransomware attack of recent years, the May 2021 Colonial Pipeline attack disrupted fuel supplies along much of the US east coast and started with a compromised account. Carried out by the DarkSide ransomware group, it caused consumers to panic-buy gasoline. Colonial Pipeline paid the roughly $4.4 million ransom in bitcoin, but the FBI later recovered most of the bitcoin by tracing the cryptocurrency transactions.
- Acer: Acer's March 2021 attack, carried out by the REvil group, stands out for one of the largest ransoms demanded to date: $50 million. The intruders used a Microsoft Exchange Server vulnerability to reach Acer's file servers and leaked sensitive documents to the web. Making matters worse, Acer confirmed a second attack in October 2021 on its Indian offices, in which the intruders made off with about 60GB of data.
- JBS: REvil was also behind the spring 2021 ransomware attack on the international meat processor JBS, which appears to have been traced to compromised credentials found on the dark web. The attackers moved 45GB of stolen data to the file-sharing site Mega and demanded an $11 million ransom. Although JBS was able to recover most of its data without the decryption key, it chose to pay. JBS's CEO Andre Nogueira said the payment was made "to prevent any potential risk for our customers."
How to protect against ransomware attacks
The best way to handle ransomware is not to get infected in the first place, but ransomware gangs are persistent in their attempts to get in. Whether or not you have already been a victim, take the following steps now to protect against ransomware attacks.
- Eliminate passwords: Stolen credentials are one of the main entry points for ransomware. Replacing passwords with stronger authentication means a stolen credential is no longer enough to get into the organization's network. Learn more about passwordless authentication and keep your most critical applications secure.
- Set up risk-based authentication and a zero trust architecture: Use risk signals such as IP address, geolocation, device type, and time of access to drive the access control policy, and apply the zero trust rule of never trust, always verify to everyone trying to reach the network.
- Consider continuous data backups: Backup is often an afterthought. Instead of one nightly (or weekly) backup, consider a strategy of much more frequent backups. A recent, intact copy of the encrypted files removes the attacker's main leverage, since they are betting you do not have one. Note that backups do nothing against the threat of disclosure if the data was also stolen.
- Secure your backups: Keep backups on storage that cannot be deleted or modified from the systems whose data it holds, for example an offline copy or a write-once (immutable) store. Attackers look for backup files too, and will encrypt or delete any they can reach.
- Train your users to spot ransomware threats: Many ransomware attacks start with a phishing email. These do not only carry malicious attachments; many of today's phishing emails use links instead, and the links can look legitimate.
- Keep your organization's network, devices, and applications up to date: Alongside stolen credentials, the attacker's entry point is usually an exploitable flaw in the network protocols, devices, or applications your organization uses. Keeping these patched is a priority.
- Regularly scan for malware and keep your antivirus software up to date: Current endpoint protection adds a layer of defense in case a user installs malicious software or clicks a malicious link.
- Avoid unsecured Wi-Fi networks: Train your users not to use Wi-Fi networks they do not control when accessing corporate applications remotely. Attackers on such networks can snoop on the traffic and potentially capture usernames and passwords.
If it is already too late for prevention because you have fallen victim, there are still ways to respond so that you save as much data as possible.
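The risk-based authentication item above is easiest to understand as a policy that scores each login on the signals listed and then allows it, demands a stronger second factor, or refuses it. The block below is an added example, not code from the original article or any vendor's product: the weights, thresholds, the assumed "risky" network range, the user, device identifiers and coordinates are all made up for the demo.

```python
"""Risk-based access decisions from login signals.

Added example, not code from the original article or any vendor product.
Each login attempt is scored on the signals the text lists (IP address,
geolocation, device) and the policy answers allow, step_up (demand a
second, stronger factor) or deny.  The weights, thresholds, network list,
user, devices and coordinates are all assumptions made for the demo.
"""
from dataclasses import dataclass
import ipaddress
import math


@dataclass(frozen=True)
class Attempt:
    user: str
    ts: float          # seconds since the epoch
    ip: str
    lat: float
    lon: float
    device_id: str     # identifier bound to a registered device
    mfa_passed: bool = False


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class RiskEngine:
    DENY_AT = 80       # score at or above which the request is refused outright
    STEP_UP_AT = 30    # score at or above which a second factor is required

    def __init__(self, known_devices, last_login, risky_nets, max_speed_kmh=900.0):
        self.known_devices = known_devices   # user -> set of registered device_ids
        self.last_login = last_login         # user -> last successful Attempt
        self.risky_nets = [ipaddress.ip_network(n) for n in risky_nets]
        self.max_speed_kmh = max_speed_kmh   # faster than this is "impossible travel"

    def score(self, a):
        """Sum the risk signals for one attempt; returns (score, reasons)."""
        score, reasons = 0, []
        if a.device_id not in self.known_devices.get(a.user, set()):
            score += 40
            reasons.append("unregistered device")
        addr = ipaddress.ip_address(a.ip)
        if any(addr in net for net in self.risky_nets):
            score += 60
            reasons.append("source IP in risky network")
        prev = self.last_login.get(a.user)
        if prev is not None:
            hours = (a.ts - prev.ts) / 3600.0
            km = haversine_km(prev.lat, prev.lon, a.lat, a.lon)
            # ignore tiny moves; otherwise compare implied speed with the ceiling
            if km > 1.0 and (hours <= 0 or km / hours > self.max_speed_kmh):
                score += 50
                reasons.append("impossible travel")
        return score, reasons

    def decide(self, a):
        """Zero-trust style decision: every request is evaluated on its own
        signals; nothing is trusted because of where it comes from."""
        score, _ = self.score(a)
        if score >= self.DENY_AT:
            return "deny"
        if score >= self.STEP_UP_AT:
            return "allow" if a.mfa_passed else "step_up"
        return "allow"


T0 = 1_620_000_000.0   # reference time for the demo (assumed)


def build_demo_engine():
    """Engine with one assumed user, alice, last seen in New York on her laptop."""
    last = Attempt("alice", T0, "203.0.113.10", 40.7128, -74.0060, "laptop-7f3a")
    return RiskEngine(known_devices={"alice": {"laptop-7f3a"}},
                      last_login={"alice": last},
                      risky_nets=["198.51.100.0/24"])   # assumed anonymiser range


if __name__ == "__main__":
    eng = build_demo_engine()
    for attempt in (
        Attempt("alice", T0 + 7200, "203.0.113.10", 42.3601, -71.0589, "laptop-7f3a"),  # Boston, 2 h later
        Attempt("alice", T0 + 3600, "203.0.113.10", 51.5074, -0.1278, "laptop-7f3a"),   # London, 1 h later
        Attempt("alice", T0 + 7200, "203.0.113.10", 42.3601, -71.0589, "phone-91c0"),   # new device
        Attempt("alice", T0 + 7200, "198.51.100.77", 42.3601, -71.0589, "phone-91c0"),  # new device, risky IP
    ):
        print(eng.decide(attempt), eng.score(attempt)[1])
```

The Boston login on the registered laptop sails through, the "London an hour after New York" login and the new phone each get a step-up prompt, and the new phone arriving from the risky range is refused outright because the signals combine. A real deployment would also record each successful attempt back into `last_login`, and would treat a passed second factor as satisfying the step-up but never as overriding a deny.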
Responding to a ransomware infection
If you are the victim of a ransomware attack, it is crucial to take a moment and understand the situation first. Paying the ransom should be the last thing you consider, not the first; the FBI recommends against paying at all. Gather the information you have and contact law enforcement immediately.
Next, if you can identify the ransomware variant (the ransom note and the extension appended to encrypted files are the usual clues, and the No More Ransom project maintains a catalogue), look for free decryptors from trusted security sources. A decryptor will not exist for every variant, but it is an excellent place to start. Leave this work to an experienced technician: the wrong decryptor can make the problem worse.
As soon as you find an affected device, isolate it from the network, including the internal network and not just the internet; until then the ransomware can still reach its command and control server and spread to other machines. Where possible leave the machine powered on, so that evidence in memory is preserved for the investigation. Scan all devices and systems with antivirus software, and alert any third parties with access so that they can take steps to protect themselves.
At this point, check your backups and begin the removal process. Verify that the backup copies were not reached by the attacker before you restore from them, and rebuild infected machines from a known-good image rather than cleaning them in place. You may then be able to restore files from the backups to replace the encrypted data.
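Checking that backups are intact before restoring them, as the last step above and the "Secure your backups" item earlier both require, comes down to comparing the backup set with a manifest of file hashes kept somewhere the backup host cannot write. The following is an added example, not code from the original article: it builds a small backup tree in a temporary directory, simulates ransomware reaching the share, and reports what changed. The file names, contents and the entropy threshold are constructed for the demo.

```python
"""Check a backup set against an independently stored manifest before restoring.

Added example, not code from the original article.  At backup time every
file is hashed and the manifest is kept somewhere the backup host cannot
write to; before a restore the set is compared with it, so files the intruder
encrypted, deleted or planted are caught instead of restored.  The demo
builds a small backup tree in a temporary directory, simulates ransomware
reaching it, and returns the verification report; paths and contents are
constructed for the demo.
"""
import hashlib
import json
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0,
    text and most documents well below it."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root):
    """Map every file under `root` (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the tree under `root` with `manifest`.  Returns a report with
    intact, modified and missing manifest entries, plus files not in the
    manifest at all together with the entropy of their first 4 KiB."""
    root = Path(root)
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = present.pop(rel, None)
        if p is None:
            report["missing"].append(rel)
        elif sha256_file(p) == digest:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    for rel, p in sorted(present.items()):      # anything the manifest never saw
        with open(p, "rb") as f:
            head = f.read(4096)
        report["unexpected"].append((rel, round(entropy(head), 2)))
    report["safe_to_restore"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo():
    """Build a backup, take its manifest, let 'ransomware' at it, then verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, text in {"finance/q1.csv": "month,revenue\n",
                          "hr/staff.csv": "name,role\n",
                          "legal/contract.txt": "This agreement is made between...\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text * 200)
        manifest_json = json.dumps(build_manifest(root))   # would be stored off-host

        # Simulated attack on the backup share: one file encrypted and renamed,
        # one overwritten in place, one ransom note dropped.
        victim = root / "finance" / "q1.csv"
        victim.write_bytes(os.urandom(victim.stat().st_size))
        victim.rename(victim.with_name(victim.name + ".locked"))
        (root / "hr" / "staff.csv").write_bytes(os.urandom(2000))
        (root / "README_RESTORE.txt").write_text("Your files are encrypted. Pay to recover them.\n")

        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only the untouched contract survives as "ok"; the renamed file shows up as missing plus an unexpected high-entropy file, the overwritten one as modified, and the note as an unexpected low-entropy file, so the report refuses the restore. The manifest is only worth anything if it is written to a location the backup server itself cannot modify, which is the same rule the article gives for the backups.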