Introduction
Ransomware attacks are a growing threat, mainly to corporations and more rarely to individuals. As a result, managers, individuals, security professionals, and hackers are all taking more interest in the topic.
Ransomware is a type of malware that encrypts files, or the entire system, on the infected machine and demands a ransom to decrypt them. Ransomware is an easy way to profit because the attackers demand payment directly: they do not have to exfiltrate sensitive data and sell it to others, which takes more effort.
While ransomware is nothing new, it’s been on the rise in recent years and shows no sign of stopping. So what should you know about ransomware?
Categories of Ransomware
Ransomware uses various ways to infect a machine and encrypt it, and can be categorised as follows:
- Locker Ransomware: This locks the entire system, and the victim cannot reach any feature after booting up the system.
- Crypto Ransomware: This encrypts the files on the victim machine so that users cannot access their data.
These are the two types of ransomware, and a given ransomware family uses just one of them.
Ransomware Variants
- BadRabbit: This ransomware mainly affected the Russian media sector and demanded 0.05 Bitcoin as ransom. Victims downloaded a malicious Adobe Flash file and ran it manually; the malicious code then ran and encrypted their files.
- BitPaymer: This ransomware mainly attacked the medical sector and is associated with the Dridex malware.
- Cerber: This encrypts files and adds the .cerber extension to the encrypted files. It can encrypt files without an online connection to its C2 servers.
- CryptoLocker: This targeted Windows machines and encrypts files with an RSA-2048 public key. Decryption requires the matching private key, and the attackers left a note saying that if the ransom is not paid, the private key will be deleted.
- Dharma: This malware is spread via RDP (Remote Desktop Protocol). Attackers search for victims exposing RDP on port 3389 and brute-force their passwords to gain access to the victim's computer, then encrypt it. Phishing is also used to spread the malware.
Some Common Vulnerabilities and Associated Ransomware Groups
- CVE-2021-35211 – Clop Ransomware
- CVE-2021-34527 – Magniber Ransomware
- CVE-2021-30116 – REvil Ransomware
- CVE-2020-1472 – Ryuk Ransomware
- CVE-2019-11539 – Sekhmet, Mailto, Maze, REvil, Black Kingdom Ransomware
- CVE-2019-11510 – REvil Ransomware
- CVE-2019-19781 – REvil, Nefilim Ransomware
- CVE-2019-11634 – Nefilim Ransomware
- CVE-2018-13379 – Cring, REvil Ransomware
- CVE-2017-0144 – WannaCry, Petya Ransomware
- CVE-2016-1019 – Locky Ransomware
- CVE-2015-1701 – Locky Ransomware
The Most Popular Ransomware
The best-known ransomware is WannaCry: it affected 7,000 computers in the first hour and 110,000 distinct IP addresses within two days, and 230,000 computers worldwide in total. It used the EternalBlue exploit. It caused the NHS (National Health Service) in the UK to collapse. The malware is written to a randomly placed file named “tasksche.exe” in the ProgramData folder, or to the C:\Windows\ folder under the names “mssecsvc.exe” and “tasksche.exe”.
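The two file-system traces the article mentions, the WannaCry dropper names under ProgramData or C:\Windows\ and the .cerber extension Cerber appends, can be turned into a small defensive scan. The following script is an added example written for this page, not code from any of the ransomware families or from the original article. It walks a directory tree and flags a file when its name matches the WannaCry indicators, when its extension matches a known ransomware extension, or when its content has near-maximal Shannon entropy, which is what encrypted output looks like. The entropy threshold, sample size, and the sample tree it builds are assumptions and constructed data; no real malware is involved.

```python
from __future__ import annotations

import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article: the WannaCry file names and the folders it drops them in,
# and the ".cerber" extension Cerber appends. The thresholds below are assumptions for this example.
WANNACRY_NAMES = {"tasksche.exe", "mssecsvc.exe"}
WANNACRY_DIRS = {"programdata", "windows"}   # parent folder names, compared case-insensitively
SUSPICIOUS_EXTENSIONS = {".cerber"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ordinary documents sit well below this, ciphertext near 8.0
SAMPLE_BYTES = 65536      # how much of each file to read for the entropy estimate
MIN_SAMPLE = 256          # skip the entropy test on tiny files, where the estimate is meaningless


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, data: bytes) -> list[str]:
    """Return the indicators that fire for one file (an empty list means nothing suspicious)."""
    reasons = []
    parents = {p.name.lower() for p in path.parents}
    if path.name.lower() in WANNACRY_NAMES and parents & WANNACRY_DIRS:
        reasons.append("wannacry-dropper-name")
    if path.suffix.lower() in SUSPICIOUS_EXTENSIONS:
        reasons.append("ransomware-extension")
    if len(data) >= MIN_SAMPLE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy-content")
    return reasons


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk `root` and map each flagged file (relative POSIX path) to the indicators that fired."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            data = fh.read(SAMPLE_BYTES)
        reasons = classify_file(path, data)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_demo_tree(root: Path) -> None:
    """Constructed sample files (not real malware): a benign document, a file carrying a WannaCry
    dropper name under a Windows folder, and a Cerber-style encrypted output."""
    (root / "Users" / "alice").mkdir(parents=True)
    (root / "Users" / "alice" / "report.txt").write_bytes(b"quarterly report\n" * 200)
    (root / "Windows").mkdir()
    (root / "Windows" / "mssecsvc.exe").write_bytes(b"MZ" + b"\x00" * 512)
    rng = random.Random(7)   # deterministic stand-in for ciphertext
    pseudo_ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    (root / "Users" / "alice" / "budget.xlsx.cerber").write_bytes(pseudo_ciphertext)


def run_demo() -> dict[str, list[str]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

The entropy test is a heuristic, not a verdict: legitimately compressed or encrypted files (archives, images, encrypted containers) score just as high, so it is most useful as a change detector, for example when many files under a user's documents folder suddenly cross the threshold or acquire an unfamiliar extension. The name check is deliberately tied to the folders the article names so that an unrelated file that merely shares a name elsewhere does not fire.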
Statistics
Associated Vulnerabilities of Some Popular Ransomware Groups:
- Conti: CVE-2018-12808, CVE-2018-13379, CVE-2020-0796, CVE-2020-1472, CVE-2021-34473, CVE-2021-34523, CVE-2021-44228, CVE-2020-0609, CVE-2021-21972, CVE-2021-21985, CVE-2021-22005, CVE-2021-26855
- LockBit: CVE-2021-22986, CVE-2018-13379
- REvil: CVE-2021-30116, CVE-2019-2725, CVE-2018-13379, CVE-2019-11510, CVE-2018-8453, CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108, CVE-2019-11539, CVE-2019-18935, CVE-2019-19781, CVE-2020-2021, CVE-2020-5902, CVE-2020-1472
- Maze/Egregor: CVE-2018-8174, CVE-2020-0688, CVE-2018-4878, CVE-2018-15982, CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108
Some interesting facts:
- 34 TB of data was stolen through ransomware attacks in the first half of 2022.
- Ransomware attacks cost 20 billion dollars worldwide in 2021.
- 32% of ransomware victims paid the ransom, but they got only 65% of their data back.
- The average ransom increased from 6,000 dollars in 2018 to 84,000 dollars in 2019.
Tactics to Infect Users
Exploit kits are tools embedded into a website to which the victim is redirected. An exploit kit tries to exploit a specific vulnerability on the visitor's machine and infect it with ransomware. After infection, the ransomware encrypts files or the whole system and demands a ransom to decrypt them. EternalBlue is a commonly used exploit of this kind.
Malicious email attachments and links are known as phishing attacks. These campaigns may target employees so that attackers can get malware into the company's systems and escalate privileges to encrypt more important files. Therefore, employees, even those who do not work in cyber security, should be informed about these campaigns.
Upcoming Threats
Sometimes ransomware groups invent a new tactic and surprise security professionals. These new tactics or methods can be group-specific, or a new invention that everyone adopts. For example, RaaS (Ransomware-as-a-Service) is a particular version of SaaS (Software-as-a-Service) that provides customers with control over already-deployed ransomware. Both the customer and the provider profit from the ransomware attack. Payment methods vary by RaaS platform: a monthly subscription, a one-time payment, or profit sharing. RaaS is attractive to attackers who do not have enough knowledge to infect the target, escalate privileges, hide the malware, demand the ransom, and decrypt successfully on their own.
Another threat is encrypting and exfiltrating the victim's data at the same time. This method is called double extortion. It gives attackers a second way to threaten the victim, especially when the victim has backed up their data. If the data is backed up, encryption alone will not work and the attack may fail. However, if the attacker has exfiltrated the data over the network, the victim can still be threatened with the publication or sale of that data. This creates a difficult situation for both the victim and the security professionals.
Modern ransomware attacks do not have to be industrialised as RaaS. They can be tailored to a specific company. Attackers research the company's characteristics (size, revenue, security systems, etc.) and its employees (profiles and interests) to conduct a more sophisticated attack. Moreover, security professionals have a harder time after such an attack, since they cannot rely on routine security measures and need measures specific to the incident.
A change in payment method increases the anonymity of the ransomware group. Cryptocurrency does not reveal the attacker's information (especially geographical information), so attackers use it. This makes it hard for security professionals to find and catch the attacker.
Should You Pay Ransom?
Paying a ransom does not guarantee that you will get your data back. The only pressure on the attacker is reputational: if the victim is a well-known company and the attacker does not return the data after being paid, the attacker's reputation and reliability are damaged, and no one will pay the ransoms they demand in future. Nevertheless, paying a ransom creates another risk: you get marked as a payer. Attackers will then predict that if you get hacked and someone demands a ransom from you, you will pay, and that prediction may increase your chance of being attacked again.
Prevention Methods
- Protect yourself from phishing campaigns. Email in particular is one of the most common ways to deceive users.
- Periodically scanning your systems to catch vulnerabilities is crucial. Exploiting vulnerabilities is another way to distribute malware.
- Do not forget to keep your software up to date.
- Back up your data (especially sensitive data) so that if a ransomware attack occurs, you will not have to pay a ransom to get your data back and can continue from the backup. Do not forget to update your backup regularly.
- A threat intelligence service may benefit your company, so that you can take measures before a cyber attack happens.
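A backup only removes the leverage of encryption if it is complete, intact, and recent. The script below is an added example written for this page (not the article's or any vendor's code) that makes those three properties checkable: it records a SHA-256 manifest of the source files when the backup is taken, then verifies a backup copy against that manifest and reports missing files, files whose content changed after the backup was taken (for example because ransomware reached the backup share), and whether the backup is older than a maximum age. The one-week age limit, the sample files, and the tampering it simulates are assumptions and constructed data.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional

MAX_BACKUP_AGE_SECONDS = 7 * 24 * 3600   # assumption: a backup older than a week counts as stale


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source: Path, created: Optional[float] = None) -> dict:
    """Record a hash for every file under `source` plus the time the backup was taken.
    Keep the manifest apart from the backup itself, so it cannot be rewritten together with the data."""
    files = {p.relative_to(source).as_posix(): sha256_file(p)
             for p in sorted(source.rglob("*")) if p.is_file()}
    return {"created": time.time() if created is None else created, "files": files}


def verify_backup(backup: Path, manifest: dict, now: Optional[float] = None) -> dict:
    """Compare a backup copy against its manifest and report what a restore would run into."""
    now = time.time() if now is None else now
    missing, modified = [], []
    for rel, expected in manifest["files"].items():
        copy = backup / rel
        if not copy.is_file():
            missing.append(rel)
        elif sha256_file(copy) != expected:
            modified.append(rel)
    stale = now - manifest["created"] > MAX_BACKUP_AGE_SECONDS
    return {"missing": missing, "modified": modified, "stale": stale,
            "ok": not missing and not modified and not stale}


def run_demo() -> tuple[dict, dict, dict]:
    """Constructed walk-through: a fresh copy verifies; the same copy judged eight days later is
    stale; a copy that was overwritten and partly deleted fails the hash check."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "documents"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (source / "notes.txt").write_text("constructed sample file\n")
        backup = Path(tmp) / "backup"
        shutil.copytree(source, backup)
        manifest = build_manifest(source)
        clean = verify_backup(backup, manifest)
        stale = verify_backup(backup, manifest, now=manifest["created"] + 8 * 24 * 3600)
        # Simulate a backup that ransomware could reach: one file overwritten, one removed.
        (backup / "finance" / "ledger.csv").write_bytes(b"\x00not the original bytes\xff")
        (backup / "notes.txt").unlink()
        tampered = verify_backup(backup, manifest)
        return clean, stale, tampered


if __name__ == "__main__":
    for label, report in zip(("clean", "stale", "tampered"), run_demo()):
        print(label, json.dumps(report))
```

Run the verification from a host that has read-only access to the backup and holds the manifest somewhere the backed-up systems cannot write to; a manifest stored next to the backup would be encrypted or replaced along with it. Scheduling this check is what turns "update your backup regularly" into something that alerts you before you need the restore.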
Conclusion
Ransomware is a popular and modern way of profiting from a cyber attack, and ransomware attacks increase year after year. There is no reason to take the risk and say, “this won't happen to me”; that is why you need to inform your employees and colleagues about ransomware. Keep your systems as safe and vulnerability-free as possible. Take proactive measures, such as backing up your data, so that you will not have to worry when a ransomware attack comes your way.