Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim, promising to restore access to the data once it is paid.
Victims are shown instructions for paying a fee to (supposedly) receive the decryption key; paying does not guarantee that a working key is ever delivered. Demands range from a few hundred dollars to many thousands, payable to the criminals in cryptocurrencies such as Bitcoin that are difficult to trace.
Three options to address an attack
There are only three basic ways to deal with data and endpoints that have been encrypted by ransomware:
1) Restore the files and endpoints from backups
2) Recreate the lost endpoints and files
3) Pay the ransom for the decryption key
How ransomware works
There are a number of ways attackers can introduce ransomware onto a computer. One of the most common delivery mechanisms is phishing spam: attachments that arrive in an email, masquerading as a file the victim should trust. Once downloaded and opened, they can take over the victim’s computer, especially if the malware has built-in social engineering tricks that persuade users to grant administrative access. More aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without needing to trick users at all.
There are several things the malware might do once it has taken over the victim’s computer, but by far the most common action is to encrypt some or all of the user’s files. The files cannot be decrypted without a cryptographic key known only to the attacker. The user is then presented with a message explaining that their files are now inaccessible and will only be decrypted if the victim sends a hard-to-trace Bitcoin payment to the attacker.
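The bulk-encryption step described above is also the most detectable one: ciphertext is close to uniformly random, so a single process that suddenly writes near-8-bits-per-byte data to many files in a short window stands out from normal document activity. The following is an added example, not code from the original page and not any vendor's product; the event tuple format, the process IDs and the sample telemetry are all constructed for this block, and the thresholds (60 s window, 20 files, 7.5 bits/byte) are assumptions to be tuned per environment.

```python
"""Behavioural heuristic for the bulk-encryption stage of ransomware.

Added example. The event format is an assumption made up for this block:
each event is (timestamp_seconds, pid, path, bytes_written). It is not any
EDR/XDR vendor's telemetry schema.
"""
import math
import random
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer: 0.0 for empty input, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_mass_encryption(events, window_s=60.0, min_files=20, entropy_threshold=7.5):
    """Return {pid: peak_distinct_files} for processes that wrote high-entropy data
    to at least `min_files` distinct paths inside some `window_s` sliding window.

    Ordinary documents sit well below 7.5 bits/byte; compressed or encrypted
    output sits near 8.0. The rate across distinct files is what separates a
    backup or archiver (few files, spread out) from an encryptor (hundreds of
    files in seconds).
    """
    high_entropy = defaultdict(list)  # pid -> [(t, path), ...]
    for t, pid, path, data in events:
        if shannon_entropy(data) >= entropy_threshold:
            high_entropy[pid].append((t, path))

    flagged = {}
    for pid, writes in high_entropy.items():
        writes.sort()
        in_window = defaultdict(int)  # path -> writes currently inside the window
        left = 0
        for t, path in writes:
            in_window[path] += 1
            while writes[left][0] < t - window_s:  # drop writes older than the window
                old_path = writes[left][1]
                in_window[old_path] -= 1
                if in_window[old_path] == 0:
                    del in_window[old_path]
                left += 1
            if len(in_window) >= min_files:
                flagged[pid] = max(flagged.get(pid, 0), len(in_window))
    return flagged


def constructed_events():
    """Constructed sample telemetry (not real data).

    pid 101: a text editor saving plain-text reports over several minutes.
    pid 303: a backup tool writing five compressed-looking archives 100 s apart.
    pid 202: a process overwriting 30 documents with random-looking bytes in 45 s.
    """
    rng = random.Random(1)
    events = []
    for i in range(30):
        text = (f"quarterly report draft {i}\n" * 40).encode()
        events.append((i * 10.0, 101, f"/home/u/docs/report{i}.txt", text))
    for i in range(5):
        archive = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append((i * 100.0, 303, f"/backup/set{i}.tar.gz", archive))
    for i in range(30):
        ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append((100.0 + i * 1.5, 202, f"/home/u/docs/report{i}.txt.locked", ciphertext))
    return events


if __name__ == "__main__":
    # Only pid 202 should be reported: the editor never writes high-entropy data,
    # and the backup tool never has more than one archive inside a 60 s window.
    print(flag_mass_encryption(constructed_events()))
```

In production this heuristic would run over real file-write telemetry from an EDR agent or a file-system audit stream, and would usually be combined with other signals the text alludes to (mass renames to a new extension, deletion of volume shadow copies, a ransom note dropped into every directory) so that a single archiver or compiler does not trip it.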
In some variants, the attacker claims to be a law enforcement agency that has locked the victim’s computer because of pornography or pirated software found on it, and demands payment of a “fine,” perhaps to make victims less likely to report the attack to the authorities. Most attacks do not bother with this pretense. There is also a variation, called leakware or doxware, in which the attacker threatens to publish sensitive data from the victim’s hard drive unless a ransom is paid. Because finding and exfiltrating such information is a trickier proposition for attackers, encryption ransomware remains by far the most common type.
Who is a target for ransomware?
There are several different ways attackers choose the organizations they target with ransomware. Sometimes it’s a matter of opportunity: for instance, attackers might target universities because they tend to have smaller security teams and a disparate user base that does a lot of file sharing, making it easier to penetrate their defenses.
On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly. For instance, government agencies or medical facilities often need immediate access to their files. Law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise quiet — and these organizations may be uniquely sensitive to leakware attacks.
Ransomware is a Business
Malware is sold and licensed much like legitimate software products and services, with subscription, per-seat and profit-sharing models that mirror legal markets.
What tools are available on the malware markets?
According to the New America Foundation, the markets for malware contain everything from simple password-cracking programs to companies offering governments a one-stop shop for surveillance and espionage. Some of these products are highly valuable: one company, Zerodium, advertises a $1.5 million payout to anyone willing to sell zero-day vulnerabilities in Apple’s iOS operating system. NSO Group, an Israeli company found to have sold surveillance malware to the UAE for monitoring human rights activists, has been valued at more than $1 billion. Alongside this big business are groups that lease access to ransomware and rent time on botnets for just hundreds to thousands of dollars a week. This divergence in prices and offerings has created a two-tiered market: a larger lower tier conducting business in online marketplaces, and a small upper tier working through personal networks and encrypted communications.
The markets encourage specialization, so that certain criminals build an entire business around developing, maintaining and selling different kinds of malware and criminal services, giving their customers up-to-date access to a massive number of potential targets. Imagine an attacker who stumbles upon the leaked source code for a piece of malware like Zeus, or a sample of ransomware, and rents time on a ready-made exploit kit or botnet to distribute it. Without ever writing a line of code, a criminal is born.
Business Models – Ransomware as a Service (RaaS)
First tracked in 2018, the PINCHY SPIDER group operates under a Ransomware as a Service (RaaS) model, in which the developer receives a share of the profits that affiliates collect from successful ransomware infections. Beginning in February 2019, this adversary advertised its intention to partner with individuals skilled in RDP/VNC access and with spammers who have experience in corporate networking.
Outlook for Ransomware
According to market research firm Gartner, several macro trends will shape the evolution of ransomware:
- The velocity and creativity of attacks continue to grow. Attackers will continue to exploit a variety of tools, tactics and techniques against an ever-increasing diversity of targets to achieve a growing range of goals. All of this further reduces the ability to anticipate and prevent security failure. Business disruption and data loss will continue to be primary motivators. Attackers will increasingly exploit legitimate software to achieve their ends.
- The security skills gap will grow, abetted by the accumulating complexity in IT systems and the rapid pace of change in security tools to protect this rapidly shifting infrastructure.
- Application delivery scale and complexity will continue to grow as a result of component containerization and native cloud delivery.
- Device and endpoint diversity will continue to grow due to the emergence of cyber-physical systems underpinning the Internet of Things (IoT), industrial IoT (IIoT), smart cities, Industry 4.0 and mobile accelerators.
- Regulatory data protection and privacy challenges will continue to grow in response to digital business’s insatiable appetite for personal data.
Security and Risk Management (SRM) leaders should be aware of these trends and take advantage of those that will help secure their organization. In response to the security skills gap and attacker trends, XDR (Extended Detection and Response) tools, Machine Learning (ML) and automation capabilities are emerging to improve security productivity and detection accuracy.
For more information, visit www.hackerstrike.com or call xxx-xx-xxxx to see a demo.