A Closer Look at Ransomware Attacks: Why They Still Work
Why ransomware attacks continue to threaten our online security
The ransomware phenomenon continues to dominate the threat landscape and affects important sectors (hospitals, banks, universities, government, law firms, mobile users) and organizations of all kinds worldwide. Ransomware attacks happen on a daily basis and still have a high rate of success, because they rely on a simple technical lever: the victim's files are encrypted, and a decryption key is offered only after a specific ransom is paid. Cyber criminals also use social engineering techniques to find their next targets, infect computers and gain access to valuable information. Such attacks disrupt businesses and force them to take cyber security seriously. According to a recent study from Google, ransomware victims have paid more than $25 million in ransoms over the last two years, making the ransomware ecosystem a destructive, yet profitable, cyber attack.
Evolution and types of ransomware
While ransomware is still causing data leakage and significant financial loss for organizations and home users alike, it's worth mentioning that it has been around since 1989 (28 years ago), when the first ransomware appeared under the name AIDS Trojan and was introduced into systems via floppy disks. Since then, the ransomware invasion has increased significantly, and there are numerous variants in the malware economy causing a lot of damage. Nowadays, there are two main types of ransomware in circulation that you should know about:
- Encrypting ransomware (data locker) uses strong encryption algorithms to block access to the victim's files and demands money in exchange for the key that decrypts the blocked content. Some examples are CryptoLocker, Locky and CryptoWall.
- Locker ransomware (computer locker) locks the victim's operating system, which makes it impossible to access any apps or files unless a ransom is paid, after which the attackers are supposed to unlock the infected computer. Examples of such ransomware include the Petya and Satana families.
Encrypting ransomware (crypto-ransomware) is the most widespread and worrying cyber attack of the moment, so it's important to keep all your software up to date and, above all, to always have a backup of all your data on an external hard drive or another source. Other types of ransomware to watch out for are Master Boot Record (MBR) ransomware, Android mobile device ransomware, IoT ransomware and ransomware that encrypts web servers. All of these cyber threats can target anybody, anywhere and at any time, so remember that awareness and prevention are the best precautions for safeguarding your sensitive data.
How a ransomware infection spreads
Cyber criminals try different methods to infect a person's computer with malware and extort money by demanding a ransom to unlock the data. If you haven't yet been the victim of a cyber attack, consider yourself lucky. For maximum protection, it's essential to be proactive and keep your system up to date. Online criminals usually look for the easiest way into a system or network and then use that foothold to spread malicious code. It's therefore worth knowing the most common ways cyber criminals spread ransomware infections:
- Spam email campaigns that include malicious links or attachments;
- Taking advantage of security exploits in vulnerable software;
- Internet traffic that redirects to malicious websites;
- Legitimate websites that have malicious code injected in their web pages;
- Malvertising campaigns;
- SMS text messages (Smishing);
- Using botnets for malicious purposes;
- Self-propagation capabilities (spreading from one infected computer to another).
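Spam with malicious attachments is the first vector in the list above, and the home-user checklist later in this post recommends disabling Office macros. The following added example (it is not code from the original post or from Heimdal) shows the kind of attachment triage a mail gateway or help desk can apply before a user ever sees the file: it flags executables, macro-enabled Office documents, the "double extension" trick (a file that looks like a PDF but ends in .exe) and the Unicode right-to-left override character, and sends archives to quarantine for inspection. The file names are constructed samples, and the extension sets are assumptions a deployment would tune.

```python
"""Triage e-mail attachment names by the risk they carry as a ransomware
delivery vector. Added example, not the post's own code; every file name
below is a constructed sample."""
from dataclasses import dataclass
from typing import Dict, List

# File types that run code directly when double-clicked on Windows.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                  "vbs", "vbe", "wsf", "hta", "ps1", "msi", "lnk"}
# Office formats that may carry VBA macros.
MACRO_EXT = {"docm", "dotm", "xlsm", "xltm", "xlsb", "pptm", "ppam"}
# Containers whose contents are unknown until unpacked.
ARCHIVE_EXT = {"zip", "rar", "7z", "iso", "img", "cab"}
# Ordinary document types attackers like to imitate in a double extension.
DOCUMENT_EXT = {"pdf", "docx", "xlsx", "pptx", "txt", "png", "jpg"}

RLO = "\u202e"  # Unicode right-to-left override, reverses the displayed name


@dataclass
class Verdict:
    filename: str
    level: str   # "block", "quarantine" or "allow"
    reason: str


def classify_attachment(filename: str) -> Verdict:
    """Return a verdict for one attachment based only on its name."""
    if RLO in filename:
        return Verdict(filename, "block", "name contains a right-to-left override")
    name = filename.strip().lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(filename, "quarantine", "no usable extension")
    ext = parts[-1]
    if ext in EXECUTABLE_EXT:
        # "invoice.pdf.exe": the visible part says document, the OS says program.
        if len(parts) > 2 and parts[-2].strip() in DOCUMENT_EXT:
            return Verdict(filename, "block",
                           f"double extension: looks like .{parts[-2].strip()} but runs as .{ext}")
        return Verdict(filename, "block", f"executable attachment (.{ext})")
    if ext in MACRO_EXT:
        return Verdict(filename, "block", f"macro-enabled Office document (.{ext})")
    if ext in ARCHIVE_EXT:
        return Verdict(filename, "quarantine", f"archive (.{ext}) needs content inspection")
    return Verdict(filename, "allow", f"ordinary document (.{ext})")


def triage(filenames: List[str]) -> Dict[str, List[str]]:
    """Group a batch of attachment names by verdict level."""
    groups: Dict[str, List[str]] = {"block": [], "quarantine": [], "allow": []}
    for fn in filenames:
        groups[classify_attachment(fn).level].append(fn)
    return groups


# Constructed sample batch resembling a day's worth of inbound attachments.
SAMPLE_ATTACHMENTS = [
    "Q3-report.pdf",
    "invoice_2017.pdf.exe",
    "Delivery notice.docm",
    "photos.zip",
    "scan.js",
    "contract\u202efdp.exe",   # displays as "contractexe.pdf" in some clients
    "README",
]

if __name__ == "__main__":
    for fn in SAMPLE_ATTACHMENTS:
        v = classify_attachment(fn)
        print(f"{v.level:10} {v.reason:55} {fn!r}")
```

The check is deliberately name-based so that it runs before any file is opened; a real gateway would add content-type sniffing and archive unpacking on the quarantined items, since an extension alone can always be changed by the sender.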
These cyber attacks have become more frequent as online criminals refine their methods day by day, combining technical knowledge with psychological manipulation (social engineering). A simple ransomware infection chain usually follows this pattern: Everything happens so quickly that users affected by the malicious software don't really realize what just hit them until they see the ransom message on the screen.
Ransomware targets
In the light of the recent cyber attacks we've witnessed, the question then arises: "Who does it target?" The short answer is "everyone", whether it's a small or a large organization, a home user or a public institution. The longer answer isn't so simple, because vulnerability to a potential cyber threat depends on various factors: how attractive users' data is to online criminals, how vulnerable a system or network is, how fast companies or users can respond to a ransom request, and many more. The most common ransomware targets:
1. The healthcare sector – Hospitals in particular are a main target for cyber criminals, and according to the latest Verizon Data Breach Investigations Report (DBIR) this sector is under greater threat than other targets, with 72% of all malware incidents targeting the health care system. Why are they vulnerable: Because patients' data is vital for hospitals and can be a matter of life and death, cyber criminals know they are likely to get paid. A good example is the case of the Hollywood Presbyterian Medical Center, which paid approximately $17,000 to cyber criminals for the decryption key to unlock its files.
2. Government institutions – Another vulnerable target for ransomware attacks is government agencies and public service organizations, which hold very important and sensitive personal data. Why are they vulnerable: Cyber criminals know that government institutions need to keep their operations running, so they are more likely to pay the ransom to get their data back. A recent example is the Petya outbreak, which impacted important organizations, including government departments in Ukraine whose staff claimed they couldn't access their computers.
3. Education – According to a BitSight Insights report, education, and mostly higher-education institutions, have been a top target for ransomware attacks. Researchers found that the education sector had the highest rate of ransomware, "with at least one in ten experiencing this cyber attack on their network". Why are they vulnerable: Education is an easy target for cyber criminals, mainly because of its weak IT hierarchy, to which thousands of students connect every day, and the ease of launching a spear phishing campaign. Beyond that, educational institutions often lack skilled system administrators for this job and the financial resources to invest in cyber security. A recent example is University College London, which saw its shared drives and student management system taken down by cyber criminals.
4. Law firms – Why are they vulnerable: Legal firms are another sector at risk of being a sure target for online criminals, because they are responsible for clients' data, which is sensitive and confidential, and they might have the resources to pay the ransom. The global law firm DLA Piper was also a victim of Petya ransomware, which infected its computers.
5. Mobile users and Macs – According to Forrester Research, "the number of global smartphone subscribers is expected to reach 3.8 billion by 2022, crossing the 50% mark for smartphone penetration by population in 2017 and reaching 66% by 2022." This means that our dependency on mobile devices will continue to grow, as will the amount of data stored on them, making them vulnerable to cyber attacks. Another report, from Kaspersky Lab, revealed that mobile malware is increasing quickly: 218,625 mobile ransomware files were detected in the first quarter of 2017. Why are they vulnerable: While you may be tempted to say Windows computers are the main target for cyber criminals, Mac OS users have also been hit by ransomware. FortiGuard Labs recently discovered a Ransomware-as-a-Service (RaaS) targeting Mac computers.
WannaCry and Petya, the most recent cyber attacks
May and June may have been "two black months" for the cyber security industry and a reality check for everyone, reminding us of the importance of being proactive and keeping our systems up to date at all times. The WannaCry ransomware outbreak first struck in May 2017 and affected hundreds of thousands of Windows computers in more than 100 countries that were running an outdated version of the operating system. It spread quickly by using the EternalBlue exploit, which takes advantage of a Microsoft SMB vulnerability to propagate rapidly and infect computers. Similar to WannaCry, the Petya ransomware (Petya.A, Petya.D, or PetrWrap) made its appearance in June 2017 and used the same EternalBlue exploit, but also had self-replicating abilities. At a later stage, Petya turned out to be a data wiper disguised as ransomware. Unlike WannaCry, its key differentiator was the use of multiple attack vectors and a malware cocktail to encrypt and extract as much confidential data as possible. Petya doesn't just encrypt users' files, but also overwrites and encrypts the Master Boot Record (MBR). Both the WannaCry and Petya outbreaks affected large and important organizations (Telefonica, Renault, Maersk, Saint-Gobain, Mondelez), as well as public institutions, banks and hospitals across Europe and the rest of the world. This article from Forbes can help you better understand the main differences and similarities between these two types of malware. If your files have been encrypted by one of these ransomware families and you don't want to pay the ransom, there's an alternative: unlocking your data for free with a decryption tool. For WannaCry ransomware, French security researchers have discovered a decryption key called WannaKey that works under certain conditions, and this article describes how decryption of WannaCry-infected files works.
As regards Petya ransomware, Janus, who claimed to be the original author of this cyber attack, released a master decryption key that worked for all Petya versions, so victims can use it to recover their files.
Why do ransomware attacks continue to be successful?
Given the number of ransomware attacks happening on an alarming scale and putting millions of users and machines worldwide at risk, it's a legitimate question. A first answer would be that victims, whether a large or small company or a home user, are still willing to pay money (the ransom) to get back the valuable data they've lost. Security experts recommend not doing so, because payment is just an incentive for cyber criminals, who will continue to work on more elaborate cyber attacks. Besides that, there's no guarantee that victims will get their files back, and they might become a target for a future cyber attack. More reasons why ransomware attacks continue to be successful and grow at an alarming rate:
- The malware economy has evolved, like any other market, but was – and still is – heavily sustained by ransoms paid by those victims who needed immediate access to their valuable data.
- A high number of software vulnerabilities on many computers, which exist mostly because people don't update their software.
- All software has vulnerabilities, and the Windows operating system is no exception. Hackers take advantage of these flaws in Microsoft Windows to encrypt users' valuable data. This is why most ransomware attacks happen. The mysterious Shadow Brokers hacking group leaked the NSA tools and documents used in the global WannaCry cyber attack and warned that it would unleash even more hacking tools.
- Lack of tested recovery plans is another reason ransomware attacks succeed. Without a recovery plan that has been tested to confirm that everything works properly, your business may face downtime and critical restoration problems.
- The aging (outdated) infrastructure of public and private companies is linked to security breaches and potential new cyber attacks. Old PCs run outdated software, which makes them vulnerable to online threats. Criminals launching a cyber attack use ever more advanced and sophisticated techniques, and companies with an outdated infrastructure are the most exposed. It is essential for businesses to upgrade their infrastructure and close the gaps in their cyber security.
- Lack of user security training and basic cyber security skills exposes both organizations and individuals to online attacks. Without a minimum of cyber security knowledge, people can't tell good from bad, so they easily click on a malicious website or link. Cyber security education is essential in such cases and contributes to a safer online environment for everyone. Because it's not a solitary mission, authorities and cyber security organizations should join forces in combating a ransomware phenomenon that continues to claim victims, as they are doing, for example, in the No More Ransom initiative. Security awareness programs and specialized courses can help prevent these attacks.
- Companies fail to have a well-structured data backup plan to protect their business in the face of cyber security incidents, making them an easier target for ransomware attacks.
- Users and employees need to learn to be skeptical and raise their level of suspicion when receiving an email with a suspicious attachment, or when facing any other online scam they may find on social media.
- There's no doubt that most cyber attacks are tied to the human factor, which hasn't changed much in recent years. People still have the same mindset and respond to the same stimuli, which means cyber criminals can plan to exploit these reactions methodically, over and over again.
- Unfortunately, people still postpone and neglect keeping their systems patched and up to date, or using a proactive security solution for maximum protection.
- Malware gets more and more sophisticated, as cyber criminals improve their skills and manage to develop advanced versions of ransomware.
Anti-ransomware checklist for businesses
For a business, a ransomware attack could have devastating consequences for its continuity. Preventing infection and stopping it from spreading is therefore vital for every business interested in keeping its sensitive data safe and secure. We recommend reading this useful ransomware prevention checklist:
- Use a multi-layered proactive security solution that will keep up to date all the business endpoints and monitor your daily online activity;
- Backup all your data every day and use external sources such as a hard drive or in the cloud (Google Drive, Dropbox, etc.) to store it. Read this useful guide on how to do it;
- Use and apply security awareness programs within your business to avoid clicking on unknown links and attachments in email that could redirect to malicious websites;
- Encourage employees to report back to you when they notice suspicious emails;
- Don't use public Wi-Fi connections unless you have a virtual private network or use encryption software;
- Update daily and use the most recent version of your operating system and browser;
- Apply a patch management system and make sure commonly exploited third-party software such as Java, Flash and Adobe Reader is fully patched;
- Restrict employees' access to only the data they need and use, and also limit their authority to install software programs.
Read this article to find out what cyber security experts recommend for businesses to better defend against ransomware attacks.
Anti-ransomware checklist for home users
Prevention is the best weapon a home user has against ransomware attacks. It's also essential to be proactive and take all the measures needed to protect your sensitive data.
- Don’t store your sensitive data exclusively on your PC and make sure you have at least 2 backups of your data on external sources;
- Update, update and update! It is vital to have installed all the latest updates for your apps, software programs and operating system.
- Try not to use the administrator account for everyday work, and remember to disable macros in the Microsoft Office package.
- Never open spam or download email attachments from untrusted sources that could infect your device. Moreover, don't click on suspicious links.
- Make sure you have a paid antivirus product that is up to date, or consider using a proactive security product (you can check what Heimdal™ Threat Prevention can do for you).
- It also helps to remove risky plugins from the browsers you use: Adobe Flash, Adobe Reader, Java and Silverlight.
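Both checklists above put backups first, and the earlier list of reasons ransomware succeeds names untested recovery plans and backups that are never verified. The following added example (not code from the original post or from Heimdal) shows what "tested" means in practice: a backup is written together with a SHA-256 manifest, a restore drill copies every file out again and checks each hash, and a second verification pass catches the case where the backup media itself was reached and damaged. It runs entirely in a temporary directory on constructed sample files; the directory names and sample contents are assumptions for the demonstration.

```python
"""Offline backup with an integrity manifest and a restore drill.
Added example, not the post's own code; runs on constructed sample
files inside a temporary directory."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest: Path) -> Dict[str, str]:
    """Copy the source tree into dest and record a SHA-256 for every file."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest: Dict[str, str] = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_of(target)   # hash the copy, not the original
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path) -> List[str]:
    """Return the relative paths whose content no longer matches the manifest."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).exists() or sha256_of(dest / rel) != digest]


def restore_and_verify(dest: Path, restore_to: Path) -> List[str]:
    """Restore every manifest entry into restore_to and re-check its hash.
    A restore that is never exercised is the untested recovery plan the post
    warns about; this returns the files that failed to come back intact."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    failures = []
    for rel, digest in manifest.items():
        out = restore_to / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, out)
        if sha256_of(out) != digest:
            failures.append(rel)
    return failures


def run_drill() -> Dict[str, object]:
    """End-to-end drill on constructed sample data; returns a summary dict."""
    work = Path(tempfile.mkdtemp(prefix="ransom-drill-"))
    try:
        live, backup, scratch = work / "live", work / "backup", work / "restore"
        # Constructed sample files standing in for a small business share.
        samples = {
            "docs/contract.docx": b"contract body",
            "docs/notes.txt": b"meeting notes",
            "db/customers.csv": b"id,name\n1,alice\n2,bob\n",
        }
        for rel, data in samples.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_bytes(data)
        manifest = create_backup(live, backup)
        fresh_failures = verify_backup(backup)
        # Simulate the incident: live copies are overwritten with junk bytes.
        for rel in samples:
            (live / rel).write_bytes(os.urandom(32))
        # The backup was offline, so the drill must bring every file back.
        restore_failures = restore_and_verify(backup, scratch)
        # Simulate a backup that was itself reached and damaged; verify must notice.
        (backup / "docs/notes.txt").write_bytes(b"garbage")
        damaged_failures = verify_backup(backup)
        return {
            "files_backed_up": len(manifest),
            "fresh_verify_failures": fresh_failures,
            "restore_failures": restore_failures,
            "damaged_verify_failures": damaged_failures,
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

The point of the drill is the second verification pass: a backup that sits on a share the same user account can write to will be encrypted alongside the live data, and the manifest comparison is what tells you that before you need the restore. Keeping at least one copy offline (the external drive the post recommends) is what makes the first restore succeed.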
The future of ransomware: What’s next?
Ransomware isn't just a trend these days, but a successful business model that's increasingly popular and profitable for cyber attackers who extort money from both individuals and organizations. The most recent ransomware outbreaks, Petya and WannaCry, which affected so many companies and users, are examples of successful cyber attacks, but there were others before them, and we believe these malware threats won't stop here. Now that attackers have successfully tested strains with self-replicating abilities, we can expect such attempts to be even more frequent in the future. This means that businesses and home users alike will remain vulnerable to cyber threats. Ransomware authors will not only develop more advanced techniques, but will also target bigger companies, which are more likely to pay the ransom. The more widespread the attack, the bigger the potential return on investment for malicious hackers. And if they manage to exfiltrate confidential data in the process, that gives them additional leverage in their extortion attempts. We strongly recommend that companies invest in cyber security and train employees to safeguard their online privacy. Awareness programs are crucial these days, so we believe cyber security companies and experts should continue focusing on education, because education is key to making the Internet a safer place for everyone.
What the experts say
Trend's security experts made some predictions about the future of the ransomware phenomenon and said that "there will be an evolution in ransomware strategy in the near future, including increased ransomware attacks on IoT systems". The healthcare sector will remain a top target for cyber attacks, according to IDC's Worldwide Healthcare Predictions Report, which predicts that by 2018 the number of ransomware attacks on healthcare organizations will have doubled. On another note, cyber security researchers from Imperva estimate that several attack trends will accompany ransomware going forward, such as file and database corruption and data exfiltration (the Vault 7 example, where documents on the CIA's cyber weapons were leaked and published by WikiLeaks). Another report, from Quick Heal Technologies, stated that ransomware attacks increased in the second quarter of 2017, infecting over 2.3 million Windows systems, and predicted that fake apps will grow in Google Play and third-party app stores as well. With the new wave of ransomware outbreaks, law enforcement efforts will play a major role in helping organizations and individuals fight these cyber threats. The European Union's new General Data Protection Regulation (GDPR) takes effect on May 25, 2018 and brings new data protection rules and obligations for EU members. What do you think of the ransomware phenomenon? Do you expect to see a decline, or an increase in more advanced forms of the Petya and WannaCry outbreaks? Please share your thoughts in a comment below.