A Field Guide to Ransomware
Of all the online threats facing businesses, organizations, and government agencies, ransomware still leads the pack. Other types of cyberattacks may cause personal fallout, but ransomware continues to dominate in the destructive impact it has on victims, and it remains the most lucrative attack type for the criminals who deploy it.
Ransomware is a type of malware that encrypts critical data on a computer or computer network so that users can’t regain access without paying a ransom. The payment is typically demanded in a cryptocurrency (Bitcoin, Monero, etc.), which is difficult to trace and easily transferable.
Current Ransomware Trends
During the first half of 2021, a reported 7.3 million ransomware-related incidents were detected. In Q2 2021 alone, security experts saw a 55,239% increase in ransomware activity – and no industry seems to be safe.
- The year started with historic attacks against critical infrastructure, such as the U.S.’s energy sector and food supply chain.
- Healthcare providers have been targeted throughout the pandemic, with nearly half disconnecting their networks in the first six months of 2021 due to attacks.
- Financial institutions remain a popular target among cybercriminals given the potential for big paydays.
- City and county governments are under attack, slowing emergency services, disrupting tax payments and processing, and forcing agencies to revert to pen-and-paper operations.
- Even cybersecurity companies and IT service providers have been successfully targeted.
The threat posed by ransomware owes much to its variability. There are many variants, each tailored to particular vulnerabilities or environments across a wide array of systems. Some target specific industries, such as manufacturing, food, and agriculture. Newer strains also seek out and encrypt data backups, denying victims the ability to recover their systems without paying.
With more than 450,000 new malware samples detected every day, ransomware gangs are working hard to overwhelm defenses and avoid detection.
Ransomware: Should You Pay or Not?
Adding to the complexity of dealing with ransomware is the controversy about what to do if you get hit – specifically whether ransoms should be paid. Law enforcement and security experts have long urged victims not to pay, arguing that payments only encourage ransomware activity, and there’s nothing to stop the crooks from targeting you again once you’ve shown a willingness to pay.
Yet, the temptation to pay the ransom to quickly regain access can be substantial for a business – especially since the cost of unexpected downtime can range between $8,600 and $300,000 per hour, depending on the size of the organization.
Paying doesn’t guarantee access, though. One study found that of the 46% of U.S. companies that paid a ransom, only 26% had their data unlocked.
How to Avoid Ransomware
Before worrying about whether to pay a ransom if their files are encrypted, organizations should first take steps to minimize their risk of being successfully targeted.
Several measures help. The first is to minimize the company's attack surface by understanding how ransomware works and how the criminals who develop it operate.
Below are descriptions of three common types of ransomware and how they operate.
WannaCry
WannaCry is a well-known form of ransomware that first made headlines in May 2017 after infecting between 200,000 and 300,000 computers in more than 150 countries. Security specialists and the U.S. government traced the activity to the Lazarus Group, a hacking team with ties to North Korea.
Damages from WannaCry's initial outbreak were estimated at as much as $4 billion, affecting companies and organizations including FedEx, the UK National Health Service, Nissan, the Russian government, Hitachi, and others.
Although the initial outbreak was halted after a few days (a researcher registered the kill-switch domain the worm checked before encrypting), WannaCry remains active. In fact, of the 7.3 million ransomware detections in the first six months of 2021, the majority were WannaCry or Locky variants.
What makes this variant noteworthy is why it spread so fast. WannaCry is a worm: it exploited a vulnerability in Microsoft's SMBv1 file-sharing protocol (CVE-2017-0144, fixed in security bulletin MS17-010) using an exploit called EternalBlue, which let it move from machine to machine over TCP port 445 with no user interaction. The exploit originated with the U.S. National Security Agency (NSA), was stolen in 2016, and was leaked online by the Shadow Brokers group in April 2017. EternalBlue was then reused in other destructive malware, notably NotPetya in June 2017; the related Bad Rabbit outbreak later that year used EternalRomance, another SMB exploit from the same leak.
WannaCry illustrates why prompt patching is critical. Microsoft had fixed the SMBv1 flaw in March 2017, two months before the outbreak, yet many organizations had not applied the update, and the worm spread like wildfire through unpatched Windows 7 and Server 2008 systems. Windows XP, already out of support, did not receive a fix until Microsoft issued an emergency patch after the attack began.
By running current, supported versions of applications and operating systems, applying security patches as soon as they are issued, and disabling legacy protocols such as SMBv1 where they are no longer needed, organizations can close the gaps that worms like WannaCry rely on.
Ryuk
Ryuk was first identified in August 2018 as a variant of the Hermes ransomware. Although it has infected far fewer systems than more widespread strains, Ryuk has caused enormous disruption by specifically targeting large networks. Victims include Spain's public employment service (SEPE), a U.S. Coast Guard-regulated maritime facility, the city of Durham, NC, and the hospital operator Universal Health Services, whose facilities across the U.S. were taken offline.
That Ryuk hits high-profile targets is no accident; it follows from its modus operandi. Rather than being mass-mailed or spreading indiscriminately like a worm, Ryuk is deployed at the end of a multi-stage intrusion, typically by way of two other malware families, Emotet and TrickBot.
Emotet is what's referred to as a "dropper" or loader Trojan: it typically arrives as a malicious email attachment and, once running, installs other programs without being detected. Machines compromised by Emotet are often then infected with TrickBot, which harvests credentials, moves laterally, and gives the operators a foothold from which to deploy ransomware such as Ryuk. The combination is often referred to as a "loader-banker-ransomware" trifecta.
Because Ryuk requires several steps before it can compromise a system, it typically targets enterprise environments and charges relatively high prices to decrypt affected files. The size of the ransom tends to vary according to the size and resources of its targets as well as the sensitivity of the data it encrypts.
One of the more sophisticated elements of Ryuk is what it does before encrypting anything: it stops antivirus, security, and backup-related processes and services, then deletes Volume Shadow Copies and other local recovery points (using built-in Windows tools such as vssadmin, wbadmin, and bcdedit). This makes the infection harder to detect and makes recovery from local data near impossible if external, offline backups aren't available.
Ryuk uses a layered encryption scheme (each file is encrypted with its own AES key, which is in turn wrapped with RSA keys so that only the attackers can recover it) and drops a ransom note in every folder it touches. The note informs the victim that their files are encrypted and provides an email address at an encrypted mail provider and a Bitcoin wallet address for the ransom.
Attributed to the group tracked as Wizard Spider (with the underlying Hermes code traced to a seller known as CryptoTech), Ryuk had netted at least $61 million in reported U.S. cases between February 2018 and October 2019, according to FBI estimates.
Once Ryuk has deployed there is little to do but recover, so the best defense is to minimize the risk of the initial infection. Organizations should regularly train employees to identify phishing emails carrying malicious attachments, and invest in endpoint protection that can identify and block the Emotet and TrickBot stages before the ransomware arrives.
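Those two steps (killing protective processes, then destroying local recovery points) leave a distinctive trail in process-creation telemetry. The Python below is an added example, not code from the article or from any vendor: it runs a handful of regex rules over constructed Sysmon-style Event ID 1 records and raises a host-level alert when two or more distinct destructive techniques occur on the same host within ten minutes. The command patterns (vssadmin delete shadows, wmic shadowcopy delete, bcdedit recovery settings, wbadmin delete catalog, stopping security or backup services) are ones reported in Ryuk intrusions; the sample events, host names, product keywords, and thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recovery-destruction commands seen in Ryuk-style intrusions, as case-insensitive
# regexes over the process command line.
RULES = {
    "shadow_copies_deleted": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "shadow_storage_resized": re.compile(
        r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "boot_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "backup_catalog_deleted": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
}
# Forced stops of protective services are matched separately, because the verb
# ("net stop", "sc stop", "taskkill /im") and the target sit far apart on the line.
STOP_VERBS = re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s.*?/im)\b", re.I)
# Constructed keyword list; tune to the security and backup products in your estate.
PROTECTED_TARGETS = ("sophos", "mcafee", "defend", "msmpeng", "veeam", "backup", "sql", "acronis")


def classify(command_line: str) -> set:
    """Return the set of rule names a single command line triggers."""
    hits = {name for name, rx in RULES.items() if rx.search(command_line)}
    if STOP_VERBS.search(command_line) and any(t in command_line.lower() for t in PROTECTED_TARGETS):
        hits.add("protection_service_stopped")
    return hits


def correlate(events, window=timedelta(minutes=10), min_rules=2):
    """Group process-creation events by host and flag hosts where at least
    `min_rules` distinct techniques fire within `window`. Each event is a dict
    with UtcTime (ISO 8601), Computer, Image and CommandLine, as Sysmon emits."""
    by_host = defaultdict(list)
    for ev in events:
        for rule in classify(ev["CommandLine"]):
            by_host[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), rule, ev["CommandLine"]))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()  # chronological; a sliding window then starts at each hit
        for i, (t0, _, _) in enumerate(hits):
            rules = {r for t, r, _ in hits[i:] if t - t0 <= window}
            if len(rules) >= min_rules:
                alerts[host] = sorted(rules)
                break
    return alerts


# Constructed Sysmon-style Event ID 1 records, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2021-06-14T02:11:03", "Computer": "FS01", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net stop "Sophos AutoUpdate Service" /y'},
    {"UtcTime": "2021-06-14T02:11:09", "Computer": "FS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /all /quiet"},
    {"UtcTime": "2021-06-14T02:11:10", "Computer": "FS01", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"UtcTime": "2021-06-14T02:11:12", "Computer": "FS01", "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin DELETE CATALOG -quiet"},
    # Routine admin work on another host: a lone shadow-storage resize, nothing else.
    {"UtcTime": "2021-06-14T09:00:00", "Computer": "WS42", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10%"},
    {"UtcTime": "2021-06-14T09:00:05", "Computer": "WS42", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```

Any one of these commands can be legitimate administration, which is why the example alerts on the combination within a short window rather than on a single hit; the lone resize on WS42 is recorded but not escalated. Feed it real Event ID 1 or Security 4688 records (with command-line auditing enabled) instead of SAMPLE_EVENTS.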
It is also crucial for organizations to follow the 3-2-1 strategy of backup:
- Keep at least three copies of data.
- Store two copies on different media.
- Keep one backup copy offsite and offline.
Sodinokibi / REvil
Sodinokibi, also known as REvil, is a sophisticated form of ransomware with an equally sophisticated criminal organization behind it. It represented a quarter of all the ransomware attacks recorded in the first half of 2021.
First seen in April 2019, this variant is considered an offshoot of GandCrab, a strain blamed for 40% of ransomware incidents between 2018 and 2019. GandCrab's developers announced their retirement in May 2019, claiming to have earned $2 billion. The retirement was largely cosmetic: Sodinokibi / REvil was already circulating weeks before the announcement, and code overlaps quickly tied it to the same developers.
Sodinokibi / REvil has been used in several high-profile attacks, including those on the currency exchange firm Travelex and the celebrity law firm Grubman Shire Meiselas & Sacks. In July 2021, it was behind the supply chain attack on Kaseya's VSA remote-management platform, which by Kaseya's count hit roughly 60 managed service providers (MSPs) and up to 1,500 of their downstream small-business customers.
Like its predecessor GandCrab, Sodinokibi / REvil stands out as a pioneer of the ransomware-as-a-service (RaaS) business model. The ransomware group leases its malware to affiliates. Those affiliates then infect systems, communicate with victims, and collect the ransoms. Those ransom payments are then split between both parties, with the developers receiving 40% of the ill-gotten gains.
Another Sodinokibi / REvil tactic is to pressure victims into paying a ransom by putting the transaction on a two-day timer. If the victim doesn’t pay, the amount required doubles. Because this variant is service-oriented, the attackers will provide resources and links to cryptocurrency exchanges – and they’ll even provide online chat support.
Stopping Sodinokibi / REvil
Although Sodinokibi / REvil has several advanced features that make it difficult to detect, many endpoint protection products can block it before it deploys across a network.
In September 2021, cybersecurity firm Bitdefender, working with a law enforcement partner, released a free universal decryptor for Sodinokibi / REvil. It works for victims encrypted before July 13, 2021, the date the gang's infrastructure went dark; it does not help against the rebuilt operation that resurfaced that autumn with new keys.
Even with a decryption key, however, recovering after an attack takes time – and given the high cost of downtime, the best approach remains avoiding infection in the first place. Keeping systems and applications updated and applying patches regularly, especially when emergency security updates are made available, is critical.
Ransomware and Data Exfiltration: Two Crimes in One
To maximize their profits, ransomware gangs have adopted "double extortion", a strategy that has gained traction during the past year. Rather than relying on the ransom for the decryption key alone, they steal sensitive, proprietary, and embarrassing data before encrypting it, then threaten to publish it on a leak site unless the victim pays, so that even a victim with sound backups has a reason to negotiate.
In just the first six months of 2021, more than 1,100 data leaks were published. At that rate, 2021 is projected to see a year-over-year increase of 70%.
Such breaches are more than a business disruption: organizations can face major fines for violating privacy regulations, and they risk a significant loss of reputation among customers, partners, and vendors.
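Exfiltration is the one stage of a double-extortion attack that must cross the network boundary, so egress volume is where it can be caught before the encryptor runs. The Python below is an added example and is not part of the original article: it sums each internal host's outbound bytes to non-private destinations per hour from flow records, then flags a host whose latest hour exceeds both a tenfold ratio over its own median hour and an absolute 1 GB floor. The flow records, host addresses, destination addresses (taken from the example.com range), and thresholds are constructed assumptions for this example.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def is_external(ip: str) -> bool:
    """True for addresses outside private, loopback, and link-local space."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def hourly_egress(flows):
    """Sum bytes each internal source sent to external destinations, per hour.
    Each flow is a dict with ts (ISO 8601), src, dst, dport, bytes_out."""
    buckets = defaultdict(lambda: defaultdict(int))  # src -> hour -> bytes
    for f in flows:
        if is_external(f["src"]) or not is_external(f["dst"]):
            continue  # inbound or internal-to-internal traffic is not egress
        hour = datetime.fromisoformat(f["ts"]).replace(minute=0, second=0, microsecond=0)
        buckets[f["src"]][hour] += f["bytes_out"]
    return buckets


def detect_exfil(flows, ratio=10.0, floor_bytes=1_000_000_000):
    """Flag hosts whose latest hour of egress exceeds `ratio` times their median
    earlier hour AND an absolute floor (1 GB by default). The floor keeps small,
    bursty hosts quiet; the ratio keeps steady heavy senders (backups) quiet."""
    alerts = {}
    for src, hours in hourly_egress(flows).items():
        ordered = sorted(hours)
        if len(ordered) < 2:
            continue  # no history to compare against
        latest, history = ordered[-1], ordered[:-1]
        baseline = statistics.median(hours[h] for h in history)
        current = hours[latest]
        if current >= floor_bytes and current > ratio * max(baseline, 1):
            alerts[src] = {"hour": latest.isoformat(), "bytes": current, "baseline": baseline}
    return alerts


def constructed_flows():
    """Constructed flow records (not real traffic) for three internal hosts."""
    base = datetime(2021, 6, 14, 0, 0, 0)
    flows = []
    for h in range(7):
        ts = (base + timedelta(hours=h)).isoformat()
        # 10.0.5.17: ~50 MB/hour of ordinary HTTPS, then an 18 GB burst in hour 6.
        flows.append({"ts": ts, "src": "10.0.5.17", "dst": "93.184.216.34", "dport": 443,
                      "bytes_out": 18_000_000_000 if h == 6 else 50_000_000})
        # 10.0.5.18: steady 2 GB/hour offsite backup, large but not anomalous.
        flows.append({"ts": ts, "src": "10.0.5.18", "dst": "93.184.216.35", "dport": 443,
                      "bytes_out": 2_000_000_000})
        # 10.0.5.19: a hundredfold spike, but only 500 MB, below the floor.
        flows.append({"ts": ts, "src": "10.0.5.19", "dst": "93.184.216.34", "dport": 443,
                      "bytes_out": 500_000_000 if h == 6 else 5_000_000})
        # Internal staging to a file server (SMB) is ignored by the egress filter.
        flows.append({"ts": ts, "src": "10.0.5.17", "dst": "10.0.1.5", "dport": 445,
                      "bytes_out": 30_000_000_000})
    return flows


if __name__ == "__main__":
    for src, info in detect_exfil(constructed_flows()).items():
        print(f"ALERT {src}: {info['bytes']:,} bytes in hour {info['hour']} "
              f"(median baseline {info['baseline']:,.0f})")
```

Only 10.0.5.17 is flagged: the backup host is heavy every hour, and the third host's spike never reaches the floor. In production, feed NetFlow/IPFIX or firewall logs and lengthen the baseline to several days so weekly patterns do not trip the ratio.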
Protecting Employee Data and Identities
In the wake of ransomware attacks and data breaches, an organization may find itself confronted with employees who have suffered identity-related crimes because their personally identifiable information (PII) was stolen and published on the Dark Web.
To mitigate such issues, human resources departments should consider offering identity theft resolution and related protection services to employees as a benefit. Such perks are good for the business too, since identity theft victims typically use twice as much sick time and are absent five times more than average while dealing with an identity-related crime.
Adding such protection to an employee benefits package or corporate insurance policy helps with employee retention. It encourages staff to better protect their digital lives – and the company’s systems – against cyber threats like ransomware.