Ransomware is a form of malicious payload used by threat actors who seek to extort a payment from the victim after successfully taking control of the victim’s data or systems. Cryptocurrency is typically demanded for the ransom payment.
The attacker may use multiple attack vectors and failure to pay may have consequences, including the following threats:
Generally, malicious actors will seek to obtain payments because their actions can compromise IT systems and adversely affect the normal operations of their victims. Although malware is one of the primary attack methods, several incidents of ransomware have occurred without the use of malware—for example, incidents of ransomware with cyber extortion by threatening a denial of service (DoS) attack or a website defacement. Ransomware as a service (RWaaS) has emerged as well, where threat actors have created a business model to launch a targeted attack against an individual or company as a service—for a fee.
Ransomware is commonly delivered via phishing emails or “drive by” downloads. Phishing emails appear legitimate and trustworthy and entice the victim to click on a malicious link or open an attachment. A drive-by download is a program that is automatically downloaded from the internet without users’ consent and without their knowledge. It is possible the malicious code may run after download, without any user interaction. After the malicious code runs, the user’s computer becomes infected with ransomware.
Ransomware then identifies the drives on an infected system and begins to encrypt the files within each drive. The encrypted files are generally given a distinctive extension, such as .aaa, .micro, .encrypted, .ttt, .xyz, .zzz, .locky, .crypt, .cryptolocker, .vault, or .petya. Once the encryption is complete, the ransomware creates and displays a file or set of files containing information and instructions on the terms of the ransomware attack. For example, once the victim fulfills the terms of the ransomware, the threat actor may provide a cryptographic key for the victim to unlock encrypted files.
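The mass-renaming behaviour described above is something file-write telemetry can surface. The following is an added detection example (not code from the original article): it assumes events of the form (timestamp, host, path) and flags any host that writes a burst of files carrying one of the extensions listed above; the sample events are constructed.

```python
"""Detect mass-encryption behaviour from file-write telemetry: a host that
writes many files with a known ransomware extension within a short window.
Added example, not from the article; the event format is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the article lists as typical of encrypted files.
RANSOM_EXTENSIONS = {".aaa", ".micro", ".encrypted", ".ttt", ".xyz", ".zzz",
                     ".locky", ".crypt", ".cryptolocker", ".vault", ".petya"}

# Constructed sample telemetry: (ISO timestamp, host, file path written).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:01", "ws01", "C:/Users/a/report.docx.locky"),
    ("2024-03-01T09:00:02", "ws01", "C:/Users/a/budget.xlsx.locky"),
    ("2024-03-01T09:00:03", "ws01", "C:/Users/a/photo.jpg.locky"),
    ("2024-03-01T09:00:05", "ws01", "C:/Users/a/notes.txt.locky"),
    ("2024-03-01T09:10:00", "ws02", "C:/Data/molecule.xyz"),      # one file: likely benign
    ("2024-03-01T09:00:00", "ws03", "D:/share/a.pdf.encrypted"),
    ("2024-03-01T10:30:00", "ws03", "D:/share/b.pdf.encrypted"),  # too far apart in time
]

def has_ransom_extension(path):
    """True if the path ends with one of the known encrypted-file extensions."""
    return any(path.lower().endswith(ext) for ext in RANSOM_EXTENSIONS)

def detect_mass_encryption(events, threshold=3, window=timedelta(seconds=60)):
    """Return {host: count} for hosts that wrote >= threshold files with a
    ransomware extension inside any sliding window of the given length."""
    times_by_host = defaultdict(list)
    for ts, host, path in events:
        if has_ransom_extension(path):
            times_by_host[host].append(datetime.fromisoformat(ts))
    alerts = {}
    for host, times in times_by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans at most `window`
            while t - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                alerts[host] = max(alerts.get(host, 0), hits)
    return alerts

if __name__ == "__main__":
    for host, n in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {n} files given ransomware extensions within 60s")
```

A single file with an unusual extension is not enough on its own (ws02 above is not flagged); the rate of change per host is what separates encryption from ordinary activity.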
Basic security hygiene and healthy operational practices can help organizations prevent ransomware incidents and limit financial loss, downtime, and disruption.
Several points of vulnerability exist among an organization’s own users. Organizations would benefit from educating individual users on safe email and internet browsing practices. Education on safe use of social media platforms is also important so that users are aware that a malicious threat actor may use publicly available information about them to target them or others in their organization.
To reinforce safe practices, organizations can implement technical controls for the various systems that attackers use to propagate malware. Examples of technical controls include:
In addition to running updated endpoint protection products, organizations should have identity and access management (IAM) systems in place, with a zero trust security approach. With strong authentication and principles of least privilege enforced, organizations can maintain strict control over critical systems and sensitive data stores.
Along with strict access controls, organizations should enforce limitations for collaboration tools, file-sharing resources, and other commonly accessed systems. Organizations may mandate additional authentication challenges where and when appropriate. Elimination of anonymous logins, generic accounts, and the use of weak credentials, combined with strict control over privileged accounts such as root and admin operating system or DBA accounts, is key to maintaining a strong security posture.
Organizations should define and maintain known security configuration baselines and deploy systems in accordance with the security configuration guidelines. Because malicious payloads often target known software vulnerabilities, it is important to apply security patches promptly.
Lastly, a best practice that will help an organization recover from ransomware is storing backups separately, on a different OS, so they cannot be accessed from the network.
Once organizations discover ransomware, they should attempt to limit the propagation of the malicious payload by:
To limit the impact of a ransomware attack, an organization’s remediation plans should include the provision for frequent and safe backups with effective and verified recovery procedures. Prior to restoring systems, organizations should determine within a reasonable level of confidence when and how the initial compromise occurred. Without due diligence, victimized organizations may inadvertently restore the compromise and re-establish the infestation while performing the initial recovery. With that in mind, it may be necessary to perform a cost-benefit analysis before choosing whether to restore to an older but known-to-be safe state or to restore to a more recent, but possibly infected state to minimize business disruption. Because some malware is known to target backup files and resources, organizations need to ensure effective control over them as well.
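The restore decision above (verify backups, rule out ones the malware already reached, then pick the newest one taken before the initial compromise) can be made mechanical. This is an added example, not code from the article: it assumes each backup is a set of files plus a manifest of SHA-256 hashes recorded at backup time and kept offline, and the sample backups are constructed.

```python
"""Choose a restore point after a ransomware incident: verify each backup
against its out-of-band manifest (malware may tamper with backups), reject
backups that already contain encrypted files, and prefer the newest backup
taken before the estimated initial compromise.
Added example, not from the article; the backup layout is an assumption."""
import hashlib
from datetime import datetime

# Same extensions the article lists as typical of encrypted files.
RANSOM_EXTENSIONS = {".aaa", ".micro", ".encrypted", ".ttt", ".xyz", ".zzz",
                     ".locky", ".crypt", ".cryptolocker", ".vault", ".petya"}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def backup_is_clean(files, manifest):
    """files: {path: bytes} read from backup media; manifest: {path: sha256}
    recorded when the backup was taken and stored separately from it."""
    if set(files) != set(manifest):
        return False                      # files added or removed since manifest
    for path, data in files.items():
        if any(path.lower().endswith(e) for e in RANSOM_EXTENSIONS):
            return False                  # backup already holds encrypted files
        if sha256(data) != manifest[path]:
            return False                  # tampered with or corrupted
    return True

def choose_restore_point(backups, compromise_time):
    """backups: list of (iso_timestamp, files, manifest). Returns the timestamp
    of the newest clean backup older than compromise_time, or None."""
    cutoff = datetime.fromisoformat(compromise_time)
    candidates = [(datetime.fromisoformat(ts), ts) for ts, files, manifest in backups
                  if datetime.fromisoformat(ts) < cutoff
                  and backup_is_clean(files, manifest)]
    return max(candidates)[1] if candidates else None

# Constructed sample: nightly backups; initial compromise estimated at 03-03 02:00.
GOOD = {"docs/a.txt": b"quarterly report", "docs/b.txt": b"budget"}
MANIFEST_GOOD = {p: sha256(d) for p, d in GOOD.items()}
TAMPERED = {"docs/a.txt": b"quarterly report", "docs/b.txt": b"XXXXXX"}
ENCRYPTED = {"docs/a.txt.locky": b"\x00\x01", "docs/b.txt.locky": b"\x02"}
SAMPLE_BACKUPS = [
    ("2024-03-01T01:00:00", GOOD, MANIFEST_GOOD),
    ("2024-03-02T01:00:00", TAMPERED, MANIFEST_GOOD),                    # hash mismatch
    ("2024-03-03T01:00:00", ENCRYPTED, {p: sha256(d) for p, d in ENCRYPTED.items()}),
    ("2024-03-04T01:00:00", GOOD, MANIFEST_GOOD),                        # after compromise
]
COMPROMISE_TIME = "2024-03-03T02:00:00"

if __name__ == "__main__":
    print("restore from:", choose_restore_point(SAMPLE_BACKUPS, COMPROMISE_TIME))
```

The cost-benefit question in the text is the gap between the chosen restore point and the compromise time; everything changed in that gap is the business disruption to weigh against restoring a possibly infected newer state.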