Ransomware is a type of malware that targets an organization’s data. Attackers use it to hold valuable information hostage through encryption, requiring a ransom payment for it to be restored.
Ransomware affects millions of businesses globally and is currently growing at unprecedented rates — both in terms of the likelihood of a ransomware attack against your organization and of the average ransom amount requested. Ransomware is designed to spread across a network and target database and file servers, and can thus quickly paralyze an entire organization.
The motivation behind ransomware attacks is primarily economic, as companies are often willing to pay millions of dollars to the attackers in order to have their files unlocked, systems restored, and business operations resumed smoothly.
With cyber criminals continuously upgrading their malware and with attack strategies becoming increasingly sophisticated, these threat actors are developing resources to conduct cyber attacks of enormous magnitude and impact.
Stay-at-home notices introduced during the COVID-19 pandemic have contributed to increased organizational cyber vulnerabilities with employees using personal devices connected to home or shared networks which are far less secure than organizational ones. Combined with bad cyber hygiene and a lack of general awareness of cyber best practices, organizations are truly at risk of a cyber breach.
In this article, we take a deep dive to learn more about what ransomware is, how long this attack vector has been around, and its impact on businesses and individuals today.
Who created ransomware?
While Ransomware has been making headlines for at least the past three years as a novel attack vector, the first recorded ransomware attack occurred almost thirty years ago.
The first person to create a ransomware-type virus was Doctor Joseph Popp in 1989. His program—dubbed “AIDS Trojan''—was distributed via floppy discs to unknowing attendees of a research conference. Believing the discs were research tools, the victims inserted the malware into their computers. Once the disk was inserted, the ransomware started encrypting only the file names—rather than the files themselves, as it happens nowadays. The ransom request amounted to USD189, with the promise that instructions to decrypt their systems would be provided once the payment had been made. In fact, the ransomware had a flaw that made it possible to independently decrypt the files, without making the ransom payment.
Still, ransomware did not become the most common type of cyber attack until recently. Up until the early 2000s, Distributed Denial of Service (DDoS) attacks were more common than ransomware. This trend shifted with the catastrophic attack known as WannaCry, which in 2017 compromised entire sectors around the world, initiating what some have called “the era of ransomware.”
Ransomware is a crime punishable by imprisonment in most countries, either because of the breach of cyber-specific laws or other laws related to information theft and extortion. It is becoming increasingly debated whether laws should be put in place to ban the payment of ransomware. The US already has laws in place to punish those who pay ransoms to a select list of cyber threat actors. In the future, it is likely that most countries will ban the payment of ransoms completely, as these fuel the cyber criminal economy and empower attackers to produce more effective and dangerous ransomware.
How does ransomware work?
Although in some cases—such as with the famous WannaCry virus or NotPetya— ransomware can travel between computers without user interaction, ransomware attacks are typically carried out using a Trojan. A Trojan is a type of malware that is typically downloaded onto an endpoint from a user clicking a phishing link or opening an email attachment. As the mythical Trojan horse, it is disguised as benign software and can often pass undetected by Endpoint Detection and Response (EDR). Once it is inside the computer, the Trojan can delete, block, copy and modify data such as passwords and keyboard strokes, but also disrupts the performance of computers or computer networks opening the door for further malware.
Ransomware acts rapidly, and can encrypt important files on every single device on the network within hours, minutes, or even seconds, depending on the number of targets in the attack and whether or not the attacker has spent time silently monitoring and exfiltrating data prior to encryption.
After encrypting all files in a computer, the ransomware will display a message on the desktop, giving instructions on how to pay the fee to obtain the decryption key from the attackers. Some examples of ransomware messages include: "Your computer has been infected with a virus. Click here to resolve the issue", "Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine”, or "All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data”.
There are three main ways for ransomware to infect your computer:
1. Malspam emails
Malicious spam, or “malspam” emails, are unsolicited malicious emails that are used to deliver malware. The email may contain the virus disguised as a credible attachment in the form of a PDF, Word document, or link to a malicious website. Malspam preys on human weaknesses, using social engineering to deceive people into opening attachments or clicking links by appearing to originate from a legitimate source (e.g., a trusted friend or reputable organisation).
Malicious advertising, otherwise known as “malvertising”, is another form of ransomware that requires little to no user interaction. While scrolling through a website, users are directed to criminal servers without even clicking on the advertisement, as these malicious ads often appear as pop-up windows.
It must be noted that reputable, legitimate websites are not immune to malvertising. You might have the latest and best computer protection, but all it takes is one wrong click or pop-up for you to fall prey to such attacks.
3. Ransomware-as-a-Service (RaaS):
Ransomware is so popular and effective among cybercriminals these days that many malicious actors operate Ransomware-as-a-Service (RaaS) business models in online criminal markets.
RaaS allows anyone who wants to access and use ransomware against another individual or business to do so by simply paying online providers for the service, significantly lowering the barrier for cyber criminals. Many RaaS providers operate with a high level of sophistication, offering competitive market prices and excellent customer support services to their criminal patrons.
How long does a ransomware attack take?
The lifespan of a cyberattack – the length of time a cyber attacker has free reign in an environment from the time they get in until they are eradicated– is its dwell time. The longer attackers have access to a network, the more opportunities they have to collect vital data and cause disruptions across the company’s digital systems.
On a global level, the average cyber dwell time in 2020 was 56 days. However, Asian companies are performing much worse than their US and EU counterparts when dealing with cyberattacks. In Hong Kong and Singapore attackers are often able to operate undetected for much longer, with most cyber attacks dwelling in systems between 90 and 180 days respectively, with some even lasting years.
Given the speed at which ransomware can hold your information hostage, time is of the essence. A few seconds can make the difference between securing valuable information and risking losing it while having to pay out a much bigger ransom. Having a good cyber incident response strategy in place is the best way to prepare your organization to promptly respond to a ransomware attack and minimize its dwell time.
The impact of ransomware
Ransomware can have a debilitating impact on organizations due to a variety of factors. Firstly, ransomware causes a temporary, and possibly permanent, loss of critical company data. This can bring about a complete shutdown of business operations for several days, resulting in financial loss from revenue interruption. Further financial losses are associated with remediation efforts, as companies without a good cyber insurance plan must bear the burden of incident response costs, as well as expenses for legal and PR activities related to the event.
On top of this, if the company decides to pay the ransom, this can put a several million dollar dent in its finances. It is important to note that paying the ransom does not guarantee that the data will be restored. Especially with the rise in semi-skilled attackers conducting ransomware, it often happens that the attackers themselves do not have a working decryption key. In fact, 1 in 5 small and medium enterprises (SMEs) that suffered a ransomware attack and paid the ransom do not get their data back.
In addition, decrypting files does not mean the malware infection itself has been removed. Relying on an experienced digital forensics and incident response provider like Blackpanda is the best way to ensure that there are no ongoing threats to your organization. Perhaps most dramatically, company reputation can be permanently damaged, as clients lose their trust in the organization’s ability to protect their sensitive information and provide them with good services.
How common is ransomware?
Ransomware attacks have been on the rise, with the Asia Pacific region alone experiencing a 168% increase in ransomware incidents in 2021 compared to the previous year. Not only are ransomware attacks becoming more common, but they are targeting organizations across all sectors and sizes, especially Small-Medium Enterprises (SMEs) and startups.
In Singapore alone, The Cyber Security Agency received 61 reports of ransomware attacks, almost double the figure for the whole of 2019 (The Straits Times, 2020). The increased incidence of ransomware attacks can be linked to the emergence of ‘Ransomware-as-a-Service’ (RaaS); a business model designed by cyber criminal organisations which lease ransomware variants to their clients in exchange for a percentage of the ransom paid by the victim. This way, people with little to no technical knowledge are able to launch sophisticated ransomware attacks on organizations.
With the average ransom demand averaging USD 180,000, hackers are always on the lookout for digital open doors. It is crucial for organizations of all sizes to be informed of the cyber risks they face and build resilience.
No one can ever be safe from ransomware. As a type of malware that is primarily initiated by human error and which can cause large damages within seconds, no Operating System (OS)—whether it be Mac, Windows 10, or Linux—has ransomware protection. Even traditional Endpoint Detection and Response (EDR) and anti-virus can do very little to prevent ransomware, as these work by searching for known malware. Given ransomware’s rapid development and its constantly evolving strains, EDR and anti-virus simply cannot keep up. Behavior-based threat hunting is the best solution to catch early signs of compromise.
Unlike what is thought by many, you cannot simply delete ransomware, and only expert incident responders can have a chance of independently decrypting data or mitigating the damages brought about by ransomware.
"With rapid growth across Asia-Pacific markets, ransomware-related acts are increasingly normalizing in the region as attackers follow the money trail"
Who are the targets of ransomware attacks?
In the past, ransomware attackers targeted individuals. However, cybercriminals have more recently turned to businesses for larger payouts, affecting more endpoints and to detrimental effect.
Attackers target organizations holding sensitive data which can (and often do) pay quickly to retrieve their data and avoid irreparable damage or embarrassment. Such firms include financial institutions, medical facilities, and government agencies.
Hackers know that these industries require consistent and reliable access to their data and face serious repercussions if Personally Identifiable Information (PII) of their patients, clients, or contractors are eliminated or released.
Western markets like the United States, Canada and the United Kingdom remain the top three targets for ransomware attacks geographically. However, with rapid growth across Asia-Pacific markets (such as Hong Kong, Singapore, and ASEAN economies) ransomware-related acts are increasingly normalizing in the region as attackers follow the money trail.
How to stay protected from ransomware?
A commitment to cyber hygiene is critical to protecting organizations and users from cyber threats. Malware protection begins with the basics, as follows:
- Update your software and operating system regularly. Outdated applications are at higher risk of compromise and are often the target of attacks.
- Configure firewalls to block access to malicious IP addresses.
- Do not click on links or open attachments from people who are outside your network or organisations unless they are completely trustworthy. If in doubt, confirm with the sender that they intended to send communication through a new reply email or phone call.
- Backup your devices to an external hard drive on a regular basis and disconnect the hard drive from your computer following backups – backups are also targeted by attackers.
- Follow safe practices when browsing the internet. Do not visit pages with uncommon URLs or sites that are not trusted.
- Enable strong email spam filters to prevent phishing attempts from reaching end users.
- Be wary of attachments that require you to enable macros to view files. Macro malware can infect multiple files.
- Authenticate inbound emails to prevent email spoofing.
- Apply application whitelisting to monitor the applications allowed to run on your network.
- Avoid revealing any personal or financial information over email or over the phone. Important transactions should occur face to face where possible.
More technical solutions include engaging a ransomware incident response firm to perform a routine risk analysis on your networks and servers to identify potential points of compromise. Compromise Assessments offer a holistic option, as they help single out bugs and vulnerabilities in the network, identify opportunities for improvement, and produce information about whether the company is already under attack. They also aid Incident Response efforts—if required—by helping reduce dwell time and enabling prompt activation of response plans and processes.
For professional assistance with any of the above services, please schedule a call with a Blackpanda incident response expert here.