The year 2020 has witnessed an exponential rise in the attack rate, as per cybersecurity researchers it is evident that the ransomware attacks doubled in number. This is because of the work from home conditions that the COVID-19 pandemic has brought in. Lack of cybersecurity measures in work from home environment is the major reason for the drastic rise in the attack rate.
The year 2020 has opened a new gateway for attackers to intrude the business systems through its employee’s computers. During the first quarter of the year, hardly any company was ready to set up a secure Work From Home environment, which resulted in the highest number of attacks, reportedly through the employee's accounts and systems.
Also, many ransomware people have enhanced their skills of theft sensitive data from many sectors such as governmental services, financial services, banking, insurance and manufacturing sectors. Regardless of the size and sectors, every organisation has the great danger of Ransomware attacks, all over the world.
What Is Ransomware?
Ransomware is one kind of malicious software —i.e., malware — that blocks access to a device or data and demands a ransom to be paid to retain the data. Read more
What Does Ransomware Do?
When ransomware infects a device, an encryption schema is executed, resulting in effectively locking organization critical files on the victim’s device. If organizations systems are infected, they will receive a ransom message from the attacker demanding payment which, apparently, will grant access to the decryption digital key which is needed to unlock organizations files and/or system. The following are three types of ransomware
- Crypto ransomware - Crypto ransomware is nothing but a simple weapon with strong encryption applied against victims system to deny them access to those files
- Locker ransomware - This locks the device's user interface and then demands the victim for the ransom.
- Scareware - usually include tech support or security software scorns, not really dangerous.
How high are the Ransoms?
Some ransom demands are relatively low, in the range of a few hundred dollars. However, cybercriminals are getting more aggressive. Attacks that target healthcare institutions and larger organizations can carry very high ransom demands. For example, a South Korean web hosting firm admitted to paying a $1M ransom to its attackers in June 2017.
How Are Ransoms Collected?
Attackers generally require ransoms to be paid in Bitcoin or another "untraceable" electronic format. These "cryptocurrencies" are fully digital. They are created and held electronically, have no physical form, and are not controlled by any banking entity.
Key Ransomware Characteristics
New ransomware is coming out in volumes at an ever-increasing pace
- Unbreakable Encryption:
Ransomware features unbreakable encryption. Organizations can't decrypt the files on their own. It has the ability to encrypt all kinds of files in the victim’s computer such as documents to pictures, videos, audio files and other things.
- Ransomware Note:
After a successful attack, the attacker lets the victim know that their system is been attacked, by displaying an image or a message that let them know that their data has been encrypted. This note also specifies the amount of ransom that has to be paid to get back the encrypted files or data.
- Bitcoin Payment:
Bitcoin is a crypto-currency this is usually cannot be tracked by cybersecurity researchers and law enforcement agencies. This is why attackers demand payment from the victims in the form of Bitcoins.
- Payment Deadline:
The ransom payments, usually have a time limit. In the extortion scheme, setting a deadline is a kind of psychological constraint on the victim. Going over the deadline typically means that the ransom will be increased if payment is not done on time. This deadline also gives a warning for the victim for destroying their data forever, if not paid on time.
- Organized Network:
Attackers also will have organized networks to plan the attacks, they usually recruit the infected PCs into botnets, so that they can expand their infrastructure as fuel for future attacks. It can also spread to other PCs connected to a local network, creating further damage.
- Hard to Detect:
It uses a complex set of evasion techniques to go undetected by traditional antivirus. Depending on the computer, the takeover can sometimes take hours if a computer is fast, and sometimes it can take days for the malware to encrypt all the files.
- Extracts Organizations data:
It frequently features data exfiltration capabilities, meaning that it can also extract data from the affected computer and send it to a server controlled by the attackers. It sometimes includes geographical targeting, meaning the ransom note is translated into the victim's language, to increase the chances for the ransom to be paid.
- No location is safe:
It sometimes includes geographical targeting, meaning the ransom note is translated into the victims language, to increase the chances for the ransom to be paid.
Ransomware by the Numbers
How ransomware works
Ransomware can take n number of vectors to access a computer, in which Phishing spam is one of the most common delivery systems. An email will be sent to a victim that comes with an attachment that is masqueraded as a file they should trust. Once the attachment is downloaded by the victim, soon the attacker will take over the victim's computer and if the victim has had built-in social engineering tools, it is very much easy for the attackers to gain administrative access. NotPetya is another aggressive form of ransomware that is more powerful and doesn’t need any tricks. It will directly exploit security holes to infect computers.
Once the malware enters into the victim’s computer, it can do several things to exploit organizations data, the most common thing that malware does is to encrypt all or some of the user's files. These files cannot be decrypted as the attacker only knows the decryption key. Here the attacker starts his business by first sending a message to the victim's system, saying their files are now inaccessible and will only be decrypted if the victim sends an untraceable Bitcoin payment to the attacker.
In some cases, the attacker will also pretend to be a law enforcement agency and shuts down the victim's computer saying it has pirated software on it or has the presence of pornography, and demands payment of a "fine,". This is one way where the victims are less likely to report the attack to authorities. Leakware or doxware is one kind of malware activity, where the attacker threatens to expose the victim's sensitive data, unless a ransom is paid. But searching and extracting such critical data is a very tricky scheme for attackers, encryption ransomware is the most common type.
Following are the four steps to show how ransomware actually works
- Ransomware comes in the form of an e-mail with an attachment or a Web address. The moment the attachment is downloaded or the link to the Web address is clicked, the virus downloads itself onto the computer.
- Ransomware takes advantage of flaws that may exist in the computer operating system due to a variety of reasons including the lack of the latest fixes and patches.
- Once active, the ransomware encrypts the data in the hard drive, usually with 24-bit encryption which is virtually impossible to decrypt without an unlock key. Demands are then made for payment, usually via bitcoins because it is almost impossible to trace the recipients. The hackers may then send the unlock key. In many cases, they don't even do that and the data in the computer is lost forever.
- Newer forms of ransomware, such as WannaCry, use flaws in the operating system to replicate themselves and spread to other devices connected to the network like a computer worm.
Ransomware Attacks in 2020-2021
Top Ransomware attacks that threaten the organisations in 2020 and 2021
REvil Ransomware: is the topmost ransomware for the year 2020-21. It is a file encryption virus that infiltrates the system and encrypts all the files and demands money from the victim and they are forced to pay the money via bitcoins. The attackers will double the ransom rate if the victim doesn’t stick to the timeline for clearing the payment.
Sodinokibi Ransomware: also known as Sodin, is a type of REvil ransomware. It first spread in 2019, using a zero-day vulnerability in the servers of Oracle Weblogic. This vulnerability was later fixed, but the attackers made use of software installers to spread Sodin. Sodinokibi ransomware has a configurable structure, due to which it can process the following things, when activated:
- Making use of CVE-2018-8453 weakness to expand one’s authorization.
- Encrypting mobile or web drivers that have not yet been taken to the whitelist.
- Averting resource conflict by concluding blacklisted projects.
- Deleting files that are on the blacklist.
- Transferring the system data to the attacker that belongs to the target.
Nemty Ransomware: is different from other ransomware, it acts like a ransomware service. It was a version of RaaS (Ransomware as a Service), here the clients were able to spread these versions in their preferred way. Phishing emails were widely used to spread this malware. When the victim is infected with Nemty, they had to pay 30% of the ransom to the Nemty developers and the remaining to the clients
Nephilim Ransomware: As per cybersecurity researchers, Nephilim Ransomware is just like Nemty, as they both have similar resource codes, designs and attitudes. They both threatened the victims to pay the ransom, else they would publish the sensitive data. This type of ransomware was largely found in large scale industries, the attackers managed to encrypt victims’ data by using the vulnerability of a remote desktop network and VPN.
NetWalker Ransomware: is one of the modern variations of ransomware, also known as Mailto. NetWalker-using attackers, majorly targeted the remote working employees, Governmental agencies, corporations and healthcare organisations. In the list of 2020-2021 Ransomware attacks, NetWalker is one of the most destructive malicious software. NetWalker encrypts all Windows devices. It uses a configuration including ransom notes and file names. Cybersecurity researchers have identified that NetWalker follows two different ways to attack. One through Phishing emails about Coronavirus and the other through executable files that spread through networks.
Checklist effective security measures to keep Ransomware at Bay:
Check out our blog to have an understanding of how the pandemic has brought in new security challenges and how to design a security palm amid the newer risks. Click Here
- Policies/ procedures: pandemic centric cybersecurity policies may be the same or need to be updated as per the new set of cyber-attacks and their consequences. Documentation on Cybersecurity operating procedures must be kept current.
- Cross-training and backup plan: organizations need to create a skills matrix of key cybersecurity personnel and their roles, and need to cross-train them on handling events in case of emergency.
- IDS and IPS management: Make Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) both part of organizations' network infrastructure. IDS/IPS are configurable to help enforce internal security policies at the network level
- Co-ordinate with network vendors, including local access, internet access, and WAN services, to make sure the ongoing outbreak does not disrupt the network services
- Cybersecurity plans. Ensure the cybersecurity or information security plan is up to date and documented with all necessary data to respond to a cyberattack.
- Integrate a Zero Trust Architecture which helps to prevent unauthorized access, and reduce the risk of any hacker’s movement within your network.
- Security posture assessment: frequent security posture assessments help cybersecurity personnel’s to identify cybersecurity strength and resilience in relation to cyber-threats.
- Incident Response Plan: To identify, analyse and mitigate a potential cyberattack. An incident response plan helps IT staff detect, respond to, and recover from network security incidents such as cybercrime, data loss, and service outages.