Malware with a ransom note
Ransomware is malicious software used by threat actors that aims to extort money from victims. This form of cyber aggression is one of the most prolific criminal business models in existence today. Ransomware attacks can cost an organization millions of dollars and can require hundreds of hours to rebuild the devices and restore data destroyed during an attack.
Organizations often learn about their cyber-attack when they receive a notification from an infected machine informing them that their data has been targeted. There are typically a few steps within a typical ransomware attack. First, the system or control server is compromised to install the malware. Next, the malware takes control of the machine by encrypting data with the ransomware. Then, the compromised machine displays a message with the “ransom note” with the attacker’s demands for the individual or corporation, telling them that their encrypted files will not be accessible until the ransom is paid.
Payment is frequently demanded in the form of cryptocurrency, credit card, or gift cards, but that doesn’t ensure that the victim will regain access. If the victim chooses to pay the ransom, the attackers could provide the decryption key to restore access to the victim’s data. Sometimes the victim can pay, and the attackers don’t provide the decryption key, resulting in both data and financial loss. Sometimes a victim chooses not to pay the ransom and relies on system rebuilds and data backups to restore their IT operations. Victims who are targeted once are often targeted by the same cyber criminals again, particularly if they’ve shown a willingness to pay before.
According to the report “Combatting Destructive Malware”, on average, a single ransomware attack costs large multinational companies USD 239 million and destroys 12,316 computer workstations. The cyber threat landscape is constantly evolving and expanding with new ransomware due to the complexity of networks, the cloud, remote virtualization, and the IoT.
There are several ways that ransomware can get into your computer or system. One of the most common is email phishing and spam with messages that include a malicious attachment or link leading to a compromised website. Once the user opens the attachment or clicks the link, the ransomware can infect the computer and spread to the entire network.
Another ransomware attack vector is through an exploit kit that takes advantage of a vulnerability, or security hole, in the system or program. WannaCry is an example of a ransomware infection that affected hundreds of systems worldwide through an exploit in the Microsoft Windows operating system in 2018. It can also take the form of a fake software update, prompting users to enable admin capabilities and execute the malicious code.
Phishing, social engineering and other tactics
Ransomware has been around since 1989, and the attack landscape is constantly expanding as the world’s network and infrastructure gets more complex, from cloud to mobile to IoT.
Ransomware often enters organizations via phishing emails that contain malicious attachments or links to malicious sites. For example, Locky Ransomware infects victims through a Microsoft Word document with embedded malicious macros.
Ransomware can be difficult to combat, but a combination of user education, proactive and practiced incident response planning, and basic security hygiene such as aggressive patch management and endpoint protection solutions can help. The practice of cyber resilience encompasses data protection, data recovery, resilience best practices, and ransomware training for end-users. For organizations that have moved data to the cloud, or use the cloud as their backup location, using tools such as cloud data encryption can help reduce the risk and cost of a ransomware attack.
There are two main classes of ransomware, and both are intended to disrupt business operations for financial gain for the attackers.
Crypto ransomware prevents access to files or data through encryption with a different randomly generated symmetric key for each file. The symmetric key is then encrypted with a public asymmetric key; attackers then demand the ransom payment for access to the asymmetric key.
Doxware is a form of crypto ransomware where victims are threatened with not only losing access to their files, but also having their private files and data made public through “doxing”.
Locker ransomware locks the computer or device by preventing users from logging in; an infected machine can display an official looking message warning the user. This type of malware does not actually encrypt files on the device.
The Department of Homeland Security issued an alert on ransomware and recent variants with advice for organizations and individuals. Their top recommendation is to have a secure data backup and recovery process.
The DHS advised organizations to:
Recovering from ransomware is all about maintaining control of your data as efficiently and securely as possible. Regulations such as GDPR in Europe and the California Consumer Privacy Act are imposing new requirements for data breach notifications that affect how you should handle a ransomware attack. The FBI recommends reporting any ransomware attacks to federal law enforcement so they can coordinate with local United States law enforcement agencies to track attacks and identify attackers.
If you are experiencing a cybersecurity incident, contact the IBM Security X-Force team for immediate help.
Los Angeles partners with IBM Security to create first-of-its-kind cyberthreat sharing group to protect against cybercrime.
Only 38% of state and local government employees are trained on ransomware prevention, but two thirds of all employees are concerned about cyberattacks at their workplace.
Learn how to protect your organization’s data from ransomware threats that can hold it hostage.
Secure network infrastructure against advanced threats and malware.
Get centralized visibility to detect, investigate, and respond to cybersecurity threats.
Discover how you can improve cyber incident response preparedness and minimize the impact of breaches.
Get faster incident response rates with intelligent orchestration and automation.
Threat defense starts with around-the-clock prevention, detection and fast response.
IBM Security X-Force Incident Response detected a new strain of ransomware known as PXJ.
Banking Trojans have become increasingly sophisticated, elevating from bank fraud to large ransoms.
IBM X-Force Threat Intelligence Index helps you understand your cyber risks with a global point-of-view of the threat landscape.
Cybersecurity is founded on protecting the integrity of your networks, systems, devices, and data from cyber-attacks.
What does the explosion of ransomware in 2020 signal for organizations?