Ransomware: How It Works And What To Do To Prevent It

Ransomware attacks cause significant financial losses and reputational damage to businesses. What should you know about this threat, and what methods can you use to defend against it?


  • 27. 02. 2024
  • 8 MIN READ

Ransomware encrypts the user’s data or blocks access to the device, and then demands a ransom – usually in cryptocurrency – to undo the damage. The name combines the words ransom and malware. In more than 90% of cases, it targets the Windows OS.

The first ransomware, known as the AIDS Trojan or PC Cyborg, was reported in 1989 and spread via floppy disks. It encrypted files on the victim’s hard drive and demanded $189 for the key to unlock them. However, because it mainly encrypted the file names rather than the file contents, it did not pose a major threat.

In 2023, ransomware (along with DDoS attacks) was the most common type of attack in the Czech Republic and Europe. Identifying its source, however, is complicated by the Ransomware-as-a-Service (RaaS) model, in which cybercriminals provide their ransomware program to other parties in exchange for a share of the ransom. See our January article for more information on cyber-attacks in the past year.

Target Of Ransomware: Individuals As Well As Large Companies

In the early days, ransomware mainly attacked individuals and smaller companies whose IT systems were not sufficiently secure. However, attackers soon realised the potential of these attacks, and the target has gradually shifted to larger companies that can pay higher ransoms. Nevertheless, many of these companies are now aware of the risk of cyber-attacks and have sophisticated security measures in place. As a result, attackers are increasingly targeting medium-sized and smaller businesses (SMEs), which are more vulnerable regarding cybersecurity.


Types Of Ransomware

Users are at risk of several types of ransomware, with the main ones being cryptors and lockers. The more common cryptors encrypt data and demand a ransom for the key to unlock it. However, they do not interfere with basic computer functions. Lockers, on the other hand, lock access to the victim’s device, usually by locking the operating system.

Cryptors and lockers can be further divided into subcategories:

  • Leakers steal and, in some cases, encrypt sensitive victim data. They then threaten to disclose this sensitive information if a ransom is not paid.
  • Scareware appears as a pop-up window on the computer screen, which claims the computer is infected with malware and demands payment to remove it.
  • Mobile Ransomware infects mobile devices – most often through malicious apps or by downloading infected files from social media, for example.
  • A special kind is the so-called Wipers. Here the attacker threatens to delete the encrypted data if the ransom is not paid. In reality, the attacker never intends for you to regain access to the data and destroys it. This type of attack is often associated with hacktivists, whose motive is not financial enrichment but drawing attention to their activist goals.

New Methods Of Extortion

In traditional ransomware, attackers demand a ransom in exchange for the decryption key. However, a victim who regularly backs up their data can avoid paying. The concept of these attacks has therefore changed in recent years, and double-extortion and triple-extortion methods have evolved.

In the case of double extortion, the perpetrators increase the pressure on their victims by threatening to disclose the stolen information in addition to the ransom demands. In triple extortion, threats of service disruption, such as a targeted DDoS attack and contacting third parties about possible data leaks (business partners, employees, or clients of the company), are added.

The Most Powerful Ransomware Attack In History

In 2017, ransomware called WannaCry hit over 250,000 users in 150 countries. It was the work of the hacker group The Shadow Brokers, which exploited a vulnerability in the Windows OS called EternalBlue to infiltrate victims’ devices. The hackers demanded a $300 ransom for the decryption key, to be paid in bitcoin.

However, British computer expert Marcus Hutchins was instrumental in stopping the attack. He found in the WannaCry code that the ransomware tried to connect to a non-existent internet domain before running, so he registered that domain, which stopped further copies of WannaCry from activating. The attack affected individuals as well as government organisations and hospitals, and the losses associated with it are estimated at approximately $4 billion.

How Ransomware Works

How a ransomware attack unfolds depends on various factors – the specific type of attack, the victim’s security measures, or the attackers’ motivation. Most attacks, however, go through the following phases:

  • Device Penetration: Attackers must first gain access to the network or the victim’s device. This can be through phishing, malware, stolen login credentials, or exploiting a software vulnerability. Perpetrators also often exploit security flaws in the Remote Desktop Protocol (RDP) or Server Message Block (SMB) protocol.
  • Environment Discovery: In this phase, the perpetrators move through the compromised environment and try to extend their access to other systems and applications.
  • Data Collection and Theft: Attackers identify and steal the victim’s data. They are particularly interested in sensitive data (e.g., login credentials, bank account information, important corporate data), which they can use for double extortion.
  • File Encryption: Crypto ransomware encrypts files and, in some cases, even backups of those files. Lockers lock the device screen and prevent the victim from using the device. Encryption does not necessarily start immediately after the attacker enters the device; it may be triggered months or even years later.
  • Ransom Demands: After encrypting files or locking the device, attackers send the victim a notification (usually via a pop-up or text file) demanding a ransom and the instructions to pay it.
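The file-encryption phase leaves two observable traces on disk: file contents that suddenly look like random bytes (high entropy) and files renamed with a ransom extension. As an added example that is not part of this article, the following Python script checks a directory tree for both signs and raises an alert once a majority of files show them; the thresholds, the placeholder extensions and the constructed sample tree are assumptions, and the "after cryptor" sample only writes random bytes to mimic the on-disk result (nothing is actually encrypted).

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed thresholds for this example; tune them for your own file population.
ENTROPY_THRESHOLD = 7.5                      # bits/byte; ciphertext approaches 8.0
SUSPICIOUS_SUFFIXES = {".locked", ".enc"}    # placeholder extensions, not real family names

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: English text is ~4.5, ZIP or ciphertext ~8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: Path) -> dict:
    """Count files that show the two classic signs of a cryptor at work."""
    stats = {"total": 0, "high_entropy": 0, "renamed": 0}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        stats["total"] += 1
        if path.suffix.lower() in SUSPICIOUS_SUFFIXES:
            stats["renamed"] += 1
        head = path.read_bytes()[:64 * 1024]          # first 64 KiB is enough to judge
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            stats["high_entropy"] += 1
    return stats

def is_encryption_event(stats: dict, ratio: float = 0.5) -> bool:
    """Alert once at least `ratio` of the files look encrypted or renamed."""
    if stats["total"] == 0:
        return False
    return max(stats["high_entropy"], stats["renamed"]) / stats["total"] >= ratio

def build_demo_tree(encrypted: bool) -> Path:
    """Constructed sample: 20 plain-text reports, or the same names replaced by
    random bytes plus a ransom extension to mimic a cryptor's output."""
    root = Path(tempfile.mkdtemp())
    for i in range(20):
        if encrypted:
            (root / f"report{i}.docx.locked").write_bytes(os.urandom(4096))
        else:
            (root / f"report{i}.docx").write_text(f"Quarterly report {i}\n" * 100)
    return root

if __name__ == "__main__":
    for label, flag in (("clean share", False), ("after cryptor", True)):
        s = scan_tree(build_demo_tree(flag))
        print(label, s, "ALERT" if is_encryption_event(s) else "ok")
```

In production the same check would run on file-change notifications for a share rather than on a full rescan, and a single high-entropy file (a ZIP, a JPEG) must not trigger it, which is why the alert needs a majority.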

What To Do In The Case Of An Attack

Every cybersecurity handbook advises the same thing. If you are the victim of a ransomware attack, do not pay the ransom. There is no guarantee that the attackers will actually restore access to your data, and you could end up without your data and funds. Moreover, paying the ransom signals to the attackers that their methods are effective and motivates them to carry out further cyber-attacks. If you back up regularly, try to recover your data from your backups and contact law enforcement.

The National Cyber Security Bureau (NCSB) also recommends taking the following steps immediately upon discovering a ransomware attack:

  • Disconnect the backup server from the network and limit network communication between devices as much as possible.
  • Isolate individual systems and communicate outside the infected network.
  • It is recommended to leave the device powered on but disconnect it at the network level. If this is not possible, it is better to turn it off.
  • Disconnect communications to the public network, determine the extent of the infection, and isolate the infected systems. Document the findings on an ongoing basis.
  • Suspend all virtual machines. If this is not possible, take a snapshot and shut them down.
  • Take an image of the infected systems and collect relevant logs, suspicious IP addresses, and other indicators of compromise. Also, keep temporary evidence, e.g., data in the system’s memory or information in the Windows security log.
  • Contact a cybersecurity expert (or IT), company management, and the police.
  • Request probe/firewall logs from the ISP.
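The penetration phase described earlier often starts with guessed RDP credentials, and the Windows security log that the list above says to preserve is where that shows up: a burst of failed logons (event ID 4625, logon type 10) from one source, followed by a success (event ID 4624). As an added example that is neither the article's nor NCSB's code, the following Python detector runs over constructed, simplified log lines (timestamp, event ID, logon type, account, source address, not a real export) and flags sources that exceed a failure threshold inside a time window; the threshold and window are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of simplified Windows Security log lines (not a real export):
# timestamp, event ID (4625 = failed logon, 4624 = successful logon),
# logon type (10 = RemoteInteractive, i.e. RDP), account, source address.
SAMPLE_LOG = """\
2024-02-20T03:14:02 4625 10 administrator 203.0.113.7
2024-02-20T03:14:03 4625 10 admin 203.0.113.7
2024-02-20T03:14:03 4625 10 backup 203.0.113.7
2024-02-20T03:14:04 4625 10 jnovak 203.0.113.7
2024-02-20T03:14:05 4625 10 jnovak 203.0.113.7
2024-02-20T03:14:06 4625 10 jnovak 203.0.113.7
2024-02-20T03:14:09 4624 10 jnovak 203.0.113.7
2024-02-20T08:55:10 4625 10 mdvorak 10.0.0.12
2024-02-20T08:55:30 4624 10 mdvorak 10.0.0.12
"""
FAILED_LOGON, SUCCESSFUL_LOGON, RDP_LOGON_TYPE = "4625", "4624", "10"

def parse_events(log_text):
    """Turn the simplified lines into (time, event_id, logon_type, account, source) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, event_id, logon_type, account, source = line.split()
        events.append((datetime.fromisoformat(ts), event_id, logon_type, account, source))
    return sorted(events)

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside `window`, and note
    whether the same source then logged on successfully (a guessed password)."""
    by_source = defaultdict(list)
    for ev in parse_events(log_text):
        if ev[2] == RDP_LOGON_TYPE:
            by_source[ev[4]].append(ev)
    alerts = {}
    for source, events in by_source.items():
        recent = []              # timestamps of failures still inside the sliding window
        accounts = set()         # accounts tried from this source
        for ts, event_id, _, account, _ in events:
            recent = [t for t in recent if ts - t <= window]
            if event_id == FAILED_LOGON:
                recent.append(ts)
                accounts.add(account)
                if len(recent) >= threshold:
                    a = alerts.setdefault(source, {"failures": 0, "accounts": accounts,
                                                   "success_after_bruteforce": False})
                    a["failures"] = max(a["failures"], len(recent))
            elif event_id == SUCCESSFUL_LOGON and source in alerts and len(recent) >= threshold:
                alerts[source]["success_after_bruteforce"] = True   # the guess worked
    return alerts
```

A success flagged with `success_after_bruteforce` is the point at which the source address and account belong in the indicators of compromise collected in step 6 above.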

Protection Against Ransomware

As with all cyber threats, the most effective defence against ransomware is prevention. Let us recap the best practices that can protect important data and limit the damage.

  1. Back up sensitive data regularly, ideally to hard drives or other devices that can be disconnected from the network. It is generally recommended to follow the 3-2-1 rule: make at least three copies on two different devices, keeping one outside the organisation. Large infrastructures can take several days or even weeks to transfer data from back-ups. At MasterDC, we have the experience. For example, we helped a customer whose complete data was encrypted by ransomware transfer back-ups from AWS by enabling Direct Connect, which got the data back to the client many times faster.
  2. Update operating systems and other applications. Ransomware often exploits vulnerabilities in outdated software, so running the latest versions is critical. In addition to regular updates, it pays to strengthen server security by hardening it, i.e. removing vulnerabilities and security gaps. For a practical guide on how to get started with hardening, see our article Security Hardening: Basic Principles For Improving Server Security (Not Only).
  3. Network segmentation, which, if configured correctly, can help stop the spread of ransomware. In addition, isolating different parts of the infrastructure increases the protection of critical systems and data.
  4. Implementing access control policies and user authentication. Using strong authentication can make it difficult for an attacker to use a guessed or stolen password.
  5. Undertake cybersecurity education for employees to increase awareness of phishing and other social engineering methods that can lead to ransomware attacks.
  6. Use antivirus and antimalware software, firewalls, and other tools to protect your network. Also, keep an eye out for updates to them.

Backup And Prepare A Disaster Recovery Plan

With the increasing frequency of ransomware, organisations have gotten better at preventing attacks and dealing with their aftermath. According to Sophos’ research, almost all affected organisations (99%) were able to recover some of their data, with 73% using backups to retrieve it. Hand in hand with this statistic goes the decline in the share of victims paying the ransom: 41% of affected organisations paid in 2022, compared with 50% in 2021 and 70% a year earlier.

One of the key factors behind this trend is increased investment in securing corporate systems and in technology that can detect cyber-attacks. A disaster recovery plan is essential to ensure a rapid and coordinated response to ransomware (and other cyber or natural threats). To put an infrastructure recovery plan in place, you can contact MasterDC administrators to analyse your corporate IT and set a strategy specifically for your business.
