Understanding Ransomware Attacks: Definitions and Types

Credit Image: securitymagazine

This article explains the different types of ransomware and the danger each one poses, how ransomware works, and what each kind of attack is trying to accomplish, with real-world context from incidents such as the 2021 attack on Colonial Pipeline.

Ransomware attacks can result in significant loss of data, system functionality, and financial resources. But exactly what is ransomware? Ransomware can take a variety of shapes and forms, not to mention that attackers are constantly evolving and adapting over time. Organizations need to be well-informed about various types of ransomware to put the proper safeguards in place.



What is Ransomware?

Ransomware is malware designed to make critical systems unusable, or sensitive data inaccessible, until the victim pays. For example, a ransomware attack on a hospital might lock doctors and administrators out of the patient records they need continuously. The attacker then displays a system-wide message demanding payment to restore access.

At a high level, ransomware uses cryptography: it encrypts files, or the structures needed to boot or log in, with a key the victim never sees. In practice most families use a hybrid scheme: each file is encrypted with a fast symmetric key, and that key is in turn encrypted with the attacker's public key, so only the attacker's private key can release it. The private key, or a decryptor containing it, is handed over only once the ransom is paid. In short, ransomware stops an organization from operating unless the attacker is paid. Attackers increasingly also steal sensitive data before encrypting it and threaten to publish it unless paid, a tactic known as double extortion.

How Does Ransomware Work?

For a ransomware attack to occur, the malware must first gain access to the environment, usually through a single endpoint. This often happens via phishing, where users are sent links or attachments that appear trustworthy; opening the attachment runs the malware on that machine. Other common entry points are exposed remote-access services with weak or stolen credentials and unpatched internet-facing systems. In more sophisticated attacks the malware, or the operator behind it, escalates to administrative privileges and moves laterally to other hosts, which is how a single infected workstation turns into an organization-wide outage.

The most common form of ransomware encrypts the user's files, or the files of an entire system, as soon as it runs. The key needed to unlock them is known only to the attacker, who promises to release it once payment is made. Payment is almost always demanded in cryptocurrency sent to a wallet the attacker controls; such payments are pseudonymous and hard to attribute, though not truly untraceable, as the partial recovery of the Colonial Pipeline ransom by US authorities showed. Another variation, often called leakware, steals confidential data and threatens to release it to the public, business competitors, or law enforcement unless payment is made.

In short, ransomware invades a computer or an entire network, and from that point the organization is held hostage until it pays the attacker.
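The hybrid key-handling scheme described above, as an added example in Go that is not part of the original article or of Varonis's material. It operates only on in-memory byte slices (the file names and contents are constructed sample data, and the function and type names are this example's own), using the standard library's AES-GCM and RSA-OAEP. The point it makes is the one that matters for defenders: once the per-victim key has been wrapped to the attacker's public key, nothing left on the host can recover the files.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Document is an in-memory stand-in for a victim file; nothing here touches disk.
type Document struct {
	Name  string
	Bytes []byte
}

// Encrypted is what is left on the victim host: per-file ciphertext plus the
// per-victim AES key wrapped to the attacker's RSA public key, never in the clear.
type Encrypted struct {
	Docs       map[string][]byte // name -> nonce || AES-GCM ciphertext
	WrappedKey []byte            // RSA-OAEP(attackerPub, aesKey)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptForVictim models the hybrid scheme: a fresh symmetric key encrypts
// every file (fast), and only that key is wrapped with the attacker's public
// key. The private key never leaves the attacker, so the host cannot undo this.
func encryptForVictim(attackerPub *rsa.PublicKey, docs []Document) (*Encrypted, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	out := &Encrypted{Docs: make(map[string][]byte)}
	for _, d := range docs {
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		// Nonce is prepended; the file name is bound as associated data.
		out.Docs[d.Name] = append(nonce, gcm.Seal(nil, nonce, d.Bytes, []byte(d.Name))...)
	}
	out.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return out, nil
}

// recoverDocs is the "decryptor" sold after payment. It needs the RSA private
// key to unwrap the AES key; with any other key, unwrapping fails and no
// plaintext comes back, which is exactly the victim's position.
func recoverDocs(priv *rsa.PrivateKey, enc *Encrypted) ([]Document, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, enc.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	var docs []Document
	ns := gcm.NonceSize()
	for name, blob := range enc.Docs {
		if len(blob) < ns {
			return nil, fmt.Errorf("%s: truncated ciphertext", name)
		}
		pt, err := gcm.Open(nil, blob[:ns], blob[ns:], []byte(name))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		docs = append(docs, Document{Name: name, Bytes: pt})
	}
	return docs, nil
}

func main() {
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048) // private half stays offline with the attacker
	files := []Document{ // constructed sample input, not real data
		{"patient-records.csv", []byte("id,name\n1,Alice\n")},
		{"invoice.txt", []byte("Amount due: 1200")},
	}
	enc, _ := encryptForVictim(&attacker.PublicKey, files)
	bystander, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err := recoverDocs(bystander, enc) // the victim's position: no private key
	fmt.Println("without the attacker's private key:", err)
	got, _ := recoverDocs(attacker, enc) // what the paid-for decryptor does
	fmt.Println("with it:", len(got), "files restored")
}
```

The practical consequence is the one the removal section below relies on: against a correctly implemented scheme like this, no amount of scanning or Safe Mode booting yields the files, only the private key or a backup does. Real families differ in details (per-file keys, elliptic-curve wrapping, partial encryption of large files for speed) but not in this structure.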

Who is Targeted by Ransomware?

Ransomware attackers select targets based on a variety of factors. Sometimes they simply pick weak ones: either they have scouted a particular organization and know its defenses are sub-optimal, or they choose an industry with traditionally poor cybersecurity. Universities, for instance, make attractive targets because their security teams are small and their networks are open by design, with heavy file sharing and many loosely managed endpoints for attackers to exploit.

Other times, attackers go after companies or governments they believe are most able or likely to pay. Large corporations and governments typically have the funds and often pay out of necessity. (The 2014 Sony Pictures breach, frequently cited here, was primarily a data-theft and wiper attack rather than file-encrypting ransomware, but it shows the scale of damage a well-resourced target can suffer.) Hospitals are also likely to pay simply because lives are quite literally on the line if their systems are down for a prolonged period.

Finally, ransomware hackers will go after organizations they know have sensitive information that might be damaging if released to the general public. Files or data about legal proceedings or confidential intellectual property are targeted, and companies often hand over money to ensure those details aren’t made public. The financial damage that an entity would incur in many instances far exceeds the ransom payment, making these instances extremely profitable for ransomware actors.

Types of Ransomware

Ransomware comes in many different forms, has evolved over the years, and continues to morph in order to avoid modern cybersecurity measures.

Here are some of the main types of ransomware that you should be aware of:

Locker Ransomware

This kind of ransomware locks users out of the device rather than encrypting individual files: the screen is taken over, keyboard and mouse input may be restricted, or logins refused, and the user can typically interact only enough to follow the payment instructions. The "police"-themed Reveton lock screens of the early 2010s are a classic example. (Locky, which is often named in this category, is actually file-encrypting crypto ransomware despite its name.) The relative good news is that locker attacks generally do not destroy or alter data; they aim only to extract payment for restoring access, which is why they can often be recovered from without paying.

Crypto Ransomware

These attacks encrypt important data such as documents, spreadsheets, databases, videos, or photos. Basic system functionality remains, but users can no longer open the files they normally use, and only the attackers hold the keys needed to restore them. Crypto attacks often come with a countdown timer warning that when the clock hits zero the files will be deleted, the key destroyed, or the price raised. Because the encryption itself is usually sound, offline, tested backups are the only reliable recovery path that does not involve paying.
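One way to detect crypto ransomware while it is running, as an added example that is not from the original page: the pattern above, many files rewritten in quick succession with high-entropy contents under a new extension, can be scored from file-write telemetry. The Go below is this editor's own illustration; the events, the 7.0 bits-per-byte entropy threshold, the burst size of five and the list of "known" extensions are constructed assumptions to be tuned to a real environment, and the pseudo-random bytes merely stand in for ciphertext.

```go
package main

import (
	"math"
	"math/rand"
	"path"
)

// WriteEvent is one file-write observation as an EDR or file-system monitor
// would report it. The events below are constructed for this example.
type WriteEvent struct {
	Path    string
	Content []byte
}

// shannonEntropy returns bits per byte, 0..8. Ciphertext and compressed data
// sit close to 8; plain text, CSV and most source files sit well below.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Detector counts writes that are both high-entropy and land in a file whose
// extension the environment does not normally produce. Either signal alone is
// noisy (archives, disk encryption); together, in a burst, they are the classic
// crypto-ransomware pattern. The thresholds are assumptions, not measured values.
type Detector struct {
	EntropyThreshold float64
	BurstSize        int
	KnownExtensions  map[string]bool
	suspicious       int
}

// Observe feeds one event and reports whether the burst threshold is reached.
func (d *Detector) Observe(ev WriteEvent) bool {
	// path.Ext("docs/report.docx.locked") is ".locked", the appended extension.
	if !d.KnownExtensions[path.Ext(ev.Path)] && shannonEntropy(ev.Content) >= d.EntropyThreshold {
		d.suspicious++
	}
	return d.suspicious >= d.BurstSize
}

// alertIndex returns the index of the event that first trips the detector,
// or -1 if the stream never does.
func alertIndex(d *Detector, events []WriteEvent) int {
	for i, ev := range events {
		if d.Observe(ev) {
			return i
		}
	}
	return -1
}

func newDetector() *Detector {
	return &Detector{
		EntropyThreshold: 7.0,
		BurstSize:        5,
		KnownExtensions: map[string]bool{
			".docx": true, ".xlsx": true, ".txt": true, ".csv": true,
			".zip": true, ".pdf": true, ".jpg": true,
		},
	}
}

// pseudoCiphertext stands in for encrypted output: deterministic pseudo-random
// bytes have near-maximal entropy, so no real cipher is needed here.
func pseudoCiphertext(n int, seed int64) []byte {
	r := rand.New(rand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return b
}

// sampleEvents is a constructed stream: two ordinary text writes, a legitimate
// archive, then five files rewritten with a new extension and random contents.
func sampleEvents() []WriteEvent {
	ev := []WriteEvent{
		{"docs/report.docx", []byte("Quarterly report: revenue up, costs flat.")},
		{"docs/budget.csv", []byte("line,amount\nrent,1200\npayroll,8000\n")},
		{"photos/archive.zip", pseudoCiphertext(4096, 7)}, // high entropy but expected
	}
	for i, name := range []string{"report.docx", "budget.csv", "notes.txt", "plan.pdf", "ledger.csv"} {
		ev = append(ev, WriteEvent{"docs/" + name + ".locked", pseudoCiphertext(4096, int64(100+i))})
	}
	return ev
}
```

Run against sampleEvents, the detector stays quiet through the text writes and the archive and alerts on the fifth ".locked" rewrite (index 7). In production the counter would be per-process and time-windowed, and the alert would trigger isolation of that host, which is the step the removal section below describes.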

Scareware

In these attacks, malware infects a system and then poses as a legitimate alert, for example a fake anti-virus warning, claiming to have detected some other virus or malfunction. It then prompts the user to pay a fake service or company to resolve the issue. It is called scareware because users are scared into believing there is a real problem and paying, not realizing the entire ordeal is a scam. Often nothing has actually been encrypted or locked, so removing the software is the whole fix; the threat is the deception, not the damage. All employees and staff should be trained to spot scareware and to know what to do if they suspect an attack.

Doxware

These attacks threaten to publish confidential or sensitive information online or leak it to third parties. Doxware can be highly effective because, as mentioned above, companies often suffer more financial damage from leaked information than the ransom amounts to. Some information is so sensitive that leaking it may threaten the very existence of a business, which makes doxware extremely dangerous. Backups do not help here, since the data has already left: the defenses are limiting what sensitive data is stored and who can reach it, and detecting large outbound transfers before the threat is ever made.

Ransomware-as-a-Service (RaaS)

Ransomware-as-a-Service is less a type of ransomware than a business model, modeled on Software-as-a-Service. A developer group maintains the malware, the payment portal and the leak site; affiliates with little technical skill rent access over the dark web, sometimes for a subscription fee but more commonly for a share of each ransom, and carry out the intrusions themselves. Affiliates can select targets, manage victims and collect payments through a single interface, which has lowered the skill needed to run a ransomware operation.

How to Remove Ransomware

If you do fall victim to a ransomware attack, there are steps you can take to contain the malware and, in some cases, remove it. The first step is to isolate affected devices immediately: unplug network cables, disable Wi-Fi and Bluetooth, detach external drives and other storage media, and pause cloud-sync clients so that encrypted copies are not pushed over clean ones. Prefer isolating to powering off where you can, since a running machine preserves memory and other volatile evidence that responders can use. Isolation stops the ransomware from spreading further across your network.

Next, run a full scan of the isolated systems with your endpoint security software. This helps identify the family involved (the ransom note and the extension added to encrypted files are also good identifiers) and quarantine the malicious components before they can do more damage, such as locking further devices or destroying files. The software can then delete those files and programs automatically, or you can remove them manually if necessary.

In the event of a crypto-ransomware attack, check whether a decryption tool exists for the family before anything else: free decryptors are available only for families whose encryption was implemented badly or whose keys have since leaked (the No More Ransom project maintains a collection), and for correctly implemented ransomware there is no shortcut, so recovery means restoring from offline, tested backups. Decrypting or restoring your files removes the attacker's leverage only if no data was stolen as well. In the event of locker ransomware, restart the device in Safe Mode or boot from clean media; this often bypasses the lock screen so you can run anti-virus software to quarantine and remove the malware.

Source: Varonis.
