Ransomware: A cheat sheet for professionals
This guide covers various ransomware attacks, including Colonial Pipeline, WannaCry and Petya, the systems hackers target and how to avoid becoming a victim and paying cybercriminals a ransom.
In the past, security threats typically involved scraping information from systems that attackers could then use for other crimes such as identity theft. Now cybercriminals demand money directly from victims by holding their devices, and the data on them, hostage. This type of malware attack, in which data is encrypted (or claimed to be) and victims are prompted to pay for the key that restores access, is called ransomware, and it has grown rapidly since 2013.
TechRepublic’s cheat sheet about ransomware is an overview of this malware threat. This guide will be updated periodically as new exploits and defenses are developed.
SEE: Hiring Kit: Cybersecurity Engineer (TechRepublic Premium)
- What is ransomware? Ransomware is malware. The hackers demand payment, often via bitcoin or prepaid credit card, from victims in order to regain access to an infected device and the data stored on it.
- Why does ransomware matter? Because of the ease of deploying ransomware, cybercriminals increasingly rely on such malware attacks to generate profits.
- What are the primary targets of ransomware attacks? While home users were traditionally the targets, healthcare providers, schools and universities and the public sector are now hit with increasing frequency. Enterprises are attractive because they have deeper pockets from which to extract a ransom.
- What are the most well-known ransomware attacks? Ransomware has been an active and ongoing malware threat since September 2013. WannaCry, Petya and the Colonial Pipeline attack are some of the most high-profile ransomware attacks to date.
- How do I protect myself from a ransomware attack? Prompt patching, keeping unsupported systems off the network, restricting which programs users can run and maintaining backups that ransomware cannot reach are the main defenses. If you are already infected, decryption tools developed in collaboration with law enforcement and security firms exist for some ransomware families.
What is ransomware?
Ransomware is a type of malware attack characterized by holding device control, and therefore locally stored data, for a ransom, which victims typically pay in bitcoin or another cryptocurrency. Sophisticated ransomware employs disk- or file-level encryption with a key held only by the attackers, so the files cannot be recovered without that key unless the victim has clean backups or the ransomware's cryptography turns out to be flawed.
Historically, ransomware has invoked the image of law enforcement organizations in order to coerce victims into paying. These messages often display warnings with the FBI logo and a message indicating that illegal file sharing was detected on the system, prompting users to pay a fine or risk criminal prosecution. As ransomware attacks have grown into the public consciousness, attackers have taken to crafting payloads that clearly indicate that a device has simply been hacked and that victims must pay the hackers to return access.
Other attacks, such as the WhiteRose ransomware, display mystifying and scarcely grammatical messages to unsuspecting victims about nothing in particular, describing idyllic settings such as a hacker “sitting on a wooden chair next to a bush tree” with “a readable book” by William Faulkner, in a garden in a remote location.
SEE: Identity theft protection policy (TechRepublic Premium)
Ransomware is often propagated through file-sharing networks, has been distributed through malvertising on the Zedo ad network, and arrives through phishing emails that disguise the payload as a maliciously crafted image or as an executable attachment. WannaCry, perhaps the best-known single ransomware attack, is a worm: it exploits a flaw in Microsoft’s SMBv1 implementation (patched as MS17-010), so any unpatched Windows machine reachable on TCP port 445, whether from the internet or from an already infected neighbour on the same network, can be infected without any user action. Other attacks scan the internet for Remote Desktop services exposed with weak or reused credentials and walk in through them.
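The two entry points just described, SMBv1 and exposed Remote Desktop, can be checked on a single Windows host in a few lines. The following is an added example written for this guide, not code from the article or from any vendor it mentions; it assumes Windows 10 or Windows Server 2016 or newer (for the SmbShare and NetSecurity modules) and an elevated PowerShell session. The 30-day patch threshold and the findings text are the author's choices, not values from the article.

```powershell
# Added example (not from the article): read-only audit of the ransomware entry points
# named above: SMBv1 server support, Remote Desktop exposure, and how stale patching is.
# Assumes Windows 10 / Server 2016+ and an elevated session.

function Get-RansomwareExposure {
    [CmdletBinding()]
    param()

    # SMBv1 server support. WannaCry, NotPetya and Bad Rabbit all spread over SMBv1;
    # on a maintained host this should be $false.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Remote Desktop: fDenyTSConnections = 0 means RDP is switched on.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # UserAuthentication = 1 means Network Level Authentication is required, so an
    # unauthenticated scanner never reaches the login screen.
    $nlaRequired = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1

    # Enabled inbound RDP firewall rules whose remote address is 'Any' accept connections
    # from every network the host sits on, which is what mass RDP scanning relies on.
    $rdpOpenToAny = @(
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
            Get-NetFirewallAddressFilter |
            Where-Object { $_.RemoteAddress -eq 'Any' }
    ).Count -gt 0

    # Days since the most recent hotfix; a large number means patching has stalled.
    $lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $daysSincePatch = if ($lastPatch) { [int](New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).TotalDays } else { $null }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SMB1Enabled    = $smb1Enabled
        RDPEnabled     = $rdpEnabled
        RDPRequiresNLA = $nlaRequired
        RDPOpenToAny   = $rdpOpenToAny
        DaysSincePatch = $daysSincePatch
    }
}

# Report the combinations that matter rather than the raw settings. The 30-day
# threshold is an assumption for this example; pick what your patch cadence allows.
function Test-RansomwareExposure {
    param([Parameter(Mandatory)] $Exposure)
    $findings = @()
    if ($Exposure.SMB1Enabled) {
        $findings += 'SMBv1 enabled: disable it (Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force).'
    }
    if ($Exposure.RDPEnabled -and -not $Exposure.RDPRequiresNLA) {
        $findings += 'RDP without NLA: set UserAuthentication = 1 under WinStations\RDP-Tcp.'
    }
    if ($Exposure.RDPEnabled -and $Exposure.RDPOpenToAny) {
        $findings += 'RDP reachable from any address: scope the firewall rule to an admin subnet or VPN.'
    }
    if ($null -ne $Exposure.DaysSincePatch -and $Exposure.DaysSincePatch -gt 30) {
        $findings += "No hotfix installed for $($Exposure.DaysSincePatch) days: patching is stalled."
    }
    $findings
}

$exposure = Get-RansomwareExposure
$exposure | Format-List
Test-RansomwareExposure -Exposure $exposure
```

Run it through `Invoke-Command -ComputerName` against a list of hosts to get the same object per machine; the findings list is deliberately short so it can be dropped straight into a ticket.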
As of May 2021, there has been a 102% surge in ransomware attacks globally compared to the beginning of 2020, with no signs of slowing down, according to a report from Check Point Research. The report also found that the “number of organizations impacted globally has more than doubled in the first half of 2021, compared with 2020.” In addition, according to the report, healthcare and utilities sectors are the most targeted (as of April 2021); organizations in Asia Pacific have seen the most attacks with an average of 51 per week (a 14% increase compared to the beginning of 2021); and African organizations have seen the highest increase in attacks (34%) since April.
SEE: Infographic: The 5 phases of a ransomware attack (TechRepublic)
Why does ransomware matter?
For cybercriminals, ransomware provides a very straight line from development to profit, whereas the comparatively manual labor of identity theft requires more resources. As such, the growth of ransomware can be attributed to the ease of deployment and a high rate of return relative to the effort involved. Newer ransomware attacks double down on the profit motive by bundling cryptocurrency miners that use the processing power of infected systems while they sit idle waiting for victims to pay.
Typically, ransomware leverages known vulnerabilities, so no original research is required of cybercriminals seeking to make fast money. WannaCry was a special case: it used the EternalBlue exploit together with the DoublePulsar backdoor implant. Both were developed and used by the NSA, and both were leaked by The Shadow Brokers, a group attempting to sell a cache of exploits and hacking tools taken from the U.S. government. Even then, the underlying flaw was not a zero-day when WannaCry struck: Microsoft had shipped a patch for it in March 2017, two months earlier.
Ransomware attacks are generally quite successful for cybercriminals, as victims often pay the ransom. Specifically targeted attacks may result in increasingly higher ransom demands, as malicious attackers become more brazen in their attempts to extort money from victims.
However, “false” ransomware attacks, in which attackers demand a ransom though files are destroyed whether users pay or not, have also appeared. Perhaps the most brazen (though unsuccessful) of these is a KillDisk variant that demanded a $247,000 ransom even though the encryption key is stored neither locally nor remotely, so the files could never be decrypted even if someone paid.
SEE: Ransomware: Why we’re now facing a perfect storm (ZDNet)
What are the primary targets of ransomware attacks?
While home users were traditionally the targets of ransomware, business networks have been increasingly targeted by criminals. Additionally, servers, healthcare and utilities (e.g., the Colonial Pipeline attack) have become high-profile targets for malicious ransomware attackers.
Enterprises are particularly appealing targets for these malware attacks because larger organizations have deeper pockets to pick from; however, those larger businesses are also more likely to have robust IT operations with recent backups to mitigate any damage and avoid ransom payment.
As of 2021, the industry sectors with the highest volumes of ransomware attack attempts globally are healthcare, with an average of 109 attack attempts per organization every week, followed by the utilities sector with 59 and insurance/legal with 34, according to the Check Point Research triple extortion report.
To compound the problem, NTT Security’s 2021 Cybersecurity and the next generation report indicates that 39% of the “next generation” respondents it surveyed would pay a ransom to a cybercriminal in order to be able to continue their work.
What are some of the most well-known ransomware attacks?
While the first rudimentary ransomware attack dates back to 1989, the first widespread encrypting ransomware attack, CryptoLocker, was deployed in September 2013. Originally, victims of CryptoLocker were held to a strict deadline to recover their files, though the authors later created a web service that can decrypt systems for which the deadline has passed at the hefty price of 10 BTC (as of June 2021, the USD equivalent of 10 Bitcoin, or BTC, is approximately $385,793).
While the original CryptoLocker authors are thought to have made about $3 million USD, imitators using the CryptoLocker name have appeared with increasing frequency. The FBI’s Internet Crime Complaint Center estimates that between April 2014 and June 2015, victims of ransomware paid more than $18 million USD to decrypt files on their devices.
Locky, another early ransomware attack, has a peculiar tendency to disappear and reappear at seemingly random intervals. It first appeared in February 2016 and stopped propagating in December 2016, only to reappear briefly in January and April of 2017. With each disappearance, the creators of Locky appear to refine the attack. The Necurs botnet, which distributes Locky, seems to have shifted to distributing the related Jaff ransomware. Both Locky and Jaff delete themselves from systems whose default system language is Russian, a trait commonly read as an attempt to avoid victims in the operators’ home jurisdiction.
SEE: Ransomware attackers are now using triple extortion tactics (TechRepublic)
The WannaCry attack, which started on May 12, 2017, was halted three days later when a security researcher noticed that the malware checked an unregistered domain name before spreading, and registered it. The check was a kill switch rather than a command-and-control channel: once the domain resolved, new infections stopped propagating, although machines that had already been encrypted were not helped. The National Cyber Security Centre, a division of GCHQ, attributed the attack to North Korea. Estimates indicate that WannaCry cost the U.K.’s NHS almost £100 million in disrupted patient care.
Petya, of which GoldenEye is a later variant, was first distributed via infected email attachments in March 2016; like other ransomware, it demanded payment in Bitcoin. Because overwriting the boot record requires administrator rights, a modified version discovered in May 2016 carries a secondary file-encrypting payload (Mischa) that runs if the malware cannot obtain administrator access.
In 2017, a false ransomware attack called NotPetya was discovered. NotPetya was propagated through the software update mechanism of the accounting software MeDoc, which is used by about 400,000 firms in Ukraine. Petya overwrites the master boot record (MBR) of the affected disk with its own loader, which then encrypts the NTFS master file table so the disk can no longer be read; NotPetya does the same but also encrypts individual files and overwrites data, and the “installation key” it shows victims is random and unrelated to the encryption key, so decryption is impossible even if the ransom is paid.
Like WannaCry, NotPetya uses the NSA-developed EternalBlue exploit, alongside EternalRomance, stolen credentials and legitimate administration tools such as PsExec and WMI, to spread through local networks. Compared to Petya, the small ransom NotPetya demanded, the single Bitcoin wallet victims were told to use and an email contact address that was quickly disabled all suggest the aim was to inflict damage rather than to profit. Given that the affected organizations were almost entirely Ukrainian, NotPetya is widely regarded as a cyberwarfare attack.
In October 2017, the Bad Rabbit attack hit victims initially in Russia and Ukraine and spread through corporate networks to Germany, South Korea and Poland. Bad Rabbit encrypts individual files and then the whole disk, using the legitimate DiskCryptor driver for the latter. Like NotPetya, it uses an NSA-developed exploit, EternalRomance (but not EternalBlue), together with a hardcoded list of common credentials for SMB logins, continuing the trend of ransomware weaponizing exploits found by U.S. government agencies and not reported to vendors.
SEE: Ransomware gangs made at least $350 million in 2020 (ZDNet)
In January 2018, the first variants of the GandCrab ransomware family were discovered, with enhanced variants detected that April. GandCrab is distributed primarily through phishing emails, as well as exploits in Internet Explorer, Adobe Flash Player and VBScript. Depending on the specific variant, it demands a ransom paid either in the Dash or Bitcoin cryptocurrencies.
GandCrab was described as “one of the most aggressive forms of ransomware” by Europol. Though its operators announced its retirement in mid-2019, sister site ZDNet explained that researchers believe the attackers may simply have changed focus, based on the “strong similarities in the code of GandCrab when compared to Sodinokibi,” which was still going strong in 2020.
In March 2018, the computer network of the City of Atlanta was hit by the SamSam ransomware, for which the city projected recovery costs of $2.6 million. Rendition Infosec founder Jake Williams noted that the city’s infrastructure had fallen victim to the NSA-developed DoublePulsar backdoor in late April to early May 2017, which ZDNet notes was over a month after Microsoft released patches for the vulnerabilities. Although the City of Atlanta did not pay a ransom, the attackers behind SamSam netted nearly $6 million since the malware first appeared in late 2015, according to a July 2018 report at ZDNet. That report also indicates that the attackers continued to gain an estimated $300,000 per month.
In September 2018, ransomware attacks forced gate information screens offline at Bristol Airport for two days.
ZDNet reported that in November 2018, the U.S. Department of Justice charged two hackers working out of Iran with creating SamSam ransomware, which purportedly “made over $6m in ransom payments over the course of a year. Shortly afterwards, SamSam appeared to cease as an active form of ransomware.”
In 2019, one of the biggest ransomware attacks to make news was the RobbinHood attack on the city of Baltimore government. During the attack, all servers—except essential services—were taken offline. The hackers demanded 13 Bitcoin (equivalent to $501,530.90, as of June 2021) in a ransom note in order to restore services.
It was reported that Baltimore was susceptible to such an attack because of the decentralized control of its technology budget, as well as a failure to fund cyber attack insurance.
Maze ransomware, which combined regular updates to the malware code with threats to leak stolen information if a six-figure ransom wasn’t paid, was one of the most successful ransomware families of 2020. Though the group “retired” in late 2020, it’s thought that several of the members behind the success of the group may have moved on to work on other criminal ransomware operations.
On May 6, 2021, the Colonial Pipeline Company—which is responsible for 45% of the East Coast’s fuel, including gas, heating oil and other forms of petroleum—discovered that it was hit by a ransomware attack. The company was forced to shut down some of its systems, stopping all pipeline operations temporarily.
In a TechRepublic article about the attacks, Lance Whitney reported that the FBI identified the DarkSide ransomware gang as the culprits. DarkSide, a “professional” and “organized” hacking group that has already seen profits in the millions (ransom demands range from $200,000 to $2 million), typically targets English-speaking countries and avoids former Soviet Bloc nations, according to Lior Div, CEO of security firm Cybereason. Div also noted that DarkSide historically goes after domain controllers, from which an entire Windows network can be reached.
“Given this importance, it is likely that this act was known to Russian government—either through direct communication or from intelligence gathering by the GRU and SVR,” said Mike Hamilton, former CISO of Seattle and CISO of government cybersecurity firm CI Security. The motives for the attack could differ between DarkSide and the Russian government, but the Kremlin could be using DarkSide to determine if the U.S. would “draw the line” between a criminal act and an act of aggression, added Hamilton.
It was reported on May 13, 2021 that Colonial Pipeline paid a ransom demand of close to $5 million in return for a decryption key.
SEE: How to prevent another Colonial Pipeline ransomware attack (TechRepublic)
How can I protect myself from a ransomware attack?
Different ransomware families use different points of entry: file-sharing networks, malvertising, phishing, email attachments, malicious links and infected systems scanning for vulnerable open ports on internet-connected computers. Protecting yourself therefore starts with diligent security hygiene rather than any single product. For enterprise workstation deployments, using Group Policy to prevent users from executing unknown programs (AppLocker or Windows Defender Application Control rules that allow executables only from directories standard users cannot write to) is an effective measure against ransomware and other malware, because a phishing payload runs from the user’s profile, not from Program Files.
SEE: Cryptocurrency glossary: From Bitcoin and Dogecoin to hot wallets and whales (TechRepublic Premium)
Ensuring that all devices on your network receive regular and prompt security patches is the single most important defense against any attack, ransomware included. A sane device lifecycle matters just as much: outdated systems running unsupported operating systems such as Windows XP have no place on an internet-connected network. Finally, because a ransom is only worth paying when there is no other way back, keep tested backups that ransomware on the network cannot reach (offline or write-once) and rehearse restoring from them.
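The application-control policy recommended above, as an added example written for this guide rather than code from the article: an AppLocker executable rule set that lets standard users run programs only from the Windows and Program Files directories, so anything launched from Downloads, %TEMP% or %APPDATA% (where phishing attachments land) is blocked, while administrators are exempt so the policy cannot lock you out. The rule GUIDs, the probe file name and the choice of user-writable exceptions are the author's assumptions; the policy is applied locally here, and the same XML can be imported into a GPO for fleet-wide deployment. It assumes a Windows edition that supports AppLocker (Windows 10 Enterprise/Education or Windows Server) and an elevated session.

```powershell
# Added example (not from the article): AppLocker "run only from where software is installed"
# policy for executables, applied in audit mode first. Rule IDs are arbitrary GUIDs chosen here.

$mode = 'AuditOnly'   # switch to 'Enabled' once the AppLocker event log shows no legitimate blocks

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$mode">
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Allow everyone: Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Allow everyone: Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <!-- Standard users can write to these, so a payload dropped there must not inherit the allow. -->
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Allow administrators: everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Write the policy to disk and merge it into the local AppLocker policy (keeps existing rules).
$policyPath = Join-Path $env:TEMP 'applocker-exe.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# AppLocker only enforces while the Application Identity service is running. Its startup type
# is protected, so sc.exe is used rather than Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Dry run: copy a known-good binary to Downloads (a hypothetical "attachment") and ask AppLocker
# what it would do for a standard user, compared with the same binary in System32.
$probe = Join-Path $env:USERPROFILE 'Downloads\applocker-probe.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
# Expected: the System32 copy is Allowed by the Windows-folder rule; the Downloads copy is
# DeniedByDefault because no rule matches it.
Remove-Item -Path $probe -Force
```

Leave the policy in AuditOnly for a week or two and review the Microsoft-Windows-AppLocker/EXE and DLL event log (event ID 8003 is "would have been blocked") before switching `$mode` to Enabled; line-of-business tools that install into the user profile will show up there and need their own publisher or hash rules.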
The No More Ransom project (a collaboration between Europol, the Dutch National Police, Kaspersky Lab and McAfee) provides victims of a ransomware infection with free decryption tools for more than 80 widespread ransomware families, including GandCrab, Popcorn, LambdaLocker, Jaff, CoinVault and many others. A decryptor exists only where a family’s keys were seized or its cryptography turned out to be flawed, so check the project’s identification tool with a sample encrypted file and the ransom note before concluding that paying is the only option.