The Roots and Future of Ransomware
Historically, ransomware targeted individual personal computer users; today, the big money is in attacking businesses—and MSPs are a huge target.
September 23, 2020
Sponsored by Carbonite
Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have?
Substitute your digital space for your home and encryption for the safe, and you have what’s known as ransomware. Ransomware is a type of malware. After the initial infection, your files are encrypted and a note appears demanding payment, usually in a cryptocurrency such as bitcoin, because those transactions can’t be stopped or reversed. Once your files are encrypted, you can’t access them until you pay the ransom.
The roots of ransomware can be traced back to 1989. The virus, known as PC Cyborg, was spread through diskettes given to attendees of a World Health Organization International AIDS conference. Victims of PC Cyborg were instructed to mail $189 to a P.O. box in Panama to restore access to their data.
Historically, ransomware targeted individual personal computer users. Today, the big money is in attacking businesses. Most of these infections go unreported because companies don’t want to expose themselves to further attacks or reputational damage.
Criminals know the value of business data and the cost of downtime. Managed services providers (MSPs) are now an especially attractive target because they service multiple SMB customers simultaneously. Therefore, a successful attack on an MSP magnifies the impact of attacks and the value of the ransom.
Primary ransomware attack vectors, each described in more detail below, include:
Phishing
Cryptoworms
Polymorphic malware
Ransomware as a Service (RaaS)
Targeted attacks
Phishing: Still the No. 1 Ransomware Threat
Ninety percent of all ransomware infections are delivered through email. The most common way to receive ransomware through phishing is a Microsoft Office attachment. Once such an attachment is opened, the victim is asked to enable macros. This is the trick: if the user clicks to enable the macro, ransomware is deployed to the user’s machine. Phishing remains a significant and persistent threat to businesses and individuals. The Webroot 2020 Threat Report showed a 640% increase in the number of active phishing sites since 2019.
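One defensive check the macro trick above invites, added here as example code (not from the original post or from Carbonite/Webroot): flag Office OOXML attachments that carry a VBA project before a user ever sees the "enable macros" prompt. The sample documents are constructed in memory as stand-ins; legacy OLE2 .doc/.xls files need a different parser and are deliberately out of scope here.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# Content types Office assigns to macro-enabled OOXML main parts (well-known values).
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
}
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def has_vba_macros(data: bytes) -> bool:
    """Return True if an OOXML (docx/xlsx/pptx family) attachment contains a VBA project."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False  # not an OOXML package; OLE2 legacy formats need a separate check
    names = zf.namelist()
    # Strongest signal: the embedded VBA project itself, wherever it sits in the package.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return True
    # Weaker signal: the package declares a macro-enabled main part (e.g. a .docm).
    if "[Content_Types].xml" in names:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for override in root.iter(CT_NS + "Override"):
            if override.get("ContentType") in MACRO_CONTENT_TYPES:
                return True
    return False


def _build_sample(macro: bool) -> bytes:
    """Constructed in-memory stand-in for a Word attachment (not a real Office file)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


SAMPLE_DOCM = _build_sample(macro=True)   # macro-enabled: should be flagged
SAMPLE_DOCX = _build_sample(macro=False)  # plain document: should pass
```

A mail gateway or EDR hook can quarantine or sandbox anything for which has_vba_macros returns True, removing the user's click from the equation entirely.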
Cryptoworms
Cryptoworms are a form of ransomware that, once they gain a foothold in an environment, move laterally throughout the network to infect all other computers for maximum reach and impact. The most spectacular incarnation of a cryptoworm was WannaCry in 2017, where more than 200,000 computers were affected in 150 countries, causing hundreds of millions in damages.
Polymorphic code
One of the more notorious forms of ransomware circulating today is polymorphic malware, which makes small changes to its signature for each payload dropped on a machine, effectively making it a brand-new, never-before-seen file. Its ability to morph into a new signature enables it to evade many virus detection methodologies. Studies show that 95% of malware is now unique to a single PC. This is largely due to the shape-shifting abilities of polymorphic malware code. Today, nearly all ransomware is polymorphic, making it more difficult to detect with signature-based antivirus technologies.
Ransomware as a Service (RaaS)
Ransomware has become so lucrative and popular that it’s now available as a “starter kit” on the dark web. This allows novice cybercriminals to build automated campaigns. Many of these kits provide the payload free of charge, but criminals owe the author a cut (usually about 30%, though this varies with how victims are infected) of any ransom paid using that payload. GandCrab, also known as Sodinokibi, was perhaps the most famous to use this tactic.
Targeted attacks
Cybercriminals are moving away from mass distribution in favor of highly focused, targeted attacks. Targets are found by using tools that automatically scan the internet for weak IT systems, so the initial selection is usually opportunistic, driven by whatever the vulnerability scanners turn up. Targeted attacks often work by attacking computers with open RDP ports. Common targets have included large hospitals and municipalities.
Stay cyber resilient with multi-layered defense
As you can see, ransomware criminals have a full quiver of options when it comes to launching attacks. But the good news is that there are also multiple solutions for defending systems against them. The best way to secure your data and your business is to use a multi-layered cyber resilience strategy, also known as defense in depth. This approach uses multiple layers of security to protect the system. We encourage businesses of all sizes to deploy a defense-in-depth strategy to secure business data from ransomware and other common causes of data loss and downtime.
Here’s what that looks like:
Backup: Backup with point-in-time restore gives you multiple recovery points to choose from. It lets you roll back to a prior state from before the ransomware began corrupting the system.
Advanced threat intelligence: Antivirus protection is still the first line of defense. Threat intelligence, identification and mitigation in the form of antivirus remain essential for preventing known threats from penetrating your system.
Security awareness training: Your biggest vulnerability is your people. Employees need to be trained on how to spot suspicious emails and what to do in case they suspect an email is malicious. Our colleagues at Webroot have proven that ongoing user education at regular intervals significantly reduces phishing clickthrough rates.
Patch and update applications: Cybercriminals are experts at identifying and exploiting security vulnerabilities. Failing to install necessary security patches and to update to the latest versions of applications and operating systems can leave your system exposed to an attack.
Ransomware mitigation plan: Make sure your IT staff and employees know what to do when a ransomware virus penetrates a user’s system. The affected device should immediately be taken offline. If it’s a networked device, the entire network should be taken down to prevent the spread of the virus.
You don’t have to wait around for ransomware to come knocking. Check out these five strategies for protecting your business from the cybercriminals looking to extort it.
This guest blog is part of a Channel Futures sponsorship.