There was a belief that ransomware attacks had become outdated. However, if events in 2022 are any indication, ransomware attacks are here to stay.
This 2022 report shows that ransomware attack rates rose by 13 percent over the last 12 months. The data highlights a need for more cybersecurity awareness about ransomware.
In this blog post we will detail what a ransomware attack is, how a device gets infected, what a ransomware attack looks like, some examples of infamous ransomware strains, and some security tips on staying safe against ransomware.
When we refer to ransomware, we refer to a type of malware attack in which the attacker locks and encrypts a victim’s account and/or important data files, and then demands a financial payment to unlock and decrypt the data.
Ransomware can remain dormant on a device until the device is at its most vulnerable, and only then execute an attack. After a device is exposed to the malicious code, the ransomware attack proceeds as follows.
Ransomware attacks take advantage of human, system, network, and software vulnerabilities to infect a device such as a computer, printer, smartphone, smart watch, or digital terminal.
A device is infected when the victim clicks a link, visits a web page, or installs a file, application, or program that includes malicious code designed to secretly download and install the malware/ransomware.
There are usually seven steps to a ransomware attack. We have detailed them below:
If we detailed every single strain of ransomware malware, this blog post would never end … there are thousands and thousands. So, with that in mind, we have put together a list of the most infamous malware with context as to their global impact and cyber damage caused.
Cerber is actually a RaaS (ransomware-as-a-service). It is available for use by cybercriminals and is usually sourced via the dark web. Threat actors carry out the attacks themselves with the understanding that the loot will be shared with the malware developer.
Cerber ransomware runs silently while it is encrypting files, and also tries to prevent antivirus and Windows security features from running. It also endeavours to prevent users from restoring the system in a bid to circumvent the malware. When it successfully encrypts files on the machine, it displays a ransom note on the desktop wallpaper.
Released in 2017, Cryptolocker affected over 500,000 computers. Cryptolocker ransomware infects computers running the Microsoft Windows operating system through email, file sharing sites, and unprotected downloads. It not only encrypts files on the local machine, but can also scan mapped network drives and encrypt any files it has permission to write to, making this a very damaging piece of ransomware. Newer versions of Cryptolocker can hide from antivirus software and firewalls, making it even harder to detect once on your system.
Released in 2018, GandCrab encrypts files on a user’s machine and demands a ransom. GandCrab was used to launch ransomware-based extortion attacks in 2018, where attackers threatened to reveal victims’ porn-watching habits. There are several versions of GandCrab, all of which target Windows machines. Fortunately, GandCrab has not been updated to a newer, more sophisticated version, and free decryptors are available today for most versions of GandCrab.
Locky ransomware can encrypt 160 file types, targeting files used by designers, engineers, and testers. First released in 2016, Locky is delivered by emails that ask the user to open a Microsoft Office Word or Excel file containing malicious macros, or a ZIP file that installs the malware upon extraction. This malware is used in conjunction with social engineering techniques.
Ryuk ransomware is a very advanced piece of malware that infects machines via phishing emails or downloads. It drops a trojan on the victim’s machine and establishes a persistent network connection. Attackers can then use Ryuk as a basis for an Advanced Persistent Threat (APT), installing additional malicious tools. If Ryuk infiltrates another device via connected networks, it also installs itself on that system. Once the attackers have installed the trojan on as many machines as possible, they activate the locker ransomware and encrypt the files.
Ransomware and cyber attacks using the trojan technique have been around for a while now. As a result, best practice for dealing with these situations is pretty much nailed down. Of course, in cybersecurity, threats are always evolving and so must the response … but you will not be doing yourself any harm with the security tips we have put together below:
To prevent ransomware from being installed via unauthorised applications, you can establish a whitelist of centrally controlled applications. This would prevent ransomware from making it onto your device.
It is also important to regularly back up your organisational data to an external hard drive using the 3-2-1 rule. The 3-2-1 rule asks that you create three backup copies on two different drives, with one backup stored in a separate location. If possible, disconnect the hard drive from the device to prevent encryption of the backup data. This is vital, as ransomware attacks encrypt all data and delete copies. By following the 3-2-1 rule, you will remain in control of your data.
We cannot stress enough how important it is to train employees to spot and avoid social engineering emails. You must arm them with the knowledge and understanding to keep themselves safe. Give them the confidence to be cyber aware and cyber safe. Simulations can test whether employees are able to identify and avoid phishing, but they should be used with caution: they are easily overused and relied upon too much, and there are far more effective ways to raise awareness and improve knowledge around phishing. Use email security services to automatically block suspicious emails and to block malicious links if a user does end up clicking on them.
Installing and maintaining an up-to-date antivirus application is an obvious first step in ransomware protection. Endpoint protection and device firewalls will help security teams detect and block attacks occurring on endpoints in real time.
Keep all of your device’s operating system and installed applications up to date. Developers update applications and devices with patches when they are notified of vulnerabilities. If you are ignoring updates, you are leaving your door wide open for a cybercriminal to stroll their way in. Make sure you install security patches and run vulnerability scans to identify and remedy gaps in your security.
As an extra security measure, you should increase browser security settings and disable Adobe Flash and other vulnerable browser plugins. Organisations should also use web filtering to prevent users from visiting malicious sites.
Hopefully, this deep dive into the tricky world of ransomware gives you a better understanding of this common cyber threat. However, being informed about a threat is one thing. Are you prepared to face it?
At TSC, we believe that engaging and targeted cybersecurity awareness training goes a long way to mitigating the threat of ransomware attacks. We are all about controlling and refining the human aspect of cybersecurity.
© The Security Company (International) Limited 2023