Circle 01
Circle 02
Circle 03

Join our mailing list

Subscribe to the TSC newsletter to receive exclusive news and advice
  • 24 October 2022
  • 8 min read

Ransomware: security tips and everything you need to know

What is a ransomware attack and how can you spot one? What are the most common ransomware attacks and how can you avoid them?
25

There was a belief that ransomware attacks had become outdated. However, if events in 2022 are any example, then ransomware attacks are here to stay.

Ransomeware security tips and everything you need to know

This 2022 report shows that ransomware attack rates rose by 13 percent over the last 12 months. The data highlights a need for more cybersecurity awareness about ransomware.

In this blog post we will detail what a ransomware attack is, how a device gets infected, what a ransomware attack looks like, some examples of infamous ransomware strains, and some security tips on staying safe against ransomware.

What is a ransomware attack?

When we refer to ransomware, we refer to a type of malware attack in which the attacker locks and encrypts a victim’s account, and/or important data files and then demands a financial payment to unlock and decrypt the data.

Ransomware can remain dormant on a device until the device is at its most vulnerable, and only then execute an attack. After a device is exposed to the malicious code, the ransomware attack proceeds as follows.

Ransomware attacks take advantage of human, system, network, and software vulnerabilities to infect a device such as a computer, printer, smartphone, smart watch, or digital terminal.

How does a device get infected with ransomware?

A device is infected when the victim clicks a link, visits a web page, or installs a file, application, or program that includes malicious code designed to secretly download and install the malware/ransomware.

What does a ransomware attack look like?

There are usually seven steps to a ransomware attack. We have detailed them below:

  1. Infection: Ransomware is covertly downloaded and installed on the device. This is done usually by hiding malicious links in emails, web pages, files, applications and so on.
  2. Execution: The ransomware scans and maps locations for targeted file types as well as mapped networks connected to the device. Some ransomware attacks also delete or encrypt any backup files and folders during this stage, so they are solely in control of the data they mean to hold ransom.
  3. Encryption: The ransomware malware then performs a key exchange with the Command and Control Server of the criminal, using the encryption key to scramble all files parsed in Step 2: Execution. The ransomware also locks access to the data.
  4. User Notification: Then, the ransomware adds instruction files detailing the pay-for-decryption process, then uses those files to display a ransom note to the user. The ransom note usually appears as a text file on the user’s desktop or device screen.
  5. Cleanup: After the ransom note is displayed, the ransomware usually terminates and deletes itself, leaving only the payment instruction files.
  6. Payment: The cyber victim then has to click a link in the payment instructions, which takes the victim to a web page with additional information on how to make the required ransom payment.
  7. Decryption: After the victim pays the ransom, the victim may receive the decryption key from the cybercriminal. However, there is no guarantee the decryption key will be delivered as promised – you are dealing with thieves and cybercriminals after all. Which is why it is better to be proactive than reactive!

Examples of ransomware attacks

If we detailed every single strain of ransomware malware, this blog post would never end … there are thousands and thousands. So, with that in mind, we have put together a list of the most infamous malware with context as to their global impact and cyber damage caused.

  • Cerber

Cerber is actually a RaaS (ransomware-as-a-service). It is available for use by cybercriminals and is usually sourced via the dark web. Threat actors carry out the attacks themselves with the understanding that loot will be spread with the malware developer.

Cerber ransomware runs silently while it is encrypting files, and also tries to prevent antivirus and Windows security features from running. It also endeavours to prevent users from restoring the system in a bid to circumvent the malware. When it successfully encrypts files on the machine, it displays a ransom note on the desktop wallpaper.

  • Cryptolocker

Released in 2017, Cryptolocker affected over 500,000 computers. Cryptolocker ransomware infects computers using the Microsoft Windows operating system, through email, file sharing sites, and unprotected downloads. It not only encrypts files on the local machine, but can also scan mapped network drives, and encrypt files it has permission to write to, making this a very damaging ransomware malware. Newer, more updated, versions of Cryptolocker can hide from antivirus software and firewalls making it even harder to detect once on your system.

  • GrandCrab

Released in 2018, GrandCrab encrypts files on a user’s machine and demands a ransom. GrandCrab was used to launch ransomware-based extortion attacks, where attackers threatened to reveal victims’ porn-watching habits in 2018. There are several versions of GrandCrab, all of which target Windows machines. Fortunately, GrandCrab malware has not been updated to a new sophisticated version with free decryptors available today for most versions of GrandCrab.

  • Locky

Locky ransomware can encrypt 160 file types. Locky targets files used by designers, engineers, and testers. First released in 2016, attackers send emails that ask the user to open a Microsoft Office Word or Excel file with malicious macros, or a ZIP file that installs the malware upon extraction. This malware is used in conjunction with social engineering techniques.

  • Ryuk

Ryuk ransomware is a very advanced malware that infects machines via phishing emails or downloads. It extracts a trojan on the victim’s machine and establishes a persistent network connection. Attackers can then use Ryuk as a basis for an Advanced Persistent Threat (APT), installing additional malicious tools. If Ryuk infiltrates another device via connected networks, Ryuk also installs itself on that system. Once the attackers have installed the trojan on as many machines as possible, they activate the locker ransomware and encrypt the files.

How to protect yourself against ransomware

Ransomware and cyber attacks using the trojan technique have been around for a while now. As a result, best practice for dealing with these situations is pretty much nailed down. Of course, in cybersecurity, threats are always evolving and so must the response … but you will not be doing yourself any harm with the security tips we have put together below:

  • Application Whitelisting

To prevent ransomware being installed via unauthorised applications, you can establish a whitelist of centrally controlled applications. This would prevent ransomware making it onto your device.

  • Data Backup

It is also important to regularly backup your organisational data to an external hard drive using the 3-2-1 rule. The 3-2-1 rule asks that you create three backup copies on two different drives with one backup stored in a separate location. If possible, disconnect the hard drive from the device to prevent encryption of the backup data. This is vital as ransomware attacks encrypt all data and delete copies. By following the 3-2-1 rule, you will remain in control of your data.

  • Email Protection

We cannot stress how important it is to train employees to spot and avoid social engineering emails. You must arm them with the knowledge and understanding to keep themselves safe. Give them the confidence to be cyber aware and cyber safe. Conduct simulations to test if employees are able to identify and avoid phishing. But keep in mind, although simulations can test if employees are able to identify and avoid phishing, they should be used with caution as these can be overused and relied upon too much, and there are far more effective ways to raise awareness and improve knowledge around phishing. Use email security services to automatically block suspicious emails and block malicious links if a user does end up clicking on them.

  • Endpoint Protection

Installing and maintaining an up to date antivirus application is an obvious first step in ransomware protection. Endpoint protection and device firewalls will help security teams detect and block attacks occurring on endpoints in real time.

  • Patches and updates

Keep all of your device’s operating system and installed applications up to date. Developers update applications and devices with patches when they are notified of vulnerabilities. If you are ignoring updates, you are leaving your door wide open for a cybercriminal to stroll their way in. Make sure you install security patches and run vulnerability scans to identify and remedy gaps in your security.

  • Website filtering

As an extra security measure, you should increase browser security settings, disable Adobe Flash and other vulnerable browser plugins. Organisations should also use web filtering to prevent users from visiting malicious sites.

Do not be a victim of ransomware!

Hopefully, this deep dive into the tricky world of ransomware gives you a better understanding of this common cyber threat. However, being informed about a threat is one thing, are you prepared to face it?

At TSC, we believe that engaging and targeted cybersecurity awareness training goes a long way to mitigating the threat of ransomware attacks. We are all about controlling and refining the human aspect of cybersecurity.

Nas
Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.
View Profile

See how we can help you protect your organisation today?

Circle 01
Circle 02
Circle 03

Join our mailing list

Subscribe to the TSC newsletter to receive exclusive news and advice