
Ransomware - the dark side of new technologies

Ransomware is among the top 5 threats overall and a significant danger in the field of cyber security. There is a whole process behind this multi-layered intruder. Put simply, it is malware that encrypts files and makes them inaccessible until the victim pays a ransom. It was created for exactly that: to generate revenue from people and companies who want their data back. The bad news is that most antivirus programs do not protect against ransomware. And since no protection method works 100% of the time, combining the different protection options with regular backups is mandatory.

At Geletron we have handled attacks against our customers, and we can tell you from experience that prevention remains the best defense, at least for now. Let us take a short trip to the dark side of cyberspace and tell you more about this danger.

Ransomware is primarily designed to extort money, but it can also be used for political attacks; the NotPetya cyberattack against Ukraine in 2017 is the example. The preferred method of ransom payment is cryptocurrency, as it is difficult to trace. A few years ago we did not expect ransomware to reach the cloud, but today this is commonplace.

It is safe to say that ransomware cyberattacks are a big and lucrative business, so big that research predicts an attack every 11 seconds by 2021, with damage costs of around $20 billion. To get a better picture of the scale of this "phenomenon", see what the interests of cyberterrorists are by sector and by country: https://www.blackfog.com/the-state-of-ransomware-in-2020/

How is ransomware spread?

The second graph suggests that the most affected are the countries leading in purely economic indicators, where, in addition to technological progress, we can also note a more conscious user mindset (i.e. targeted application of various protection practices). Nevertheless, it turns out that ransomware is currently able to overcome many limitations and thrive. Why? Because, like most malware, it relies on flexibility and on not-so-honorable social engineering practices.

There are many ways to get infected with ransomware. The most popular is phishing. You have probably come across one and hopefully did not get hooked. People are tricked into opening malicious emails, clicking on fake links in an SMS or email, or downloading an attachment that infects the computer with ransomware. Usually the message appears credible enough to convince the user to take the desired action. For example, an email posing as a message from a parcel delivery company carries an attachment about a missed delivery. Commonly used attachments have the extensions .doc, .docx, .docm, .xls, .xlsx, .xlsm, .ppt, .pptx, .pptm, .pdf, .js and .lnk, and they usually arrive inside an archive file such as .zip, .rar or .7z.
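An added example, not from the article or from Geletron: a small mail-gateway style check that opens a .zip attachment and flags members with the extensions listed above, double extensions such as notice.pdf.js, and nested archives. The sample archive is constructed inline from harmless placeholder text; the function names are our own.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Attachment extensions the article lists as commonly abused in phishing mail,
# and the archive formats they usually arrive in.
RISKY_EXTENSIONS = {
    ".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
    ".ppt", ".pptx", ".pptm", ".pdf", ".js", ".lnk",
}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}


def classify_name(name):
    """Return why an attachment file name looks risky, or None if it does not."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if last in ARCHIVE_EXTENSIONS:
        return "nested archive"
    if last in RISKY_EXTENSIONS and len(suffixes) > 1:
        # e.g. invoice.pdf.js: the visible 'document' extension hides a script
        return "double extension " + "".join(suffixes[-2:])
    if last in RISKY_EXTENSIONS:
        return "risky extension " + last
    return None


def screen_zip(zip_bytes):
    """Map each flagged member of a .zip attachment to the reason it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            reason = classify_name(info.filename)
            if reason:
                findings[info.filename] = reason
    return findings


def build_sample_zip():
    """Constructed 'missed delivery' archive, like the lure described above.
    The members are harmless placeholder text, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("delivery_notice.pdf.js", "placeholder")
        archive.writestr("tracking.docm", "placeholder")
        archive.writestr("readme.txt", "plain text")
        archive.writestr("more.7z", b"")
    return buf.getvalue()
```

A real gateway would also look inside nested archives and at file content (magic bytes), since a name check alone is easy to evade.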

Some sophisticated types of ransomware infect the system "from the inside". A typical example is WannaCry, which spreads through the Microsoft Windows operating system itself. In the end, the attack affected 200,000 computers worldwide and caused hundreds of millions of dollars in damage.

Another way to "catch" ransomware is to install a fake application, for example from the Play Store. It works through permissions: the download itself will not infect the device or the cloud, but if you grant the permissions the app asks for, it will encrypt your files. For example, a fake photo editing app requests access to the photo gallery and then encrypts it.

In the past, the most popular method of infecting devices was through physical media, for example USB drives.

Once inside the device, ransomware collects operating system details, IP addresses, geographic location and account access permissions. Additional malware is also often loaded onto the user's machine to harvest personal information, intellectual property and credentials, which are later sold for additional revenue. Criminals can also use this information to launch further attacks if, for example, the ransomware has obtained domain administrator rights.

When the ransomware has obtained its encryption keys, it starts encrypting files. The encrypted files themselves are not malicious and are usually not detected or removed by antivirus programs. Once the information is encrypted, the ransomware displays a ransom message. To pressure the victim into a decision, ransomware often includes a countdown clock with a deadline to pay the ransom, after which the decryption key will be destroyed, removing any chance of recovery.

Finally, the ransomware deletes itself to reduce the chances of security companies getting hold of it and analyzing it.

In most cases, ransomware does not harm the infected device. If the operating system does get affected, it's more of a side effect.


Types of ransomware

Each ransomware family, such as CryptoLocker, CryptoDefense or CryptoWall, has its own unique features and its own decryption key.
Here are the main types:

Screen locker: blocks users from accessing their devices. Typically the user turns on the computer but is met by a frozen interface: the keyboard, mouse and screen are locked, and the only thing they can interact with is the ransomware. For example, it may let the user enter numbers into a field for their bank details. Tech-savvy users can figure out how to remove it, which is why hackers often use social engineering tricks to pressure victims into paying a ransom.

Encrypting ransomware: blocks access to user data by encrypting it. It uses both symmetric and asymmetric encryption techniques. Ransomware that uses symmetric encryption typically generates a key on the infected computer and sends it to the attacker, or requests a key from the attacker, before encrypting the user's files. When the user tries to open an infected file, they see a notice saying that the data is encrypted and that, to access it, they must purchase a decryption key. Data shows that nearly 40% of victims pay the ransom to get their information back.
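An added example, not from the article or from Geletron, of how a defender can spot the result of encrypting ransomware on a file share: encrypted output has a near-random byte distribution (entropy close to 8 bits per byte), and some families rename their output, as Ryuk does with .ryk (described further down this page). The entropy threshold, the list of normally low-entropy file types and the sample directory are assumptions we constructed; random bytes stand in for ciphertext, no encryption is performed.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ryuk renames encrypted files with .ryk (see the article); a real deployment
# would load a maintained list of such extensions.
KNOWN_RANSOM_EXTENSIONS = {".ryk"}
# File types that are normally low-entropy. Compressed formats (.docx, .zip,
# .jpg) are excluded because they look "random" even when untouched.
LOW_ENTROPY_TYPES = {".txt", ".csv", ".log", ".xml", ".json", ".html"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits near 8.0


def shannon_entropy(data):
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def suspicious_files(root, sample_size=4096):
    """Map each suspicious file name under root to the reason it was flagged."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext in KNOWN_RANSOM_EXTENSIONS:
            findings[path.name] = "ransom extension " + ext
        elif ext in LOW_ENTROPY_TYPES:
            with path.open("rb") as fh:
                entropy = shannon_entropy(fh.read(sample_size))
            if entropy >= ENTROPY_THRESHOLD:
                findings[path.name] = "entropy {:.2f} in a {} file".format(entropy, ext)
    return findings


def build_sample_tree():
    """Constructed sample directory: one clean text file, one 'encrypted' .csv
    (random bytes standing in for ciphertext) and one file renamed to .ryk."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    Path(root, "notes.txt").write_text("quarterly notes, nothing unusual here\n" * 50)
    Path(root, "customers.csv").write_bytes(os.urandom(4096))
    Path(root, "report.docx.ryk").write_bytes(os.urandom(512))
    return root
```

Run periodically against a share (or on canary files), a sudden jump in the number of findings is a much earlier signal than the ransom note.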

Who are the potential targets?

Literally any person or organization that handles data:

  • ordinary users with low IT literacy, mostly home users who, on top of everything else, are not in the habit of backing up the information on their computer.
  • businesses, where the theft of customer information, valuable emails, documents and presentations does major damage to the business as a whole. This is what makes them an attractive target: they are willing to pay more.
  • public organizations, where data in sectors such as education, government, healthcare, finance and law enforcement is time-sensitive and critical. The degree of urgency also increases the size of the requested ransom.

For decades, hackers have operated on the principle "the wider the impact, the better the chance of a ransom". Even if only 300 out of 10,000 users pay, the game is worth it. Ransomware attacks are now becoming more personalized, targeting specific organizations directly. They are harder to overcome, and the ransom demanded with them is significant.

Celebrities among ransomware

Sodinokibi appeared in 2019 and has been the fourth most widespread ransomware in the world since then. Its high level of flexibility and constant innovation make it extremely dangerous for organizations. A curious fact is that the group behind Sodinokibi avoids infecting systems in countries that were part of the former USSR.

WannaCry appeared in 2017 and left a deep mark in the history of cyberattacks. It crashed over 200,000 systems in 150 countries, causing over $4 billion in financial losses. Some countries such as the US, UK and Australia insisted that North Korea was behind the attack.

Ryuk launched in 2018 and has since earned around $3.7 million from just 52 payouts. It targets large organizations using military-grade encryption algorithms that are extremely difficult to decrypt. When it infiltrates a system, it renames the encrypted files with the .ryk extension and drops a notification with its ransom demands.

Petya and NotPetya can destroy the entire Microsoft operating system. They appeared in 2017 and were mostly directed against Ukraine. And while the Petya malware was only designed to extract a ransom of a few bitcoins, NotPetya evolved into a large-scale political cyberattack.

What to do when faced with ransomware?

Well-meaning advice such as "just don't pay" may be good, but it is not universal. Each case must be considered individually.

Even if you pay, you may not receive a key; they may send you a partial one and then ask for more money; or the decryption tool you paid for may not be suitable at all because no key was ever created for this ransomware. Also, if you pay once, you get on a list and they may visit you again soon, because you have encouraged them. What's more, in the US, any person, business or organization that pays a ransom, or that helps others negotiate and execute transactions with ransomware attackers, can be subject to criminal prosecution or significant fines. You probably already understand the point of the advice above.

This is the place to list some useful ways to avoid this attack. They are not a panacea, but they can save some headaches:

  • keep all your systems up to date and install updates regularly.
  • don't rush to click on something that looks enticing yet suspicious.
  • do not enter your passwords on untrusted sites.
  • use an antivirus program, which increases your chances of being protected.
  • use ransomware prevention services; take a closer look at such products.

The Geletron team offers complete IT solutions for small and medium-sized businesses. We cannot promise that if you partner with us you will never encounter ransomware, but we can significantly reduce the chances of that happening. Contact us and we will tell you real stories from our practice and help you put together the best combination of tools for your company.
