The Complete Guide to Ransomware

Written By: Ontrack

Date Published: 20 November 2024 07:23:20 EST

What is Ransomware? The Complete Guide

Ransomware is a form of malicious software designed to either block access to a computer system or publish a victim’s data online. The attacker demands a ransom from the victim, promising – not always truthfully – to restore access to the data upon payment.

Ransomware Trojans have existed since the 1980s, and the last decade has seen many more of them surface, but the real opportunity for attackers arrived with the introduction of Bitcoin. This cryptocurrency allows attackers to collect money from their victims easily without going through traditional channels.

Ransomware attack: How does the cybercriminal come in?

A ransomware attack begins when malicious software is downloaded onto a device such as a laptop, smartphone or desktop computer. The malicious software is normally downloaded due to user error or inadequate security protocols.

(Spear) Phishing mail

The most common delivery system for ransomware is a phishing email that includes an attachment or a link.

Infected Webpages and Malvertising/Adware

Infected URLs are commonly used to distribute ransomware. Clicking on one of these links, whether through an email or an unverified website, can automatically trigger a ransomware download to your hard drive, also known as a “drive-by download.” Just visiting the site without even downloading anything can lead to a ransomware attack.

Remote access points (RDP)

An increasing number of attacks gain access to a company through open and exposed remote access points, such as RDP and virtual network computing (VNC). RDP credentials can be brute forced, obtained from password leaks, or simply purchased in underground markets. Where past ransomware criminals would set up a command-and-control environment for the ransomware and decryption keys, most criminals now approach victims with ransom notes that include an anonymous email service address, allowing bad actors to remain better hidden.

Once ransomware has infected a system, it takes over the device's critical processes and searches for files to encrypt; the malware scrambles all the data on the device and deletes those files it can’t encrypt. It can also infect any external devices attached to the host machine. For more sophisticated attacks this is just the start of a series of events, as described in the Lockheed Martin Cyber Kill Chain® framework and the MITRE ATT&CK® knowledge base.
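As an added illustration (not from the original article), the RDP password-guessing described above leaves a recognisable trail in logon logs. The script below parses a few constructed lines in a simplified Windows Security log export (Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) and reports each source address with many failed RDP logons, noting whether a successful logon followed the failures.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified Windows Security log export
# (Event 4625 = failed logon, 4624 = success, LogonType 10 = RDP).
SAMPLE_LOG = """\
2024-11-20T07:01:02Z EventID=4625 LogonType=10 User=administrator Source=203.0.113.7
2024-11-20T07:01:03Z EventID=4625 LogonType=10 User=admin Source=203.0.113.7
2024-11-20T07:01:05Z EventID=4625 LogonType=10 User=backup Source=203.0.113.7
2024-11-20T07:01:06Z EventID=4625 LogonType=10 User=svc_sql Source=203.0.113.7
2024-11-20T07:01:08Z EventID=4625 LogonType=10 User=jsmith Source=203.0.113.7
2024-11-20T07:01:09Z EventID=4624 LogonType=10 User=jsmith Source=203.0.113.7
2024-11-20T07:15:00Z EventID=4625 LogonType=10 User=jdoe Source=198.51.100.4
2024-11-20T07:20:00Z EventID=4625 LogonType=2 User=jdoe Source=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Source=(?P<src>\S+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_rdp_bruteforce(log_text, threshold=5):
    """Return {source: (failed_count, distinct_users, success_after_failures)}
    for every source with at least `threshold` failed RDP logons. A 4624 from
    the same source after the failures is the worst case: guessing may have
    succeeded and that host deserves immediate attention."""
    failures = defaultdict(list)
    success_after = set()
    for ev in parse(log_text):
        if ev["lt"] != "10":          # only RemoteInteractive (RDP) logons
            continue
        if ev["eid"] == "4625":
            failures[ev["src"]].append(ev["user"])
        elif ev["eid"] == "4624" and ev["src"] in failures:
            success_after.add(ev["src"])
    return {
        src: (len(users), len(set(users)), src in success_after)
        for src, users in failures.items()
        if len(users) >= threshold
    }
```

Running it against the sample flags only 203.0.113.7: five failures across five different usernames followed by a success, the classic password-spraying profile.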

Different ransomware tactics

Ransomware is also called extortion software. Cyber criminals use different tactics to get money.

Encrypting data

In many cases, experts also speak of encryption trojans, since the extortion is based on the fact that the data is encrypted and inaccessible to the user, with a decryption key promised in exchange for money.

Data stealing/exfiltration: leakware or doxware

Another type of malware is called leakware or doxware. Here the attacker threatens to release sensitive data from the victim’s hard drive unless a ransom is paid. Emails and Word documents are often targeted, and there have also been cases of mobile variants where private messages, pictures, and contact lists from users’ phones have been released.

Doxware is recognized as more effective than encrypting ransomware in terms of getting the money from the victim. With encrypting ransomware, you can maintain separate backups of the data that is no longer accessible, but with doxware, once an attacker holds information that the victim doesn’t want made public, there is little to be done apart from paying up.

Locking

There have also been cases where malware will display a message claiming that the user’s ‘Windows’ is locked. The user is then encouraged to call a “Microsoft” phone number and enter a six-digit code to reactivate the system. The message alleges that the phone call is free, but this isn’t true. While on the phone calling the fake ‘Microsoft’, the user racks up long-distance call charges.

Wiper

Malware whose sole objective is to permanently destroy access to data.

Double and triple extortion

Over time, new tactics emerged that combine data encryption with data theft (double extortion) and add a distributed denial-of-service (DDoS) attack (triple extortion).

Ransomware threat groups and variants

The threat comes from different kinds of actors with different motives and skill levels, ranging from nation-state actors, criminals and hacktivists to script kiddies/thrill seekers and insiders. These threat groups have developed many different variants of ransomware, with new ones being created all the time. The groups often specialize and collaborate.

A few examples of well-known ransomware variants developed by these groups over the last few years:
•    2024: Akira, SEXi
•    2023: LockBit, AlpVM, Clop (sometimes written “Cl0p”), Royal
•    2022: BlackBasta
•    2021: BlackCat
•    2020: NetWalker
•    2019: REvil/Sodinokibi, MedusaLocker, Maze, DoppelPaymer, Anatova
•    2018: Ryuk, GandCrab
•    2017: WannaCry, Dharma, BitPaymer, BadRabbit
•    2016: Petya/NotPetya, Locky, Cerber
•    2015: SamSam
•    2014: Emotet
•    2013: CryptoLocker

A comprehensive overview of the threat groups and variants can be found here: https://github.com/cert-orangecyberdefense/ransomware_map

Am I a target for ransomware?

In today's online world, the question is not whether an organization will be attacked, but when and how well prepared it will be.

If you read the news, you will have noted that organizations from a variety of different sectors and industries have become victims of ransomware attacks. From healthcare to airlines, the attackers don’t seem to have a preference of who they target, or do they?

An attacker will normally choose an organization to hit based on two things:
1. Opportunity
2. Potential financial gain

Opportunity
If an organization has a small security team, lacks IT resources, and has a user base that shares many files, e.g. a university, then an attacker may view this as an easy target.

Potential financial gain
Organizations that need immediate access to their files, e.g. law firms or government agencies, may be more likely to pay a ransom quickly. Organizations holding sensitive data may also be willing to pay to keep news of the data breach quiet.

Should I pay the ransom?

You would think that paying a ransom to gain access to your data was bad enough, but that can pale in comparison to the actual damage costs involved with an attack. Additional implications include:
•    Damage and destruction (or loss) of data
•    Lost productivity
•    Post-attack disruption to the normal course of business
•    Forensic investigation
•    Restoration and deletion of hostage data and systems
•    Reputational harm
•    Employee training in direct response to the attacks

When you take the above into account, it is no wonder that ransomware damages are predicted to climb. Most cybercrime experts urge victims not to pay the ransom, since funding ransomware attackers only helps create more ransomware. Even so, many organizations go against this advice after weighing the value of the encrypted data against the ransom being asked. But why do organisations pay their attackers?

While refusing to pay is recommended for the good of the wider business community, it may not be the best course of action for the business itself. When there is a chance that the business may permanently lose access to vital data, incur fines from regulators or go out of business altogether, its options may seem bleak. The choice between paying a relatively modest ransom and staying in business, or refusing to pay in order to help the wider business community, is a no-brainer for most. In many ransomware cases the ransom is set high enough to be worth the attacker’s while, but low enough that paying is often cheaper than reconstructing the lost data. Discounts are also sometimes offered if the victim pays within a certain timeframe, e.g. 3 days.

With that in mind, some companies are building up reserves of Bitcoin specifically for ransom payments. 

How to prevent a ransomware attack

Ransomware variants target different business verticals. Those at risk should take precautions to reduce their exposure and lessen the effects of an attack. One of the most important plans your organization should have in place is a Disaster Recovery Plan. If you don’t have one, the chances are that the consequences will be severe: many companies that experience data loss and downtime for ten or more days file for bankruptcy within 12 months.

Disaster Recovery Plan

A disaster recovery plan describes various scenarios for resuming work quickly after a disaster such as a ransomware attack. It is a vital part of an organization’s business continuity plan and should allow for sufficient IT recovery and data loss prevention.

Remember to keep the plan updated and to keep some printed copies: if the only copy sits on an encrypted server or drive, even the best emergency plan is useless. If you don’t have a disaster recovery plan, you can download our free template here

Other recommendations include:

  1. Ensure you have up-to-date backups - this way if anything does happen, restoration of your files from a backup is the fastest way to regain access to your data.

  2. Be prepared by testing backups regularly. Organizations must be familiar with what is stored in backup archives and ensure the most critical data is accessible should ransomware target backups.

  3. Conduct user training to ensure all employees can spot a potential attack. Make sure employees are aware of best practices to avoid accidentally downloading ransomware or opening up the network to outsiders.

  4. Implement security policies. Use the latest anti-virus, anti-malware and endpoint detection software and monitor consistently to prevent infections.

  5. Make sure you have content scanning and filtering on your mail servers. Scan every inbound email for known threats and block any attachment types that could pose a threat.

  6. Develop IT policies that limit infections on other network resources. Companies should put safeguards in place, so if one device becomes infected with ransomware, it does not permeate throughout the network.

  7. Secure the services of incident response specialists and Ontrack data recovery specialists in quiet times, with master service agreements in place for an emergency.

  8. Communication is key during a crisis. Create email addresses for use in emergencies (for the most important decision-makers) that are separate from the company environment, e.g. with a free cloud email provider such as GMX or Yahoo. Enter these, including the login data, in the emergency plan. A company-wide WhatsApp group has also been instrumental for affected companies, and an external file share server is helpful too. This speeds up and facilitates communication after an incident.
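Recommendation 2 above says to test backups regularly and to know whether critical data is still intact should ransomware reach the backup store. As an added example (not Ontrack's code or tooling), the script below checks a backup directory against a manifest of SHA-256 hashes taken when the backup was made (a hypothetical two-space-separated "hash  path" format, assumed here) and classifies each file as intact, missing, modified, or modified with encrypted-looking (high-entropy) content, which is how a backup that ransomware overwrote typically presents. The backup set is constructed in a temporary directory so the example runs offline.

```python
import hashlib, math, os, secrets, tempfile
from collections import Counter

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def shannon_entropy(data):
    """Bits per byte: text and office files sit well below 7, ciphertext near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_backup(backup_dir, manifest_text, entropy_limit=7.5):
    """Check each 'sha256  relative/path' manifest line (hypothetical format) and
    return {path: 'ok' | 'missing' | 'modified' | 'modified-high-entropy'}. A hash
    mismatch plus encrypted-looking content is the signature of a backup that
    ransomware reached and overwrote; a restore test from it would fail."""
    report = {}
    for line in manifest_text.splitlines():
        expected, rel = line.split("  ", 1)
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            report[rel] = "missing"
        elif sha256_of(path) == expected:
            report[rel] = "ok"
        else:
            with open(path, "rb") as f:
                head = f.read(65536)  # a sample is enough to judge entropy
            report[rel] = ("modified-high-entropy"
                           if shannon_entropy(head) > entropy_limit else "modified")
    return report

def demo():
    """Constructed backup set: one intact file, one overwritten with random bytes
    (as an encrypting ransomware would leave it) and one deleted file."""
    d = tempfile.mkdtemp()
    files = {"docs/report.txt": b"Quarterly report, plain text.\n" * 200,
             "db/customers.csv": b"id,name\n1,alice\n2,bob\n" * 200,
             "db/orders.csv": b"id,total\n1,10\n" * 200}
    for rel, data in files.items():
        p = os.path.join(d, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    manifest = "\n".join(f"{hashlib.sha256(b).hexdigest()}  {r}" for r, b in files.items())
    with open(os.path.join(d, "db/customers.csv"), "wb") as f:  # simulate the overwrite
        f.write(secrets.token_bytes(4096))
    os.remove(os.path.join(d, "db/orders.csv"))                 # simulate the deletion
    return verify_backup(d, manifest)
```

Run on a real backup, any result other than "ok" for a critical file means the backup cannot be relied on and should be investigated before it is needed in anger.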

Reduce exposure to cyber risk: manage data lifecycle

The management of data across its lifecycle is often not a consideration for many organizations. But without a data lifecycle strategy in place, an organization is leaving itself exposed to serious security risks and costs. Today, the cost of ineffectively safeguarding data comes with ‘too high a price’.

It’s not just ransomware attacks that organizations need to be wary of: data breaches, reputational damage, lost customers, downtime, and large fines are all potential risks for an organization that doesn’t effectively manage its data’s lifecycle. Organizations that take the time to invest the necessary effort and resources in data lifecycle management can minimize the risks and costs around their business-critical data at every stage.

How Ontrack has helped organisations hit by ransomware 

At Ontrack, we are continually tracking different types of ransomware. Ransomware changes and develops all the time, so we want to make sure we are watching and studying the latest changes and advancements. Studying ransomware and its ever-changing forms provides additional knowledge and experience, leading to a higher probability that we will recover data that has been lost as a result of an attack. When it comes to inaccessible data, it is always best to contact an expert. If you find yourself under attack from ransomware, contact an expert like Ontrack to help you regain access to your data.

Below are some examples of successful ransomware data recovery cases we have completed. 

Cyberattack on VMware Datastore and Virtual Backups

Data Recovery from Malware-Infected Virtual Files

Hospital databases rescued from ransomware

Merge files of damaged backup with corresponding virtual files

Rescued MS SQL database from encrypted virtual backup on QNAP

Taking Advantage of Hackers’ Mistakes in a Ransomware Attack

Visit our Ransomware Recovery page

KLDiscovery Ontrack Limited, Nexus, 25 Farringdon Street, London, EC4A 4AB, United Kingdom