Ransomware

Ransomware is malware that prevents users from accessing their personal, work, or system files in order to demand a ransom payment. The idea is that access will be restored once the ransom is paid, but there is actually no guarantee that this will happen.

Ransomware may access a computer system via a number of vectors. Phishing spam is among the most common delivery systems. This involves sending email attachments that appear to be trusted files to the victim. After the victim downloads and opens the attachment, it takes over the computer.

Ransomware with built-in social engineering tools is particularly dangerous because it tricks users into allowing administrative access. Certain aggressive types of ransomware don’t even need to trick users, bypassing them entirely by exploiting security holes to infect computers.

There are several ways the ransomware might encrypt the victim’s files, but in any case, only the attacker will have the decryption key for the files. A variation on this theme is doxware or leakware, which threatens the victim not with encrypting files, but with public exposure of private files including sensitive data.

There are several common types of ransomware:

• Crypto-malware — Crypto-malware such as the WannaCry ransomware attack from 2017 simply targets and encrypts folders, files, and hard drives. This is a classic ransomware attack, and in the case of WannaCry, it targeted systems running Windows OS and demanded ransom in Bitcoin.
• Doxware — Doxware, extortionware, or leakware is all the same subset of ransomware that demands ransom or threatens to publish your stolen information online. This is the kind of attack typically linked to personal photos and other sensitive files.
• Locker ransomware — Locker ransomware is so named because it infects the target operating system to lock out the user entirely. This kind of ransomware is most often Android-based and makes it impossible to access any applications or files. CryptoLocker, which generated a 2048-bit RSA encryption key pair, is an example of this kind of ransomware virus.
• Mac ransomware — Since 2016, ransomware has been spotted on Mac operating systems. This form of ransomware infects Apple systems and encrypts victims’ files through an app called Transmission.
• Mobile ransomware — Mobile ransomware has been present at scale since about 2014. It works basically the same way but is delivered through apps, leaving users with “locked” messages and non-functional mobile devices.
• Ransomware-as-a-Service (RaaS) — Ransomware-as-a-Service is malware anonymously hosted on the dark web and offered by cyber criminals. These hackers manage each step, including distributing the payload, managing ransomware decryptors, and collecting payments, for a share of the ransom.
• Scareware — Scareware imitates an antivirus tool, “detecting” problems on your system, and then demanding a ransom to resolve them. Some scareware locks victim systems, while other types flood the screen with pop-ups.

Although these ransomware examples are fairly comprehensive as of this writing, hackers are continuously refining phishing techniques to improve the yield from ransomware.

Social engineering attacks are one way attackers might more effectively deploy ransomware and are often part of a multi-step cyberattack. Hackers research potential targets using various social media platforms to find security vulnerabilities. Attackers will seek out ways to gain the target’s trust so they can successfully deliver ransomware and gain access to information.

Phishing emails are a common form of social engineering attack that frighten the victim into opening an attachment or clicking a link by claiming there has been a security breach. The attachment contains malware or the link is to a malicious website, so the phishing email is frequently the first step in the attack.

Social engineering enables pretexting, a form of phishing in which the attacker mimics someone with legitimate access to sensitive data — such as a bank official, co-worker, or trusted vendor. Once the victim has fallen for the pretext and trusts the attacker, the attacker induces the victim to provide a password or other credentials or perform some other critical task. Spear phishing combines phishing and pretexting in an elaborate technique for targeting specific businesses or people.

A multi-layered approach to ransomware prevention is the best way to stay protected. To deter attackers, use strategies and tools for ransomware protection:

• Use up-to-date antivirus and security software — Install and use a reputable antivirus and security suite that goes past viruses and includes mobile ransomware and ransomware removal tools. Always keep all software and anti-ransomware tools up-to-date to best guard against new ransomware variants that arise.
• Update your software and operating system — Ransomware attackers look for new security vulnerabilities to exploit that have not yet been patched, so update software frequently.
• Do not open email attachments automatically — Email attachments are among the main ransomware infection vectors. Avoid opening attachments or emails with untrusted or unfamiliar senders. Phishing spam in particular may contain legitimate-looking links that actually contain malicious code that can stop you from accessing your sensitive data.
• Do not trust email attachments with macros — Any email attachment that demands that you enable macros to see it should be viewed as suspect. Macro malware can infect multiple files once it is enabled, so do not enable macros, and always delete these emails unless you are absolutely certain of their source.
• Back up important data externally — Backups don’t do any good if they are also encrypted by an attacker, so an air-gapped backup (not attached to the network) is critical to avoiding loss from ransomware attacks. Backup files that are stored entirely separately, either in the cloud or otherwise off-premises, allow for an easier refusal of a ransom demand and a quicker recovery.
• Use cloud services — Using cloud services, for example, to backup and recover after a ransomware attack, can help mitigate the damage and allow your business to roll back its files to their unencrypted form.
• Never pay the ransom — It is unlikely paying will resolve the problem, or allow the victim to recover the encrypted data, and it may make it worse, confirming for the hacker that they found a good target.

Antivirus Protection

Many antivirus tools guard against ransomware attacks by denying unauthorized access to spreadsheets, databases, and unknown programs. They ask the known user — you — whether to allow any access attempt by an unknown program. You should deny any such requests unless you are certain of their provenance.

Ransomware Behavior Detection

There are multiple approaches to detecting and preventing ransomware attacks. Some utilities create “bait” files in locations that ransomware attackers often target. Any modification attempt on these files starts a ransomware response. In other words, this is a form of behavior-based ransomware detection.

Other anti-ransomware tools use behavior-based malware detection strategies but without bait files. Instead, they quarantine threats after detecting unusual behaviors in how programs treat actual documents. Many of these programs automatically back up files when they detect unusual behavior as a safeguard.

Unauthorized Access Prevention

Some anti-ransomware tools work by preventing unauthorized access to programs. They will place files in a protected folder or zone, and no unauthorized programs will be able to create, delete or modify files in that protected area.

File Recovery

All of the previous strategies are important, but there is no substitute for file recovery. In fact, that is why automatic backup is part of most other steps of ransomware protection.

Ransomware attacks do land from time to time despite the best defenses. The best way to survive them is to optimize preventative measures, maintain up-to-date, secure cloud backups of all essential files, and establish an “air gap” or physical separation between backup and essential files. Ransomware recovery should be baked into every larger ransomware prevention strategy.

Frequent data backups and testing of data restoration procedures are essential to surviving a world of network-based ransomware and other cyberattacks. Quick, reliable, automatic cloud backups are the most effective way to replace compromised data after a ransomware attack, maintaining availability and minimizing downtime and damage.

Druva actively scans backup data for signs of a ransomware attack, becoming an extra line of defense past your intrusion detection and prevention system. Should any attack get through, your data is available in the cloud, accessible via the web, until the problem is remediated.

Druva’s data protection-as-a-service stores backup data in the cloud, away from your operating systems under different protocols. This distinguishes the Druva solution from most others, which run in data centers next to systems being targeted by attackers.

With your data secure in the cloud and VMs protected, Druva can perform disaster recovery-as-a-service (DraaS) as well as ransomware recovery. Whether you bring the data center back up with the push of a single button in an AWS VPC in minutes or you run from an older copy before the attack, you have options for running your data center in the cloud until the ransomware issue is resolved.

The entire solution is accessible via a web portal and without the installation of on-site hardware. This is a scalable, cost-effective ransomware solution.

It’s neither safe nor wise to store backups where your server is likely to be attacked — especially when it’s so easy to prepare for ransomware. Learn more about how Druva can help you tackle ransomware challenges.