Ransomware is a type of cryptovirology malware that attackers use to block access to victim data until a ransom is paid. In addition, some ransomware allows hackers to publish the victim’s data if they do not receive the ransom.
Simpler ransomware attacks may not be difficult to reverse. However, more advanced cryptoviral extortion techniques coupled with digital currencies such as Bitcoin and other cryptocurrency render ransomware an intractable challenge.
What Is ransomware?
Ransomware is malware that prevents users from accessing their personal, work, or system files in order to demand a ransom payment. The idea is that access will be restored once ransom is paid, but there is actually no guarantee that this will happen.
Ransomware may access a computer system via a number of vectors. Phishing spam is among the most common delivery systems. This involves sending email attachments that appear to be trusted files to the victim. After the victim downloads and opens the attachment, it takes over the computer.
Ransomware with built-in social engineering tools is particularly dangerous because it tricks users into allowing administrative access. Certain aggressive types of ransomware don’t even need to trick users, bypassing them entirely by exploiting security holes to infect computers.
There are several ways the ransomware might encrypt the victim’s files, but in any case only the attacker will have the decryption key for the files. A variation on this theme is doxware or leakware, which threatens the victim not with encrypting files, but with public exposure of private files including sensitive data.
How does ransomware work?
Young and Yung first presented the concept of file-encrypting ransomware or cryptoviral extortion in 1996 at Columbia University at the IEEE Security and Privacy conference. Ransomware is based on the three step protocol of cryptoviral extortion that happens between attacker and victim.
In step one, the attacker generates a key pair and stores the public key secretly in the malware. The attacker then either releases the malware generally into the world, or targets the victim specifically with that ransomware. Step one is in the direction of attacker to victim.
In step two, the attacker needs the victim’s system to respond to carry out the cryptoviral extortion attack and waits for the response. The ransomware encrypts the victim’s data by generating a random symmetric key and encrypts that key using its public key.
This hybrid encryption process generates the symmetric ciphertext of the victim’s data and a small asymmetric ciphertext. To prevent recovery, it zeroizes the original plaintext data and the symmetric key.
The victim receives the ransom demand message that includes the asymmetric ciphertext and payment instructions.
Finally, in step three, the attacker either does or does not receive the demand payment. They may or may not return the symmetric key to the victim or use their key to decipher the asymmetric ciphertext. In other words, the victim may pay the ransom or not, and either way still never recover.
Unfortunately, symmetric keys cannot help other victims because they are randomly generated. The attacker’s private key is never exposed to victims.
Delivery of ransomware payload
Typically, attackers enter a system and deliver ransomware payloads using a trojan of some kind, such as a malicious email attachment, an embedded phishing link, or a network service vulnerability. Once the trojan pierces the system, the program runs a payload.
The ransomware payload either locks the system somehow or claims to, for example displaying a fake warning about pirated media or illegal activities. Simpler payloads restrict or block the system unless or until the victim pays. They might do this by modifying the partition table and/or master boot record to stop the OS from booting until the attacker repairs it, or by setting the Windows Shell to itself. More sophisticated payloads actually encrypt files using strong encryption.
Since payment is usually an attacker’s goal, it is essential for them to find a convenient digital payment system that is difficult for law enforcement agencies to trace. Possibilities include digital currencies like Bitcoin, premium-rate text messages, pre-paid voucher services such as paysafecard, and wire transfers—although cryptocurrencies have quickly become the payment option of choice.
Types of ransomware
There are several common types of ransomware:
Crypto-malware. Crypto-malware such as the WannaCry ransomware attack from 2017 simply targets and encrypts folders, files, and hard-drives. This is a classic ransomware attack, and in the case of WannaCry, it targeted systems running Windows OS and demanded ransom in Bitcoin.
Doxware. Doxware, extortionware, or leakware is all the same subset of ransomware that demands ransom or threatens to publish your stolen information online. This is the kind of attack typically linked to personal photos and other sensitive files.
Locker ransomware. Locker ransomware is so named because it infects the target operating system to lock out the user entirely. This kind of ransomware is most often Android-based and makes it impossible to access any applications or files. CryptoLocker, which generated a 2048-bit RSA encryption key pair, is an example of this kind of ransomware virus.
Mac ransomware. Since 2016, ransomware has been spotted on Mac operating systems. Called KeRanger, this form of ransomware infects Apple systems and encrypts victims’ files through an app called Transmission.
Mobile ransomware. Mobile ransomware has been present at scale since about 2014. It works basically the same way, but is delivered through apps, leaving users with “locked” messages and non-functional mobile devices.
Ransomware-as-a-Service (RaaS). Ransomware-as-a-Service is malware anonymously hosted on the dark web and offered by cybercriminals. These hackers manage each step, including distributing the payload, managing ransomware decryptors, and collecting payments, for a share of the ransom.
Scareware. Scareware imitates an antivirus tool, “detecting” problems on your system, and then demanding ransom to resolve them. Some scareware locks victim systems, while other types flood the screen with pop-ups.
Although these ransomware examples are fairly comprehensive as of this writing, hackers are continuously refining phishing techniques to improve the yield from ransomware.
Ransomware and social engineering
Social engineering attacks are one way attackers might more effectively deploy ransomware and are often part of a multi-step cyberattack. Hackers research potential targets using various social media platforms to find security vulnerabilities. Attackers will seek out ways to gain the target’s trust so they can successfully deliver ransomware and gain access to information.
Phishing emails are a common form of social engineering attack that frighten the victim into opening an attachment or clicking a link by claiming there has been a security breach. The attachment contains malware or the link is to a malicious website, so the phishing email is frequently the first step in the attack.
Social engineering enables pretexting, a form of phishing in which the attacker mimics someone with legitimate access to sensitive data—such as a bank official, co-worker, or trusted vendor. Once the victim has fallen for the pretext and trusts the attacker, the attacker induces the victim to provide a password or other credentials, or perform some other critical task. Spear phishing combines phishing and pretexting in an elaborate technique for targeting specific businesses or people.
How to Prevent Ransomware Attacks
A multi-layered approach to ransomware prevention is the best way to stay protected. To deter attackers, use strategies and tools for ransomware protection:
Use up-to-date antivirus and security software. Install and use a reputable antivirus and security suite that goes past viruses and includes mobile ransomware and ransomware removal tools. Always keep all software and anti ransomware tools up-to-date to best guard against new ransomware variants that arise.
Update your software and operating system. Ransomware attackers look for new security vulnerabilities to exploit that have not yet been patched, so update software frequently.
Do not open email attachments automatically. Email attachments are among the main ransomware infection vectors. Avoid opening attachments or emails untrusted or unfamiliar senders. Phishing spam in particular may contain legitimate-looking links that actually contain malicious code that can stop you from accessing your sensitive data.
Do not trust email attachments with macros. Any email attachment that demands that you enable macros to see it should be viewed as suspect. Macro malware can infect multiple files once it is enabled, so do not enable macros, and always delete these emails unless you are absolutely certain of their source.
Back up important data externally. Backups don’t do any good if they are also encrypted by an attacker, so an air-gapped backup (not attached to the network) is critical to avoiding loss from ransomware attacks. Backup files that are stored entirely separately, either in the cloud or otherwise off-premises, allow for an easier refusal of a ransom demand and a quicker recovery.
Use cloud services. Using cloud services—for example to backup and recover after a ransomware attack—can help mitigate the damage and allow your business to roll back its files to their unencrypted form.
Never pay the ransom. It is unlikely paying will resolve the problem, or allow the victim to recover the encrypted data—and it may make it worse, confirming for the hacker that they found a good target.
What should ransomware protection include?
Antivirus protection. Many antivirus tools guard against ransomware attacks by denying unauthorized access to spreadsheets, databases, and unknown programs. They ask the known user—you—whether to allow any access attempt by an unknown program. You should deny any such requests unless you are certain of their provenance.
Ransomware behavior detection. There are multiple approaches to detecting and preventing ransomware attacks. Some utilities create “bait” files in locations that ransomware attackers often target. Any modification attempt on these files starts a ransomware response. In other words, this is a form of behavior-based ransomware detection.
Other anti-ransomware tools use behavior-based malware detection strategies, but without bait files. Instead, they quarantine threats after detecting unusual behaviors in how programs treat actual documents. Many of these programs automatically backup files when they detect unusual behavior as a safeguard.
Prevent unauthorized access. Some anti-ransomware tools work by preventing unauthorized access to programs. They will place files in a protected folder or zone, and no unauthorized programs will be able to create, delete or modify files in that protected area.
File recovery. All of the previous strategies are important, but there is no substitute for file recovery. In fact, that is why automatic backup is part of most other steps of ransomware protection.
Ransomware attacks do land from time to time despite the best defenses. The best way to survive them is to optimize preventative measures, maintain up-to-date, secure cloud backups of all essential files, and establish an “air gap” or physical separation between backup and essential files. Ransomware recovery should be baked into every larger ransomware prevention strategy.
Benefits of a ransomware protection strategy
Ransomware removal tools are only part of a more comprehensive ransomware protection strategy. This is because even the most effective preventative measures fail occasionally, and cybercriminals are continuously innovating.
Enterprises must assume that occasionally they will fall victim to ransomware—if only due to human error. This means that the rest of the ransomware protection strategy must address a response plan that identifies, quarantines, and removes ransomware infections immediately, and automatically restores data to resume normal operations.
Does Druva offer ransomware protection?
Frequent data backups and testing of data restoration procedures are essential to surviving a world of network-based ransomware and other cyberattacks. Quick, reliable, automatic cloud backups are the most effective way to replace compromised data after a ransomware attack, maintaining availability and minimizing downtime and damage.
Druva actively scans backup data for signs of a ransomware attack, becoming an extra line of defense past your intrusion detection and prevention system. Should any attack get through, your data is available in the cloud, accessible via the web, until the problem is remediated.
Druva’s data protection-as-a-service stores backup data in the cloud, away from your operating systems under different protocols. This distinguishes the Druva solution from most others, which run in data centers next to systems being targeted by attackers.
With your data secure in the cloud and VMs protected, Druva can perform disaster recovery-as-a-service (DraaS) as well as ransomware recovery. Whether you bring the data center back up with the push of a single button in an AWS VPC in minutes or you run from an older copy before the attack, you have options for running your data center in the cloud until the ransomware issue is resolved.
The entire solution is accessible via web portal, and without installation of on-site hardware. This is a scalable, cost-effective ransomware solution.
It’s neither safe nor wise to store backups where your server is likely to be attacked—especially when it’s so easy to prepare for ransomware. Learn more about how Druva can help you tackle ransomware challenges here: