According to the 2019 Verizon Data Breach Report, ransomware is the 2nd most frequent malware attack behind command & control (C2) attacks. This is why ransomware protection is very critical to all organisations. Email is still the top delivery mechanism for all malware, including ransomware. So how do we get users to stop clicking phishing links?
Pro tip: You can’t. Humans will do human things. So we have to approach the problem of ransomware differently. In this post, we will address the basics of ransomware, and explain how an automated detection and prevention system like Varonis is the way to go to prevent ransomware attacks from taking down the network.
Table of Contents
What is Ransomware?
Ransomware is malware that encrypts the target victim’s data. The attacker then tries to get the victim to pay the ransom for the key to decrypt their files.
The first ransomware dates back to 1989, got distributed on floppy disks, and asked for a $189 ransom.
In 2019, the city of Baltimore got hit with a ransomware attack, which cost an estimated $18 million in recovery.
But how exactly does ransomware work?
How Ransomware Works
Ransomware is a multi-staged attack that attackers have packaged in several different ways. The basics are usually the same. Infiltrate the target’s network, encrypt as much data as possible, extort for ransom.
1. Infection
First, attackers need to deliver the malware payload to the target. Most often, this is a simple phishing attack with malware in the file attachments. From here, the ransomware either works locally or tries to replicate itself to other computers on the network.
2. Security Key Exchange
Next, the malware reaches out to the attackers to let them know they have infected a victim and to get the cryptographic keys that the ransomware needs to encrypt the victim’s data.
3. Encryption
Now the ransomware does the encrypting of the victim’s files. It might start with the local disk and then try to probe the network for mapped shares or open shares to attack. The CryptoWall ransomware deleted Volume Shadow Copy files to make restoring from backup harder and looked for BitCoin wallets to steal. WannaCry used the EternalBlue vulnerability to spread to other computers and then perform the encryption.
4. Extortion
The victim is totally pwnd, and the attacker sends the ransom note. Usually, there is some dollar figure attached, and a BitCoin link with threatening messages like “pay us or your data gets it.”
It’s worth it to note that cryptocurrency enabled ransomware to become a lucrative profession. Now the lucrativeness of criminal activity is hard to quantify, but the frequency of attacks indicates that criminals see the upside in continuing to use these techniques.
Recently attackers have used the threat of data exposure as part of their extortion plot. Ransomware can not only encrypts the data in place, it can also exfiltrate the data back to the attackers! The threat becomes, pay us or we release your data.
5. Unlocking and Recovery
Lastly, does the victim pay the ransom and hope the criminal is honorable and will send over the decryption keys? Or does the victim remove the malware infection and try to recover the encrypted data manually.
Attackers generally don’t deliver the keys, even after taking the money. Shocking, I know. That’s why the City of Baltimore ransomware incident cost so much and recovery took so long. Baltimore didn’t pay, so the IT staff had to restore the data that they could and rebuild what machines they couldn’t.
The recovery plan also needs to account for the threat of data release. But how can you prevent an attacker from releasing the stolen data? You can’t. Which makes the protection and prevention of ransomware much more important than relying on data backups for recovery.
How to Protect Against Ransomware: Basic Tips
In building a defense against ransomware attacks, there are things that individuals can do and things that enterprises can do to prevent the initial infection.
Don’t Click the Link!
I know, I know, you have heard that one before. But it is always worth repeating. Phishing emails delivered a large percentage of malware in 2019. Humans aren’t going to stop clicking the link, and I know this because I have clicked the link. So, as fallible mortal humans, we can at least be a little more skeptical of emails. And maybe that little bit of skepticism drops the amount of malware we allow to infect our companies. Check out our blog “The Anatomy of a Phishing Email,” and blow up the infographic and post it around your office.
Build Email Protections and Endpoint Protections
As the enterprise, we know that humans will click the link.
- Scan all emails for known malware strains, and keep firewalls and endpoint protections up to date with the latest known malware signatures.
- Notify users of out of network emails
- Provide VPNs for users to use outside of the network
Keep Backups
Both for enterprises and personal protection, keep current backups of your important data. The best and fastest way to thwart ransomware is by a quick re-image of the disk, and then a data restore from the last good backup – unless the attacks also exfiltrated the data, which is a different issue.
Protect your Personal Information
Humans are genetically predisposed to trust other humans. It’s one of the evolutionary reasons for the vast proliferation of our species. This basic trust is how mentalists can make us believe it was our idea to make a certain choice, or how attackers get us to reveal our passwords or mother’s maiden names.
Again, be skeptical and follow protocol when someone asks you about sensitive information. It’s the same issue as the links, but this might be a real-life in-person interaction. This advice goes double for users in the C-Suite, who are the targets in whale phishing campaigns.
Who’s At-Risk?
Technically, everyone is at risk of a ransomware attack. Economically, the more sophisticated attacks seem to target larger organizations with greater ability to pay. But not all ransomware attacks are targeted, either. Some attackers use carpet-bombing techniques and try to infect as many users as possible at once.
