What is Ransomware?
Ransomware is malware that, once it has infected a machine, denies the victim access to their data or device, usually by encrypting files, and demands payment to restore access. Many current operations also steal data before encrypting it and threaten to publish it if the ransom is not paid (so-called double extortion). The motivation is almost always financial. Ransomware typically announces itself with an on-screen ransom note, and payment is demanded in a cryptocurrency such as Bitcoin to make the criminals harder to trace.
How Does Ransomware Work?
Ransomware spreads through everyday user activity and weak perimeter controls: opening a malicious email attachment or link, plugging in an infected removable drive, or visiting a compromised website that silently downloads and installs the malware (a drive-by download). Internet-exposed Remote Desktop Protocol (RDP) services with weak or reused passwords, cheap ransomware kits, and ransomware-as-a-service (RaaS) offerings have lowered the skill required, so attackers with little technical ability can now run campaigns. The on-screen ransom note uses intimidating messages to pressure victims into paying, for example:
“Your computer has been infected with a virus. Click here to resolve the issue.”
“Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
“All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
How do Ransomware gangs operate?
Ransomware gangs most often gain their initial foothold with a Trojan disguised as a legitimate file, typically an email attachment the user is tricked into downloading or opening. Many campaigns are opportunistic and untargeted, so individuals and businesses alike end up as victims.
Examples Of Most Notorious Ransomware Gangs
The best-known ransomware attack is the WannaCry outbreak of May 2017. WannaCry behaved as a worm: it spread laterally across victim networks by exploiting a Windows SMB vulnerability, infecting further computers with no user interaction at all. The BBC reported at the time: “A massive cyber-attack using tools believed to have been stolen from the US National Security Agency (NSA) has struck organizations around the world. Cyber-security firm Avast said it had seen 75,000 cases of the ransomware - known as WannaCry and variants of that name - around the world. There are reports of infections in 99 countries, including Russia and China. The National Health Service (NHS) was among the worst hit in England and Scotland.”
Conti is a ransomware-as-a-service (RaaS) operation believed to be run by the Russia-based cybercrime group Wizard Spider. Its code overlaps with the Ryuk ransomware, which the same group is thought to have operated earlier. Conti continued its prolific track record into 2022, with four attacks reported in the first two months of the year; victims named in those reports include Meyer Corporation, Kenyon Produce Snacks, Delta Electronics, and RR Donnelley. After the Russian invasion of Ukraine in February 2022, the Conti gang published a statement pledging full support for the Russian government and threatening retaliatory attacks on the critical infrastructure of any country that carried out war activities or cyberattacks against Russia.
BlackMatter is a ransomware-as-a-service (RaaS) affiliate program that launched in July 2021. The group claims the project combines features of DarkSide, REvil, and LockBit. Its ransomware targets both Windows and Linux systems, and the group has openly advertised for initial access brokers (IABs), financially motivated actors who sell remote access to already-compromised corporate networks. BlackMatter affiliates have hit several U.S.-based organizations, demanding ransoms ranging from $80,000 to $15,000,000 in Bitcoin and Monero.
REvil's name is a contraction of “ransomware” and “evil.” The group is a Russia-based criminal organization, and security researchers also track its malware family as Sodinokibi (REvil/Sodinokibi). After infection the ransomware encrypts the victim's files; once the data has been stolen and made inaccessible, the group delivers a ransom demand, almost always payable in a cryptocurrency such as Bitcoin, and the demand doubles if payment is not received in time. Cryptocurrencies are preferred because of their perceived anonymity and ease of online payment.
REvil's practice was to steal data from victims' systems, lock the victims out, and threaten to auction off the stolen data, putting additional pressure on them to pay. REvil has targeted major corporations including JBS, Quanta, and HX5. The group also operated as a business, leasing its ransomware and tooling to other criminal groups so that they could run similar attacks, a model known as ransomware-as-a-service (RaaS); REvil took a substantial cut of every ransom those affiliates collected.
Lazarus Group (also known as Guardians of Peace or Whois Team) is a North Korean state-sponsored threat group attributed to the country's Reconnaissance General Bureau. Because of its persistence, resourcing, and wide range of techniques, it is classed as an advanced persistent threat (APT). The group has been active since at least 2009 and was allegedly responsible for the November 2014 attack on Sony Pictures Entertainment, analysed by Novetta under the name Operation Blockbuster. (The Okta breach of January 2022 is sometimes attributed to Lazarus because of the similar name, but it was claimed by the unrelated extortion group LAPSUS$.) Malware used by Lazarus Group also correlates with that seen in Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.
How to Prevent Ransomware Attacks?
There is no sure-fire way to protect against ransomware completely, so the most effective strategy is to be prepared. An organization that follows a basic security hygiene policy and gets the fundamentals right has far less to worry about. Security hygiene is simple in theory but hard to sustain in practice: strong passwords, multi-factor authentication, defense in depth, timely software updates, good backups, and regularly tested restores from those backups.
- Run reputable antivirus or endpoint protection software and keep it updated.
- Keep the operating system, applications, browsers, and security software up to date. Where possible, configure automatic updates so patches are applied as soon as they are released.
- Back up data regularly and keep at least one copy offline or in immutable storage; a cloud backup alone is not enough, because ransomware that reaches a mounted or credentialed backup target will encrypt or delete it too. Test restores periodically so that essential files can actually be recovered if the originals are locked.
- Many ransomware attacks start with a phishing email. Because these lures are increasingly convincing, staff should be cautious before clicking links or opening attachments, and should report suspicious messages rather than simply deleting them.
- Attackers also craft web ads and pop-ups designed to provoke curiosity or fear of missing out, playing on emotions to get a click on a malicious link. If anyone in the organization notices these signs or feels something is not right, they should stop and take extra care.
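The backup bullet above is where most recovery plans fail in practice: a backup that was never verified may already contain encrypted files, or may be silently incomplete. The following is an added example (mine, not code from the original page or from NetSecurity) of the minimum check a practitioner would want: record a SHA-256 manifest of the backed-up tree at backup time, keep that manifest somewhere the ransomware cannot reach, and diff the restored tree against it before trusting it. The directory layout, file names, and the simulated encryption are all constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest recorded at backup time.

    'missing' plus 'unexpected' together reveal files renamed by ransomware
    (original gone, a '.locked' copy present); 'modified' catches files that
    were overwritten in place with ciphertext.
    """
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
    }


def demo() -> dict:
    """Constructed walk-through: back up, store the manifest out of band, simulate ransomware, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"
        (data / "finance").mkdir(parents=True)
        (data / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (data / "finance" / "budget.csv").write_text("dept,planned\nops,9000\n")
        (data / "readme.txt").write_text("quarterly figures\n")

        # 1. At backup time, record the manifest. In production this file lives on
        #    write-once/offline media or in an immutable bucket, never beside the data.
        manifest_path = Path(tmp) / "offline_manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(data), indent=2))

        # 2. Simulated ransomware (constructed): one file overwritten with ciphertext
        #    in place, another encrypted and renamed with a ransom extension.
        (data / "finance" / "budget.csv").write_bytes(os.urandom(64))
        ledger = data / "finance" / "ledger.csv"
        ledger.write_bytes(os.urandom(64))
        ledger.rename(ledger.with_name("ledger.csv.locked"))

        # 3. Before trusting a restore, diff it against the manifest.
        return verify_restore(data, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash manifest only proves that the restored files match what was backed up; it says nothing useful if the manifest itself was reachable by the attacker, so store it (or an HMAC over it) with the offline or immutable copy, and run the comparison as part of every scheduled restore test rather than only during an incident.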
How To Detect Ongoing Ransomware Attacks?
Cyber threats and ransomware attacks are increasing at a tremendous pace, and it is increasingly difficult for security analysts and incident responders to detect and investigate them with conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware, and automate incident response actions across millions of endpoints, making response easy, fast, and hassle-free.
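The page does not describe what ransomware actually looks like on an endpoint while it runs, so here is an added example (mine, not part of the original page and not NetSecurity’s or ThreatResponder’s code) of three behavioural heuristics that endpoint detection tooling commonly applies, run over a constructed set of file-activity events: a burst of renames by one process that append the same new extension, writes of near-random bytes to files that should contain readable text, and any touch of a canary (decoy) file. The event shape, process names, paths, thresholds and events are all constructed for illustration.

```python
import math
from collections import defaultdict
from typing import Optional

WINDOW_SECONDS = 60       # sliding window for the rename-burst rule
RENAME_THRESHOLD = 20     # one process appending the same extension to this many files
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits close to 8.0
# Constructed canary path: a decoy file no legitimate process should ever touch.
CANARY_FILES = {r"C:\Shares\Finance\~canary_do_not_open.txt"}
# Plaintext formats only: .docx/.xlsx/.pdf are already compressed, so their
# legitimate content is high-entropy and the entropy rule would false-positive.
PLAINTEXT_EXTS = (".txt", ".csv", ".log", ".sql", ".json")


def ev(ts, pid, process, action, path, new_path=None, data=b""):
    """One constructed file-activity event (the shape is an assumption, not real telemetry)."""
    return {"ts": ts, "pid": pid, "process": process, "action": action,
            "path": path, "new_path": new_path, "data": data}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for one repeated byte, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def appended_extension(old: str, new: str) -> Optional[str]:
    """'.locked' for report.docx -> report.docx.locked; None for an ordinary rename."""
    if new.startswith(old) and len(new) > len(old):
        return new[len(old):]
    return None


def detect_mass_rename(events, threshold=RENAME_THRESHOLD, window=WINDOW_SECONDS):
    """One process appending the same extension to >= threshold files inside the window."""
    times_by_key = defaultdict(list)
    for e in events:
        if e["action"] != "rename":
            continue
        ext = appended_extension(e["path"], e["new_path"])
        if ext:
            times_by_key[(e["pid"], e["process"], ext)].append(e["ts"])
    alerts = []
    for (pid, proc, ext), times in times_by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "mass_rename", "pid": pid, "process": proc,
                               "ext": ext, "count": end - start + 1})
                break
    return alerts


def detect_high_entropy_writes(events, threshold=ENTROPY_THRESHOLD):
    """Near-random bytes written to a file that should contain readable text."""
    return [{"rule": "high_entropy_write", "pid": e["pid"], "process": e["process"],
             "path": e["path"], "entropy": round(shannon_entropy(e["data"]), 2)}
            for e in events
            if e["action"] == "write" and e["path"].lower().endswith(PLAINTEXT_EXTS)
            and shannon_entropy(e["data"]) >= threshold]


def detect_canary(events, canaries=CANARY_FILES):
    """Any modification, rename or deletion of a canary file is an alert on its own."""
    return [{"rule": "canary_touched", "pid": e["pid"], "process": e["process"],
             "path": e["path"], "action": e["action"]}
            for e in events
            if e["action"] in ("write", "rename", "delete") and e["path"] in canaries]


def run(events):
    return detect_mass_rename(events) + detect_high_entropy_writes(events) + detect_canary(events)


# Constructed benign activity: a user saving and renaming a few documents.
BENIGN_EVENTS = [
    ev(1000.0, 412, "winword.exe", "write", r"C:\Users\alice\Documents\report.docx",
       data=b"PK\x03\x04" + bytes(range(256)) * 4),   # zip-compressed, high entropy but expected
    ev(1001.0, 1204, "explorer.exe", "rename", r"C:\Users\alice\Documents\draft.docx",
       r"C:\Users\alice\Documents\draft_v2.docx"),
    ev(1002.0, 2231, "notepad.exe", "write", r"C:\Users\alice\Documents\notes.txt",
       data=b"meeting at 10, bring the Q3 numbers\n" * 20),
]

# Constructed attack: a masquerading process renames 25 spreadsheets in 12 seconds,
# overwrites a text file with ciphertext, then hits the canary.
ATTACK_PID, ATTACK_PROC = 9981, "svchost_.exe"
ATTACK_EVENTS = [
    ev(1010.0 + i * 0.5, ATTACK_PID, ATTACK_PROC, "rename",
       rf"C:\Shares\Finance\sheet{i:02d}.xlsx", rf"C:\Shares\Finance\sheet{i:02d}.xlsx.locked")
    for i in range(25)
] + [
    ev(1023.0, ATTACK_PID, ATTACK_PROC, "write", r"C:\Shares\Finance\notes.txt",
       data=bytes(range(256)) * 16),
    ev(1024.0, ATTACK_PID, ATTACK_PROC, "rename", r"C:\Shares\Finance\~canary_do_not_open.txt",
       r"C:\Shares\Finance\~canary_do_not_open.txt.locked"),
]

if __name__ == "__main__":
    for alert in run(BENIGN_EVENTS + ATTACK_EVENTS):
        print(alert)
```

Each rule is weak on its own (backup agents rename in bulk, archivers write high-entropy data), which is why the benign Word save in the sample is deliberately high-entropy and produces no alert; real detection logic correlates several of these signals per process and ties them to the process ancestry and the identity that launched it before responding, and the canary rule is the one with the lowest false-positive rate because nothing legitimate should ever open that file.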
Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) solution, in action? Click the button below to request a free demo of NetSecurity’s ThreatResponder platform.
The page's content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content "as is" or "modified" shall be considered illegal subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).