Ransomware is malware that uses encryption to hold a victim's data to ransom. A user's or organization's critical data is encrypted so that they can no longer access their files, databases, or applications, and a ransom is then demanded in exchange for restoring access. Ransomware is often designed to spread across a network and target database and file servers, so it can quickly paralyze an entire organization. It is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting significant damage and expense on businesses and government organizations.
How does ransomware work?

Ransomware uses asymmetric encryption: cryptography that uses a pair of keys to encrypt and decrypt a file. The public-private key pair is generated by the attacker uniquely for the victim, and the private key needed to decrypt the files is stored on the attacker's server. The attacker makes the private key available to the victim only after the ransom is paid, though as recent ransomware campaigns have shown, that is not always the case. Without the private key, it is nearly impossible to decrypt the files being held for ransom.

Many variations of ransomware exist. Ransomware (and other malware) is often distributed through email spam campaigns or targeted attacks. Malware needs an attack vector to establish its presence on an endpoint; once present, it stays on the system until its task is accomplished. After a successful exploit, ransomware drops and executes a malicious binary on the infected system. This binary then searches for and encrypts valuable files, such as Microsoft Word documents, images, databases, and so on. The ransomware may also exploit system and network vulnerabilities to spread to other systems and possibly across an entire organization. Once files are encrypted, the ransomware prompts the user to pay a ransom within 24 to 48 hours to decrypt the files, or they will be lost forever. If no data backup is available, or the backups were themselves encrypted, the victim is faced with paying the ransom to recover their files.

Why is ransomware spreading?

Ransomware attacks and their variants are rapidly evolving to counter preventive technologies, for several reasons:
- Today's thieves don't even have to be tech savvy. Ransomware marketplaces have sprung up online, offering malware strains to any would-be cybercrook and generating extra profit for the malware authors, who often ask for a cut of the ransom proceeds.
- Increasingly, cybercrime groups are devising ransomware schemes to make a quick profit.
- The easy availability of open-source code and drag-and-drop platforms for developing ransomware has accelerated the creation of new ransomware variants and helps script novices create their own ransomware.
- Cutting-edge malware such as ransomware is typically polymorphic by design, which allows cybercriminals to easily bypass traditional signature-based security that relies on file hashes.

Why is it so hard to find ransomware perpetrators?

The use of anonymous cryptocurrency for payment, such as bitcoin, makes it difficult to follow the money trail and track down the criminals.

What is ransomware-as-a-service (RaaS)?

Ransomware-as-a-service is a cybercrime economic model that allows malware developers to earn money from their creations without having to distribute the threats themselves. Non-technical criminals buy their wares and launch the infections, paying the developers a percentage of their take. The developers run relatively few risks, and their customers do most of the work. Some ransomware-as-a-service offerings use subscriptions, while others require registration to gain access to the ransomware.

How to defend against ransomware

To avoid ransomware and mitigate the damage if you are attacked, follow these tips:
Key incident response ransomware data points

The following trends are commonly seen by our frontline incident response experts when investigating and remediating ransomware.

[Chart: Median Dwell Time for Ransomware Attacks (in Days)]

The median dwell time for ransomware attacks is 72.75 days, compared with 56 days for all threats (including ransomware).

[Chart: Popular Days of the Week for Ransomware Deployment]

The days of the week highlighted in the chart represent when deployment and execution of the ransomware begins, not when the attacker gains initial access.

Minimize risk and reduce ransomware dwell time

Focus on attacker behavior to reduce the average dwell time of a strategic ransomware actor from 72 days to 24 hours or less.

9 steps for responding to a ransomware attack

If you suspect you have been hit by a ransomware attack, it is important to act quickly. Fortunately, there are several steps you can take to give yourself the best possible chance of minimizing the damage and quickly returning to business as usual.
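When scoping an incident, one of the first questions is which files the encryptor described under "How does ransomware work?" actually touched. The following PowerShell script is an added example, not code from the original page or from its authors: it flags documents whose contents no longer match their declared type, combining the magic bytes expected for common extensions (an encrypted .pdf no longer begins with %PDF) with Shannon entropy for formats that are normally low-entropy (.txt, .csv and similar). Compressed formats such as .pdf, .docx and .jpg already sit near 8 bits per byte, so entropy alone is not used for them. The magic-byte table, the 7.5 bits/byte threshold and the demo files are assumptions constructed for this example.

```powershell
# Added example (not part of the original page): flag files whose contents no
# longer match their declared type, which is what a file-encrypting ransomware
# leaves behind. The magic-byte table and the 7.5 threshold are assumptions.

$MagicBytes = @{
    '.pdf'  = [byte[]](0x25, 0x50, 0x44, 0x46)   # %PDF
    '.docx' = [byte[]](0x50, 0x4B, 0x03, 0x04)   # PK zip container
    '.xlsx' = [byte[]](0x50, 0x4B, 0x03, 0x04)
    '.jpg'  = [byte[]](0xFF, 0xD8, 0xFF)
    '.png'  = [byte[]](0x89, 0x50, 0x4E, 0x47)
}
$TextLike = @('.txt', '.csv', '.xml', '.json', '.log')

function Get-ShannonEntropy {
    # Bits of entropy per byte, 0.0 .. 8.0; random or encrypted data is close to 8.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return [Math]::Round($h, 3)
}

function Test-MagicMatch {
    param([byte[]]$Bytes, [byte[]]$Expected)
    if ($Bytes.Length -lt $Expected.Length) { return $false }
    for ($i = 0; $i -lt $Expected.Length; $i++) {
        if ($Bytes[$i] -ne $Expected[$i]) { return $false }
    }
    return $true
}

function Find-SuspectEncryptedFiles {
    param([Parameter(Mandatory)][string]$Root, [double]$EntropyThreshold = 7.5)
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        $ext    = $_.Extension.ToLower()
        $bytes  = [System.IO.File]::ReadAllBytes($_.FullName)
        $reason = $null
        if ($MagicBytes.ContainsKey($ext)) {
            # Known container format: the header is the reliable signal.
            if (-not (Test-MagicMatch -Bytes $bytes -Expected $MagicBytes[$ext])) {
                $reason = "header does not match $ext"
            }
        } elseif ($TextLike -contains $ext -and $bytes.Length -ge 256) {
            # Plain-text format: real text is far below 8 bits/byte.
            $h = Get-ShannonEntropy -Bytes $bytes
            if ($h -ge $EntropyThreshold) { $reason = "entropy $h bits/byte in a text file" }
        }
        if ($reason) { [pscustomobject]@{ Path = $_.FullName; Reason = $reason } }
    }
}

# --- Constructed demo data (temporary files, not real documents) ---
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('ransomcheck-' + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $demo | Out-Null
$random = New-Object byte[] 4096
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($random)

# A PDF with a valid header and a normal text file should pass; two files whose
# contents were replaced with random bytes stand in for encrypted documents.
[System.IO.File]::WriteAllBytes((Join-Path $demo 'report.pdf'),  [byte[]]($MagicBytes['.pdf'] + $random[0..1023]))
[System.IO.File]::WriteAllText( (Join-Path $demo 'notes.txt'),   ('meeting notes ' * 200))
[System.IO.File]::WriteAllBytes((Join-Path $demo 'invoice.pdf'), $random)
[System.IO.File]::WriteAllBytes((Join-Path $demo 'budget.csv'),  $random)

Find-SuspectEncryptedFiles -Root $demo | Format-Table -AutoSize
Remove-Item -Path $demo -Recurse -Force
```

Pointed at a file share after an incident, the function gives a quick inventory of which documents were overwritten, which is the input both for deciding what to restore from backup and for estimating how far the encryptor got before it was stopped. Expect a few false positives from files that were mis-named or legitimately compressed or encrypted by their owners; the point is triage, not proof.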
Why shouldn't I just pay the ransom?

When faced with the possibility of weeks or months of recovery, it might be tempting to give in to a ransom demand. But there are several reasons why this is a bad idea:
Which management tool can you use to approve the deployment of Windows updates to computers?

Windows Server Update Services (WSUS) enables IT administrators to deploy the latest Microsoft product updates. You can use WSUS to fully manage the distribution of updates released through Microsoft Update to the computers on your network.
What critical step should you perform before applying updates?

What should you do before approving updates for installation? Test the updates on your own systems before approving them for rollout.
What is client-side targeting?

With client-side targeting, you use Group Policy or edit the registry settings on client computers so that those computers automatically add themselves to the appropriate computer groups. You must specify which method you will use by selecting one of the two options on the Computers Options page.
How do I push updates from WSUS to clients?

In the WSUS Administration Console, go to Update Services\Server_Name\Updates\All Windows 10 Upgrades. Right-click the feature update you want to deploy, and then click Approve. In the Approve Updates dialog box, from the Ring 4 Broad Business Users list, select Approved for Install.
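The same two steps, client-side targeting and approving a feature update, can be scripted. The PowerShell below is an added example, not code from the original page or from Microsoft's documentation. Part 1 runs on a client and sets the WindowsUpdate policy values that Group Policy would otherwise set, so the computer adds itself to a WSUS computer group. Part 2 runs on the WSUS server with the UpdateServices module and approves feature updates (WSUS classification "Upgrades") for a pilot group first, following the "test before you approve" advice above, and only then for the broad ring named on the page. The server name wsus01.corp.example, port 8530, the group name 'Ring 1 Pilot' and the title pattern are assumptions for this example.

```powershell
# Added example (not part of the original page). Server name, port, pilot group
# name and title pattern are assumptions; 'Ring 4 Broad Business Users' is the
# group named on the page.

# ---- Part 1: on the client, in an elevated PowerShell session ----
function Enable-WsusClientSideTargeting {
    param(
        [Parameter(Mandatory)][string]$WsusUrl,      # e.g. http://wsus01.corp.example:8530
        [Parameter(Mandatory)][string]$TargetGroup   # an existing WSUS computer group
    )
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    foreach ($key in @($wu, $au)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $wu -Name WUServer           -Value $WsusUrl     -Type String
    Set-ItemProperty -Path $wu -Name WUStatusServer     -Value $WsusUrl     -Type String
    Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1            -Type DWord
    Set-ItemProperty -Path $wu -Name TargetGroup        -Value $TargetGroup -Type String
    Set-ItemProperty -Path $au -Name UseWUServer        -Value 1            -Type DWord
    # The Windows Update agent reads these values at its next detection cycle;
    # the WSUS server then moves the computer into $TargetGroup.
    Get-ItemProperty -Path $wu | Select-Object WUServer, TargetGroupEnabled, TargetGroup
}
# Enable-WsusClientSideTargeting -WsusUrl 'http://wsus01.corp.example:8530' -TargetGroup 'Ring 1 Pilot'

# ---- Part 2: on the WSUS server ----
Import-Module UpdateServices
$wsus = Get-WsusServer -Name 'wsus01.corp.example' -PortNumber 8530

function Approve-FeatureUpdateForGroup {
    param(
        [Parameter(Mandatory)][string]$TitlePattern,     # wildcard match on the update title
        [Parameter(Mandatory)][string]$TargetGroupName
    )
    # Refuse to approve for a group that does not exist, rather than letting
    # Approve-WsusUpdate fail later with a less clear error.
    $groups = $wsus.GetComputerTargetGroups() | ForEach-Object { $_.Name }
    if ($groups -notcontains $TargetGroupName) {
        throw "WSUS computer group '$TargetGroupName' does not exist on $($wsus.Name)"
    }
    Get-WsusUpdate -UpdateServer $wsus -Classification All -Approval AnyExceptDeclined -Status Any |
        Where-Object {
            $_.Update.UpdateClassificationTitle -eq 'Upgrades' -and
            $_.Update.Title -like $TitlePattern
        } |
        Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroupName -Verbose
}

# Pilot ring first. Approve for the broad ring only after the pilot computers
# report the upgrade installed without problems.
Approve-FeatureUpdateForGroup -TitlePattern 'Feature update to Windows 10*' -TargetGroupName 'Ring 1 Pilot'
# Approve-FeatureUpdateForGroup -TitlePattern 'Feature update to Windows 10*' -TargetGroupName 'Ring 4 Broad Business Users'
```

Keeping the two approvals as separate, deliberate calls is the scripted form of the staged rollout the console steps describe: the pilot group must be created in the console (or with the server API) before a client can target it, and the broad approval line stays commented out until the pilot has reported back.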