Insights: Ransomware Explained

What is ransomware?

There are various different types of malicious software (or ‘malware’), but they generally have a common purpose: to cause harm to your systems, your data, or your finances. Different types of malware include viruses, worms and Trojans. In recent years, ‘ransomware’ has become one of the most prevalent types.

Ransomware is a type of malware that prevents access to a computer system or to data, and requests that the victim pays a sum (the ‘ransom’) to regain access.

A device infected with ransomware enables a cyber-criminal to encrypt (or lock) the device, or part of it (e.g. a particular folder) remotely. Ransoms are often demanded in the form of cryptocurrency (e.g. Bitcoin) to protect the identity of the criminals involved.

Different types of ransomware

There are two main types of ransomware:

• Encrypting or crypto ransomware, the most prevalent type, encrypts files on an infected system resulting in the user being unable to access them. The attacker requests payment of the ransom in exchange for decryption of the files. Other aspects of the infected system may continue to function (e.g. web browsers), as the attacker hopes that the victim will use them to access the relevant payment service.
• Non-encrypting or locker (or ‘screen lock’) ransomware does not encrypt files, but prevents access to or full use of the device, often through interfering with the normal login process, software licence status, or browser operation.

Other types include:

• Exfiltration ransomware, or leakware, which rather than preventing access to files threatens to publish them on the Internet unless the ransom is paid within a certain time.
• Mobile ransomware, which is most similar to non-encrypting ‘locker’ ransomware since mobile devices typically have smaller local storage capacities and data can more easily be restored through resynchronisation with the relevant cloud services.

There are ransomware strains affecting most major operating systems: Microsoft Windows, Apple macOS, Linux, Android and iOS have all been attacked by ransomware.

Examples of ransomware

Some of the most well-known ransomware variants include:

• CryptoLocker: emerged in late 2013 and is estimated to have extorted at least $3 million from victims before being shut down by the US Department of Justice in mid-2014.
• CryptoWall: emerged in 2014 and by mid-2015 the FBI estimated that victim’s losses exceeded $18 million.
• Petya: a form of encrypting ransomware, initially from 2016 which aimed to encrypt at the file system level, preventing systems from booting in to Windows.
• WannaCry: emerged in May 2017 and infected over 230,000 devices in over 150 countries, including parts of the NHS.
• SamSam: a strain of ransomware targeting vulnerabilities in Remote Desktop Protocol (RDP) and identified as the source of attacks on numerous government and healthcare targets.

Recent ransomware trends

More recently, in the 2020s, new ransomware trends have emerged, including:

• General ransomware increase: US security firm Check Point reported global increases in ransomware as a result of changes in organisational structures and working practices due to the COVID-19 pandemic.
• Targeted ransomware: the National Cyber Security Centre (NCSC) released ransomware advice for the UK education sector in March 2021 after a surge of attacks targeting schools, colleges and universities. Other sectors and specific organisations have also been targeted.
• Increase in leakware: there were some high-profile leakware victims in 2020, including the Sodinokibi or REvil attack on Grubman Shire Meiselas & Sacks, a New York law firm representing Lady Gaga, Madonna and others.
• A real world death directly related to a cyber-attack: tragically, 2020 also saw German police launch an investigation after computer systems at Düsseldorf University Hospital were rendered inoperable by ransomware, leading to a female patient due to receive life-saving treatment dying while doctors attempted to transfer her to another hospital.
• Ransomware-as-a-service: providing more people with the ability to launch ransomware attacks by selling them the capability (rather than them having to learn themselves). During 2019 GandCrab was thought to be the most widely distributed ransomware, being sold on the dark web but promoted more openly. Towards the end of 2019 the creators announced it would close down as they had made enough money.

Common ransomware now

Common and harmful variants in circulation include:

• Maze: a sophisticated Windows ransomware strain that not only encrypts but also exfiltrates data to servers controlled by the attackers. This means that restoration from backup won’t be an entirely effective resolution, as cyber-criminals still have a copy of potentially sensitive data. In early 2020 Hammersmith Medicines Research, which had done work on a vaccine for Ebola and drugs to treat Alzheimer’s disease, was targeted by the Maze ransomware.
• Ryuk: believed to be used by at least two Russian criminal groups, Ryuk ransomware appeared in 2018 and often uses ‘Emotet’ or ‘Trickbot’ malware to install itself, defeating many anti-malware defences and with the capability to completely disable a network and even find and disable backup files if they are on accessible servers. Often the initial infection and the encryption of the data take place weeks or months apart, while the attackers attempt to penetrate the systems more deeply to maximise the impact of the attack and the ransom value they demand.
• Cerber: another ransomware-as-a-service (RaaS) variant, Cerber most often spreads through phishing emails. It was the first ransomware variant to include a distributed denial of service (DDoS) element, and also creates an audio file that ‘talks’ to the victim (in addition to the ransom note that appears on the victim’s screen).

How many people and businesses are affected by ransomware?

It’s difficult to get an accurate statistic for the number of people and businesses that have been infected with ransomware for several reasons, including whether or not a ransomware infection is reported, and if it is, to whom.

Statista suggest that there were over 187 million ransomware attacks globally in 2019.

The Department for Digital, Culture, Media and Sport (DCMS) Cyber Security Breaches Survey 2021 found that 7% of UK businesses had experienced a ransomware attack in the previous year.

US telecoms company Verizon also stated that “ransomware is everywhere”, noting in the 2020 Data Breach Investigations Report (DBIR) that ransomware accounts for 27% of malware incidents, and that “no organisation can afford to ignore it”.

Despite differing statistical positions on the extent of ransomware infections, it is clear that it does affect a great many people and businesses and is therefore a threat that requires consideration.

How does ransomware spread?

The ‘attack vector’ is the method the attack uses to perform a malicious action. Three of the most common ransomware attack vectors are:

• Email: in the 2019 DBIR Verizon found that 94% of malware was delivered by email, and phishing emails account for a large proportion of ransomware infections.
• Remote access: US ransomware recovery firm Coveware found that Remote Desktop Protocol (RDP) was the most common attack vector, with attackers identifying open systems and compromising weaker accounts to gain access.
• System vulnerabilities: though fewer attacks involve exploiting vulnerabilities when compared to phishing emails or RDP attacks, they remain an easy target for attackers using existing tools where systems have not been patched.

There are other attack vectors too, including:

• Compromised or malicious web sites: often also called ‘drive by downloads’, a web site is taken over or set up by an attacker to host malware that may be disguised as something legitimate or useful. Victims visiting the site may be tricked in to downloading the malware, and become infected.
• Removable storage media: things like USB flash memory devices remain a means of ransomware spreading, something that Australian police warned residents of Melbourne about in 2016.

How can I protect against ransomware?

Here are five practical steps you can take to protect yourself against ransomware.

1. Make regular offline backups. If a system or data does become infected with ransomware, it may not be possible to clean it, and there’s no guarantee that paying the ransom will regain access. Restoring the data or the whole system from a recent backup is often the best option. A backup needs to be kept ‘offline’ (also called a ‘cold backup’) to prevent it from also being affected by the ransomware.
2. Use good anti-malware solutions. Some anti-malware products use a signature system to detect malware by comparing files against the ‘signatures’ of known malware: the malware has to be known in order to be detected. A zero-day attack is malware that exploits a vulnerability before it’s been patched, so isn’t known. Next generation anti-malware solutions use behaviour analytics to detect file-based malware and ‘fileless’ attacks, providing a stronger defence.
3. Keep systems up to date. 357 vulnerabilities were identified in Windows 10 in 2019. It isn’t just Microsoft either; 117 were discovered in macOS in 2019 too. Enabling automatic updates is a quick and easy way of reducing the attack surface.
4. Use least privilege. BeyondTrust, a US access management specialist, found that 97% of ‘Critical’ Microsoft vulnerabilities can be mitigated by ensuring the user that is logged in does not have ‘Admin’ rights. Where users need more privileges, two accounts should be set up: one with lower access for general use, and one with more power to be used only when required.
5. Increase user awareness. As the majority of ransomware, and malware in general, is spread via email, ensuring users are aware of risks and how to spot and avoid them helps to reduce the chance of infection.

What should I do if I’ve been infected by ransomware?

Most experts (including Think IT), agencies (including the FBI) and tech giants (including Microsoft) advise against paying a ransom. It does not provide assurance you or your organisation will get any data back, and it also encourages cyber-criminals to continue to target more victims.

However, if you need to recover legal, medical or important business records, irreplaceable family photos, or other important files, paying a charge of a few hundred pounds might seem like a viable option, and historically the majority of criminals do seem to unlock files after a ransom has been paid.

We have set out below a series of ‘incident management’ steps that can be taken in the event of a ransomware infection, assuming that you will not pay the ransom (or at least that the steps will be taken before deciding to pay the ransom).

1. Disconnect the device. Isolate the affected device as fully as possible. If the device is on a wired network, physically disconnect it. If the device is on a wireless network and has a physical switch, turn the switch to the off position or remove any physical network interface adapters; otherwise, turn on flight mode or equivalent. This is to prevent the infection from spreading to other devices locally, or to connected services (e.g. cloud storage).
2. Disconnect any critical systems. It might not be obvious at this stage whether the infection has spread to other devices, so isolating any important systems is a sensible precaution. If there are local servers or devices holding backups, take these offline as well to prevent infection while the initial incident management steps are performed. The quickest, though also highest impact step to take may be to turn off any Wi-Fi networks and disconnect the internet connection.
3. Photograph the ransom note. Use a smartphone or a digital camera to take a picture of the message(s) displayed on the screen. If you are able to screenshot the display, that is also useful (using the ‘PrntScrn’ button or equivalent). This is helpful when reporting to law enforcement and when attempting to determine the precise nature of the infection.
4. Contact law enforcement. Call Action Fraud (0300 123 2040 or https://www.actionfraud.police.uk/) without delay, and optionally also inform local Police (in some cases, support may be available).
5. Contact IT support. Explain the basic details of the issue and ask for immediate assistance. If you use Think IT, contact us by phone (01392 435803), email (support@thinkituk.com) or both.

At this stage in the incident response process, IT support may complete the remaining steps.

6. Check backups. This step comes before the remaining steps, as it helps to identify the options available for recovering from the infection. Confirm that a recent backup is available and it is free from malware. If there is confidence in the restoration process (i.e. it’s been tested), any issues with completing other remedial actions are less problematic.
7. Change passwords. How widely this is done depends on the extent of the infection, however as a minimum the passwords for the accounts of the users of the affected systems should be changed, and administrator and other system accounts should also. Ensure however that this does not prevent legitimate access to any systems needed in the recovery process.
8. Determine the ransomware variant. In some cases the ransomware will provide details about what specific ‘strain’ it is. If it doesn’t, tools like Crypto Sheriff from No More Ransom and ID Ransomware from MalwareHunterTeam allow information or even sample encrypted files to be uploaded to determine the specific infection and whether the system or data can be decrypted.
9. Check for decryption tools. No More Ransom also have decryption tools for various ransomware variants, so having determined the specific variant, it is worth checking their site to see if a tool is available that can reverse the encryption.
10. Attempt recovery. At this stage, sufficient information should have been gathered to enable one of several recovery options to be commenced.

a) Quick and secure: a solution like SentinelOne Endpoint Protection Platform includes a rollback feature that provides the ability to restore, with a single click, maliciously encrypted files to their previous good state. SentinelOne uses Volume Shadow Copy Service (VSS) on Windows systems, taking a snapshot every four hours by default and protecting snapshots from tampering.

b) Secure: if you don’t have a solution like SentinelOne, but you do have a recent backup, wipe the device and reinstall the operating system using ‘known good’ installation media (e.g. for Windows, a USB flash device that is free of malware). Once complete, update (or patch) the operating system, install anti-malware software, and restore files from backup (providing the backup is free of malware).

c) Non-invasive: if no recent backup is available, or the backup is also infected, it may be preferable to attempt to remove the infection and restore access (though note that this is not always possible).

• First, use a good anti-malware solution to clean the device. In most cases, doing this will not decrypt the files and may make recovery of them by paying the ransom impossible.
• Then, attempt to decrypt the files:
  • Some forms of ransomware make a copy of data, encrypt the copy, and then delete the originals. A tool like ShadowExplorer, or various paid-for tools like EaseUS Data Recovery Wizard, may be able to detect and restore deleted files.
  • Avast provide a number of ransomware decryption tools. The Free Ransomware Decryption Tool from Quick Heal can also decrypt files encrypted by various ransomware variants, including GandCrab, and the GIBON Ransomware Decryptor can be used with the GIBON ransomware.

If you need help with anything in this Insights article, contact us by phone (01392 435803), email (support@thinkituk.com) or both.