What is Ransomware?

Contributions by Michael Roza and Vince Campitelli

Ransomware is a rapidly growing problem that has increased 715% year-over-year, according to the latest Threat Landscape Report 2020 by Bitdefender (Bitfinder, 2020). Ransomware is highly profitable, which has made it the fastest growing malware threat. The average ransomware payment is $233,817, and many high profile payments cost companies millions.

With the increased use of public clouds over recent years, many enterprise organizations have started adding cloud computing as a crucial part of their IT strategies. Due to the nature of public cloud, where the underlying infrastructure is secured and managed by the cloud service provider, many customers incorrectly assume that the threat of ransomware in the cloud is less than in a private data center (Netapp, 2020). However, cloud services rely on the synchronization of data, and if ransomware encrypted data enters the synchronization process, data will run the risk of being propagated in the cloud. At this point, cloud applications become complicit in spreading the malware. Therefore, while data in cloud storage is not immune to ransomware, cloud storage can still offer a significant advantage with data protection due to the number of flexible recovery options.

What is ransomware?

Ransomware is a form of malware used by an attacker to encrypt a victim’s data and demand a ransom for the encryption key, which allows the victim access to their data.

There are two general classes of ransomware:

1. Those that encrypt files and deny access to them
2. Those that incapacitate the device

Ransomware is typically delivered through exploits, associated with website advertisements containing malware, or through phishing campaigns. After delivery, ransomware identifies the files and data to be encrypted through an embedded file extension list. Files that match one of the listed file extensions are then encrypted, and other file types are left alone. After encryption, the ransomware leaves a notification for the user, with instructions on paying the ransom.

7 stages to a ransomware attack

A ransomware attack has a very familiar pattern. There are seven stages to the attack.

1. Reconnaissance. The main goal of this stage is to pinpoint the weaknesses in the target system.
2. Delivery and execution. This is when the malware is delivered and the execution begins. Persistence is also established in this stage.
3. Exploitation and infection. In this stage, the attacker finalizes an attack plan and infects the target machine after the preliminary survey. The target is infected with the ransomware, but the files are not yet encrypted.
4. Scanning and backup spoliation. The ransomware scans the system for important files to encrypt and removes the backup files and folders or waits until the backup synchronization infects the backups.
5. File encryption. The ransomware encrypts the selected files.
6. User notification and cleanup. The ransomware cleans up the system to eliminate evidence. Victims are notified and given a few days to pay before the price goes up.
7. Payment process. If done right, the ransomware attack is timed for maximum impact on the business to force payment. Payment is made with Bitcoin to make tracking difficult (Kumar & Ramlie, 2021).

Traditional backups don’t solve ransomware infections

Gone are the days when quickly restoring a backup tape will solve a ransomware infection. A problem with the traditional backup is that the backup server can be rapidly infected by time-delayed ransomware due to the cyclical nature of backup processes. A ransomware cyberattack can be delayed, thus ensuring that all backup systems are also infected. Sometimes it can take a significant period for companies to recognize that they were hacked. During that time, backups are overwritten with malware or ransomware, infecting the backups. After a predetermined period, the hacker triggers the ransomware, and the company has no way to repair the files. At the same time, the ransomware starts looking for additional areas it can infect with the intent of infecting associated public cloud repositories while also deleting all backups (Tolson, 2020).

Exfiltrating data

To inhibit the user from choosing not to pay, attackers are now exfiltrating data before encrypting it. If the victim doesn’t pay, the attacker then threatens to post the data on the Internet. Additionally, in a recent twist, attackers have started calling customers to pressure the business to pay quickly. Remember there is no honor among thieves. An attacker will usually provide the decryption key for the files if the victim pays the ransom; however, there have been incidents in which the attacker never could decrypt the files.

Ransomware continues to evolve and become more sophisticated, offering better encryption and new features (Metivier, 2019). Ransomware has become so profitable that there is now ransomware as a service (RaaS). RaaS is a platform designed so that anyone can conduct a ransomware attack. It is a user-friendly platform that enables an attacker to simply pick a victim, set the ransom, select a payment deadline, provide a bitcoin wallet, and deploy the attack.

The attack vectors for ransomware are either social or physical engineering and will usually include one of the following:

1. Phishing: Phishing uses email to get users to click on a link or open an attachment that carries the malicious code.
2. SMSishing: SMSishing uses text messages to prompt the users to go to a website. Some SMSishing ransomware attempts to propagate by sending itself to all contacts in the device’s contacts list.
3. Vishing: Vishing uses voicemail to deceive the user. The voicemail recipient is instructed to call a number. The voicemail takes the user through several steps to correct a fictitious problem, including entering credentials and downloading malware.
4. Social Media: Social media can be used to get the user to download an image containing malware.
5. Instant Messaging: Instant messaging can be hacked and used to distribute malware to the user’s contact list.

In addition to the social engineering aspect, there are also the physical attack vectors. Physical attacks are normally machine to machine and require very little user intervention. Physical attacks include the following types:

1. Drive-by: The only requirement is for the user to open a webpage that contains malicious code.
2. System Vulnerabilities: These can be exploited to break into the system and install malware.
3. Malvertising: In this type of attack, malware is inserted into ads that the user clicks on, then downloading malware (Singh, 2019).

Interested in learning more?

Read our paper on Ransomware in the Healthcare Cloud. Written specifically with healthcare delivery organizations in mind, the information it covers is also applicable if you’re interested in ransomware in general.