How Does Ransomware Spread?
Ransomware is most widely spread via spam email. The message either carries an attachment disguised as a legitimate file or includes a link to a malicious URL in the body. In the attachment case, the ransomware is activated as soon as the attachment is opened and, within seconds, the computer starts encrypting files.
If the attack vector is a link, the user is taken to a web page from which the ransomware is delivered to the computer without the user's knowledge. Malicious programs and pages also use exploit kits to probe the computer's operating system or installed software for security vulnerabilities that can be used to deliver and activate the ransomware. Cyber criminals may also reuse existing exploits, as seen in the recent WannaCry attack, which took advantage of a well-documented Windows vulnerability targeted by the EternalBlue exploit.
High-Profile Ransomware Attacks
CryptoWall is a later variant of CryptoLocker that operates in the same way. Its most serious attack occurred in Australia at the end of 2014, when phishing emails with malicious links purporting to come from government agencies were used to distribute the malware. To evade security products, the malicious actors placed a CAPTCHA form in front of the malware download.
Locky was first detected at the beginning of 2016 and was typically delivered by email as an invoice attachment. When the Word or Excel file was opened, the user was asked to enable macros in order to display the invoice. Enabling macros ran an executable that downloaded the actual ransomware. Local and network files were then encrypted and renamed with a .lock extension.
To unlock the files, victims had to visit a website and download a browser with which they could reach the malicious actor's payment site. The payment demanded typically ranged from half a bitcoin to one bitcoin. Locky was one of the first ransomware attacks to gain wider public media attention, after a U.S.-based hospital had its patient data encrypted and paid to recover its files.
WannaCry reached the headlines in May 2017, when 400,000 infected computers were identified worldwide. Both public and private organizations were significantly affected, including the UK National Health Service, a Spanish telephone firm, and the largest German bank. Luckily, thanks to a security researcher who found a kill switch in the ransomware, the attack was stopped within a few days.
The attack was launched and spread through a known Windows security vulnerability (the one targeted by EternalBlue). Although a security patch had been available for several months, many organizations had not yet installed it.
NotPetya, a variant of the Petya ransomware, came quickly on the heels of WannaCry in June 2017 and first surfaced in Ukraine. Delivered as a PDF email attachment, it spread using the same EternalBlue vulnerability as WannaCry. Again, public and private organizations around the globe were impacted, including a major U.S. pharmaceutical company, a multinational law firm, and the UK's largest advertising firm. Unlike other ransomware, Petya infects the computer's master file table rather than encrypting individual files. It has been speculated that this attack was intended more to cause disruption in Ukraine than to make money.
Reducing the Risk of Ransomware Impacting Your Business
Educate the weakest link. The vast majority of ransomware requires someone to take an action that activates the payload, so it is important to educate employees about how to recognize and defend against cyber attacks. Many threats use email and social engineering techniques to manipulate employees into downloading malware or disclosing their username and password, so training should focus on these common attack vectors. Exercises in which employees are sent simulated phishing emails are effective in coaching users to distinguish genuine supplier communication from a phishing email with the subject line “Invoice Attached - Please Open.”
Patch, patch, patch. Then patch it again. As demonstrated by the recent WannaCry and Petya attacks, failing to implement a rigorous approach to patching known security vulnerabilities can leave an enterprise exposed. Even months after the EternalBlue vulnerability was exploited in the WannaCry and NotPetya attacks, it is estimated that at least 38 million PCs remain unpatched. It is relatively simple for cyber criminals to identify unpatched devices and software on an enterprise network and, once identified, to take advantage of their known vulnerabilities.
Back up your data, and back up your backup. This might sound obvious, but ransomware will encrypt backups saved on network servers, so companies need to review their current approach to backups. Are employees backing up important files to a network drive? Are those devices and file servers in turn backed up to a cloud backup service? Are you testing whether the backups can actually be restored? That way, even if ransomware encrypts all local data and backups, the organization can still recover quickly with minimal business impact.
Make it harder for the bad guys: have multiple layers of defense. Cybercriminals spend huge amounts of time and money developing ever more sophisticated forms of advanced malware designed to bypass a company's security defenses. Relying on a single layer of security against this evolving barrage is not best practice. Using several layers of protection ensures that if one layer does not block an attack, additional layers can still mitigate the threat. So, what layers of protection does the organization actually have in place? Do you have different security solutions to help mitigate risk at each stage of an attack? Are there existing security holes that malicious actors can exploit?
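The Locky delivery chain described above (an invoice-themed lure carrying a macro-enabled Office attachment) can also be caught at the mail gateway as a technical layer alongside user training. The following Python script is an added example, not code from the original article: it constructs a sample message in memory, checks whether an attachment's Office Open XML package contains a VBA project, and combines that with the subject-line lure. The MACRO_PARTS set and the LURE_SUBJECT pattern are assumptions to tune for your own mail flow.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Package parts that carry VBA code in an Office Open XML document or workbook.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Invoice-themed lure phrasing (constructed pattern, tune to your own mail flow).
LURE_SUBJECT = re.compile(r"\binvoice\b.*\b(attached|open)\b", re.IGNORECASE)

def office_has_macros(data: bytes) -> bool:
    """True if the attachment is an OOXML package that embeds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name in MACRO_PARTS for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML (PDF, legacy .doc, plain binary): out of scope here

def triage_email(raw: bytes) -> dict:
    """Score one RFC 822 message on the Locky pattern: lure subject + macro attachment."""
    msg = message_from_bytes(raw)
    findings = {"subject_lure": bool(LURE_SUBJECT.search(msg.get("Subject", ""))),
                "macro_attachments": []}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment" or not part.get_filename():
            continue
        if office_has_macros(part.get_payload(decode=True) or b""):
            findings["macro_attachments"].append(part.get_filename())
    # Quarantine when both signals fire; either alone only warrants a warning banner.
    findings["quarantine"] = findings["subject_lure"] and bool(findings["macro_attachments"])
    return findings

def build_sample_email(with_macro: bool) -> bytes:
    """Constructed test message with a minimal .docm-style attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")  # stand-in for a VBA blob
    msg = EmailMessage()
    msg["Subject"] = "Invoice Attached - Please Open"
    msg["From"] = "billing@example.com"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    return msg.as_bytes()
```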
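One way to turn "are you testing whether the backups can be restored?" into a routine check, as an added example that is not part of the original article: record a hash manifest at backup time, then verify a restored copy against it, reporting files that vanished (renamed with a new extension, as Locky did) and files whose content changed and now looks like ciphertext. The file names, the 7.5 bits/byte entropy threshold, and the simulated attack in demo() are constructed assumptions.

```python
import hashlib, json, math, os, tempfile
from collections import Counter
from pathlib import Path

def sha256_of(path: Path) -> str:
    # Stream so large backup images are not loaded into memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: ciphertext sits near 8.0, ordinary documents well below.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def write_manifest(backup_root: Path, manifest: Path) -> None:
    # At backup time, record relative path -> sha256 for every file.
    entries = {str(p.relative_to(backup_root)): sha256_of(p)
               for p in sorted(backup_root.rglob("*")) if p.is_file()}
    manifest.write_text(json.dumps(entries, indent=2))

def verify_restore(restore_root: Path, manifest: Path) -> dict:
    # Restore test: each manifest entry must exist with its original hash. A missing
    # file was likely renamed; a changed file near 8 bits/byte was likely encrypted.
    expected = json.loads(manifest.read_text())
    report = {"missing": [], "modified": [], "probably_encrypted": []}
    for rel, digest in expected.items():
        p = restore_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != digest:
            report["modified"].append(rel)
            if shannon_entropy(p.read_bytes()) > 7.5:
                report["probably_encrypted"].append(rel)
    report["restorable"] = not (report["missing"] or report["modified"])
    return report

def demo() -> dict:
    # Constructed scenario: two files are backed up, then ransomware "encrypts" one
    # and renames the other on the backup share before the restore test runs.
    root = Path(tempfile.mkdtemp()) / "backup"
    root.mkdir()
    (root / "ledger.csv").write_text("id,amount\n1,10\n2,20\n")
    (root / "notes.txt").write_text("quarterly notes " * 20)
    write_manifest(root, root.parent / "manifest.json")
    (root / "ledger.csv").write_bytes(os.urandom(4096))   # overwritten with random bytes
    (root / "notes.txt").rename(root / "notes.txt.lock")  # renamed, original path gone
    return verify_restore(root, root.parent / "manifest.json")
```

A manifest kept on the same share as the backups can itself be encrypted, so store it with the offline or cloud copy.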