
What is Ransomware?

In this Knowledge Bank article, we take a closer look at Ransomware and how you, and essentially your business, can protect yourself from Ransomware attacks. Before we can dive deep into the world of Ransomware, however, we need to be on the same page about what ‘Ransomware’ is exactly.

What is Ransomware?

Ransomware is a malware variant that demands a ransom, in the form of a monetary payment, from the user who owns or operates the infected device (or environment) in order to regain access to the system and the files on it.

Ransomware characteristics:

  • Ransomware is known for its capability to encrypt data that is hosted on, or made accessible via, the infected device.
  • Ransomware is known for its aggressive behavior on the infected device: it attempts to encrypt data on the device and it often notifies the user that the device has become the victim of a ransomware attack.
  • Ransomware victims are forced to pay the ransom within a specific time frame.
  • Ransomware keeps evolving and exploits new vulnerabilities in the environment or its technologies.

History of Ransomware

CryptoLocker appeared in 2013 and introduced a new era of file-encrypting Ransomware. Over the last couple of years, we have seen various Ransomware variants used in attacks against unaware home users, businesses, health care institutions, and government organizations.

We have also seen various global operations that targeted cybercriminals; for example, the Tovar Operation focused on the takedown of the Gameover Zeus botnet, which was responsible for distributing the CryptoLocker Ransomware.

The analysis performed on the network concluded that 1.3% of those infected had paid the ransom demand. The Gameover Zeus gang was believed to have extorted about 3 million dollars.

The Tovar Operation did not end the Ransomware trend. Cybercriminals and criminal syndicates understood that Ransomware is a business model and that a lot of money can be earned with it, so it comes as no surprise that numerous Ransomware variants were created over the last couple of years.

A recent, and effective, example of Ransomware is the WannaCry pandemic (you can read more about the WannaCry Ransomware outbreak here) that took the world by storm on 12 May 2017. Or watch Cyber Security Expert Rickey Gevers go into the details of the WannaCry outbreak:

What are the different types of Ransomware?

Currently there are two types of Ransomware circulating on the web.

  • Crypto-Ransomware
    Crypto-Ransomware hunts down specific data on the targeted device. Once it has found the data, it encrypts it and follows up with a ransom demand, forcing the user to pay the ransom so the data can be restored.
  • Locker-Ransomware
    Locker-Ransomware tries to make the device itself inaccessible. Once it has successfully locked the device, it demands a ransom payment, forcing the user to pay the ransom so that access to the locked device can be restored.

Ransomware Variants

There are over 100 Ransomware variants, but here is a short list:

  • Cryptowall
  • Hydracrypt
  • Teslacrypt
  • Cerber
  • Cryptolocker
  • Locky
  • DMALOCKER
  • PayCrypt
  • FAKBEN
  • CTB-Locker

How Can You Protect Yourself Against Ransomware?

There is no silver bullet against Ransomware, but there are methods to make it more difficult for cybercriminals to infect your devices.

First of all, it is important to understand that the cybercriminal will try to pressure you into paying the ransom. They do this by encrypting your data, sending you messages that contain payment instructions, and displaying a deadline that increases the pressure to take action, where "action" could be paying the ransom or reinstalling the device and its contents.

So, in order to make it difficult for them, we need to focus on the things that provide a first line of defense:

  • Increase Awareness
    If you receive an email with an attachment or link and you feel uncertain about its content, contact someone in your IT department who has knowledge of malware and malicious threats. They can help you determine whether what you received is legitimate or malicious.
  • Patch and Update
    Patching and updating your systems is critical. Cybercriminals abuse vulnerabilities in both hardware and software to penetrate environments. WannaCry Ransomware was successful because a lot of environments failed to update or patch their operating systems. Be a step ahead, and patch and update whenever you can.
  • Create Back-ups
    It is also important to back up important files to an external device that is not connected to the web or to any other system. This adds a layer of protection to any data and information you don’t want falling into the hands of cybercriminals or criminal organizations.
  • Anti-Virus Software
    Make sure that you use an updated antivirus product on the device(s) that you own or manage. Anti-virus products can identify malicious behavior on the computer, and the identification of any malicious behavior can make potential Ransomware infection unsuccessful.
  • Disable Macros
    Macros are pieces of code that can perform unwanted actions, so it is wise to disable macros in your document editors, as this decreases the likelihood of a Ransomware infection. Cybercriminals often send documents with malicious macros to their targets in the hope that the target will execute the macro (the piece of code); the code then performs unwanted actions (e.g. downloading and launching the Ransomware).

The Ransomware picture shows how the cybercriminal tries to lure the victim into enabling the content (macros) by claiming that the document needs to be adjusted to meet the version requirements that the victim is using:

[Image: a lure document asking the victim to "enable content" (macros)]

Your second line of defense against Ransomware:

Anti-Ransomware Software
The security industry keeps track of Ransomware, and some security solution providers have crafted anti-Ransomware software that is installed on the device. This software is capable of detecting specific Ransomware behavior, which gives the user a chance to stop the Ransomware attack or take other appropriate actions.

It is important to keep in mind that Ransomware will continue to evolve, so the protection provided by anti-Ransomware software remains effective only until the Ransomware evolves past it.
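The "specific Ransomware behavior" such software looks for is, at its simplest, one process rewriting many files with encrypted-looking content in a short time. The following is an added illustration of that detection logic (not RedSocks code, not any product's implementation); the file-write event stream, the process IDs and the file paths are constructed sample data.

```python
import hashlib
import math
from collections import defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

class BurstEncryptionDetector:
    """Alert when one process writes >= threshold high-entropy files within window_sec."""
    def __init__(self, window_sec=10.0, threshold=5, min_entropy=7.0):
        self.window_sec, self.threshold, self.min_entropy = window_sec, threshold, min_entropy
        self.recent = defaultdict(deque)  # pid -> (timestamp, path) of recent high-entropy writes

    def observe(self, ts: float, pid: int, path: str, data: bytes) -> bool:
        """Feed one write event; return True if this event first pushes pid over the threshold."""
        if shannon_entropy(data) < self.min_entropy:
            return False  # plaintext-looking write, e.g. a user saving a document
        q = self.recent[pid]
        q.append((ts, path))
        while ts - q[0][0] > self.window_sec:  # drop writes that fell out of the window
            q.popleft()
        return len(q) == self.threshold  # fire once, when the threshold is first crossed

# Constructed sample data: deterministic pseudo-random bytes stand in for ciphertext.
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
PLAINTEXT = b"Quarterly report: revenue grew, costs fell, outlook stable. " * 40

# Constructed event stream (timestamp, pid, path, data): pid 1000 is a word processor
# saving one document; pid 4242 rewrites six documents as .locked files in six seconds.
EVENTS = [(0.0, 1000, "C:/Users/a/report.docx", PLAINTEXT)] + [
    (1.0 + i, 4242, f"C:/Users/a/file{i}.docx.locked", CIPHERTEXT) for i in range(6)
]

def detect(events=EVENTS, **kw):
    """Return [(timestamp, pid)] for every event that trips the detector."""
    det = BurstEncryptionDetector(**kw)
    return [(ts, pid) for ts, pid, path, data in events if det.observe(ts, pid, path, data)]
```

A real product would add more signals (extension changes, ransom-note drops, deleted shadow copies), which is also why such heuristics need updating as the Ransomware changes its behavior.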

Hardening the Devices
There are many techniques that can be used to harden a device against unwanted actions. Policies and access control can make a real difference in protecting against Ransomware attacks. For example, if the user is not allowed to run encryption processes, it will be very hard for the Ransomware to carry out a successful infection.

How does RedSocks Security fight Ransomware?

The RedSocks Malware Intelligence team has set up dozens of labs that analyze local malware behavior and network malware behavior. These labs are maintained daily and remain under active development to increase the detection and analysis ratio of the malware seen in our labs.

For example, we analyze up to one million malware samples per day and focus on the countries in which our clients are based.

Gathering Cyber Threat Intelligence

The RedSocks Malware Intelligence Team is always on the hunt for additional information that can be translated into detection rules. To make this as effective as possible, we have set up our labs, but we also perform Open Source Intelligence hunting and make use of paid intelligence feeds. We also collaborate with CERTs, meaning that we both provide and gather intelligence.

We also perform behavior analysis, making it possible for us to create patterns that can be used to trigger alerts in the Malicious Threat Detection appliance.

Creating Blocklists

The intelligence held by the RedSocks Malware Intelligence Team can be used directly to mitigate and avoid Ransomware infections. As we are working towards a more secure planet, we have decided to share our Ransomware intelligence with you in the form of a Ransomware blocklist.

The blocklists can be implemented directly in your security environment, and the great part about it is that this intelligence is completely free.
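One way to put such a blocklist to work is to match it against proxy or DNS logs and raise an alert for every client that contacted a listed domain or IP. The example below is added here and is not RedSocks code; the blocklist format (one domain, IP or CIDR per line, '#' comments), the log line layout and every indicator and address in it are constructed placeholders, not real IoCs.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed blocklist: domains, single IPs and CIDR ranges, one per line.
BLOCKLIST_TEXT = """
# constructed Ransomware C2 indicators (placeholders, not real IoCs)
payment-portal.example
c2.evil.example
198.51.100.0/24
203.0.113.7
"""

# Constructed proxy log lines: "<timestamp> <client_ip> <dest_host> <dest_ip> <status>"
LOG_LINES = [
    "2017-05-12T10:01:02Z 10.0.0.5 www.example.org 93.184.216.34 200",
    "2017-05-12T10:01:09Z 10.0.0.5 update.c2.evil.example 198.51.100.23 200",
    "2017-05-12T10:02:41Z 10.0.0.8 cdn.example.net 203.0.113.7 200",
    "2017-05-12T10:03:00Z 10.0.0.9 payment-portal.example 192.0.2.10 404",
]

def parse_blocklist(text: str) -> Tuple[set, list]:
    """Split a blocklist into a set of domains and a list of IP networks."""
    domains, networks = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))  # IP or CIDR
        except ValueError:
            domains.add(line.lower().rstrip("."))                     # otherwise a domain
    return domains, networks

def domain_listed(host: str, domains: set) -> bool:
    """True if the host or any parent domain is listed (subdomains of a listed C2 count)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def ip_listed(ip: str, networks: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def scan_logs(lines=LOG_LINES, blocklist_text=BLOCKLIST_TEXT) -> List[Dict[str, str]]:
    """Return one alert per log line whose destination host or IP is on the blocklist."""
    domains, networks = parse_blocklist(blocklist_text)
    alerts = []
    for line in lines:
        ts, client, host, dest_ip, _status = line.split()
        reasons = [f"domain:{host}"] if domain_listed(host, domains) else []
        if ip_listed(dest_ip, networks):
            reasons.append(f"ip:{dest_ip}")
        if reasons:
            alerts.append({"time": ts, "client": client, "match": ",".join(reasons)})
    return alerts
```

Matching parent domains and CIDR ranges is what makes a blocklist useful beyond exact hits; the client IP in each alert is the machine that needs to be isolated and examined.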

Need some help? Get in touch with the RedSocks Malware Intelligence Team via osint@redsocks.nl.
