Cybersecurity - Ransomware
Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.
How Ransomware Works
There are a number of vectors ransomware can take to access a computer. One of the most common delivery systems is phishing spam — attachments that come to the victim in an email, masquerading as a file they should trust. Once they're downloaded and opened, they can take over the victim's computer, especially if they have built-in social engineering tools that trick users into allowing administrative access. Some other, more aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without needing to trick users.
There are several things the malware might do once it’s taken over the victim's computer, but by far the most common action is to encrypt some or all of the user's files
How to Prevent Ransomware
- Keep your operating system patched and up-to-date to ensure you have fewer vulnerabilities to exploit.
- Don't install software or give it administrative privileges unless you know exactly what it is and what it does.
- Install antivirus software, which detects malicious programs like ransomware as they arrive, and whitelisting software, which prevents unauthorized applications from executing in the first place.
- And, of course, back up your files, frequently and automatically! That won't stop a malware attack, but it can make the damage caused by one much less significant.
- CryptoLocker, a 2013 attack, launched the modern ransomware age and infected up to 500,000 machines at its height.
- TeslaCrypt targeted gaming files and saw constant improvement during its reign of terror.
- SimpleLocker was the first widespread ransomware attack that focused on mobile devices
- WannaCry spread autonomously from computer to computer using EternalBlue, an exploit developed by the NSA and then stolen by hackers.
- NotPetya also used EternalBlue and may have been part of a Russian-directed cyberattack against Ukraine.
- Locky started spreading in 2016 and was "similar in its mode of attack to the notorious banking software Dridex." A variant, Osiris, was spread through phishing campaigns.
- Leatherlocker was first discovered in 2017 in two Android applications: Booster & Cleaner and Wallpaper Blur HD. Rather than encrypt files, it locks the home screen to prevent access to data.
- Wysiwye, also discovered in 2017, scans the web for open Remote Desktop Protocol (RDP) servers. It then tries to steal RDP credentials to spread across the network.
- Cerber proved very effective when it first appeared in 2016, netting attackers $200,000 in July of that year. It took advantage of a Microsoft vulnerability to infect networks.
- BadRabbit spread across media companies in Eastern Europe and Asia in 2017.
- SamSam has been around since 2015 and targeted primarily healthcare organizations.
- Ryuk first appeared in 2018 and is used in targeted attacks against vulnerable organizations such as hospitals. It is often used in combination with other malware like TrickBot.
- Maze is a relatively new ransomware group known for releasing stolen data to the public if the victim does not pay to decrypt it.
- RobbinHood is another EternalBlue variant that brought the city of Baltimore, Maryland, to its knees in 2019.
- GandCrab might be the most lucrative ransomware ever. Its developers, which sold the program to cybercriminals, claim more then $2 billion in victim payouts as of July 2019.
- Sodinokibi targets Microsoft Windows systems and encrypts all files except configuration files. It is related to GandCrab
- Thanos is the newest ransomware on this list, discovered in January 2020. It is sold as ransomware as a service, It is the first to use the RIPlace technique, which can bypass most anti-ransomware methods.