What is Ransomware?
Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim, promising to restore access to the data upon payment.
Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin.
- Inventory your assets.
In order to protect yourself against a ransomware infection, you first need to know what hardware and software assets are connected to the network. Active discovery can help, but it will not uncover assets deployed by personnel from other departments. Acknowledging this shortcoming, you should embrace passive discovery as a means of building a comprehensive asset inventory as well as keeping that list of connected hardware and software up to date.
- Personalize your anti-spam settings the right way.
Most ransomware variants are known to spread via eye-catching emails that contain malicious attachments. Some of these attachments might involve Word documents or other file formats that are commonly used in your organization. But some might arrive in a format that’s rarely if ever used. You can therefore configure your mail server to block those attachments. (File extensions like .EXE, .VBS or .SCR are some common examples.)
- Refrain from opening attachments that look suspicious.
This doesn’t just apply to messages sent by unfamiliar people. It also pertains to senders who you believe are your acquaintances. Phishing emails may masquerade as notifications from a delivery service, an e-commerce resource, a law enforcement agency or a banking institution.
- Avoid giving out personal information.
Malicious actors need to get your information from somewhere if they hope to send you a phishing email that secretly harbors ransomware as its payload. Sure, they might get that information from a data breach that’s been published on the dark web. But they could just get it using OSINT techniques by rifling through your social media posts or public profiles for key pieces of information. With that said, it’s important to not overshare online and to generally avoid giving out identifying pieces of personal information unless it’s absolutely necessary.
- Think twice before clicking.
It’s possible to receive dangerous hyperlinks via social networks or instant messengers. More often than not, digital criminals compromise someone’s account and then send out bad links to their entire contact lists. That explains why the sender of a bad link could be someone you trust such as a friend, colleague or family member. Don’t click on a suspicious link regardless of who it comes from. If you’re unsure whether the contact intended to send you the link to your attention, use an alternate means of communication to reach out to them and verify.
- Educate your Users.
The best practices discussed above highlight the need to educate your users about some of the most common types of phishing attacks that are in circulation. To do this, you should invest in cultivating your security culture via ongoing security awareness training of your entire workforce. This program should use phishing simulations to specifically test employees’ familiarity with phishing tactics.
- Use the Show File Extensions feature.
Show File Extensions is a native Windows functionality that allows you to easily tell what types of files are being opened so that you can keep clear of potentially harmful files. This is useful for when fraudsters attempt to utilize a confusing technique where one file looks like it has two or more extensions, e.g., cute-dog.avi.exe or table.xlsx.scr. Pay attention to tricks of this sort.
- Patch and keep your software up to date.
In the absence of a patch, malicious actors can exploit a vulnerability in your operating system, browser, antivirus tool or other software program with the help of an exploit kit. These threats contain exploit code for known vulnerabilities that enable them to drop ransomware and other malicious payloads. As such, you need to make sure that your vulnerability management covers all of your connected software assets so that your security professionals can prioritize their remediation and mitigation efforts accordingly.
- Instantly disable the web if you spot a suspicious process on your computer.
This technique is particularly effective at an early stage of the attack. Most ransomware samples need to establish a connection with their command and control (C&C) servers in order to complete their encryption routine. Without access to the Internet, the ransomware will sit idle on an infected device. Such a scenario gives you the ability to remove the malicious program from an infected computer without needing to decrypt any data.
- Only download from sites you trust.
Trust plays an important role in preventing a ransomware infection. Just as you should try to stop any untrusted processes from running on your computer, you should also try to authorize downloads from only locations you trust. Those include websites that use “HTTPS” in the address bar as well as official app marketplaces for your mobile device(s).
- Add applications to Allowed Lists.
Speaking of trust, it’s important to not install applications that could introduce risk into your environment. You should add applications to an allowed list as a means of approving which programs your systems can execute, as per your organization’s security policies.
- Keep the Windows Firewall turned on and properly configured at all times.
The Windows Firewall can help protect your PCs against instances of unauthorized access such as a ransomware actor attempting to infect your machines. You can learn more about the Windows Firewall on Microsoft’s website.
- Use the principle of least privilege.
Firewalls help to review your North-South traffic in an effort to prevent malicious actors from infiltrating the network. These solutions are less effective at scanning East-West traffic for signs of lateral movement, however. As such, you should consider implementing the principle of least privilege by reviewing the levels of control and the instances of write access that you’re doling out. This will deter ransomware actors from using a compromised account to move through your network.
- Adjust your security software to scan compressed or archived files.
Many ransomware actors think they can get by your email filters by hiding their payloads within attachments containing compressed or archived files. You therefore need tools that are capable of scanning those types of files for malware.
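The three mail-side controls above (blocking rarely used attachment types, catching the double-extension trick such as cute-dog.avi.exe or table.xlsx.scr, and looking inside compressed attachments) can be expressed as one inspection routine. The following is an added example, not code from the original page or from any mail product: it parses a raw message with Python’s standard `email` and `zipfile` modules, applies the extension rules to every attachment and to every member name inside a zip, and opens zips by magic bytes as well as by name so a renamed archive is still inspected. The blocked-extension set extends the page’s .EXE/.VBS/.SCR with a few other directly executable types (an assumption), and the sample message is constructed here.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions to refuse outright. The page names .EXE, .VBS and .SCR; the rest are
# assumed additions covering other directly executable or script file types.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every zip archive


def split_extensions(filename):
    """All dotted suffixes of a name, lower-cased: 'cute-dog.avi.exe' -> ['.avi', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_filename(name, where="attachment"):
    """Findings for one file name: a blocked final extension, plus a separate finding
    when that extension hides behind a benign-looking one (table.xlsx.scr)."""
    exts = split_extensions(name)
    findings = []
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        findings.append(f"{where} '{name}': blocked extension {exts[-1]}")
        if len(exts) > 1:
            findings.append(f"{where} '{name}': double extension hides {exts[-1]} behind {exts[-2]}")
    return findings


def inspect_zip(name, data):
    """Apply the same rules to every member name of a zip attachment. Member names
    are readable even when the archive contents are password-protected."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return [f"attachment '{name}': looks like a zip but cannot be parsed"]
    findings = []
    for member in members:
        findings.extend(inspect_filename(member, where=f"zip '{name}' member"))
    return findings


def inspect_message(raw):
    """Parse a raw RFC 5322 message and return findings for all of its attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings.extend(inspect_filename(name))
        # Check magic bytes as well as the name so a zip renamed to .pdf is still opened.
        if name.lower().endswith(".zip") or data.startswith(ZIP_MAGIC):
            findings.extend(inspect_zip(name, data))
    return findings


def build_sample_message():
    """Constructed sample (not a real captured mail): a phishing-style message with a
    double-extension executable, a zip hiding a .scr, and one harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00 fake executable", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("table.xlsx.scr", b"fake screensaver payload")
        zf.writestr("readme.txt", b"harmless text")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="documents.zip")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="real.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print(finding)
```

Run against the constructed message, the routine reports four findings: two for invoice.pdf.exe (blocked extension and double extension) and two for the table.xlsx.scr member inside documents.zip; real.pdf and readme.txt pass. A real deployment would hook this into the mail transfer agent’s content filter and quarantine rather than print.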
- Use strong spam filters and authenticate users.
Aside from having the ability to scan compressed or archived files, you need strong spam filters that are capable of preventing phishing emails from reaching users in general. You should also use technologies such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) to prevent malicious actors from using email spoofing techniques.
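Publishing SPF, DKIM and DMARC records only helps if the records are strict enough to make spoofed mail fail. The following added example (not code from the original page) checks the three record types for the weak settings a practitioner most often finds: an SPF record ending in `+all` or with too many DNS-lookup terms, a DMARC record with `p=none`, a partial `pct` or no reporting address, and a DKIM selector record with an empty or short RSA key. The records are constructed strings for a fictitious domain; in a real audit they would be fetched from DNS TXT records, which is outside this example. The DER-length cutoff used to spot keys shorter than 2048 bits is a heuristic.

```python
import base64
import re

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 limits these to 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split a DMARC/DKIM style 'k=v; k=v' record into a dict with lower-cased keys."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    issues = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("SPF: no 'all' mechanism, so unlisted hosts get a neutral result")
    elif all_terms[-1][0] not in "-~":  # a bare 'all' means '+all'
        issues.append(f"SPF: '{all_terms[-1]}' permits any host to send as the domain; use -all (or ~all)")
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:/=]", t.lower().lstrip("+-~?"))[0] in LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"SPF: {lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return issues


def assess_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    issues = []
    p = tags.get("p", "").lower()
    if p not in ("quarantine", "reject"):
        issues.append(f"DMARC: p={p or '(missing)'} does not block spoofed mail; use quarantine or reject")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"DMARC: pct={tags['pct']} applies the policy to only a fraction of messages")
    sp = tags.get("sp")
    if sp and sp.lower() not in ("quarantine", "reject"):
        issues.append(f"DMARC: sp={sp} leaves subdomains open to spoofing")
    if "rua" not in tags:
        issues.append("DMARC: no rua= address, so aggregate reports of spoofing attempts are never received")
    return issues


def assess_dkim(record):
    tags = parse_tags(record)
    issues = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v is optional but must be DKIM1 if present
        issues.append("DKIM: v tag present but is not DKIM1")
    key = "".join(tags.get("p", "").split())  # DNS may split long keys across strings
    if not key:
        issues.append("DKIM: empty or missing p= means the selector's key is revoked; signatures will fail")
    elif tags.get("k", "rsa").lower() == "rsa":
        der_len = len(base64.b64decode(key))
        if der_len < 250:  # heuristic: a 2048-bit RSA SubjectPublicKeyInfo is about 294 bytes
            issues.append(f"DKIM: RSA key DER is {der_len} bytes, shorter than a 2048-bit key")
    return issues


def assess_email_auth(spf, dmarc, dkim):
    """All issues for a domain's SPF, DMARC and DKIM records, in that order."""
    return assess_spf(spf) + assess_dmarc(dmarc) + assess_dkim(dkim)


# Constructed records for a fictitious domain; not real DNS data.
WEAK_SPF = "v=spf1 include:_spf.example.invalid +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
WEAK_DKIM = "v=DKIM1; k=rsa; p="
STRONG_SPF = "v=spf1 mx include:_spf.example.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.invalid"
STRONG_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30" * 294).decode()

if __name__ == "__main__":
    for issue in assess_email_auth(WEAK_SPF, WEAK_DMARC, WEAK_DKIM):
        print(issue)
    print("strong set:", assess_email_auth(STRONG_SPF, STRONG_DMARC, STRONG_DKIM) or "no issues")
```

The weak set produces five issues (one SPF, three DMARC, one DKIM) and the strong set none. Moving from `p=none` to `p=reject` is the step that actually stops spoofed mail, so it is worth doing only after the `rua` reports show that all legitimate senders pass SPF or DKIM alignment.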
- Disable Windows Script Host.
Some malicious actors use .VBS files (VBScript) to run ransomware on an infected computer. You should disable Windows Script Host to block malware from using this file type.
- Disable Windows PowerShell.
PowerShell is a task automation framework that’s native to Windows computers. It consists of a command-line shell and a scripting language. Nefarious individuals commonly use PowerShell to execute ransomware from memory, helping to evade detection by traditional anti-virus solutions. You should therefore consider disabling PowerShell on your workstations if you have no legitimate use for the framework.
- Enhance the security of your Microsoft Office apps.
Nefarious individuals have a penchant for using weaponized Microsoft files to distribute their malicious payloads. These files commonly use macros and ActiveX, in particular. Acknowledging this fact, you should disable macros and ActiveX to keep malicious code from being executed on the Windows PC.
- Install a browser add-on to block pop-ups.
Pop-ups serve as a common entry point for malicious actors to launch ransomware attacks. You should therefore look into installing browser add-ons to stop pop-ups in their tracks.
- Use strong passwords.
In the presence of a weak password, malicious actors could brute force their way into a system or account. They could then leverage that access to conduct secondary attacks or move laterally throughout the network for the purpose of deploying ransomware. That’s why you should use and enforce strong, unique passwords for all accounts.
- Deactivate AutoPlay.
AutoPlay is a Windows feature that allows users to instantly run digital media like USB drives, memory sticks and CDs. Malicious actors could use these types of devices to sneak ransomware onto your computer. In response, you should disable this feature on all workstations.
- Don’t use unfamiliar media.
It’s one thing for malicious actors to compromise an organization’s supply chain and send out trojanized media devices. It’s another thing to willingly plug an unfamiliar device into your computer. You never know what could be hiding on a USB drive or CD that’s not yours. You should therefore avoid using these types of media unless you’ve purchased them from a reputable provider.
- Make sure you disable file sharing.
You don’t want to give attackers any way to infect multiple machines in your environment. That’s why you should disable file sharing. In the event of a ransomware attack, the crypto-malware will stay isolated on your machine and won’t spread to other assets.
- Disable remote services.
The Remote Desktop Protocol can be leveraged by black hat hackers to expand the attack surface and gain a foothold into your network. To curb this threat, you should disable remote services. Doing so will help to close one vector for remote attacks.
- Switch off unused wireless connections, such as Bluetooth or infrared ports.
There are cases when malicious actors exploit Bluetooth in order to compromise a machine. You should address this threat vector by turning off Bluetooth, infrared ports and other wireless connections that might not be used in the organization.
- Use Software Restriction Policies.
Per Microsoft’s documentation, Software Restriction Policies are trust policies that enable organizations to manage the process of running applications on their computers. For instance, they let you designate where apps are and aren’t allowed to execute. This helps prevent a ransomware infection, as attackers commonly use ProgramData, AppData, Temp and Windows\SysWow to host their malicious processes.
- Block known malicious Tor IP addresses.
Tor (The Onion Router) gateways are one of the primary means for ransomware threats to communicate with their C&C servers. You can therefore block known malicious Tor IP addresses, which may impede critical malicious processes from getting through.
- Make use of threat intelligence.
Ransomware actors continue to innovate new techniques, launch new attacks and create new strains of crypto-malware. In light of this reality, you need to have some way to keep pace with what’s going on in the threat landscape and what risks could be affecting other organizations in the same region or industry. You can do this by making sure you have access to reputable threat intelligence feeds.
- Segment the network.
Attackers can use a continuous network to spread throughout your entire infrastructure. You can prevent this by segmenting your network. In particular, you might want to consider placing your industrial assets and IoT devices on their own segments.
- Monitor the network for suspicious activity.
In whatever way you decide to organize your network, you need to keep an eye out for threat behavior that could be indicative of a ransomware attack or security incident. That’s why you need to use tools to monitor the network for suspicious activity.
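Two behaviours that stand out in file-activity telemetry during a ransomware run are a burst of renames that change files’ extensions and the same ransom-note file being dropped into directory after directory. The following added example (not code from the original page or from any monitoring product) implements both detections over a constructed log: a per-user sliding window counts extension-changing renames and fires once the count reaches a threshold, and a per-user map of note basenames to directories fires once a basename appears in several directories. The log format, the user names, the note filename HOW_TO_DECRYPT.txt and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import posixpath

# Constructed file-activity log (not from any real product). Format:
# "<UTC time> <user> <op> <path> [<new path>]", paths normalised to forward slashes.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z bob   RENAME /srv/share/bob/draft.docx /srv/share/bob/final.docx
2024-05-01T10:00:02Z alice RENAME /srv/share/finance/budget.xlsx /srv/share/finance/budget.xlsx.locked
2024-05-01T10:00:03Z alice RENAME /srv/share/finance/q1.xlsx /srv/share/finance/q1.xlsx.locked
2024-05-01T10:00:04Z alice RENAME /srv/share/finance/q2.xlsx /srv/share/finance/q2.xlsx.locked
2024-05-01T10:00:05Z alice WRITE  /srv/share/finance/HOW_TO_DECRYPT.txt
2024-05-01T10:00:06Z alice RENAME /srv/share/hr/contracts.docx /srv/share/hr/contracts.docx.locked
2024-05-01T10:00:07Z alice RENAME /srv/share/hr/payroll.pdf /srv/share/hr/payroll.pdf.locked
2024-05-01T10:00:08Z alice WRITE  /srv/share/hr/HOW_TO_DECRYPT.txt
2024-05-01T10:00:09Z alice RENAME /srv/share/legal/nda.docx /srv/share/legal/nda.docx.locked
2024-05-01T10:00:10Z alice WRITE  /srv/share/legal/HOW_TO_DECRYPT.txt
2024-05-01T10:03:00Z bob   RENAME /srv/share/bob/scan.tmp /srv/share/bob/scan.pdf
"""


def parse_line(line):
    """Return (timestamp, user, op, [paths]) for one log line."""
    fields = line.split()
    ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields[1], fields[2], fields[3:]


def extension(path):
    return posixpath.splitext(path)[1].lower()


def detect(log_text, window=timedelta(seconds=60), rename_threshold=5, note_dir_threshold=3):
    """Scan a log and return alert strings. Each (user, pattern) pair alerts at most once."""
    recent_renames = defaultdict(deque)  # user -> timestamps of extension-changing renames
    note_dirs = defaultdict(set)         # (user, basename) -> directories it was written into
    alerts, fired = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, op, paths = parse_line(line)
        if op == "RENAME" and len(paths) == 2 and extension(paths[0]) != extension(paths[1]):
            q = recent_renames[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop events outside the sliding window
                q.popleft()
            if len(q) >= rename_threshold and (user, "mass-rename") not in fired:
                fired.add((user, "mass-rename"))
                alerts.append(f"{ts.isoformat()} {user}: {len(q)} extension-changing renames "
                              f"within {int(window.total_seconds())}s (last: {paths[1]})")
        elif op == "WRITE" and len(paths) == 1:
            directory, base = posixpath.split(paths[0])
            note_dirs[(user, base)].add(directory)
            if len(note_dirs[(user, base)]) >= note_dir_threshold and (user, "note:" + base) not in fired:
                fired.add((user, "note:" + base))
                alerts.append(f"{ts.isoformat()} {user}: '{base}' written into "
                              f"{len(note_dirs[(user, base)])} directories (ransom-note pattern)")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log the detector raises two alerts, both for alice: the mass-rename alert fires on her fifth extension change at 10:00:07, and the ransom-note alert when HOW_TO_DECRYPT.txt lands in its third directory at 10:00:10. Bob’s two ordinary renames stay below the threshold. The thresholds are starting points; tune them against a baseline of normal activity on each file server before paging on them.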
Types of ransomware
There are two main types of ransomware: crypto-ransomware and locker ransomware.
Crypto ransomware encrypts valuable files on a computer so that the user cannot access them.
Cyberthieves that conduct crypto ransomware attacks make money by demanding that victims pay a ransom to get their files back.
Locker ransomware does not encrypt files. Rather, it locks the victim out of their device, preventing them from using it. Once they are locked out, cybercriminals carrying out locker ransomware attacks will demand a ransom to unlock the device.
10 ransomware examples
Now you understand what ransomware is and the two main types of ransomware that exist. Let’s explore 10 famous ransomware examples to help you understand how different and dangerous each type can be.
Locky is a type of ransomware that was first released in a 2016 attack by an organized group of hackers.
With the ability to encrypt over 160 file types, Locky spreads by tricking victims to install it via fake emails with infected attachments. This method of transmission is called phishing, a form of social engineering.
Locky targets a range of file types that are often used by designers, developers, engineers, and testers.
WannaCry is a ransomware attack that spread across 150 countries in 2017.
Designed to exploit a vulnerability in Windows, it was allegedly created by the United States National Security Agency and leaked by the Shadow Brokers group. WannaCry affected 230,000 computers globally.
The attack hit a third of hospital trusts in the UK, costing the NHS an estimated £92 million. Users were locked out and a ransom was demanded in the form of Bitcoin. The attack highlighted the problematic use of outdated systems, leaving the vital health service vulnerable to attack.
The global financial impact of WannaCry was substantial: the cybercrime caused an estimated $4 billion in financial losses worldwide.
Bad Rabbit is a 2017 ransomware attack that spread using a method called a ‘drive-by’ attack, where insecure websites are targeted and used to carry out an attack.
During a drive-by ransomware attack, a user visits a legitimate website, not knowing that they have been compromised by a hacker.
Drive-by attacks often require no action from the victim, beyond browsing to the compromised page. However, in this case, they are infected when they click to install something that is actually malware in disguise. This element is known as a malware dropper.
Bad Rabbit used a fake request to install Adobe Flash as a malware dropper to spread its infection.
Ryuk ransomware, which spread in August 2018, disabled the Windows System Restore option, making it impossible to restore encrypted files without a backup.
Ryuk also encrypted network drives.
The effects were crippling, and many organizations targeted in the US paid the demanded ransoms. August 2018 reports estimated funds raised from the attack were over $640,000.
The Troldesh ransomware attack happened in 2015 and was spread via spam emails with infected links or attachments.
Interestingly, the Troldesh attackers communicated with victims directly over email to demand ransoms. The cybercriminals even negotiated discounts for victims who they built a rapport with — a rare occurrence indeed.
This tale is definitely the exception, not the rule. It is never a good idea to negotiate with cybercriminals. Avoid paying the demanded ransom at all costs as doing so only encourages this form of cybercrime.
Jigsaw is a ransomware attack that started in 2016. This attack got its name as it featured an image of the puppet from the Saw film franchise.
Jigsaw gradually deleted more of the victim’s files each hour that the ransom demand was left unpaid. The use of horror movie imagery in this attack caused victims additional distress.
CryptoLocker is ransomware that was first seen in 2007 and spread through infected email attachments. Once on your computer, it searched for valuable files to encrypt and hold to ransom.
CryptoLocker is thought to have affected around 500,000 computers. Law enforcement and security companies eventually managed to seize a worldwide network of hijacked home computers that were being used to spread CryptoLocker.
This allowed them to control part of the criminal network and grab the data as it was being sent, without the criminals knowing. This action later led to the development of an online portal where victims could get a key to unlock and release their data for free without paying the criminals.
Petya (not to be confused with ExPetr) is a ransomware attack that first hit in 2016 and resurged in 2017 as GoldenEye.
Rather than encrypting specific files, this vicious ransomware encrypts the victim’s entire hard drive. It does this by encrypting the primary file table making it impossible to access files on the disk.
Petya spread through HR departments via a fake job application email with an infected Dropbox link.
The resurgence of Petya, known as GoldenEye, led to a global ransomware attack that happened in 2017.
Dubbed WannaCry’s ‘deadly sibling’, GoldenEye hit over 2,000 targets, including prominent oil producers in Russia and several banks.
Frighteningly, GoldenEye even forced workers at the Chernobyl nuclear plant to check radiation levels manually as they had been locked out of their Windows PCs.
GandCrab is a rather unsavory ransomware attack that threatened to reveal victims’ porn-watching habits.
Claiming to have hijacked users’ webcams, the GandCrab cybercriminals demanded a ransom, threatening otherwise to make the embarrassing footage public.
After first hitting in January 2018, GandCrab evolved into multiple versions. As part of the No More Ransom Initiative, internet security providers and the police collaborated to develop a ransomware decryptor to rescue victims’ sensitive data from GandCrab.
- 30 Apr 2020: Decrypts files affected by all versions of Shade.
- 3 Feb 2021: Decrypts files affected by Rakhni, Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Cryptokluchen, Lortok, Democry, Bitman.
- 20 Dec 2016: Decrypts files affected by Rannoh, AutoIt, Fury, Cryakl, Crybola, CryptXXX (versions 1, 2 and 3), Polyglot aka Marsjoke.
- 15 Apr 2015: Decrypts files affected by CoinVault and Bitcryptor. Created in cooperation with The National High Tech Crime Unit (NHTCU) of the Netherlands’ police and Netherlands’ National Prosecutors.
- 24 Aug 2016: Decrypts files affected by Wildfire.
- 23 Aug 2016: Decrypts files affected by Xorist and Vandev.