Ransomware is exactly what its name suggests: a type of malware that extorts money from victims. The most common form is cryptoviral extortion, in which the files on a target's computer are encrypted and the only practical way to decrypt them is to pay a ransom for the decryption key. Attackers usually demand payment in a cryptocurrency such as Bitcoin, since that makes the money harder to trace and the perpetrators harder to prosecute (though not impossible: blockchain payments are pseudonymous, not anonymous).
Ransomware usually reaches a computer by tricking the victim into downloading and opening a malicious file. Malware disguised this way is known as a Trojan, after the Ancient Greek story of the enormous wooden horse that hid attackers and led to the fall of Troy. There are, however, examples of ransomware that spreads in other ways, such as the WannaCry worm of 2017, which spread with no user interaction by exploiting a vulnerability in Microsoft's SMBv1 implementation (the EternalBlue exploit, patched in MS17-010) on machines whose SMB port 445 was reachable from the internet or from other infected hosts.
The rise of ransomware
The first ransomware attack was seen in 1989. Since then, ransomware attacks have grown greatly in both number and sophistication. In 2020, organizations of every kind are being targeted, and the problem is worst where basic hygiene is poor: unpatched systems, shared or weak credentials, and no tested backups give attackers more weaknesses to exploit. Ransomware hits every industry, from small and medium-sized businesses to media and entertainment giants to public sector organizations ranging from schools to hospitals. The data encrypted may be stored locally or in the cloud. Professional ransomware operators target whole networks where they can encrypt many devices at once, rather than one machine at a time.
A newer form of attack, often called double extortion, makes things even worse for victims: the attackers not only encrypt data but steal a copy first, and threaten to publish it if the ransom is not paid.
Not every target of a ransomware attack will pay to get its data back. Some accept the loss rather than pay, some have wisely kept backups made before the attack, and others rely on the kinds of security tools described later in this article. Enough victims do pay, however, that criminals clearly consider the strategy worth continuing. With ransoms that run well into the four or five figures (or far above), it only takes a few victims paying up for an attacker to consider the next campaign worth the effort.
RansomEXX arrives on Linux
Recently, a major Windows ransomware strain called RansomEXX was ported to Linux, the open-source Unix-like operating system that serves as the main alternative to Apple's macOS and Microsoft Windows. While Linux is a small player in the consumer market, with at most a couple of percentage points of the desktop market, it is far more widely used on servers: it runs around 28.8 percent of all web servers.
RansomEXX is used in targeted attacks against large organizations, encrypting files so that users cannot reach what they need until systems are restored. A Linux variant extends its reach to the servers that hold an organization's most important data, and it shows how ransomware operators keep adapting their tooling to whatever new targets promise a payout.
Protecting against ransomware
Needless to say, protecting against ransomware should be a priority for organizations, and they should have a plan for how to recover from an attack. This includes taking regular backups that are kept where an attacker on the network cannot reach them, and being confident, from having rehearsed it, that infected computers can be wiped and rebuilt and data restored from those backups with minimal disruption. Organizations should also know the steps to take in the aftermath of an attack, whether that means notifying regulators, law enforcement, insurers, or all three. Such a plan will not avoid all disruption, but it means a target can act rather than improvise when an attack comes.
The best course of action is to avoid a ransomware attack in the first place. Educate yourself, and the people who work with you, about common attack vectors such as Trojans so that nobody falls for the social engineering that spreads the malware. Also invest in anti-phishing tools and in tools for ransomware detection.
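A backup is only useful if you can prove it is still intact when you need it. The following Python is an added example, not code from the original article or from any backup product: it records a SHA-256 manifest of a backup set at backup time and verifies the set against that manifest before a restore, so that files an attacker has encrypted or deleted are noticed before they are relied on. The directory layout, file names and the JSON manifest format are assumptions for illustration; in practice the manifest, like the backup itself, belongs on storage that production hosts cannot overwrite.

```python
"""Hash a backup set into a manifest and verify it before restoring.

Added example for illustration (not the article's or any vendor's code).
Paths, file names and the manifest format are assumptions.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map every file under backup_dir (relative path) to its SHA-256."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = sha256_file(full)
    return manifest


def verify_backup(backup_dir, manifest):
    """Return (ok, problems). problems is a sorted list of
    ("missing" | "modified", relative_path) for every manifest entry that
    no longer matches; an empty list means the set is safe to restore."""
    problems = []
    for rel, digest in manifest.items():
        full = os.path.join(backup_dir, rel)
        if not os.path.isfile(full):
            problems.append(("missing", rel))
        elif sha256_file(full) != digest:
            problems.append(("modified", rel))
    return (not problems, sorted(problems))


def demo():
    """Constructed scenario: back up three files, store the manifest, then
    simulate ransomware overwriting one file and deleting another.
    Returns (ok_before, ok_after, problems_after)."""
    files = {  # constructed sample content, not real data
        os.path.join("db", "customers.sql"): b"INSERT INTO customers VALUES (1, 'ACME');\n",
        os.path.join("docs", "policy.txt"): b"Backups are verified before every restore.\n",
        os.path.join("config", "app.json"): b'{"debug": false}\n',
    }
    with tempfile.TemporaryDirectory() as backup_dir:
        for rel, content in files.items():
            full = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)

        # Manifest is serialized at backup time; here we round-trip it through
        # JSON as it would be when written to (and later read from) safe storage.
        stored = json.dumps(build_manifest(backup_dir))
        ok_before, _ = verify_backup(backup_dir, json.loads(stored))

        # Simulate an attacker reaching the backup share: one file is
        # overwritten with random bytes (as if encrypted), another is removed.
        with open(os.path.join(backup_dir, "db", "customers.sql"), "wb") as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(backup_dir, "docs", "policy.txt"))

        ok_after, problems = verify_backup(backup_dir, json.loads(stored))
        return ok_before, ok_after, problems


if __name__ == "__main__":
    before, after, problems = demo()
    print("intact at backup time:", before)
    print("intact before restore:", after, problems)
```

Run it as a script to see the scenario play out. The check is deliberately simple: a manifest and a restore drill catch the common failure (backups silently encrypted alongside production data) long before the ransom note does, and the same verification can run on a schedule against offline copies.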
The right tools for the job
File security tools can detect a ransomware attack before it causes widespread damage, typically by spotting a burst of file activity that does not look like human work (mass renames, files rewritten with random-looking content), and then quarantine the affected user or device to stop the attack in its tracks. These tools also gather the data security teams need to investigate the activity and close the weakness that let it in. A Web Application Firewall (WAF) can additionally block web-borne exploit attempts used to deliver ransomware to internet-facing applications and notify you of them, although a WAF does not see files being encrypted on endpoints and is no substitute for endpoint and file-level monitoring.
All of these are solid strategies that can help protect you against ransomware. The thing you should never do? Pay the ransom. Paying confirms that extortion works (not least against you), and there is no guarantee that the decryption key will actually be handed over or that any stolen data will be deleted.
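The detection described above comes down to recognizing a burst of ransomware-like file events per user inside a short time window. The Python below is an added example written for this article, not code from the original page or from any file security product: it scores file-activity events (writes whose content has near-maximal Shannon entropy going into file types that should be plaintext, and renames to unfamiliar extensions) and raises a quarantine alert once one user accumulates enough of them within a sliding window. The event fields, extension lists, thresholds and the sample events are all assumptions constructed for illustration.

```python
"""Flag ransomware-like bursts in a file-activity event stream.

Added example for illustration; not the article's code and not any vendor's
product. Event format, extension lists and thresholds are assumptions.
"""
import hashlib
import math
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # sliding window per user
BURST_THRESHOLD = 5        # suspicious events inside the window before alerting
ENTROPY_THRESHOLD = 7.5    # bits/byte; ciphertext sits close to 8.0
# File types whose contents normally sit far below 8 bits/byte. A near-random
# write to one of these is a strong hint the file was just encrypted in place.
PLAINTEXT_TYPES = {".txt", ".csv", ".log", ".json", ".sql", ".html", ".md"}
# Extensions a rename may legitimately end on; anything else (.locked,
# .crypt, ...) counts as suspicious. Assumed list for the example.
KNOWN_TYPES = PLAINTEXT_TYPES | {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip"}


def shannon_entropy(data):
    """Bits of entropy per byte in `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious(event):
    """Return a reason string if one event looks ransomware-like, else None."""
    ext = os.path.splitext(event["path"])[1].lower()
    if event["op"] == "write":
        if ext in PLAINTEXT_TYPES and shannon_entropy(event["data"]) >= ENTROPY_THRESHOLD:
            return "high-entropy write to %s" % event["path"]
    elif event["op"] == "rename":
        new_ext = os.path.splitext(event["new_path"])[1].lower()
        if new_ext not in KNOWN_TYPES:
            return "rename to unknown extension %s" % new_ext
    return None


def detect(events):
    """Walk events in time order and alert once per user whose suspicious
    events reach BURST_THRESHOLD within WINDOW_SECONDS."""
    recent = defaultdict(deque)   # user -> timestamps of recent suspicious events
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        reason = is_suspicious(ev)
        if reason is None or ev["user"] in flagged:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW_SECONDS:
            q.popleft()               # drop events that fell out of the window
        if len(q) >= BURST_THRESHOLD:
            flagged.add(ev["user"])
            alerts.append({"user": ev["user"], "ts": ev["ts"],
                           "reason": reason, "action": "quarantine"})
    return alerts


# --- Constructed sample events (not from any real incident) -------------------
# Deterministic stand-in for ciphertext: 4096 bytes of chained SHA-256 output.
CIPHERTEXT = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
PLAINTEXT = b"Quarterly report: revenue up 4 percent versus last year.\n" * 60

SAMPLE_EVENTS = (
    # alice: ordinary work, including a high-entropy .zip and a normal rename
    [{"ts": 10, "user": "alice", "op": "write", "path": "/home/alice/notes.txt", "data": PLAINTEXT},
     {"ts": 12, "user": "alice", "op": "write", "path": "/home/alice/photos.zip", "data": CIPHERTEXT},
     {"ts": 15, "user": "alice", "op": "rename", "path": "/home/alice/draft.docx",
      "new_path": "/home/alice/report_final.docx"}]
    # bob's session: six plaintext files overwritten with ciphertext, then renamed
    + [{"ts": 100 + i, "user": "bob", "op": "write", "path": "/srv/share/q%d.csv" % i,
        "data": CIPHERTEXT} for i in range(6)]
    + [{"ts": 110 + i, "user": "bob", "op": "rename", "path": "/srv/share/q%d.csv" % i,
        "new_path": "/srv/share/q%d.csv.locked" % i} for i in range(6)]
    # carol: three odd renames spread over ten minutes, below the burst rate
    + [{"ts": 1000 + 200 * i, "user": "carol", "op": "rename", "path": "/home/carol/f%d.txt" % i,
        "new_path": "/home/carol/f%d.txt.bak1" % i} for i in range(3)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints a single quarantine alert for bob at the fifth high-entropy write (well before the renames start), while alice's compressed archive and carol's slow trickle of odd renames produce nothing. The two signals are combined on purpose: entropy alone false-positives on archives and images, and extension checks alone miss families that encrypt in place without renaming, so a real product weighs several such signals per user and per share.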
Ransomware is among the nastiest forms of malware you’re likely to encounter. Fortunately, there are ways to fight back.