
Ransomware is a type of malicious software designed to deny access to a computer system or files until a sum of money, or ransom, is paid to the attacker. This cyber attack encrypts the victim's files or locks them out of their system, demanding payment to release the data or restore access.

The attacker may apply additional extortion methods to increase the psychological and financial pressure on victims. Beyond encrypting data and denying the victims their computing resources, attackers can threaten data exposure, service disruption, and irreparable harm to the organization and its partners. Victims are more likely to consider paying the ransom to avoid the increasingly severe consequences associated with each of the following elements of the extortion strategy:

  • Data Encryption: As in traditional ransomware attacks, the attackers encrypt the victim's critical data, making it inaccessible, and their computing assets inoperable.
  • Data Disclosure: Sensitive information is exfiltrated, creating the risk of exposure and potential legal liabilities for the victim.
  • Service Disruption: Threats to disrupt critical services or launch distributed denial of service (DDoS) attacks can significantly intensify the urgency for the victim to comply with ransom demands.
  • Customer Extortion: The victim's suppliers and customers can be contacted and threatened with data disclosure, further pressuring the victim to pay the ransom.
  • Regulatory Threats: In a recent incident, the attackers filed a complaint with the U.S. Securities and Exchange Commission (SEC), accusing the victim of failure to report the breach promptly. This adds a layer of legal and regulatory pressure.

In a recent development, attackers have exfiltrated data without encrypting the victim's computers at all. This avoids 1) the time needed to encrypt files and 2) the risk that the attacker's decryption key does not work once the ransom is paid.

Common signs of a ransomware attack include:

  • Uncharacteristic User or Network Behavior: Attacker reconnaissance activities can be a tip-off as they search for the victim's most valuable data assets.
  • Unusual Volume of Network Traffic: Ransomware infections can cause a spike in network traffic as the malware communicates with command and control servers.
  • File Encryption: Sudden and unexplained encryption of files on the system clearly indicates a ransomware attack.
  • Ransom Notes: Attackers often leave ransom notes on the victim's system, detailing the ransom amount and payment instructions.
  • Changed File Extensions: Files may have their extensions changed to unfamiliar or random ones, indicating encryption by ransomware.
  • System Lockout Messages: Victims might encounter messages on their screens informing them that their system is locked and that payment is required for restoration.
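The "ransom notes" and "changed file extensions" signs above are the easiest to turn into detection logic. The following script is an added example, not part of the original page: it reads a constructed file-system event log (the line format, the process name updsvc.exe and the ransom-note name heuristic are all assumptions made for the example) and flags any process that renames many user documents to an unknown suffix within a short window, or that creates a file whose name looks like a ransom note.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# File types users normally work with. A burst of renames *away* from these to an
# unknown suffix is the "changed file extensions" sign described above.
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}

# Heuristic for ransom-note file names (constructed for this example, not a vendor signature).
RANSOM_NOTE = re.compile(r"(readme|restore|decrypt|recover|how[_ ]?to)[^\\/]*\.(txt|html|hta)$", re.I)

# Assumed event line format: "<ISO timestamp> <process> <CREATE|WRITE|RENAME> <path>",
# where a RENAME path reads "<old path> -> <new path>".
EVENT = re.compile(r"^(\S+) (\S+) (CREATE|WRITE|RENAME) (.+)$")

# Constructed sample log: normal office activity, then a hypothetical process
# "updsvc.exe" renaming documents to a random suffix and dropping a note.
SAMPLE_LOG = r"""
2024-05-01T09:12:01 winword.exe WRITE C:\Users\alice\Documents\budget.docx
2024-05-01T09:12:30 explorer.exe RENAME C:\Users\alice\Downloads\report.tmp -> C:\Users\alice\Downloads\report.docx
2024-05-01T09:14:10 updsvc.exe RENAME C:\Users\alice\Documents\budget.docx -> C:\Users\alice\Documents\budget.docx.k3jd9
2024-05-01T09:14:12 updsvc.exe RENAME C:\Users\alice\Documents\contracts.pdf -> C:\Users\alice\Documents\contracts.pdf.k3jd9
2024-05-01T09:14:15 updsvc.exe RENAME C:\Users\alice\Documents\payroll.xlsx -> C:\Users\alice\Documents\payroll.xlsx.k3jd9
2024-05-01T09:14:18 updsvc.exe RENAME C:\Users\alice\Pictures\team.jpg -> C:\Users\alice\Pictures\team.jpg.k3jd9
2024-05-01T09:14:20 updsvc.exe RENAME C:\Users\alice\Documents\notes.txt -> C:\Users\alice\Documents\notes.txt.k3jd9
2024-05-01T09:14:25 updsvc.exe RENAME C:\Users\alice\Documents\plan.pptx -> C:\Users\alice\Documents\plan.pptx.k3jd9
2024-05-01T09:14:26 updsvc.exe CREATE C:\Users\alice\Documents\HOW_TO_RESTORE_FILES.txt
"""


def parse_events(log_text):
    """Yield (timestamp, process, action, old_path, new_path) tuples; old_path is None unless RENAME."""
    events = []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, proc, action, rest = m.groups()
        if action == "RENAME":
            old, new = rest.split(" -> ", 1)
        else:
            old, new = None, rest
        events.append((datetime.fromisoformat(ts), proc, action, old, new))
    return events


def extension(path):
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def analyze(log_text, rename_threshold=5, window=timedelta(seconds=60)):
    """Return findings as (process, kind, detail) tuples.

    kind is "ransom-note" (detail = path) or "mass-rename" (detail = renames in the window).
    """
    findings = []
    suspicious_renames = defaultdict(list)
    for when, proc, action, old, new in parse_events(log_text):
        # Rename from a common document type to something unrecognised.
        if action == "RENAME" and extension(old) in COMMON_EXTENSIONS \
                and extension(new) not in COMMON_EXTENSIONS:
            suspicious_renames[proc].append(when)
        # A newly created or written file that looks like a ransom note.
        if action in ("CREATE", "WRITE") and RANSOM_NOTE.search(new):
            findings.append((proc, "ransom-note", new))
    # Sliding window: flag the first burst of rename_threshold or more suspicious renames.
    for proc, times in suspicious_renames.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= rename_threshold:
                findings.append((proc, "mass-rename", len(burst)))
                break
    return findings


if __name__ == "__main__":
    for process, kind, detail in analyze(SAMPLE_LOG):
        print(f"{process}: {kind} ({detail})")
```

The benign rename by explorer.exe (a temporary file becoming a .docx) is deliberately not counted, because the destination extension is a normal document type; only renames that take a document to an unknown suffix contribute to the burst count. A real deployment would feed this from an EDR or file-audit stream rather than a text log, and would tune the threshold and window to the environment.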
Measures that reduce the likelihood and impact of a ransomware attack include:

  • Regular Backups: Maintain regular backups of critical data and ensure they are stored in an offline or secure location to prevent encryption by ransomware. Backups must be tested to ensure they are effective and meet recovery time objectives.
  • Security Software: Use reputable antivirus and antimalware software designed to detect and block ransomware threats.
  • Email Security: Be cautious of email attachments and links, especially from unknown or suspicious sources. Employ email filtering solutions to block malicious content, including sandboxing that permits the harmless detonation of suspected malware in quarantined environments, together with the following email authentication technologies:
      • Sender Policy Framework (SPF): Validates that the sending server is authorized to send emails on behalf of a domain.
      • DomainKeys Identified Mail (DKIM): Ensures email integrity by allowing the sender to sign their messages with a digital signature.
      • Domain-based Message Authentication, Reporting, and Conformance (DMARC): Enhances email authentication by combining SPF and DKIM, and specifies how to handle emails that fail authentication.
  • Software Updates: Keep operating systems and software updated. Immediately patch vulnerabilities that malware is likely to exploit.
  • Education: Educate users about the dangers of clicking on links or downloading attachments from unknown sources and emphasize the importance of safe online practices.
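To show how SPF, DKIM and DMARC fit together on the receiving side, here is an added example (not from the original page) of a minimal DMARC evaluator. The DNS TXT records are constructed and embedded inline instead of being queried, the SPF evaluator handles only the ip4, include and all mechanisms, the DKIM verdict is taken as input from a separate signature verifier, and the organizational-domain rule is simplified to "last two labels" (real implementations use the Public Suffix List). All domains and addresses are documentation values chosen for the example.

```python
import ipaddress

# Constructed DNS TXT records, keyed by name. A real filter would query DNS.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "bounce.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return DNS_TXT.get(name.lower())


def spf_check(domain, client_ip, depth=0):
    """Evaluate the domain's SPF record for client_ip (ip4, include and all only)."""
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        matched = False
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], client_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return SPF_RESULT[qualifier]
    return "neutral"


def parse_dmarc(domain):
    """Return the DMARC tag dictionary published at _dmarc.<domain>, or None."""
    record = lookup_txt("_dmarc." + domain)
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    # Simplification for the example: last two labels. Use the Public Suffix List in practice.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_policy(from_domain):
    """Find the applicable record and the policy to apply (sp= covers subdomains if present)."""
    tags = parse_dmarc(from_domain)
    if tags is not None:
        return tags, tags["p"]
    org = org_domain(from_domain)
    if org != from_domain.lower():
        tags = parse_dmarc(org)
        if tags is not None:
            return tags, tags.get("sp", tags["p"])
    return None, "none"


def evaluate(from_domain, mail_from_domain, client_ip, dkim_result=None):
    """Combine SPF and DKIM into a DMARC verdict.

    dkim_result is the output of a DKIM signature verifier: {"d": signing domain,
    "result": "pass" | "fail"}, or None when the message carries no signature.
    Returns {"spf": ..., "dmarc": "pass" | "fail" | "none", "disposition": ...}.
    """
    spf = spf_check(mail_from_domain, client_ip)
    tags, policy = dmarc_policy(from_domain)
    if tags is None:
        return {"spf": spf, "dmarc": "none", "disposition": "none"}
    spf_aligned = spf == "pass" and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = (dkim_result is not None and dkim_result.get("result") == "pass"
                    and aligned(dkim_result["d"], from_domain, tags.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return {"spf": spf, "dmarc": "pass", "disposition": "none"}
    return {"spf": spf, "dmarc": "fail", "disposition": policy}


if __name__ == "__main__":
    print(evaluate("example.com", "bounce.example.com", "192.0.2.25", {"d": "example.com", "result": "pass"}))
    print(evaluate("example.com", "attacker.example", "203.0.113.5"))
```

The second call in the usage block is the case the bullets above are meant to catch: a message whose visible From header claims example.com but whose envelope sender and sending host belong to nobody example.com has authorized, and which carries no DKIM signature. Neither identifier aligns, so the published p=reject policy applies. The pct= tag (sampling) and aggregate reporting via rua= are parsed but not acted on in this example.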
If an attack is detected, the following response steps apply:

  • Isolate Infected Systems: Immediately disconnect the infected systems from the network to prevent the ransomware from spreading to other devices. Do not power down computers until the forensic examiners have retrieved the memory images for analysis.
  • Report to Authorities: Given the magnitude and complexity of this crime, report the incident to the Federal Bureau of Investigation (FBI) and provide any information that may aid the investigation. The Baltimore Field Office is at 2600 Lord Baltimore Drive, Baltimore, MD 21244, and at phone number (410) 265-8080.
  • Restore from Backups: If available, restore affected systems from clean backups. Ensure the backups were created before the ransomware infection occurred. Older software systems may not be returned in their pre-attack form because the vendor no longer supports them or because the old systems will not function on the new secure infrastructure implemented post-attack.
  • Consider Not Paying the Ransom: Law enforcement agencies and cybersecurity experts strongly advise against paying the ransom, as it does not guarantee the recovery of files and may further fund criminal activities. However, this business decision needs to consider the recovery time for one's backups and the revenue lost by the attack.
  • Negotiation: An experienced ransomware negotiator can reduce the ransom demands and sustain communications as law enforcement traces the attacker's communications.
  • Implement Security Measures: Strengthen security measures by updating passwords, enhancing network security, and conducting a thorough security review to prevent future attacks. Multi-factor authentication can avoid or mitigate account takeovers as attackers pivot across the victim's network.
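The "Regular Backups" measure above says backups must be tested against recovery time objectives, and the "Restore from Backups" step says the backup used must predate the infection. The following added example (not from the original page) shows the bookkeeping that makes both checks mechanical: a hashed manifest is recorded when each snapshot is taken, the newest snapshot taken before the earliest suspected infection time is selected, a restored copy is verified file by file against the manifest, and the measured restore time is compared with the RTO. The file contents, snapshot times and RTO are constructed sample data.

```python
import hashlib
from datetime import datetime, timedelta
from pathlib import Path


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files, taken_at):
    """Record a snapshot: files maps a relative path to its bytes, taken_at is the snapshot time."""
    return {"taken_at": taken_at,
            "entries": {path: sha256_hex(data) for path, data in files.items()}}


def manifest_from_directory(root, taken_at):
    """Same record, built from the files on disk under root (relative POSIX paths as keys)."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    return build_manifest(files, taken_at)


def verify_restore(manifest, restored):
    """Compare a restored file set with the manifest; return a list of (path, problem)."""
    problems = []
    for path, digest in manifest["entries"].items():
        if path not in restored:
            problems.append((path, "missing"))
        elif sha256_hex(restored[path]) != digest:
            problems.append((path, "hash-mismatch"))
    problems.extend((path, "unexpected") for path in restored if path not in manifest["entries"])
    return problems


def choose_restore_point(snapshots, infection_time):
    """Newest snapshot taken strictly before the earliest suspected infection time, or None."""
    clean = [s for s in snapshots if s["taken_at"] < infection_time]
    return max(clean, key=lambda s: s["taken_at"]) if clean else None


def meets_rto(restore_started, restore_finished, rto):
    """True when a timed restore drill finished within the recovery time objective."""
    return restore_finished - restore_started <= rto


# Constructed sample data: a clean snapshot, then a snapshot taken after the
# (hypothetical) infection that captured renamed files and a ransom note.
FILES_CLEAN = {
    "finance/budget.xlsx": b"Q1 budget: 120000\nQ2 budget: 135000\n",
    "hr/roster.csv": b"name,role\nalice,cfo\nbob,analyst\n",
}
FILES_TAINTED = {
    "finance/budget.xlsx.k3jd9": bytes(range(32, 96)),          # stands in for ciphertext
    "HOW_TO_RESTORE_FILES.txt": b"(constructed ransom note text)\n",
}
SNAPSHOTS = [
    build_manifest(FILES_CLEAN, datetime(2024, 5, 1, 2, 0)),
    build_manifest(FILES_TAINTED, datetime(2024, 5, 2, 2, 0)),
]
INFECTION_TIME = datetime(2024, 5, 1, 9, 14)   # earliest suspicious activity seen in the logs
RTO = timedelta(hours=4)
RESTORE_DRILL = (datetime(2024, 5, 2, 10, 0), datetime(2024, 5, 2, 12, 30))


if __name__ == "__main__":
    point = choose_restore_point(SNAPSHOTS, INFECTION_TIME)
    print("restore point:", point["taken_at"] if point else None)
    print("full restore problems:", verify_restore(point, FILES_CLEAN))
    print("partial restore problems:", verify_restore(point, {"finance/budget.xlsx": FILES_CLEAN["finance/budget.xlsx"]}))
    print("meets RTO:", meets_rto(*RESTORE_DRILL, RTO))
```

Keeping the manifest alongside the backup gives the forensic and recovery teams an independent way to tell a clean snapshot from one that silently captured encrypted files, which is exactly the failure the "ensure the backups were created before the infection" step warns about. For the manifest to be trustworthy it must itself live in the offline or immutable location the bullets recommend, where the attacker could not rewrite it.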
