Ransomware is a term we have been hearing and reading a lot, particularly over the past two years, and mostly in a negative context where some organization has been the victim of a ransomware attack.
Ransomware is a type of malicious software, also known as malware (another term used quite frequently), that threatens to restrict access to data or to publish it in a public forum, creating business risk. This is usually done by encrypting the data, so that the victim has to pay a ransom to the attacker to get the data released. Usually there is a deadline for the victim to pay the ransom. If the victim fails to meet the deadline, the attacker will erase the data; in the best case, the attacker will instead increase the ransom and set a revised deadline.
Malware attacks are pretty common these days, and we have seen many organizations in North America and Europe fall victim to them. These cyber attackers have no set criteria: they can attack any set of customers or any organization across industry verticals.
Many agencies, such as the FBI, and some governments refrain from paying such ransoms. In fact, there is a special project called the No Ransom Project, a not-for-profit organization that works towards the objective of not paying ransoms to cyber attackers. Moreover, it has been observed that victims who pay the ransom are subjected to repeated ransomware attacks.
Background of Ransomware Attacks
If we look at the history of ransomware attacks, it dates back to 1989, when the ‘AIDS Virus’ was used by cyber attackers to extort funds from victims. Once the payment for this attack was sent (by post) to Panama, the decryption key was also sent back by post.
In 1996, two individuals from Columbia University, Moti Yung and Adam Young, introduced a definition of ransomware and coined the term “cryptoviral extortion”. These two academics presented the first cryptovirology attack in 1996 at an IEEE security and privacy conference.
Over time, we have seen innovation in the space of cyber-attacks and ransomware attacks. Cyber attackers have become creative, asking for ransom payments that are practically impossible to trace; this is how these cyber criminals keep their whereabouts anonymous. As the use of cryptocurrency such as Bitcoin surged, we saw a considerable rise in ransomware attacks.
If we look at the pattern, ransomware attacks have made every industry a victim, with the most famous attack being the one on Presbyterian Memorial Hospital. It was a massive attack in which laboratories, pharmacy stores and emergency rooms were all victims.
How does ransomware work?
As mentioned earlier, ransomware is a type of malware created to extort money from organizations by encrypting their data and blocking access to it. We see mainly two types of ransomware: one set is known as encryptors, and the other set is known as screen lockers. As the names suggest, encryptors encrypt the data, making it unusable without a decryption key, whereas screen lockers simply block access to the system by deploying a “lock screen.”
In this scenario, victims usually see a lock screen with a message telling them to purchase cryptocurrency such as Bitcoin to pay the ransom. Once the ransom is paid, the organization receives the decryption key and can then try to decrypt the files. However, there is no rule or ethic that these cyber attackers follow. Sometimes, even after the ransom is paid, victims don’t receive the decryption keys. In the worst case, the malware is still installed even after the ransom is paid.
Usually, such enterprise malware attacks start with a suspicious email. A user might open that email without suspecting anything, and that opens up a can of worms.
Who is at risk?
When we talk about ransomware, any gadget or device that is connected to the internet is at risk of becoming the victim of a malware attack. Ransomware usually checks the local device and any device that is connected to the network, which means that the local network in an organization is also at risk of becoming a victim.
Hence, if a device is connected to the internet, it becomes a prerequisite for the organization to ensure that the latest security updates and endpoint security systems are in place, to avoid any sort of malicious entry by these cyber attackers.
Impact of ransomware on business
It is an unwritten rule that any business that falls victim to ransomware will incur losses that can run into millions of dollars. Over and above that, it creates a ripple effect of lost new business. Even if the business is salvaged, employees have to spend many hours rebuilding the data they lost, causing thousands of hours of productivity loss. One of the first things any malware attack does is stop the productivity of the organization. Hence, it is pertinent for organizations to make containment their first task. Conducting a root cause analysis does help in identifying the vulnerability, but if it causes delays it will have a serious impact on productivity and revenue.
Examples of Ransomware
While there are plenty of ransomware examples for every business entity to refer to, some crucial ones stand out and can help in laying the foundation for any organization to avoid such ransomware attacks. Let us look at some of the examples.
WannaCry – It was a powerful virus built around a Microsoft vulnerability, which was harnessed by these cyber attackers to infect over 250,000 systems. However, before it could spread to more systems, a kill switch was tripped to stop it. Proofpoint, a name in the security and privacy space, was deployed to get details of the ransomware.
BadRabbit – This was considered a high-profile ransomware whose primary targets were media companies in the Russia and Ukraine region. As soon as the ransom was paid, BadRabbit provided the decryption code. It is suspected that the virus was spread via a fake Flash Player.
NotPetya – Said to be the elder brother of BadRabbit, NotPetya was one of the most devastating malware attacks. It leveraged a vulnerability much like WannaCry did and started spreading rapidly. It demanded a ransom in bitcoins; however, NotPetya could not undo its changes to the master boot record, which meant that the target system was rendered unrecoverable.
These are some of the top malware examples. There have been other ones such as CryptoLocker, REvil, Ryuk, and many more.
Ransomware is not going away. As long as there are people with ill intent, we will consistently see innovation in this area. This is evident from an FBI statistic, which states that around 4000 ransomware attacks occur every day. Though ransomware and viruses are both types of malware, ransomware is essentially not a virus, because it does not replicate the way a virus does.
The only way for organizations to keep themselves protected against such ransomware attacks is to keep innovating their security systems and to educate users about potential ransomware threats, including malicious emails and other sources.