Introduction to Ransomware

How old is ransomware? Ransomware reared its ugly head 34 years ago when a doctor passed around a floppy disk supposedly containing information to combat the growing AIDS crisis. It instead contained the first form of ransomware known today as the ‘AIDS Trojan’.

In this blog post, we take a look at ransomware at a high level, breaking down the four main types and providing tips on how to prevent, monitor, and remediate it.

4 Types of Ransomware

Ransomware tactics continue to change, and while many strains exist, they generally fall into four categories: crypto, locker, double extortion, and ransomware as a service (RaaS).

Crypto is the most common form of ransomware. It encrypts files on your computer and offers the victim a decryption key in exchange for money. Newer variations also encrypt network drives, whether on premises or in the cloud. Crypto is generally spread through malicious emails or websites with clickable links.

Locker essentially blocks access to a computer’s entire operating system and generally uses social engineering to obtain user credentials to access systems. After the designated dwell time (the time the trigger files lie dormant before firing), bad actors block 100% of user access until a ransom is paid. Users are flashed a startling screen, usually accompanied by an audible alarm, letting them know the attackers are in control!

Double Extortion not only encrypts files but can also exfiltrate data, exposing sensitive information if payment is not received. Bad actors are able to publish users’ data, which may lead to a multitude of damaging results. Even if the ransom is paid, the attacker can choose to sell or publish the information anyway.

Ransomware as a Service (RaaS) increases the number of active attackers. Anyone with bad intentions can use an available ransomware strain, even if they did not develop it. Bad actors may rent or pay for the ransomware just as they would for any other SaaS platform. The actual developers host their service on the Dark Net and take a portion of any ransom that is successfully collected.

Prevent, Monitor, Remediate

While ransomware has evolved over time, all strains continue to do the same thing the AIDS Trojan did in 1989: compromise and extort an organization. The security community has developed comprehensive strategies to prevent and combat ransomware, and cutting-edge security researchers work hard to stay one step ahead.

Attack vectors remain constant: threat actors first need to gain access to systems. To combat this, extensive security awareness training is available to help employees across an organization identify anything potentially dangerous and, in turn, take action to avoid malicious activity. People are considered the first line of defense, but sometimes training a workforce is not enough to stop bad actors. It is important to recognize other ways to prevent and monitor ransomware activity, including:

  1. Training employees across an organization on how to identify threats
  2. Maintaining up-to-date firewalls and antivirus
  3. Deploying strong email filtering systems
  4. Scanning data on a regular basis and conducting ongoing security assessments
  5. Employing strict access controls such as role-based access control
  6. Implementing endpoint protection on all assets
  7. Conducting ongoing network monitoring
  8. Using two-factor authentication
  9. Keeping up with patching updates on every asset, including servers, firewalls, endpoints, etc.
  10. Backing up data using immutable storage (data that cannot be changed once written)
  11. Engaging in security checkups conducted by trusted security companies like K logix

If an organization is compromised, restoring backups typically helps remediate the attack. However, dwell time might impact this. Dwell time is the time the trigger files lie dormant in a network before they do anything. This is where monitoring and hunting for anomalies becomes paramount: it is important to find any trigger files before they fire off.

If a bad actor creates ransomware that leverages a six-month dwell time, backing up data to immutable storage does not by itself mean you are safe from compromise: the dormant files are preserved in the backups too. There is a risk of experiencing the same attack again after a restore if the backup data has not been aggressively reviewed to identify the ransomware.
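As an added illustration of what reviewing a backup snapshot for ransomware artifacts before restoring it can look like (example code written for this post, not K logix's tooling or any product's logic), the script below walks a constructed sample snapshot and flags three indicators: file names that look like ransom notes, extensions commonly appended to encrypted files, and file contents whose byte entropy is close to random. The indicator lists, the 7.5 bits-per-byte threshold, and the sample tree are assumptions chosen for the example; real strains vary, so treat such checks as one input to a hunt, not a verdict.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Illustrative indicator lists (assumptions for this example, not a signature
# set tied to any real ransomware family).
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.txt"}
# Formats that are legitimately near-random (already compressed) and would
# otherwise produce false positives on the entropy check.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".png", ".jpg"}
HIGH_ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data approaches 8.0
MIN_BYTES_FOR_ENTROPY = 1024   # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; an empty input scores 0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(path: Path, sample_size: int = 65536) -> list:
    """Return the names of the indicators that fire for one file."""
    findings = []
    suffix = path.suffix.lower()
    if path.name.lower() in RANSOM_NOTE_NAMES:
        findings.append("ransom-note-name")
    if suffix in SUSPICIOUS_EXTENSIONS:
        findings.append("suspicious-extension")
    with path.open("rb") as fh:
        head = fh.read(sample_size)      # sample the head; enough to spot encryption
    if (suffix not in COMPRESSED_EXTENSIONS
            and len(head) >= MIN_BYTES_FOR_ENTROPY
            and shannon_entropy(head) > HIGH_ENTROPY_THRESHOLD):
        findings.append("high-entropy-content")
    return findings


def scan_backup(root: Path) -> dict:
    """Walk a backup snapshot and summarise which files tripped which indicators."""
    flagged = {}
    total = 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        total += 1
        findings = classify_file(path)
        if findings:
            flagged[path.relative_to(root).as_posix()] = findings
    return {
        "files_scanned": total,
        "flagged": flagged,
        "flagged_ratio": (len(flagged) / total) if total else 0.0,
    }


def build_sample_snapshot() -> Path:
    """Constructed sample: a small 'backup' tree with clean files and ransomware-like artifacts."""
    root = Path(tempfile.mkdtemp(prefix="snapshot_"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.txt").write_bytes(b"Quarterly figures: revenue up 4%.\n" * 200)
    (docs / "notes.txt").write_bytes(b"Meeting notes, nothing unusual here.\n" * 100)
    # Simulated encrypted output: random bytes under a telltale extension.
    (docs / "budget.xlsx.locked").write_bytes(os.urandom(8192))
    # Simulated ransom note (constructed placeholder text).
    (docs / "README_TO_DECRYPT.txt").write_bytes(b"Constructed sample ransom note.\n")
    return root


if __name__ == "__main__":
    report = scan_backup(build_sample_snapshot())
    print(f"scanned {report['files_scanned']} files, "
          f"{len(report['flagged'])} flagged ({report['flagged_ratio']:.0%})")
    for rel, findings in sorted(report["flagged"].items()):
        print(f"  {rel}: {', '.join(findings)}")
```

Run against a restored-to-staging copy of a snapshot rather than production storage, and compare the flagged ratio across successive snapshots: a sudden jump in high-entropy files or renamed extensions between two backups is the kind of anomaly the text says to hunt for before trusting a restore.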

Since ransomware was first identified, many processes and tools have become available to security teams. The best way to avoid ransomware is to train employees, keep all systems up-to-date, continually conduct vulnerability scans, and at the same time take frequent backups to immutable storage. Organizations that care about protecting their business should invest heavily in comprehensive security programs to keep them safe from ransomware attacks.