What is Ransomware Attack: Types & Characteristics
Ransomware is a malicious program, created to infect a computer system or server and block access until a sum of money is paid. Most of these encrypt the data on the system and make it unreadable. Individuals or companies need to pay a ransom for the removal of the encryption and get the data back to its original state.
Ransomware attacks on the internet today can be classified into two broad categories; Locker ransomware and Crypto Software. Locker ransomware completely locks a computer or similar device, while Crypto ransomware encrypts the data, including files in the system.
However, they can further be broken down into different types of ransomware attacks with different characteristics depending on the different approaches employed by the attackers:
- Scareware: A type of ransomware attack called scareware poses as a security software solution or tech support. Victims receive pop-up warnings saying that malware has been detected on their system. If users do not respond to this, nothing will happen except more pop-ups come up on the screen.
- Screen Lockers: Screen lockers are intended to lock the victim out of their system. When they restart their system, the user will usually see a seemingly official government seal. This seal is intended to lead the victim into thinking that the government authorities are investigating them. The message then continues to inform that the software or OS version they’re using is unlicensed or illegal content has been found in their PC. In order to remedy this, the victim is asked to pay a fine.
- Crypto Ransomware: In a crypto ransomware attack, the extortionist gains access to the victim’s data and encrypts it. Next, they ask for a ransom from the victims to unlock those encrypted files. The worst thing about this is that there is no guarantee that the attacker will decrypt the data after getting the money.
- Doxware: Doxware is a type of ransomware which helps an attacker extract data from the host system. The attacker can then use it to threaten victims to publish the data on public domains if they do not pay the ransom.
- Mobile ransomware: It is similar to a PC ransomware program, but it infects mobile devices. Here, the attacker uses a mobile ransomware program to steal and infect data from a phone to encrypt files or lock the phone. They then demand a ransom from victims to decrypt the data or unlock the phone. Example from Agent Smith Malware.
- Some users also receive a pop-up or a ransom email, threatening them that if a certain sum is not transferred by a particular deadline, the key to unlock the devices or decrypt the data will be destroyed permanently.
Top Ransomware Examples: 2019 Guide
Ransomware has been one of the most worrying threats in the last couple of years and continues to infect valuable data and disrupt business operations across the globe in 2019. Since ransomware was first introduced, it has evolved immensely and there are many ransomware examples.
The ransomware ecosystem has become diverse, with security professionals tracking more than 1,100 variants of ransomware infecting innocent internet users. In the year 2019, various ransomware examples have come to light and have made waves in the industry. Some of the most recent ransomware attacks are listed below.
Katyusha is a recent ransomware attack Trojan that was introduced in October 2018. It adds the extension “.katyusha” and demands ransom of 0.5 bitcoins within three days. If it is not paid it threatens to release the data to public. Moreover, it also deletes shadow copies from the system.
In the beginning of 2019, a recent ransomware attack agent, LockerGoga has infected number of businesses including Altran, a French engineering consulting firm, and Norsk Hydro. It is a hybrid with properties of ransomware and wiper. The latest versions forcibly log users off their devices and which results in users not able to catch the ransom message and instructions for file recovery.
This ransomware had become quite popular at the beginning of 2019 and it was created to force victims to subscribe to PewDiePie and help him reach 100m subscribers before T-Series YouTube channel. PewDiePie fans somehow believe that releasing ransomware on innocent netizens is acceptable. However, after a while the creator released decryption tool for free use.
Ryuk first came into the light in August 2018 and has made $3.7 million in bitcoin. Ryuk is particularly used for targeted attacks and mainly focuses on enterprises that can pay a hefty sum for recovery. Ryuk creators are thought to be located in Russia and had built Ryuk ransomware with the help of stolen Hermes code.
SamSam is another ransomware used for targeted attacks and made over $6 million in ransom payments. SamSam has, till now, attacked various companies in the US; especially critical infrastructure, such as hospitals and city municipalities since they provide essential functions have a critical need to resume operations quickly. Last year, SamSam raised havoc in the entire city of Atlanta and cost close to $17 million of innocent taxpayers’ money. The irony is that it renamed all its infected files “I’m sorry”.
How to Avoid Ransomware from Locking Your PC
Prevention is always better than cure. Therefore, one should always be ready with a robust ransomware protection mechanism. Here are some dos and don’t that you should keep in mind to save yourself from a ransomware attack:
|Keep a backup of all your data. You can restore your data and won’t fall into the ransomware trap if you have your data safe.||Do not pay the attacker. Paying the ransom would further encourage and fund more attacks. Even if you pay the ransom, there is no guarantee that the attacker will unlock your device or release your data.|
|If one knows how to avoid ransomware, half of the work is done. Hence, always use a well-known security software along with a sturdy firewall system. Maintaining a strong firewall and keeping your antivirus software up to date are crucial.||Do not reveal your personal and confidential information on emails, phone calls or text messages. Phishers trick individuals or employees of a company into installing malware by pretending to be from IT.|
|Do employ periodic content scan and filter of your mail servers. Emails need to be scanned for threats and should block any attachment types that could pose a threat.||Don’t click on suspicious email or SMS links. Cyber attackers are not just cunning, but malicious as well. Spams messages and emails are the most popular ways of scamming innocent users.|
|Do make sure that the software and operating system are up to date. Malicious kits hosted on untrusted websites are generally used for spreading ransomware¬. Regular updating of software programs crucial to prevent infection.||Do not trust anyone over personal information. Be extremely cautious while dealing with sensitive information such as bank details, etc. If your device becomes host of an attack, use another device to research about the ransomware. Attackers are deceitful enough to create bogus websites.|
|If you’re travelling while you receive the threat, it is wise to contact a trusted IT professional or your organisation’s IT department. It is also advised to use a trustworthy Virtual Private Network (VPN) when using public Wi-Fi.||Do not leave the matter unreported. Be sure to report the matter to concerned state or regulation authorities such as cyber-crime branch.|
Ransomware Attack Solution: How to Prevent Ransomware on Server
One of the most frequently searched phrases on google in regard to ransomware is “How to protect against ransomware”. Yet it needs to be understood that at what level is the attack taking place. If a ransomware reaches the device, and is stopped there, it still means that numerous security protocols have been broken.
How to Protect Against Ransomware
This could have been only possible at the
server level, meaning the web intrusion detection system (IDS) wasn’t able to
detect an infected domain or the sequence of malicious traffic. One therefore
needs to implement the following ransomware attack solutions to ensure that
this seepage doesn’t occur.
1. Restricting Access
The first and most important step in safeguarding servers in a network is to strengthen them. If the extortionist isn’t able to exploit a weakness in the network, it will be tough to gain access and deliver the ransomware.
2. Get Rid of Flash
There has a been an exponential growth in the infection of ransomware through exploit kits. As it is the easiest to use as a packaged bait, attackers like to use Adobe Flash in shroud exploit kits. Hence, the most sensible thing to do for organisations is to disable Flash or remove it completely from servers and workstations.
If using Flash is necessary, it can be configured in a way where it requires authorised users to click a specific video to play it. But unfortunately, it is quite easy to manipulate users in clicking videos.
3. Asset Management and Patching
While Adobe Flash is an easy weapon for attackers to deploy exploit kits, it is not the only armament. Exploit kits can be latched into other programs such as Internet Explorer, Google Chrome, Silverlight, Mozilla Firefox, Safari, Adobe PDF Reader, and all the other programs that interact with websites.
If a company doesn’t have proper mechanism and inventory, patching systems promptly isn’t feasible. Therefore, for patching, asset management is crucial. With help of asset management solutions, creating a shield around individual vulnerable software installed on laptop, desktop and server is the apt method to stop attacks.
4. Safeguarding IP Addresses
There are usually two ways that ransomware programs handle Command and Control (C&C) communication. It loads up a list of vulnerable IP addresses and start attempting to infiltrate one of those servers that responds and communicates, which is how the famous ransomware, Cerber works. Therefore, it is important to secure the IP addresses, so that only the internal network is able to access it.
5. The Defense Mechanism
Various small businesses and start-ups do not have a dedicated security team or personnel to dedicate their time specifically on security management and usually rely on a single individual to perform multiple duties as security, network and server management, along with desktop support. Sometimes, even large businesses and enterprises sustain a dedicated security mechanism for troubleshooting.
In these cases, it is important to assign at least one expert to monitor the vulnerable places for breaches and infiltration. In addition, safeguarding the server with a proper security solution is the key to a secure ecosystem. You might not understand the value of a robust ransomware protection unless there is a major breach. Hence, it’s better to not let that situation arise.
Already Attacked by Ransomware: What to Do Now
|Crypto Ransomware||Locker Ransomware|
|Disconnect the system from all devicesUse a well-known antivirus to scan and wipe ransomware in the system if you do not want to pay ransom||Disconnect the system from all devices|
|Try to find, which crypto ransomware has infected the system||Reboot system in the ‘safe mode’|
|Use another device to look for online solutions, if available||When the system restarts, run a good antivirus/security software|
|Restore data from backup||In case safe mode doesn’t work, do a full system restore|
|In case you wish to pay ransom, negotiate.||Run security software once again to remove traces of ransomware|
There are various ransomware attack solutions, depending upon what type of ransomware attack is it and what steps do you decide to take. While it is advisable to never give-in, sometimes circumstances can be unavoidable. Here are the steps you should follow in case of a ransomware attack:
Find Out the Type of Ransomware
Firstly, understanding if you've been hit by crypto ransomware, locker ransomware or something merely pretending to be ransomware is critical. If you aren’t able to surpass the ransom message on the screen, it’s possibly infected by a locker ransomware, and isn’t as bad. If you are able to browse applications but you cannot open your work-related data, media files such as music, photographs, movies or emails, then crypto ransomware has most likely infected the system.
- How to Deal with Crypto Ransomware
As crypto ransomware is most common yet malicious, it needs to be addressed first. Here is how to safeguard from crypto ransomware:
- * Disconnect the infected device from other systems in the network, and from any external storage devices.
- Use a smartphone or camera to click a picture of the ransom message on the screen.
- Using a well-known security software to scan and wipe the ransomware from the system is advised but do it only if you have decided on not paying the ransom.
- Check if deleted files can be recovered.
- Try to find out what type of crypto ransomware has infected the system.
- Use another device to check if there are any tools to decrypt it are available online.
- Restore all crucial data from your backup source.
- In case you must recover all that data at any cost, before paying the ransom, try to negotiate.
- Since there is a thin chance of the files being recovered, it’s better to give up on the data and reinstalling the OS.
- How to Handle Locker Ransomware
Locker ransomware isn't as rampant as it once was, yet it still does rounds periodically. Here are the steps to deal with it:
- Disconnect the infected device from other systems in the network, and from any external storage devices.
- Use a smartphone or camera to click a picture of the ransom message on the screen.
- Reboot your system in the ‘safe mode’ by pressing the power button and S key simultaneously. When the system starts again, run a good security/ antivirus software to scan and remove the locker ransomware.
- In case safe mode does not work, do a system restore.
- Run the security software one more time, once you are able to regain access to ensure that traces of it have been wiped out.
- File a Police Report
Lastly, it is quite important to file a police report if you wish to claim insurance or lawsuit for the data loss. Doing this will also help the legal authorities keep a record of the infection.
Ransomware is a malice today, and the extortionists get encouraged and sponsored when individuals and companies pay hefty sums for file recovery. Apart from these attackers being cunning and greedy they are malicious. So, in conclusion, in order to stop ransomware extortions across the globe, we collectively need to take a stand against the malpractice paying money for recovery. You can also check for the best antivirus software solution available in the market, to help you secure your data.