Staying ahead of ransomware threats is challenging, with new variants appearing daily, yet current attacks fall into two main categories.
Crypto ransomware infiltrates devices and encrypts files before demanding payment for access; other attacks extort victims by disabling functionality or locking them out of their own systems.
What Are the Different Types of Ransomware?
There are various kinds of ransomware. Crypto or Locker ransomware encrypts files and demands payment in exchange for decrypting them; attackers usually require cryptocurrency as an easy and untraceable payment option.
Other forms of ransomware withhold system access rather than encrypting files. Doxware or leakware attacks threaten to publish private or confidential data online, such as photos, conversations or social security numbers. They are commonly employed against government agencies and medical facilities as a form of blackmail extortion.
Scareware, another non-encrypting form of ransomware, masquerades as antivirus software to convince victims they have a malware infection and must pay to remove it. Scareware attacks remain popular with attackers because they are difficult to detect and protect against. A properly executed backup strategy can minimize the impact of ransomware and speed recovery times for businesses using cloud backup services.
History of Ransomware
Cybercriminals used ransomware attacks as an opportunity for profit, locking users' files until victims paid an upfront fee to regain access. This form of ransomware, sometimes known as crypto-ransomware, still exists today and typically targets database, web, office, video, image, script and text files, encrypting them and deleting backup copies for good measure.
Malware spreads from one infected system to the next through attack vectors such as email attachments, exploit kits, or malicious websites. Furthermore, its wormlike capabilities allow it to spread between connected devices (the so-called Internet of Things).
Ransomware attacks continue to expand in size and sophistication, showing no signs of slowing.
Crypto Ransomware or Encryptors
Crypto ransomware is an advanced type of malware which encrypts all your computer's files, rendering them unusable unless a ransom payment is made. Such attacks typically arrive via malicious email attachments, compromised accounts or software vulnerabilities.
CryptoLocker was the first large ransomware outbreak targeting organizations, in 2013, crippling 250,000 systems and forcing victims to pay at least $300 in cryptocurrency or money cards to regain access. That attack yielded at least $3 million for its perpetrators.
The Bitcoin market collapse has helped reduce cybercrime, yet attacks still occur regularly. Many attackers rely on cryptocurrency's anonymity: ransom payments that would take days or months to pass through banks move quickly between digital wallets, leaving law enforcement agencies hard-pressed to track the perpetrators. According to Peter Van Valkenburgh, director of research at Coin Center, attackers often resort to ransomware because it quickly turns cryptocurrency into cash, with payments moving across digital wallets and national borders in ways that are difficult for law enforcement agencies to trace.
Locker ransomware goes beyond crypto-ransomware by locking devices out of use and demanding payment to unlock them. Attackers usually display a window demanding money in exchange for restoring access; if the victim does not pay, stolen information may be published online.
Ryuk ransomware is an example of locker ransomware. It infiltrates systems through phishing attacks, drive-by downloads and exploit kits before installing tools such as keyloggers for privilege escalation on the target system and spreading laterally across a network or even infecting new machines.
Ransomware of this kind attacks devices as diverse as computers, printers, smartphones, wearables and point-of-sale (POS) terminals, using human, system, network and software vulnerabilities to gain unauthorized access. In 2013 CryptoLocker was widely distributed via email attachments that appeared to be FedEx or UPS tracking notifications, infiltrating over 250,000 computer systems and amassing over $27 million in ransom payments. On Windows systems this variant used RSA public key encryption to encrypt files, wiping the original contents and leaving only an extortion message reading "Your data has been encrypted – please pay us the demanded sum."
Scareware attacks typically send alarming emails that attempt to convince victims that an ongoing cybersecurity threat requires payment to address. They may pose as messages from an antivirus program, firewall or operating system claiming a vulnerability has been detected and must be fixed immediately.
These attacks resemble encryption ransomware in that they threaten to leak data unless victims pay an upfront ransom, often publishing some sensitive material online to increase the pressure to pay and make the ransom seem more reasonable. They are commonly known as "doxware", though not all attackers make this claim.
Scareware, one of the most pernicious forms of ransomware, can significantly disrupt services within an enterprise, leading to significant financial loss. If an employee must stop working because of a scareware attack, your customers or clients may seek similar goods or services elsewhere, resulting in lost revenue for your company. Furthermore, cybercriminals have also used scareware to steal passwords and other sensitive data from victims' computers or networks, creating severe compliance issues in heavily regulated industries such as banking or healthcare.
Doxware or Leakware
Doxware (also called leakware or extortionware) is a form of ransomware that threatens to release embarrassing material from the victim's computer, typically photos, which the attackers collect and hold hostage until the ransom payment has been made.
Ransomware that uses an exploit to gain entry is known as EternalBlue and is used in attacks like WannaCry, Petya and TeslaCrypt. Once inside a victim's system, this ransomware encrypts their files before displaying a message that says their data can only be unlocked with an RSA private key controlled by the hacker.
Attackers demand payment to unlock files, often via an untraceable digital payment system like Bitcoin. Some ransomware variants even delete backups and shadow copies to make restoring the original files harder. To seem more convincing, these attacks often imitate government agencies or other legitimate organizations in their messaging.
RaaS (Ransomware as a Service)
RaaS ransomware gangs operate similarly to Software-as-a-Service (SaaS), leasing out malware tools for monthly subscription fees or a share of the affiliates' profits. Affiliates gain initial entry to an organization's network using social engineering techniques such as phishing or spear-phishing attacks. Once inside, they take advantage of unpatched vulnerabilities, configuration errors, or existing user accounts compromised through passwords reused from previous cyberattacks; deal-making between gangs and affiliates takes place via Dark Web forums.
As part of an effective ransomware defense plan, businesses should ensure regular data backups that can be recovered without paying a ransom fee. A robust antivirus/anti-malware solution, regular patching and increased awareness can further mitigate any risk from ransomware attacks.
Ransomware Protection Tips
Defense against ransomware requires an all-of-the-above strategy. Organizations should implement cybersecurity best practices, such as centralizing the management of sensitive data and enforcing access controls on vulnerable systems to minimize attacks.
Education of users is also vital in combating ransomware infections. Cyber awareness training and education can teach individuals to think twice before clicking malicious links in socially engineered emails, which are the primary conduits for ransomware attacks.
Users should consider creating standard accounts instead of administrator accounts to reduce ransomware attacks. Windows and macOS allow users to create standard accounts that can be shared among multiple people instead of one user having exclusive use.
Backup strategies are also essential against ransomware attacks. Backups should be stored away from the network and configured to preserve file versions rather than delete older iterations, helping forensic investigators ascertain whether files were encrypted by ransomware or simply overwritten by other malware, such as disk wipers. Finally, organizations should monitor underground marketplaces where stolen credentials are traded to detect suspicious activity that might indicate ransomware activity.
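The forensic distinction above, between files that ransomware encrypted and files a wiper simply overwrote, as an added example that is not part of the original article: a Python triage of two backup versions of each file using byte entropy. The thresholds and the sample snapshots are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, Optional, Tuple

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_change(before: bytes, after: Optional[bytes]) -> str:
    """Label how one file differs between an older and a newer backup version."""
    if after is None:                      # newer snapshot has no copy at all
        return "deleted"
    if before == after:
        return "unchanged"
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    # Encrypted output looks near-random. Already-compressed formats (JPEG, ZIP)
    # start high, so require a jump in entropy, not just a high absolute value.
    # Thresholds are assumed starting points, to be tuned per environment.
    if e_after >= 7.0 and e_after - e_before >= 1.0:
        return "likely-encrypted"
    if e_after <= 1.0:                     # collapsed to zeros or one repeated byte
        return "likely-wiped"
    return "modified"

def triage_versions(snapshots: Dict[str, Tuple[bytes, Optional[bytes]]]) -> Dict[str, str]:
    """Classify every path; None as the newer version means the file is missing."""
    return {path: classify_change(old, new) for path, (old, new) in snapshots.items()}

# Constructed stand-in for two snapshots of a file share: (older bytes, newer bytes).
_pseudo_cipher = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))
SAMPLE_SNAPSHOTS = {
    "finance/q3.csv":   (b"quarter,revenue,cost\nQ3,1203.55,877.10\n" * 25, _pseudo_cipher),
    "hr/policy.txt":    (b"Leave policy: 25 days per year.\n" * 30, b"\x00" * 960),
    "docs/readme.txt":  (b"Project notes v1\n" * 10, b"Project notes v2\n" * 10),
    "backups/2023.bak": (b"archive contents " * 50, None),
}

if __name__ == "__main__":
    for path, verdict in triage_versions(SAMPLE_SNAPSHOTS).items():
        print(f"{verdict:17} {path}")
```

A real run would read the two versions of each path from a versioned, offline backup; a wave of "likely-encrypted" and "deleted" verdicts across a share at the same timestamp is the pattern investigators look for.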