Malicious software, also known as malware, is any program that enters computers and other devices and performs unauthorized operations affecting data, systems, or networks. Ransomware is malware designed to lock users out of their systems or their files until a ransom is paid. Today it sells like hot cakes in the cyber underworld, with thousands of users and businesses becoming victims. In most cases, attackers demand a hefty sum as ransom. According to a report, the average amount of reported ransomware transactions per month in 2021 was $102.3 million.
Ransomware continues to evolve in both nature (mode of attack) and sophistication. With victims left with little choice but to pay, threat actors have brought in a great deal of innovation, including double- or triple-extortion ransomware and ransomware-as-a-service.
Ransomware can be broadly classified into two types: one that restricts users' access to their systems (locker ransomware), and one that encrypts data and files so that users can no longer access them (crypto-ransomware). Below are some of the more traditional and nuanced variants of ransomware.
Locker ransomware locks users out of their systems. Most of the time, users are allowed only to view the lock screen or interact with a screen containing the ransom demand. The mouse and keyboard are partially enabled so that the victim can make the payment to the attacker. Lockers usually don't destroy data; they only prevent users from accessing it. A timer with a deadline is displayed to persuade the victim to pay up.
Crypto ransomware, the most common type, encrypts the data, information, or files on the victim's device. The victim can usually still see the files and even use the system, but cannot open the data because it is encrypted. Crypto ransomware also prompts the victim to make the payment. If the user misses the deadline, all encrypted data would be permanently deleted.
Scareware generally tries to frighten users with an alarming message and so tricks them into downloading malware. The attackers often use prompts that look official and legitimate and urge the user to act fast, giving them little time to think or analyze. The prompt can be a popup, a threatening message, or a fake button, carrying alarming text such as "Your PC is slow. Speed up Now" or "Attackers can see your IP, Protect it now." Users who take the bait allow the ransomware onto their systems, where it locks them out or encrypts their data.
With leakware, the attacker, instead of destroying the data, threatens to publish it. Also known as doxware, leakware attacks target organizations such as banks and state-owned entities that handle confidential or sensitive data.
RaaS is where threat actors adopt a SaaS-like business model to carry out ransomware attacks. RaaS operates like an affiliate network and allows cybercriminals with little technical knowledge to subscribe and launch ransomware attacks. Affiliates earn a percentage of the ransom payment. The RaaS model is one of the prime reasons for the dramatic increase in ransomware attacks in recent years, because it removes the barrier of prerequisite coding knowledge for launching an attack.
Note that scareware, leakware, and RaaS are essentially crypto- or locker ransomware variants.
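The locker/crypto distinction above has a practical consequence for defenders: a locker leaves file contents untouched, while crypto-ransomware replaces readable files with ciphertext (which looks like random bytes) and usually drops a ransom note beside them. The following Python script is an added example, not part of the original article and not a ForeNova tool; it builds a constructed sample directory (random bytes stand in for ciphertext, no real encryption is performed) and scores files on three assumed heuristics: a suspicious extension, a ransom-note-style filename, and high Shannon entropy in the file's first 64 KiB. The thresholds and name lists are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic thresholds and lists: assumptions for this example, not values from the article.
HIGH_ENTROPY_BITS = 7.5                                   # bits/byte; text and office docs sit well below this
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}  # constructed sample list of appended extensions
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "how_to")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> set:
    """Return the set of indicators a single file trips."""
    indicators = set()
    name = path.name.lower()
    if path.suffix.lower() in SUSPECT_EXTENSIONS:
        indicators.add("suspect_extension")
    if name.endswith(".txt") and any(hint in name for hint in NOTE_NAME_HINTS):
        indicators.add("ransom_note_name")
    # Sample only the first 64 KiB: enough to tell ciphertext from text, cheap on large files.
    with path.open("rb") as fh:
        sample = fh.read(65536)
    if shannon_entropy(sample) >= HIGH_ENTROPY_BITS:
        indicators.add("high_entropy")
    return indicators


def scan_directory(root: Path) -> dict:
    """Scan a tree and report files matching the crypto-ransomware pattern."""
    per_file = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            found = classify_file(p)
            if found:
                per_file[p.name] = found
    # Ciphertext-looking content under a renamed extension, next to a ransom note, is the
    # crypto-ransomware pattern. A locker leaves file contents intact, so this scan reports
    # nothing for it; locker detection needs process or screen-level telemetry instead.
    encrypted = [n for n, i in per_file.items() if {"high_entropy", "suspect_extension"} <= i]
    notes = [n for n, i in per_file.items() if "ransom_note_name" in i]
    verdict = "crypto_ransomware_pattern" if encrypted and notes else "no_crypto_pattern"
    return {"per_file": per_file, "encrypted": encrypted, "notes": notes, "verdict": verdict}


def build_sample_dir() -> Path:
    """Constructed sample: one plain document, one file whose content is random bytes
    standing in for ciphertext, and a ransom note. Nothing is actually encrypted."""
    root = Path(tempfile.mkdtemp(prefix="rw_demo_"))
    (root / "budget.txt").write_text("Q1 budget\n" * 200)
    (root / "contracts.docx.locked").write_bytes(os.urandom(4096))
    (root / "README_DECRYPT.txt").write_text("Your files are encrypted. (constructed note)\n")
    return root


if __name__ == "__main__":
    report = scan_directory(build_sample_dir())
    print(report["verdict"], report["encrypted"], report["notes"])
```

Entropy alone is not a verdict: compressed archives, images, and legitimately encrypted files also score near 8 bits per byte, which is why the script requires the renamed extension and a note before it calls the pattern. In a real deployment the same logic would run over recently modified files reported by file-integrity monitoring rather than a full tree walk.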
Ransomware continues to devastate businesses, MSPs, and their clients. Here is a list of some of the best-known and most infamous ransomware programs:
This malware directly infects the system's boot record and encrypts the NTFS file system. This prevents the system from booting into the OS until the ransom is paid. Some researchers have deemed it a nation-state "act of war" against Ukraine rather than a cybercriminal operation for money.
Cerber is crypto-ransomware offered as RaaS; it infects the system when the user clicks on a malicious ad or a spam email sent by the attacker.
WannaCry launches a worm attack on the target system, locks the data, and demands a ransom in cryptocurrency. It spreads rapidly between systems. Its transport code uses an exploit known as EternalBlue, a cyberattack exploit developed by the U.S. National Security Agency (NSA), to gain access and make copies of itself.
Dharma is a RaaS operation targeting small and medium businesses (SMBs) that cannot afford a high-profile cybersecurity team. It allows the attackers to encrypt the directory files on the victims' Windows-based systems. Once hidden within the system, it infects each file added to the directory. Threat actors using Dharma often demand a relatively small ransom, in the range of $8,000 to $10,000. However, the sheer number of attacks made it one of the most effective RaaS operations ever created.
Maze works through an affiliate network of cybercriminals and mainly targets SaaS companies. Once Maze infects an IT provider's network, it spreads to the provider's clients' networks too. Maze usually encrypts data on the victim's system and threatens to leak it online unless the ransom is paid in cryptocurrency.
There has been a steady increase in the number of ransomware attacks with each passing year. This not only causes financial damage to firms but also damages their reputation and destroys customers' trust. Here are some important measures that MSPs and businesses can take to avoid ransomware attacks:
Novacommand can help detect threats by inspecting and analyzing network traffic. Information about that traffic (metadata) is correlated and analyzed as well.
In this way, threats can be detected at an early stage by their behavior, their destination, or a combination of both.
Novacommand will not "defend" you against threats on its own, but it will alert you to a threat and, if needed, initiate an action through a third-party integration such as a firewall or EPP.
Counting every ransomware strain is beyond anyone's capabilities. Broadly speaking, there are two types of ransomware: crypto-ransomware, which encrypts your data, and locker ransomware, which locks you out of your system.
The most commonly reported variants in H1 2021 were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos.
Ransomware is a type of malware. Malware attacks usually come in the form of a computer virus or worm.