How Ransomware Works Infographic

• 05 January, 2023
• No Comments

In the last few years, we have seen many ransomware-related incidents in Information Security. It’s more likely that the word ransomware has become a common occurrence for you and everyone else because our lives are so related to computing nowadays.

A fine example of a ransomware attack is WannaCry Ransomware, – A global epidemic in the digital world that happened in 2017. Let’s explore more about ransomware in detail.

What is Ransomware?

Ransomware is a type of malware that encrypts data, including images, videos, and essential documents owned by victims. It later helps the attackers extort ransom in exchange for a key to decrypt the data and make it accessible to victims. These ransom amounts can vary from hundreds to millions of dollars and are to be paid in the form of bitcoin or any other cryptocurrency so that they cannot be traced easily.

How Does A Ransomware Attack Work?

• The ransomware attack leverages multiple attack vectors, like phishing, social engineering, vulnerable software, etc., as an entry point to attack the victim’s device. The threat actor secretly injects ransomware malware into the victim’s device when the victim falls for such attacks.

• Now that the machine is infected with ransomware, the same malware secretly and steadily encrypts all the data and files. For encryption, most ransomware malware uses Asymmetric encryption, which means all the encrypted files can only be decrypted with the secret or public key of the attacker. At the same time, data exfiltration also happens.

• As soon as the encryption of all the files or data is done on the victim’s device, the victim is left with a ransom note that came along with the ransomware malware. The ransom note includes details about the ransom amount, the wallet address of the attacker, and some extra messages regarding the decryption of the victim’s files and device and the ransom deadline. 

• If the ransom amount is not paid by the deadline in the ransom note, all the data is destroyed on the victim’s device. Ransomware also exfiltrates data to the C2 server, and often the threat actor threatens the victim to leak sensitive data on the dark web.

What Are The Three Types of Ransomware?

Screen Locking: 

Such ransomware attacks lock the victim entirely out of their devices, making it impossible to access the files or anything stored on the devices. In such attacks, the victim gets to see a message window on the infected device screen asking for ransom in exchange for unlocking the device. The details are mentioned in that display message, including payment addresses. The same message window also has a countdown to create a panic situation.

Encrypted Ransomware: 

This malware uses encryption algorithms to encrypt the data present on the victim’s device. Through this, a note is shared in the form of a text file that explains the situation to the victim and asks them for ransom to get a decryption key to decrypt their data.

Scareware: 

This malware uses social engineering to trick victims into believing their device is infected through display pop-ups. Then, the victims are manipulated or convinced to buy and download fake software to fix the same phony issue.  

Live Ransomware Attacks Happened In The Wild.

Ransomware attacks can have significant impacts on businesses and organizations, disrupting operations and leading to significant financial losses.

Here are three of the several live ransomware attacks that have happened in the past:

WannaCry Ransomware Attack: 

In May 2017, the WannaCry ransomware attack affected more than 200,000 computers in 150 countries. The attack used a vulnerability in Microsoft Windows to spread rapidly across networks (a type of ransomware worm), encrypting users’ data and demanding a ransom in order to decrypt it. The attack caused widespread disruption in hospitals, businesses, and government agencies.

AIIMS India, November 2022 Ransomware Attack: 

On November 23, 2022, the All India Institute of Medical Sciences (AIIMS) suffered a ransomware attack that resulted in the disruption of its digital patient management system. In this case, the attackers encrypted the data and demanded a ransom for the decryption key. Due to the attack, the online appointment system remained offline, and all services, including outpatient and inpatient departments and labs, had to be conducted manually.

 REvil ransomware attack: 

In 2020, the REvil (also known as Sodinokibi) ransomware attack targeted several large organizations, including the travel company CWT and the software company Citrix. The attackers demanded multi-million dollar ransom payments in exchange for decrypting the affected systems.

What If You Get Infected By Ransomware?

There are several countermeasures a victim must follow if their system has been compromised by ransomware. A few of them are as follows:

• Isolation/Quarantine: 

Make sure you isolate the affected device/system and users as soon as possible. Ransomware usually tries to peek into the internal network and capture as many devices as possible on the same network.

• Analyze the details of the ransomware: 

Make sure to note down important details related to the ransomware infecting your system. Valuable information such as encrypted file extension, the ransom note, any new changes in the system, etc.

• Turn off the device. 

As soon as you discover a ransomware attack happening on your device, you can choose to turn off your device or system to stop the ransomware from spreading. This can save some of your data.

• Disable any cron jobs, maintenance, or backup tasks: 

It is advisable to disable any kind of cron job or maintenance task that can interfere with the infected files. Such files can be valuable for forensic analysis.

• Look out for Decryption tools: 

If the information related to ransomware collected is identifiable and already has a decryption algorithm or tool available online, search for it. One example of a place to search for such decryption tools is No More Ransom.

Should You Pay The Ransom?

It is generally not recommended to pay a ransom to threat actors who have encrypted your data or otherwise taken control of your computer systems through a ransomware attack. There are several reasons for this: 

1. Paying a ransom does not guarantee that you will regain access to your data or systems. Hackers may not decrypt your data or restore access as promised, or they may simply demand more money. 

2. Paying ransom to cybercriminals can potentially have negative consequences for an organization’s reputation. While paying ransom may seem like a quick and easy solution, the decision to pay ransom may be viewed negatively by the public, stakeholders, and customers, as it can be perceived as a sign of weakness or poor cybersecurity practices.

3. This encourages hackers to continue their attacks, as it shows that their tactics are effective and profitable. This can lead to more ransomware attacks on other individuals and organizations. 

4. Paying a ransom may be illegal in some jurisdictions, depending on the nature of the attack and the specifics of the ransom demand.

Prevention Against Ransomware Attacks

Below are a few ways to prevent Ransomware and strengthen your defense:

1. Ensuring that all software and operating systems are up to date with the latest security patches can help prevent ransomware attacks.

2. Regularly backing up important data can help organizations recover from a ransomware attack. It’s important to store backups in a secure, offsite location to ensure that they are not also encrypted by ransomware.

3. Using strong, unique passwords for all accounts can help prevent unauthorized access to systems and networks.

4. Enabling two-factor authentication can add an extra layer of security to accounts by requiring an additional form of authentication in addition to a password.

5. Implementing network security measures such as Antivirus/EDR solutions, firewalls, intrusion prevention systems, and software update/patch management can help prevent ransomware from spreading within an organization’s network.

6. Training employees on cybersecurity best practices, such as how to identify and report suspicious emails, can help prevent them from inadvertently introducing ransomware into the organization.

FAQ