In our previous post of the biggest cyber threats plaguing Australian businesses over the last year, we covered phishing and spear phishing. This time round, we look at what the ACSC consider one of the most dangerous cyber threats: ransomware.
Along with phishing, ransomware is one of the most prevalent forms of malware floating around the Internet today. And it’s not just a threat to Australians - over 187 million ransomware attacks were reported throughout 2019.
While most people have a basic understanding of ransomware, there’s much more to this type of attack than a demand for a digital ransom. And when we’re talking about something that literally shuts down businesses in less than a minute, it’s worth exploring if for no other reason than to prevent the same fate.
What Is Ransomware?
The definition of ransomware is pretty simple: software that literally holds your files and/or computers to ransom.
But let’s go a little deeper. Ransomware is a type of malware that infects a PC or mobile device, and then encrypts all or key files on that system. The attacker then demands a ransom, usually by displaying a message that’s part of the ransomware. This ransom can range from hundreds of dollars to thousands, and is usually payable in Bitcoin or Amazon and iTunes gift cards (all of which are untraceable).
When it comes to malware, ransomware is one of the most popular. There are two big reasons for this:
- Many organisations hit by ransomware still pay to have their files decrypted, despite the warnings not to. This proves to be a lucrative income for many cybercriminals.
- You don’t need much technical expertise to stage a ransomware attack. Some hackers sell “turnkey ransomware kits” that criminals with no I.T. ability can use without a problem.
Where It All Began: The “AIDS Trojan” of 1989
Google Trends shows that the term “ransomware” wasn’t really part of the zeitgeist until 2016, but the first known attack happened 27 years earlier.
1989 was the year Tim Berners-Lee put forward a proposal for something he called the “world wide web”. It was also the year a Dr. Joseph Popp sent out 20,000 floppy disks to fellow researchers exploring the AIDS virus that had exploded throughout the 1980s. But unbeknownst to these researchers, a “surprise” was waiting for them.
After the disk had been used and the ransomware inadvertently installed onto the PC, it would lie dormant until the computer had been switched on 90 times before activating with a ransom note demanding payment of a “software lease”.
Although this ransomware was basic and flawed, the “AIDS Trojan” was the foundation for many of the sophisticated cyber attacks we’re now threatened with today.
How Does Ransomware Work?
For ransomware to hold your system hostage, it first has to get access to your systems and files. To do that, many ransomware attacks start in much the same way as a phishing scam: through your inbox.
Perhaps the most common way of launching a ransomware attack is via email. Like phishing, you get an email that appears legitimate and comes with an attachment. Opening the attachment allows the malware to execute… and after that, it’s only a matter of time before you see the pop-ups and messages demanding money.
That said, there are other ways ransomware can end up on your PCs or devices.
“Malvertising” is a form of online advertising that looks legitimate, but is actually set up by cyber criminals to attack your system. It can distribute malware with almost no interaction on your part needed, which makes it especially dangerous. It works by installing an invisible page element that redirects a user to a special landing page where the malicious code goes to work (which is why it’s referred to as a “drive-by download”).
During the high point of Locky’s popularity in 2016, there were reports of the ransomware being spread across Facebook Messenger. This was done by sharing a simple image file, like a JPG. If someone downloaded and then opened the image, Locky would spring into action. Even today, similar malware is still able to exploit online messaging to run similar scams.
Once the ransomware has infiltrated your systems, it goes to work. But how it affects you can vary, depending on the “strain” of ransomware that’s infected you. Here’s how some of the different types of ransomware you may have heard of behave...
The Many Faces of Ransomware
Arriving on the scene in early 2018, GandCrab’s ransom notes on the victim’s computer sent them to a Dark Web site. Once there, the victim would see details of their attack (such as the date of the attack and how many files were encrypted), as well as how they could pay the ransom. To help dispel fears that their files wouldn’t get decrypted once paying, victims could decrypt one file for free through the site.
GandCrab followed the Ransomware-as-a-Service (or RaaS) model, where the authors gave the software to other cybercriminals to hit new victims in return for a cut of the proceeds. They then focused on improving their ransomware.
About 17 months after launching, the criminals behind GandCrab announced they were closing shop. Naturally, questions remained unanswered… including whether GandCrab really is no longer a threat.
First appearing in 2013, CryptoLocker is ransomware with a reputation. To help it spread in those early days, the criminals behind the ransomware used a botnet of malware-infected PCs that could be remote controlled. Once hit by a CryptoLocker attack, early victims were asked to pay the $300 ransom with Bitcoin.
One thing that’s not as well known is that CryptoLocker was defeated back in 2014, when a decryptor tool was successfully built. But CryptoLocker’s popularity spawned a host of copycats, each claiming to be “CryptoLocker”. That’s why you might still hear about it floating about seven years later, even if these new variants have little in common with the original.
Though WannaCry’s reign of terror only lasted a week or two in 2017, the shockwaves left by the ransomware are still fresh in our collective mind. In fact, over 1,000 Google searches are still made every month about this now-defeated malware.
WannaCry is a cryptoworm, which is basically ransomware able to spread by itself. Reports were that an initial version of the ransomware was developed by the NSA and then stolen by a group of hackers, who then used it to exploit a vulnerability in Windows PCs around the world.
One reason WannaCry left such a mark is that it was able to cripple even the biggest businesses or organisations, with England’s National Health Service (NHS) hard hit by the malware, and a Taiwanese manufacturing company having 10,000 PCs infected.
5 Signs That You’re a Ransomware Victim
Unlike some other types of malware, ransomware isn’t subtle. Cybercriminals want you to know your device has been infected so you pay up. So, if you see any of these common signs, there’s a good possibility you’ve been hit:
- Pop-up messages on your devices demanding payment to unlock files
- You can’t access devices or logins don’t work for unknown reasons
- Files suddenly need a password to open them
- Files have moved or aren’t in their usual locations
- Files have weird extensions, or their names or icons have changed to something strange
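As an added example (not part of the original post), here is a small Python heuristic that applies two of the signs above to a constructed set of file-server audit events: a burst of files renamed to an unfamiliar extension, and ransom-note-like files appearing across several folders. The event records, the extension allow-list and the note keywords are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample of file-server audit events: (timestamp, action, old_path, new_path).
# Made-up records for illustration only; not taken from any real incident.
EVENTS = [
    ("2024-03-01T09:00:01", "rename", "/share/finance/q1.xlsx", "/share/finance/q1.xlsx.locked"),
    ("2024-03-01T09:00:02", "rename", "/share/finance/q2.xlsx", "/share/finance/q2.xlsx.locked"),
    ("2024-03-01T09:00:02", "rename", "/share/hr/contract.docx", "/share/hr/contract.docx.locked"),
    ("2024-03-01T09:00:03", "create", "/share/finance/README_TO_DECRYPT.txt", None),
    ("2024-03-01T09:00:03", "rename", "/share/hr/policy.pdf", "/share/hr/policy.pdf.locked"),
    ("2024-03-01T09:00:04", "create", "/share/hr/README_TO_DECRYPT.txt", None),
    ("2024-03-01T09:00:05", "rename", "/share/hr/photo.jpg", "/share/hr/photo.jpg.locked"),
    ("2024-03-01T14:30:00", "rename", "/share/finance/draft.docx", "/share/finance/final.docx"),
]

# Assumed allow-list of extensions normally seen on this share (hypothetical).
KNOWN_EXTENSIONS = {"xlsx", "docx", "pdf", "jpg", "png", "txt", "csv", "pptx"}
# Assumed words that commonly appear in dropped ransom-note file names.
NOTE_HINTS = ("decrypt", "recover", "restore", "readme", "how_to")

def has_unknown_extension(path):
    """True when the file name carries an extension outside the allow-list."""
    name = path.rsplit("/", 1)[-1]
    return "." in name and name.rsplit(".", 1)[-1].lower() not in KNOWN_EXTENSIONS

def looks_like_ransom_note(path):
    """True when the file name contains a ransom-note keyword."""
    return any(h in path.rsplit("/", 1)[-1].lower() for h in NOTE_HINTS)

def rename_bursts(events, window=60, threshold=3):
    """Peak number of renames to an unfamiliar extension inside any sliding
    window of `window` seconds (the 'weird extensions' sign)."""
    times = sorted(datetime.fromisoformat(ts) for ts, act, _, new in events
                   if act == "rename" and new and has_unknown_extension(new))
    peak, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def note_folders(events):
    """Folders in which a ransom-note-like file was created."""
    return sorted({p.rsplit("/", 1)[0] for _, act, p, _ in events
                   if act == "create" and looks_like_ransom_note(p)})

def assess(events):
    """Combine both signals into a simple verdict for a responder to review."""
    burst, folders = rename_bursts(events), note_folders(events)
    verdict = "likely ransomware" if burst >= 3 and folders else "no strong signal"
    return {"rename_burst": burst, "note_folders": folders, "verdict": verdict}
```

The single ordinary rename at 14:30 is ignored because its new extension is on the allow-list, so only the morning burst plus the dropped notes raise the verdict.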
What’s The Best Ransomware Protection?
Like most cyber attacks, the best cure for ransomware is prevention. Here’s how you put that prevention in place.
Backup files regularly: Having a solid and frequently-running backup process (especially for business-critical files) is perhaps the best way to prevent ransomware grinding your business to a halt.
Automate your software patches and updates: This is a vital protective action along with backups. Keeping your systems up-to-date with software patches reduces the risk that ransomware can exploit a hole in your systems or applications. However, it’s best to automate these as a manual process can be easily forgotten, leaving you vulnerable again.
Use firewalls: Firewalls are often what people think of when it comes to protection, and they are a basic building block of your security (but not the only one!). Firewalls are gatekeepers between you and the outside world, filtering malicious downloads or websites to keep your business safe.
Set up endpoint detection and response: Prevention is always better than cure, but having endpoint detection in place can help you track down an attack and respond to it faster. Plus, not all viruses or malware enter through the network (e.g. they can turn up via a USB stick), so having an extra layer of protection is wise.
Install spam protection: Along with firewalls, spam protection keeps you safe from unwanted network entries, specifically around emails. Any email or attachment that’s flagged risky is quarantined so you or a team member don’t inadvertently open something that can infect your devices.
Read our phishing post again: Ransomware is most commonly spread by phishing, so read our post on the subject so your team can spot phishing emails before they strike (if they somehow get past your spam protection).
And In A Worst Case Scenario…
If ransomware does infiltrate your business and shut you down, it doesn’t necessarily mean you’re stuck paying the ransom. In many cases, cybersecurity firms develop decrypt tools to undo a particular ransomware attack and make them freely available (such as these ones here).
You can take all the steps to protect yourself from ransomware, but still get attacked by it. If you do get hit and aren't sure what to do next, get in touch with us. We’ll spell out your options and can move quickly to get your business up and running again.