{"id":459,"date":"2024-10-02T07:00:00","date_gmt":"2024-10-02T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=459"},"modified":"2024-10-02T07:00:00","modified_gmt":"2024-10-02T07:00:00","slug":"ransomware-explained-how-it-works-and-how-to-remove-it","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=459","title":{"rendered":"Ransomware explained: How it works and how to remove it"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

What is ransomware?<\/h2>\n

Ransomware is a form of\u00a0malware\u00a0that encrypts or blocks access to a victim\u2019s files, data, or systems until a ransom is paid. When under such an attack, users are shown instructions for how to pay a fee to get the decryption key. The costs for enterprises hit with ransomware can range from hundreds to thousands to millions of dollars, payable to cybercriminals in Bitcoin.<\/p>\n

Ransomware attacks are common and costly<\/h2>\n

According to the Sophos State of Ransomware 2024 survey<\/a>\u00a0of 5,000 IT and cybersecurity leaders released in April, 59% of organizations were hit by a ransomware attack in 2023. Of those victims, 56% paid a ransom to get their data back. Exploited vulnerabilities were the most commonly identified root cause of an attack, impacting 32% of organizations. This was closely followed by compromised credentials (29%) and malicious email (23%).\u00a0<\/p>\n

Ransoms being demanded and \u2014 in many cases \u2014 paid are growing. In 63% of cases the ransom demand was for $1 million or more \u2014 $4.3 million, on average. Of the 1,097 respondents who shared their payment details, the average payment was $4 million \u2014 up from $1.5 million in 2023. But attacks such as \u00a0ransomware attack in 2023 cost MGM Resort International casino $100 million<\/a> can be dramatically more costly.<\/p>\n

Similarly, according to a 2024 report<\/a> by Cybersecurity and Infrastructure Security Agency (CISA)<\/a>, ransomware continues to evolve and disrupt with \u201ccritical services, businesses, and communities worldwide, causing costly incidents that are increasingly destructive and disruptive.\u201d According to the report, it costs businesses an average of $1.85 million to recover from a ransomware attack.\u00a0<\/p>\n

Adding salt to the wound, 80% of victims who paid a ransom were targeted and victimized again by criminals, CISA reported.\u00a0The economic, technical, and reputational impacts of ransomware incidents, throughout the initial disruption and, at times, extended recovery, continue to pose a challenge for organizations large and small, according to CISA.\u00a0<\/p>\n

What is ransomware as a service (RaaS)<\/h2>\n

Ransomware as a service (RaaS) allows cybercriminals to offer ransomware software to other individuals or groups for a fee. While of course a criminal activity, it follows the same model as software-as-a-service, infrastructure-as-as-service, and other cloud-based services. This allows individuals with limited technical skills to launch ransomware attacks without needing to develop the malware themselves. RaaS has made it easier for cybercriminals to launch ransomware attacks, increasing the frequency and sophistication of these attacks \u2014 and of AI is only making it easier<\/a>.<\/p>\n

RaaS platforms often provide would-be criminals the following cloud-based services:<\/p>\n

RaaS providers develop and maintain services such encryption algorithms and decryption keys.<\/p>\n

RaaS platforms can help distribute the ransomware to potential victims, often through phishing campaigns or exploiting vulnerabilities in software.<\/p>\n

RaaS providers offer payment processing: services to help collect and launder ransom payments, making it difficult for law enforcement to trace the funds.<\/p>\n

Much like legitimate businesses, RaaS providers often offer customer support.<\/p>\n

How ransomware works<\/h2>\n

There are a number of ways that ransomware can access a computer. One of the most common delivery systems is phishing<\/a> spam \u2014 attachments that come to the victim in an email, masquerading as a file they should trust. Once they\u2019re downloaded and opened, they can take over their computer, especially if they have built-in social engineering<\/a> tools that trick users into allowing administrative access. Some other, more aggressive forms of ransomware, such as NotPetya<\/a>, exploit security holes to infect computers without needing to trick users.<\/p>\n

Once it\u2019s taken over the victim\u2019s computer, there are several things the malware might do, but by far the most common action is to encrypt some or all of the user\u2019s files. The Infosec Institute offers an in-depth look at how several flavors of ransomware encrypt files<\/a>, but the most important thing to know is that at the end of the process, the files cannot be decrypted without a mathematical key known only by the attacker. The user is presented with a message explaining that their files are now inaccessible and will be decrypted only if the victim sends an untraceable Bitcoin payment to the attacker.<\/p>\n

In some forms of malware, the attacker might claim to be a law enforcement agency<\/a> shutting down the victim\u2019s computer due to the presence of pornography or pirated software on it, and demanding the payment of a \u201cfine,\u201d perhaps to make victims less likely to report the attack to authorities. However, most attacks don\u2019t bother with this pretense. There is also a variation, called leakware or doxware,<\/a> in which the attacker threatens to publicize sensitive data on the victim\u2019s hard drive unless a ransom is paid. But because finding and extracting such information is a very tricky proposition for attackers, encryption ransomware is by far the most common type.<\/p>\n

Who is targeted for ransomware attacks?<\/h2>\n

There are several ways attackers choose the organizations they target with ransomware<\/a>. Sometimes it\u2019s a matter of opportunity: For instance, attackers might target universities because they tend to have smaller security teams and a disparate user base that does a lot of file sharing, making it easier to penetrate their defenses.<\/p>\n

On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly. For instance, government agencies or healthcare <\/a>facilities often need immediate access to their files. Law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise quiet \u2014 and these organizations may be uniquely sensitive to leakware attacks.<\/p>\n

But don\u2019t feel like you\u2019re safe if you don\u2019t fit these categories: As noted, some ransomware spreads automatically and indiscriminately across the internet.<\/p>\n

How to prevent ransomware<\/h2>\n

There are a number of defensive steps you can take to prevent ransomware infection<\/a>. These steps are, of course, good security practices in general, so following them improves your defenses from all sorts of attacks:<\/p>\n

Keep your\u00a0operating system patched and up-to-date<\/strong>\u00a0to ensure you have fewer vulnerabilities to exploit.<\/p>\n

Don\u2019t\u00a0install software or give it administrative privileges<\/strong> unless you know exactly what it is and what it does.<\/p>\n

Install\u00a0antivirus software<\/strong><\/a>, which detects malicious programs like ransomware as they arrive, and\u00a0whitelisting software<\/strong><\/a>, <\/strong>which prevents unauthorized applications from executing in the first place.<\/p>\n

And, of course,\u00a0back up your files,\u00a0<\/strong>frequently and automatically. That won\u2019t stop a malware attack, but it can make the damage caused by one much less significant.<\/p>\n

How to remove ransomware<\/h2>\n

If your computer has been infected with ransomware, you\u2019ll need to regain control of your machine. CSO\u2019s Steve Ragan has a video demonstrating how to do this on a Windows 10 machine<\/a>:<\/p>\n

The video has all the details, but the important steps are the following and read the complete article:<\/p>\n

Reboot Windows 10 to safe mode<\/strong><\/p>\n

Install antimalware software<\/strong><\/p>\n

Scan the system<\/strong> to find the ransomware program<\/p>\n

Restore the computer<\/strong> to a previous state<\/p>\n

Or read the complete article detailing how to recover a system from a ransomware attack<\/a><\/strong><\/p>\n

But here\u2019s the important thing to keep in mind: While walking through these steps can remove the malware from your computer and restore it to your control, it won\u2019t decrypt your files.<\/em> Their transformation into unreadability has already happened and if the malware is at all sophisticated, it will be mathematically impossible for anyone to decrypt them without access to the key that the attacker holds. In fact, by removing the malware, you\u2019ve precluded the possibility of restoring your files by paying the attackers the ransom.<\/p>\n

Should you pay the ransom?<\/h2>\n

Whether or not to succumb to ransom demands depends partly on whether you backed up the data you have on the system that has been infected with malware and can restore it<\/a>. If you\u2019ve lost vital data that you can\u2019t restore from backup, should you pay the ransom?\u00a0<\/p>\n

When speaking theoretically, most law enforcement agencies urge you not to pay ransomware attackers, on the logic that doing so only encourages hackers to create more ransomware. That said, many CISOs that find themselves afflicted by malware quickly stop thinking in terms of the \u201cgreater good\u201d and start doing the cost-benefit analysis of paying or not paying<\/a>, weighing the price of the ransom against the value of the encrypted data.<\/p>\n

To make the best decision, evaluate whether your data can be restored from backups and whether your cyber insurance covers operational expenses in the event of prolonged business disruption. Both would give enterprises leverage to avoid paying the ransom.<\/p>\n

To encourage victims to pay quickly before thinking too much about it, there are often discounts offered for acting fast, so as. In general, the price point is set so that it\u2019s high enough to be worth the criminal\u2019s while, but low enough that it\u2019s often cheaper than what the victim would have to pay to restore their computer or reconstruct the lost data. With that in mind, some companies are beginning to build the potential need to pay ransom into their security plans: For instance, some large UK companies that are otherwise uninvolved with cryptocurrency are holding some Bitcoin in reserve<\/a> specifically for ransom payments.<\/p>\n

There are a couple of things to remember, keeping in mind that the people you\u2019re dealing with are, of course, criminals. First, what looks like ransomware may not have actually encrypted your data at all; make sure you aren\u2019t dealing with so-called \u201cscareware<\/a>\u201c before you send any money to anybody. And second, paying the attackers doesn\u2019t guarantee that you\u2019ll get your files back. Sometimes the criminals just take the money and run, and may not have even built decryption functionality into the malware. But such malware will quickly get a reputation and won\u2019t generate revenue. For that reason, Gary Sockrider, principal security technologist at Arbor Networks, estimates around 65% to 70% of the time<\/a> the crooks come through and your data is restored.<\/p>\n

Ransomware examples<\/h2>\n

While ransomware has technically been around since the \u201890s, it\u2019s only taken off in the past nine years or so, largely because of the availability of untraceable payment methods like Bitcoin.<\/p>\n

Below is a list of some of the worst offenders historically as well the top ransomware groups to watch<\/a> in 2024. \u00a0<\/p>\n

LockBit<\/a>, <\/strong>once a dominant player in the ransomware scene, its activities have been disrupted due to law enforcement actions. However, the ransomware landscape is constantly evolving, and new variants or affiliates of LockBit may still be active<\/p>\n

DragonForce<\/a><\/strong>, uses a leaked ransomware builder originally associated with the notorious LockBit ransomware group.<\/p>\n

RansomHub<\/a><\/strong>, a RaaS operation that emerged in February 2024 but quickly rose through the ranks. NCC lists it as the top ransomware group by the number of attacks observed in July. According to a\u00a0CISA and FBI advisory<\/a>\u00a0from 29 August, the group has made over 210 victims so far.<\/p>\n

APT73<\/a><\/strong>, refers to themselves as \u201cAPT\u201d (Advanced Persistent Threat) followed by a number, specifically APT73, which is a ransomware group modeled on LockBit.<\/p>\n

dAn0n<\/strong> surfaced at the end of April 2024 and has since posted information about 12 victims on their data leak site. Its data leak site lacks of emphasis on design or a visible logo, which may suggest that the group prioritizes attack methodologies over branding.<\/p>\n

Play<\/a><\/strong>, also known as Playcrypt, is not a newcomer to the ransomware scene, being around since 2022, it has taken advantage of the demise of its bigger peers, possibly attracting some of their affiliates..<\/p>\n

Conti<\/a>, <\/strong>another prominent ransomware group that was significantly impacted by law enforcement operations. While it may have been dismantled, its infrastructure could potentially be reused by other cybercriminal groups.<\/strong><\/p>\n

Akir<\/strong>, appeared in April 2023 and was thought to be an offshoot of the defunct Conti group because its file encryptor shared many code.<\/p>\n

Medusa<\/a><\/strong>, a RaaS operation that started in late 2022 and gained prominence in 2023. The group is different from MedusaLocker, another RaaS operation that has been around since 2021.<\/p>\n

CryptoLocker<\/strong>, a 2013 attack, launched the modern ransomware age and infected up to 500,000 machines at its height.<\/p>\n

TeslaCrypt<\/strong> targeted gaming files and saw constant improvement during its reign of terror.<\/p>\n

SimpleLocker<\/strong> was the first widespread ransomware attack that focused on mobile devices.<\/p>\n

8Base<\/strong>, a double-extortion ransomware group that started operations in 2022, is a bit of a weird group because it displayed similarities to other data extortion gangs such as RansomHouse, prompting speculation that they might be related.<\/p>\n

BlackCat,<\/a>\u00a0also known as ALPHV, was the second most active ransomware group in 2022, according to cybersecurity conpany Malwarebytes.<\/p>\n

Black Basta<\/a>, Another suspected Conti offshoot,\u00a0is a ransomware group that first appeared in April 2022 and is believed to have targeted over 500 organizations to date, with 114 victims listed on its in 2024.<\/p>\n

BlackByte<\/a>, similar to Black Basta,\u00a0BlackByte is another sophisticated Conti offshoot. While this group does not stand out through the high number of publicly known victims, recent research by Cisco Talos suggests that the group is much more active than previously believed.<\/p>\n

WannaCry<\/a><\/strong> \u00a0spread autonomously from computer to computer using EternalBlue, an exploit developed by the NSA and then stolen by hackers.<\/p>\n

NotPetya <\/a><\/strong>\u00a0also used EternalBlue and may have been part of a Russian-directed cyberattack against Ukraine.<\/p>\n

Locky<\/strong><\/a> started spreading in 2016 and was \u201csimilar in its mode of attack to the notorious banking software Dridex<\/a>.\u201d A variant, Osiris<\/strong>, was spread through phishing campaigns.<\/p>\n

Leatherlocker <\/strong>was first discovered in 2017 in two Android applications: Booster & Cleaner and Wallpaper Blur HD. Rather than encrypt files, it locks the home screen to prevent access to data.<\/p>\n

Wysiwye, <\/strong>also discovered in 2017, scans the web for open Remote Desktop Protocol (RDP) servers. It then tries to steal RDP credentials to spread across the network.<\/p>\n

Cerber<\/strong><\/a> proved very effective when it first appeared in 2016, netting attackers $200,000 in July of that year. It took advantage of a Microsoft vulnerability to infect networks.<\/p>\n

BadRabbit<\/strong><\/a>spread across media companies in Eastern Europe and Asia in 2017.<\/p>\n

SamSam<\/strong><\/a> has been around since 2015 and targeted primarily healthcare organizations.<\/p>\n

Ryuk<\/strong><\/a> first appeared in 2018 and is used in targeted attacks against vulnerable organizations such as hospitals. It is often used in combination with other malware like TrickBot.<\/p>\n

Maze <\/strong>is a relatively new ransomware group known for releasing stolen data to the public if the victim does not pay to decrypt it.<\/p>\n

RobbinHood<\/strong> is another EternalBlue variant that brought the city of Baltimore, Maryland, to its knees in 2019.<\/p>\n

GandCrab <\/strong>might be the most lucrative ransomware ever. Its developers, which sold the program to cybercriminals, claim more then $2 billion in victim payouts as of July 2019.<\/p>\n

Sodinokibi<\/strong><\/a>targets Microsoft Windows systems and encrypts all files except configuration files. It is related to GandCrab<\/p>\n

Thanos<\/strong>, discovered in January 2020. It is sold as ransomware as a service, It is the first to use the RIPlace technique, which can bypass most anti-ransomware methods.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/p>\n

This list is just going to get longer. Follow the tips listed here to protect yourself and check out the CISA\u2019s #StopRansomware Guide.<\/p>\n

More on ransomware:<\/strong><\/p>\n

The state of ransomware: Faster, smarter, and meaner<\/a><\/p>\n

Top 10 ransomware groups to watch<\/a><\/p>\n

Emerging ransomware groups on the rise: Who they are, how they operate<\/a><\/p>\n

The worst and most notable ransomware: A quick guide for security pros<\/a><\/p>\n

Ransomware recovery: 8 steps to successfully restore from backup<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

What is ransomware? Ransomware is a form of\u00a0malware\u00a0that encrypts or blocks access to a victim\u2019s files, data, or systems until a ransom is paid. When under such an attack, users are shown instructions for how to pay a fee to get the decryption key. The costs for enterprises hit with ransomware can range from hundreds […]<\/p>\n","protected":false},"author":0,"featured_media":460,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-459","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/459"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=459"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/459\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/460"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}