The Rising Threat: Understanding Ransomware Virus Attacks

Ransomware is a form of malware that prevents access to data or systems until the victim pays a specified amount. This is one of the fastest-growing threat categories, and attacks are increasingly common.

Quick containment is critical as soon as a device is suspected of being infected with ransomware. This means disconnecting the system from the network or powering it down, and making sure the remaining devices are isolated from it.

Targets

While ransomware attacks against individuals have been around for years, cybercriminals now focus primarily on organizations willing to pay ransom to get their data back. The 2021 ransomware attack wave exemplified this, with attacks targeting companies like Colonial Pipeline, the world’s largest meatpacker JBS, and North Carolina’s Onslow Water and Sewer Authority. Attackers often use information-stealing Trojans to infect targeted systems before delivering ransomware variants like Ryuk.

Once a system is infected, ransomware variants encrypt valuable files and search for opportunities to spread to other devices and systems. The malware often leaves a note that details how much to pay for the decryptor, typically in Bitcoin.

Threat actors use a variety of tactics to gain access to systems before launching ransomware attacks, including malspam and spear phishing. Using social engineering, they send emails that appear to be from trusted institutions or friends and encourage victims to click on malicious attachments. The malware can also be downloaded through compromised software apps, infected external storage devices, or compromised websites.

Hospitals and healthcare systems are tempting targets for attackers because, as the old saying goes, “the money is where the blood is.” They’re the most commonly attacked industry in terms of ransomware infections. Attackers may also target financial institutions, where they know they’ll find a ready audience willing to pay the requested ransom.

Methods

In the most common ransomware attack, an attacker encrypts a victim’s data and demands payment to decrypt it. This malware can infect multiple computers within a network and cripple databases, file servers, and applications. It can also disrupt the operations of a business or a government agency, potentially resulting in lost revenue.


The malware can spread via phishing emails that appear to come from trusted sources and encourage victims to click on malicious links or download the malware directly. It can also spread through the exploitation of vulnerabilities in popular software programs. For example, the WannaCry ransomware worm exploited a vulnerability in Microsoft’s operating system to rapidly infect systems worldwide.

Threat actors also sell ransomware tools on the dark web that automate the creation and distribution of this type of malware. These tools can bundle additional capabilities, including mining cryptocurrency such as Bitcoin, without requiring any manual user interaction.

Some ransomware strains can also determine a victim’s location and automatically adjust the price of the demanded payment, as demonstrated by the malware that attacked hospitals and demanded Bitcoin payments in the name of cybersecurity. It’s estimated that more than 45 percent of ransomware attacks target healthcare organizations, and attackers know these enterprises are more likely to pay a ransom to get their data back.

Damage

In ransomware attacks, criminals encrypt data on the victim’s system and demand a fee to decrypt it. When victims pay the demanded ransom, they receive a decryptor key that may or may not decrypt all of the encrypted files. It’s common for cybercriminals to take the money and not keep their promises. According to Kaspersky, 20% of organizations that paid a ransom did not get their data back.

While some industries are a more tempting target for attackers than others, all businesses are vulnerable to ransomware attacks. Small and medium-sized companies tend to have less rigorous cybersecurity practices than large enterprises, and fewer resources to defend against advanced threats.

Home devices are another tempting target for ransomware attacks. As more employees work remotely, personal computers with access to corporate networks are often infected by malware. And since many of these computers connect to business networks alongside company machines, a ransomware infection on a home computer can spread to the company’s systems.


Attackers also target utilities and public infrastructure because they know these organizations are more likely to pay ransom demands. For example, a recent attack on Presbyterian Memorial Hospital infected medical offices, pharmacies, and emergency rooms, demonstrating that hospitals are just as susceptible to ransomware attacks as any other organization. Moreover, as attackers become more sophisticated in their tactics, they increasingly target high-value victims likely to pay higher ransoms.

Payment

The victim receives an on-screen alert that their computer has been locked or their data encrypted and must pay a ransom in virtual currency to regain access. The attack may also include wiper malware, which destroys the data on the infected device (often a database or file server) after a ransom payment.

Cybercriminals use phishing email links and attachments, malicious software apps, zero-day exploits, and Remote Desktop Protocol to infect victims’ devices—a computer, printer, external storage device, or point-of-sale (POS) terminal. They can also use malware kits and ransomware-as-a-service to create and deploy customized malware versions for specific attacks.

Once a device is infected, ransomware typically encrypts files and appends a new extension, leaving them unusable until the attackers are paid. It then displays a message telling the victim that their data will be published online or permanently destroyed unless they pay a ransom, usually in Bitcoin.

Law enforcement agencies encourage organizations not to pay ransoms because paying only subsidizes criminal behavior. Even if an organization decides to pay, there is no guarantee that it will get its files back. Sometimes attackers do not decrypt the data they seized, or they provide an ineffective decryptor. Others may not keep their word after a ransom is paid, as evidenced by the WannaCry ransomware attack that hit the UK’s NHS.