What Lessons Can We All Take From the Colonial Pipeline Ransomware Attack?

What is Ransomware?

Ransomware is a type of cyber attack that uses malware to access and tamper with data files. The attackers are able to view, download, encrypt, and delete any files on the infected computer, and will threaten to release the data or block access to it unless their ransom is paid.

Malware typically arrives as a trojan file that the user is tricked into opening because it appears legitimate. Some malware can also spread between computers on its own, without any download by the user, but that requires the attackers to exploit a program already installed on the device.

On a network accessed by multiple users, it only takes one of them to accidentally download malware.

The most dangerous of these attacks lock the victims out of critical systems entirely and force a full shutdown to prevent further spread.

If the victims are unprepared, their only options are to ignore the attackers or pay the ransom. In 65% of cases, many files are never recovered; there is no guarantee that paying will solve the problem.

That said, it is in the attackers' interest to hold up their end of the bargain, because doing so legitimizes future attacks.


Who is Doing it?

The scary thing is that anyone with a computer and the right information can launch a malware attack.

The earliest known malware attack of this kind took the form of floppy disks sent in the mail, and it was traced back to its creator through his P.O. box address.

The most damaging attacks, of course, come from professionals. They create sophisticated, targeted malware that is largely untraceable, and accept their ransoms in untraceable bitcoin.

More often than not they are in it for the money, and will go after companies or institutions that have a lot of money and weak digital infrastructure, such as universities.

People generally assume that all of the hackers are based in Russia or China. While some of the larger attacks can be traced back to these countries, in the long run it really doesn't matter where the attacks originate. What matters is the damage they leave behind.


Who Is Being Targeted?

Hackers are after the money, right?

Well, not exactly. They'll go after any device.

Not even your phone is safe. 

The highest-profile attacks target large companies or a huge volume of personal computers, which means that even sitting at home you could fall victim to an attack.

All it takes is one person on your network downloading one bad file, and the entire system could become encrypted.

Small businesses and schools are in danger as well because they generally have weaker infrastructure and security protocols, making them more vulnerable. 

A single ransomware attack can stop business operations for weeks, and cost from hundreds of thousands to millions of dollars. 


What happened to Colonial Pipeline?

Colonial Pipeline is the largest refined products pipeline in the United States, carrying fuel from Houston, Texas to New York Harbor.

On May 7th Colonial Pipeline fell victim to a ransomware attack that effectively shut down its entire system and caused a gas shortage within the U.S. The FBI reported that the attack was carried out by an Eastern European group called DarkSide that specializes in digital extortion.

DarkSide has extracted $90 million from 47 victims since late October 2020. There are dozens of "DarkSides" in existence, and more are born every day. RaaS (Ransomware as a Service) proliferates on the Dark Web, making it easier than ever for malware enthusiasts to participate in what is a golden age of ransomware carnage.

While the company initially reported that it would not pay the ransom, it ended up sending the hackers almost $5 million in untraceable cryptocurrency.

Besides the size of the ransom, the company's backtracking is significant because it is unclear what forced them into it. They paid for a decryption key, which was reportedly slow in unlocking all of their data, but it has since gotten them back up and running.

It is assumed that they either did not possess proper backups, or that the time it would have taken to restore from them was more damaging and costly than paying the ransom.

Either way, if Colonial Pipeline could have done anything to avoid paying the ransom, it almost certainly would have.

Regardless, the attack had repercussions across the United States by causing a gas shortage. This is a trend that bears preparing for.

Recently the organization behind the attack apologized for picking such a socially controversial target, and claimed that it will be more careful in the future.


Some Other Notable Attacks

  • Reveton: This 2012 malware attack was also known as the "police malware" because it posed as official monitoring of your computer by law enforcement. It would lock down the user's computer and demand a fine as punishment for supposed illegal activity.
  • WannaCry: Infecting nearly 250,000 computers, the WannaCry attack used the EternalBlue exploit to spread and demanded $300 from victims, to be paid within 7 days.
  • BadRabbit: This 2017 attack was reported all over Russia and Ukraine and worked in a similar way to WannaCry, encrypting file tables. The only names tied to the individuals behind it are the names of Game of Thrones characters embedded in the code.
  • SamSam: The operators of this ransomware are wanted by the FBI and have reportedly made over $6 million in extortion and caused over $300 million in damages. The attacks worked by targeting weakly secured servers and using brute force to guess passwords.


What Happens If You Fall Victim to Ransomware?

If you are targeted by a ransomware attack, the first step is to immediately shut down any systems that could make the problem worse.

An unsophisticated attack can potentially be stopped by rebooting the system and downloading an anti-malware program, a tactic often used on home and personal devices. But that does not decrypt any files or retrieve stolen data.

If the attackers access private information and threaten to leak it, so far there has not been much you can do besides letting them release it or paying their ransom, and even if you pay there is no guarantee the data will not be released.

Likewise, you can never be sure that they will actually give you the key to decrypt your files after you pay.

The general consensus is that ransoms should not be paid because doing so only encourages more attacks, but Colonial Pipeline has shown us that this is not always an option. Even after paying the ransom, their shipping routes were still delayed.


What Can Be Done to Prevent Attacks

There are security systems and software available that claim they can block ransomware attacks; the simplest of these you may already have installed on your home computer, and they will protect you from run-of-the-mill malware.

Windows and Apple also update their systems consistently, making it harder for hackers to find and exploit weaknesses.

Unfortunately, it only takes one successful attack to create havoc, and with 50 billion connected devices and counting, this is inevitable. Here are the best measures and protocols advisable today to reduce the risk of ransomware as far as possible:

  1. Keep backup files: Keep in mind that attacks are capable of automatically deleting backup files on the infected computer or on that computer's network, so your backups should be kept in a separate offline location.
  2. Practice good cyber hygiene: Quarantine suspicious emails and delete them without opening them. Download files from trusted sources only.
  3. Enlist a ransomware protection and recovery solution that mitigates both the attack AND the attacker.


Many attacks succeed not because companies have done anything wrong, but because they aren't aware of what they can and should be doing to limit the potential damage from these attacks.

WannaCry is a good example of a no-fault attack: this malware spread automatically and autonomously.

Beyond your own habits, the best thing to do is pay for a service that provides extra protection, and possibly ransom insurance.

STASH® provides its own data solutions utilizing encryption key management and backup protection.


Will Malware Ever Go Away?

Short answer: no.

New ransomware strains are even more concerning.

Babuk targets Linux and more specifically ESXi servers. ESXi is a popular virtualization platform offered by VMware. Virtualization platforms like ESXi have become a very lucrative target for many ransomware groups, like Defray/RansomExx, Darkside, and Babuk.

Babuk is a relative newcomer to the wild west that is the current ransomware threat landscape. The group first appeared at the beginning of 2021 and, like most ransomware gangs, initially focused exclusively on encrypting Windows systems. Over the past couple of months, however, they quickly evolved their platform to join the growing trend of attacking Linux-based systems such as ESXi as well.

Unfortunately, the speed at which they evolved their platform came at the cost of quality. As a result, there are multiple fundamental design flaws in both the encrypting and decrypting parts of Babuk on ESXi, which can result in permanent data loss even for victims who pay. As long as there are systems there will be ways to exploit them, and hackers are ruthless when it comes to finding them.

The STASH® No Ransom Ransomware Protection & Recovery Solution was built to completely and seamlessly address malware attacks like the one on Colonial Pipeline. It is simple to install, activates with the click of a button, and recovers data in real time without paying a ransom. STASH® RPR mitigates the attack AND the attacker. Find out more here.
