Cybersecurity 101: Survey of Ransomware

For 35 years, computer users around the world have fallen victim to a classic cyberattack that has gained new life in the last 15 years with the advent of cryptocurrencies: ransomware.

1989’s AIDS Trojan was one of the first specific pieces of malware to achieve wide notoriety in the public press and was also the first known ransomware attack. In the more than three decades since the invention of digital extortion, the attacks have only become more sophisticated, more dangerous, and unbelievably common.

In this month’s session of Cybersecurity 101, we’ll dive deep into ransomware: what it is, where it came from, and how to protect yourself and your company.

Cybersecurity 101: What Is Ransomware?

Like the phishing attacks we discussed last month, “ransomware” is a term that covers several different types of cyberattacks. What defines a ransomware attack is its end goal: extortion. Unlike other types of attacks, where the goal is to steal data or to cause disruption, the goal of a ransomware attack is to force the victim to pay the attacker.

A successful ransomware attack might look something like this:

  • The victim receives an email that appears to be from a trusted source and contains an attachment—maybe an email from his “sister” with some “pictures of her kids.” (A considerable number of ransomware attacks start with a phishing attack like this.)
  • The “pictures” are actually Trojan horses that load the ransomware code onto the victim’s computer.
  • At some point, the ransomware code becomes active. It encrypts or otherwise prevents access to the system’s files and then displays the ransom demand on the victim’s computer. (“Your computer has been locked. To unlock your files, send…”)
  • If the victim complies, the attackers may or may not provide a valid decryption key to restore the victim’s computer. If the victim doesn’t comply, the files remain encrypted until someone can break the encryption, which is usually extremely difficult, or indefinitely.

Any part of that sequence may be different in any specific ransomware attack. Some attackers honor their promises, while others never send victims a valid recovery key. Some attackers use social engineering (phishing) to gain initial access to the system, while others use different access techniques. And some ransomware attacks aren't really ransomware – a Russian "ransomware" attack on users in Ukraine was discovered not to encrypt user files but to destroy them irreversibly. In that case, the attack's goal wasn't profit but disruption.

Exfiltration, Leakware, and Doxware

Another class of ransomware relies on the threat of releasing sensitive information to compel the victim to pay. In these attacks, the ransomware software may or may not encrypt the user's files or otherwise deny them access to their system, but it always includes some mechanism for the attacker to gain access to sensitive data on the user's hard drive.

Once the attacker has secured the data, they contact the victim and threaten exposure if the ransom is not paid.

Cybersecurity 101: History of Ransomware

The world of computing looked very different 35 years ago, in 1989. The internet was still something only a limited number of computer users had ever heard of, much less used. The first successful web browser was still a year away. And "file sharing" meant physically transporting a floppy disk from one computer to another.

That year saw the first-ever ransomware attack: a piece of malware distributed on floppy disk that encrypted a user’s hard drive and demanded that the victim send $189 to a Panamanian post office box. The attack, which masqueraded as a disk containing information about the then-rampant AIDS epidemic, was relatively unsophisticated by today’s standards, and the perpetrator was caught.

In its early days, ransomware was a relatively rare type of attack, for one simple reason: there was no way to receive an entirely untraceable ransom. Ransomware attackers usually ended up prosecuted after investigators traced the ransom money back to them. However, the 2009 introduction of readily available cryptocurrencies changed that.

The availability of untraceable, easily transferable assets gave attackers the confidence to develop ransomware tools and tactics further. Since then, there have been dozens of high-profile, high-cost attacks on businesses and governments and countless smaller attacks on individuals that have collectively cost victims billions of dollars.

The highest-profile ransomware attacks have included:

  • CryptoLocker (2013) – The first of the high-profile, post-crypto ransomware attacks led to ransom payments totaling more than $3 million.
  • CryptoWall (2014) – A highly sophisticated piece of malware, CryptoWall has gone through at least four versions and has led to estimated losses of more than $18 million.
  • WannaCry (2017) – An attack powered by an exploit invented by and stolen from the US National Security Agency, which may have led to actual deaths as it caused emergency rooms and hospitals in the EU to shut down temporarily.
  • DarkSide (2021) – This attack on US Critical Infrastructure caused the main pipeline supplying fuel to the East Coast of the US to halt operations, leading to a massive fuel shortage lasting several weeks.

Cybersecurity 101: How to Counter the Threat of Ransomware

Building an effective defense against ransomware requires a multifaceted approach:

  • Taking steps to prevent ransomware from being installed on your systems
  • Taking steps to mitigate the impact of a successful ransomware attack

Preventing a Ransomware Infection

Stopping a ransomware attack before it starts is always the best bet. The majority of attacks start with the attacker using a phishing tactic or other social engineering practice to gain access to the victim's system. So, practicing and teaching your team about proper email and password security is a big step in the right direction.

For other attacks that don’t rely on social engineering, protection against malware means using up-to-date antivirus software, keeping your endpoint systems up-to-date with security updates and patches, and setting up appropriate security measures on your network hardware – routers, switches, hubs, etc.

Mitigating a Successful Ransomware Attack

Despite your best efforts to prevent it, there's still a strong likelihood that your business will one day be the victim of a ransomware attack. However, if you've maintained proper information security and data recovery systems, it may not end up costing you much in the long run. After all, if all of your corporate data is backed up in multiple independent locations, then a ransomware attack can only slow you down for as long as it takes to remove infected devices from your network, restore from backup, and get back to work.

By using an automated backup system as part of your data recovery and business continuity plans, you can ignore the ransom. After all, they’ve only locked you out of one iteration of your data – your backups, if they’re maintained on completely independent systems, will be untouched.
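The claim above only holds if you can prove the independent copy really is untouched before you restore from it. The following script is an added example (not code from the original post or from Nocwing): it records a SHA-256 manifest of a backup set, then re-verifies the copy and flags files that are missing, changed, or changed into high-entropy data, which is what a file overwritten with ciphertext looks like. The sample files, the entropy threshold, and the simulated tampering in `demo()` are all constructed for the example.

```python
"""Verify an offline backup copy against a hash manifest and flag files that look encrypted."""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Random or encrypted bytes approach 8 bits/byte; text and office documents sit well below.
# 7.5 is an assumed cut-off for this example, not a published standard.
ENTROPY_THRESHOLD = 7.5

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256; store this off the backup host."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the copy against the manifest; modified files with high entropy are suspect."""
    report = {"missing": [], "modified": [], "suspect_encrypted": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            report["modified"].append(rel)
            if shannon_entropy(p.read_bytes()[:65536]) > ENTROPY_THRESHOLD:
                report["suspect_encrypted"].append(rel)
    return report

def demo() -> dict:
    """Constructed backup set: one file overwritten with ciphertext-like bytes, one deleted."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "policy.txt").write_text("Three copies, two media, one offline.\n" * 20)
        (root / "ledger.csv").write_text("date,amount\n2024-01-01,100\n" * 50)
        manifest = build_manifest(root)
        (root / "ledger.csv").write_bytes(os.urandom(4096))  # simulated encryption
        (root / "docs" / "policy.txt").unlink()              # simulated deletion
        return verify_backup(root, manifest)
```

A clean report against the manifest is the signal that the copy can be trusted for restore; any entry under `suspect_encrypted` means that backup target was reachable by the attacker and is not independent.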

If you have a concern about exfiltration (leakware) attacks, a robust data security protocol can help reduce that risk as well. Always store any sensitive information in an encrypted format, never save private encryption keys in the same location as the data, and delete sensitive files as soon as they’ve outlived their usefulness. If a bad actor accesses sensitive files, they will still have a layer of encryption to work through in order to get usable information. If your encryption scheme is strong enough, it will require so much effort that it won’t be worth it for the attackers even to attempt to break it.

Cybersecurity 101: Your Ransomware Homework

Does your team understand the dangers of opening unknown files from email, websites, or other sources? How often is your corporate data being backed up? Is your sensitive data properly encrypted? Before next month’s session on denial-of-service attacks, take some time to think through what a ransomware attack might look like for your business and evaluate if you're adequately prepared to face this increasing threat.

This Month’s Class Is Over, but We’re Still Paying Attention. Schedule a Call to Learn More About Security+ From Nocwing.

Cyberattackers change tactics daily, and the penalty for being caught off-guard is an existential threat to your company. With Nocwing’s Security+ program, companies can be assured of proactive, comprehensive cybersecurity for all of their technology assets and data, led by a team of experts who stay on top of new and emerging threats to keep your business’s vital information safe and secure.

Nocwing is a full-service managed IT services company based in Griffin, Georgia, providing robust cybersecurity, IT management, business continuity/disaster recovery, user support, and VoIP solutions for companies throughout the Southeastern United States.