The cybersecurity world is constantly evolving, along with new types of threats and vulnerabilities. But ransomware is proving to be a different animal: among the most destructive, persistent and hard-to-stop threats, and showing no signs of slowing down.
Falling victim to a ransomware attack can cause significant data loss, a data breach, operational downtime, costly recovery, legal consequences, and reputational damage.
In this article, we cover everything you need to know about ransomware and how it works.
What is ransomware?
Ransomware is a malicious program that takes control of the infected device, encrypts files, and blocks user access to the data or the system until a sum of money, the ransom, is paid.
The crooks' plan includes a ransom note, with the amount and instructions on how to pay in exchange for the decryption key, or direct communication with the victim.
While ransomware affects businesses and organizations of all sizes and types, attackers often target the healthcare, education, IT, government and finance sectors, which have deeper pockets, causing damages ranging from hundreds of millions to billions of dollars.
Ransomware attacks began to rise in 2012 and have since become one of the most pervasive cyber-attacks worldwide.
For example, HelloKitty ransomware hit the Polish video game developer CD Projekt Red last week with a now popular tactic: the attackers threatened to leak the source code of the company's games, including Cyberpunk 2077, The Witcher 3 and Gwent, along with confidential internal documents.
And it actually happened: after CD Projekt announced that it would not pay the ransom, the attackers put the stolen data up for auction on a hacker forum.
And this is not the only example. Ransomware has always been one of the most popular types of malicious samples uploaded to the ANY.RUN malware analysis sandbox. We analyzed over 124,00 interactive sessions with ransomware alone in 2020.
From locker to enterprise
One of the best ways to protect against attacks is awareness. We believe it is essential for executives and enterprise employees to understand this type of threat.
In this article, we will look at the history of ransomware:
The first ransomware
The first known ransomware attack was conducted in 1989 by AIDS researcher Joseph Popp, who mailed 20,000 infected floppy disks to AIDS researchers in more than 90 countries, claiming the disks contained a survey program. Since then, the ransomware threat has evolved a lot and acquired many more features.
In 2007, locker ransomware appeared: a new category of ransomware that does not encrypt files but instead locks the victim out of the device, preventing them from using it.
WinLock, for example, demanded a $10 ransom for the unlock code. Later, Citadel, Lyposit and Reveton displayed a screen with a fake fine notice purporting to come from a law enforcement agency.
This usually takes the form of locking the user interface of the computer or device and then asking the user to pay a fee to restore access.
In later years, attackers changed their strategy to exploit fear by spreading fake applications and antivirus (AV) programs. The attack starts with a popup message telling victims that their computers are infected with viruses. It lures victims to a website where they are asked to pay for software to fix the problem. Everything looked legitimate: logos, color schemes and other copyrighted materials.
From that moment, criminals understood that it was much easier to compromise multiple websites, focus on phishing, and automate the whole process.
In 2013, CryptoLocker emerged as the first widely successful crypto-ransomware, typically arriving as an email attachment. The Gameover ZeuS botnet was responsible for distributing it. CryptoLocker encrypted files and then demanded a bitcoin payment to unlock them.
If the ransom was not received within 3 days, it doubled. CryptorBit, CryptoDefense, CryptoWall and WannaCry variants used decoys and even system vulnerabilities to infect computers.
The latest step in that evolution is the advent of ransomware-as-a-service, which first appeared in 2015 with the launch of the Tox toolkit. It gave prospective cybercriminals the option to build custom ransomware with advanced evasion capabilities.
Ransomware attackers leveled up and entered the enterprise phase. They preferred to deal with large organizations and intimidate them with any available leverage.
For example, a target received an email threatening a distributed denial of service (DDoS) attack. To avoid it, the victim had to pay a ransom.
Another lever is the data-leak ransom: the offender threatens to publish stolen information unless the ransom is paid. This tactic is effective at the enterprise level, as companies do not want to jeopardize their reputation.
It is now clear that this malware will continue to evolve, and it may turn into hybrid attacks that combine other malware families.
Attack in detail
Now that we know the history and types of ransomware, it's time to understand how it works.
- Delivery: In the first step, attackers deliver the components used to infect, encrypt, or lock the system, downloading them without the user's knowledge, via phishing or after exploiting a vulnerability in the targeted system.
- Installation: Once the payload is downloaded, the next step is infection. The malware drops a small file that can often bypass protection. The ransomware runs and tries to ensure persistence on the infected system by adding itself to autorun registry keys, and may allow remote attackers to control the system.
- Command and Control: The malware then connects to the attackers' command and control (C2) server to receive instructions and, in most cases, to exchange keys so that the asymmetric private key needed for decryption stays out of the victim's reach.
- Destruction: Once files are encrypted, the malware deletes the original copies (and often the volume shadow copies) on the system, so the only way to restore them is to decrypt the encrypted files.
- Extortion: Here come the ransom notes. The victim finds out that their data is at risk. The amount demanded varies by target type. To confuse and intimidate a victim, attackers may delete several files from the computer. However, even if the user pays the ransom, there is no guarantee that the data will be restored or that the ransomware itself will be removed.
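The stages above map directly onto signals a defender can look for on an endpoint. The following Python script is an added example, not part of the original article or of ANY.RUN's tooling, that runs simple detection heuristics over a small set of constructed, EDR-style events in a simplified schema: a Run-key persistence entry pointing into a user-writable path (installation), shadow-copy deletion commands (destruction), a burst of renames to one new extension by a single process (encryption), and a ransom-note-looking file drop (extortion). The event schema and field names, the sample paths, the thresholds and the "invoice.exe" process are all assumptions made for the illustration.

```python
"""Heuristic detection of the ransomware attack chain on an endpoint.

Added illustration: the events below are constructed EDR-style records in a
simplified schema (not real telemetry). Each rule maps to one stage of the
chain described above.
"""
import re
from collections import defaultdict

# Installation: autorun Run/RunOnce key whose value points into a user-writable location.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"^C:\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.IGNORECASE)

# Destruction: commands that remove shadow copies or disable Windows recovery.
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.IGNORECASE),
]

# Extortion: a dropped file whose name looks like a ransom note (weak signal on its own).
NOTE_NAME = re.compile(r"(readme|restore|recover|decrypt).*\.(txt|html|hta)$", re.IGNORECASE)

# Encryption: this many renames to one new extension by one process inside the window.
RENAME_BURST = 20
WINDOW_SECONDS = 60


def new_extension(old, new):
    """Return the suffix appended to a filename on rename, or None if the rename
    was not a plain append (ransomware typically appends its own marker)."""
    o, n = old.lower(), new.lower()
    return n[len(o):] if n.startswith(o) and len(n) > len(o) else None


def analyze(events, window=WINDOW_SECONDS, burst=RENAME_BURST):
    """Return a list of {stage, image, detail} alerts for the given events."""
    alerts = []
    renames = defaultdict(list)  # (process image, appended extension) -> timestamps
    for e in events:
        kind = e["type"]
        if kind == "registry" and RUN_KEY.search(e["key"]) and USER_WRITABLE.match(e["value"]):
            alerts.append({"stage": "installation", "image": e["image"],
                           "detail": f'{e["key"]} -> {e["value"]}'})
        elif kind == "process" and any(p.search(e["cmd"]) for p in SHADOW_DELETE):
            alerts.append({"stage": "destruction", "image": e["image"], "detail": e["cmd"]})
        elif kind == "file_rename":
            ext = new_extension(e["old"], e["new"])
            if ext:
                renames[(e["image"], ext)].append(e["t"])
        elif kind == "file_create" and NOTE_NAME.search(e["path"].rsplit("\\", 1)[-1]):
            alerts.append({"stage": "extortion", "image": e["image"], "detail": e["path"]})

    # Sliding window over rename timestamps per (process, extension).
    for (image, ext), ts in renames.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window:
                lo += 1
            if hi - lo + 1 >= burst:
                alerts.append({"stage": "encryption", "image": image,
                               "detail": f"{len(ts)} renames to *{ext} ({burst}+ within {window}s)"})
                break
    return alerts


# Constructed sample telemetry (assumed paths and names, not from a real incident).
MALWARE = r"C:\Users\alice\AppData\Local\Temp\invoice.exe"
SAMPLE_EVENTS = [
    {"t": 0, "type": "registry", "image": MALWARE,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost", "value": MALWARE},
    {"t": 1, "type": "registry", "image": r"C:\Windows\System32\msiexec.exe",  # benign installer
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
    {"t": 2, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"t": 3, "type": "process", "image": r"C:\Windows\System32\cmd.exe",  # benign listing
     "cmd": "vssadmin.exe list shadows"},
]
SAMPLE_EVENTS += [  # 25 documents renamed to *.locked by the same process in 25 seconds
    {"t": 10 + i, "type": "file_rename", "image": MALWARE,
     "old": rf"C:\Users\alice\Documents\report{i}.docx",
     "new": rf"C:\Users\alice\Documents\report{i}.docx.locked"} for i in range(25)
]
SAMPLE_EVENTS += [  # a user renaming a few photos: not an append, not a burst
    {"t": 10 + i, "type": "file_rename", "image": r"C:\Windows\explorer.exe",
     "old": rf"C:\Users\alice\Pictures\img{i}.jpg",
     "new": rf"C:\Users\alice\Pictures\holiday{i}.jpg"} for i in range(3)
]
SAMPLE_EVENTS.append({"t": 40, "type": "file_create", "image": MALWARE,
                      "path": r"C:\Users\alice\Desktop\README_RECOVER_FILES.txt"})

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f'[{a["stage"]:12}] {a["image"]}: {a["detail"]}')
```

Run stand-alone, the script prints one alert per detected stage for the constructed data and nothing for the benign events. The thresholds are starting points to tune per environment: backup software also deletes shadow copies and installers also drop files called README.txt, so a single rule firing is a lead, while several stages attributed to the same process within minutes is what justifies isolating the host.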
Popular families and actors
Many malware strains are well known in the ransomware world. Let's look through them and talk about the popular operators who stand out in the history of malware:
1) GandCrab ransomware is one of the most notorious ransomware releases of the past few years; its operators claimed to have collected nearly $2 billion in payments from victims.
Believed to be the product of a Russian-speaking hacker group, GandCrab was discovered in 2018 and sold as Ransomware-as-a-Service (RaaS) to other cybercriminals.
Although GandCrab announced its "retirement" in 2019, some researchers claim it returned as a new strain called Sodinokibi (also known as REvil) with a similar code base. Sodinokibi targets Microsoft Windows systems and encrypts all files except those on its built-in exclusion list.
2) Next, Maze ransomware, which made headlines in the past two years, is known for publishing stolen data if the victim does not pay for decryption.
Maze was the first ransomware operation to combine data encryption with data theft at scale, threatening to publish the data if the ransom was not paid. When the COVID-19 pandemic started, Maze announced that it would leave hospitals alone, but it later broke that promise too.
In 2020 Maze announced that it was closing its operations. But it is more likely that the operators simply moved on under another name.
3) Netwalker used process hollowing and code obfuscation to target corporate victims. In January 2021, law enforcement agencies joined forces against Netwalker and seized the dark web domains used by the operators.
4) WannaCry spreads on its own from computer to computer using EternalBlue, an exploit reportedly developed by the NSA and later stolen and leaked by hackers.
This was the most uploaded type of ransomware in ANY.RUN's service in 2020: the malware hit 1,930 tasks. You can find them in the public submissions library by searching for the "wannacry" tag.
5) Avaddon's malspam usually contains only a smiley to entice users to download the attachment. The malware also checks the user's locale before infection: if it is Russian or Cherokee, Avaddon does not encrypt the system.
6) Babuk is a new strain targeting enterprises in 2021. Babuk uses a strong encryption scheme, which makes it impossible to recover the files for free.
Targets of ransomware attacks
There are several reasons why attackers choose which kinds of organizations to target with ransomware:
- Easy-to-bypass protection. Universities and small companies with small security teams are easy targets. Extensive file sharing and large databases make penetration simple for attackers.
- Likely fast payment. Some organizations are forced to pay a ransom quickly. Government agencies or medical facilities often need immediate access to their data. Law firms and other organizations holding sensitive data usually want to keep a compromise secret.
And some ransomware spreads automatically, so anyone can become a victim.
Rapid Ransomware Growth
The main reason this kind of malware has become so successful is that the attacks bring few consequences for the cybercriminals. Marketplaces let crooks buy advanced ransomware to make money with.
Malware authors provide several ways to deploy the ransomware. The malware encrypts systems quickly and stealthily. Once the ransom is received, it is not hard to cover the tracks. These factors drive its rapid growth.
Now criminals are going big and expect to get hundreds of thousands of dollars, because companies do not want to risk losing data or having it leaked.
Ransomware distribution methods
Here are several ways ransomware spreads:
- Email (spam)
- Watering hole attacks
- Exploit kits
- USB and removable media
- Ransomware-as-a-service
- Zero-day exploits
Ransomware Analysis in ANY.RUN
Let's examine a ransomware sample together.
Here is a task with a Sodinokibi sample. Thanks to ANY.RUN's interactivity, we can follow the user's path:
First of all, we wait for the malicious program to finish encrypting files on disk. The distinguishing feature of Sodinokibi is the desktop wallpaper with a text message.
Then we open the text file on the desktop. Yes, we can interact with files and folders in the virtual machine while the task is running.
There, we see instructions with a URL. We can copy it and open it in the browser. On the new page, we need to enter the key; each key is unique to each infected machine.
Ours is in the text file, so we can identify it. Then a page with the ransom amount and a countdown appears. Finally, we upload an image file for a test decryption and open the result.
2021 began with ransomware gang arrests. Members of the Egregor hacker group were taken down by French and Ukrainian police last week.
That is a good trend, and law enforcement agencies should continue to take down malware actors. However, we also need to be vigilant and try to prevent attacks.
To protect against ransomware, companies should have a comprehensive plan against malware, including offline data backups. Since ransomware is very difficult to detect and fight, several defense mechanisms should be used in combination.
ANY.RUN is one of them, helping to identify malware early and prevent infections. Apart from that, the most important defense is staff training: employees need to avoid suspicious links and files. Employees who know that ransomware exists and how it works can spot such attacks.