Ransomware, the malware that locks out thousands of businesses every year

Definition

The battle between cyberattacks and cybersecurity never ends, which is why cybersecurity can never fall behind hackers.

To begin understanding what ransomware is, how it works, its types, etc., we’ll start with a brief definition.

So, what is ransomware? It is a type of malware, or malicious software, that locks files and sometimes entire computers or mobile devices.

We can define it based on this behavior: hackers demand a ransom payment in exchange for decrypting your files and restoring access to them.

When an organization is attacked, it will notice immediately because, due to how the malware operates, access to the infected device(s) will be cut off, and the documents selected by the attacker will typically be encrypted.
Once you realize this, you will likely be unable to access critical data, and employees’ privacy may even be compromised. Cybercriminals will contact a company representative to present their demands.

They usually promise to unlock the affected devices or documents if a ransom is paid.

In the last year alone, this type of malware has grown by more than 700% compared to data collected in 2019, according to cybersecurity firm Kaspersky.

Why is it called that?

Ransomware is formed by combining the words “ransom” and “ware” (product or merchandise).

Once the criminal encrypts the data, they demand a ransom from the victim via a message or pop-up window, effectively carrying out a virtual hijacking.
This threatening message warns the victim that the only way to decrypt their files, restore their system, or prevent a potential data leak is to pay the ransom.

They usually include a deadline for payment, after which the hijacked files will be completely destroyed or published, or the ransom amount will increase if payment is not made on time. Generally, the ransom is demanded in a cryptocurrency (virtual currency) such as Bitcoin. They often use “mules,” intermediaries who transfer the money.

In exchange for payment, cybercriminals promise to provide the means to unlock the computer or decrypt the files. However, this does not guarantee 100% that the cybercriminals will honor the agreement; for this reason, it is recommended not to pay the ransom to prevent the spread of this type of threat.

Ransom in cryptocurrency—why?

Cryptocurrencies are virtual currencies that allow for nearly anonymous payments between individuals, making them difficult to trace.

They are accessible via the Tor anonymous network; there, funds from different wallets are mixed, creating a sort of cryptocurrency laundering that makes it difficult to trace transactions. This makes it easier for cybercriminals to extort their victims without the police being able to track them down immediately.

How does the infection occur?

As with other types of malware, cybercriminals use one or more infection methods against the victim; typically they exploit security holes (vulnerabilities) in computer software, operating systems, and applications.

Types and Modus Operandi

Each type of ransomware operates and bypasses security measures differently, although they all share a common characteristic. From least to most significant, we can classify them as follows:

Hoax ransomware: simulates encryption using social engineering techniques to extort the user, demanding payment to recover their files or prevent them from being deleted.

Scareware: uses the lure of fake software or support. It usually appears as a pop-up ad reporting a supposed virus infection and offering a quick and easy solution: downloading a cleaning program that is almost always the malware itself.
Screen lockers: prevent the use of the device by displaying a window that covers the entire screen and cannot be closed. Two types of messages may appear in the window: first, a message informing the user that files have been encrypted and explaining the procedure to recover them, but the files remain intact. Second, a message from law enforcement stating that illegal activities have been detected and demanding payment of a fine to unlock the device. This is also known as the police virus.

Encryption ransomware: considered the most dangerous of all. Its main objective is to encrypt information in order to demand a ransom. Cybercriminals make use of the latest advances in encryption for this type of ransomware.

Within this variant, there is one called wiper, which does not restore access to the files; it simply deletes them.
There is also the variant Doxware which employs a technique known as “doxing,” which involves threatening the user with making the extracted personal data public.

Prevention / Think like a hacker:

Many experts claim that the best way to prevent ransomware is to put yourself in the hackers’ shoes and think as they would. To prevent and anticipate attacks, you need to put on the mask. For many companies, it’s not out of the question to hire ethical hackers or former hackers to improve their company’s security.

• Awareness and training for employees and users.
• Updated antivirus.
• Dangerous pop-up installation requests.
• Clicking on links.
• Downloads of apps from unknown sources.
• Backups.
• Updating the operating system and applications.
• Privilege control.
• Anti-phishing solution for email.
• Action plan.

With this real-time map created by Kaspersky, you can observe all types of attacks (including ransomware) in real time.

Awareness is the first step toward prevention; this is why ransomware isn’t among the most numerous cyberattacks, even though seeing the rate of increase per second is striking.

Spain is the 9th most attacked country according to charts obtained by Kaspersky. This chart also highlights the global need for cybersecurity.

Should I pay the ransom?

From an objective standpoint, you should never pay the ransom demanded, since by paying—which usually involves millions of dollars—you are funding the progress of the organizations behind these attacks.

Furthermore, paying a ransom means falling into the cybercriminals’ trap, since no one can guarantee that the information will be recovered, and the extortion may even continue after payment. Even so, many companies decide to pay the ransom.
The European Union is considering implementing a new law that would prohibit and penalize companies that pay the demanded ransom.

If you are attacked, the best way to restore business operations and recover data is to consult a professional or specialist in cyberattacks for guidance.

Most ransoms are paid using the well-known cryptocurrency Bitcoin (BTC).

This modus operandi has become common among hackers because cryptocurrencies allow the recipient to remain anonymous and make it easy for them to disappear with the money.

Why is it important not to pay the ransom?

The reason is that paying does not guarantee that you will regain access to your data. Furthermore, by agreeing to pay the ransom, you are likely to become a target of further attacks, as cybercriminals will know that you are willing to part with your money.

Incident response plan:

It is very important to have an action plan or incident response plan.

The first thing we must consider is who will manage incidents within the company, and then where the necessary documentation regarding the systems and networks used in the organization is located.

We must define what constitutes normal activity so that we can detect suspicious activities that may indicate incidents.

It is also essential to know who to contact in the event of an incident. For example, in the case of outsourced services, the provider is responsible.
In situations like this, every second counts, so if we have a well-structured plan with all the necessary information, we can act quickly.
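The plan above says to define what normal activity looks like so that deviations can be detected. The following is an added example, not part of the original article: it learns a per-host baseline of file writes per minute from a constructed activity log and flags a window where the write rate jumps and the written content looks encrypted (high Shannon entropy), the typical footprint of encryption ransomware described earlier. The host name, paths and log format are all invented for the example.

```python
import math
from collections import defaultdict

HIGH_ENTROPY = bytes(range(256)) * 4   # constructed stand-in for encrypted content (entropy 8.0)
PLAINTEXT = b"Quarterly report Q3: revenue, costs, headcount.\n" * 20

def make_events():
    """Constructed file-write log: (minute, host, path, content sample)."""
    events = []
    for minute in range(10):            # normal office activity: two edits a minute
        events.append((minute, "ws-17", f"docs/report{minute}.docx", PLAINTEXT))
        events.append((minute, "ws-17", f"docs/notes{minute}.txt", PLAINTEXT))
    for i in range(40):                 # minute 10: burst of high-entropy rewrites
        events.append((10, "ws-17", f"docs/file{i}.docx.locked", HIGH_ENTROPY))
    return events

def shannon_entropy(data):
    """Bits per byte; random-looking (encrypted/compressed) data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def learn_baseline(events, training_minutes):
    """Average writes per host per minute over the training window ('normal activity')."""
    per_host_minute = defaultdict(int)
    for minute, host, _, _ in events:
        if minute < training_minutes:
            per_host_minute[(host, minute)] += 1
    baseline = defaultdict(float)
    for (host, _), n in per_host_minute.items():
        baseline[host] += n / training_minutes
    return baseline

def detect(events, baseline, factor=5, entropy_threshold=7.0):
    """Alert on (host, minute) windows whose write rate exceeds factor x baseline
    and where most written content is high-entropy."""
    windows = defaultdict(list)
    for minute, host, _, content in events:
        windows[(host, minute)].append(shannon_entropy(content))
    alerts = []
    for (host, minute), entropies in windows.items():
        high_share = sum(e >= entropy_threshold for e in entropies) / len(entropies)
        if len(entropies) > factor * baseline.get(host, 1.0) and high_share > 0.5:
            alerts.append((host, minute, len(entropies), round(high_share, 2)))
    return alerts

if __name__ == "__main__":
    evs = make_events()
    print(detect(evs, learn_baseline(evs, training_minutes=10)))
```

Real deployments would feed this from endpoint or file-server audit logs and tune the factor and entropy threshold against each environment's own baseline.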

Recent attacks:

Kaseya:

On Friday, July 2, 2021, a ransomware attack occurred against the software distributor Kaseya. This not only affected the company itself but also some 1,500 companies that worked with it, as confidential data from all of them was leaked.

The attackers demanded a ransom of $70 million in Bitcoin. Kaseya stated on its social media that it refused to pay the ransom, taking three weeks to discover where the vulnerability in its system lay—in this case, a universal decryptor provided by a third party.
The fact that Kaseya, a pioneer in its industry, did not pay the ransom and instead faced the hackers’ intended consequences should serve as an example for companies on how to handle these situations.

Colonial Pipeline:

Another attack that occurred in 2021 targeted the Colonial Pipeline.

It is a company on which the United States relied due to reduced oil and gas refining capacity in the Northeast.

This organization transported three million barrels of fuel per day from Texas to New York over a distance of more than 8,800 kilometers.

The hacker group that attacked the pipeline is known as DarkSide, and they demanded $4.4 million in ransom.

Figures

According to ITSM 4U, a survey of more than 5,000 IT managers at medium-sized organizations in 30 countries worldwide reveals that 37% of organizations experienced a ransomware attack in the last 12 months. The same report reveals that the financial impact of these attacks has increased from an average of $700,000 in 2020 to $1.85 million in 2021.

The average cost of recovery from a cyberattack for Spanish companies has doubled compared to previous years, rising from 260,000 euros in 2020 to an average of 500,000 euros in 2021, according to ITSM 4U.
