Ransomware (ransom + malware) is the most popular form of malware. It blocks or denies access to a device, or encrypts files, and then demands payment to return the stolen documents or data. Despite being a type of malware, it does not have the self-replication capability of a virus.
The first versions of this type of virtual attack appeared in the late 1980s, with payment being made by postal mail. Currently, the trail is more difficult to follow, as payment is generally made in cryptocurrency, a quick and profitable payment method.
A computer can be infected in several ways. The most common method is malicious spam: unsolicited emails used to deliver malware through booby-trapped attachments, such as PDFs or Word documents, and through links to malicious websites, leading the victim to open attachments or apparently legitimate links.
Likewise, cybercriminals, using social engineering, pose as police agencies, such as the FBI, in order to frighten users, thus forcing them to pay the specified amount in order to unlock the files.
Another popular infection method is malvertising, which refers to the use of online advertising for the purpose of distributing malware, without the need for interaction or with reduced user interaction, since the victim, when browsing the Internet, can be directed to criminal servers without having clicked on an ad.
It should be noted that the Ransomware normally chooses a unique file extension for each encrypted document, which guarantees that duplicate files are not encrypted.
Initially, the main victims of this virtual attack were common people. However, cybercriminals began to understand the potential they had and began to expand their attack on companies, where all productivity was stalled, resulting in loss of data and revenue. In terms of preferred geographic areas, the authors of this type of attack follow the money, thus looking for areas of relative wealth and a large percentage of computer use, or, similarly, companies with great monetary power.
The first Ransomware variant to appear was DearCry/DoejoCrypt, which copies and encrypts files, replaces them, and later eliminates the originals. Analysis of this virus revealed that it had no defense against antivirus signatures.
The three major types of Ransomware are highlighted below:
Includes rogue security software and fraudulent technical assistance. It happens the moment you receive a pop-up message informing you that malware has been detected on your device and that the only way to eliminate it is through a payment. If you don’t act on this threat, chances are you will continue to be bombarded with this type of ad, or even be completely blocked from taking action on your computer. However, your files will basically be safe. In general, cybersecurity software programs do not work this way, meaning it is impossible for this to happen.
When this type of Ransomware invades the computer, it means that all access to the computer, including the most basic functions, is completely sealed off and blocked. In this situation, when the computer starts up, a window opens, accompanied by an official seal from the FBI or the Department of Justice, stating that illegal activity has been detected on your device, and payment of a certain amount is crucial. However, no judicial or political body would ever impede access to your computer or demand the payment of a fine for illegal activity.
Other types of malware, such as Ransomware:
One of the types that can cause the most harm. The “WannaCry” crypto-ransomware, which affects the Microsoft Windows operating system, put thousands of lives at risk when it reached several hospitals around the world, preventing healthcare professionals from accessing patient files.
Doxware (or Leakware)
Variant of Ransomware, where the attacker threatens to publish all stolen confidential information online if no payment is made.
RaaS (Ransomware as a Service)
Anonymously hosted by a hacker who takes care of the entire process, in exchange for a portion of the ransom.
It first appeared in February 2016, sent to millions of users as an invoice or order receipt, via email, as spam. These contained an unreadable Word document, prompting users to allow macros to display the content. Once granted, the malware was downloaded, starting to act, blocking the computer until the ransom was paid.
Defined as a toolkit available at no cost to anyone wishing to download it, it is distributed via an email attachment or a link, which allows you to unsubscribe from a spam email. By clicking on the link, the victim is redirected to the attachment, and the Ransomware is installed, which can act even if the computer is not connected to the internet.
Characterized by the personalization of the ransom note, through the use of data found on the user’s computer, from name, date of birth, location, information on social networks, system details and IP address, among others, being a method that increases pressure on the user. After collecting all data, it locks the device, requiring payment within 24 hours.
One of the most destructive Ransomware. After encrypting the files, the malicious software starts systematically deleting them until the ransom is paid, over a period of 72 hours. Once the allotted time expires, all files that were encrypted are deleted.
Known to have infected many businesses across Russia and Eastern Europe, it typically spreads through a fake Adobe Flash application update.
One of the oldest variants of this type of cyberattack emerged in 2013, when hackers used the original CryptoLocker robot approach in Ransomware. Through the use of strong encryption algorithms, it is almost impossible to restore the computer and decrypt files without paying a ransom.
Special type of Ransomware that encrypts files on fixed, mobile and network drives, spreading via malicious email attachments with a double file extension. Like the previous variant, it uses strong encryption algorithms, making it difficult to decrypt the files in the desired period of time.
Its main target is the human resources area. It spreads by downloading a file that is infected. When the victim downloads the file, a macro is launched that encrypts all files present on the device.
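Several of the variants above arrive as email attachments: files with a double extension, or Word documents that ask the user to enable macros. The following is an added example, not code from the original article, of how a mail gateway could triage attachment names; the extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed lists for this example; tune them to your own mail policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".com", ".pif", ".hta", ".lnk"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
MACRO_EXTS = {".doc", ".docm", ".dotm", ".xls", ".xlsm", ".pptm"}

def triage_attachment(filename):
    """Return the list of reasons an attachment name deserves quarantine."""
    # Drop any path part and trailing dots/spaces, then compare case-insensitively.
    name = PurePosixPath(filename.replace("\\", "/")).name.strip(" .").lower()
    suffixes = PurePosixPath(name).suffixes
    reasons = []
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS:
        reasons.append("double-extension")   # e.g. a document name that ends in .exe
    elif suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append("executable")
    if suffixes and suffixes[-1] in MACRO_EXTS:
        reasons.append("macro-capable")      # Office formats that can carry macros
    return reasons

def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and map each flagged attachment to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and (reasons := triage_attachment(name)):
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed sample message with harmless placeholder attachment bodies."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    for name in ("invoice.pdf.exe", "order_receipt.docm", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(f"{name}: {', '.join(reasons)}")
```

Name-based triage only catches the lure described in the text; a gateway would combine it with content inspection, since a renamed file keeps its payload.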
Most of these Ransomware models shared a common principle, the Advanced Persistent Threat (APT). After being introduced into the environment through a phishing attack, the APT remains hidden in the work environment while it does the reconnaissance needed to find user accounts and useful data to steal, and locates resources to infect, moving through the protocols exposed by the environment. Once the entire process is complete, the Ransomware is launched and starts to infect the environment, particularly if there is exposure to public networks such as the Internet.
During the pandemic, with the consequent demand for mostly remote work, exposure to public networks and the resulting lack of security provided by organizations increased the level of externalization and the number of entry points for threats.
The essential rule to follow in case of a Ransomware attack is never to pay the ransom, a recommendation approved by the FBI. When the ransom is paid, criminals know they can count on the victims’ cooperation in monetary terms, and they launch additional attacks.
Cyber threats are evolving at an exorbitant rate. According to S21sec, during the first half of 2021 there were several Ransomware attacks, a trend that will continue and will affect many more companies until the end of the year. This leads to the use of greater security controls, such as two-factor authentication, in order to mitigate these digital attacks. You can also try to restart your computer, but the software is not guaranteed to be removed when the computer turns on again. To protect against this type of malware, it is crucial to take the following steps:
- Keep yourself particularly vigilant;
- Check if your system is slower for no apparent reason;
- Ensure that your systems and software are up to date, preferably through automatic installation, thus avoiding forgetting;
- Have good antivirus software;
- Regularly make backup copies of your data, either on external drives or in cloud storage;
- Use a VPN whenever possible.
Also, and with the certified help of ActiveSys:
- Count on an effective information security program;
- Apply technology best practices;
- Apply effective Backup strategies;
- Educate employees to protect their data and devices.
In any case, the best thing to do is to ask for expert advice, such as ActiveSys, which will find the best way to solve the problem and, consequently, set barriers that prevent other potential Ransomware attacks.