Cybersecurity
Ransomware: what they are, how to avoid and eliminate them
At a time when digital security remains a major concern for IT managers, ransomware is emerging as one of the most dangerous threats to businesses, institutions, and even individual users.
This type of malware, which encrypts victims’ files by demanding a ransom for their unlocking, is a serious and growing problem for any type of business, regardless of their size.
In this article we aim to understand what ransomware actually is, how it works, and how to protect your digital assets by reducing the risk of attacks.
In this article we aim to understand what ransomware actually is, how it works, and how to protect your digital assets by reducing the risk of attacks.
What is ransomware?
Ransomware is malware that locks and encrypts data, files, devices or systems, rendering them inaccessible and unusable until a ransom is paid.
It is a growing and otherwise evolving threat.
Early versions of ransomware relied solely on encryption to prevent victims from accessing their files and systems.
Victims who had regular backups could restore their data, thus avoiding having to pay a ransom.
Over time, however, attackers began to integrate more sophisticated extortion tactics into their malware, with additional threats and also targeting victims’ backups to prevent organizations from restoring their data.
According to data collected by the Italian open source project DRM – Dashboard Ransomware Monitor., which monitors all ransomware criminal groups in real time, Italy experienced a real surge in ransomware attacks last year, ranking fourth worldwide in terms of numbers, with 182 attacks claimed during the year, compared to 91 attacks in 2022.
The last quarter alone showed a 420 percent increase over the same period last year, with 47 attacks compared to the previous 9, highlighting a growing vulnerability of Italian companies to this threat.
It is a growing and otherwise evolving threat.
Early versions of ransomware relied solely on encryption to prevent victims from accessing their files and systems.
Victims who had regular backups could restore their data, thus avoiding having to pay a ransom.
Over time, however, attackers began to integrate more sophisticated extortion tactics into their malware, with additional threats and also targeting victims’ backups to prevent organizations from restoring their data.
According to data collected by the Italian open source project DRM – Dashboard Ransomware Monitor., which monitors all ransomware criminal groups in real time, Italy experienced a real surge in ransomware attacks last year, ranking fourth worldwide in terms of numbers, with 182 attacks claimed during the year, compared to 91 attacks in 2022.
The last quarter alone showed a 420 percent increase over the same period last year, with 47 attacks compared to the previous 9, highlighting a growing vulnerability of Italian companies to this threat.
Types of ransomware and examples
But let’s see what are the most common types of ransomware and their characteristics.
Crypto Ransomware or Encryptor
Encryptors are one of the most well-known and malicious variants.
This type encrypts files and data within a system, making the contents inaccessible without a decryption key.
This type encrypts files and data within a system, making the contents inaccessible without a decryption key.
Locker
Lockers completely block access to the system, making files and applications inaccessible.
A lock screen displays the ransom demand, possibly with a countdown clock to increase urgency and prompt victims to act.
A lock screen displays the ransom demand, possibly with a countdown clock to increase urgency and prompt victims to act.
Scareware
Scareware is fake software that claims to have detected a virus or other problem on the computer and invites the user to pay to fix the problem.
Some types of scareware lock the computer, while others simply flood the screen with pop-up warnings without actually damaging files.
Some types of scareware lock the computer, while others simply flood the screen with pop-up warnings without actually damaging files.
Doxware or Leakware
Leakware threatens to distribute sensitive personal or business information online.
Many people panic and pay the ransom to prevent private data from falling into the wrong hands or becoming public knowledge.
One variant is police-themed ransomware, which pretends to be a law enforcement officer and warns that illegal online activity has been detected, for which payment of a fine is required.
Many people panic and pay the ransom to prevent private data from falling into the wrong hands or becoming public knowledge.
One variant is police-themed ransomware, which pretends to be a law enforcement officer and warns that illegal online activity has been detected, for which payment of a fine is required.
RaaS (Ransomware as a Service)
Ransomware as a Service (RaaS) refers to malware hosted anonymously by a “professional hacker” who manages all aspects of the attack, from distributing the ransomware to collecting payments and restoring access, in exchange for a share of the loot.
Extortionware
Extortionware is a type of ransomware in which the attacker locks the victim’s device but also threatens to disclose private information unless a ransom is paid.
Once extortionware is on the device, attackers use any stored information against the device owner.
But let’s also look at what have been, over the years, the most dangerous ransomware attacks.
Once extortionware is on the device, attackers use any stored information against the device owner.
But let’s also look at what have been, over the years, the most dangerous ransomware attacks.
- WannaCry was the largest ransomware attack in history.
On May 12, 2017, it hit hundreds of thousands of computer systems worldwide, encrypting data on more than 200,000 computers in 150 countries.
WannaCry exploited a vulnerability in Microsoft Windows to spread and demand a ransom for decrypting data, causing an estimated $4 billion in damage. - NotPetya started on June 27, 2017, infected mainly computers in Ukraine and Russia, with an estimated damage of around $10 billion.
NotPetya is distinguished by its ability to encrypt the computer’s hard drive and present a ransom demand, along with a destructive payload that deletes critical system files, making it impossible to access data without the decryption key. - SamSam primarily targeted hospitals, businesses, and U.S. government agencies since Jan. 6, 2016, differs in its mode of dissemination via remote desktop protocol (RDP) and the damage caused, exceeding $30 million.
This attack is a true warning with respect to the vulnerabilities of critical infrastructure to cyber threats. - CryptoLocker dated September 5, 2013, is known to use asymmetric cryptography, making it extremely difficult to decrypt files without the private key.
This attack demonstrated the ransomware’s effectiveness in generating profits for attackers, with earnings exceeding $27 million in ransom payments before the FBI intervened. - Bad Rabbit spread on October 24, 2017 through a malicious dropper disguised as an Adobe Flash installation or update.
It used advanced techniques to propagate rapidly, causing significant damage and demonstrating that even smaller attacks can have a large impact.
How you get infected with ransomware
Ransomware attacks follow a well-defined process to encrypt victims’ data and demand a ransom.
This process can be divided into (at least) three main phases, and each ransomware variant implements them in slightly different ways.
The three steps form the core of all ransomware attacks, while different malware variants may include additional implementations or steps.
This process can be divided into (at least) three main phases, and each ransomware variant implements them in slightly different ways.
The three steps form the core of all ransomware attacks, while different malware variants may include additional implementations or steps.
Step 1: Infection and vectors
Infection begins when ransomware gains access to an organization’s systems through various infection vectors such as phishing emails that contain links to malicious downloads or attachments with embedded download functionality.
If the email recipient falls into the trap, the ransomware is downloaded and executed on his or her computer.
Another common infection vector exploits services such as the Remote Desktop Protocol (RDP), allowing the attacker to access and control a computer within the corporate network.
Some ransomware variants can exploit direct vulnerabilities, as WannaCry did with the EternalBlue vulnerability.
If the email recipient falls into the trap, the ransomware is downloaded and executed on his or her computer.
Another common infection vector exploits services such as the Remote Desktop Protocol (RDP), allowing the attacker to access and control a computer within the corporate network.
Some ransomware variants can exploit direct vulnerabilities, as WannaCry did with the EternalBlue vulnerability.
Step 2: Data encryption
Once inside the system, the ransomware begins encrypting files.
Using encryption capabilities built into the operating system, the malware accesses files, encrypts them with a key controlled by the attacker, and replaces the originals with encrypted versions.
Ransomware variants carefully select the files to be encrypted to ensure system stability and may also delete backups and shadow copies of files to make recovery more difficult without the decryption key.
Using encryption capabilities built into the operating system, the malware accesses files, encrypts them with a key controlled by the attacker, and replaces the originals with encrypted versions.
Ransomware variants carefully select the files to be encrypted to ensure system stability and may also delete backups and shadow copies of files to make recovery more difficult without the decryption key.
Step 3: Redemption request
Once the encryption of files is complete, the ransomware presents its ransom note.
This can be done in various ways, such as changing the desktop wallpaper with a ransom note or placing text files with the ransom note in each directory containing encrypted files.
Typically, these notes demand a certain amount of cryptocurrency in exchange for access to the victim’s files.
If the ransom is paid, the ransomware operator provides the private key used to protect the symmetric encryption key or a copy of the symmetric key itself, which can be used in a decryption program (provided by the cybercriminal) to reverse the encryption and restore access to the user’s files.
This can be done in various ways, such as changing the desktop wallpaper with a ransom note or placing text files with the ransom note in each directory containing encrypted files.
Typically, these notes demand a certain amount of cryptocurrency in exchange for access to the victim’s files.
If the ransom is paid, the ransomware operator provides the private key used to protect the symmetric encryption key or a copy of the symmetric key itself, which can be used in a decryption program (provided by the cybercriminal) to reverse the encryption and restore access to the user’s files.
Methods to eliminate a ransomware permanently
- It must be said that ransomware removal and recovery from the ‘attack requires coordinated and well-planned action, which can be summarized in a series of essential steps.
- Validation At the first sign of a ransomware intrusion, it is critical to immediately activate the incident response plan, starting with validation of the attack.
The security team needs to confirm whether what is occurring is indeed a ransomware attack and involve all figures with some responsibility for it: not only the IT team, but also executive management, legal and communications teams. - Analysis and Containment In order to effectively manage the attack, it is essential to determine how far the malware has spread.
At this point, it is necessary to immediately disconnect and quarantine infected systems and devices to minimize the impact of the malware.
Implementation of network management technologies capable of automatically quarantining endpoints that exhibit atypical behavior, blocking connections to command and control servers, and shutting down network segments to prevent lateral movement would be desirable.
After the infection is contained, it is necessary to verify that backup resources are intact and secure. - Eradication of malware At this point, the elimination and replacement of the infected core system instances and the formatting and restoration of the affected endpoints with clean backup data can proceed.
Next, it is important to scan the restored data to confirm the elimination of the malware.
Finally, change all system, network and account passwords. - Communication According to current regulations, details of the incident must be communicated to the appropriate stakeholders, following the provisions of the incident response plan.
- Managing post-attack Once the ransomware has been eliminated, it is necessary to ensure that all systems, data, and applications are accessible and operational, with no remaining vulnerabilities that could allow attackers to re-enter the environment.
Once the situation has stabilized and the organization is operating back to normal, carefully analyze the details of the attack to identify any security gaps that need to be addressed to prevent future incidents.
Review incident response efforts, identify lessons learned, and update the incident response plan accordingly.
Who are the people at risk
- There is one point on which experts and analysts agree: although some entities, such as critical infrastructure or healthcare, may be more at risk than others, no specific sector is exempt from risk.
Every organization, regardless of its size, is a potential target for cybercriminals, who operate like real businesses seeking maximum financial impact.
Here, then, are sectors such as retail, energy, education, and utilities, as well as financial, professional, legal, healthcare, manufacturing, and technology, showing significant attack rates, demonstrating the breadth and variety of ransomware targets.
How to defend against ransomware effectively
- Dealing with the ransomware threat requires a layered and thorough defense strategy. Although stopping an attack in its early stages (such as surveillance or distribution) is ideal, organizations must also be prepared to detect and respond to threats that have already penetrated their initial defenses and are in the process of executing their end goals.
Best practices start with education and awareness training: it is critical to teach users to identify and avoid potential ransomware attacks.
Continuous data backups are also essential: ransomware is designed to make paying a ransom the only way to restore access to encrypted data.
Automatic and secure data backups allow the organization to recover from an attack with minimal data loss and without paying the ransom.
Patching is also a critical component in defending against ransomware attacks, as cybercriminals often look for vulnerabilities not yet covered in available patches, targeting systems that have not yet been updated.
The same can be said for user authentication is critical: accessing RDP services with stolen user credentials is a technique in use among attackers.
The use of strong authentication systems can make it more difficult for an attacker to use a guessed or stolen password.
Finally, the adoption of an anti-ransomware solution that can detect a wide variety of variants quickly and perform automatic recovery just as quickly is important.
