Ransomware attacks have been rampant in recent times, with many companies battling to stay in operation after suffering heavy damage at the hands of attackers. Many questions have been raised about the types of ransomware in existence, how they operate, and who their primary targets are. For attackers, ransomware is a lucrative way to earn cash or cryptocurrency. Compared with earlier days, the rate of ransomware attacks has declined to a certain level, yet it still poses a serious threat. In this article, we explain in depth everything about ransomware: what it is, how it works, the various types of ransomware, how to protect yourself against them, and more.
It is important to understand that ransomware is mainly staged for a purpose that always boils down to money. Attackers target the most important information of a company to force it to meet a ransom demand. Ransomware is malware that threat actors use to encrypt files after infiltrating a target device and then to demand a stated amount, mostly in Bitcoin, in exchange for the decryption key that unlocks the files.
How ransomware works can be explained simply. Threat actors try to get their malware onto the victim's device. The malware then searches for valuable information or assets on the device and locks them down. In other words, the malware denies users access to valuable information. Most ransomware exfiltrates data before encrypting it, while others do not exfiltrate data but go straight to encrypting files.
What Is Ransomware Virus?
The first thing you must ask: is ransomware a virus? Well, it is said that ransomware is a computer virus or malware that gets installed on your computer without your knowledge and locks it. A system in this condition can be unlocked by paying a ransom to the attackers, who would unlock it and bring your system back to its original condition. The term ‘ransomware’ is derived from ‘ransom’, meaning ‘holding hostage against a demanded amount’, and ‘ware’, which comes from the term malware.
Although both ransomware and computer viruses come under the same umbrella of ‘malware’, their modus operandi is quite different. Ransomware demands a ransom to unlock an attacker-locked computer system (it enters the system during activation and encrypts the files on the infected system), whereas computer viruses infect a system, corrupt data and replicate themselves. Ransomware victims are given instructions on how to pay the ransom fee and retrieve the decryption key. The ransom charged can range from a few hundred dollars up to thousands and is often payable in Bitcoin (BTC).
Types of Ransomware
The types of ransomware depend on the type of files they hold. There are two main types of ransomware: crypto ransomware and locker ransomware.
Locker Ransomware
Locker ransomware is a type of ransomware that does not lock files or valuable resources on a device but encrypts the device itself. It does not allow access to the interface of the device: it locks the user out and leaves only limited functions available, allowing the user only to communicate with the threat actors to discuss how to pay the ransom. The only way users regain access to the device is to pay for the decryption key. A well-known locker ransomware is Locky.
Crypto Ransomware
Crypto ransomware operates a little differently from locker ransomware. It locks down only valuable resources or important information on a device and demands payment of a ransom before an unlocking key is provided. The malware is designed to search the device for that information, and after successful identification and encryption, a ransom note pops up asking the victim to make a payment to a provided BTC address to get the decryption key. Some notes even provide a comprehensive guide on how to buy Bitcoin online in case the victim does not know how. Some well-known crypto ransomware families are WannaCry, Ryuk, Petya etc.
How Does Ransomware Attack Work?
Ransomware attacks work in various ways. One of the most common is for threat actors to convince targets to click on a malicious link or visit a malicious website. Some of the ways this is done are:
Drive-By Download
This is a very potent and common method used by threat actors to get ransomware installed on target computers. They use deceptive means to convince targets to visit a compromised website; after the visit, the ransomware begins to install on the computer, then finds valuable information and encrypts it, or locks down the device, depending on the type of ransomware.
Malicious Links Through Emails or Social Media
This is a very common method of infecting devices with ransomware. The threat actors in most cases target the weakest link of the security chain, the employees, and convince them to click on a malicious link that executes the malware on the device. Most of these links are sent with a very interesting message about a job offer, global event or other sensitive issue while posing as a legitimate sender. Some impersonate service providers, while others use fake bank invoices as bait to lure targets into clicking a malicious link or downloading a malicious attachment.
Pay Per Install
This is another common way ransomware is distributed by threat actors. Most computers are already part of botnets. In this case, they have already been compromised. Threat actors or cybercriminals pay to get access to these devices to install ransomware on them. Targets of ransomware attacks are mostly companies that host a bunch of customers’ personal information or credit card information.
Another modus operandi is for the attacker to pose as a law enforcement official or agency. They claim that the infected system has been shut down due to the presence of pirated software or pornography. They charge a fee termed a “fine”, which is not actually a fine but a ransom. This discourages victims from reporting the attack to the authorities. In other cases, the attacker threatens to publicize the victim's sensitive data from the hard drive unless a ransom is paid. But encryption ransomware is likely the most common type, as finding and extracting sensitive data is quite tricky for the attackers.
This is basically how ransomware gets onto your computer and infects it.
Why Is Ransomware So Effective And Frequent?
Ransomware attackers instill fear and panic in their victims, pushing them to click on a specific link or pay a ransom. Furthermore, the user's system can get infected with additional malware. After an attack, the ransomware displays intimidating messages such as:
- “All the files on your computer have been encrypted. To regain access to your website you must pay this ransom within 72 hours.”
- “Your computer has been infected with a virus. Click here to resolve the issue.”
- “Your computer has been used to visit various websites having illicit content. For unlocking your computer you must pay a fine of $100”.
What Is The Possible Impact of Ransomware?
Ransomware targets users of various categories, such as residential users and businesses, leading to negative consequences including:
- Disruptions to the regular operations
- Potential harm to the affected organization’s reputation
- Financial losses that have been incurred to restore the systems and the files
- Permanent or temporary loss of proprietary or sensitive data.
How Will I Know That My System Has Been Attacked By A Ransomware?
There are several signs that indicate or help you detect that your system has undergone a ransomware malware attack such as:
- Your desktop or web browser is locked and a message (as stated above) is displayed explaining how to pay the ransom to unlock the system, and/or the file directories contain a ransom note file, usually in .txt format.
- All of the encrypted files on your system will have a new file extension at the end of their names, such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, [email protected]_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky. It may also be an extension of 6-7 random characters.
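The two signs above can be checked by a script. The following is an added example, not part of the original article: it walks a directory tree and reports ransom-note file names, extensions quoted on this page, and directories where most files share an unfamiliar 6-7 character extension. The helper names, the benign allowlist, the cluster threshold and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile
from collections import Counter

# Indicators quoted on this page (subset). Dharma's ".java" is left out
# because it collides with legitimate source files.
KNOWN_EXTS = {".locky", ".phobos", ".mamba", ".snatch", ".jimm", ".encrypted",
              ".locked", ".crypto", ".crypt", ".vault", ".777", ".bip", ".cezar"}
NOTE_NAMES = {"readme_restore_files.txt", "how_to_recover_data.html",
              "info.hta", "files encrypted.txt"}
# Assumption: "6-7 random characters" means 6-7 letters/digits after the dot.
RANDOM_EXT = re.compile(r"\.[a-z0-9]{6,7}")
# Assumption: allowlist of legitimate long extensions; extend for your site.
BENIGN_LONG_EXTS = {".sqlite", ".sqlite3", ".config", ".torrent", ".backup"}


def classify(name):
    """Return why a single file name is suspicious, or None."""
    lower = name.lower()
    if lower in NOTE_NAMES:
        return "ransom-note"
    if os.path.splitext(lower)[1] in KNOWN_EXTS:
        return "known-extension"
    return None


def scan_tree(root, min_cluster=3):
    """Walk root and return (reason, path, extension) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        unknown = Counter()
        for name in files:
            reason = classify(name)
            ext = os.path.splitext(name.lower())[1]
            if reason:
                findings.append((reason, os.path.join(dirpath, name), ext))
            elif RANDOM_EXT.fullmatch(ext) and ext not in BENIGN_LONG_EXTS:
                unknown[ext] += 1
        # A lone odd extension is noise; one shared by most files in a
        # directory matches the mass-rename pattern described above.
        for ext, count in unknown.items():
            if count >= min_cluster and count * 2 > len(files):
                findings.append(("random-extension-cluster", dirpath, ext))
    return findings


def demo():
    """Scan a constructed sample tree (empty files, made-up names)."""
    sample = ["docs/report.docx.locky", "docs/photo.jpg.locky",
              "docs/HOW_TO_RECOVER_DATA.html", "share/a.xlsx.qwx7rtp",
              "share/b.pdf.qwx7rtp", "share/c.txt.qwx7rtp", "share/notes.txt",
              "clean/readme.md", "clean/db.sqlite3"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return [(reason, ext) for reason, _path, ext in scan_tree(root)]


if __name__ == "__main__":
    for finding in sorted(demo()):
        print(finding)
```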
Most Popular & Malicious Ransomware Variants Experienced In 2020
2020 has seen many malicious ransomware attacks that have crippled businesses, from small ones to high-profile ones. Below are the ransomware variants:
Sodinokibi
Sodinokibi ransomware targets Windows systems, encrypts important files on the local drives, excluding those listed in its configuration files, and asks for a ransom to decrypt them. The targeted files bear the extensions .jpg, .jpeg, .raw, .tif, .png, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif, and .psd.
The first thing the user usually sees after the encryption completes is a ‘ransom note’. The ransom information with the instructions is visible on the desktop as well. If there is no backup or roll back system or any other alternative to recover the encrypted files, then the files will be usable while the information that is stored in them will be inaccessible.
Ryuk
Ryuk is a variant of crypto-ransomware that uses encryption to block access to the system, its files and other devices until the demanded ransom is paid. It is often dropped by other malware, especially TrickBot, or gains access through remote desktop services. It uses a second RSA public key. The ransom is demanded in Bitcoin (BTC), and the victim is directed to a BTC wallet address to pay it. The demanded ransom is typically between 10-50 BTC ($10,000 – $55,000 approximately on bitcoin price conversion).
Phobos
Phobos is a malicious ransomware program that encrypts the data or locks the files stored on the infected system and demands a ransom for decryption. In the ransom demand, the cybercriminals state that all the files are encrypted and that victims need to contact them through [email protected], [email protected], or various other email addresses, quoting the encryption ID assigned to the victim. They also ask victims to pay the ransom as soon as possible to avoid expedite charges. All files encrypted by the Phobos malware carry a .phobos extension along with the unique ID of the victim and an email address. Other popular extensions used by Phobos are:
- “.[[email protected]].Adair”
- “.[[email protected]].deal”
- “.[re[email protected]].Caley”, “.barak”, “.zax”, “.BANKS”, “.banjo”
- “.[[email protected]].acute”, “.1500dollars”
- “.[[email protected]].blend”
- “.[[email protected]].adage”
- “.[[email protected]].phobos”
- “.[[email protected]].phoenix”
Dharma
The Dharma ransomware is a crypto-virus that was first seen back in 2016 and has been constantly reappearing in new versions of late. The most prevalent extensions on infected files are: .bip, .adobe, .cezar, .combo, .java, .ETH, .love$, .LOL, .BANG, and .payB. Some of the other file extensions are: .base, .R3f5s, .bad, .HCK, .hlpp, .FRM, .WCH, .club, .PGP, .well, .space, .BOMBO. The malware uses the AES encryption algorithm to encrypt the data and then displays ransom notes called either Info.hta or FILES ENCRYPTED.txt.
Mamba
Mamba is high-risk ransomware and an updated version of Phobos. The malware encrypts the stored files and alters the filenames with the “.mamba” extension along with the victim’s unique ID and the developer’s email address. As soon as the files get encrypted, they become unusable. The ransomware also stores the “info.txt” text file on the desktop and displays an extensive pop-up window (“info.hta” HTML application).
GlobeImposter
GlobeImposter is a ransomware application that encrypts the files on the victim's machine and demands a ransom payment to unlock the information. This malware is also known as “Fake Globe” because its structure mimics the Globe ransomware family. It may be distributed via a malicious spam campaign that is recognizable only by its lack of message content together with an attached ZIP file. This sort of spam is termed “blank slate”. GlobeImposter also spreads through malicious advertising, exploits, repacked infected installers and fake updates.
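The “blank slate” pattern described above (almost no message content plus a ZIP attachment) is the kind of rule a mail content filter can apply. The following is an added example, not part of the original article: it parses a raw message and flags that combination. The function names, the 20-character threshold, the example.com addresses and the stub attachment bytes are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"          # signature at the start of a ZIP archive
FAKE_ZIP = ZIP_MAGIC + b"\x00" * 26  # constructed stub, not a real archive


def inspect_message(raw, max_body_chars=20):
    """Return body length, ZIP attachment names and a blank-slate verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    # Drop HTML tags and whitespace so an empty HTML shell counts as empty.
    visible = re.sub(r"<[^>]+>|\s+", "", text)
    zips = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        # Trust the bytes over the declared name: a renamed ZIP still matches.
        if payload.startswith(ZIP_MAGIC) or name.lower().endswith(".zip"):
            zips.append(name)
    return {"body_chars": len(visible), "zip_attachments": zips,
            "blank_slate": bool(zips) and len(visible) <= max_body_chars}


def build(body, attachment=None):
    """Serialise a constructed test message (addresses use example.com)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def demo():
    """Run the check over three constructed messages."""
    samples = {
        "empty body + zip": build("\n", ("scan_001.zip", FAKE_ZIP)),
        "normal body + zip": build(
            "Hi Dana, the Q3 figures we discussed are attached.\n",
            ("q3.zip", FAKE_ZIP)),
        "empty body, no attachment": build("\n"),
    }
    return {label: inspect_message(raw)["blank_slate"]
            for label, raw in samples.items()}


if __name__ == "__main__":
    for label, flagged in demo().items():
        print(f"{label}: {'FLAG' if flagged else 'ok'}")
```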
Snatch
Snatch is a high-risk ransomware developed by cybercriminals. It creates a ransom message in a text file named “Readme_Restore_Files.txt” and alters file names by adding an extension such as “.snatch” (updated variants change the file extension to “.jimm”, “.googl”, “.dglnl”, “.ohwqg”, “.wvtr0”, and “.hceem”).
IEncrypt
IEncrypt was first discovered by S!Ri and is a ransomware-type virus that is designed to encrypt the files utilizing AES cryptography. While in the process of encryption, the malware alters the file names with the extension such as “PCname_of_company”. The ransomware targets various organizations rather than individuals. Some of the other extensions in use are: “.kraussmfz”, “.midwestsurinc”, “.0riz0n”, “.n3xtpharma”, “.grupothermot3k” and “.cmsnwned”. For each encrypted file, this ransomware generates an identical text file, each having unique names. But all the text files bear an identical ransom message.
.777
This is a file-encrypting ransomware virus that uses asymmetric encryption to encrypt the victim's files. During encryption, the ransomware generates two keys: a public key to encrypt the files and a private key to decrypt them. Decrypting the files without this decryption key is impossible, so the ransom is demanded in exchange for the key. It also appends the extension “[email protected]$.777” to encrypted files, which makes it easier to determine which files have been encrypted.
MedusaLocker
MedusaLocker is a malicious ransomware that operates by encrypting files and making them inaccessible until the ransom has been paid. During the encryption procedure, all the files are renamed with the extension “.encrypted”. Once the data is encrypted, the ransomware stores an HTML file (“HOW_TO_RECOVER_DATA.html”) containing a ransom message on the victim's desktop. Some of the other extensions used by the ransomware are: “.bomber”, “.boroff”, “.breakingbad”, “.locker16”, “.newlock”, “.nlocker”, “.skynet”, “.deadfiles”, “.abstergo”, “.himynameisransom”, “.ReadInstructions”, “.EG”, “.decrypme”, “.ReadTheInstructions”, and “.READINSTRUCTIONS”.
NetWalker
NetWalker, also known as Mailto, is a sophisticated family of Windows ransomware that targets corporate computer networks and encrypts the files it finds, demanding a cryptocurrency payment as ransom for the safe recovery of the encrypted data. It threatens to publish the victim's sensitive data on the internet if the ransom is not paid. It infects the victim's computer through poisoned emails disguised as coming from a very important source.
Can You Remove Ransomware?
Yes, you can definitely remove ransomware in case you fall prey to a malware attack. If you own a system with Windows 10 Operating System (OS), you can attempt to do the following for ransomware removal.
- Reboot your Windows 10 to “Safe Mode”.
- Install a trusted “anti-malware software”. (Note: Some anti-malware software can be deceptive, as it might be ransomware hidden behind the veil of anti-malware software.)
- Scan the complete system (in-depth preferred) and find the hidden ransomware program.
- Follow all the prompted steps to restore the computer in its original state.
An important point: while restoring your computer, you will not be able to decrypt the encrypted files, as the files have already been modified. If the malware is sophisticated, you will be unable to decrypt the files without the mathematical key that the attacker holds. If you are successful in removing the malware and restoring the files, you have probably paid the attackers the ransom they demanded and obtained the decryption key.
Should I Pay Ransom?
Well, ideally you should not pay the ransom, although there are obvious risks with or without a payout. Not paying cannot be guaranteed to demotivate an attacker completely; on the other hand, paying still does not guarantee that the attacker will provide the decryption key. After payment, they might give you the key, or keep you hanging, continue with more sophisticated attacks, or demand an even larger sum.
In theory, law enforcement agencies urge victims not to pay the demanded amount via any medium, as this encourages the attackers to create more ransomware, probably more high-end. Recent research has stated that 66% of companies said they would not pay a ransom, while in practice 65% of companies actually pay when they are victimized.
Ransomware: How To Prevent Ransomware Attacks & Secure Your Data
To avoid a ransomware attack, you need to follow certain dos and don'ts to keep your data secure.
- The main motive of ransomware attackers is to collect a ransom from the targeted individual or organization by crippling their network security. You must not pay any ransom. By doing so, you encourage them to continue their activity and put at risk the database security of both your company and others. Also, there is no guarantee that paying the ransom will give you access to your encrypted files and folders.
- Ransomware attacks cannot be predicted by the victim. The best option is to back up your data on a regular basis on a good backup infrastructure. This helps you restore the data quickly even after a malware attack.
- On receiving any suspicious mail, unsolicited phone calls or text messages, refrain from providing your personal details or your company details. Also, do not open any suspicious mail, click on any link (including ads) or download any files. Phishers often rely on this method, posing as an IT person to gain your trust. If this happens, cross-check the claims by contacting the legitimate individual or department. Look out for your co-workers as well and alert them before things become complicated.
- Always keep your software updated. Additionally, install a strong antivirus that you trust. Depending on a disreputable antivirus company or brand could also make your systems vulnerable to various cyberattacks, including ransomware. There are several fake antivirus products posing as legitimate ones that contain ransomware variants, which would get installed on your system without your knowledge. Also, check that the firewall on your system is running.
- Implement content filtering and scanning on your mail for threat prevention against the inbound and outbound emails. This would help in blocking spam emails and attachments that could pose a threat to your system and your data.
- Apply regular patches to vulnerable software to help prevent ransomware. Exploit kits hosted on compromised websites are often used to spread the malware.
- Always alert your IT department beforehand when you are about to travel, specifically when you are about to use any public Wi-Fi. Apart from this, you must use a trusted VPN (Virtual Private Network) service.
- Invest in security awareness training more often. This keeps your employees up to date and helps them protect your company's data from the threats your company's security may face.
- You must also develop a Disaster Recovery Plan (DRP). You can include certain immediate steps in your DRP, such as shutting down most of the organization's networks immediately to bar the spread of infection, shutting down the Bluetooth networks and the Wi-Fi without any delay, and alerting the FBI and the local authorities. You may also include whether to pay the ransom or skip it and restore the data from the backup.
- Change passwords often, so that attackers are not able to get access to your data that easily.
Disclaimer: Darkweblink.com does not promote or endorse claims that have been made by any parties in this article. The information provided here is for the general purpose only and unintended to promote or support purchasing and/or selling of any products and services or serve as a recommendation in the involvement of doing so. Neither Darkweblink.com nor any member is responsible directly or indirectly for any loss or damage caused or alleged to be caused by or in relation to the reliance on or usage of any content, goods or services mentioned in this article.