How Ransomware Attacks Are Carried Out
Ransomware attacks can be devastating to the victims, both individuals and companies. Attackers usually gain access to the target machines through one of the following infection scenarios:
- Software Vulnerabilities – Ransomware delivered by exploit kits usually enters the target system through a security bug. This may include infection via a flawed protocol implementation or weaknesses in the software packages themselves.
- Bad Software Configuration – Here the intrusion path is ransomware delivered to otherwise secure software that has been configured inappropriately. The most common example is the use of default account credentials on live Internet-facing machines that are reachable from the external network. A good example is the SSHowDowN attack, which affects more than 2 million IoT (Internet of Things) devices.
- Social Engineering – This is the most popular type of ransomware distribution. Hackers typically use various tricks to make the user download an infected attachment or click on a malicious link leading to the ransomware binary. The attackers might even take the time to modify headers and issue certificates to pose as legitimate companies, and even personalize the message contents. This is the preferred way of distributing popular ransomware such as Comrade Circle.
The Impact of Ransomware Attacks
Once a ransomware attack has successfully compromised the target machine, a typical scenario follows in most cases:
- Depending on the ransomware family (shared code between several variants), the virus may set up stealth features that hide its presence from the anti-virus and anti-spyware software installed on the computer. The methods employed include injection into system processes, running the code with administrative privileges and other ways of bypassing the security measures.
- The installed ransomware then prevents the user, the operating system and the available programs from interfering with its process.
- An encryption process is then initiated. It targets specific file name extensions, which are encrypted using a strong cipher (usually AES or RSA with at least 256 bits). Depending on the code, the ransomware may also append a specific extension, usually connected with its name. Some ransomware variants, such as the SMRSS32 ransomware virus, also avoid system-specific files whose encryption would prevent the operating system from functioning properly. Read our removal guide about it to learn more about its operation.
- Some ransomware strains also affect mounted network shares in addition to local partitions. The more advanced viruses include additional code that can launch attacks against the network and brute-force its way into other networked computers as well.
- The ransomware crafts a specific (personalized) or a generic message indicating that the computer has been compromised. Depending on the threat, a different scenario may be used to frighten the victims. In some cases the attackers pose as a law enforcement agency that accuses the user of computer crime. The most typical scenario is the one where the ransomware simply displays an alarming message or a pop-up saying that the computer has been hijacked; an example of this is the JohnyCryptor threat. The victims are then extorted into paying a ransom to restore access to their files. The requested money transfer is usually made through a cryptocurrency such as Bitcoin. These are secure and practically untraceable ways of sending and receiving money.
- Note that many ransomware strains also have the ability to install additional malware on the compromised machines. This includes remote access Trojans, which can spy on the user's behavior and steal valuable information such as private documents, browsing history, account credentials and other related data.
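The encryption step above leaves two observable traces on disk: the appended extension and file contents that no longer look like documents. The following heuristic scanner, an added example that is not part of the original article, flags both over a constructed sample tree; the suffix list and the 7.0 bits-per-byte threshold are assumptions for illustration, and the compressed-media file shows why entropy alone is not proof.

```python
import math
import os
import tempfile
from collections import Counter

SUSPECT_SUFFIXES = {".locked", ".encrypted", ".crypt"}  # assumed illustrative set, not from the page
ENTROPY_THRESHOLD = 7.0  # bits per byte; documents and text sit well below this

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())

def appended_suffix(name: str):
    """Return the suspect suffix when the name is 'file.docx.locked'-shaped, else None."""
    base, ext = os.path.splitext(name)
    if ext.lower() in SUSPECT_SUFFIXES and os.path.splitext(base)[1]:
        return ext.lower()
    return None

def scan_tree(root: str):
    """Return [(relative path, reasons)] for files that look ransomware-encrypted."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = []
            suffix = appended_suffix(name)
            if suffix:
                reasons.append(f"appended extension {suffix}")
            with open(path, "rb") as fh:
                sample = fh.read(65536)  # first 64 KiB is enough to judge entropy
            if len(sample) >= 1024 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                reasons.append("high entropy")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return findings

def demo() -> dict:
    """Scan a constructed sample tree; returns {relative path: reasons}."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "report.txt"), "wb") as fh:
            fh.write(b"quarterly numbers look fine\n" * 200)  # benign, low entropy
        with open(os.path.join(root, "report.docx.locked"), "wb") as fh:
            fh.write(os.urandom(4096))  # stands in for ciphertext (constructed)
        with open(os.path.join(root, "photo.jpg"), "wb") as fh:
            fh.write(os.urandom(4096))  # compressed media: entropy alone is not proof
        return dict(scan_tree(root))
```

In practice the two signals are combined with a write-rate check (many files rewritten per second) before raising an alert, since archives and media hit the entropy rule on their own.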
The user is typically given detailed instructions on how to complete the payment. In many cases they need to provide their unique infection ID to the hackers in order for them to release the private keys. However, security experts strongly advise users not to fall for this trap, as in many cases the hackers have not released the decryption key, leaving the machines permanently compromised and damaged. The only way of efficiently restoring the files and deleting the ransomware and other malware installed on a compromised system is to use an efficient and trustworthy anti-malware tool.
What Can We Expect in Future Ransomware Attacks
The recent ransomware attacks have given security researchers and specialists the ability to interpret where ransomware attacks are headed. From the statistics and the many analyses of compromised networks, distribution methods and increased activity, we can deduce that the following trends are the highlights of current ransomware development:
- An Increase in Ransom Fees – Some of the recently identified malware samples have increased the requested sum from 1 Bitcoin to higher amounts. Many of them also demand a custom sum that is calculated depending on the contents of the affected files and their value.
- Targeted Attacks – The massive data breaches witnessed in the last few months have provided a lot of source material that hackers can employ. Using personalized messages they can now easily target victims that are part of a single company or organization.
- Development of Ransomware for Alternative Platforms – Desktop users are no longer the only platform that the hackers target. One of the headline stories last month was the Umbreon Rootkit, which targets both the x86 and ARM architectures.
Ransomware Attack Management
This week security experts have received a report that the total number of ransomware families has reached 200. This milestone increase proves how dangerous this type of malware is, and is further proof that the attackers continue to refine and develop dangerous strains. The fact that ransomware can inflict hundreds or thousands of dollars in financial damage shows that prevention is necessary to guard against infections.
System administrators need to employ a variety of techniques to ward off possible ransomware attacks. These include the following security measures:
- Good Password Security Policy – We have written on numerous occasions about how weak passwords can lead to security intrusions. Furthermore, password management can be troublesome for some users. Our best advice is to abide by a good password policy and use a password manager. You can read our tutorial on using KeePass to store and manage your passwords.
- Amend Software Vulnerabilities – Carefully monitor all installed applications and update them whenever a security patch is released. This includes not only local desktop machines, but also all servers and network appliances.
- Educate Computer Users – Referring to trustworthy security sites for the latest information is a good practice. We aim to be one of the best online resources for accurate and in-depth information.
- Endpoint Protection – Using good anti-virus and anti-spyware solutions can efficiently prevent and remove all advanced malware threats, including ransomware variants. We recommend an industry-leading product that has proven to be the best at handling all kinds of infections.