Holding data for ransom is a relatively new criminal model, but it has grown quickly, and attackers across the world have raked in millions of dollars. The traditional approach, which involves breaking through the security layer, penetrating the system, taking it over and then selling the data, is done away with. Instead the data is encrypted with public-key cryptography. Files on local, mapped and removable drives are enumerated and those of certain types are encrypted, typically documents such as Office files, PDFs and CSVs. Most families use a hybrid scheme: each file is encrypted with a symmetric key, and that key is in turn encrypted with the attacker's public key, so only the holder of the matching private key can recover the files. That private key is held by the attacker, and the victim is coerced into paying a ransom in exchange for it. A ransom note is presented to the victim when he or she tries to access any of the files.
Attacks usually unfold in three stages. First, a compromised site or file carries an exploit kit, typically Angler or Nuclear, which redirects the victim to download the malware from a shady site. Next, the malware executes and encrypts the files. At the same time, ransom notes are written into each affected folder, and often a randomly named registry key is created to keep track of the encrypted files.
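The encryption stage above leaves two loud traces on the endpoint: the same note file dropped into folder after folder, and a burst of files renamed to one new extension. The following detector is an added example, not code from the original article or from any vendor; it assumes a feed of (process, action, path) tuples such as an endpoint agent would emit, and the event log it runs over is constructed inline. The thresholds are assumptions to be tuned against your own baseline.

```python
"""Flag ransomware-like file activity in a stream of endpoint file events.

Added example, not from the original article. Assumes an agent that reports
(process_name, action, path) where action is "create", "write" or "rename";
for "rename" the path is the NEW name. Thresholds below are assumptions.
"""
import ntpath  # handles Windows paths on any platform
from collections import defaultdict

# Constructed sample telemetry (not real data): a benign editor saving a file,
# and a process encrypting files on local, mapped and removable drives while
# dropping a note in every folder it touches.
SAMPLE_EVENTS = [
    ("word.exe", "write",  r"C:\Users\alice\Documents\report.docx"),
    ("word.exe", "create", r"C:\Users\alice\Documents\~$report.docx"),
    ("evil.exe", "rename", r"C:\Users\alice\Documents\report.docx.locky"),
    ("evil.exe", "create", r"C:\Users\alice\Documents\_HELP_instructions.txt"),
    ("evil.exe", "rename", r"C:\Users\alice\Documents\budget.xlsx.locky"),
    ("evil.exe", "rename", r"C:\Users\alice\Pictures\holiday.jpg.locky"),
    ("evil.exe", "create", r"C:\Users\alice\Pictures\_HELP_instructions.txt"),
    ("evil.exe", "rename", r"Z:\shares\finance\q1.pdf.locky"),
    ("evil.exe", "rename", r"Z:\shares\finance\q2.pdf.locky"),
    ("evil.exe", "create", r"Z:\shares\finance\_HELP_instructions.txt"),
    ("evil.exe", "rename", r"E:\usb\notes.txt.locky"),
    ("evil.exe", "create", r"E:\usb\_HELP_instructions.txt"),
]


def score_processes(events, note_min_dirs=3, rename_min=5):
    """Return {process: [indicator, ...]} for processes that look like ransomware.

    Indicator 1: one filename created in >= note_min_dirs distinct folders
                 (ransom-note spraying).
    Indicator 2: >= rename_min files renamed to the same new extension
                 (mass re-extension after encryption).
    """
    note_dirs = defaultdict(lambda: defaultdict(set))  # proc -> name -> {dirs}
    new_exts = defaultdict(lambda: defaultdict(int))   # proc -> ext -> count

    for proc, action, path in events:
        directory, name = ntpath.split(path)
        if action == "create":
            note_dirs[proc][name.lower()].add(directory.lower())
        elif action == "rename":
            ext = ntpath.splitext(name)[1].lower()
            if ext:
                new_exts[proc][ext] += 1

    findings = defaultdict(list)
    for proc, names in note_dirs.items():
        for name, dirs in names.items():
            if len(dirs) >= note_min_dirs:
                findings[proc].append(
                    f"note-like file {name!r} dropped in {len(dirs)} folders")
    for proc, exts in new_exts.items():
        for ext, count in exts.items():
            if count >= rename_min:
                findings[proc].append(
                    f"{count} files renamed to extension {ext!r}")
    return dict(findings)


if __name__ == "__main__":
    for proc, indicators in score_processes(SAMPLE_EVENTS).items():
        print(proc)
        for line in indicators:
            print("  -", line)
```

In a real deployment the two counters would be kept per process over a sliding time window rather than over a whole batch, and a hit on both indicators from one process is a strong enough signal to suspend that process and snapshot the volume before it reaches the mapped drives.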
A user is left with four options:
- Pay the ransom
- Restore from backup
- Lose the files
- Brute force the key (realistic only when the malware's cryptography is flawed, for example a weak, predictable or reused key; a properly generated 2048-bit RSA or 128-bit AES key cannot be brute forced)
Should the victim agree to pay, the attacker usually demands a payment averaging between 500 and 700 USD in Bitcoin. The size of the ransom varies with the number of encrypted files, and if the victim fails to pay within the stated deadline the ransom is doubled or tripled.
How it happens
Email remains the vector for many of these attacks because of the ease with which they succeed. The usual lures are malicious Office documents and drive-by downloads. The documents are sent to victims claiming to be an invoice or a fax. When opened, the content appears protected, and the user is told to follow instructions, sometimes in a second document, to enable it. Once the user follows the steps the macro runs, the payload is delivered and the infection begins. Typically the real file type, a macro-enabled .docm, is masked with a .doc extension. Domain shadowing is another way to infect users: the malware is served from a randomly generated subdomain of a legitimate domain. The attacker compromises the account that controls the domain's DNS records, registers many subdomains, and then uses those for the attack.
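Both delivery paths in the paragraph above can be checked at the gateway without executing anything: a macro-enabled Office file is an OOXML zip that contains a VBA project whatever its extension claims, and a shadowed subdomain is a never-before-seen, random-looking label under an otherwise normal domain. The code below is an added example, not from the original article; the sample attachment and hostnames are constructed inline, the `known_subdomains` list stands in for a real history of the domain's labels, and the length and entropy thresholds are assumptions.

```python
"""Gateway checks for macro-enabled attachments and shadowed subdomains.

Added example, not from the original article. Assumes the inspector gets the
raw attachment bytes plus the claimed filename, and the hostname of any URL
seen in mail or proxy logs. Sample inputs are constructed; thresholds and
the known_subdomains baseline are assumptions.
"""
import io
import math
import zipfile
from collections import Counter


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Word stores VBA code in this OLE stream inside the zip.
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def has_vba_macro(data: bytes) -> bool:
    """True if the bytes are an OOXML zip carrying a VBA project."""
    if not data.startswith(b"PK\x03\x04"):
        return False  # legacy OLE2 .doc needs a different parser (e.g. olevba)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.lower().endswith("vbaproject.bin") for n in names)


def extension_lies(filename: str, data: bytes) -> bool:
    """Flag a .doc/.docx filename wrapped around a macro-enabled package."""
    claimed = filename.rsplit(".", 1)[-1].lower()
    return claimed in {"doc", "docx"} and has_vba_macro(data)


def _entropy(label: str) -> float:
    """Shannon entropy in bits per character of a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_shadowed(hostname: str,
                   known_subdomains=("www", "mail", "blog", "shop")) -> bool:
    """Heuristic for domain shadowing: an unknown, long, random-looking first
    label under a registered domain. Pair with a per-domain history in practice."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return False  # bare registered domain, nothing to shadow
    first = labels[0]
    if first in known_subdomains:
        return False
    digits = sum(ch.isdigit() for ch in first)
    return len(first) >= 8 and (_entropy(first) >= 3.0 or digits >= 3)


if __name__ == "__main__":
    print("invoice.doc with macro ->", extension_lies("invoice.doc", build_sample_docm(True)))
    for host in ("www.example-bakery.com", "k7f2q9xb3.example-bakery.com"):
        print(host, "->", looks_shadowed(host))
```

The extension check is the important one: Word opens a renamed .docm by sniffing its content, so a filter that trusts the .doc suffix is bypassed while one that looks for `word/vbaProject.bin` is not. The entropy heuristic will false-positive on long legitimate labels, which is why it is meant to be combined with the domain's own subdomain history rather than used alone.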
This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative variants were introduced, including Xorist, CryptorBit and CryptoLocker. In early 2016, a destructive variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand and Germany. Samas, another destructive variant, was used to compromise the networks of healthcare facilities in 2016. Unlike Locky, Samas propagates through vulnerable web servers.
True cost of the attack
Attackers never reveal how much ransom they collect, so investigations typically hit a dead end and investigating agencies are left to speculate. According to the FBI, victims reported about $18 million in losses between April 2014 and June 2015. The ransom actually paid may be negligible, but the associated costs, both monetary and reputational, can be colossal. Downtime, recovery expense, data loss and, where patient records are compromised, even risk to life are the true impact an organization absorbs after an attack. The initial impact may be considerable, but the long-term effects can be far costlier.
Who's doing it
The Gameover Zeus botnet, a peer-to-peer botnet built on components of the Zeus trojan, was responsible for many of these attacks as the distribution channel for CryptoLocker. The Russian cybercriminal Evgeniy Mikhailovich Bogachev, known online as "Slavik", "lucky12345", "Pollingsoon", "Monstr", "IOO" and "Nu11", was reportedly associated with Gameover Zeus. On February 24, 2015, the FBI announced a reward of $3 million for information regarding the alleged mastermind.
What's the solution
Adopting a multi-layered approach to security minimizes the chance of infection. Symantec's strategy protects against ransomware in three stages: