Ransomware is the most widespread cyber threat ever. As almost unanimously confirmed by cybersecurity reports, including the Clusit 2022 Report, this category of malware continues to prove the most profitable for cybercriminals. On a global scale we are witnessing the growth of increasingly complex business models, aimed at increasing the toxicity of the network and above all the amount of money obtained illegally from the victims of the attacks.

Faced with the rampant growth of the phenomenon, escaping the ransomware threat for good could prove increasingly difficult. Today it is becoming ever more important to balance efforts between preventive protection and the ability to respond effectively to attacks. It is advisable to know exactly how to behave should a ransomware attack infect our computer systems, in order to contain it, mitigate it and promptly render it harmless.

Conscious conduct towards the ransomware threat consists of good technological equipment in the field of cybersecurity, a thorough knowledge of one's own systems and proper education in IT hygiene.

What is ransomware

Ransom malware, more commonly known as ransomware, is malware that prevents regular access to data and systems in order to demand a ransom from the victim to make them accessible again.

Its story begins in the late 1980s, when ransomware began to spread in the form of deceptive strategies aimed at convincing victims that they had suffered an attack or had committed entirely imaginary crimes. Two types of malware that have met with mixed fortunes in this area are scareware and screen lockers.

Scareware displays fake infection warnings, followed by a scam offer to fix the problem. If the victim falls for this deception, he ends up actually opening the door to the thief, as the attacker effortlessly finds himself inside the network he intends to attack. Scareware are viral tools closely related to social engineering, the aim of which is to psychologically condition users into making an error which in most cases results in handing over access credentials to a service or system.

Attacks using screen lockers also belong to the category of social engineering and were particularly in vogue a few years ago, with even more grotesque dynamics. The malware displayed a fake screen bearing the credentials of an authoritative entity such as the FBI or other law enforcement agencies, with a message reporting that illegal activity had been found on the system, most of the time consisting of visits to sites related to pornographic content or software piracy. Obviously this notice refers to a completely false situation, but its nature is such as to condition an inexperienced user, to the point of intimidating him into paying what is presented as a fine intended to close the matter without further consequences.

The generational turnaround in the busy ransomware world, however, came in 2013 with Cryptolocker, which brought huge fortune to a threat that had actually existed before, despite having remained fairly latent on the network. Unlike the pioneering PC Cyborg and CpCode ransomware, which relied on rather weak encryption, Cryptolocker introduced decidedly more robust algorithms, practically impossible to decrypt without the corresponding key.

At this point the possible outcomes for victims boil down to two: paying the ransom, hoping the criminals keep their promise, or restoring systems and data from backups. This type of ransomware, especially in the forms we will examine later, has been a real boom for cybercrime, as the possibilities of monetizing malware have increased dramatically compared to what happened previously.

Ransomware attacks have gradually become more advanced and more capable of spreading, as we shall see, thanks to increasingly sophisticated organizations. 2017 was an extremely prolific year for the ransomware economy, thanks to the appearance of two authentic giants: WannaCry, which at the time exploited a sensational Windows vulnerability, and NotPetya, originally developed to target Ukraine and subsequently revealed as one of the most pandemic malware of all time. In 2019 the Maze ransomware ushered in the season of the double extortion threat. The rest is recent history.

How ransomware spreads

Ransomware falls within the generic malware context and therefore spreads through various methods, ranging from phishing to the action of botnets, without neglecting direct intrusion through vulnerabilities in the IT security perimeter. Rarer, but not negligible, are sabotage actions carried out by users authorized to access the affected systems.

Phishing

The most common method of spreading ransomware is phishing emails, a social engineering technique that has long been dominant in the distribution of malware in the broad sense. These are bogus emails that invite the recipient to click on a link or open attached content. Both of these actions result in the malware infiltrating the device. Although this is now generally well known, phishing attacks continue to enjoy great success thanks to their growing credibility. The fake emails are very accurate graphically and perfectly reproduce the supposed originals. Attackers also use databases to trace information about the potential victim, in order to get the timing of their scam right. It is not uncommon to receive a phishing email with a policy proposal close to the natural expiry of our car insurance contract, or one offering supposedly exclusive e-commerce discounts close to Black Friday, to mention two rather common circumstances.

Drive-by download

Another rather widespread method of spreading ransomware is the “drive-by download”, which is prepared by infecting sites that become real traps for their visitors. Such malicious sites can derive from the alteration of a legitimate site, often not kept up to date with security standards, or from the creation of an ad hoc site, which exploits browser vulnerabilities to auto-install malicious software on the devices used for browsing. This exploit is particularly widespread via banners and pop-ups that redirect navigation to infectious sites. One more reason to always activate pop-up blockers by default, and to avoid visiting sites whose reliability is not absolutely certain.

Cyber piracy: software cracks and keygens

Those who resort to software piracy are at great risk when they use the cracks and keygens needed to activate counterfeit versions of the software they intend to use. This practice lets you “save” even several thousand euros compared to purchasing genuine software, but the use of such cracks and keygens exposes you to enormous risks, as they are almost always malware distribution channels. In addition to the classic Trojans and spyware, the executable can also contain ransomware, with all the ensuing effects. There is no shortage of ransomware campaigns conducted through cracks of widely used software.

Baiting

Baiting is a method that involves various deceptive procedures built around an easy opportunity. This is the classic case of the infected USB stick that distributes malware every time it is connected to a computing device. Once again we are talking about an attack plainly based on social engineering, which consists of distributing USB keys containing malware as bait, to be found by unsuspecting users. The most inexperienced plug them into their systems to check their contents, without giving the slightest thought to opening the doors to the ransomware of the day. A similar dynamic occurs when you connect your own USB key to an infected device without thinking to run an antivirus scan.

Software vulnerabilities

The aforementioned WannaCry spread widely by exploiting a Windows vulnerability, specifically a flaw in the Windows Server Message Block protocol. The story is also curious: Microsoft released a patch in March, WannaCry began exploiting the flaw in May and found incredible success because the majority of users had not applied the patch. Just to reiterate the fundamental importance of threat intelligence. WannaCry was not the only ransomware to exploit flaws in the Redmond giant's software: those most attentive to cybercrime news will certainly remember the DearCry ransomware, which hit the mark thanks to a zero-day vulnerability in Microsoft Exchange Server.

Botnets and ransomware-as-a-service

Among the methods of large-scale dissemination, cybercriminal organizations set up so-called botnets, which consist in the silent installation of a controller on machines in order to establish a remote connection through which to control them. Botnets allow various objectives to be achieved, which in addition to the spread of malware include acquiring the firepower needed to carry out DDoS attacks or to illegally mine cryptocurrencies using the idle resources of the machine on which the controller is installed.

Botnets facilitate the spread of malware and are also used in ransomware-as-a-service business models, which allow anyone to rent, through special services on the dark web, complete kits with everything needed to conduct ransomware attacks, without particularly high skills and above all without having the firepower of an entire criminal organization at their disposal. The small fish of ransomware are contributing significantly to the toxicity of the network, often going unpunished, in the face of overall damage that is anything but negligible.

As for the geography of the attacks, reading the reports published by the main antivirus vendors, it is estimated that most ransomware is the product of Russian cybercriminal groups such as REvil, Trickbot and Conti, moreover often suspected of nation-state activity commissioned by the Kremlin and openly deployed against Anonymous and NB65 in the cyberwar between Russia and Ukraine.

Double Extortion Ransomware Attacks: The Most Critical Threat Businesses Face

Ransomware, understood as an agent capable of encrypting files, is today a tool for implementing a much more lethal criminal strategy that deserves a specific discussion: the practice of double extortion. It is less relevant to individual private users; its intended victims are companies and public bodies, contexts in which data has an intrinsic value that often exceeds its simple use.

Unlike the standard ransomware attack, double extortion involves the prior exfiltration of data, in a phase in which the victim remains completely unaware of the attacker's malicious presence within their systems. Criminals manage to infiltrate thanks to vulnerabilities in the corporate security perimeter, or by authenticating with the credentials of a legitimate user who is either the victim of a scam or a fraudulent accomplice of the initiative.

Once the data theft has been achieved, the cybercriminal proceeds to the violent phase of the attack, which involves encryption and the consequent blocking of systems and inaccessibility of data. At this point the victim is caught in a vice from which it is very difficult to escape. The double extortion ransomware threat is therefore much more complex to carry out, but at the same time much more critical to manage for those who unknowingly become its victims. While a ransomware attack based on blocking data and systems can be overcome by simply restoring a backup, a data breach cannot be taken as lightly.

The public dissemination or illegal transfer of a company's data can have serious legal consequences, arising from the reaction of its customers and from violations of the rules on data processing and storage (the GDPR in the European case), which carry heavy financial penalties. News that the company was unable to protect the data in its possession can now go viral within a few hours thanks to social networks. This negative publicity often causes significant reputational damage which, in addition to playing directly into the hands of competitors, leaves wounds that are very difficult to heal for the brand image.

The triple extortion ransomware attack has also recently spread, a more invasive variant of the traditional double threat, which consists in blackmailing, in addition to the victim company, also its customers and parties connected to its supply chain. This ransom demand is possible because the data leak suffered by the victim company also yields data belonging to these parties, who in turn become susceptible to a demand for payment in exchange for not disclosing the information illegally in the cybercriminals' possession.

This conduct is particularly ignoble as it also allows humanitarian associations to be targeted, to which many vulnerable people are connected, such as refugees or socio-politically persecuted individuals, who could be seriously affected by the publication of data about their situation. Such information would allow their countries of origin to retaliate with acts of violence or intimidation against them, as well as against loved ones who remained at home.

To pay or not to pay? That is the question

According to information released by law enforcement, paying the ransom is almost never a solution to the problem and often coincides with the onset of further problems. Very often cybercriminals do not keep their promise, and not only out of supposed cruelty, considering that they are unscrupulous characters: above all, the criminal tends to avoid leaving traces of activity that could allow law enforcement to trace his location by identifying the servers through which data traffic takes place.

This is why ransom payments are usually requested in cryptocurrencies, whose intrinsic privacy allows the transaction to be traced, but not directly to the identity of the parties involved. We must never forget that so-called ransomware gangs are forms of organized crime that collect several hundred million dollars every year from direct attacks and from the provision of services, such as using botnets to spread threats and renting out ransomware-as-a-service kits.

How to protect yourself from ransomware

Given that paying the ransom is a useless and counterproductive practice, which moreover encourages the growth of ransomware gangs, protection strategies against ransomware do not differ from common corporate cybersecurity practices, to which at least two or three specific measures should be added. Here we will limit ourselves to a series of practical suggestions, which can be implemented by any company with a minimum of care in the management of IT resources, even without specialized in-house IT security skills.

First of all, it is essential to know the geography of the entire computer system, in order to isolate threats should the security systems detect behavioral anomalies attributable to the action of malware. This is particularly relevant for isolating the most sensitive data from the exfiltration that cybercriminals could carry out before proceeding with encryption and the ransom demand. If the ransomware infection can be confined to peripheral machines, or to machines of little relevance in terms of the data they hold, the resulting damage is in fact very limited, as well as recoverable in a short time without significant downtime in the services provided. At the same time, good network mapping is extremely useful when,

Another very important precaution, especially when it comes to protecting yourself against double extortion attacks, is data encryption, i.e. anticipating the action of those who would like to play the same game to our detriment. If a data breach put an unusable copy into the criminal's hands, he would not know what to do with it, so the ransomware attack could be considered a failure as regards its main objective: monetizing against the victim. For this reason it is extremely important to encrypt robustly, especially backups, which often receive less attention from monitoring systems. If they remain accessible from the network, backups are a privileged target for criminals, who are well aware of companies' defensive conduct and its widespread fragility.
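Backups that stay reachable from the network are a target, so besides encrypting them it is worth being able to prove, from a system the intruder cannot reach, that the copies are still the ones you made. The following is an added example, not code from the original article: it builds an HMAC-keyed integrity manifest of a backup directory and re-checks it later. It assumes the backup set is a directory tree and that the HMAC key is stored off the backup host (the key, directory layout and file contents below are constructed for the demo); encryption of the backup data itself is left to the backup tool.

```python
"""Integrity manifest for a backup set, keyed with an HMAC secret.

Added example, not code from the original article. Assumes the backup set is
a directory tree and that the HMAC key is held off the backup host (e.g. on
the monitoring system), so that whoever can rewrite the backups cannot also
recompute a valid manifest.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_sha256(path):
    """SHA-256 of a file, read in 64 KiB chunks so large dumps do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def list_entries(backup_dir):
    """Map of relative path -> sha256 for every file under backup_dir."""
    entries = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            entries[os.path.relpath(full, backup_dir)] = file_sha256(full)
    return entries


def build_manifest(backup_dir, key):
    """Record every file's digest and authenticate the record with the off-host key."""
    entries = list_entries(backup_dir)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(backup_dir, manifest, key):
    """Check the manifest's HMAC first, then compare the tree against it."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    authentic = hmac.compare_digest(expected, manifest["hmac"])
    current = list_entries(backup_dir)
    recorded = manifest["entries"]
    return {
        "authentic": authentic,
        "modified": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "unexpected": sorted(p for p in current if p not in recorded),
    }


def demo():
    """Constructed scenario: a clean check, a tampered tree, and a forged manifest."""
    key = b"constructed-demo-key"  # in practice: a random key kept off the backup host
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "db"))
        with open(os.path.join(d, "db", "customers.sql"), "wb") as f:
            f.write(b"-- constructed dump\n")
        with open(os.path.join(d, "config.tar"), "wb") as f:
            f.write(b"constructed archive bytes")
        manifest = build_manifest(d, key)
        clean = verify_manifest(d, manifest, key)

        # A backup set that ransomware reached: one file overwritten, a note dropped.
        with open(os.path.join(d, "db", "customers.sql"), "wb") as f:
            f.write(b"\x00\x00not the dump any more")
        with open(os.path.join(d, "RESTORE_NOTE.txt"), "w") as f:
            f.write("constructed note")
        tampered = verify_manifest(d, manifest, key)

        # An intruder who rewrites the manifest to match the new tree, but has no key:
        # the entries agree with the files, yet the HMAC no longer verifies.
        forged = {"entries": list_entries(d), "hmac": manifest["hmac"]}
        forged_result = verify_manifest(d, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The third scenario is the reason for the key: a plain list of hashes stored next to the backups can be regenerated by whoever overwrote them, whereas the HMAC can only be recomputed by the system holding the key, which is why the check should run from there and not from the backup host.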

While the first two tips are in fact a sine qua non for avoiding serious damage in the event of a ransomware attack, we must not forget that most such intrusions occur through human error. To this end, it is advisable to consistently implement multi-factor authentication, even when not strictly required by regulation, as it is for example in the case of online banking and other situations in which the risk of fraud is substantial. In the same spirit it is advisable to adopt an antivirus system equipped with a password manager, to prevent devices from being irresponsibly compromised through the carelessness of the user who manages them.

What to do in case of ransomware infection

Broadly addressing the actions that should and could be taken when hit by ransomware would make little sense without focusing on the specific context in which the threat occurs. Instead of transcribing dozens of to-do items, all valid in themselves but not very detailed, we will focus on a series of behaviors that should always be supported by a logical approach. The essential condition is to acquire a clear and unambiguous mindset, which consists in responding to the attack.

A ransomware attack is an action that hides very specific objectives behind its destructive reach. Knowing the attacker's conduct is essential for initiating any investigative action. These aspects should always be built into an incident response plan (IRP), which contains the fundamental actions to be taken in the event of a cyber incident, with a specific section on ransomware.

Good practice is not to disconnect the infected machine from the network, but to isolate it from the segments where sensitive data are stored, in order to limit the propagation of the attack as much as possible, confining its malicious action to those contexts where the damage is more easily remedied. If we abruptly cut off communication between the infected machine and the attacker, the latter would notice that his action has been identified, and we would irreparably compromise the work of the incident response team (IRT) called in to investigate. The practical objective should therefore be to secure the network, isolating the affected machines, but letting the attacker remain convinced that his action is valid,

In this context, for many companies the NIS legislation imposes an obligation to notify the incident. Even when this is not explicitly required, as in the case of SMEs that do not operate in essential services or critical infrastructure, it would be at least advisable to report the fact to the police, providing all useful information to facilitate the identification of the cybercriminals behind the ransomware attack. For example, only thanks to a collaborative attitude is it possible to eradicate the threat of ransomware propagated through botnets.

This is without prejudice to the fact that many companies fear the media exposure that derives from reporting and the consequent dissemination of the news, with the risk of damage to their image. This is a completely legitimate concern, especially considering how the press and social networks often spread sources and information in an uncontrolled manner, which leaves the victim in a condition that substantially adds insult to injury. To this end, it would be important to equip the corporate communication team with a resource capable of managing this kind of crisis, disclosing controlled information to the press and avoiding as much as possible the emergence of speculation.

Returning to computer systems, the operations to be carried out from a practical point of view are essentially two. Once the diagnosis is complete and the timeline of the ransomware attack has been reconstructed in detail, it is possible to physically eradicate the threat and resolve the identified vulnerabilities. After successfully completing these steps, it is possible to restore the affected systems to the condition immediately prior to the attack, and to restore data from previously scheduled backups. If the company has a good business continuity plan, these operations usually guarantee a return to normal operations in a relatively short time, in any case consistent with the SLAs (service level agreements) that the company guarantees to its customers in the contracts for the provision of its services.

Having discovered how the attack occurred, resolved the vulnerability, eradicated the attack and restored the data and systems affected by the ransomware, it is advisable to proceed with careful monitoring. Since cyber attacks are very often conducted with automated procedures that always look for the same vulnerabilities, it is extremely likely that the attacker will try again to enter the network of a previously affected victim.

If we have done our incident response work well, we will notice an attempted break-in against one of the vulnerabilities we fixed after being attacked. Repeat attempts are conducted by cybercriminals on average within two or three weeks of the original incident, and post-incident monitoring generally lasts from two to three months, although there are no absolute rules. Each organization must in fact act according to its own sensitivity and skills.
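Post-incident monitoring is only useful if the indicators the investigation produced are actually turned into a check that runs over the logs for the following weeks. The following is an added example, not code from the original article, of such a check: it takes an incident record (the attacker addresses seen, the port of the service that was exploited and then patched, the URL prefix that was probed) and scans log lines for repeat attempts within a monitoring window of 90 days, in line with the two-to-three-month horizon above. The key=value log format, the addresses, the incident record and the 445/`/owa/auth/` indicators are all constructed for the demo (445 because the page discusses the SMB flaw WannaCry abused, `/owa/auth/` as a stand-in for an Exchange path); a real deployment would read its own firewall and web-server logs.

```python
"""Post-incident monitoring: re-attempt detector over constructed log lines.

Added example, not from the original article. Assumes a simple key=value log
format (constructed here) and an incident record with the indicators the
investigation produced: the source addresses seen, the port of the service
that was patched, and the URL prefix that was probed.
"""
from datetime import datetime, timedelta

# Constructed incident record: what the IRT learned from the original attack.
INCIDENT = {
    "contained_at": datetime(2023, 2, 14, 18, 0),
    "sources": {"203.0.113.7"},           # constructed attacker address (TEST-NET range)
    "patched_ports": {445},               # exploited and then patched service (SMB)
    "probed_prefixes": ("/owa/auth/",),   # constructed URL prefix probed in the intrusion
}

# Constructed log sample: firewall and web server lines, both in key=value form.
LOG_LINES = """\
2023-02-20T08:01:11 fw src=198.51.100.9 dst=10.0.5.21 dport=443 action=allow
2023-02-28T02:13:05 fw src=203.0.113.7 dst=10.0.5.21 dport=445 action=block
2023-02-28T02:13:06 fw src=203.0.113.7 dst=10.0.5.22 dport=445 action=block
2023-03-01T23:40:17 web src=192.0.2.44 path=/owa/auth/logon.aspx status=404
2023-03-01T23:40:18 web src=192.0.2.44 path=/owa/auth/x.aspx status=404
2023-03-02T09:15:00 web src=198.51.100.9 path=/index.html status=200
2023-06-30T11:00:00 fw src=203.0.113.7 dst=10.0.5.21 dport=445 action=block
"""


def parse_line(line):
    """'<iso timestamp> <log name> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts_str, log_name, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str), "log": log_name}
    for kv in kvs:
        k, _, v = kv.partition("=")
        rec[k] = v
    return rec


def match_indicators(rec, incident):
    """Return the list of incident indicators this record matches (empty if none)."""
    reasons = []
    if rec.get("src") in incident["sources"]:
        reasons.append("known attacker source")
    if rec.get("dport") and int(rec["dport"]) in incident["patched_ports"]:
        reasons.append("patched service port")
    if rec.get("path", "").startswith(incident["probed_prefixes"]):
        reasons.append("previously probed path")
    return reasons


def scan(lines, incident, window_days=90):
    """Alerts for every log record inside the monitoring window that matches an indicator."""
    start = incident["contained_at"]
    end = start + timedelta(days=window_days)
    alerts = []
    for line in lines.strip().splitlines():
        rec = parse_line(line)
        if not (start <= rec["ts"] <= end):
            continue  # outside the post-incident monitoring window
        reasons = match_indicators(rec, incident)
        if reasons:
            alerts.append({"ts": rec["ts"].isoformat(), "src": rec["src"], "reasons": reasons})
    return alerts


def sources_by_hit_count(alerts):
    """Which sources keep coming back, most active first (ties broken by address)."""
    counts = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    found = scan(LOG_LINES, INCIDENT)
    for a in found:
        print(a["ts"], a["src"], "; ".join(a["reasons"]))
    print(sources_by_hit_count(found))
```

Note that the blocked SMB attempts from the original source and the probes of the patched path from a new address are both reported: the second case is the one the paragraph above is about, since automated campaigns return to the same weakness from whatever infrastructure they happen to be using. The line dated 30 June falls outside the 90-day window and is ignored, which is the trade-off of a fixed monitoring period.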
