9 ways to recognize and beat ransomware attacks

Criminals turn to variants to extort payments, but vigilance can help prevent crises.



The prospects for IT security remain downright terrifying, particularly in light of the growing use of ransomware. A recent survey by Malwarebytes and Osterman Research suggests that an average of 4,000 ransomware attacks per day have occurred since early this year, up 300 percent over the number of daily ransomware attacks in 2015.

Proper defense against ransomware begins with understanding what it is, how it works, how it invades computer networks, and how best to prevent attacks or deal with potential impacts. Spirent Labs, a network and device security testing firm, has compiled a list of the 9 things to know about ransomware, including the targets, different types, and how computers and healthcare networks are affected by it.



1. What is Ransomware?

Ransomware is a type of malware that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. Ransomware has been around for several years; in recent years, however, attacks have increased and have become highly targeted and sophisticated. In the last couple of years, several thousand computers have been affected by ransomware, which is designed to extort money from users and organizations.



2. Types of Ransomware

Older versions: Locking type Ransomware

*  Deny or block access to computer or files.

*  Demand Ransom to unblock or to provide access.

*  On-screen Alert provides instructions to victim on how to provide payment and regain access.

Recent versions: File-Encrypting Ransomware

*  Encrypt user files with strong encryption such as RSA, AES etc.

*  Demand Ransom to decrypt files.

*  Onscreen Alert provides instructions to victim on how to provide payment and regain access.



3. Examples of Ransomware

Examples of Ransomware are: Crysis, CryptoLocker, CryptoWall, CTB-Locker, Locky, SamSam.exe, TorrentLocker, Teslacrypt and RAA. Here is a deeper definition of three common ones:

*  Trojan.Randsom.C is a type of Locking Ransomware that blocks users’ access to their computer and then demands a ransom fee, to be paid via phone, to restore access.

*  Reveton is locking Ransomware that fraudulently claims to be from a legitimate law enforcement authority. Reveton also tracks the geographic location of the victim and displays a country-based law enforcement message. For example, if it detects that the victim is in the U.S., it will display an alert that appears to come from the FBI. This Ransomware demands a “fine” to restore access.

*  RAA is one of the recent variants of encrypting Ransomware and is written completely in JavaScript. RAA is primarily delivered through phishing email with an attachment named .text.js. This file will be displayed as “filename.txt,” because most Windows machines are not configured to display file extensions. Once the user opens the file, the Ransomware starts encrypting files and displays a message with instructions to pay and decrypt files.



4. Ransom

The ransom demanded from victims varies greatly depending upon the victim and could be anywhere from a couple hundred dollars to several thousand dollars or more. To avoid traceability, the ransom is typically demanded in virtual currency such as Bitcoin.



5. Targets

The business of Ransomware has become highly professionalized with cybercriminals targeting not only home users, but businesses, educational institutions, hospitals, law enforcement and other government agencies as well.



6. How do computers or networks become affected by Ransomware?

Ransomware is commonly delivered through mass phishing emails with attachments pretending to be photos, reports, invoices, resumes or other business communications. Attachments are usually:

*  .zip file attachments which contain .exe files that are disguised as PDF, Word or Excel documents.

*  .js file attachments disguised using a multiple file extension technique such as filename.txt.js.

When the user opens the attachment, it will install the Ransomware, which will start encrypting data files. Ransomware also targets data files on any drive connected to the computer, including network shares or Dropbox mappings.
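The two attachment disguises described above (an .exe inside a .zip posing as a document, and the filename.txt.js double extension that RAA also relies on) can be flagged before delivery. The Python below is an added example, not code from Spirent Labs or the original article; the extension lists, function names and the sample archive are assumptions constructed for illustration.

```python
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists for this example; tune them to your own mail rules.
EXECUTABLE_EXTS = {".exe", ".js", ".jse", ".vbs", ".wsf", ".scr", ".bat", ".cmd"}
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def classify_name(name: str) -> str | None:
    """Return a reason string if the file name looks disguised, else None."""
    suffixes = [s.lower() for s in PurePosixPath(name.replace("\\", "/")).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        # With extensions hidden, Windows shows only the decoy part of the name.
        return f"double extension {suffixes[-2]}{suffixes[-1]}"
    return f"executable extension {suffixes[-1]}"


def scan_attachment(filename: str, data: bytes) -> list[str]:
    """Check the attachment name and, for .zip files, every member name."""
    findings = []
    reason = classify_name(filename)
    if reason:
        findings.append(f"{filename}: {reason}")
    if filename.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                reason = classify_name(member)
                if reason:
                    findings.append(f"{filename}!{member}: {reason}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a harmless archive with one disguised member name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice_2016.pdf.exe", b"placeholder, not a program")
        archive.writestr("readme.txt", b"harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_attachment("docs.zip", build_sample_zip()):
        print(line)
    print(scan_attachment("filename.txt.js", b""))
```

Only names are inspected here, so an archive that is password-protected or nested inside another archive still needs content-level scanning.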



7. Other popular methods of ransomware delivery include:

Drive-by downloading

*  Drive-by downloading occurs when an unsuspecting user simply visits a compromised website and the malware is downloaded and installed without the user’s knowledge.

*  Usually the drive-by download exploits a known security weakness in the browser, plug-ins, or OS.

Malvertising

*  Involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and web pages.

*  Malware silently travels through the advertisement. This is dangerous because it does not require user action to compromise the system and it does not depend on a vulnerability on the website it is hosted from.



8. Enterprises prove to be lucrative targets

*  Enterprise-targeted Ransomware attacks have started to become mainstream.

*  Newer methods of Ransomware infection include exploiting vulnerable web servers as an entry point to gain access into an organization’s network.

*  Enterprises have many users to target, and it could take only one innocent click to infect the entire enterprise with Ransomware.



The Impact of a Ransomware attack varies based on the target.

Here is a list of the most common effects:

*  Temporary or permanent loss of personal information or an organization’s proprietary information.

*  Financial losses to recover personal files, or financial losses due to business disruption

*  Reputation damage to individual or organization


