Let’s start with the basics: What is ransomware? Ransomware is software used to maliciously block or impede access to a system until a certain sum is paid. Once the financial demands are met, the malicious party will, in theory, release control of the targeted system and give it back to the original owners.
There are three pieces that, when put together, fully define what ransomware is and illustrate how a ransomware attack works. These also show some of the common gaps in security, as well as the pitfalls of negotiating with nefarious parties.
Release of Control
The most common ransomware infection occurs when a user visits a security-compromised website. A popular method attackers use sends a targeted and seemingly safe phishing email that contains a link to a website that hosts the ransomware code. This form of attack, also known as “social engineering,” does everything possible to look legitimate and make its message almost impossible to ignore.
The ransomware attack code is designed to target systems through one of many commonly known software or operating system vulnerabilities. Additional forms of ransomware infections are specifically focused on users with higher levels of permissions, such as administrators, to inject malicious code. Any of these can allow an attack to proceed undetected until it’s too late to prevent or proactively respond to it.
Once the code has been delivered and executed on a system, one of two things happens. Locker ransomware locks users out of the system entirely. Crypto ransomware encrypts the data itself with strong cryptographic keys that only the attacker holds, so the files remain present but unreadable. A ransomware attack may cause widespread damage or target specific file or system types, such as SQL databases or Microsoft Office files.
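As an added illustration of the crypto-ransomware behaviour described above (example code written for this article, not code from the original page), the following Python detector flags a burst of high-entropy rewrites to the file types ransomware commonly targets, such as SQL databases and Office documents. The thresholds, file paths and write events are all constructed for the example; a real deployment would feed it file-server or EDR write telemetry.

```python
import math
import random
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical policy values chosen for this example; tune them against your own baseline.
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".mdf", ".bak", ".sql"}
ENTROPY_THRESHOLD = 7.2          # bits per byte; encrypted output approaches 8.0
BURST_THRESHOLD = 5              # this many high-entropy rewrites of target files ...
WINDOW = timedelta(seconds=60)   # ... inside this time span raises one alert


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_target_extension(path: str) -> bool:
    return any(path.lower().endswith(ext) for ext in TARGET_EXTENSIONS)


def detect_encryption_bursts(events, window=WINDOW, burst=BURST_THRESHOLD):
    """events: iterable of (timestamp, path, new_content_bytes) file-write records.

    Returns one alert dict per burst, emitted the moment a sliding time window
    first holds `burst` high-entropy writes to files with a targeted extension.
    """
    suspicious = sorted(
        (ts, path) for ts, path, content in events
        if has_target_extension(path) and shannon_entropy(content) >= ENTROPY_THRESHOLD
    )
    alerts, start = [], 0
    for end in range(len(suspicious)):
        while suspicious[end][0] - suspicious[start][0] > window:
            start += 1                      # slide the window forward
        if end - start + 1 == burst:        # fires once, when the window reaches the threshold
            alerts.append({
                "start": suspicious[start][0],
                "end": suspicious[end][0],
                "files": [p for _, p in suspicious[start:end + 1]],
            })
    return alerts


def _pseudo_random_bytes(n: int, seed: int) -> bytes:
    """Stand-in for ciphertext in the sample data; seeded so the example is reproducible."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample events (not real telemetry).
T0 = datetime(2021, 7, 2, 14, 0, 0)
BENIGN_EVENTS = [
    (T0, r"C:\Users\alice\notes.txt", b"meeting notes, action items\n" * 200),
    (T0 + timedelta(seconds=5), r"C:\Data\orders.sql",
     b"SELECT id, total FROM orders WHERE paid = 1;\n" * 100),
    # One Office file with compressed (high-entropy) content: alone it never reaches the burst threshold.
    (T0 + timedelta(seconds=9), r"C:\Users\alice\report.docx", _pseudo_random_bytes(4096, 1)),
]
_ENCRYPTED_PATHS = [
    r"C:\Data\customers.xlsx", r"C:\Data\q2_deck.pptx", r"C:\Data\finance.mdf",
    r"C:\Data\nightly.bak", r"C:\Data\schema.sql", r"C:\Users\alice\memo.docx",
]
# Six target files rewritten with ciphertext-like bytes, four seconds apart: the ransomware pattern.
ATTACK_EVENTS = BENIGN_EVENTS + [
    (T0 + timedelta(seconds=30 + 4 * i), path, _pseudo_random_bytes(4096, 100 + i))
    for i, path in enumerate(_ENCRYPTED_PATHS)
]

if __name__ == "__main__":
    for alert in detect_encryption_bursts(ATTACK_EVENTS):
        print(f"{alert['start']:%H:%M:%S}-{alert['end']:%H:%M:%S}: "
              f"{len(alert['files'])} high-entropy rewrites", *alert["files"], sep="\n  ")
```

Entropy alone is a noisy signal: modern Office formats are zip containers and are already high-entropy, which is why the example only alerts on a burst of such writes within a short window rather than on any single file. In practice this check is combined with other indicators the page describes, such as files being renamed to a new extension and ransom-note files appearing in each directory.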
In almost every case, the user or owner of a targeted system will receive instructions on how to regain access. This information is most commonly received via an instruction screen on the affected system or through email. In all cases, a ransom is clearly presented, as are the preferred denomination and payment method, sometimes along with a deadline for the ransom payment.
Whether to negotiate with criminal parties is a gray area. Although submitting a ransom payment may be the only way to recover valuable information, it can create an ethical dilemma. It’s best to work with law enforcement when determining a response.
Release of Malicious Control
If the terms of a ransom have been met, the return of data control back to the owner gets muddy. Sometimes the decryption code is provided, and in other cases, the attacker triggers a release of code remotely. However, in some cases, the attackers simply take the money and run. They may even destroy the compromised data and any potential traces of code to avoid forensic analysis or detection. It’s this uncertainty that adds yet another layer of risk to a ransomware breach.
The History of Ransomware
Where does ransomware come from? And how did ransomware become so prevalent? Ransomware got its start more than 30 years ago when, in 1989, the “AIDS” Trojan horse (or PC Cyborg Trojan) appeared. Although other forms of ransomware emerged throughout the 1990s, such as the von Solms-Naccache scenario in 1992, the impacts were limited due to the lack of interconnectivity between systems, whether business, consumer, or government.
This all changed in 2010, when the emergence of cryptocurrency like Bitcoin, smartphones, and hyperconnectivity created a perfect storm in which ransomware could thrive. Cryptocurrency allowed for better anonymity in receiving ransoms. New levels of connectivity made it easier to disperse code faster and provided access to websites such as LinkedIn to generate a precise list of targets. And all of this could now be run from an attacker’s smartphone, making the source of the attack more difficult to pinpoint.
The numbers behind the growth of ransomware attacks are startling. In the first half of 2021 alone, ransomware attacks increased by 93%. These attacks are also becoming more visible, with notable incidents such as the DarkSide attack on Colonial Pipeline and the REvil attack on Kaseya making headlines.
Like most forms of malware, ransomware is appearing in new variants. The most prevalent is one in which the malicious party takes possession of information and threatens to release it to the public. These attacks, called leakware or doxware, can severely impact confidential information as well as an individual’s personal information.
The Ransomware Ecosystem
The ransomware ecosystem is largely self-contained and is capable of powering itself. In other words, it has become its own unique economy, complete with innovation and investment opportunities. The resources and tools necessary for carrying out a ransomware attack have been simplified as a result, opening the formulation of these attacks to a wider, nontechnical audience.
Ransomware as a Service (RaaS) is a popular way this has been accomplished. RaaS is an adaptation of Software as a Service (SaaS). Like SaaS, RaaS is a subscription-based model that provides ransomware tools in exchange for giving the developer a portion of the proceeds. This removes the coding requirement for many attackers, which has been instrumental in fueling the explosion of ransomware attacks in recent years.
TOOLS OF THE TRADE
Attack tools used will vary. However, the growing prevalence of exploit kits such as Globe Ransom Builder introduces a new twist. These tools allow users to build a ransomware tool to suit attackers’ exact needs or to modify an existing ransomware tool. The increasing availability of these toolkits makes it certain that the market for ransomware tools will continue to heat up.
Ransomware Is Big Business
The financial windfalls a malicious party can gain through a ransomware attack mean this isn’t going away anytime soon. Attackers sought $70 million from Kaseya, while Colonial Pipeline paid out $5 million in Bitcoin, though the FBI was able to recover $2.3 million in Bitcoin shortly after the ransom was paid.
A Growing Market
The potential for financial gain in the ransomware marketplace has seen an interesting trend develop where attackers have started to attack each other. These attacker-versus-attacker incidents are expected to increase as the amount of money collected through successful attacks continues to grow. This will only add to the complexity of the ransomware market.