Ransomware Attacks

Ransomware is a type of malware that holds personal data for ransom. In recent years, viruses are no longer the only threat to organizations; ransomware is too. System administrators everywhere are doing their best to prevent ransomware attacks.

This article will provide you with an overview of a ransomware attack.

What is ransomware?


Ransomware is malicious software that encrypts victims’ information and then prevents or limits users from accessing their system or personal files. Users have to pay a ransom to regain access. Ransomware is also known as ransom software or ransom malware.

Victims have to pay a ransom of $150-$500 per personal computer. For organizations, this number can reach thousands of dollars. Hackers often ask for payment in bitcoin or by bank transfer. Recently, hackers have tended to demand bitcoin because it is secure and hard to trace.

Difference between viruses and ransomware

“Virus” is a well-known term, so many people call all malicious code a virus, including ransomware. Viruses and ransomware are two different things.

Both are malicious code, but a virus is malware that spreads quickly and uncontrollably, while ransomware is software designed to “extort the victim”. To spread ransomware, criminals usually use a phishing attack to lure victims.

Because of these different characteristics, only a few malicious programs are both virus and ransomware. Such “virus ransomware” is ransom software that can spread easily on its own. WannaCry is a well-known example.

How does ransomware work?

Your computer is at risk of ransomware if you:

– Use cracks of unknown origin

– Open files attached to an email (such as a Word or PDF document)

– Visit disreputable websites

– Visit scam websites

Beyond these, many other infection methods depend on the creativity of the attackers.

Types of Ransomware

A personal computer is often infected by ransomware after only one click. Hackers create ransom files that look harmless, like a Word, Excel, or PDF file, but these files are actually executables (.exe). Once users click on them, the files run immediately. There are three main types of ransomware: Encrypting, Non-encrypting, and Leakware. Recently, new variants have appeared on mobile devices (Android and iOS), IoT devices, and even DSLR cameras.

Encrypting Ransomware

Encrypting ransomware is the most common type. Hackers encrypt users’ data (files and folders) to prevent users from accessing it. Encrypting ransomware is also known as crypto ransomware.

After penetrating your computer, it secretly connects to the hackers’ servers. Then two keys are created: a public key to encrypt your files and a private key to decrypt them. The file extensions are changed, which causes errors when the user tries to open the files.

After encrypting, crypto ransomware displays a notification on your screen. This notification informs victims about the attack and the ransom. In some cases, hackers put more pressure on victims by limiting the payment time. After that, the decryption key will be destroyed or the ransom will increase.
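The two symptoms described above, files renamed to an unknown extension and contents that no longer look like documents, can be checked for on disk. The following Python script is an added example, not code from the original article: it computes the Shannon entropy of each file (encrypted data is close to 8 bits per byte, while text and office documents are much lower) and flags files where a document extension is followed by an extra suffix such as `.docx.locked`. The list of document extensions, the 7.5-bit threshold, the 50% alert ratio and the sample files it builds in a temporary directory are all assumptions chosen for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions a legitimate user document is expected to end with (assumed list).
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, close to 8.0 for
    encrypted or random data, typically 3-6 for text and office documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path, threshold: float = 7.5, sample_size: int = 65536) -> bool:
    """Read the first sample_size bytes and compare their entropy to the threshold."""
    with Path(path).open("rb") as fh:
        return shannon_entropy(fh.read(sample_size)) >= threshold


def suspicious_extension(path) -> bool:
    """True when a document extension is followed by an extra, unknown suffix,
    e.g. report.docx.locked: the renaming pattern described in the article."""
    suffixes = [s.lower() for s in Path(path).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-2] in DOCUMENT_EXTS
            and suffixes[-1] not in DOCUMENT_EXTS)


def scan_directory(root, alert_ratio: float = 0.5):
    """Walk root and return (flagged_paths, alert). A file is flagged only when
    both symptoms coincide; alert is raised when the flagged share of all
    files reaches alert_ratio, which is what mass encryption looks like."""
    flagged, total = [], 0
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        total += 1
        if suspicious_extension(path) and looks_encrypted(path):
            flagged.append(path)
    alert = total > 0 and len(flagged) / total >= alert_ratio
    return flagged, alert


def build_sample_tree():
    """Constructed sample data (not real ransomware output): two ordinary
    documents and two random-byte files that show the encrypted-and-renamed pattern."""
    root = Path(tempfile.mkdtemp(prefix="ransomware-demo-"))
    (root / "notes.txt").write_bytes(b"quarterly planning notes\n" * 200)
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"document content " * 200)
    (root / "budget.xlsx.locked").write_bytes(os.urandom(8192))
    (root / "photo.jpg.locked").write_bytes(os.urandom(8192))
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    hits, alarm = scan_directory(demo_root)
    for hit in hits:
        print(f"suspicious: {hit.name}")
    print("ALERT: possible ransomware activity" if alarm else "no alert")
```

Requiring both symptoms keeps false positives down: a genuine `.docx` is itself a ZIP container and therefore has high entropy, but it is not flagged because its extension is unchanged. Run periodically over a file share, a jump in the flagged ratio is an early signal that encryption is in progress.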

Non-encrypting ransomware

Non-encrypting ransomware, also known as locker ransomware, does not encrypt the victims’ files. Instead, it locks users out of their devices. The victims cannot do anything except turn the screen on and off. On the screen, the hackers show detailed payment instructions for resolving the situation.

Leakware (Doxware)

Leakware is ransomware that threatens to publicly disclose information unless a ransom is paid. Many people are used to storing sensitive data on a personal computer, so when this happens, victims may panic and pay the ransom.

Mobile ransomware

With the widespread use of smartphones, ransomware has appeared on mobile devices. Mobile ransomware is usually of the non-encrypting (locker) type rather than the encrypting type: it blocks users from accessing their files. The underlying reason is that mobile data can be restored by online sync, which makes encryption less effective as leverage.

Mobile ransomware usually targets the Android operating system, because this system allows the installation of apps from third-party sources. When users install an APK file containing mobile ransomware, there are two scenarios:

  • A pop-up appears that blocks users from all applications
  • Clickjacking tricks users into granting administrator access by accident. The ransomware can then access the system and carry out various abuses

For the iOS operating system, hackers have to use more complicated strategies, for example compromising the victim’s iCloud account and using the “Find My iPhone” feature to lock the device.

Ransomware in IoT and DSLR devices

Recently, researchers have shown that ransomware can run on the ARM architecture. IoT devices, including industrial IoT (IIoT) devices, can be targets too.

In 2019, researchers showed that hackers could attack DSLR cameras with ransomware. A simulated attack demonstrated at the DEF CON security conference in Las Vegas proved it.

Digital cameras often use the Picture Transfer Protocol (PTP), and cybercriminals can exploit vulnerabilities in PTP to attack DSLR cameras.

Major ransomware attacks around the world

Kaseya VSA

On 2 July 2021, many managed service providers became victims of a ransomware attack by the REvil group. The attack caused widespread downtime for over 1,000 companies. The hackers targeted Kaseya Limited, an American software company.

The REvil ransomware gang claimed to have encrypted more than one million systems. They initially asked for a $70 million ransom payment. On 5 July, Kaseya reported that between 800 and 1,500 downstream businesses were affected by the attack.

Colonial Pipeline

On May 7, 2021, Colonial Pipeline suffered a ransomware attack by the DarkSide group. The attack affected computerized equipment managing the pipeline. Colonial paid 75 bitcoin (about $4.4 million) within several hours to restore the system, but the restoration process took a very long time to get the system back up. It was the largest cyberattack on oil infrastructure in the history of the United States.

WannaCry

The WannaCry ransomware attack was a worldwide cyberattack in 2017 that targeted the Microsoft Windows operating system. The hackers encrypted data and asked for a ransom payment in bitcoin. The attack was halted within a few hours, but the consequences were serious. It was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars.

Ransomware targets

Enterprises

Enterprises are top targets of ransomware attacks. Hackers tend to choose thriving firms with weak security. Such enterprises are financially healthy, so they are likely to pay the ransom.

Health – government – education organizations

Some types of organizations are also targeted because hackers believe they can pay the ransom quickly. For example, government agencies and health organizations need constant access to their databases; law firms hold a lot of sensitive information; and education organizations hold a huge amount of user information but have a small security team. They are all potential targets of a ransomware attack.

Individuals

Besides organizations, ransomware attacks also target individuals. Cybercriminals often target the CEOs, founders and managers of big firms. Hackers believe that those people will pay a large sum for their important data.

However, that does not mean other individuals are safe from ransomware attacks. Anyone can be a victim of ransomware. Many types of ransomware spread automatically, and a single click can cause serious consequences.

Mitigating ransomware attacks

Should we pay the ransom?

What ransomware hackers care about most is money. If you give an inch, they take a mile. Moreover, you are dealing with criminals, so the deal is not fair: paying the ransom does not guarantee that you will get your data back. Therefore, experts and governments recommend not paying the ransom. Instead, contact cyber security experts to resolve the situation at the lowest possible cost.

How to remove ransomware?

If you are on a company network, disconnect the infected machine immediately. This helps prevent the ransomware from spreading to other devices on the network.

If your computer is not locked, you can try the following: boot into safe mode, run an antivirus program, or manually uninstall the malware.

If your computer is locked, removing the ransomware is more complicated. You should ask for advice from an expert or a security firm.

Restoring the data

For well-known ransomware families, some experts have developed decryption programs that help users recover their data. Creating such programs requires a certain level of expertise. If you are interested in them, look at No More Ransom and Free Ransom Decryptors.

However, hackers’ tricks are increasingly sophisticated, so the behaviour of ransomware is unpredictable. When new ransomware spreads, most victims cannot restore their data. The most important thing, then, is knowledge of how to defend against ransomware. Learn it as soon as possible to avoid regrettable situations.

How to prevent ransomware attacks?

Data backup

First of all, you need to back up your data regularly. If you have a huge amount of data, an external hard drive is a perfect choice. For less than 50 GB of data, you can choose a cloud storage service such as Dropbox, Google Drive, Mega, or OneDrive. If you work with important data every day, you should back it up daily. In the event of a ransomware attack, you then do not need to worry about losing your data.

Update software regularly

Software updates often include security patches, so they protect your data better. Pay particular attention to keeping your browser, Flash, and Java up to date.

Anti-virus software is another essential program to keep an eye on. If your computer does not have an anti-virus program, install one as soon as possible. Some trustworthy programs are Kaspersky, Norton, McAfee, ESET, and Windows Defender. If you have already installed an anti-virus program, update it frequently. An anti-virus program helps you detect malicious programs like ransomware, and at the same time it prevents unknown applications from running on your computer.

Be careful with attached files

Disguised attachments are a common trick used by hackers. They send an email or Facebook message with downloadable files attached, and the files seem important or attractive to the victim. Once downloaded, the files appear to be .docx, .xlsx, .pptx, or .pdf documents, but they are actually executable files (.exe). As soon as the user clicks to open them, the malicious code is activated.

So you should carefully check the reliability of the email sender and content. If you have already downloaded a file, check its extension, or open it explicitly with Word, Excel, etc.; if it is actually an executable, the application will show an error. And never double-click to open an unknown file.
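The manual check above (look at the extension, open the file with the matching application) can be automated by comparing the file name with the file’s leading bytes. The Python script below is an added example, not code from the original article: it reads the first bytes of a downloaded attachment, recognises native executable headers (`MZ` for Windows programs, `\x7fELF` for Linux), verifies that a file claiming to be `.docx`/`.xlsx`/`.pptx` (all ZIP containers) or `.pdf` actually starts with that format’s signature, and reports names such as `invoice.pdf.exe` where an executable extension hides behind a document one. The signature table, the list of executable extensions and the sample files it constructs are assumptions for the demonstration; none of the samples is a real program.

```python
import tempfile
from pathlib import Path

# File signatures (magic bytes) for the document formats named in the article.
# .docx/.xlsx/.pptx are ZIP containers, so they begin with the ZIP local-file header.
DOCUMENT_SIGNATURES = {
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".pdf": (b"%PDF-",),
}

# Signatures of native executables; a file starting with these is a program
# regardless of what its name says.
EXECUTABLE_SIGNATURES = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}

# Extensions Windows runs on double-click (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd"}


def detect_executable(head: bytes):
    """Return a description if the leading bytes belong to an executable format, else None."""
    for signature, description in EXECUTABLE_SIGNATURES.items():
        if head.startswith(signature):
            return description
    return None


def check_attachment(path) -> dict:
    """Classify a downloaded attachment by comparing its name with its content.

    verdict is one of:
      'executable'        content is a native executable
      'double_extension'  an executable extension hides behind a document
                          extension (e.g. invoice.pdf.exe)
      'mismatch'          the name claims a document type but the content does
                          not carry that format's signature
      'ok'                name and content agree
    """
    path = Path(path)
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    with path.open("rb") as fh:
        head = fh.read(8)

    executable = detect_executable(head)
    if executable:
        return {"verdict": "executable", "reason": executable}
    if ext in EXECUTABLE_EXTS and len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_SIGNATURES:
        return {"verdict": "double_extension", "reason": f"{suffixes[-2]} followed by {ext}"}
    if ext in DOCUMENT_SIGNATURES and not head.startswith(DOCUMENT_SIGNATURES[ext]):
        return {"verdict": "mismatch", "reason": f"content does not start with the {ext} signature"}
    return {"verdict": "ok", "reason": "name and content agree"}


def build_sample_attachments():
    """Constructed sample files (none is a real program): a genuine PDF and DOCX
    header, an executable header under a document name, a double extension,
    and a plain-text file mislabelled as PDF."""
    root = Path(tempfile.mkdtemp(prefix="attachment-demo-"))
    (root / "invoice.pdf").write_bytes(b"%PDF-1.7\n%constructed sample\n")
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 26)
    (root / "salary.docx").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # PE header bytes only
    (root / "invoice.pdf.exe").write_bytes(b"not really a program")
    (root / "memo.pdf").write_bytes(b"Just a text note, no PDF header\n")
    return root


if __name__ == "__main__":
    for sample in sorted(build_sample_attachments().iterdir()):
        result = check_attachment(sample)
        print(f"{sample.name:18} {result['verdict']:17} {result['reason']}")
```

The content check runs first on purpose: Windows hides known extensions by default, so a file displayed as “salary.docx” can still be a program, and only the bytes on disk settle the question. Anything other than `ok` should be treated as not safe to open.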