According to the 2019 Verizon Data Breach Report, ransomware is the 2nd most frequent malware attack behind command & control (C2) attacks. Email is still the top delivery mechanism for all malware, including ransomware. So how do we get users to stop clicking phishing links?
Pro tip: You can’t. Humans will do human things. So we have to approach the problem of ransomware differently. In this post, we will address the basics of ransomware, and explain how an automated detection and prevention system like Varonis is the way to go to prevent ransomware attacks from taking down the network.
What is Ransomware?
Ransomware is malware that encrypts the target victim’s data. The attacker then tries to get the victim to pay the ransom for the key to decrypt their files.
The first ransomware dates back to 1989, got distributed on floppy disks, and asked for a $189 ransom.
In 2019, the city of Baltimore got hit with a ransomware attack, which cost an estimated $18 million in recovery. As you can see, ransomware protection is critical.
But how exactly does ransomware work?
How Ransomware Works
Ransomware is a multi-staged attack that attackers have packaged in several different ways. The basics are usually the same. Infiltrate the target’s network, encrypt as much data as possible, extort for ransom.
1. Infection
First, attackers need to deliver the malware payload to the target. Most often, this is a simple phishing attack with malware in the file attachments. From here, the ransomware either works locally or tries to replicate itself to other computers on the network.
2. Security Key Exchange
Next, the malware reaches out to the attackers to let them know they have infected a victim and to get the cryptographic keys that the ransomware needs to encrypt the victim’s data.
3. Encryption
Now the ransomware does the encrypting of the victim’s files. It might start with the local disk and then try to probe the network for mapped shares or open shares to attack. The CryptoWall ransomware deleted Volume Shadow Copy files to make restoring from backup harder and looked for BitCoin wallets to steal. WannaCry used the EternalBlue vulnerability to spread to other computers and then perform the encryption.
4. Extortion
The victim is totally pwnd, and the attacker sends the ransom note. Usually, there is some dollar figure attached, and a BitCoin link with threatening messages like “pay us or your data gets it.”
It’s worth it to note that cryptocurrency enabled ransomware to become a lucrative profession. Now the lucrativeness of criminal activity is hard to quantify, but the frequency of attacks indicates that criminals see the upside in continuing to use these techniques.
Recently attackers have used the threat of data exposure as part of their extortion plot. Ransomware can not only encrypts the data in place, it can also exfiltrate the data back to the attackers! The threat becomes, pay us or we release your data.
How to Protect Against Ransomware: Basic Tips
In building a defense against ransomware attacks, there are things that individuals can do and things that enterprises can do to prevent the initial infection.
Don’t Click the Link!
I know, I know, you have heard that one before. But it is always worth repeating. Phishing emails delivered a large percentage of malware in 2019. Humans aren’t going to stop clicking the link, and I know this because I have clicked the link. So, as fallible mortal humans, we can at least be a little more skeptical of emails. And maybe that little bit of skepticism drops the amount of malware we allow to infect our companies. Check out our blog “The Anatomy of a Phishing Email,” and blow up the infographic and post it around your office.
Build Email Protections and Endpoint Protections
As the enterprise, we know that humans will click the link.
- Scan all emails for known malware strains, and keep firewalls and endpoint protections up to date with the latest known malware signatures.
- Notify users of out of network emails
- Provide VPNs for users to use outside of the network
Keep Backups
Both for enterprises and personal protection, keep current backups of your important data. The best and fastest way to thwart ransomware is by a quick re-image of the disk, and then a data restore from the last good backup – unless the attacks also exfiltrated the data, which is a different issue.
Protect your Personal Information
Humans are genetically predisposed to trust other humans. It’s one of the evolutionary reasons for the vast proliferation of our species. This basic trust is how mentalists can make us believe it was our idea to make a certain choice, or how attackers get us to reveal our passwords or mother’s maiden names.
Again, be skeptical and follow protocol when someone asks you about sensitive information. It’s the same issue as the links, but this might be a real-life in-person interaction. This advice goes double for users in the C-Suite, who are the targets in whale phishing campaigns.
