Ransomware seems to be everywhere right now. If you're a home user or SME employee on the receiving end of an attack it must feel like a pretty lonely moment when the extortion message appears on the screen of an infected PC demanding a payment of somewhere between $300 and $1,000 in Bitcoins.
The ransomware will have taken control of the computer and encrypted all or most of its files after an employee clicked on an email attachment, usually a PDF or what looks like one. This computer was most likely patched and running up-to-date antivirus but this made no difference. The ransomware still got through.
Infection and C2
It sounds like a simple attack and on the surface it is. An unsuspecting end user does something they normally do every day, clicking on an attachment, and lives to deeply regret it. Unseen, the ransomware is not only encrypting local files it can find but reaching out to attached storage drives and networks shares to encrypt those as well. All of this happens quickly before the user realises what has happened.
Typically, the ransomware also contacts and command and control (C2) server as this is happening as a prelude to downloading more software and phoning home.
After that, retrieving encrypted files is a matter of paying the ransom (in untraceable Bitcoins) and hoping the criminals deliver the key or resorting to backups, assuming they've not been scrambled too.
More recently, the MO of ransomware has evolved beyond this basic attack profile to target larger organisations. Here, simply attacking PCs one at time is no longer sufficient incentive to pay a ransom and the criminals have developed new ransomware families that can spread within an organisation to encrypt multiple PCs. This can even happen by hosting ransomware on a compromised application server rather than by sending attachments as was the case with something called Samas/SamSam.
As defences have evolved, more advanced ransomware is increasingly engineered to operate in a standalone or stealth capacity, for example hiding its activity by not contacting a C2 or even working entirely from memory without the need to save files to disk.
There are now numerous families of ransomware - more are expected to appear in 2016 than in all previous years put together - and a wide range of innovations. Computerworld recently compiled a list of some of the worst recent examples and the level of innovation to avoid boosted defences is startling.
How successful is ransomware?
In terms of infection, very, although few victims in the business world ever talk about this fact and data on the number paying ransoms requires drawing inferences. Most of what we know comes from US and Canadian companies that disclose attacks to meet state-specific data protection regulations. Recent ransomware attacks have included several US healthcare providers and hospitals that have admitted paying ransoms as well as the University of Calgary which was forced to pay a $20,000 (Canadian) ransom to regain data from 100 computers.
Sign up for MIS Asia eNewsletters.