Ransomware is a particularly virulent form of malware in which cybercriminals encrypt a victim’s data and hold it for ransom. It has evolved to become much more dangerous and damaging than when it was first encountered in 1989. Companies need to be prepared to address the dangers of modern ransomware or risk losing access to their mission-critical data for an extended length of time.
There has always been a high degree of risk involved when dealing with the entities behind a ransomware attack. Though the perpetrators promised to provide the decryption keys after the ransom was paid, there were no guarantees. Negotiating with criminals could be very frustrating and sometimes the keys were not provided even when all ransom demands were met.
As we’ll see, cybercriminals wielding ransomware are no longer satisfied with encrypting data and demanding payment. Once organizations began protecting their systems with backups that could quickly recover victimized systems, and so avoid acquiescing to ransom demands, the criminals changed their tactics.
How Ransomware Works
Before a ransomware attack is launched, cybercriminals need to identify a target. In some cases, this is done indiscriminately with a widespread phishing campaign that attempts to gain entry into any enterprise infrastructure. Ransomware gangs have found it more profitable to target specific organizations that possess high-value data and are highly motivated to meet the criminals’ demands in order to regain access to their systems.
Attacks are conducted by following a fairly standard playbook made up of the following steps.
- Distribution campaign – The first step cybercriminals must take is to find a target for a ransomware attack. This may be done with a mass phishing campaign that attempts to trick unsuspecting users into divulging login credentials or allowing unauthorized access to enterprise infrastructure. Targeted spear-phishing is used when cybercriminals attempt to gain access to a business by using the contact information of specific individuals.
- Infection – Once access to the targeted computing environment has been obtained, an executable file is downloaded and installs the ransomware. This is a preliminary step and the malware is not activated at this time.
- Payload staging – After being installed on a target, the ransomware embeds itself into the system so it will persist after a reboot. Depending on the type of ransomware, the goals of the cybercriminals, and the level of access they have gained, the malware may attempt to move laterally through the network to embed itself on other systems.
- Scanning – In this step, the ransomware identifies the specific files it will encrypt. It targets data on the local system and may also identify other valuable files it can reach throughout the network.
- Encryption – When appropriate targets have been identified, they are encrypted. The victim loses access to the files or systems that have been affected by the malware attack.
- Extortion – After files have been encrypted and systems have been disrupted, a ransom note is typically delivered to the victims, stating the cost of regaining access to their data and giving instructions on how to make payment.
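The scanning and encryption steps above leave a measurable trace on disk: many files rewritten within a short window with near-random contents. As an added illustration, not code from the original article or from any product it names, the following Python flags such a burst in a constructed set of file-write events (a hypothetical timestamp, path, bytes format standing in for EDR or file-audit output):

```python
import math
import random
from typing import List, Optional, Tuple

# Hypothetical event format: (timestamp in seconds, file path, bytes written).
Event = Tuple[float, str, bytes]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text and office files, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def first_encryption_burst(events: List[Event], window: float = 60.0,
                           min_files: int = 5, threshold: float = 7.0) -> Optional[dict]:
    """Return the first span of at most `window` seconds in which at least
    `min_files` distinct files were rewritten with high-entropy contents,
    or None if no such burst exists. Bulk encryption produces this pattern;
    ordinary editing of text and office documents does not."""
    hits = sorted((t, p) for t, p, data in events if shannon_entropy(data) >= threshold)
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:  # slide the window forward
            start += 1
        files = {p for _, p in hits[start:end + 1]}
        if len(files) >= min_files:
            return {"start": hits[start][0], "end": hits[end][0], "files": sorted(files)}
    return None

# Constructed sample data: a normal editing session, then six documents
# rewritten with random (ciphertext-like) contents five seconds apart.
_rng = random.Random(1)
NORMAL_EVENTS: List[Event] = [
    (0.0, "/share/report.docx", b"Quarterly report draft. " * 200),
    (15.0, "/share/notes.txt", b"Meeting notes: backups verified. " * 150),
]
ENCRYPTION_EVENTS: List[Event] = [
    (100.0 + 5 * i, f"/share/doc{i}.xlsx.locked",
     bytes(_rng.getrandbits(8) for _ in range(4096)))
    for i in range(6)
]

if __name__ == "__main__":
    print("normal session:", first_encryption_burst(NORMAL_EVENTS))
    print("bulk rewrite:", first_encryption_burst(NORMAL_EVENTS + ENCRYPTION_EVENTS))
```

The entropy threshold alone would also fire on legitimately compressed or already-encrypted files, which is why the rule additionally requires many distinct files within a short window.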
Ransomware 1.0 Encrypts Production Data
The first ransomware attack, in 1989, was carried out via infected floppy disks and demanded that a ransom of between $189 and $378 be mailed to a P.O. box. After being introduced to a computer, the ransomware lay dormant until the machine had been booted 90 times. At that point, the malware began encrypting the system’s files and displayed a ransom note to the shocked users.
Current ransomware attacks demand substantially larger payments, usually in cryptocurrency. Companies began taking ransomware 1.0 more seriously as the cost of recovering from an attack increased. IBM’s 2022 Cost of a Data Breach Report puts the average cost of a successful ransomware attack in the United States at $4.54 million.
Ransomware 1.0 follows the steps previously outlined. Its goal is simply to encrypt files and force the victims to pay to regain access to them.
Ransomware 2.0 Destroys Backups
The best defense against ransomware 1.0 is a reliable recovery strategy that can quickly restore the affected files and systems. If the impacted systems can be recovered promptly, there is no incentive to pay the ransom. Smart IT decision-makers began concentrating on implementing enhanced backup and recovery tools to minimize the risk of ransomware.
As companies improved their backup and recovery schemes, the criminals behind ransomware had to come up with a new method of extorting their victims. The technique they devised is the defining characteristic of ransomware 2.0. In addition to encrypting files, this type of malware attempts to corrupt the backup software and media required to perform a recovery. If the ransomware can successfully prevent recovery, victimized companies are still motivated to meet the ransom demands.
Ransomware 3.0 Steals Data
More effective recovery measures were necessary to defeat ransomware 2.0. These included creating immutable backups that cannot be corrupted by malware. But the cybercriminals behind ransomware 3.0 ramped up the damage to a new level. In addition to encrypting data and trying to damage recovery media, they added a new tactic to their arsenal. Ransomware 3.0 steals data and threatens to expose it or make it public if the criminals’ financial demands are not met.
The defense against ransomware 3.0 is more complicated than simply implementing better recovery procedures. It requires a comprehensive strategy that combines data security and governance to identify and protect sensitive data so it cannot be accessed by criminals. Implementing this level of protection demands modern data protection tools that provide anomaly detection and data resiliency.
VAST and Cohesity Provide a Formidable Defense
VAST is an authorized partner of industry leader Cohesity. Together they provide data backup and management solutions that protect your business from the dangers of ransomware. VAST’s managed services leverage the power of the Cohesity Data Cloud to provide customers with a comprehensive data management and protection solution.
The Cohesity Data Cloud includes:
- Immutable backups and recovery at scale;
- Intelligent threat detection;
- Enhanced data access and mobility;
- Insight into data resources with search, classification, and analytics features.
Your protective measures need to evolve to meet the new and dangerous ransomware that can put your company out of business. Contact VAST today and see how they can help protect your organization from the dangers of all flavors and iterations of ransomware.