WHAT IS RANSOMWARE?
Ransomware is the bad guy of computer viruses – the worst of the worst. It messes with your files by locking them up and then demands a ransom to let you back in. It’s basically a digital extortion scheme, and it often forces individuals or organizations to pay up because it’s the quickest and cheapest way to get their stuff back. Some versions even get nastier, like stealing your data, just to give you more reasons to cough up the cash. Ransomware has pretty much taken over the malware world and is causing all sorts of chaos. It’s infiltrated hospitals and medical suppliers, disrupted city services, and given a hard time to industries across the board.
THE FIRST RANSOMWARE ATTACK
Back in 1989, the very first documented attack was pulled off by Joseph Popp, PhD, an AIDS researcher. He executed this scheme by sending out 20,000 floppy disks to AIDS researchers in over 90 countries, claiming these disks held a program to assess one’s risk of contracting AIDS via a questionnaire. But there was a hidden catch: the disk also contained a malware program that stayed quiet in the computer until it had been turned on a total of 90 times. Once that magic number was hit, the malware sprung to life and displayed a message demanding $189, plus an additional $378 for a software lease. This notorious ransomware episode earned the nickname “AIDS Trojan” or “PC Cyborg.”
RANSOMWARE ON THE RISE
The whole ransomware craze we’re seeing today really kicked off with WannaCry back in 2017. That huge attack got a lot of attention and showed that ransomware attacks could be not only possible but also profitable. Since then, tons of different types of ransomware have popped up and been used in all sorts of attacks. And, well, the COVID-19 pandemic added fuel to the fire. When organizations hurriedly switched to remote work, it left some gaps in their online defences. Bad actors took advantage of these weak spots to launch ransomware attacks, causing a big spike in such incidents. In the third quarter of 2020, there was a whopping 50% increase in ransomware attacks compared to the first half of the year.
LATEST RANSOMWARE STATISTICS
In 2021, over 15.45% of people using the internet got hit by malware, which includes nasty stuff like ransomware. Kaspersky, the antivirus folks, said they stopped ransomware attacks on a whopping 366,256 individual users’ computers in 2021. In total, in 2021 there were 623.3 million ransomware attacks globally in 2021. And in 2022, ransomware still caused about 20% of all the cyber mayhem out there with 20% of ransomware costs attributed to reputation damage.
NORDIC CLOUD EXPERTS?
CloudNordic had some shocking news for its customers after a ransomware attack that pretty much brought the Danish cloud provider to its knees. In a frank online confession, the company told everyone to assume their data was a goner. The attack went down in the early hours of 18 August, with the bad actors taking control of all of CloudNordic’s systems. This resulted in a total shutdown, with both the company’s and customers’ websites and email systems getting encrypted. Since then, CloudNordic’s IT team and some outside experts have been hustling to try and get that data back. But it’s not looking too promising. Even the backups and production data got wiped, and CloudNordic’s standing firm on not coughing up a ransom to the folks behind this mess. The company issued an online alert saying:
“We cannot and do not want to meet the financial demands of the criminal hackers for ransom. Unfortunately, it has proved impossible to recreate more data, and the majority of our customers have thus lost all data with us. This applies to everyone we have not contacted at this time.”
On the bright side, they don’t think the cybercriminals managed to swipe any info before locking everything down.
RANSOMWARE BY COUNTRY
Here we look at ransomware on a global scale from two perspectives – the top 5 most affected countries in the world and those that are most cybersecure. Interestingly, the technologically advanced Denmark comes in at number 5 in this category with only 1.3% of mobile devices infected. It seems strange then that CloudNordic ended up in such a bad way. Anyway, here are the rankings:
RANK | MOST AFFECTED | MOST SECURE |
1 | Israel | United States |
2 | South Korea | Finland |
3 | Vietnam | United Kingdom |
4 | China | South Korea |
5 | Singapore | Denmark |
As an aside, the Vatican City comes top when it comes to overall cybersecurity awareness with Finland in second place. NordVPN said this of the Holy See:
“The residents demonstrated an excellent awareness of digital risks and how to avoid them.”
THE STAGES OF A RANSOMWARE ATTACK
INFECTION
Ransomware, much like other types of malware, can find its way into an organization’s systems through various means. Nevertheless, ransomware operators typically have a few preferred methods of infection. One such method involves phishing emails. These deceptive emails may contain links to websites hosting malicious downloads or have attachments with built-in downloader functionality. If the recipient of the email falls for the phishing attempt, the ransomware is then downloaded and activated on their computer. Another commonly used approach to spreading ransomware capitalizes on services like the Remote Desktop Protocol (RDP). In this scenario, an attacker who has either stolen or guessed an employee’s login credentials can employ them to authenticate and gain remote access to a computer within the organization’s network. Once inside, the attacker can directly download the malware and initiate its operation on the compromised machine. Alternatively, some attackers may try to infect systems directly, similar to how WannaCry exploited the EternalBlue vulnerability. Most ransomware variants, however, are equipped with multiple means of infection.
ENCRYPTION
Once ransomware infiltrates a system, it initiates the process of encrypting the files it targets. Utilizing the encryption capabilities already present in the operating system involves accessing the files, encrypting them using a key controlled by the attacker, and then substituting the original files with these newly encrypted versions. It’s worth noting that many ransomware strains exercise caution in selecting which files to encrypt to prevent destabilizing the system. Additionally, certain variants may go a step further by deleting backup copies and shadow versions of files, making the recovery process without the decryption key significantly more challenging.
RANSOM DEMAND
Once file encryption is complete, the ransomware is prepared to make a ransom demand. Different ransomware variants implement this in numerous ways, but it is not uncommon to have a display background changed to a ransom note or text files placed in each encrypted directory containing the ransom note. Typically, these notes demand a set amount of cryptocurrency in exchange for access to the victim’s files. If the ransom is paid, the ransomware operator will either provide a copy of the private key used to protect the symmetric encryption key or a copy of the symmetric encryption key itself. This information can be entered into a decryptor program – also provided by the cybercriminal – that can be used to reverse the encryption and restore access to the user’s files.
VARIATIONS IN RANSOMWARE
While these three core steps exist in all ransomware variants, different ransomware can include different implementations or additional steps. For example, ransomware variants like Maze perform file scanning, registry information, and data theft before data encryption, and the WannaCry ransomware scans for other vulnerable devices to infect and encrypt.
PROTECT IT BETTER
Zhero will help you develop and implement a cybersecurity strategy that works for your business and protects it against all cyber threats, including dreaded ransomware. Our Protect IT better security offering is based on zero trust principles and designed to crush your cybersecurity risk. Contact us today and find out how we Protect IT better by delivering better IT faster.