The rise of ransomware has become a global epidemic. It continues to accumulate victims worldwide, forcing companies to decide between attempting to recover data from backups (and potentially losing vital data since the last backup) and paying significant sums of ransom to hackers.
From CryptoLocker, Locky, and Kovter, to recent attacks leveraging CryptXXX, and Petya, we hear about a ransomware attack every day, with new variants appearing almost every week.
A 2019 study shows that ransomware potentially cost the U.S. government, health care providers, and schools approximately $7.5 billion. Criminals continually release new ransomware variants that conceal their purpose and avoid detection until they have completed their core task.
In most cases, ransomware creators use proprietary, non-commercial packers that thwart the automated unpacking routines used by endpoint protection software. This makes it harder to classify the packed executable and determine its intent, and more difficult for human analysts to reverse engineer.
While many organizations have protected their files, data, and systems by implementing antivirus software and other signature-based solutions, these methods, while essential, are defenseless against advanced ransomware attacks designed to evade detection by traditional methods. Therefore, organizations need to implement a multi-layered approach to security to address the challenges of modern ransomware and effectively protect their network and endpoint devices.
Ransomware attacks do not occur in just one form. Below, we have summarized some of the prevalent approaches used today.
1. Encryption Ransomware
Encryption Ransomware encrypts personal files, folders, documents, archives, pictures, and videos. Once the encrypted copies have been written, the original files are deleted. The user then finds a text file with payment instructions in the same folder as the now-inaccessible files. The problem is often discovered when a user attempts to open one of the encrypted files, although some encryption ransomware also shows a ‘lock screen.’ Typical examples of encryption ransomware include Maktub Locker, CryptoLocker, WannaCry, Cerber, and CryptoWall.
2. NAS Ransomware
A derivative of Encryption Ransomware, NAS Ransomware specializes in attacking Network Attached Storage (NAS) systems, the repositories for backup systems, and user files like home directories.
This type of ransomware first scans the network for NAS devices exposed over Network File System (NFS) and Server Message Block (SMB). Once a NAS system is targeted, the ransomware either encrypts or deletes these critical files, making them unusable by their users, hypervisors, and backup protection software. This can be incredibly impactful to the business when backup software and hypervisors are involved: if backup images are attacked, the business’s ability to recover from the ransomware attack is compromised. Such ransomware also targets the shadow volume copies kept by the operating system as backups. Examples of NAS Ransomware include strains of WannaCry, SamSam, and Ryuk.
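As an added example that is not part of the original article, the following Python heuristic flags the behaviour described in sections 1 and 2 as seen from a file share's audit trail: high-entropy rewrites paired with deletion of the original file, plus a dropped ransom note. The audit-event format, field names and sample events are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed stand-ins for file content: 1024 bytes covering every byte value
# four times has exactly 8.0 bits/byte of entropy, like ciphertext.
HIGH_ENTROPY = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly revenue figures, Q3 draft.\n" * 20

# Constructed share audit events (hypothetical format): (user, op, path, payload)
SAMPLE_EVENTS = [
    ("alice", "write", "/share/finance/q3.xlsx", PLAINTEXT),
    ("alice", "write", "/share/finance/q3.xlsx.locked", HIGH_ENTROPY),
    ("alice", "delete", "/share/finance/q3.xlsx", b""),
    ("alice", "write", "/share/finance/budget.docx.locked", HIGH_ENTROPY),
    ("alice", "delete", "/share/finance/budget.docx", b""),
    ("alice", "write", "/share/finance/README_DECRYPT.txt",
     b"Your files are encrypted. Pay in bitcoin to recover them."),
    ("bob", "write", "/share/hr/notes.txt", b"lunch at noon\n"),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect(events, entropy_threshold=7.5, min_pairs=2):
    """Per user: count 'high-entropy sibling written, then original deleted'
    pairs and note whether a ransom-note-like text file was dropped."""
    state = defaultdict(lambda: {"high_entropy": set(), "pairs": 0, "note": False})
    note_words = (b"decrypt", b"bitcoin", b"ransom")
    for user, op, path, payload in events:
        s = state[user]
        if op == "write":
            if shannon_entropy(payload) >= entropy_threshold:
                s["high_entropy"].add(path)
            elif path.lower().endswith(".txt") and any(w in payload.lower() for w in note_words):
                s["note"] = True
        elif op == "delete":
            # Original removed after a sibling with an extra extension appeared.
            if any(p.startswith(path + ".") for p in s["high_entropy"]):
                s["pairs"] += 1
    return {u: {"pairs": s["pairs"], "ransom_note": s["note"]}
            for u, s in state.items() if s["pairs"] >= min_pairs}

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # alice is flagged, bob is not
```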
3. Lock Screen Ransomware
As the name indicates, lock screen ransomware locks your computer screen and demands payment. It often presents a full-screen image that blocks all other windows. No personal files are encrypted, and it is often easily removable in safe mode with antivirus recovery tools. Examples of this ransomware include WinLocker and MoneyPack.
4. Hardware Locker
Hardware Locker ransomware alters the computer’s Master Boot Record (MBR), the part of the hard drive that allows the operating system (OS) to boot, so that the normal boot process is interrupted. Instead of booting, the machine displays a ransom demand during the boot cycle. Examples include safe-data.ru and MBRLocker, a.k.a. DexLocker.
5. Application / Web Server Encryption
Application/Web Server Encryption attacks encrypt files on application and web servers by exploiting application vulnerabilities. On web servers, they replace the index.php or index.html files with content carrying the ransom instructions. Recovery requires finding the infected files and restoring them to their previous state. Examples of Application/Web Server Encryption include CTB-Locker.