Ransomware has rapidly risen to the top of the cyber threat landscape and continues to gain momentum at an alarming rate. Criminals have evolved ransomware attacks from merely targeting individuals to now effectively extorting businesses for larger sums of money by threatening to publicly share or destroy private company data. Such attacks do not only affect the targeted organization, but also its customers and users – and, as a result, do not only cause financial loss, but also affect the reputation of targeted organizations.
In this exploration of ransomware, Agari will cover the bases of ransomware attacks, uncover delivery techniques and examples from criminals, as well as share countermeasures you can take to prevent these attacks from reaching your organization and employees.
Ransomware is a form of malware that typically encrypts the hard drive of the compromised computer, requesting a payment in return for giving the victim the decryption key. Some ransomware is spyware, extracting valuable or embarrassing information that is later used for purposes of extortion. Ransomware benefits from the existence of non-traceable communications (like Tor) and non-traceable payments (like Bitcoin).
Ransomware uses obfuscation techniques such as crypters to evade antivirus tools, and its success almost always hinges on end-users being tricked or seduced into installing it. The most common delivery technique involves email, since email is pervasive and poorly defended against abuse.
While ransomware itself relates to the payload of malware, as opposed to the manner in which it propagates, it is worth noting that most ransomware attacks are delivered by Trojans. A Trojan is a type of malware that is commonly spread by email, and is installed when unsuspecting users open dangerous attachments. The emails typically appear to come from senders the victims know or think they know, or carry tantalizing names.
Sometimes, malicious emails contain links to sites where visitors are prompted to install Trojans – often masquerading as popular games or file sharing applications. Such sites also attract visitors using search engine optimization techniques, and in some cases, online advertisements.
An example Trojan-associated email spread on Yahoo groups:
The above message was sent from compromised computers belonging to members of the group, with various subject lines intended to attract attention, such as “Powerful” and “Interesting?”.
Some Trojan campaigns specifically aim to spoof legitimate emails sent from legitimate companies. These campaigns typically relate to common services, such as banking, healthcare, parcel delivery or government facilities – areas that most email recipients are likely to be able to relate to.
A common storyline used by distributors of Trojans is that the recipient has received a parcel from a popular delivery company, such as FedEx. An attachment or a hyperlink supposedly provides more information about the delivery – although, in reality, clicking on either will lead to a Trojan being installed.
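The lures described above (a brand name in the display name that does not match the sending domain, a link whose visible text differs from where it actually points, and an attachment disguised with a double extension) can all be checked mechanically before a message reaches an inbox. The following is an added example written for this article and is not Agari's code; the sample emails, the sending domains, the `BRAND_DOMAINS` table and the `RISKY_EXTENSIONS` list are all constructed for illustration, and a real deployment would draw them from a maintained brand list and attachment policy.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Constructed sample: a parcel-delivery lure of the kind described above.
# Sender domain, link target and attachment name are made up for illustration.
SAMPLE_LURE = """\
From: "FedEx Customer Service" <notice@example-mailer.test>
To: employee@example-corp.test
Subject: Your parcel could not be delivered
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<p>Track your parcel: <a href="http://198.51.100.7/track">http://www.fedex.com/track</a></p>
--B
Content-Type: application/octet-stream; name="Delivery_Details.pdf.exe"
Content-Disposition: attachment; filename="Delivery_Details.pdf.exe"

PLACEHOLDER-ATTACHMENT-BYTES
--B--
"""

# Constructed benign sample used to confirm the checks do not fire on ordinary mail.
SAMPLE_BENIGN = """\
From: "IT Helpdesk" <helpdesk@example-corp.test>
To: employee@example-corp.test
Subject: Scheduled maintenance on Saturday
Content-Type: text/plain

The file server will be offline from 08:00 to 10:00 for patching.
"""

# Hypothetical brand table: keyword in the display name -> domains allowed to use it.
BRAND_DOMAINS = {"fedex": {"fedex.com"}, "ups": {"ups.com"}, "dhl": {"dhl.com"}}
# Hypothetical attachment policy: extensions that should never arrive by email.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".hta"}

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _host(url: str) -> str:
    m = re.match(r"https?://([^/\s]+)", url, re.I)
    return m.group(1).lower() if m else ""


def sender_brand_mismatch(msg: Message) -> Optional[str]:
    """Flag a display name that invokes a brand the sending domain is not entitled to."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            return f"display name mentions {brand!r} but sender domain is {domain!r}"
    return None


def risky_attachments(msg: Message) -> List[str]:
    """Return attachment names whose *final* extension is executable (catches x.pdf.exe)."""
    found = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        lower = fname.lower()
        suffix = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if suffix in RISKY_EXTENSIONS:
            found.append(fname)
    return found


def mismatched_links(msg: Message) -> List[Tuple[str, str]]:
    """Return (href, visible_text) pairs where the text is a URL for a different host."""
    out = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        raw = part.get_payload(decode=True) or b""
        html = raw.decode(part.get_content_charset() or "utf-8", "replace")
        for href, text in LINK_RE.findall(html):
            text = re.sub(r"<[^>]+>", "", text).strip()
            if re.match(r"https?://", text, re.I) and _host(text) != _host(href):
                out.append((href, text))
    return out


def triage(raw_message: str) -> dict:
    """Run the three checks over one RFC 822 message and summarise the findings."""
    msg = message_from_string(raw_message)
    findings = {
        "sender_mismatch": sender_brand_mismatch(msg),
        "risky_attachments": risky_attachments(msg),
        "mismatched_links": mismatched_links(msg),
    }
    findings["suspicious"] = bool(
        findings["sender_mismatch"] or findings["risky_attachments"] or findings["mismatched_links"]
    )
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

On the constructed lure every check fires: the display name claims FedEx while the message comes from an unrelated domain, the link text shows a fedex.com address but points at a bare IP, and the attachment's real extension is `.exe` behind a `.pdf` disguise. The benign helpdesk notice triggers none of them. These are gateway-side heuristics, not a substitute for authenticating the sender (SPF, DKIM and DMARC), but they catch exactly the cues this section tells recipients to look for.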
So how can email recipients know whether an email is genuine or fake?
It is worth noting that most ransomware attacks are delivered by Trojans through email.