Ransomware has been in the news continuously for the past couple of years and no organizations are immune from an attack. Nonprofits, hotels, hospitals, and school districts of all sizes have been victims. Ransomware appeals to cyber thieves because it is lucrative and largely untraceable. In 2016 alone, over $75 billion in lost productivity was reported and this past Friday saw the biggest worldwide attack of ransomware so far with WanaCrypt0r.
It’s important to understand how ransomware works. To do so, let’s look at why ransomware attacks have a potential for success. Organizations pay IT professionals to protect their networks from intrusion. They might implement email protection, block ports and unknown IP addresses inbound to their firewalls. Antivirus protection could be added for any infection that might make its way through. A full Unified Threat Management system may be implemented, and fingerprint scanners could be added to the server room. In other words, there are many different measures taken to prevent outside intruders.
But what if the intruder is simply allowed to come in? Much like Dracula needs to be allowed into someone's home, ransomware thieves take advantage of ill-informed users that click or download something that they think is legitimate and to be honest and gain access to the network and the data that exists on the network. There are individuals that will click on anything. Once the intruder is in, the encryption can begin.
There are many variants that exist, but here is a generic process for ransomware:
User clicks on a link that seems legitimate but is instead a phishing email with embedded ransomware.
A program downloads and runs in the background.
The program calls home to get the encryption algorithm.
The program encrypts “important” files like docx, xlsx, pdf, jpg, etc. on the computer and or network shares.
The threat pops up to the user in a window on their desktop.
The threat states that they have X amount of time before the encryption key is deleted and their data is lost forever, known as an extortion attack. (An additional type of attack is called Leakware, where data is threatened to be published to the Dark Web after some time expiration.)
The threat then states that for a nominal fee of N number of bitcoins (a thief's payment of choice) the data can be decrypted.
Usually, there is a customer service number or email to help with the transaction.
The thieves are so happy to take your money that they will help you log into the Tor web browser, setup a bitcoin account, etc. Repeat this tens of thousands of times, and they’ve easily made millions of dollars.
People did not even HAVE to click on an infected email with WanaCrypt0r. The thieves are using a ransomware variant of WannaCry which uses a SAMBA exploit in Windows called EternalBlue. Microsoft added a patch for the exploit but there are hundreds of thousands, if not millions of Windows machines without the patch that allows thieves to remotely attach ransomware into a network and then infect many of the computers that it can reach, even the ones that are patched.
These thieves are, in effect, terrorists and you have to treat them as such. If you get ransomware, report the attack to the FBI and DO NOT pay the ransom. Before you get infected, protect yourself with a backup and recovery solution for all your endpoints. Having a recovery solution is the #1 way to protect against ransomware according to the Department of Homeland Security.