Ransomware is a type of computer virus that seizes control of a user's computer or encrypts the data and then demands a ransom for the return of normal operations. The most famous examples of ransomware are Reveton, CryptoLocker, and WannaCry. Ransomware is usually spread by phishing attacks or click-jacking. Once the virus is installed, users lose the ability to access their computer data or use the machine. Many ransomware attacks demand ransoms to be paid via cryptocurrency, like Bitcoin.
Let’s Define Ransomware
Once ransomware enters a system, it makes itself known by taking control, encrypting files or complete systems, and blocking user access until requests for payments, which are often displayed in warning messages, are fulfilled. Unfortunately, there is no guarantee that the keys needed to break the encryption will be returned upon payment.
This devious malware typically enters opportunistically through drive-by downloads, email links, social network messages, and websites; more recently, ransomware has been distributed through aggressive worms and targeted attacks. Ransomware, like many Trojans, is disguised as a legitimate file, with the ransom note appearing on screen, often with threats of deletion or publication if payment is not made. The result is often brand damage, costly lawsuits, or lost customer loyalty.
Attacks such as WannaCry, Petya, and Bad Rabbit were headliners in 2017. WannaCry alone spread globally to 300,000 devices in over 150 countries in a single weekend and caused millions, perhaps even billions, of dollars in damage.
Here are some insights from a recent Forrester report:
Ransomware is spread by malicious files that the user must run, typically an .exe. After the malware enters the network, it may be able to spread laterally across devices; ransomware that does this is also known as a worm. A network user may be tricked into installing the file on a local computer by a phishing or click-jacking attack. If antivirus is deployed on the network, it must either have a signature for the ransomware file or detect it by its suspicious behavior; otherwise, the infection can escape detection.
The most common form of ransomware is the encryption attack. All the files on a user's computer are encrypted by the malware and cannot be unlocked unless the ransom is paid. This is the definitive pattern of ransomware, and many people would rather pay the ransom than lose all their data. Another type of ransomware is the deletion threat, in which the data is threatened with deletion if the ransom is not paid by a certain date. A less common variety is an extortion or doxxing attack.
Known ransomware will be caught by antivirus, but as with any threat, a zero-day attack cannot be effectively screened by these utilities. Similarly, even the best-trained and most professional users can fall prey to a phishing or click-fraud attack. Ransomware worms spread laterally in a network without human interaction; how far they get depends on the complexity of the exploit code they carry. Antivirus software that detects malicious activity is the best defense, for example scanning an .exe downloaded from the web before it is allowed to run.
Ransomware often targets large corporations and government agencies where a single user’s mistakes can lead to a wide infection pattern. Other users may be infected by spam email or phishing attacks.
Install a verified antivirus software from one of the main providers like McAfee, Kaspersky, Symantec, or Norton for the best protection, and avoid installing any .exe files from web links. Look out for suspicious emails from unknown sources that have attachments. Often these emails will have spelling mistakes, use generic language (e.g. “Dear Sir/Madam”), or will come from a suspicious-looking address.
Reveton in 2012 started the ransomware trend by impersonating a police department and demanding a fine. CryptoLocker in 2013 began the trend of Bitcoin ransom attacks.
Ransomware makes business owners consider how they approach antivirus, network security, and data backups. Businesses are recommended to use an antivirus scan on the firewall that includes known ransomware attacks. Administrators must consider how much tolerance they have for data loss on worker PCs and how to integrate regular secure backups on desktop productivity machines. Learn how the VMware Service-defined Firewall helps mitigate ransomware and other attacks.
Generally speaking, the answer to whether you should pay the ransom is no, if it can be avoided. The reason is twofold: there is no guarantee the attackers will release the files and systems held hostage, and paying gives ransomware distributors confidence that you are willing to pay again.
However, it’s understandably not unusual for companies to pay ransoms, especially in the case of life or death situations that can sometimes arise in ransomware outbreaks. In fact, according to recent research from Cybersecurity Ventures, ransomware was estimated to be a $5 billion crime in 2017, which is a dramatic increase from $24 million in 2016 and $850,000 in 2015.
The 2018 Cyberthreat Defense Report from CyberEdge Group surveyed companies from around the globe and found that 55% of these organizations were victimized by ransomware in 2017. Of the ones that paid the ransom, over half still lost their data, an indication that paying may be ineffective.
As for the ones that did not pay, nearly 87% were fortunate enough to recover their data, although it’s unclear what the cost of recovery was.
Here is a quick look at how ransomware is quickly evolving into one of the most dreaded types of malware out there.
4,000 attacks a day: according to the FBI, this is a 300% increase over 2015 attack volume.
3 million computers attacked: in 2017, researchers identified more than 120 new ransomware families affecting systems worldwide.
$11.5 billion cost projection: in 2019 a ransomware attack will likely occur every 14 seconds, bringing the daily average to over 6,000.
Because of the financial success of ransomware today, attackers are increasingly developing ransomware variants that slip by most traditional malware protection that detects known attack modes. New variants, such as Locky and advanced attacks that leverage PowerShell, scripts, macros, remote shell attacks and memory-based attacks, evade detection from most antivirus software.
However, a next-generation antivirus (NGAV) solution with streaming prevention technology uses deep analytics to inspect files and recognize events that can lead to a ransomware outbreak. By identifying malicious behavior unique to ransomware before an attack actually takes place, the attacks can automatically be blocked. In addition, with full visibility into the attack, companies can quickly remediate the vulnerabilities found by attackers to prevent future outbreaks.
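The encryption-attack pattern described above (every file overwritten with ciphertext, a new extension applied, a ransom note dropped) is exactly what behavior-based detection keys on instead of file signatures. The following is an added illustration, not VMware's or any vendor's code: a toy detector run over constructed file-event telemetry, with the log format, thresholds and sample events all being assumptions.

```python
# Added example for this page (not VMware's or any vendor's code): a toy
# behavioural detector for the "encrypt everything" pattern, run over a
# constructed log of "ts process op path entropy_after_write" lines. The
# thresholds, log format and sample events are assumptions.
import ntpath
import re
HIGH_ENTROPY = 7.9    # bits/byte; ciphertext sits near 8.0, documents far lower
WINDOW_SECONDS = 5    # burst window per process
BURST_THRESHOLD = 4   # high-entropy writes inside one window that raise an alert
NOTE_PATTERN = re.compile(r"readme|decrypt|restore|recover", re.IGNORECASE)
SAMPLE_EVENTS = """\
1 winword.exe write C:\\Users\\a\\report.docx 4.9
10 svc.exe write C:\\Users\\a\\q1.xlsx.locked 7.98
10 svc.exe write C:\\Users\\a\\q2.xlsx.locked 7.97
11 svc.exe write C:\\Users\\a\\budget.docx.locked 7.99
11 svc.exe write C:\\Users\\a\\photo.jpg.locked 7.96
12 svc.exe write C:\\Users\\a\\README_DECRYPT.txt 4.3
"""

def parse_events(text):
    """Parse the constructed 'ts proc op path entropy' lines into dicts."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [{"ts": int(t), "proc": p, "op": o, "path": f, "entropy": float(h)}
            for t, p, o, f, h in rows]

def detect_ransomware(events):
    """Return {process: [reasons]} for processes behaving like file encryptors."""
    by_proc = {}
    for ev in events:
        by_proc.setdefault(ev["proc"], []).append(ev)
    alerts = {}
    for proc, evs in by_proc.items():
        reasons = []
        hot = [e for e in evs if e["op"] == "write" and e["entropy"] >= HIGH_ENTROPY]
        # 1) Burst: many high-entropy overwrites inside one short window
        for e in hot:
            n = sum(1 for h in hot if 0 <= h["ts"] - e["ts"] <= WINDOW_SECONDS)
            if n >= BURST_THRESHOLD:
                reasons.append(f"{n} high-entropy writes within {WINDOW_SECONDS}s")
                break
        # 2) Every encrypted file received the same new extension
        exts = {ntpath.splitext(e["path"])[1].lower() for e in hot}
        if len(hot) >= BURST_THRESHOLD and len(exts) == 1:
            reasons.append(f"uniform new extension {exts.pop()}")
        # 3) A ransom-note-like file dropped beside the encrypted files
        if any(NOTE_PATTERN.search(ntpath.basename(e["path"])) for e in evs):
            reasons.append("ransom note written")
        if reasons:
            alerts[proc] = reasons
    return alerts
```

A real product feeds the same logic from kernel file-system hooks and blocks the offending process at the first alert, before the bulk of the files are touched.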
VMware NSX Data Center delivers a complete L2-L7 networking and security virtualization platform, providing the ability to manage the entire network as a single entity from a single pane of glass.