A ransomware attack is a type of malware that encrypts or locks a victim's computer and demands payment (usually in bitcoin) for recovery. If your computer is compromised by ransomware, your files (.doc, .txt, .mpeg, .xlsx, etc.) are encrypted using a public/private key pair. The attackers lock these sensitive files and keep control of the system until you pay the ransom.
Now the victim has no option left other than to:
- pay in bitcoin (which guarantees nothing), or
- remove the ransomware by formatting the computer or server.
How Does Ransomware Work
All types of endpoint systems and terminals are vulnerable to ransomware attacks: IT servers, personal computers, point-of-sale (POS) terminals, printers, smartphones and other smart gadgets, and even smart cars and smart homes.
Let's see how it works:
- A ransomware attack usually starts with a spam link sent by the hacker (not necessarily by email; it could be a third-party website or any unknown link).
- As soon as the user clicks on the link, the malware is downloaded to the computer.
- The malware then runs automatically and makes a copy of itself on the C drive (all its commands and shells are copied).
- Likewise, the newly added registry entries are written to the computer.
- Now the hacker can connect to the computer using these corrupted registry entries.
- Thereby the hacker takes control of your data, uses a key to encrypt these crucial files, and locks the computer.
- Finally, the victim gets a message from the hacker demanding a ransom, failing which the data will be deleted or shared online.
Types of Ransomware
This type is a kind of tech support scam: you get a pop-up message demanding payment for the removal of malware supposedly discovered on your computer. In this case your files are safe. If you don't pay, you simply keep getting scary messages, and that's it.
Lock-screen ransomware locks your computer screen. You won't be able to access it: a full-screen pop-up appears with an authentic-looking defence or government logo and demands a fine for an alleged illegal activity. This is just a fraud; no police will freeze your account.
Cybercriminals first take control of your system, then seize the important files and folders and encrypt them with a sophisticated key. Next they demand a ransom to return control by decrypting the files. It is so deadly that no security software or system restore can bring the data back. And even if you pay the ransom, there is no guarantee the hackers will return those files; in most cases they are gone for good.
Ransomware Attack Types
WannaCry
WannaCry was the best-known and largest ransomware, affecting millions of Windows machines in 150+ countries and causing multi-billion dollar losses in 2017. It was a self-contained, self-propagating program that used Tor and spread autonomously from one computer to another. Its ransom pop-up appears as soon as Windows loads.
Petya and NotPetya
Petya, which appeared around 2016, encrypts the computer's hard disk using a very sophisticated encryption algorithm. This makes the entire disk inaccessible. It asks you to install the Tor browser (darknet) and then gives the steps to follow for decryption.
Later it reappeared as a new variant, NotPetya, far more dangerous than the original. NotPetya propagates on its own and spreads without human intervention. It asks for a ransom in bitcoin, after which you are supposed to send your key to the hacker's email address for decryption. There is almost no chance of getting your files back, as the hackers used fake email addresses.
Petya and NotPetya exploit the same vulnerability as WannaCry to spread between computers, and both infect Windows machines.
CryptoLocker
CryptoLocker is a similar kind of file-encrypting ransomware. It appeared in 2013 as the first modern-age ransomware. At its peak in early 2014 it infected more than half a million computers via an email attachment. It is obsolete now.
Cerber runs silently on the system to disable all Windows security features and antivirus. Cybercriminals use this kind of service to encrypt files by exploiting Windows vulnerabilities.
This variant spread across Europe and Asia in 2017 via fake Flash Player updates. Its main targets were news and media companies in Russia, Ukraine, Turkey and Germany. Unlike other ransomware variants, it is possible to decrypt the files if you pay the ransom.
Maze, like other varieties of malware before it, spreads across corporate networks and servers and encrypts data with a key combination so that it cannot be accessed. Very recently, in 2020, Indiabulls and Cognizant servers were targeted by the Maze ransomware.
Recent variants of ransomware
Modern variants such as Ryuk, Robinhood and Thanos have emerged in recent years and are extremely harmful.
What is Mobile Ransomware
Mobile ransomware is a kind of Android malware that affects mobile devices. It does not usually prevent access to files or steal sensitive data; rather, it blocks the mobile device. Mobile users don't understand the risk of clicking fake web links or downloading malicious content, and that is how this malware is distributed: through malicious apps or social engineering attacks. In recent years CryptoLocker-style ransomware has been found on both Android and Apple devices, while DoubleLocker tampered with the PIN of many Android devices and encrypted the stored data.
If infected, you need to boot your mobile device in safe mode and remove all suspicious apps in order to regain access. To safeguard yourself, install strong mobile security software and apply update patches regularly.
How to Protect against Ransomware
Normally, government agencies, corporates and banks are the foremost targets of ransomware attacks, as they hold sensitive customer data and can pay quickly. During Covid-19, when corporate workplaces moved into homes, cyber crooks used this as an opportunity to spread more phishing emails and malware-driven attacks.
Here are some best practices you can follow for protection against and prevention of a ransomware attack:
What is Ransomware Protection
Regular data backup is the crucial step that reduces the risk of encrypted data or any other data loss: you can format the affected server and restore the data quickly for business continuity. If possible, keep more than two copies of the backup in two separate locations.
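A backup only helps against ransomware if the copy you restore from is intact, so the backup itself has to be checked against a known-good record of the live data. The script below is an added example (not code from the original article): it builds a SHA-256 manifest of a directory and then verifies each backup copy against it, reporting files that are missing, changed or unexpected. The directories and the "encrypted" copy are constructed in a temporary folder purely to demonstrate the check.

```python
"""Build a SHA-256 manifest for a directory and verify backup copies against it.
Added example, not from the original article. Standard library only; the
sample directories below are constructed in a temporary folder."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup copy against the manifest taken from the live data.

    A file that exists but hashes differently is the signature of a copy that
    was encrypted in place; a missing file usually means it was renamed (for
    example given a new extension); an unexpected file may be a ransom note.
    """
    missing, changed = [], []
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            changed.append(rel)
    unexpected = sorted(set(build_manifest(backup_root)) - set(manifest))
    return {
        "ok": not (missing or changed or unexpected),
        "checked": len(manifest),
        "missing": missing,
        "changed": changed,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: one offline copy left alone, one online copy hit."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        offline = Path(tmp) / "backup_offline"
        online = Path(tmp) / "backup_online"
        for root in (live, offline, online):
            (root / "docs").mkdir(parents=True)
            (root / "docs" / "report.docx").write_bytes(b"quarterly numbers")
            (root / "notes.txt").write_bytes(b"todo list")
        manifest = build_manifest(live)  # taken while the data was known good
        # Simulate the online copy being encrypted in place, a file renamed
        # with a new extension, and a ransom note dropped (all constructed).
        (online / "docs" / "report.docx").write_bytes(b"\x8f\x1a\x00opaque-bytes")
        (online / "notes.txt").rename(online / "notes.txt.locked")
        (online / "README_DECRYPT.txt").write_bytes(b"constructed ransom note")
        return {
            "offline": verify_backup(manifest, offline),
            "online": verify_backup(manifest, online),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if result["ok"] else "FAILED", result)
```

The manifest should be stored with the offline copy, not next to the live data, because anything reachable from the infected machine (a mapped network share, a synced cloud folder) can be encrypted along with the originals; that is exactly the case the "online" result above shows.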
Firewall Activation, Endpoint Protection
Recent endpoint protection programs provide a good defence against WannaCry, Maze or Petya style attacks.
Additionally, keep a paid antivirus or security app on your system and update it regularly. Though antivirus is not always successful against modern ransomware variants, it can still safeguard against most of them.
You should monitor or scan for unusual files, viruses, network traffic and CPU loads.
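The single most telling sign of an encryption-type ransomware on a host is a burst of files being rewritten or renamed to an unfamiliar extension by one process, often followed by a ransom note being dropped. The script below is an added example (not code from the original article) of such monitoring logic run over a constructed, simplified file-activity log; the process name `svchost_fake.exe`, the paths and the event format are all assumptions made for the demonstration.

```python
"""Flag ransomware-like bursts in a file-activity log.
Added example, not from the original article. Events are constructed and
simplified to (timestamp_seconds, process, action, path[, new_path])."""
from collections import defaultdict, deque

# Extensions normal office work produces. The suspicious pattern is a rename
# *away* from one of these to an extension nobody uses, many times, quickly.
COMMON_EXTENSIONS = {"doc", "docx", "txt", "xlsx", "pdf", "jpg", "mpeg", "pptx"}
# Words that ransom notes typically carry in their file name (heuristic).
RANSOM_NOTE_MARKERS = ("decrypt", "recover", "restore")


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def looks_like_ransom_note(path: str) -> bool:
    name = path.rsplit("/", 1)[-1].lower()
    return name.endswith((".txt", ".html", ".hta")) and any(
        marker in name for marker in RANSOM_NOTE_MARKERS
    )


def detect_bursts(events, window=10, threshold=5):
    """Return (timestamp, process, reason) alerts.

    A process is flagged once when it performs `threshold` extension-changing
    renames within `window` seconds; creating a ransom-note-like file is
    reported on its own, whatever the rename count.
    """
    alerts = []
    recent = defaultdict(deque)  # process -> timestamps of suspicious renames
    flagged = set()
    for ts, proc, action, path, *rest in events:
        if action == "create" and looks_like_ransom_note(path):
            alerts.append((ts, proc, "ransom-note-like file created: " + path))
            continue
        if action != "rename":
            continue
        new_path = rest[0]
        if extension(path) in COMMON_EXTENSIONS and extension(new_path) not in COMMON_EXTENSIONS:
            q = recent[proc]
            q.append(ts)
            while q and ts - q[0] > window:  # keep only the sliding window
                q.popleft()
            if len(q) >= threshold and proc not in flagged:
                flagged.add(proc)
                alerts.append((ts, proc, f"{len(q)} extension-changing renames in {window}s"))
    return alerts


# Constructed sample: ordinary activity, then one process mass-renaming files
# with a new extension and dropping a note. Not real telemetry.
D = "C:/Users/alice/Documents/"
SAMPLE_EVENTS = [
    (0, "winword.exe", "write", D + "q1.docx"),
    (1, "explorer.exe", "rename", D + "old.txt", D + "old.bak"),  # one rename: benign
    (100, "svchost_fake.exe", "rename", D + "q1.docx", D + "q1.docx.locked"),
    (101, "svchost_fake.exe", "rename", D + "budget.xlsx", D + "budget.xlsx.locked"),
    (102, "svchost_fake.exe", "rename", D + "photo.jpg", D + "photo.jpg.locked"),
    (103, "svchost_fake.exe", "rename", D + "cv.pdf", D + "cv.pdf.locked"),
    (105, "svchost_fake.exe", "rename", D + "notes.txt", D + "notes.txt.locked"),
    (106, "svchost_fake.exe", "create", D + "HOW_TO_DECRYPT.txt"),
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

The window and threshold are the knobs to tune against your own baseline: a user archiving files or a backup agent can legitimately rename a handful of files, so the explorer.exe rename above is counted but never crosses the threshold. On a real host the events would come from a file-integrity or EDR sensor, and the response to an alert is to isolate the machine and check the backup, not to wait for the note.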
Avoid untrusted sites, unknown links and email attachments
Email phishing and spam are most often the beginning of a ransomware attack. Always be watchful of malicious email attachments, fake job offers and unknown web links. Avoid clicking, downloading or opening such files, and report phishing wherever possible.
You should use a secure web gateway, which scans the traffic and blocks malicious web ads that could lead to a ransomware attack; also configure WPA2 encryption on your home router.
It is preferable to avoid 'http://' pages and visit only 'https://' pages.