While there are myriad online threats to businesses, organizations and governments, ransomware is by many metrics the worst right now. Other kinds of attack can have personal fallout, but for destructive impact on its targets ransomware is dominant, and for that reason one of the most lucrative for the attackers that deploy it.
Reported ransomware attacks on businesses jumped by over 365 percent in 2019, and increased 50 percent in the third quarter of 2020 compared to the first half of the year.
No one sector seems to be safe from ransomware: large cities including as Baltimore, Atlanta, Akron, Hartford, and New Orleans have faced major disruptions in recent years as well as major companies, a long list of them having suffered outages and extinction-level losses of data. Even cybersecurity companies have been successfully targeted and compromised.
The threat posed by ransomware, and its effectiveness, owes much to its variability. There are several variants and strains, each of which can be used to exploit specific vulnerabilities in a wide array of systems. There is even ransomware tailored to target specific industries. Some ransomware strains are designed to propagate rapidly via wi-fi and print networks, others target and encrypt data backups. Many of the more prominent forms of ransomware are actually updated and retooled all the time to allow hackers to avoid detection.
“While the sophistication and methods of attack may vary, the short answer is that ransomware is a type of malware that encrypts critical data on a computer or computer network so that users can’t regain access without paying a ‘ransom.’ The payment is typically demanded in bitcoin, because it’s difficult to trace and easily transferable,” says CyberScout founder and chairman Adam Levin.
Adding to the complexity of dealing with ransomware is the controversy about what to do if you get hit--specifically, whether or not ransoms should be paid. Baltimore mayor Bernard C. Jack Young faced heavy criticism from his constituents for the $18 million in damage caused by a 2019 ransomware attack when he could have paid an $80,000 ransom.
It can work out. The city of West Haven, Connecticut got hit with ransomware and opted to pay $2000 to the hackers; they quickly found their systems restored.
Other ransomware victims haven’t been as lucky. One study found that of the 45 percent of US companies hit with ransomware attacks, only 26 percent had their data unlocked.
“The safest bet is to prevent these attacks in the first place. But there have been informative examples of companies that mitigated the damage from a ransomware attack. Your Cliffs Notes version: Put yourself in a position where you can’t be affected ransomware,” says Levin.
There are a few attitudes to take--all of them helpful. The first is to focus on prevention, which involves minimizing your company’s attackable surface and understanding how ransomware work and how the hacking groups who develop them operate. Below are three of the more widespread and dangerous types.
WannaCry
WannaCry is a well known form of ransomware that first made headlines in May 2017 after infecting between 200,000 and 300,000 computers located in more than 150 countries. Although WannaCry’s spread was largely halted after about four days, the total damages were estimated to tally up to $4 billion, and affected companies and organizations including FedEx, the UK National Health Service, Nissan, the Russian government, Hitachi, and many others.
Outside of the widespread damage WannaCry caused within a relatively short window of time, what makes this variant of ransomware noteworthy is what made it possible. The hack exploited a flaw in the Windows operating system. The problem’s discovery and resulting hack came out of the U.S. National Security Agency (NSA) and was called EternalBlue. This famous bit of NSA know-how was stolen in 2016 and leaked online in 2017 by a hacking group calling themselves the Shadow Brokers. EternalBlue has also been repurposed into other related ransomware variants, including NotPetya and BadRabbit.
In the wake of the WannaCry attack, the NSA was heavily criticized for failing to disclose a key vulnerability in the Windows XP operating system for more than five years, opting instead to leverage it within their own set of hacking tools.
“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” wrote Microsoft President Brad Smith on the company’s blog following the WannaCry attacks. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
The damage caused by these WannaCry hacks was much more expensive than the ransom demanded to decrypt infected systems--$300 to $600 in BitCoin. WannaCry’s code wasn’t designed for extortion, and therefore lacked a way to link BitCoin payments to specific computers, which meant that few, if any, victims who opted to pay the ransom got their data back.
Data collected from a bot tracking ransom payments found that only a few hundred targets paid the ransom, and that the total haul for the hackers was roughly $140,000. Security specialists and the U.S. government tracked the ransomware activity back to the Lazarus Group, a hacking team with ties to North Korea.
“The attack was widespread and cost billions, and North Korea is directly responsible,” wrote Thomas P. Bossert, a security adviser to the Trump administration in the Wall Street Journal.
“We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree.”
There were fortunately two factors that helped to prevent WannaCry from spreading to millions of computers. First, security researchers examining its code found a “kill switch” that deactivated it on infected computers. Second, Microsoft responded quickly and released emergency patches to address the vulnerability.
Regularly patching software is key to preventing cybersecurity incidents, according to Levin.
“Microsoft had released a patch back in March [2017], but not everyone had applied it, particularly on older Windows XP systems… those were the companies affected,” he wrote. “All businesses can reduce their risk by knowing what applications and versions are in their networks.”
While ransomware has been in circulation for decades, the scale and number of computers affected by WannaCry’s spread arguably helped raise awareness of the threat it continues to pose to businesses, organizations, and individuals alike.
Despite the mitigation of the ransomware’s initial spread, it still remains active and accounted for no less than 40 percent of all ransomware detections in Q1 2020, primarily affecting unpatched systems in Thailand, Turkey, and Indonesia.
Ryuk
Ryuk is relatively new to the cybercrime scene, having first been identified in August 2018 as a variant of Hermes ransomware. Although it hasn’t infected as many systems as more ubiquitous ransomware programs, Ryuk has caused enormous disruption by specifically targeting large scale networks. Its victims include, but are not limited to, the city of New Orleans, the U.S. Coast Guard, dozens of U.S newspapers, and several hospitals and health care providers.
The fact that Ryuk has compromised several high profile targets is a key part of its modus operandi. Instead of spreading via phishing campaigns or propagating willy-nilly over networks, it takes a longer approach and typically compromises its victims via a multi-stage process. Ryuk is actually primarily dependent on two other forms of malware called Emotet and Trickbot.
Emotet is what’s referred to as a “dropper” Trojan, which is typically spread via malware-laden attachments and enables hackers to install other programs. Computers and networks compromised by Emotet will often then be infected by the Trickbot strain of malware, which takes control of targeted computers and allows hackers to install ransomware, including Ryuk. This combination is often referred to as a “loader-ransomware-banker trifecta.”
Because Ryuk requires several steps before it’s able to compromise a system, it typically targets enterprise environments and charges relatively high prices to decrypt affected files. The size of the ransom tends to vary according to the size and resources of its targets as well as the sensitivity of the data it encrypts. The lowest known ransom was for 1.7 Bitcoins (roughly $20,000), and the highest was for 99 Bitcoins (roughly $1.2 million), with the average being somewhere between 15 and 50 Bitcoins (roughly $100,000 to $500,000).
One of the more sophisticated elements of Ryuk is that it first targets and stops malware and antivirus-related processes, and then in turn looks for and compromises connected system backups. This activity makes it both significantly harder to detect a Ryuk infection and makes it near impossible to recover system data if external and offsite backups aren’t available.
After using three separate layers of encryption on its target computer, Ryuk then generates a ransom note in every file folder, typically informing its victim that their files are encrypted, and providing a secure email address and bitcoin wallet to deposit the ransom.
Example Ryuk Ransomware Note
Ryuk has been attributed to two hacking groups, Wizard Spider and Cyptotech. A 2019 report from the FBI estimated that this variant of ransomware had netted $61 million in reported cases in the U.S. alone, a figure that is expected to increase significantly in 2020 and beyond.
What to do about Ryuk?
It’s difficult to mitigate once this ransomware takes hold of a system, so the best method is to prevent infection. Companies and organizations should regularly train employees to identify potential phishing emails containing malware-laden attachments, invest in malware and antivirus software to identify and block threats. Most importantly, it is crucial to follow the 3-2-1 strategy of backups:
- Keep at least three copies of data.
- Store two copies on different media.
- Keep one backup copy offsite and offline.
Sodinokibi / REvil
Sodinokibi, also known as REvil, is a sophisticated form of ransomware with an equally sophisticated criminal organization behind it. It currently represents at least a quarter of all the ransomware attacks recorded in 2020.
This variant was first discovered in April 2019 and is considered to be an offshoot of GandCrab, a kind of ransomware that is estimated to have been behind 40 percent of ransomware incidents between 2018 and 2019 taking in a haul of more than $2 billion before it was officially “retired” by its developers, who announced that they were “getting a well-deserved retirement,” and declared themselves “living proof that you can do evil and get off scot-free.”
The retirement of the creators of GandCrab was short-lived, as they claimed responsibility for developing and releasing Sodinokibi, which first targeted two cities in Florida and then infected at least 22 separate municipal governments in Texas. Since then, it has been used in several other high-profile attacks, including Travelex, a currency exchange firm, and the celebrity law firm Grubman Shire Meiselas & Sacks.
While Sodinokibi has proven to be difficult to detect and has multiple means of infecting and encrypting systems, it also stands out due to its business model, which has come to be known as “ransomware-as-a-service,” or RaaS. Rather than deploying their own ransomware, the hacking group behind Sodinokibi leases it out to affiliates, who handle the work of infecting systems, collecting ransom and communicating with victims. The ransom is then split between both parties, with the developers receiving 40 percent of all payments received.
Another Sodinokibi tactic is to pressure victims into paying a ransom by putting the transaction on a two-day timer (screenshot below). If the victim doesn’t pay, the amount required doubles. Because this variant is service-oriented, most attacks provide resources and links to cryptocurrency exchanges and even online chat support.
Although Sodinokibi has several advanced features that make it difficult to detect, many antivirus and malware programs have improved their detection rates and can often block it before it deploys on a network. Sodinkibi has also been seen to exploit known security vulnerabilities, especially on VPN services. In both cases, the best protection is to make sure systems are updated and patched regularly, especially when emergency security updates are made available.
Source: Symantec
One-Two Punch: Two crimes in one
Additionally, the hackers behind Sodinokibi have created a dark website where they auction off data from victims who refuse to pay ransoms, creating a one-two punch of disrupting businesses and organizations and then exposing them to the fallout, including major fines, from a major data breach.
The lost productivity associated with a workforce losing access to its network can be considerable. If a company finds itself also confronted with employees who have suffered identity-related crimes as a result of an adverse cyber event like a ransomware attack, there is the potential for serious disruption. To address this scenario, human resources departments should consider offering identity theft resolution and other cyber solutions to employees as a perk.
Identity theft victims will typically use twice as much sick time and are absent five times more than average dealing with an identity-related crime. It is avoidable.
“Adding cyber-protection to an employee benefits package or an insurance policy is a double win: It helps with retention and helps people engage in better cyber-self-protection,” says Levin. “Anyone who has been the victim of an identity-related crime will tell you that such services are a huge win for everyone involved.”