What Is Ransomware?

As our lives are increasingly digitized, ransomware attacks emerge more prominently than ever. With cyberattacks becoming more sophisticated and frequent, the threat affects many sectors. The alarming escalation in incidents and the high recovery costs underscores the urgent need to combat known and emerging ransomware threats.

In this blog, we will delve deeper into the world of ransomware, exploring its many types, understanding the stages involved in an attack, and offering key strategies to protect against such formidable digital adversaries.

What Is Ransomware?

Ransomware is a type of malicious software designed to hold a computer system or data hostage until a sum of money, or ransom, is paid. As reported by IBM's 2023 Security X-Force Threat Intelligence Index, ransomware was responsible for 17% of cyberattacks in 2022 [1]. It's no longer just about encrypting data; modern ransomware employs 'double-extortion' and 'triple-extortion' tactics that amplify potential damages. 

With the average duration of attacks significantly reduced and ransom demands escalating, the cost of ransomware attacks, excluding the ransom itself, averaged USD 4.54 million in 2022. It is projected that in 2023, the overall cost to victims could reach USD 30 billion.

Types of Ransomware

There are four different types of ransomware, which are listed below.

1. Leakware (a.k.a Doxware)

Leakware is a type of ransomware that steals sensitive data from a victim's computer and threatens to publish it unless a ransom is paid. The data that is stolen can include anything from personal information to financial records to business secrets.

Here is an example of a leakware ransomware attack:

In 2019, the British telecommunications company TalkTalk was the victim of a leakware attack. The hackers stole personal information from over 150,000 customers, including names, addresses, phone numbers, and email addresses [2]. The hackers also stole some financial information, such as bank account numbers and credit card details. 

The hackers demanded a ransom payment of £10 million in exchange for not publishing the stolen data. TalkTalk refused to pay the ransom, and the hackers published the data online. The publication of the stolen data caused a great deal of damage to TalkTalk's reputation. The company lost customers, and its stock price plummeted. TalkTalk has since taken steps to improve its security measures. However, the leakware attack is a reminder that even large and well-established companies are not immune to cyber attacks.

2. Destructive Ransomware (a.k.a Wipers)

Destructive ransomware, also known as wiper malware, is a type of malware that is designed to delete or encrypt data on a computer system. Wiper malware is typically used by cyber attackers to cause disruption or damage to a target organization's operations.

Wiper malware differs from traditional ransomware in a few key ways. 

First, wiper malware does not typically demand a ransom payment in exchange for decrypting the data. Instead, the goal of wiper malware is to simply destroy the data, regardless of whether or not the victim pays the ransom.

Second, wiper malware is often more sophisticated than traditional ransomware. Wiper malware may be able to evade detection by security software and may be able to spread to other systems on a network.

Here is an example of a destructive ransomware attack:

The NotPetya ransomware attack, also known as GoldenEye, was a highly destructive cyberattack attributed to the Russian military by the US and UK governments [3]. Targeting companies in Ukraine, it caused significant damage to its government, financial, and energy institutions, as well as global companies with offices in Ukraine, resulting in massive financial losses, including up to $300 million for Maersk. The malware was designed not to be decrypted, making recovery impossible, leading to its characterization as a wiper malware rather than traditional ransomware.

3. Mobile Ransomware

Mobile ransomware is a malicious software that targets mobile devices, usually delivered through harmful apps or downloads. Unlike its counterparts on other platforms, mobile ransomware often uses lock-screen tactics instead of encryption due to automatic cloud backups prevalent on many devices. These lock-screen attacks restrict access to the device until a ransom is paid, however, they can typically be mitigated by removing the offending app or restoring from a backup.

4. Scareware

Scareware is a type of malicious software designed to frighten users into performing certain actions, typically involving payments or installations of harmful software. Using deceptive alerts or warnings, scareware often pretends to be from a legitimate security provider or government agency. 

For example, a user might see a fake notification alleging illegal activities and demanding a fine, or a fraudulent virus alert urging them to buy non-existent security software. In some cases, scareware may lead to further malware downloads or data encryption.

What Is Ransomware Attack?

A ransomware attack is a cyber threat where malicious actors infiltrate a network, usually via a phishing scam, and encrypt critical data, thus preventing access and impeding business operations. This is classified under the MITRE ATT&CK framework as "Data Encrypted for Impact (T1486)". The attackers then extort the victim by demanding a ransom, typically in hard-to-trace cryptocurrencies like Monero or Bitcoin, to provide the decryption key needed to restore the data.

A well-known real-life example is the 2020 attack on Garmin, a GPS technology company [4]. The attackers encrypted Garmin's customer service systems and demanded a ransom to restore it. With its operations severely disrupted, Garmin reportedly paid the ransom, demonstrating the significant impact and efficacy of these attacks.

How Does Ransomware Work?

There are five stages to a ransomware attack. In this section, we are going to examine these five stages with a real-life example carried out by the Cl0p ransomware gang.

An Example Ransomware Attack by the Cl0p Ransomware Gang

• Stage 1: Initial Access

The initial stage involves gaining unauthorized access, which is typically achieved through phishing attempts or exploiting system vulnerabilities. 

In the case of CL0P, initial access was gained through exploiting a public-facing application, CVE-2023-34362 Moveit Transfer zero-day SQLi vulnerability (MITRE ATT&CK Technique T1190).

• Stage 2: Post-exploitation 

Subsequently, in the post-exploitation stage, attackers may employ remote access tools (RATs) or other types of malware to establish control over the compromised system.

After initial access, CL0P ransomware actors used SDBot, a backdoor that enables other commands and functions to be executed on the compromised computer (MITRE ATT&CK Technique T1059.001). 

They also use TinyMet, a small open-source Meterpreter stager to establish a reverse shell to their C2 server. This provides a concealed link from the victim's system to the attackers' command and control server, allowing continued access and control over the system. This backdoor and reverse shell setup allows CL0P to move deeper into the network and helps facilitate the next stage of their attack.

• Stage 3: Understand and expand

In this stage, attackers learn about the compromised system and domain, and they work on lateral movement to access other systems and domains within the network. This helps them increase their control over the targeted organization's infrastructure.

In this stage, CL0P actors used Cobalt Strike to expand network access after gaining access to the Active Directory servers (MITRE ATT&CK Technique T1018). They also used Server Message Block (SMB) vulnerabilities and follow-on Cobalt Strike activity for lateral movement.

• Stage 4: Data collection and exfiltration

Attackers then concentrate on identifying valuable data and stealing it by making copies for themselves. They often prioritize sensitive data like login credentials, customer information, and intellectual property for double-extortion purposes.

CL0P actors utilized Truebot, a first-stage downloader that can collect system information and take screenshots (MITRE ATT&CK Technique T1113). They used the DEWMODE and LEMURLOOT web shells for data exfiltration, interacting with MySQL databases and moving data from compromised devices.

• Stage 5: Deployment and sending the note

In this final stage, crypto ransomware starts identifying and encrypting files on the targeted system. Attackers may also disable system restore features or delete or encrypt backups to increase the pressure to pay for the decryption key. Non-encrypting ransomware may lock the device screen or flood it with pop-ups to prevent usage.

Once the encryption or device lockdown is complete, attackers notify the victim of the infection via a text file or pop-up notification. The ransom note provides instructions on how to pay the ransom, typically through cryptocurrency or another untraceable method, in exchange for a decryption key or restoration of normal operations.

CL0P ransomware gang deploys the ransomware to begin identifying and encrypting files (MITRE ATT&CK Technique T1486). After the encryption process, they leave a ransom note in .txt files or pop-ups with contact and payment information (as seen in the CL0P Ransom Note). 

Figure 1. A Ransomware Note by Cl0p Ransomware Gang [5].

They often threaten to publish extracted data on their leak site if victims do not pay the ransom amount, a practice known as "double-extortion".

What Is Ransomware-as-a-Service (RaaS)?

Ransomware-as-a-Service (RaaS) is a business model where cybercriminal operators develop ransomware tools and sell them to affiliates who carry out attacks. This model mirrors legitimate Software-as-a-Service (SaaS) offerings, providing affiliates with easy-to-use interfaces, support, and sometimes profit-sharing arrangements. 

Ransomware-as-a-Service (RaaS) Groups and Operations

• LockBit

LockBit operates uniquely as a Ransomware-as-a-Service (RaaS) model [6], where affiliates receive a portion of ransom payments. The malware's speed and automation capabilities make it exceptionally potent; it infiltrates and encrypts networks rapidly, leaving victims with paralyzed systems. What distinguishes LockBit is its 'double extortion' tactic; it not only encrypts files but also threatens to publicly disclose them, increasing the pressure for payment. Yet, there's no guarantee of decryption post-payment, a sobering reminder of the ruthlessness of this evolving cyber threat.

• BlackCat (ALPHV)

BlackCat, also known as Noberus or ALPHV, is a highly sophisticated Ransomware-as-a-service (RaaS) variant. Operating since November 2021, BlackCat is considered a successor to prominent ransomware operators like REvil, Darkside, and BlackMatter [7]. The ransomware stands out due to its technical sophistication, developed in the Rust programming language, and adaptability to a range of corporate environments. BlackCat's advanced features include various encryption routines, self-propagation capabilities, and the ability to neutralize hypervisors. Customizability is central to its operation, with affiliates responsible for breaches and device encryption, while the core group handles code maintenance and development.

• Hive

Emerging in April 2022, Hive is a notorious ransomware-as-a-service (RaaS) group that amassed over 1,500 global victims [8], extorting millions in ransom payments. Known for employing pass-the-hash techniques, Hive aggressively targeted a wide array of sectors, with a distinct focus on healthcare organizations. However, in January 2023, a significant blow was dealt to the group when the US Department of Justice seized two of Hive's back-end servers in Los Angeles, disrupting its operations significantly. Despite these setbacks, the group's long-term impact remains a concern.

• REvil

REvil, also known as Sodinokibi, is a prominent ransomware-as-a-service (RaaS) operation that has reportedly garnered over $100 million in a year by targeting global businesses [9].  Operating an affiliate model, REvil develops the encrypting malware, while affiliates conduct attacks, data theft, and ransomware deployment. Affiliates receive the lion's share of the ransom—70-80%, while REvil retains 20-30%. The group profits not only from victims paying to unlock encrypted files, but increasingly from payments to prevent public exposure of confidential data. This strategy has become their main source of revenue. REvil pressures victims with a countdown system, threatening public data leaks after a set period.

Should Organizations Pay the Ransom?

In deciding whether to pay ransom after an attack, organizations must consider the risks and factors involved. As per Cybereason's Ransomware: The True Cost to Business Study 2022, it may not be worth paying the ransom [10]. 

The study revealed that 80% of organizations that paid a ransom were attacked again, usually within a month, often with higher demands. Furthermore, only 42% of those who paid a ransom after a successful attack indicated complete restoration of all services and data. With the majority (70%) facing higher ransom demands in subsequent attacks, the study suggests that meeting ransom demands may not provide the expected solution and could potentially worsen the problem.

How to Prevent Ransomware?

Here are best practices and suggestions that will help you prevent a possible ransomware attack on your organization.

Step 1: Minimize the attack surface

This is a crucial step to reduce the risk of ransomware. 

• It is essential to regularly update and patch your software, focusing particularly on the Operating System (OS) and internet-facing servers. Timely updates help address any known vulnerabilities that could be exploited by attackers.

• Adhering to best practices in identity management is equally important. Implementing measures such as Multi-Factor Authentication (MFA) and applying the principle of least privilege can significantly reduce the risk of unauthorized access.

• Performing vulnerability scans on a routine basis is also advised. These scans can help you detect and prioritize the remediation of vulnerabilities before they are exploited by adversaries, thereby preventing initial access to your organization's systems.

• Finally, ensuring that data is regularly backed up is key. In the unfortunate event of a ransomware attack, having access to a recent backup allows you to restore your systems without needing the decryption key, thwarting the attacker's leverage.

Step 2: Focus On Prevention

Preventing ransomware attacks should be the primary objective by implementing preventive security controls, aimed at reducing the likelihood and impact of a successful threat event.

• Utilize Secure Email Gateways (SEGs) as a preventative security control to guard against phishing attacks which are often the initial point of entry for ransomware.

• Safeguard your public-facing applications with security solutions such as Web Application Firewalls (WAFs) and Intrusion Prevention Systems (IPSs) to ward off potential threats.

• Implement preventive tools against endpoint attacks and data exfiltration. Solutions like Endpoint Protection Platforms, antivirus software, anti-malware tools, and Data Loss Prevention (DLP) systems can be highly effective in thwarting attacks and protecting your data.

Emphasizing on prevention not only minimizes the chances of a ransomware attack but also mitigates the potential damage if an attack does occur.

Step 3: Exchange Your Detection Capabilities

Given that no measure can guarantee complete protection against ransomware attacks, boosting your detection capabilities becomes paramount. Prompt identification of an anomaly or malicious file can enable a quicker response to threats.

Implement advanced detection measures that rely on behavior-based approaches. These strategies aid in swiftly pinpointing any abnormal network behavior, a critical component in early threat detection.

For instance, consider employing Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) solutions. These tools offer enhanced visibility over your network, bolstering your organization's ability to identify and respond to potential security incidents before they can escalate into full-fledged ransomware attacks.

Step 4: Validate your security controls against ransomware

Finally, test your ransomware prevention and detection capabilities to ensure your security posture is up to date to protect you against ransomware attacks. 

What should you test? Here is an easy checklist:

Figure 2. Security Control Validation Checklist by Picus Security.

Test WAFs, IPSs, NGFWs, SWGs

Testing security solutions such as Web Application Firewalls (WAFs), Intrusion Prevention Systems (IPSs), Next-Generation Firewalls (NGFWs), and Secure Web Gateways (SWGs) is essential for organizations to fortify themselves against vulnerability exploits targeting web applications and other public-facing applications.

Simulating vulnerability attacks against internet-facing applications allows you to validate the efficacy of these security solutions and proactively address potential issues. Such simulations replicate the tactics, techniques, and procedures (TTPs) used by ransomware attackers, making them an integral part of your cybersecurity strategy.

One of the reasons that make these simulations important is that one of the most frequently used techniques by ransomware actors in the initial phase involves exploiting vulnerabilities in internet-facing assets, public-facing applications, or devices. These assets could be web servers, mail servers, VPN servers, monitoring software, or other internet-facing utilities like the Windows Print Spooler.

For instance, the DarkSide ransomware group is known to have exploited three different vulnerabilities in VMware and SonicWall software, emphasizing the relevance of these simulated attacks.

Test Secure Emails Gateways

Testing Secure Email Gateways is essential due to the prevalence of ransomware attacks initiated through successful phishing. Misleading emails containing malicious links serve as an effective vehicle for delivering cyber threats, often causing significant damage to networks in a brief period.

The reason for the popularity of email attacks is its reach. With nearly half of the global population having an email account, the scope for spreading threats is extensive.

Secure Email Gateways play a crucial role in combating such threats. These specialized firewalls scan incoming and outgoing emails to detect and neutralize threats like phishing attacks, malware, fraudulent content, and even prevent sensitive data exfiltration. Regular monitoring and testing of these gateways are critical in enhancing your organization's resilience against email-delivered cyber threats.

Test Data Loss Prevention (DLP)

​​Testing Data Loss Prevention (DLP) systems is pivotal as data exfiltration and loss can lead to significant reputational and financial damage for organizations. DLP tools classify sensitive data and monitor for any violation of predefined data protection policies, ensuring data, whether at rest, in motion, or in use, is not accessed, lost, or misused by unauthorized users.

However, the presence of a DLP solution is not enough. To ensure its effectiveness, organizations must regularly validate the system's capability. This can be done by simulating attacks and testing methods that may uncover any potential weaknesses in your DLP tools. These tests should encompass scenarios for both data in motion and data in use, ensuring comprehensive protection against unauthorized intrusions.

Test EDRs (Endpoint Detection and Response)

Endpoints, including laptops and devices connected in BYOD (Bring-Your-Own-Device) and multi-cloud environments, are major security risk focus points. Endpoint Detection and Response (EDR) solutions help safeguard these entry points to the network.

However, deploying an EDR solution is not enough. It's vital to ensure the effectiveness of these solutions. Challenges include managing and enforcing software updates across endpoints, enforcing security policies, and controlling network access. Regular testing and validation of EDRs can ensure these systems are effectively mitigating threats and securing the network.

Test the SIEM

Security Information and Event Management (SIEM) tools gather and analyze traffic data, with consultants developing rules to identify what's normal for the IT environment. They're vital for threat detection. However, for effective ransomware detection, a SIEM must be updated, with rules adjusted to both known and emerging threat vectors. Regular testing through attack simulations ensures continuous protection.

To ensure the effectiveness of endpoint security against threats, simulate MITRE ATT&CK techniques often used against cybersecurity solutions. This reveals the platform's performance against attacks, any weaknesses, visibility, and protection against various attack techniques.

How Can You Assess Your Ransomware Readiness with BAS?

Breach and Attack Simulation (BAS) solutions, like the Picus Complete Security Control Validation Platform, significantly enhance readiness against ransomware attacks. The continuous validation of existing security controls, enabled by these solutions, keeps your prevention and detection systems updated and effective. 

Critically, the Picus platform boasts a dynamic Threat Library, which is updated daily with the latest threats, including emerging ransomware variants. This ensures that your defenses are always up-to-date and prepared for the most current threats. 

Figure 3. Emerging Ransomware Threats in Threat Library of the Picus SCV Platform.

Moreover, the platform offers ready-to-run ransomware templates that can simulate these attacks instantly or on-demand. This feature allows you to proactively assess your security posture against ransomware threats, helping you identify and mitigate weaknesses before they can be exploited. 

Figure 4. Ready-to-Run Ransomware Threat Templates in the Picus SCV Platform.

Through such regular simulation, analysis, and mitigation of ransomware threats, organizations can significantly bolster their cybersecurity posture and readiness.