Ransomware
What is Ransomware:
A ransomware attack involves locking and encrypting the victim's data, and important files then demanding payment from the victim to decrypt and unlock them.
Ransomware can affect any device -- computers, printers, smartphones, wearables, or point-of-sale (POS) terminals -- by exploiting human, system, network, or software vulnerabilities.
In recent trends ransomware attacks have evolved to a state in which attackers will utilize data exfiltration on top of encryption which can lead to further blackmail involving sensitive data that was stolen. Additionally, attackers have begun targeting how organizations attempt to avoid ransomware by targeting backups that the organization may have created even if they are stored externally from the system.
How Ransomware works:
An example of a ransomware attack is by blocking access to data on a victim's machine to extort money from them. Ransomware is commonly spread through encryptors and screen lockers. Encryption makes data useless without a decryption key, which makes it useless without an encryption key. By contrast, screen lockers simply display a "lock" screen declaring the system encrypts and blocking access to it.
Who should be Worried:
Ransomware can affect any online-connected device. An infected device can also expose the local network to ransomware since ransomware scans a local device and any network-connected storage. An encrypted ransomware file could halt productivity and services if the network is a business. The latest software security patches should be applied to devices connected to the internet, and anti-malware should detect and stop ransomware. The vulnerability of out-of-date operating systems, such as Windows XP, is much higher when they are not maintained.
A recent statistic put out in Computech's report on ransomware argues that in 2021 most “hackers can successfully penetrate 93% of corporate networks”, which if large organizations are unable to counter determined threat actors then most small organizations will be at a large risk, unable to counter this type of cyber attack.
Another aspect to keep in mind when determining on paying a ransom is the United States FBI. Maintains that organizations should not pay a ransom. However, the FBI will not seek prosecution if an organization decides to pay a ransom. In Thycotic`s 2021 State of Ransomware report, it was determined that close to 83% of all victims of ransomware end up paying.
Should You Pay Threat Actors for the Decryption Key:
The user is notified that their files are encrypted and how much money they need to pay to decrypt. Ransoms are usually raised after a certain time if the victim has not paid. Businesses are also threatened with being exposed as victims of ransomware, which will further damage the trust of an organization.
It is riskier to pay if you never received the cipher keys to decrypt the data. In a chart put out by SOPHOS, it was found that only 8% of people were able to recover all of the data they lost after the attack. In addition to losing money, the organization still does not have the decryption keys. To prevent perpetuating the monetary benefit to attackers, most experts advise against paying the ransom, but many organizations are unable to refrain from doing so. To prevent reverse money transfers, ransomware authors require cryptocurrency payments. Cryptocurrency being unregulated also allows them to leave no paper trail.
Examples:
One of the most infamous examples of a ransomware attack in the US was in 2021 on the Colonial Pipeline, which is responsible for 40% of the East Coast’s fuel. The attackers had locked down the organization's ability to bill for their services, which forced the organization to temporarily halt service. Even after Colonial Pipeline paid the 4.4 million dollar ransom, the damage was already done in the form of fuel purchasing restrictions that were placed on 17 different US states.
This is another key element of ransomware attacks, which includes the disruptive nature of an attack. Even when the ransom is paid and the decryption keys are received. It can still take time for an organization to return to the previous state it was in. Another prime example of this is when the city of Baltimore was hit by ransomware in 2019 and the city was paralyzed for over a month Impacting services such as vaccine production, ATMs, airports, and hospitals.
Demonstration:
ransomware_video_updated.mkvAuthors are:
Hasan Hashim
Cyber Security and Digital Forensics
Keegan Thomas
Computer and Digital Forensics
Nicolas Hall
Computer Networking and Cybersecurity
John Tiseo
Computer Networking and Cyber Security