Posted by Geraldine Hunt on Thu, Jun 10th, 2021
Modern ransomware authors create their malware for today’s cyber landscape. They need a way to compromise a system, which is usually done via a phishing campaign. Threat actors then need a way to run ransomware on the system, encrypt important data, and then hold the data ransom until they receive payment in exchange for the private key. Several times a year, major ransomware attacks bring down critical systems, so implementing the right cybersecurity controls and training users to detect phishing are the methods for combating these threats.
Why Do Phishing and Ransomware Go Hand-in-Hand?
In most ransomware attacks, the compromise starts with a phishing campaign. A threat actor could aim for specific people within the organization, such as a CIO. A CIO would likely have high-privilege access to all systems, so an attacker could get malware to run across the network using the CIO’s privileges.
Another option for threat actors is to target several people within the organization regardless of privilege level. More recipients receive the malicious message, but it only takes one of them to run malware on their system. Current malware will copy itself across network storage, lying dormant until other users eventually find it and execute it.
In the first example, an attacker uses spear-phishing to target specific users. The second method relies on the high chance that at least one user, regardless of privileges, will fall victim to phishing. In either scenario, ransomware runs on a computer connected to the business network. Most ransomware is programmed to scan a network for open resources so that it can add as many critical files as possible to the encryption lock. The more files locked down with encryption, the better the chance of forcing the targeted business into paying the ransom.
Ransomware was first seen in 1989, but its popularity and growth began around 2012. Through the years, threat actors have authored ransomware to be much stealthier, and it locks files with methods that cannot be reversed. In the early years, some ransomware could be reversed, and attacks stopped, by reverse engineering its code. Today, threat actors create ransomware to resist anti-malware software, and its encryption cannot be broken.
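The network-scanning behaviour described above is also one of the most detectable stages of an attack: a single workstation that suddenly renames or overwrites many files across several shares in a short window looks nothing like normal user activity. The following is an added example, not code from the original post or from any product, of detection logic run over a constructed set of file-share audit records. The record format (`timestamp host share operation path`), the hostnames, share names and thresholds are all assumptions made for the illustration.

```python
import os
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample of file-share audit records in the form
# "<timestamp> <host> <share> <operation> <path>" (not real logs).
SAMPLE_LOG = """\
2021-06-10T09:13:40Z WS-03 fs01/eng write src/main.c
2021-06-10T09:14:02Z WS-17 fs01/finance rename Q2/budget.xlsx.locked
2021-06-10T09:14:03Z WS-17 fs01/finance rename Q2/forecast.xlsx.locked
2021-06-10T09:14:05Z WS-17 fs01/finance rename invoices/1001.pdf.locked
2021-06-10T09:14:06Z WS-17 fs01/finance rename invoices/1002.pdf.locked
2021-06-10T09:14:09Z WS-17 fs01/hr rename payroll/june.xlsx.locked
2021-06-10T09:14:11Z WS-17 fs01/hr rename payroll/may.xlsx.locked
2021-06-10T09:14:12Z WS-17 fs01/hr rename contracts/a.docx.locked
2021-06-10T09:14:14Z WS-17 fs01/hr rename contracts/b.docx.locked
2021-06-10T09:14:15Z WS-17 fs01/hr read handbook.pdf
2021-06-10T09:14:17Z WS-17 fs02/shared rename notes.txt.locked
2021-06-10T09:14:19Z WS-17 fs02/shared rename plan.pptx.locked
2021-06-10T09:31:12Z WS-03 fs01/eng write src/util.c
2021-06-10T10:05:40Z WS-03 fs01/eng write docs/README.md
"""

# Operations that change data on a share; reads are ignored as normal traffic.
MODIFYING_OPS = {"write", "rename", "delete"}


def parse_record(line: str) -> dict:
    """Split one audit line into its fields; the timestamp is parsed as UTC."""
    ts, host, share, op, path = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "share": share, "op": op, "path": path}


def detect_mass_modification(lines, window_seconds=60, min_files=8, min_shares=2):
    """Flag any host that modifies at least `min_files` distinct files across at
    least `min_shares` shares inside a sliding window of `window_seconds`.
    Thresholds are assumed values; tune them to the environment's baseline."""
    events = sorted((parse_record(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_host = defaultdict(list)
    for e in events:
        if e["op"] in MODIFYING_OPS:
            by_host[e["host"]].append(e)

    alerts = []
    for host, host_events in by_host.items():
        window = deque()
        for e in host_events:
            window.append(e)
            # Drop events that have fallen out of the time window.
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            files = {(x["share"], x["path"]) for x in window}
            shares = {x["share"] for x in window}
            if len(files) >= min_files and len(shares) >= min_shares:
                # The most common extension among renamed targets hints at an encryptor's suffix.
                exts = Counter(os.path.splitext(x["path"])[1]
                               for x in window if x["op"] == "rename")
                alerts.append({
                    "host": host,
                    "first": window[0]["ts"].isoformat(),
                    "last": e["ts"].isoformat(),
                    "files": len(files),
                    "shares": sorted(shares),
                    "top_extension": exts.most_common(1)[0][0] if exts else "",
                })
                break  # one alert per host is enough to trigger a response
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_modification(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample only WS-17 trips the rule (eight files on two shares within twelve seconds, all renamed to a `.locked` suffix), while WS-03's three ordinary writes spread over an hour never do. In practice the alert should feed an automated response such as disabling the host's share access, since by the time an analyst reads it the encryptor has moved on to the next share.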
Authors use a variety of ways to keep the private key from being recovered. The private key must be obtained to decrypt the files, so ransomware can’t simply store it on the drive. Instead, ransomware authors encrypt the private key file with a public key and only decrypt the private key file after the targeted victim pays the ransom.
Spear phishing, the highly targeted variant of phishing, was behind a massive ransomware campaign in December 2020. This series of ransomware attacks targeted around 50 organizations, including several critical infrastructure industries. The attackers used sophisticated spear-phishing campaigns to initiate a ransomware infection.
Protecting Your Business and Files from Ransomware
Cybersecurity professionals suggest two main ways to defend against current ransomware threats. The first method is to train your users so that they have the knowledge to recognize a malicious email and alert the right people within the organization. Some organizations have cybersecurity people on staff, but others only have IT staff that handle reports.
Even with good training, users still make mistakes. User education is always beneficial to cybersecurity, but it should not be your only defense. Training shows users what can happen should they fall victim to a phishing campaign, and it also shows them how to detect a threat. With this training, the chance of your business becoming the next victim is lowered, but the risk is not completely eliminated.
The primary defense against phishing is email filters that detect malicious attachments. Ransomware can be downloaded using a variety of methods. A user can run an executable and install it on their local device. The user could instead open a Microsoft Office attachment and execute an embedded macro. The macro downloads the ransomware from an attacker-controlled server and installs it on the local device. Another method is to trick the user into clicking a malicious link that leads to a website where the attacker takes advantage of poor browser security or convinces the user to download malware.
In any of these scenarios, good email cybersecurity will detect the malicious message and quarantine it. By quarantining the message, an administrator can review it for any malicious attachments. If the message is determined to be malicious, it never reaches the intended recipient, so users are not responsible for being the only defense against a successful ransomware attack.
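The three delivery methods just described (a bare executable, an Office document carrying a macro, and a file whose name hides its real type) are exactly what an attachment filter has to recognize before the message reaches a mailbox. The following is an added example of such a check, not code from the original post or from any TitanHQ product: it parses a raw message with Python's standard `email` library, inspects every attachment, and returns a quarantine-or-deliver verdict with reasons an administrator can review. The extension blocklist, the sender and recipient addresses, and the sample messages are all constructed for the illustration; the `vbaProject.bin` entry in the sample document is a stub, not a real VBA project.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types a gateway typically refuses outright (assumed representative
# blocklist, not any product's real configuration).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}
# OOXML formats are ZIP containers; a VBA project inside them lives at <part>/vbaProject.bin.
OFFICE_ZIP_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def office_has_macro(blob: bytes) -> bool:
    """True if an OOXML container carries a VBA project, whatever its extension claims."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_message(raw: bytes) -> dict:
    """Return {"action": "quarantine" | "deliver", "reasons": [...]} for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
        elif payload[:2] == b"MZ":
            # A Windows PE header under a harmless-looking name such as report.pdf.
            reasons.append(f"executable content in attachment: {name}")
        elif ext in OFFICE_ZIP_EXTENSIONS and office_has_macro(payload):
            reasons.append(f"Office attachment with VBA macro: {name}")
    return {"action": "quarantine" if reasons else "deliver", "reasons": reasons}


# --- constructed fixtures for the demonstration ---------------------------

def build_office_doc(with_macro: bool) -> bytes:
    """Minimal OOXML-shaped ZIP; the vbaProject.bin entry is a stub, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00stub")
    return buf.getvalue()


def build_message(filename: str, content: bytes, maintype: str, subtype: str) -> bytes:
    """Assemble a constructed 'invoice' message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "cio@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(content, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def demo() -> dict:
    """Run the filter over five constructed messages; returns filename -> action."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed PE-like header, not a program
    samples = {
        "invoice.docm": build_message("invoice.docm", build_office_doc(True), "application", "octet-stream"),
        "invoice.docx": build_message("invoice.docx", build_office_doc(False), "application", "octet-stream"),
        "invoice.pdf.exe": build_message("invoice.pdf.exe", fake_pe, "application", "octet-stream"),
        "report.pdf": build_message("report.pdf", fake_pe, "application", "pdf"),
        "notes.txt": build_message("notes.txt", b"meeting notes", "application", "octet-stream"),
    }
    return {name: inspect_message(raw)["action"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:16s} -> {action}")
```

The content check on the first two bytes matters as much as the extension list: the `report.pdf` sample is quarantined even though its name is allowed, and the macro-free `invoice.docx` is delivered even though it shares a container format with the macro-enabled one. A production filter would go further (sandbox detonation, URL rewriting, sender authentication), but the quarantine-with-reasons shape is what lets an administrator review a held message as the paragraph above describes.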
Ransomware can be prevented, but there is no single solution to the problem. The Center for Internet Security (CIS) sets out a series of best practices used to protect against ransomware attacks, which include:
- Maintain an incident response plan
- Use prompt and regular patches
- Have multiple iterative backups
- Control internet access and prevent employees from navigating to malicious websites
- A layered security approach: an email filter and content filtering solutions to prevent phishing emails
Email filters should be your first defense, with a secondary strategy of educating users. With these two strategies in place, your business can be protected from phishing campaigns, which can deliver a range of malware threats including ransomware, keyloggers, persistent threats, and data theft.
Protect and prevent ransomware attacks with TitanHQ multi-layered security. A combination of email protection and DNS filtering will ensure no human error is made in clicking on a harmful phishing email. Speak to a TitanHQ security expert to discover how we can protect your organization.