Ransomware Attack: Definition, Examples, and Prevention
What is Ransomware?
Ransomware is malicious software that encrypts files so that the data or systems a victim depends on become inaccessible. The attackers then demand a ransom in exchange for restoring access.
First, the ransomware is delivered and run. Most ransomware still relies on a person clicking a link or a pop-up or opening a malicious attachment, though exposed remote-access services such as RDP are another common entry point. Next, files are encrypted, either on the individual machine alone or across file shares and other hosts on the network. Finally, the attackers demand a ransom in exchange for the decryption key that will restore access.
Ransomware varies in the type of encryption used, the scale of data encrypted, and its capacity to spread between computers. It has become increasingly sophisticated, with stronger encryption, new infection vectors, and the ability to use network exploits to infect additional hosts.
Protection Against Ransomware Attacks
Some basic preventative steps:
- Patch quickly, especially internet-facing systems and vulnerabilities known to be exploited
- Monitor for attack behavior, not just known malware signatures
- Educate users on the risks of links and attachments from unknown sources
- Limit use of RDP where possible, and never expose it directly to the internet
- Carefully control admin privileges so a single compromised account cannot reach every share
- Avoid the use of insecure protocols such as SMBv1
Unfortunately, preventative measures only go so far, and there is always a risk that attackers will find a foothold. That is why internal visibility, the ability to see east-west traffic inside the enterprise, is crucial: it lets you detect ransomware early enough to act before the encryption has spread.
One way to catch ransomware is with behavioral detections. For example, a client that reads from and writes to an unusually high number of files in a short period of time is behaving the way an encryptor behaves, and that pattern can indicate an attack.
Another detection method is specific to the SMB/CIFS protocol. It works the same way but yields more detail for investigation and for deciding whether the activity is ransomware or something less serious, such as a backup or indexing job that reads many files but writes few. This method monitors SMB/CIFS file operations and alerts the security team when a single client has read from and written to an unusually large number of files over SMB/CIFS, along with which shares and paths were touched.
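The following is an added example, not code from the original page or from any vendor's product, showing the behavioral check described in the two paragraphs above run over file-access records. It flags a client only when it both reads from and writes to many distinct files inside a short window, so a backup job that reads thousands of files but writes none is not flagged. The record layout, the sample records, the window and the threshold are all constructed assumptions for this example and would need tuning per environment.

```python
"""Behavioral ransomware detection over SMB/CIFS file-access records.

Added example, not code from the original page. A client is alerted when the
number of distinct files it has BOTH read from and written to inside a short
look-back window reaches a threshold. Log format, sample data, window and
threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)  # assumption: look-back window per client
THRESHOLD = 50                   # assumption: distinct files read AND written

# Constructed record layout: "<ISO timestamp> <client IP> <share> <path> <READ|WRITE>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (READ|WRITE)$")


def parse_line(line):
    """Parse one record. Malformed lines return None so that one bad record
    cannot abort the whole detection run."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, share, path, op = m.groups()
    return datetime.fromisoformat(ts), client, share, path, op


def detect_mass_read_write(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {client: detail} for every client whose peak count of distinct
    files both read and written inside `window` reaches `threshold`."""
    per_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_client[ev[1]].append(ev)

    alerts = {}
    for client, events in per_client.items():
        events.sort(key=lambda e: e[0])
        reads, writes = {}, {}        # path -> number of ops inside the window
        shares = defaultdict(int)     # investigation detail: shares touched overall
        start, peak, peak_at = 0, 0, None
        for ts, _, share, path, op in events:
            # Slide the window forward: evict events older than `window`.
            while events[start][0] < ts - window:
                _, _, _, old_path, old_op = events[start]
                table = reads if old_op == "READ" else writes
                table[old_path] -= 1
                if table[old_path] == 0:
                    del table[old_path]
                start += 1
            table = reads if op == "READ" else writes
            table[path] = table.get(path, 0) + 1
            shares[share] += 1
            # A backup job reads many files and writes none; a user editing a
            # document touches a handful. Only a client doing BOTH at scale
            # looks like encryption in place, so score on the smaller count.
            score = min(len(reads), len(writes))
            if score > peak:
                peak, peak_at = score, ts
        if peak >= threshold:
            alerts[client] = {
                "files_read_and_written": peak,
                "peak_at": peak_at.isoformat(),
                "shares": dict(shares),
            }
    return alerts


def _constructed_log():
    """Constructed sample: a backup server reading 300 files (reads only), a
    user editing six files, and an infected workstation rewriting 120 files
    on the finance share in under a minute, plus one malformed line."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    lines = ["this line is garbage and must be skipped"]
    for i in range(300):  # 10.0.0.20: backup job, one read per second
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.20 hr staff/record{i}.pdf READ")
    for i in range(6):    # 10.0.0.31: normal user, read then save a few files
        ts = t0 + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.31 finance q1/budget{i}.xlsx READ")
        lines.append(f"{(ts + timedelta(seconds=30)).isoformat()} 10.0.0.31 finance q1/budget{i}.xlsx WRITE")
    for i in range(120):  # 10.0.0.77: encryptor, read then overwrite every 400 ms
        ts = t0 + timedelta(milliseconds=400 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.77 finance q1/doc{i}.docx READ")
        lines.append(f"{(ts + timedelta(milliseconds=200)).isoformat()} 10.0.0.77 finance q1/doc{i}.docx WRITE")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for client, detail in detect_mass_read_write(SAMPLE_LOG).items():
        print(f"ALERT {client}: {detail}")
```

Scoring on the smaller of the two distinct-file counts is what separates the encryptor from the backup job: the backup host reaches 120 distinct reads inside the window but never writes, so its score stays at zero, while the infected host reaches 120 on both tables. The shares dictionary is kept for the investigation step, so an analyst can see at a glance which shares need to be taken offline or restored from backup.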
Network detection and response can provide a live activity map of suspicious traffic moving through your enterprise so you can immediately disconnect infected computers, identify and block malicious IP addresses, and begin restoring files from backup.
Detection can be extended with decryption. Ransomware often moves over Microsoft protocols such as SMBv3, which supports native encryption of the session, and the file names and operations inside an encrypted session are invisible to a passive sensor. For this reason, network security tools need the ability to decrypt the commonly encrypted Microsoft protocols, including Kerberos, MS-RPC and SMBv3, which requires providing the sensor with the necessary key material.
Ransomware History
The first known ransomware, the AIDS Trojan written by Joseph L. Popp in 1989, was distributed on floppy disks. Because it used symmetric cryptography, the key had to be present on the victim's machine, so files could be recovered without paying. It was a strange opening to what would become one of the most damaging categories of cyberattacks.
Ransomware came to greater prominence in the mid-2000s, when attackers adopted asymmetric encryption such as RSA: the private key needed for decryption never touches the victim's machine, so breaking the encryption is no longer a feasible alternative to paying the ransom or restoring from backup. Since then, ransomware has continued to increase in usage and has frequently made headlines with high-profile attacks.
Of particular note was the 2017 WannaCry attack. It spread using EternalBlue, an exploit for a vulnerability in Windows SMBv1 (patched by Microsoft as MS17-010 in March 2017) that was originally developed by the NSA and leaked by the Shadow Brokers group in April 2017. WannaCry used it to propagate from computer to computer without any user interaction, affecting as many as a quarter million computers and causing billions in damage before it was stopped.
Related Reading
- Ransomware, Exfiltration, and the Recent REvil Attacks
- Customer Spotlight: Medilink Thwarts Ransomware and Automates Investigation
- What the DarkSide Pipeline Attack Means For Securing Critical Infrastructure
- 2021: New SonicWall Exploitation and Ransomware Warning for SRA and SMA Devices
- MeriTalk: Ransomware Tops U.S. Security Agenda