Ransomware: Extorting Business and Consumers

Ransomware isn’t a new threat and has grown manifolds in the past few years. The growth is not merely in number of infections, but as well in sophistication of the attacks. Over the period we have observed and highlighted the consistent growth in ransom demands, detections, and additions to the ransomware families. Symantec’s Internet Security Threat Report Vol 22 revealed that ransomware was one of the most significant threats facing both individuals and organizations last year. The report revealed that the daily rate of antivirus detections for ransomware was averaging at approximately 846 per day at the beginning of the year and rising to more than 1,539 a day at year end. Overall the detections of ransomware increased by 36 percent last year. Due to its prevalence and destructiveness, ransomware remained the most dangerous cybercrime threat facing consumers and businesses.

Over the time attackers have honed and perfected the ransomware business model, using strong encryption, anonymous Bitcoin payments, and vast spam campaigns to create dangerous and wide-ranging malware. Ransomware is spread in many different ways. However, the two primary infection vectors include; spam campaigns and exploit kits. In the case of ransomware distributed via email, most attacks (hundreds of thousands per day) are blocked by anti-spam defenses. Most ransomware emails come with a downloader hidden in a malicious attachment. The downloader is used to download and install the ransomware on the victim’s computer and a significant number of attacks are blocked at this stage, before the ransomware can be downloaded to the target’s computer. In the case of web attacks, a significant number of ransomware attacks are performed using exploit kits, exploit kit attackers usually compromise third-party web servers and insert malicious code into the web pages hosted on them. This enables them to direct browsers to the exploit kit servers.

The other key tactics used to spread ransomware include; exploiting server vulnerabilities, brute-forcing passwords, via third party app stores among others.

Arrival of Ransomware-as-a-Service

2016 saw the advent of Ransomware-as-a-Service (RaaS) that involves malware developers creating ransomware kits, which can be used to easily create and customize their new ransomware variants. The developers usually provide the kits to attackers in exchange for a percentage of the proceeds.

How ransomware can affect consumers

In many cases, the victim would receive a spam email designed to lure the recipient into opening a malicious attachment, e.g. opening the attachment can set the process of infection. It can run a small piece of malware, known as a downloader, which will download the ransomware and install it on the victim’s computer. Once installed, the ransomware will then begin encrypting a pre-programmed range of files on the computer. Most newer ransomware families employ strong encryption, meaning the victim has no hope of opening encrypted files without an encryption key. Often the victim will be unaware of anything untoward until a ransom message is displayed on their screen.

How ransomware can affect businesses

Most ransomware threats are indiscriminate and the infection experience is similar for businesses and consumers. However, a small number of groups have begun to specifically target businesses with ransomware attacks designed to infect multiple computers on a single network and encrypt valuable data.

What can you do?

Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up.

* New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against ransomware.

* Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.

* Email is one of the main infection methods. Delete any suspicious-looking email you receive, especially if they contain links and/or attachments.

* Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.

* Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.

Ritesh Chopra
Country Manager, Consumer Business Unit at Symantec