Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we begin a series of TomCasts on a threat that has adversely impacted many people and numerous organizations. That threat is known as Ransomware. Over the next few TomCasts we will be discussing what Ransomware is, how to respond if you or your organization has been impacted by it, and how to arm yourself and your organization to help prevent Ransomware attacks and their impacts.
So, let’s dive right in. What is Ransomware? According to a guide from the Secret Service, “Ransomware is a type of malicious software (or, malware) which denies access to systems or data and/or exfiltrates data.” When the access is denied, a ransom is demanded. The threat actor also makes various threats about what will happen if the ransom is not paid, along the lines of “your data will be sold”, “your data will be made publicly available”, and more. The idea is that once the ransom is paid, the threat actor will return access to the data or resources.
Ransomware typically displays on-screen alerts that inform the victim that the device or resource has been locked or the files encrypted. According to the guidance from the Secret Service, in some cases after the initial Ransomware infection the Ransomware will attempt to spread to connected devices and systems.
The characteristics of Ransomware are as follows:
- Non-encrypting Ransomware locks the screen and restricts access to files.
- Encrypting Ransomware prevents computers from booting into a live environment by encrypting the master boot record (MBR).
- Leakage or “extortionware” exfiltrates data.
- Mobile device Ransomware infects smartphones through drive-by downloads or fake apps.
Why is Ransomware used? Ransomware is used by threat actors to hold systems, or the data contained therein, hostage until a ransom is paid for a decryption key. As stated earlier, threat actors will also threaten to sell the data or files on the dark web, or will threaten to publish the data publicly, if the ransom is not paid. With technological advancements in the financial sector, many threat actors now demand virtual currency or cryptocurrency as the payment method.
A very important note to dwell on for a moment here is that paying the ransom DOES NOT GUARANTEE REGAINING ACCESS. There have been documented cases where the ransom was paid and no decryption key was provided. Imagine being part of an organization that has been infected by Ransomware: the ransom was paid, and nothing happened. A large sum of money has gone out the door and there is still no access to the encrypted data. Even thinking about a scenario like that drives up the anxiety levels, doesn’t it?
Well, ok, so how does Ransomware get into a system? There are various methods used by threat actors to infect a system with Ransomware. One of the most commonly used ones is a social engineering tactic known as Phishing (phishing with a ph, not an f). We described various types of phishing back in TomCast IV, titled Social Engineering part II. In a nutshell, phishing is “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”
Basically, someone receives an email that they believe is legitimate, they click the link within the email, and shortly thereafter the threat actor gains control of their system and Ransomware is loaded and executed.
Ransomware can also be delivered through vulnerabilities in the operating system or an application; this method allows threat actors to deliver the malware directly onto the system without having to trick or interact with anyone.
So, who is a target for Ransomware? The best answer I can give to that question is anyone. It all depends on what the threat actor wants at the time. There is no single answer that can be provided.
Stay tuned; TomCast XXI will discuss how to respond to a Ransomware attack or infection!
We here at GuardSight thank you for taking the time to listen to this TomCast. Please share this if you believe it would be of assistance to anyone in your contact list, and please provide us some feedback in the comments so we can continue to improve. Thanks!