Earlier this year, the National Cyber Security Centre declared ransomware the number one threat facing UK businesses.
Ransomware can be detrimental both financially and operationally, and with plenty of notable attacks over the last twelve months, it’s clear more needs to be done if businesses want to minimise their risk.
Of course, one of the best ways you can go about protecting against a threat is by learning more about it, so in this article, we look at the main types of ransomware and the effect they can have on an organisation.
What is ransomware?
First, let’s deal with the basics. Ransomware is essentially a malicious piece of software used by cybercriminals to blackmail individuals or businesses, usually by disabling access to a computer system or certain files until a large sum of money is received.
Normally, the bad actor will send you instructions to pay in Bitcoin, and upon receipt of the transfer you’ll supposedly get access to your files again. But of course, hackers are not known for their trustworthy nature, so there’s no guarantee this will actually happen.
This is why there’s a lot of debate around whether or not to pay the ransom. Most security specialists will advise against it, for the reason stated above. If you pay, this also says to the hacker that you may well be susceptible to future blackmail too and you increase your chances of being re-targeted.
It is not always easy to apply this logic when you’re the victim of a breach, however, as ransomware can make things very hard on an organisation by crippling its standard operations and putting client data in jeopardy.
Types of ransomware
So what do we mean by ‘type’? There are different variants of ransomware, which are delivered through different means, using different methods, and with varying intentions.
Here are some of the most common types of ransomware we’ve seen:
Locker ransomware
This type of ransomware is designed to lock you out of your device, making it inoperable until a ransom is paid successfully. A lock screen or pop-up may provide instructions for making this payment. Although important files are not necessarily targeted themselves, locker ransomware can make it impossible to continue business operations until something is done. This panic can cause a lot of companies to just pay the ransom.
Crypto ransomware
Another popular type of ransomware, crypto attacks specifically go about encrypting important data, so while a user may be able to carry out basic computer actions, they won’t be able to access their files. In this way, the attacker holds the files for ransom and often threatens to delete or share the data unless you pay them. Again, this triggers a sense of panic, with many companies knowing the damaging consequences of leaked customer data, for example regulatory fines or loss of customer trust.
Ransomware as a Service (RaaS)
RaaS, or Ransomware as a Service, is a method of spreading ransomware where bad actors develop ransomware and offer it as a service to other cybercriminals on the Dark Web. Other attackers pay the ransomware developers perhaps a monthly subscription fee or a percentage of the ransom from the target. Since the infrastructure and malicious software come ready-made, the buyer doesn’t need any particular technical expertise to carry out attacks.
Scareware
Scareware is a type of ransomware that uses social engineering to trick its victims into paying the hacker. Usually, attacks using scareware involve a pop-up or notification telling the user that they need to download and buy some software, perhaps anti-virus, to address a problem on their computer that isn’t really there. Often the software the user purchases is either completely useless or actually infects the device itself. Either way, scareware encourages payment to the bad actor.
There have been plenty of attacks using these techniques over the years, many of which you’ll know the names of.
Let’s explore some of the major variants seen over the last 10 years and their approaches, so you can be prepared for the dangers and watch for the warning signs.
WannaCry
The WannaCry ransomware attack of 2017 affected millions in the healthcare sector. Attackers targeted Windows computer systems, encrypting files and blocking users until a ransom was paid. This was able to happen largely because the computers were running out-of-date software. Although Microsoft had released the necessary security update months before the attack, many failed to install it, leaving them vulnerable.
Victims had 3 days to pay the $600 ransom, but as we’ve said before, this was no guarantee that they’d get their files back. Indeed, some researchers have claimed that the hackers were actually unable to associate a victim’s payment with their files, so wouldn’t have known which files to restore even if that had been the intention.
The attack affected around 230,000 computers and cost the NHS alone £92m in damage. It’s estimated that WannaCry cost around $4bn in total globally.
Maze
The Maze ransomware variant was first discovered in 2019 (originally known as ChaCha). Commonly distributed via spam emails and exploit kits, Maze seeks to exploit a weakness in an organisation’s network and target files for encryption. Social engineering often has a good chance of success for hackers, since humans are prone to error.
In the case of Maze, the threat if a ransom is not paid is not the deletion of those files but that the attackers will release the data publicly on the Dark Web. The attackers are therefore asking for a ransom not only to decrypt the files, but also to delete them from their site.
Maze has now supposedly been axed and its site is no longer being updated, with the group claiming that their attacks were to raise awareness around cyber security. But who’s to say whether this is really goodbye for good…
Cryptolocker
Cryptolocker is a Trojan that infects Windows systems via malicious email attachments or downloads from websites. Once downloaded, it looks for files and encrypts them. Victims were given a deadline to pay a ransom and stop their files from being permanently destroyed.
Cryptolocker ransomware was at large in 2013-2014, and the attacks had hit between 200,000 and 250,000 machines by the end of 2013. A free decryption tool was released in 2014, seemingly putting an end to Cryptolocker. However, variations of the malware are still at work today, affecting organisations.
NotPetya
NotPetya was a far more powerful strain of the previous year’s Petya ransomware, coming into play shortly after WannaCry hit the news in 2017. NotPetya actually used the same exploit as WannaCry; however, it also used a technique to extract passwords from RAM, allowing it to travel quickly through an organisation without needing any user error.
NotPetya had a serious impact on organisations across the globe. Just one example is shipping giant Maersk, which lost up to $300m as a result of the attack. Experts estimated the total financial damage from NotPetya at around $10bn.
The worst part: though the attackers behind NotPetya demanded a ransom for the recovery of files, this was a complete scam. As it turned out, NotPetya had been designed to make it technically impossible to recover victims’ files.
The fact that NotPetya was not traditional ransomware and intended to cause permanent damage led to suspicions that the attacks were actually politically charged, deployed by Russian hackers. This would make sense with 80% of systems affected being in Ukraine, a country that has had a history of tension and conflict with Russia.
REvil
REvil ransomware is an example of RaaS and has been reported as one of the most widespread ransomware threats to businesses. First appearing in 2019, REvil ransomware is spread by affiliates, other hackers who have paid for access to the malware and then carried out their own attacks. This model allows for the widespread execution of attacks.
One of the biggest attacks for which the REvil group was responsible was that on software company Kaseya in 2021. By targeting MSPs, the primary users of Kaseya’s software, REvil ransomware spread downstream, affecting the MSPs’ customers too. It was estimated that around 1500 companies were affected. The attackers even offered a universal decryptor in exchange for $70m in Bitcoin.
Though Russian authorities claimed that the REvil ransomware group was dismantled and arrests made in early 2022, just a few months later they appeared to be back in action, their site on the Dark Web re-launched.
Protecting Against Ransomware
The advice for protecting against attacks carried out using these various types of ransomware is the same:
- Keep your software and devices up to date.
- Educate your workforce on the ransomware threat and make sure they’re trained to spot things like phishing emails, commonly used as entry points for ransomware.
- Ensure you regularly back up data and check backups can be restored swiftly and smoothly.
- Reduce the potential attack surface by limiting access privileges to only those that need them.
- Always have anti-virus active on devices.
- If possible, implement security monitoring software to catch any suspicious or anomalous activity.
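As an added illustration of the last recommendation (example code, not part of the original article), the detector below scans a constructed file-activity log for the two behaviours crypto ransomware leaves behind: a burst of files renamed to the same new extension, and a dropped ransom-note file. The log format, user names and paths are invented for the example.

```python
"""Heuristic crypto-ransomware detector over constructed file-activity logs.

Assumed (invented) log format, one event per line:
  "<epoch> <user> RENAME <old> -> <new>"  or  "<epoch> <user> CREATE <path>"
"""
from collections import defaultdict
import os
import re

RENAME_RE = re.compile(r"^(\d+) (\S+) RENAME (\S+) -> (\S+)$")
CREATE_RE = re.compile(r"^(\d+) (\S+) CREATE (\S+)$")
NOTE_RE = re.compile(r"(readme|decrypt|restore|recover).*\.(txt|html)$", re.I)

# Constructed sample log: a burst of renames to ".locked" plus a ransom note,
# mixed with benign activity from another user.
SAMPLE_LOG = """\
1000 alice RENAME /srv/share/q1.xlsx -> /srv/share/q1.xlsx.locked
1001 alice RENAME /srv/share/q2.xlsx -> /srv/share/q2.xlsx.locked
1001 bob CREATE /home/bob/notes.txt
1002 alice RENAME /srv/share/plan.docx -> /srv/share/plan.docx.locked
1002 alice RENAME /srv/share/budget.xlsx -> /srv/share/budget.xlsx.locked
1003 alice RENAME /srv/share/contract.pdf -> /srv/share/contract.pdf.locked
1004 alice CREATE /srv/share/HOW_TO_DECRYPT_FILES.txt
1200 bob RENAME /home/bob/draft.txt -> /home/bob/final.txt
"""

def analyse(log: str, window: int = 60, threshold: int = 5):
    """Return {user: [finding, ...]} for users showing ransomware-like activity."""
    renames = defaultdict(list)   # user -> [(timestamp, new extension)]
    findings = defaultdict(list)
    for line in log.splitlines():
        m = RENAME_RE.match(line)
        if m:
            ts, user, _old, new = m.groups()
            renames[user].append((int(ts), os.path.splitext(new)[1].lower()))
            continue
        m = CREATE_RE.match(line)
        if m and NOTE_RE.search(os.path.basename(m.group(3))):
            findings[m.group(2)].append(f"ransom-note-like file: {m.group(3)}")
    for user, events in renames.items():
        events.sort()
        # Sliding window: count renames to one extension within `window` seconds.
        for i, (start, ext) in enumerate(events):
            same = [e for t, e in events[i:] if t - start <= window and e == ext]
            if len(same) >= threshold:
                findings[user].append(f"{len(same)} renames to {ext!r} in {window}s")
                break
    return dict(findings)
```

Tune `window` and `threshold` to the normal rename rate of the share being watched, otherwise bulk archiving jobs will trip the rename rule.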
Ransomware is not leaving the threat landscape any time soon, so it’s imperative for your organisation to know what it’s up against and be prepared for the worst. Following the above recommendations will go a long way towards protecting against potential ransomware attacks in the first place, and towards ensuring a smoother recovery should you be successfully breached.
Cyber Essentials is a helpful way for businesses to make sure their security is up to scratch in all these fundamental areas. Achieving the certification is straightforward and affordable, and many organisations now even require it from their suppliers in order to defend against supply chain attacks like REvil’s on Kaseya.
For more information and guidance pertaining to your own organisation, contact our team today at firstname.lastname@example.org