What is Ransomware and Why you can’t prevent it? | Article – HSBC VisionGo
Ransomware is malicious software that encrypts the data of its victims. The attacker then pressures the victim to pay a ransom in exchange for the key needed to decrypt the files.
In its 2021 Data Breach Investigations Report, Verizon reported that ransomware cases rose again and have been climbing since 2016; ransomware now appears in 5% of the incidents in the report and in 10% of breaches.
How does ransomware work?
Ransomware is a multi-stage attack that attackers package in many different ways, but the basic principle is usually the same: infiltrate the target network, encrypt as much data as possible, and demand a ransom.
1. Infiltration
First, the attacker has to deliver the malware payload to the target. In most cases this is a simple phishing email with the malware in a file attachment. From there, the ransomware either runs locally or tries to copy itself to other computers on the network.
2. Secure Key Exchange
Next, the malware contacts the attacker's infrastructure to report that it has infected a victim and to obtain the key material it needs to encrypt the victim's data. Many families instead ship the attacker's public key inside the payload and never need to call home before encrypting, so blocking the call-out alone is not a reliable defence.
3. Encryption
The ransomware now encrypts the victim's files. CryptoWall, for example, first deletes the Volume Shadow Copy snapshots so that restoring from local backups is harder, spreads to other computers where it can, and then encrypts the data.
4. Extortion
With the victim locked out, the attacker delivers the ransom note. Recently, attackers have added the threat of a data leak to the extortion: ransomware no longer only encrypts data in place, it also exfiltrates data to the attacker, who threatens to publish it unless the ransom is paid.
5. Unlock and restore
The attacker cannot be relied on to hand over the key, even after being paid. IT staff therefore have to restore as much data as possible from backups and rebuild the machines they cannot restore. The recovery plan also has to account for the threat of the stolen data being released.
Which rising breach patterns involve ransomware?
The rise is largely because actors have adopted a new strategy of stealing and publishing data, not just encrypting it. These attacks vary in how the ransomware gets into the system, and the entry points can be divided into three vectors.
The use of stolen credentials or brute force
The primary vector is the use of stolen credentials or brute force: 60% of the ransomware cases involved the attacker installing the malware directly or through a desktop-sharing application. The remaining cases split between email, network propagation, and downloads by other malware already on the system. In the web-proxy detection data set shown in Figure 1, 7.8% of organizations attempted to download at least one known piece of ransomware. In incidents of this kind, servers are targeted to a large extent, which makes sense given where the data lives. Exposed remote-desktop services protected only by a password are the common case here, which is why multi-factor authentication on remote access ranks so high among the mitigations.
The second pattern targets web applications that process payment cards, and it differs in a few key components. It follows the system-intrusion pattern and ends with malware that captures payment-card data: 60% of the web servers targeted in this pattern had malware installed to capture application data, and 65% of the incidents involved payment cards. These are known as Magecart-style attacks, named after their first target, the Magento shopping-cart platform. For those unfamiliar with the pattern: the attacker exploits a vulnerability, or uses stolen credentials or another method, to gain access to the code of an e-commerce site that processes credit card data. With access to the code base or server, they insert additional code that sends the payment data not only to the legitimate endpoint but also to their own server, quietly stealing valuable data.
The final breakdown of this pattern concerns the general use of malware found on the system. In many of these cases the defenders cannot tell whether the malware will be used to cause further damage later or whether it is simply there to do what that malware does. Once ransomware cases are removed, 40% of the malware cases involved C2, trojan or downloader programs. 30% of the malware was installed directly by the attacker, 23% arrived by email, and 20% came through the web application.
Ransomware as a Service (RaaS)
One of the first examples of ransomware as a service (RaaS), in which the developers rent the malware to affiliates who carry out the attacks, was GandCrab, which in 2018 was responsible for more than half of all ransomware infections worldwide. GandCrab generated more than $2 billion in ransom payments that year, with $150 million going to its creators and the rest spread among its many affiliates.
Some go further, with highly developed affiliate programs that vet applicants. The REvil/Sodinokibi ransomware currently circulating was first seen in mid-2019 and rose quickly on the strength of its affiliate program, in which the creators admit only selected high-yield groups to their RaaS program.
Because a successful attack brings huge rewards, attackers are more motivated than ever. In 2019, the average ransom demand rose by 184% from the first quarter to the second. Experts estimate the average cost of an incident in 2020 at $283,800. Ransomware-related incidents have increased by 41% since 2018, and by some estimates the total cost to enterprises in 2019 reached US$170 billion. If these trends continue, the March 2019 attack on Norsk Hydro, which cost the company at least $40 million, could become commonplace. With numbers like these it is easy to see why ransomware remains a favourite criminal endeavour. And although law enforcement agencies advise against it, organizations keep paying. It is natural for companies to want their data back, and the cost of business interruption often exceeds the ransom itself, so payment is often the most cost-effective option.
Ransomware is cheap
Out-of-pocket costs for running a ransomware operation are low. An attacker can buy a ready-made ransomware kit for a comparatively paltry sum. The kit contains everything needed to deploy and monetize attacks, including payload delivery tools, obfuscation tools, and encryption services. A typical ransomware-as-a-service (RaaS) subscription starts at little more than $100 per month. More capable and complex variants may cost thousands of dollars, but the potential returns rise accordingly. Support plans are included too, to make sure affiliates can extract the maximum value from the service.
Ransomware has a rapid ROI
The whole ransomware process moves quickly: it scans the network to locate files, encrypts their contents, and demands the ransom. Attackers now also steal the data before encrypting it. Cognizant, for example, was hit by Maze ransomware in April 2020. Maze first steals data and then threatens the victim: if the ransom is not paid, the operators publicly release the information. This strategy removes any hope of avoiding payment simply by having a robust disaster recovery plan. So it is no surprise that attackers keep pursuing this vector: it is lucrative, straightforward to pull off, and people keep paying.
People are unreliable
People are the real reason total prevention is not possible. Your employees need access to data to do their jobs, just as ransomware does, so your employees become the attack vector. Ransomware infections keep happening because employees cannot be highly vigilant about malicious links, email attachments and phishing attempts at every moment. Even the most security-conscious employee occasionally makes a split-second misjudgment when clicking a link or opening an email.
Solutions against ransomware
Policies and roles that restrict access to data help, but too many of them get in the way of productivity. Meanwhile, once data has been stolen there is no way to stop the attacker from publishing it. What is needed is early detection, user behaviour analysis, and automatic action within seconds when a suspicious pattern appears. Protection and prevention of ransomware matter more than relying on backups for recovery; backups remain essential, but they cannot undo a leak.
To mitigate ransomware threats, you can use NetApp's FPolicy file screening together with its user behaviour analysis (UBA) to detect ransomware and stop it spreading; it prevents ransomware from executing in the storage environment. To detect potential attacks, users of NetApp Cloud Insights can use NetApp Cloud Secure, which applies a zero-trust approach when analysing data-access patterns. To recover from a ransomware intrusion, NetApp SnapCenter provides business continuity and data recovery options, and even in the worst case NetApp ONTAP technology, through its Snapshot copies, allows very fast recovery. We will cover these solutions in detail in later blogs.
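To make the detection idea concrete, here is an added example, not the article's and not NetApp FPolicy or Cloud Secure code, of a behavioural detector run over a constructed stream of file-access events from a file share. It combines the two signals such products rely on: a write or rename whose target carries a known ransomware extension (a small screening list, assumed here), and a burst of modifications to many distinct files by one account within a short window, which is the mass-encryption pattern a human editing documents never produces. The extension list, window and threshold are assumptions, and each alert carries the automatic action (blocking the account's access) that the article argues must happen within seconds.

```javascript
// Assumed screening list and thresholds; a production policy would be broader and tuned.
const KNOWN_BAD_EXTENSIONS = new Set(['.locked', '.crypt', '.encrypted']);
const WINDOW_MS = 10 * 1000;  // look-back window per user
const BURST_THRESHOLD = 20;   // distinct files written/renamed by one user inside the window

function extensionOf(path) {
  const i = path.lastIndexOf('.');
  return i < 0 ? '' : path.slice(i).toLowerCase();
}

// events: [{ ts, user, op: 'read'|'write'|'rename', path, newPath? }] in time order.
// Returns at most one alert per (user, reason); each alert names the action to take.
function detect(events) {
  const alerts = [];
  const raised = new Set();
  const recentByUser = new Map();

  const raise = (alert) => {
    const key = alert.user + '|' + alert.reason;
    if (!raised.has(key)) {
      raised.add(key);
      alerts.push(alert);
    }
  };

  for (const ev of events) {
    if (ev.op === 'read') continue; // reads alone are not the encryption signal

    // Signal 1: the write or rename target carries a known ransomware extension.
    const target = ev.newPath || ev.path;
    if (KNOWN_BAD_EXTENSIONS.has(extensionOf(target))) {
      raise({ user: ev.user, reason: 'known-ransomware-extension', ts: ev.ts, path: target, action: 'block-user' });
    }

    // Signal 2: many distinct files touched by one user inside the sliding window.
    const recent = recentByUser.get(ev.user) || [];
    recent.push(ev);
    while (recent.length && ev.ts - recent[0].ts > WINDOW_MS) recent.shift();
    recentByUser.set(ev.user, recent);
    const distinct = new Set(recent.map((e) => e.path)).size;
    if (distinct >= BURST_THRESHOLD) {
      raise({ user: ev.user, reason: 'mass-modification-burst', ts: ev.ts, count: distinct, action: 'block-user' });
    }
  }
  return alerts;
}

// Constructed sample stream: alice edits a few spreadsheets at a human pace;
// bob's account renames HR documents to a ransomware extension at machine speed.
function sampleEvents() {
  const events = [];
  let ts = 0;
  for (let i = 0; i < 5; i++) {
    ts += 1500;
    events.push({ ts, user: 'alice', op: 'write', path: `/share/finance/report${i}.xlsx` });
  }
  for (let i = 0; i < 25; i++) {
    ts += 100;
    events.push({
      ts, user: 'bob', op: 'rename',
      path: `/share/hr/doc${i}.docx`, newPath: `/share/hr/doc${i}.docx.locked`,
    });
  }
  return events;
}

console.log(detect(sampleEvents()));
```

On the sample the extension signal fires on bob's first rename and the burst signal fires on his twentieth, two seconds later; alice, who touched five files in seven seconds, never trips either. The burst rule matters because extension lists lag new families, while the rate at which one account rewrites distinct files is hard for an encryptor to hide.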
About ATech Communication (HK) Limited
A leading IT service provider in Hong Kong. ATech provides the best value; our widely used, quality products, customized solutions and services have built our reputation. We focus on business needs, listen to and analyse customer problems, provide solutions, reduce costs, and deliver the best return on investment. If you would like to learn more about ATech and the work we have done, visit our Cases page. ATech is a long-term partner of NetApp. Together with NetApp, our experts can provide you with the best way to:
- Monitor user activity
- Detect anomalies and identify potential attacks
- Automate the response strategy
ATech is right here on your data protection journey. Join us now!
For more information on ATech, please contact us at email@example.com.