Ransomware is a type of malware that encrypts files on a device and demands payment from the victim, almost always in cryptocurrency, in exchange for decrypting and releasing the hostage files. Like many other forms of malware, ransomware is often introduced as the payload of a phishing campaign, in which the attacker tries to get unsuspecting victims to open a file delivered as an email attachment or hosted on a malicious website.
Ransomware is particularly pernicious because the encrypted files typically cannot be decrypted without the attacker’s private key. In a typical design the malware carries (or fetches) only the attacker’s public key, so nothing left on the victim’s device is sufficient to reverse the encryption. Even if a victim is able to remove the malware from her device, she will still be unable to access her files unless the attacker decrypts them.
In addition to the ransom itself, businesses incur large operational expenses. One estimate puts the cost of recovering from a single attack at over $84,000.
Therefore, it is important to stop ransomware at the source, before it lands in the inbox, or to remove it from mailboxes before it can detonate.
A typical attack follows this sequence:
1. The victim downloads the file, for example an attachment from what appears to be a known source such as a business partner or friend.
2. The program begins executing.
3. The ransomware locates the files it wants to attack.
4. Each file is encrypted, and the key needed to reverse the encryption is protected with the attacker’s public key, so only the attacker’s private key, which never leaves the attacker, can recover it.
5. The user is shown a message about the attack, stating that their files are encrypted and that they will need to pay to get them decrypted.
6. The attacker provides a method of payment, such as a bitcoin address.
7. The user decides whether or not to pay the ransom.
8. If the payment is not made, the files remain encrypted. The user can potentially remove the malware with antivirus software, but this will not decrypt the files.
9. If the user pays, the attacker will likely, though not certainly, decrypt the files and move on.
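The scheme the steps above depend on, written out as an added example that is not part of the original page and is not any real ransomware’s code: it assumes the common hybrid design in which each file is encrypted with a fresh AES-256-GCM key and that key is wrapped with the attacker’s RSA-2048 public key (OAEP). The sample file is a constructed in-memory byte string, nothing on disk is touched, and the function and type names (lockFile, unlockFile, tryRecoveredKeys, Outcome, Demo) are illustrative. It goes one step past the list above by showing why a seized database of private keys, as in the CryptoLocker case described later on this page, is enough to build a decryption tool.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample input: an in-memory stand-in for a victim's file (nothing on disk is touched).
var sampleFile = []byte("Q3 forecast: revenue 4.2M, headcount 37, launch 2024-11-01")

// lockFile is the per-file step of a hybrid scheme: a fresh random AES-256 key encrypts the
// content (AES-GCM, nonce prepended) and that key is wrapped with the attacker's RSA public
// key (OAEP). Only the public key is ever present on the victim's machine.
func lockFile(attackerPub *rsa.PublicKey, plaintext []byte) ([]byte, []byte, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil { return nil, nil, err }
	block, err := aes.NewCipher(fileKey)
	if err != nil { return nil, nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, nil, err }
	ciphertext := gcm.Seal(nonce, nonce, plaintext, nil)
	wrappedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil { return nil, nil, err }
	return wrappedKey, ciphertext, nil // the plaintext fileKey goes out of scope and is never stored
}

// unlockFile is the decryptor the attacker sells after payment: the RSA private key must
// unwrap the file key before AES-GCM can open the ciphertext.
func unlockFile(priv *rsa.PrivateKey, wrappedKey, ciphertext []byte) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil { return nil, fmt.Errorf("unwrap file key: %w", err) }
	block, err := aes.NewCipher(fileKey)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(ciphertext) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// tryRecoveredKeys models a decryption tool built on a seized key database: each candidate
// private key is tried and the first one that unwraps the file key wins (its index is returned).
func tryRecoveredKeys(candidates []*rsa.PrivateKey, wrappedKey, ciphertext []byte) ([]byte, int, error) {
	for i, k := range candidates {
		if pt, err := unlockFile(k, wrappedKey, ciphertext); err == nil {
			return pt, i, nil
		}
	}
	return nil, -1, errors.New("no candidate key unwraps the file key")
}

// Outcome reports the two recovery attempts so a caller can check them.
type Outcome struct {
	WithoutKey bool // recovered using an unrelated private key (should be false)
	WithKey    bool // recovered using the attacker's private key (should be true)
	KeyIndex   int  // index of the working key in the candidate set, -1 if none
}

// Demo runs the lifecycle: the attacker generates a key pair, the locker encrypts with the
// public half, then recovery is attempted without and with the attacker's private key.
func Demo() (Outcome, error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return Outcome{}, err }
	wrapped, ct, err := lockFile(&attacker.PublicKey, sampleFile)
	if err != nil { return Outcome{}, err }
	// Victim after removing the malware: has the ciphertext, the wrapped key and at best the
	// public key. A guessed or unrelated private key is all they can produce, and it does not help.
	unrelated, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return Outcome{}, err }
	_, errNoKey := unlockFile(unrelated, wrapped, ct)
	// Seized key database that happens to contain the real key among others.
	pt, idx, errSeized := tryRecoveredKeys([]*rsa.PrivateKey{unrelated, attacker}, wrapped, ct)
	return Outcome{
		WithoutKey: errNoKey == nil,
		WithKey:    errSeized == nil && bytes.Equal(pt, sampleFile),
		KeyIndex:   idx,
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil { panic(err) }
	fmt.Printf("recovered without private key: %v\nrecovered with seized key: %v (candidate %d)\n", o.WithoutKey, o.WithKey, o.KeyIndex)
}
```

The point to take from running it: removing the malware leaves the victim with exactly the inputs lockFile produced, none of which can drive unlockFile, whereas any copy of the attacker’s private key (a seized database, a leaked key, or the key sold after payment) reverses every file wrapped with the matching public key.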
CryptoLocker was an email-based ransomware attack that distributed infected email attachments through a large Russian botnet. It targeted Windows users and, once activated, encrypted numerous types of files. The program demanded either bitcoin or pre-paid cash vouchers before a deadline, after which the private key needed to decrypt the files would be deleted.
Fortunately, a security firm was eventually able to obtain a database containing many of the private keys, but the attackers were still able to collect around $3 million from businesses and users around the world.
WannaCry was a sophisticated ransomware attack that exploited a vulnerability in the SMB file-sharing service of unpatched Windows systems, which allowed it to propagate automatically from one computer to others across a network, without any user opening an attachment.
The program demanded between $300 and $600 USD in bitcoin. Because of this worm-like propagation, it spread to over 300,000 computers in only four days. Its economic toll, in ransom payments, business losses and operational expenses, is estimated to have been up to $4 billion.
One of the first known ransomware attacks, the AIDS Trojan, was a malicious program distributed on floppy disks to people on a mailing list in Europe. It claimed that users owed a license fee for running the software and demanded payment by international money order to a PO box in Panama.
The author was eventually arrested. He claimed the money was being raised to fund AIDS research.
Preventing ransomware requires understanding where the current threats and attack vectors lie within your organization, deploying software that can detect and remove them, and building an incident response program that can resolve ongoing attacks and feed lessons back into prevention.
Organizations must understand where their current vulnerabilities are and what types of attack vectors exist. Since ransomware typically arrives through phishing, it is particularly vital to gauge the strength of your email security stack as well as the savvy of your employees.
Phishing simulations can proactively reveal weaknesses in employees’ understanding of attack types. In addition to simulations that train employees, phishing emulation can be performed against the technical defenses to test how well they adapt to new lures.
In an evolving phishing, malware, and ransomware landscape, you need real-time tools that analyze and remove the most advanced threats instantly.
Traditional protection tools often fail against modern attacks. Firewalls, URL filters, and anti-spam software certainly have a place, but they will not protect you, your employees, and your company from today’s sophisticated attacks.
Advanced malware and URL protection and visual learning tools are some examples of technologies that can be deployed to help detect and prevent evolving threats much faster than manual analysis and keep organizations ahead of the attacks.
The IRONSCALES platform leverages advanced malware and URL protection, computer vision and neural network technology to detect and respond to ransomware in real-time.
Unlike traditional ransomware and malware threat protection software, IRONSCALES offers native API integration with no MX record changes required, real-time and continuous inspection of suspicious URLs and attachments in the inbox, and best-of-breed anti-malware and AV engines. Our advanced email ransomware protection tools keep your employees and your company safe. Request a demo of IRONSCALES to see how you can keep your company safe from ransomware.