
Ransomware: What are the Most Common Types?


The goal of any ransomware author is to create enough inconvenience for someone who is able to pay. The more pain, the larger the demand and the greater the profit. It’s often just a business: a criminal one, of course, but one aimed at making money.

The word “inconvenience” is often too mild for the malice they deliver. Some victims have lost medical records, retirement benefits or other crucial pieces of data that lead to significant personal trauma. Others have lost businesses or their livelihood. Some may just lose a few dusty spreadsheets or old social media posts, but not everyone is that lucky. The consequences for the victim are often harrowing and sometimes life threatening. For the attacker, though, the process is often merely a business with a simple gambit: how much will someone pay to stop the pain?

There are many different types of inconvenience, but the most common is finding a way to prevent you from accessing your data. Some versions may also shut down networks, block web sites, disconnect users or share private information with others who may use it for blackmail or extortion.

Not all ransomware locks up data. As automation becomes more common, some attackers are shutting down crucial machinery in plants. Even if no data is locked up, ransomware can still disrupt ongoing business operations enough to make the leadership seriously consider paying for relief.

Ransomware usually relies upon a weakness in computer security. The attacks exploit the same kind of backdoor or human mistake as other malware. Instead of using the surreptitious access for spying or exfiltrating data, though, it aims to create enough trouble to generate a rich payday.

Not all problems come from a specific flaw. When a weakness in computer security doesn’t cause the trouble, an insider may be responsible. Sometimes a trusted employee or frequent customer may exploit their access to install the ransomware.

How big is the problem of ransomware?

Some estimates suggest that ransomware victims may have paid out billions of dollars in ransom alone. Other estimates include the cost of lost business and they may be 5 to 10 times larger.

None of these estimates are very precise. There are no central clearing houses that keep records. In many cases, the businesses are reluctant to speak publicly, sometimes out of embarrassment and sometimes out of fear of encouraging attackers to play the game again.

There are some details available. In 2017, for instance, FedEx estimated that it lost more than $300 million in business for its Dutch subsidiary TNT Express when a ransomware package called “NotPetya” attacked. In 2020, a chain of more than 400 hospitals found all of its computers locked up in an attack that disrupted patient care dramatically. There are dozens of similar stories of catastrophic attacks on large institutions.

What are some of the ways that ransomware inflicts pain?

Ransomware comes in a variety of forms and the villains continue to create new variations. The most common approach is to encrypt the data on the device with a key that is known only to the attacker. When the victim pays, the key is delivered to unlock the data. This can be quite efficient for the attacker because it uses the victim’s computer to do the work of encryption. There’s also little communication with outsiders, which allows the ransomware to work stealthily.

Encrypting the data also has the advantage, from the attacker’s point of view, of being difficult to cure. Another variety of ransomware merely disables or replaces some part of the operating system, making the computer inoperable. These attacks can sometimes be fixed by reinstalling the operating system or the missing pieces, the same process that might be needed after a disk crash or other hardware failure. Victims of encrypted data, though, may need the key to recover.

The best defense against attacks is to maintain a current collection of data backups. The most nefarious forms of ransomware will remain hidden, sometimes for months, surreptitiously disrupting the backup process. When it finally announces its presence, the corrupted backups are not useful. This is why the best defense includes regularly testing the backups for correctness and completeness.
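The testing step above is easy to state and easy to skip. The following is an added example, not code from the original article or from any product it mentions, of one way to make it routine: record a manifest of SHA-256 digests when a backup set is taken, then re-hash the set later and report anything modified, missing or unexpected. The directory layout, file contents and the simulated tampering are constructed for the demonstration; in practice the manifest would be stored separately from the backup it describes so that a dormant encryptor cannot rewrite both.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Added example (not the article's code): backup verification by digest
# manifest. Paths and contents below are constructed for the demonstration.


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record the relative path and digest of every file in the backup set."""
    manifest = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(backup_root).as_posix()] = sha256_of(p)
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against a previously stored manifest.

    The report lists files whose digest changed (corrupted or silently
    encrypted), files the manifest names that are now absent, and files on
    disk the manifest never recorded. "ok" is True only when all three are empty.
    """
    current = build_manifest(backup_root)
    report = {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo(tamper: bool = True) -> dict:
    """Constructed scenario: take a manifest, then optionally damage the backup.

    With tamper=True one file is overwritten with unreadable bytes (what a
    dormant encryptor does to a backup) and one file disappears.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("date,amount\n2024-01-02,100\n")
        (root / "notes.txt").write_text("quarterly review\n")
        manifest = build_manifest(root)
        if tamper:
            (root / "finance" / "ledger.csv").write_bytes(os.urandom(64))
            (root / "notes.txt").unlink()
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A verification that only confirms the backup job "ran" would pass in both scenarios; comparing digests is what distinguishes a complete, intact copy from one that was quietly corrupted months earlier.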

What types are the most dangerous?

The answer depends upon your business and its needs. A bank could fail without the list of deposits for some accounts. A manufacturer may be shut down by a small incursion that cripples a crucial step on the assembly line. The larger the loss that the ransomware may deliver, the greater the chance that the business will make a straightforward economic decision and pay.

Some versions are easier to recover from. Some lazier malware writers don’t want to go through the trouble of writing software that correctly encrypts the data so it can’t be recovered. Some of the simpler examples can be defeated with many of the forensic techniques used to fix operating system failures or other glitches. The data is still in the clear on the hard disk and it can be restored by reinstalling the operating system.

Some of the trickiest to find and diagnose are the stochastic attacks that don’t disable the computer but cause trouble by introducing failures or glitches occasionally so they are difficult to debug.

How does Ransomware get onto a device or network?

Attackers can inject malware into networks through any weakness in security. Malware developers are often among the most advanced, and they frequently pioneer new methods. Security researchers often discover new vulnerabilities by deconstructing ransomware to understand how it succeeded.

For instance, the WannaCry ransomware attack in May 2017 appeared almost immediately after a vulnerability in Windows was discovered. While Microsoft released a patch quickly, the WannaCry package spread even faster by targeting the computers of users who hadn’t updated their software yet.

In many of the most common attacks, ransomware developers depend heavily on weaknesses that can be exploited automatically. They broadcast their attacks, hoping to catch just enough computers to make the process profitable. Social engineering attacks like phishing, which rely upon the mistakes of users, are often easy to automate using easily abused vectors like email.

What are some of the best defenses?

The first step is to use the best available computer security practices because ransomware can’t infect the machines if it can’t get access. The same defenses against spying, fraud or theft can also prevent ransomware from finding a home inside your hardware.

Creating regular and trustworthy backups is also a very good solution. The backup copies also can be useful if a computer fails for other reasons.

Maintaining a good team trained in digital forensics and incident response (DFIR) is also essential. The same tools that analyze the operating systems can also repair them after an attack.

What are some specific types of Ransomware?

Digital forensics researchers have cataloged a number of different varieties of ransomware that have appeared:

  • Encryptors – These scramble the information so it can only be recovered with a key that only the attacker knows.
  • Lockers – These replace some crucial part of the software, like a login dialog box, with a malicious version that prevents anyone from accessing the machine.
  • Scareware – This may not deny access per se, but it will fill the screen with warnings announcing that it has detected a virus. The only way to remove it, it claims, is to pay the person who installed it.
  • Doxware (aka leakware) – This takes crucial private information and exfiltrates it, sometimes to blackmailers who will quietly try to exploit it and sometimes to the general internet. This is especially worrisome to enterprises that handle their clients’ personal information, like lawyers or doctors.
  • RaaS (Ransomware as a Service) – Some professional attackers build tools that handle all of the details of infiltrating a computer, then sell these tools to others with particular targets.
  • Double Extortion – Some ransomware authors mix two modes together, such as encrypting the data while exfiltrating a copy for extortion.
  • Triple Extortion – Some attackers combine three or more types into one brutal software salvo.

How can I distinguish between scareware and encryptors?

Ransomware usually presents its demands for payment with a dramatic splash screen that locks the computer and offers instructions for how to pay. Investigators can dig below this level to understand what is happening inside the operating system. Was the data actually encrypted? Were parts of the operating system disabled? Or permanently destroyed? Is it possible to restore the computer’s functions without paying anything?

Many of the tools used for general digital forensics investigations can answer these questions. They can look beneath the surface of the operating system to see the data stored on any disk and in memory. If the malware is truly an encryptor, the data will be unintelligible. If it’s merely scareware, the disk files will be largely untouched and in common formats that are easy for the investigator to test, categorize and often restore.

While it may be difficult to believe, scareware is common. Many of the attackers are not sophisticated enough to make the distinction themselves. They’ve often found packages on the Internet and done the bare minimum to get the ransomware to function. If this is the case, many of the techniques from digital forensics will reveal that the data is largely or almost entirely intact.

Which tools for digital forensics are useful for investigating ransomware?

Digital forensics investigators use a wide collection of software packages that range from tools for debugging code to purpose-built software for building legal cases by analyzing the data stored in the most hidden levels of the computer. Some of the most common tools in this category include: Autopsy, Cyber Triage, The Sleuth Kit, CAINE, ExifTool, Neo, and Bulk Extractor.

For instance, Bulk Extractor will scan a file system and check for some basic data elements like email addresses or URLs. If recognizable versions of these are found, it is not likely that the data is encrypted.

Cyber Triage will search the disk for many known indicators of malware. Its engine will scan files and executable code for indicators that can identify the ransomware and any other viruses that may be infecting the computer. If there’s no encryption, a good investigator can often remove these elements and restore the computer to working order.
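The two sections above (telling scareware from an encryptor, and Bulk Extractor's check for recognizable email addresses and URLs) rest on the same idea: if structure is still visible in the bytes, the file was not encrypted. The following is an added example written for this page, not code from the article, from Bulk Extractor or from Cyber Triage, that applies that idea to a directory tree. It looks for email addresses, URLs and a handful of well-known file headers, and falls back to a Shannon entropy measurement when none of those are present. The signature table, the entropy threshold of 7.5 bits per byte and the sample files are all constructed for the demonstration.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Added example (not the article's code, and not the engine of any tool it
# names): a first-pass triage of whether files on a disk are still readable.

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb'https?://[^\s"<>]+')

# A few well-known magic numbers; a real carving tool carries thousands.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, close to 8.0 for random or encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_file(path: Path, entropy_threshold: float = 7.5) -> dict:
    """Classify one file as intact, likely_encrypted or undetermined."""
    data = path.read_bytes()
    fmt = next((name for sig, name in MAGIC.items() if data.startswith(sig)), None)
    emails = len(EMAIL_RE.findall(data))
    urls = len(URL_RE.findall(data))
    entropy = shannon_entropy(data)
    # Recognizable structure outranks the entropy figure: a zip archive is
    # high-entropy but is still a readable container.
    if fmt or emails or urls:
        verdict = "intact"
    elif entropy >= entropy_threshold and len(data) >= 256:
        verdict = "likely_encrypted"
    else:
        verdict = "undetermined"  # short or unusual file; needs a human look
    return {"file": path.name, "format": fmt, "emails": emails, "urls": urls,
            "entropy": round(entropy, 2), "verdict": verdict}


def triage_tree(root: Path) -> dict:
    """Summarize how much of a tree still looks readable."""
    results = [triage_file(p) for p in sorted(root.rglob("*")) if p.is_file()]
    tally = Counter(r["verdict"] for r in results)
    return {"files": results,
            "intact": tally["intact"],
            "likely_encrypted": tally["likely_encrypted"],
            "undetermined": tally["undetermined"]}


def demo() -> dict:
    """Constructed sample: two readable files and one scrambled one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "contacts.txt").write_bytes(
            b"Billing: accounts@example.com, portal https://intranet.example.com/login\n")
        (root / "report.pdf").write_bytes(b"%PDF-1.7\n" + b"%" * 300)
        (root / "ledger.xlsx.locked").write_bytes(os.urandom(4096))
        return triage_tree(root)


if __name__ == "__main__":
    for r in demo()["files"]:
        print(r)
```

A tree where most files come back "intact" points toward scareware or a locker, and recovery without the attacker's key becomes realistic; a tree dominated by "likely_encrypted" verdicts means the backups, not forensic carving, are the likely path back.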

How can I report ransomware?

Victims can help stop ransomware attacks by reporting them to clearing houses. Security experts will track the events, analyze the ransomware and help manufacturers create patches that can save others.

Some good options are:

How is ransom typically paid in a ransomware attack?

The attackers who launch ransomware look for payment mechanisms that are difficult or impossible to trace. Some attackers ask for cryptocurrencies, but many victims aren’t adept users of cryptocurrencies, which makes it hard for them to pay. For this reason, many ransomware operators look for other options like physically mailing paper currency or initiating hard-to-stop bank transactions.

Finding a simple and anonymous payment mechanism is a challenge for ransomware developers. They are often at the forefront not just of looking for computer security weaknesses but also of finding ways to exploit the banking and payment systems.

What are the risks of paying Ransomware attackers?

Many organizations and people struggle with the debate over paying the attackers. After all, if the attackers are willing to break the law to invade someone’s computer system, there’s no reason to believe they’re being honest when they promise to undo the damage in return for some payment.

A deeper challenge is whether the payments are legal. A number of laws can constrain organizations and their leadership because the payments could be interpreted as supporting or condoning the crime. Anti-bribery statutes and other rules may apply.

What are some actions to take after an attack?

When a demand for ransom appears, it’s essential to respond immediately. Fast action can make a difference in recovering some, most or even all of the data.

The first indication is usually a ransom demand. Some malware may just display its message on an infected computer. If the attacker communicates with an email, text message or phone call, keep all records in case they can help an investigator.

After the demand for money appears, the first step is to ascertain the depth and breadth of the attack. If possible, disconnect the infected computers from the network. Some ransomware works like a computer virus and it may continue to spread. In many cases, it’s designed to infect as many computers as possible before launching the attack.

Some ransomware may also communicate with the attacker. It sometimes has elaborate command-and-control systems with chains of command that stretch through a number of compromised machines. Other variants operate autonomously in order to make it difficult to trace the connection. In either case, disconnecting the machines may help triage and recovery.

The next step is to check the quality of the backup copies of data. If there are complete secondary copies, it may be possible to fix the problem by wiping all of the computers, reinstalling the operating system, and restoring the complete backups. There may be no need to pay or interact with the attackers.

If there are not good copies, it may be possible to recover some or most of the data by deploying some of the same techniques used for digital forensics. These can reconstruct lost files from the hard disk and in some cases that may be sufficient. These steps can be substantially more complicated and they are often best performed by a trained forensic scientist.

It is often a good idea to call in professional help. While some ransomware attackers are honest enough to unscramble the data after being paid, many are not. Professional digital forensics experts can examine the computers and gather evidence that may be used in a prosecution. They can often restore lost data and determine the attack vector so future incursions can be prevented.
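The first step in the sequence above, ascertaining the depth and breadth of the attack before pulling machines off the network, is the one most often done by guesswork. The following is an added example, not code from the article, of doing it from file-activity audit records: it parses one event per line, counts per host the writes of files carrying a ransomware-style extension and the appearance of a ransom note, and returns the hosts that should be isolated first. The log format, host names, extension list, note names and thresholds are all constructed for this demonstration; a real environment would feed file-server or EDR events in whatever format it already produces.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example (not the article's code): scoping which hosts to disconnect
# from constructed file-activity audit records.

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+)$")

# Illustrative indicators only: extensions such families append, and the
# filenames under which a demand is typically dropped. Both lists are constructed.
SUSPECT_EXTENSIONS = (".locked", ".encrypted", ".crypt")
NOTE_NAMES = ("readme_decrypt.txt", "how_to_recover.txt")

# Constructed sample log. Note fs-01: the backup server itself is being hit,
# which is exactly the scenario the article warns about.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z host=ws-17 user=alice op=write path=/share/finance/q1.xlsx.locked
2024-05-01T09:00:02Z host=ws-17 user=alice op=write path=/share/finance/q2.xlsx.locked
2024-05-01T09:00:02Z host=ws-17 user=alice op=write path=/share/finance/q3.xlsx.locked
2024-05-01T09:00:03Z host=ws-17 user=alice op=write path=/share/finance/README_DECRYPT.txt
2024-05-01T09:00:05Z host=ws-22 user=bob op=read path=/share/hr/policy.pdf
2024-05-01T09:00:06Z host=ws-22 user=bob op=write path=/share/hr/policy_v2.pdf
this line is malformed and will be skipped
2024-05-01T09:01:10Z host=fs-01 user=svc-backup op=write path=/backups/2024-05-01.tar.locked
2024-05-01T09:01:11Z host=fs-01 user=svc-backup op=write path=/backups/2024-04-30.tar.locked
"""


def parse_line(line: str):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def scope_incident(log_text: str, min_suspect_writes: int = 2) -> dict:
    """Build per-host evidence and the list of hosts to isolate.

    A host is flagged when it wrote at least `min_suspect_writes` files with a
    suspect extension, or dropped a ransom note at all. Malformed lines are
    skipped here but must stay in the raw log for the investigator.
    """
    evidence = defaultdict(lambda: {"suspect_writes": 0, "notes": 0,
                                    "first_seen": None, "users": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        path = ev["path"].lower()
        is_suspect = ev["op"] == "write" and path.endswith(SUSPECT_EXTENSIONS)
        is_note = path.rsplit("/", 1)[-1] in NOTE_NAMES
        if not (is_suspect or is_note):
            continue
        h = evidence[ev["host"]]
        h["suspect_writes"] += int(is_suspect)
        h["notes"] += int(is_note)
        h["users"].add(ev["user"])
        if h["first_seen"] is None or ev["ts"] < h["first_seen"]:
            h["first_seen"] = ev["ts"]
    isolate = sorted(host for host, h in evidence.items()
                     if h["suspect_writes"] >= min_suspect_writes or h["notes"] > 0)
    return {"evidence": dict(evidence), "isolate": isolate}


if __name__ == "__main__":
    result = scope_incident(SAMPLE_LOG)
    for host, h in sorted(result["evidence"].items()):
        print(host, h["suspect_writes"], h["notes"], h["first_seen"], sorted(h["users"]))
    print("isolate first:", result["isolate"])
```

The "first_seen" timestamp and the user accounts per host are what the later forensic work needs: they bound when the encryption started, which narrows the search for the point of entry, and they say which credentials the ransomware was running under.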

What are the key takeaways for IT leadership?

  1. Good IT hygiene practices are the best way to stop the ransomware before it arrives. (Good passwords, good virus scanning, good preventative maintenance, etc.)
  2. Offline data backups in remote locations can speed recovery and also help with other problems like computer failures or fires.
  3. Plan ahead by developing an incident response plan. Ensure that a team reviews the plans regularly and is ready to activate it quickly.
  4. Know when to ask for help.
  5. Train employees on the best practices for doing their jobs. They should receive regular training on good techniques for preventing incursions like avoiding strange emails.
  6. Harden many of the public facing endpoints. Ensure that the most open parts of the Internet for your company have the best protection.
  7. Pay particular attention to the most powerful control layers of the system stack like the virtualization management and the cloud portals. Restrict access and ensure that only the most trusted can reach these controls.
  8. Embrace resiliency at all layers of software installation and development. Like good backups, designing flexible and adaptive software can pay off in all types of failure, not just ransomware attacks.