Ransomware variants? Inside the dark underbelly of cyber attacks

The spike in such attacks, triggered by heightened vulnerabilities created from the work-from-home mode, had become eye opener for many. TechTarget has reported that the average cyber ransom attack payment has gone up up 43% to $220,298 in the first quarter of 2021 from Q4 2020.

Here, we outline the different variants of ransomware attacks, ways you can detect and defeat them, with some survival strategies thrown in.

What is ransomware?

Ransomware is a type of network malware. Victims are at risk of losing their files; they may also face financial loss (from paying the ransom), lost productivity, IT costs, legal fees, network modifications, and/or loss of customer data and public confidence.

Who is at risk from a ransomware attack?

Anyone with a computer connected to the internet — and anyone with important data stored on their computer or network, including government or law-enforcement agencies and healthcare systems or other critical infrastructure entities.

Do ransomware have “variants”, too?

Yes. The latest ransomware variants almost always opportunistically target victims, infecting an array of devices from computers to smartphones.

What do ransomware attackers do?

One variant is one that involves blocking the confidential, financial, or sensitive information of an organisation. This is usually done by gaining unauthorised access to its network, typically through “phishing” probes.

Most of the current ransomware variants encrypt files on the infected system/network. This is also known as “crypto ransomware”. This makes those files beyond the reach of the victim. A few “variants” are known to erase files or block access to the system using other methods (such as “locker ransomware”).

Then what happens?

Cyber criminals demand certain ransom to return access to blocked files or systems. In case the demanded ransom is not paid on time — or not paid at all — these cyber criminals compromise sensitive data by publicising it.

What’s another “variant” of ransomware attack?

Its called “double-deal” attacks. Hackers have become even smarter in exploiting their victims. After stealing encrypted data, then they gain double income by selling it on cyber criminal forums at cheap rates.

What happens if I fall victim to a ransomware hit?

If you fall victim to ransomeware attack, you face the risk of losing your files. There’s also the risk of financial loss

What is the motivation for ransomware attacks?

It’s usually money.

How much is the typical ransom?

It’s frequently $200 - $3,000 in bitcoins, but this could go much higher, depending on the “value” of the victim, according to the Centre for Internet Security. Other currencies and gift cards are occasionally reported. Once access to the system is blocked, the ransomware attacker demands a ransom (usually in US$, or bitcoins) in order to unlock the files.

Who are the usual targets/victims?

The vast majority of targets are corporations. But ransomware attackers hit everybody. Record shows that they have hit hospitals, insurers, utilities, rail networks, agencies for the homeless, government bodies, resorts, courts, city governments.

In June last year, cybersecurity firm Symantec said Russian hackers have unleased a wave of cyber attacks on Americans working from home, targeting remote employees with ransomware attacks. Back then, Symantec has uncovered attacks against 31 leading US organisations. Many of the targets were large private companies — there were 11 listed companies, eight of which are Fortune 500 companies.

Why are such attacks on the rise?

Cybercriminals grab every opportunity to make money. In the middle of the pandemic, as work-from-home has become widespread, hackers have taken advantage of increased end-user vulnerabilities. Hackers are shameless. They have mounted increasing attacks even on health-related organisations fighting COVID, such as hospitals and healthcare facilities. In general, incidents of ransomware attacks have spiked across the globe.

Why are ransomware attacks on the rise?

The Black-fog website, which tracks publicised ransomware attacks each month, blames the lack of work-from-home security measures as the biggest reason behind the surge in cyber attacks in recent months. Hacking threats have also evolved with technology. Cyber criminals have increased in sophistication, and are now now seen launching back-to-back cyber attacks to breach data of organisations both big and small.

It’s not just ransomware variants but “families” — Dark Web gangs working to gain more function — out to steal sensitive data through highly sophisticated techniques. Industries like BFSI (banking, financial services, and insurance), IT, government, manufacturing, etc., are gold mines right now for these cyber criminals to steal sensitive data.

What’s the local scene in the UAE?

In 2020, the UAE recorded a 183% surge in Distributed Denial-of-service (DDoS) attacks, according to Etisalat’s Help AG. “This increase has made DDoS attacks by far the most prolific form of cybersecurity threats faced by organisations today,” said the report from Help AG.

The sophistication has increased in that the DDoS attacks are just used as a decoy, or smokescreen, to distract security monitoring and response teams, in order to mount a ransomware attack, according to the cybersecurity company, which has identified a ransomware threat group leveraging built-in features of Windows 10 to initiate attacks.

Also last year, global technology company Acronis International reported to the local media they had witnessed a significant spike in numbers of ransomware attacks among the firm's UAE clients since the COVID-19 outbreak. Acronis reported 308 cyber attacks on its UAE clients in March 2020 compared to 115 in the same month in 2019.

What are the some of the known ransomware gangs in the world?

What are the recent examples of ransom attacks?

May 18, 2021

On Wednesday (May 18, 2021) a ransomware attack reportedly hit AXA units in Asia. At about the same time, a cyberattack on a public health provider in New Zealand took down information systems across five hospitals, forcing staff to cancel surgeries and creating all sorts of other problems.

May 14, 2021

Ireland reportedly shut down its health IT system following an attack blamed on cybercriminals. Ireland’s Health Service Executive apologised for the “inconvenience” on Twitter, adding: “We have taken the precaution of shutting down all our IT systems in order to protect them from this attack and to allow us (to) fully assess the situation with our own security partners.”

May 9, 2021

A ransomware hit reportedly shut down Colonial, the biggest US gasoline pipeline, forcing it to take certain systems offline to contain the threat.

April 23, 2021

Mining technology company Gyrodata reported witnessed a cyber attack that has leaked employee data, according to cybersecurity news site portswigger.net. The report states that an “unauthorised actor” gained access to names, addresses, dates of birth, drivers’ license numbers, social security numbers, passport numbers, tax forms, and information related to health plan enrolment.

How much is the damage from cybercrime?

On March 18, 2021, data provider Statista stated that from 2001 to 2020, the value of financial damage caused by cyber crime reported to the IC3 (in the US) increased significantly.

“The annual loss of complaints referred to the IC3 amounted to $4.2 billion, up from $1 billion in 2015,” Statista reported. The IC3 logged 5 million complaints on March 12, 2020. After a period of record reporting, the centre received its 6 millionth complaint on May 15, 2021. “These numbers indicate more people are being affected by online crimes and scams,” said IC3 Chief Donna Gregory.

How many major ransomware attacks so far this year?

Blackfog, a data protection and ransomware prevention firm, has tracked at least 68 major ransomware attacks — 19 in January, 23 in February and 25 in March 2021.

How to mitigate ransomware risks?

According to the Centre for Internet Security, there are some basic steps that can be done to curb the risk of ransomware “infections". To wit:

1. Secure networks and systems: Have an incident response plan that includes what to do during a ransomware event.

2. Have regular backups: These are mission critical. Use a backup system that allows multiple iterations of the backups to be saved, in case a copy of the backups includes encrypted or infected files. Routinely test backups for data integrity and to ensure it is operational.

3. Use antivirus and anti-spam solutions.

4. Disable macros scripts.

5. Keep all systems patched: These include all hardware, such as mobile devices, operating systems, software, and applications, including cloud locations and content management systems (CMS), patched and up-to-date. Use a centralized patch management system if possible. Implement application white-listing and software restriction policies (SRP) to prevent the execution of programs in common ransomware locations, such as temporary folders.

6. Restrict Internet access: Use a proxy server for Internet access and consider ad-blocking software. Restrict access to common ransomware entry points, such as personal email accounts and social networking websites.

7: Apply the principles of least privilege and network segmentation. Categorise and separate data based on organisational value and where possible, implement virtual environments and the physical and logical separation of networks and data. Apply the principle of least privilege.

8: Vet and monitor third parties that have remote access to the organization’s network and/or your connections to third parties, to ensure they are diligent with cybersecurity best practices.

8: Participate in cybersecurity information sharing programs and organisations, such as MS-ISAC Centre for Internet Security and InfraGard. [Source: https://www.cisecurity.org/]