From individual users to multi-million-dollar corporations, anyone with an online connection is at risk for ransomware attacks. Especially troubling for professional organizations is the fact that malicious thieves pose a significant threat to data and can temporarily — or permanently — halt operations.
Understanding what goes into these attacks can help IT managers and those responsible for digital security implement prevention, data file protection, and ransomware recovery strategies for their daily operations. With the right planning and tools, companies of any size can weather a ransomware attack with minimal data loss — and without paying a financial ransom.
Ransomware Infiltration Techniques
Cybercriminals can be incredibly creative, but they tend to use a few common methods to initiate ransomware attacks. Phishing emails are a standard approach, using malicious attachments. If an employee opens the attachment, software is downloaded that infiltrates enterprise systems and allows the sender to deploy ransomware whenever they want.
Malicious URLs function similarly. They are often disguised as coming from legitimate organizations and can lead users to “spoofed” pages that look identical to legitimate websites. Users may be prompted to provide their login credentials, immediately giving ransomware perpetrators access to their accounts.
Deal-seeking internet users may wind up on these spoofed sites as they look for ways to download various apps and other goods at discounted prices. Unlicensed software doesn’t receive updates from the developer, making it susceptible to ransomware attacks. Additionally, any attachments users download alongside pirated software can contain the malicious code that makes an attack possible.
Removable devices are another method commonly used by ransomware attackers. The criminals place infected files onto a USB drive that, when plugged into a computer, infects and infiltrates it and other machines on the network.
Due to the variety of attack approaches, vigilance is critical. Educating employees is one of the most effective ways you can safeguard against ransomware. Employees should be taught how to detect ransomware attacks, spot suspicious behavior, and follow corrective protocols should they suspect or discover an attack.
Ransomware Encryption Mechanisms
Part of how ransomware works is by encrypting files so users can’t access their data. The name ransomware comes from the idea that data is encrypted and won’t be released until a ransom is paid. Cybercriminals will often employ either symmetric or asymmetric encryption algorithms. Symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses a pair of keys: a public key for encryption and a private key for decryption.
With symmetric encryption, attackers use a random key to quickly encrypt all files on a user’s system. Once the user’s data is compromised, the attacker demands a ransom payment. If the victim completes the payment, the attacker will share the symmetric key to decrypt the files. Of course, this assumes that the criminals can be taken at their word — a potentially costly assumption. Symmetric encryption is fast and efficient, often affecting large amounts of data before being noticed. It relies on the secrecy of the symmetric key, because if the user discovers the key before they pay the ransom, they can use it to decrypt their files.
Asymmetric encryption protects the symmetric key that was used on the victim’s files. The attacker generates a public/private key pair. The public key is used to encrypt the symmetric key, and the encrypted symmetric key is sent to the victim alongside a ransom demand. The victim can’t recover the symmetric key without the corresponding private key. Once the ransom is paid, the attacker will send the private key to the victim, allowing them to decrypt all their data. With asymmetric encryption, only the private key holder can decrypt the symmetric key and unlock the files, which is what keeps the symmetric key out of the victim’s reach during the negotiation process.
Both methods pose the same problem: As a victim, you would want to avoid paying the ransom and also retrieve your data. The type of encryption a cybercriminal uses will directly affect the ease with which the data can be recovered. But, we’re talking about criminals, so unfortunately, even paying the ransom won’t guarantee that the data will be regained.
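One defensive counterpart to the mechanism described above, added here as an example (this is not Panzura’s code): a heuristic that flags files whose contents have become near-random and no longer carry their expected header, then alerts when many such writes cluster in a short window. The sample files, the MAGIC table, and the threshold, window and limit values are assumptions chosen for illustration.

```python
"""Heuristic detector for mass file encryption (added example, not Panzura's code).
Flags files whose header no longer matches their extension and whose byte
distribution is near-uniform, then alerts when many such writes cluster."""
import hashlib
import math
import os
from collections import Counter

# Expected leading bytes for a few common document types (assumed subset).
# Note: .docx/.zip are compressed and already high-entropy, so the header
# check, not entropy alone, is what keeps them from being false positives.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text is roughly 4.5, encrypted data close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """True if the file lost its expected header and its first 4 KiB are near-random."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    header_ok = expected is not None and data.startswith(expected)
    return not header_ok and shannon_entropy(data[:4096]) >= threshold

def burst_detected(events, window_s: float = 10.0, limit: int = 20) -> bool:
    """events: (unix_time, path) tuples already flagged by looks_encrypted.
    Sliding window: True if `limit` or more fall within any window_s span."""
    times = sorted(t for t, _ in events)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window_s:
            start += 1
        if end - start + 1 >= limit:
            return True
    return False

# Constructed samples: a plausible PDF, and a deterministic stand-in for ciphertext.
INTACT_PDF = b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 100
CIPHERTEXT = b"".join(hashlib.sha256(b"sample%d" % i).digest() for i in range(128))

if __name__ == "__main__":
    print(looks_encrypted("report.pdf", INTACT_PDF))   # False
    print(looks_encrypted("report.pdf", CIPHERTEXT))   # True
    flagged = [(1700000000 + i * 0.2, f"share/doc{i}.pdf") for i in range(25)]
    print(burst_detected(flagged))                     # True
```

In a real deployment the flagged events would come from a file-activity feed (EDR, audit log, or a file-system watcher) rather than a constructed list, and the alert would trigger isolation of the writing host.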
Criminal Communication Channels
How can cybercriminals operate for so long without being detected? Many of them use TOR, a free software program that hides a user’s IP address. With TOR, users can exchange stolen data for illegal goods such as hacking tools, ransomware tools, and even information about organizations.
Since TOR prevents websites from tracking the physical location of a user’s IP address, it makes it virtually impossible — or at least cost-prohibitive — for law enforcement and government agencies to trace the individuals responsible for the crimes.
Ransom Payment Methods
While every cybercriminal is different, to remain undetected, most request payments via cryptocurrency such as Bitcoin, Ethereum, and Dogecoin. The anonymity of those payments makes ransomware payment relatively easy for victims and risk-free for attackers. Resigning themselves to the reality of ransomware attacks, some organizations even keep bitcoin ransoms ready in case of an attack.
Ransomware Impact and Consequences
Now that we’ve covered how attacks can remain undetected until they are triggered, let’s take a closer look at whether affected organizations should pay the ransom after an attack.
Paying a ransom raises legal, ethical, and practical concerns. Some ransoms are illegal to pay under certain circumstances, such as when an attacker is subject to economic sanctions or when the payment appears to be support for terrorist activities.
The decision of whether or not to pay a ransom is a challenging one. Thankfully, Panzura has figured out how to make ransomware completely ineffective and keep businesses and users from ever having to make that decision again.