Every day, organizations around the world are subjected to a ransomware attack. Ransomware attacks can take many forms, in fact, the variety and ingenuity of these attacks increases as the business community becomes more aware of the challenges and adept at meeting them. But all forms of ransomware follow the same basic pattern: an employee receives an email containing an attachment.
The email is written in such a way as to coax the user into opening the attachment: it purports to be time-sensitive information from a superior or an invoice from a vendor, for example. Upon opening the attachment, a virus runs that encrypts information on the local computer. The user is then greeted with a dialog box or window informing them that their information is locked, and they must pay a ransom to regain access to it. Learn more about ransomware attacks and see how ransomware protection can help your organizations.
Even though a ransomware attack directly affects only the user that opens it, the entire organization can suffer because of mapped network drives or even shared cloud storage.
The challenge is that ransomware attacks grow more sophisticated as corporations become more aware of the problem. Since ransomware is launched via email, defensive strategies must focus on email security.
By the time any business is aware that they are the target of a ransomware attack, the damage has already been done. Once a user clicks on a malicious link or attachment, access to local data on that employee’s computer is locked. In order to unlock the data, some form of ransom must be paid. In about 91% of cases, the vector for ransomware is incoming email, often in the form of a spear phishing attack that purports to be from a sender known and trusted by the victim.
Examples of Ransomware Attack – Variations on a Theme
While there are many different types of ransomware, all follow the same basic pattern and have the same goal: to extort payment from your organization by making the information vital to your organization’s success inaccessible.
Here are some of the more commonly seen variations on the theme of data kidnapping.
CryptoLocker and its spiritual successor, CryptoWall, share the dubious distinction of being the reason for the more widespread awareness of ransomware in recent years. Some form of ransomware has been in existence since the early days of the internet, but it only became a household word with the emergence of CryptoLocker. With the shutdown of the original CryptoLocker botnet in 2013, CryptoWall and its successors emerged. Today, variations on the CryptoLocker approach are still widely used. The original CryptoLocker attacked files on Microsoft Windows computers, encrypting them with PKE, and storing the private keys on the CryptoLocker servers.
Like most newer forms of ransomware, is capable of encrypting both local and shared network drives as well as removable media, meaning it can spread throughout a corporate network extremely quickly. It makes use of a very strong encryption algorithm that is nearly impossible to crack within a reasonable period of time. Double file extensions are usually used to make the file appear to be non-executable to Windows users. Crysis has also been disguised as an application installer in addition to being an email attachment.
It takes a “franchise” approach to ransomware, outsourcing the distribution and infection tasks to partners, who are then cut in for a share of the profits. This approach ensures rapid spread of infection and maximizes revenue within a short time frame.
Rather than encrypting files, Jigsaw deletes them until the ransom is paid. After one hour, a single file is deleted, and the number of deleted files increases with each hour. After 72 hours, all remaining files are deleted.
Its ransom demand approach begins with an “invoice” in an email. When the invoice is opened, its content is obscured, and the user is directed to enable macros in order to unscramble it. Once macros are enabled, the payload goes to work, using AES encryption to lock down a wide variety of file types.
It takes a wholesale approach: rather than locking individual files, it overwrites the master boot record. After the computer is restarted, the operating system no longer boots.
TorrentLocker (sometimes referred to as CryptoLocker) usually is sent out as an attachment to a spam email sent to specific targeted regions. It uses an AES encryption technique to not only lock out files, and it also grabs email addresses from the user’s contact list in order to continue propagating itself.
WannaCry is spread through the EternalBlue Microsoft exploit and has become one of the most damaging and widespread examples of ransomware in the world. Over 125 thousand companies in over 150 countries have been affected by this malware, which demands ransom payments in BitCoin, as well as installing backdoors for future exploits on infected systems.
What Can Be Done About the Threat of Ransomware?
The only adequate defense against ransomware attacks is two-pronged: strong ransomware protection technology must be coupled with secure and accessible email backup and archiving that gives users access to email in the event the organization falls victim to attack. DuoCircle’s Advanced Threat Defense is a multi-layered approach to email threat protection that pulls all the features you need together in a single integrated solution to fight…
- Phishing attacks
With Advanced Threat Defense, DuoCircle protects your employees (and your entire enterprise) from spam, malware, ransomware, phishing, and malicious attachments. Our sophisticated classification engine detects and defends your entire organization against these threats in real-time, and with the highest possible level of accuracy.
Advanced Threat Defense from DuoCircle provides:
- Protection from malware and zero-day attacks, with 100% availability.
- Spam protection that eliminates 99% of all incoming spam with a false positive rate of less than one in ten thousand.
- Unlimited users and unlimited inbound message volume
- Protection against domain name spoofing
- Blocking of malicious attachments.
- Real-time activity logs, with access to the email queue and click reporting
- Smart Adaptive Quarantine, which puts the burden of sorting spam messages on the sender rather than the recipient.
- A thirty-day backup queue – 30 days of MX backup service included
- Chat, email and phone support is available 24/7