The Evolving Landscape of Ransomware

The Hackers Meetup
16 min read · Apr 25, 2025


Wanna cry? WannaCry, the 2017 outbreak that hit more than 200,000 Windows machines in over 150 countries within days, is the attack most people picture when they hear the word ransomware, and it makes the definition concrete: malware that makes an organization cry over its neglect of digital security. Attackers infect target systems, render them unusable, and demand a ransom to undo the damage.

Setting the stage: What is a ransomware?

Ransomware is malicious software built to extort money from an individual, an organization, or a government. Its tactics range from simple lock screens to file encryption and, increasingly, data exfiltration. The attacker demands a "ransom", usually in exchange for a decryption key or a promise not to leak the stolen data.

Before we get into the technicalities of an attack (its stages, the tools used, the impact beyond financial loss, and how to defend), a few statistics to set the scene.

The Reality Check

  • According to Searchlight Cyber, there has been an upsurge of 56% in number of active ransomware groups in the first half of 2024.
  • The US Department of State has predicted the annual average cost of cybercrime to hit more than $23 trillion in 2027.
  • A survey by SCWorld reports that ransomware victims on average lose 43% of the data affected in the attack.
  • A significant statistic is that leaked credentials and malicious emails ranked 2nd and 3rd respectively as causes of successful ransomware attacks. (Statista)

Dynamic Changes

Cybercriminals continuously refine their tactics with social engineering, vishing, digital extortion, and triple-extortion schemes that add DDoS attacks on top of encryption and data leaks. COVID-19 was a major driver of the rise in attacks: the pandemic pushed many people to work from home over exposed services such as Remote Desktop Protocol (RDP), which gave attackers additional avenues to reach sensitive data.

AI, cryptocurrencies, and Ransomware-as-a-Service (RaaS) platforms add further momentum. Together they have made ransomware accessible to people with little technical expertise, which makes the picture scarier still.

This dynamic environment underscores the necessity for all to understand the real-time state of ransomware. So, let’s dive in!

Anatomy of a Modern Ransomware Attack

Every ransomware attack has to gain access to the victim's environment, deploy its payload, encrypt (and often steal) files, and demand a ransom in return for a decryption key. The methods and tools used at each stage differ from group to group.

Reconnaissance and target selection

Before choosing an attack, threat actors decide whom to target and gather information about them; this is reconnaissance. Selection criteria vary, but attackers favour organizations that depend heavily on digital assets and can be expected to pay a hefty ransom to regain access to their systems.

There are two types of reconnaissance:

  1. Passive reconnaissance: Collecting data without touching the target's systems: public websites, social media, professional networking sites, and third-party sources such as leaked databases and dark-web forums.
  2. Active reconnaissance: Interacting with the target directly, for example scanning for open ports and vulnerable services, or probing employees with phishing messages.

Initial Access

An attack is initiated by accessing the victim’s system just like a malware attack. There are a few common entry points that are used by cybercriminals in ransomware attack particularly:

  1. Phishing: The best-known social engineering method and the most common delivery vector for any kind of malware. Spear phishing, vishing (voice), smishing (SMS), and watering-hole attacks are the variants attackers use. In the simplest case, a legitimate-looking email carries a malicious link or attachment that tricks the victim into installing malware without realising it.
  2. RDP and credential abuse: Attackers obtain valid credentials by brute force, by credential stuffing, or simply by buying them on the dark web, then log in as a legitimate user. Exposed Remote Desktop Protocol (RDP) is the classic target: an internet-facing RDP endpoint without MFA is effectively a backdoor into the network, and once inside the attacker uses that same remote access to servers and desktops to spread and escalate privileges.
  3. Software vulnerabilities: Unpatched or end-of-life software is another frequent way in. The best-known example is WannaCry, which spread using the EternalBlue exploit for a vulnerability in Microsoft's SMBv1 implementation of the Server Message Block (SMB) protocol, patched in MS17-010.

Lateral movement and privilege escalation

Now that attackers have access, they traverse the compromised network looking for valuable data and systems worth encrypting; this is lateral movement. Along the way they take control of additional machines, servers and devices, which makes escalation easier for them and containment harder for the victim. Techniques used for lateral movement and privilege escalation include:

  1. Exploiting misconfigurations: Improperly configured network shares and weak passwords give attackers access to more systems and can elevate their permissions within the environment.
  2. Credential theft and reuse: Keylogging, dumping credentials from memory, or harvesting saved passwords yields logins that are reused on other systems or to obtain higher privileges.
  3. Pass-the-hash: Rather than cracking a password, the attacker takes the NTLM password hash from a compromised system and uses it directly to authenticate to other Windows systems; the plaintext password is never needed. This supports both lateral movement and privilege escalation.
  4. Finding vulnerabilities: Attackers look for exploitable weaknesses in systems and services that let them bypass access controls and escape their current boundary until they reach administrator level.
  5. Misusing legitimate tools and services ("living off the land"): Built-in administration tools such as PowerShell, WMI and remote-execution utilities are abused to move through the network while blending in with normal administrative activity.

Payload delivery

The attackers achieve their objective by deploying the prepared ransomware to the target systems. The payload encrypts the victim's files, and the ransom demand follows. The most common types of ransomware are:

  • Encryption ransomware: Encrypts the victim’s files, making them inaccessible until they are decrypted with a decryption key — available only after the ransom is paid.
  • Locker ransomware: Locks the victim out of their system entirely, preventing access until the demanded ransom is paid.
  • Hybrid ransomware: Hybrid ransomware both encrypts victim files and disables computer access to create an urgent feeling in the target.

These payloads reach the victim through several delivery approaches:

  • Email attachments or links: Crafted emails carrying malicious files or URLs remain the main way ransomware is delivered. The victim starts the download by opening the attachment or clicking the link.
  • Drive-by downloads: Ransomware is downloaded without the user's knowledge when they visit a compromised or malicious website; vulnerabilities in the browser or its plugins let the malware land on the system.
  • Exploit kits: Automated exploit kits fingerprint a visiting system, pick a matching exploit for an unpatched weakness, and drop the ransomware, which makes them one of the cheapest ways for criminals to distribute it.

Data Encryption and impact

In this phase the ransomware encrypts the victim's data and the damage becomes visible. Ransomware uses strong, standard cryptography: typically a symmetric cipher such as AES for the file contents, with the per-victim or per-file AES key itself encrypted with the attacker's RSA public key. Documents, images, databases and other files are rendered unreadable, and because only the attacker holds the matching private key, the victim stays locked out of their own data. The impacts a victim faces, whether an individual or an organization, include:

  • Operational disruption: Critical systems become inaccessible, causing lost productivity, delayed service delivery and financial consequences, for individuals and organizations alike.
  • Data loss and corruption: Without proper backups, data can be lost permanently. Interrupted or buggy encryption routines can also corrupt files so that even a working decryptor cannot restore them.
  • Financial loss: The cost includes the ransom itself (if paid), the expense of recovery and rebuilding, and possible regulatory penalties. Reputational damage and lost customers add indirect losses.
  • Reputational damage: Public disclosure of an attack hurts how customers, partners and stakeholders view the organization's ability to protect data, reducing trust and future business.
  • Legal and regulatory obligations: Data-protection laws such as the GDPR require breach notification and can impose fines when personal data is exposed.
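The encryption stage has a defensive corollary worth seeing in code: the output of AES (or any sound cipher) is indistinguishable from random bytes, so a file that was plain text yesterday and measures close to 8 bits of entropy per byte today has almost certainly been encrypted. The added example below (not code from the original post or from any ransomware family) scores files on two signals that detection tools use, byte entropy and whether the file header still matches its extension, and shows the caveat a practitioner needs: compressed formats such as PNG or ZIP are high-entropy when healthy, so for those only the header check is trustworthy. The sample "files", the small magic-byte table and the 7.5-bit threshold are constructed for the demonstration.

```python
import hashlib
import math
import os
from collections import Counter

# Expected leading bytes for a few common formats. Assumption: this small table is
# enough for the demonstration; a real scanner would use a libmagic-style database.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}
# Formats that are high-entropy even when healthy, so entropy alone says nothing about them.
COMPRESSED = {".png", ".jpg", ".jpeg", ".zip", ".docx", ".pdf", ".gz", ".7z"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def magic_mismatch(name: str, data: bytes) -> bool:
    """True when the extension promises a header that the bytes no longer carry."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    return expected is not None and not data.startswith(expected)


def suspicious(name: str, data: bytes, threshold: float = 7.5) -> list:
    """Reasons this file looks like ransomware output (an empty list means it looks healthy).

    A .txt or .sql file that suddenly measures ~8 bits/byte is a strong signal. For formats
    that are compressed anyway we skip the entropy test and rely on the header check.
    """
    ext = os.path.splitext(name)[1].lower()
    reasons = []
    if magic_mismatch(name, data):
        reasons.append("header no longer matches extension")
    if ext not in COMPRESSED:
        ent = shannon_entropy(data)
        if ent >= threshold:
            reasons.append(f"entropy {ent:.2f} bits/byte >= {threshold}")
    return reasons


def scan(files: dict) -> dict:
    """Map of filename -> reasons, for every file that was flagged."""
    findings = {}
    for name, data in files.items():
        reasons = suspicious(name, data)
        if reasons:
            findings[name] = reasons
    return findings


def pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed for the
    example; not the output of any real ransomware)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample "files", built inline so the example runs offline.
PLAINTEXT = b"Quarterly revenue report. Sales rose in every region this year.\n" * 64
SAMPLES = {
    "notes.txt": PLAINTEXT,                                      # healthy document
    "report.png": MAGIC[".png"] + pseudo_random(4096, b"img"),   # healthy image: high entropy, valid header
    "encrypted_notes.txt": pseudo_random(4096, b"a"),            # encrypted in place, name unchanged
    "encrypted_report.png": pseudo_random(4096, b"b"),           # encrypted in place: header gone
    "backup.zip.locked": pseudo_random(4096, b"c"),              # renamed with an unknown extension
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", "; ".join(reasons))
```

In production this logic runs as a file-system watcher on a canary directory or a file server, alerting on a burst of newly suspicious files rather than on a single one; a single high-entropy file is often just a legitimate archive or an encrypted container.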

Ransom notes

This is the moment the attacker has been working toward: the ransom demand. Ransom notes are dropped on the encrypted systems and may also arrive by email or direct message, and the negotiation portal usually lives on the Tor network so the operators stay anonymous. Tactics used to push victims into paying large sums include:

  • Bitcoin or other cryptocurrency: The attackers' preferred payment method, because wallet addresses are pseudonymous rather than tied to an identity.
  • Payment deadlines and threats: Strict deadlines, backed by threats to delete the decryption key or raise the price if the deadline is missed, create pressure.
  • Proof of data exfiltration: Increasingly, attackers steal data before encrypting it and publish a sample to prove it. The threat to release the rest publicly (double extortion) pushes the organization to pay quickly.

Organizations should involve legal counsel at this point: in some jurisdictions paying a ransom can itself be illegal, for example where the recipient is a sanctioned entity, and many countries require the incident to be reported to authorities.

Real-Life Incidents

Let's look at a few cases with different outcomes. The best way to learn a lesson is from someone else's story.

Starbucks supply chain disruption

In November 2024, Starbucks' internal operations were disrupted by a ransomware attack on Blue Yonder, an Arizona-based provider of AI-driven supply chain management software. The attack did not just hurt the direct victim; it rippled out to Blue Yonder's clients, including large UK grocery chains such as Sainsbury's and Morrisons.

Starbucks relied on Blue Yonder for barista scheduling and payroll, so its back office became a mess even though customers were not affected. Roughly 11,000 stores had to fall back to pen and paper to track working hours and calculate paychecks. The case highlights the risk of depending on a third party without regularly assessing its security posture.

The attack landed just before the Thanksgiving holiday season, a peak period for retail and supply chain organizations. Grocery chains such as Sainsbury's saw delays in the warehouse management systems that handle fresh food and produce, disrupting the flow of goods to stores. Although Blue Yonder brought in outside cybersecurity firms to speed up recovery, it could not give a firm recovery timeline.

It was an eye-opener because Blue Yonder served more than 3,000 clients. No complete picture of who was affected, or of whether data was stolen, was made public. The ransomware hit not only the target company but also its clients and their operations.

NHS London Ransomware attack

This one was also in 2024, in June, but in an even more critical sector: healthcare. It resembles the previous case in that the target was a service provider, Synnovis, and the impact fell on its clients. The attackers obtained sensitive patient data relating to nearly one million people served by NHS hospitals in London, reportedly by exploiting weaknesses in legacy systems used by the provider.

Synnovis is a pathology partnership between Guy's and St Thomas' NHS Foundation Trust, King's College Hospital NHS Foundation Trust, and SYNLAB, Europe's largest provider of medical testing and diagnostics. Responsibility was claimed by Qilin, a Russian-speaking ransomware-as-a-service group that rents its malware to other criminals in return for a cut of the ransom. NHS hospitals had to fall back to paper records, with porters hand-delivering them, and the disruption led to over 3,000 GP appointments and 800 planned operations being postponed.

The attackers leaked almost 400 GB of data online, including dates of birth and NHS numbers. This eroded patients' trust in the hospitals' ability to protect their data, triggered scrutiny from regulators, and prompted calls to improve cybersecurity across the healthcare sector. Outdated IT infrastructure at the National Health Service (NHS) is thought to have contributed, a reminder of how neglected cybersecurity often is.

The case shows how ransomware goes beyond financial loss. Delayed appointments and operations put patients at risk across six boroughs of south-east London, an area serving almost 2 million people. Notably, Qilin claimed its motive was not money: the group said it attacked because the UK had not done enough to help in an unspecified war.

The Tools of the Trade

Let’s discuss what tools facilitate hackers in ransomware attacks.

Ransomware-as-a-Service (RaaS)

RaaS is the biggest contributor to the growth in the number of ransomware attacks. Operators lease their malware and infrastructure to affiliates with less skill in exchange for a fee or a percentage of the ransoms collected, which lowers the barrier to entry for infiltrating a victim's network. RaaS platforms offer a user-friendly interface, technical support, and even customer support for victims, and sometimes allow the ransomware to be customized for a particular target.

Deep web

The deep web is the part of the internet not indexed by search engines such as Google; by commonly cited estimates it makes up around 90% of the web. It consists of private databases and content held by governments, universities and companies. Accessing it requires authorized access to the network or application that holds the data.

Dark web

The dark web is a small fraction of the internet, often estimated at around 6%, but a much darker place. It is where criminals trade drugs, weapons, stolen credit card numbers and more, and where ransomware gangs publish the personal data they exfiltrated during attacks. Threat actors reach it through anonymity networks such as Tor.

Tor

Tor (The Onion Router) is an anonymity network, usually accessed through the Tor Browser, that hides your identity by bouncing traffic through a changing sequence of relays. Each relay forwards the request on your behalf, so the destination never sees a direct connection from you. Tor is not illegal and is widely used by journalists and even law enforcement. The same privacy makes it ideal for ransomware operations: ransom notes point victims to .onion payment and negotiation portals, and some payloads bundle a Tor client for command and control so the operators stay hidden.

I2P

I2P, the Invisible Internet Project, is another route into the dark web. It is a fully decentralized network in which every participating machine acts as a router, and it uses garlic routing, which bundles several encrypted messages together so that traffic analysis is harder than with Tor's onion routing. All traffic is encrypted across several one-way tunnels, which makes tracking browsing activity very difficult for governments and law enforcement. Created in 2003, I2P offers a highly encrypted network with customizable tunnel length and lifetime.

Cryptocurrency

Cryptocurrency is how cybercriminals collect ransoms. It is a payment system based on a blockchain, a decentralized public ledger: transactions are visible to everyone, but they are tied to wallet addresses rather than real identities, which gives attackers pseudonymity (and is why they launder proceeds through mixers and exchanges). About 98% of ransomware attackers rely on cryptocurrency such as Bitcoin to get paid.

Abusing legitimate tools

Some tools were built for security research and legitimate administration. Cybercriminals have found ways to use them for malicious purposes, usually without modifying them at all.

  1. Cobalt Strike: A commercial adversary-simulation tool. Cracked copies are used by threat actors for lateral movement and as a backdoor; its Beacon payload has capabilities similar to a remote access trojan (RAT). It has featured in many ransomware campaigns, including Clop, WickrMe, and ProLock.
  2. PsExec: A Sysinternals utility for running processes on remote systems. Attackers use it as-is to run an arbitrary command shell or the ransomware binary on other machines and move laterally. DoppelPaymer, Maze, and Petya/NotPetya are among the ransomware families that used it.
  3. Mimikatz: A post-exploitation tool originally written to demonstrate weaknesses in Windows credential handling. Threat actors use it to dump credentials from LSASS memory (plaintext passwords, NTLM hashes and Kerberos tickets), which feeds pass-the-hash and other lateral movement. Maze, ProLock, and RansomExx are among the families that used it.

Defense Strategy

Now that we know how ransomware attacks work and what they cost, let's talk about how to stay safe.

“Prevention is better than cure”

So, we will first talk about prevention strategies and then how to cure if we are infected anyway.

Preventing your organization from getting attacked

1. Address Infection Vectors

As we saw above, ransomware attackers have a variety of ways to access an organization’s network. The best practices to stay protected against them are:

  • Strong authentication: Weak passwords are easily guessed, giving attackers access through RDP or other remote-access tools. Enforce multi-factor authentication (MFA) on all systems, especially anything reachable from the internet.
  • Vulnerability management: Regular vulnerability scans find unpatched software and security gaps so they can be fixed before they are exploited to gain access.
  • Employee training: Employees should be trained to recognise and report phishing emails.
  • Inventory assets: Maintain a complete inventory of IT and OT assets. You cannot patch, monitor or isolate what you do not know you have, and the inventory shows where the weak links are during an attack.
  • Assess ransomware risk: Check whether existing defences match current security best practice, and test their effectiveness through penetration testing.
  • Stay on guard 24/7: Keep security monitoring and incident response active around the clock; cybercriminals deliberately strike during weekends and holidays when staffing is thin.

2. Advanced threat detection tool

Threat actors may use a zero-day exploit that no patch yet addresses. Tackling that requires detection technologies such as:

  • Extended detection and response (XDR): A security platform that collects and correlates data from multiple security tools (endpoint, network, identity, cloud) to identify and respond to threats.
  • Managed detection and response (MDR): A service that combines machine learning, automation, and human analysts to monitor an organization's networks, endpoints, and systems.
  • Sandboxing: An isolated environment detached from the rest of the network in which suspicious files can be detonated and observed without real impact.
  • SIEM: Security Information and Event Management tools collect, manage, and analyse security logs from firewalls, antivirus, IDS and other sources to identify and respond to potential threats.
  • User and entity behavior analytics (UEBA): Uses machine learning and behavioural analytics to detect abnormal user and entity behaviour that may indicate a threat, and strengthens zero-trust programs.
  • Zero-trust security: A model that assumes no user, device, or application should be trusted by default, even inside the organization's network, and requires strict authentication and authorization for every access request.
  • Cyber deception: Fake hosts, networks, files and databases (honeypots and honeynets) are set up to divert attackers and to raise a high-confidence alert the moment anyone touches them.

3. Regular software updates

All software and system updates must be installed promptly. WannaCry is the classic example: the attackers exploited a vulnerability in the SMB protocol of legacy Windows systems for which Microsoft had released the patch (MS17-010) two months earlier.

4. Implement Defence in Depth

Defence in depth layers controls around assets so that even if an attacker gets into the network, moving laterally is hard. Technologies and processes that belong in those layers include:

  • Firewalls
  • Endpoint scanning and filtering
  • Endpoint detection and response
  • Network traffic analysis
  • Network segmentation
  • Web filtering
  • Intrusion detection and prevention systems
  • Email security filtering
  • Allow listing/deny listing

5. Maintain good backups, but don't depend solely on them

Backups are essential because attackers encrypt exactly the data you would need to retrieve. Keep at least one copy where attackers cannot reach it: offline media or immutable storage, disconnected from the production network and not writable with production credentials, and test restores regularly. Don't rely on backups alone: as the cases above show, attackers also exfiltrate data, and the impact can fall on clients and partners that no backup restores.

Recovering from a ransomware attack

  1. Isolate the Infected Systems
    As soon as a ransomware attack is detected, disconnect infected devices from the network to stop it spreading; if required, also disable wireless connections such as Wi-Fi and Bluetooth.
  2. Identify the Ransomware Variant
    Once isolated, analyse the system to determine the ransomware strain. Knowing the variant tells you whether a free decryptor exists, how the group typically behaves (for example, whether it also steals data), and how to clean up. Reputable cybersecurity resources or tools, such as Sophos Intercept X with MDR, can help identify the variant.
  3. Remove the Ransomware
    The ransomware must be removed before the system can be recovered. Some strains delete themselves; otherwise use anti-malware/anti-ransomware tools such as Bitdefender or Kaspersky Premium. If required, bring in cybersecurity experts, either from your own organization or from a third party, to remove it manually.
  4. Restore from Backups
    Determine which files have been encrypted or compromised. If clean copies exist in an offline backup or a secure cloud environment, restore from them. If no backup is available, decryption tools from Avast, Kaspersky, the No More Ransom project and others may help for some strains. Scan backups for ransomware before restoring from them to avoid reinfection.
  5. Rebuild Affected Systems
    If there are no clean backups available, affected systems will have to be rebuilt from scratch. Reinstall operating systems and the required applications, ensuring all software is up to date with security patches.
  6. Document the Incident and report.
    Record all details of the attack: how it occurred, what was affected, and how it was resolved. Use the record to brief stakeholders, improve the incident response plan, and prevent similar attacks, and report the incident to the relevant authorities where required.
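Steps 4 and 5 above hinge on one question: can you trust the backup you are about to restore? A ransomware run that reached the backup share may have encrypted, deleted or added files there too, and an attacker who can write to the share can also rewrite any checksum list stored beside the data. The added example below (written for this article, not code from the original post or from any backup product) seals a SHA-256 manifest of the backup set with an HMAC whose key is kept away from the backup host, then verifies the set before a restore and reports exactly which files changed, vanished or appeared. The directory layout, file contents, key and the simulated damage are all constructed inside a temporary directory so the code runs offline.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large backup archives never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path (forward slashes) -> digest for every file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _canonical(manifest: dict) -> bytes:
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal(manifest: dict, key: bytes) -> dict:
    """Attach an HMAC so an attacker with write access to the backup store cannot simply
    regenerate a manifest that matches the files they encrypted. Assumption: the key lives
    somewhere the backup host cannot reach, such as a vault or a separate admin workstation."""
    return {"manifest": manifest,
            "mac": hmac.new(key, _canonical(manifest), "sha256").hexdigest()}


def verify(root: Path, sealed: dict, key: bytes) -> dict:
    """Check the MAC first, then compare every file; report what changed, vanished or appeared."""
    expected_mac = hmac.new(key, _canonical(sealed["manifest"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, sealed["mac"]):
        return {"ok": False, "reason": "manifest MAC mismatch",
                "changed": [], "missing": [], "extra": []}
    expected, actual = sealed["manifest"], build_manifest(root)
    changed = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    missing = sorted(k for k in expected if k not in actual)
    extra = sorted(k for k in actual if k not in expected)
    ok = not (changed or missing or extra)
    return {"ok": ok, "reason": "" if ok else "backup contents differ from sealed manifest",
            "changed": changed, "missing": missing, "extra": extra}


def demo() -> dict:
    """Build a tiny constructed backup set, seal it, simulate a ransomware run that reached
    the backup share, and show that verification catches both the damage and a forged manifest."""
    key = b"constructed-demo-key-normally-kept-off-the-backup-host"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "plan.txt").write_text("quarterly plan\n")
        (root / "db.sql").write_text("CREATE TABLE orders (id INTEGER);\n")
        sealed = seal(build_manifest(root), key)
        clean = verify(root, sealed, key)

        # Simulated damage: one file overwritten with ciphertext-like bytes, one deleted,
        # one new file with an unfamiliar extension (all constructed, not real artefacts).
        (root / "db.sql").write_bytes(hashlib.sha256(b"x").digest() * 4)
        (root / "docs" / "plan.txt").unlink()
        (root / "db.sql.locked").write_bytes(b"\x00" * 16)
        tampered = verify(root, sealed, key)

        # An attacker who rewrites the manifest to match the damaged files still fails,
        # because they do not hold the HMAC key.
        forged = seal(build_manifest(root), b"attacker-guess")
        forged_result = verify(root, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run this at backup time (`seal`) and again before every restore (`verify`); a non-empty `changed` or `missing` list means the copy is not the clean one you think it is, and a MAC mismatch means someone has been editing the manifest itself. It complements, rather than replaces, scanning the restored files for the ransomware binary.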

Conclusion: The future of Ransomware warfare

As ransomware attacks are rising, it is clear that all businesses need to improve their security posture. The case studies discussed in this document highlight the devastating consequences of ransomware attacks, ranging from operational disruptions and reputational damage to life- threatening delays in critical services. However, they also emphasize the importance of proactive measures like robust backups, employee training, and cybersecurity preparedness.

In the end, ponder over what Captain Jack Sparrow is saying in the image that closes the original post, and decide what's best for you.

Written By: Viriti Mehta


Written by The Hackers Meetup

Initiative of @viralparmarhack to provide a proper platform for cyber security researchers & like-minded people to establish a community.