Ransomware as a weapon


Over the past two decades ransomware attacks have increased sharply, while their operational procedure has matured from simple opportunistic exploitation into a well-orchestrated process. The main goal of ransomware is to extort money by encrypting the data of individuals and companies alike. The attackers hold the decryption key, which they promise to hand over once the victim pays the ransom. The demanded amount is not fixed and, in reported cases, ranges from about $1 million to hundreds of millions of dollars for a single attack.

Ransomware is sophisticated malware that grows more advanced as technology evolves, and that same evolution gives it a favourable environment in which to prosper. Successful cyber criminals keep improving their tooling and devising strategies that defeat existing preventive countermeasures. In the coming years, as the number of network-connected devices grows further, ransomware is expected to spread to new sectors.

Because society is increasingly digitalized, protecting data from malicious threats has to be a priority. Ransomware is a malicious program that is installed without the user's approval, defeats the system's protections and takes control of the system covertly. Unlike typical malware, which tries to stay hidden, ransomware ends its activity by announcing its presence to the user: by then it has already taken the files hostage and proceeds to blackmail. One notable characteristic of ransomware is that it is highly automated and does not need a C2 (command and control) server to tell it what to do; once it executes, the encryption proceeds without further instructions. Recovering the files once they are encrypted is very difficult, which is why preventing such an attack matters more than dealing with it after detection.

For individuals, ransomware can mean a great financial loss; for businesses the impact goes beyond money, since a victim company's client data can be destroyed outright, harming the clients themselves and setting off a domino effect of financial loss and damage in other sectors. Even now, most security analysts do not fully understand the modus operandi of ransomware, and so they struggle to detect and prevent it.

To find adequate solutions against these attacks, it is essential to understand how a ransomware attack unfolds. First, the victim receives an email containing a link that looks legitimate. Clicking it takes the user to a website that appears as legitimate as the email's sender, yet as soon as the page loads it begins exploiting the victim's system and interacting with it. Finally, the files are encrypted and the key ends up under the attacker's control (sent to the attacker's control server, or wrapped with a public key embedded in the malware), and a note demanding a ransom is delivered to the victim. Following the process step by step, the human factor is vital: clicking the manipulated link is the starting point that gives the attacker access.
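To make the key-handling step concrete, here is an added example (not code from the original article) that models how the encryption key ends up in the attacker's hands while the victim's machine never holds anything that can undo the encryption. It assumes the common hybrid design: the malware ships only the attacker's public key, generates a fresh symmetric key on the victim's machine, encrypts the files with it and wraps that key with the public key, so no round-trip to a control server is needed during encryption. Textbook RSA with small fixed primes and a SHA-256 counter-mode keystream stand in for real RSA and AES so that it runs with the Python standard library alone; they are deliberately not secure primitives. The primes, function names and sample files are assumptions for illustration.

```python
"""Model of ransomware key handling (added illustrative code, not from the article)."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed toy RSA parameters (assumption): two small primes picked for
# readability. The modulus is about 2^40, so each 4-byte chunk of a symmetric
# key fits below it. Real families use 2048-bit RSA or elliptic-curve keys.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)
ATTACKER_PUBLIC_KEY = (E, N)             # the only key material shipped inside the malware
ATTACKER_PRIVATE_KEY = (D, N)            # never leaves the attacker's infrastructure

CHUNK = 4                                # symmetric-key bytes per textbook-RSA block
MODULUS_BYTES = (N.bit_length() + 7) // 8


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) blocks XORed over the data.
    XOR is its own inverse, so one function both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def wrap_key(sym_key: bytes, public_key: Tuple[int, int]) -> List[int]:
    """Encrypt the symmetric key chunk by chunk with the attacker's public key."""
    e, n = public_key
    return [pow(int.from_bytes(sym_key[i:i + CHUNK], "big"), e, n)
            for i in range(0, len(sym_key), CHUNK)]


def unwrap_key(wrapped: List[int], private_key: Tuple[int, int]) -> bytes:
    """Invert wrap_key. Only the exponent d, which the victim never has, recovers the key."""
    d, n = private_key
    return b"".join(pow(c, d, n).to_bytes(MODULUS_BYTES, "big")[-CHUNK:]
                    for c in wrapped)


def encrypt_files(files: Dict[str, bytes], public_key: Tuple[int, int],
                  victim_key: Optional[bytes] = None) -> Tuple[Dict[str, bytes], List[int]]:
    """Victim-side routine. A fresh per-victim key encrypts every file, is wrapped
    with the attacker's PUBLIC key, and is then forgotten. Nothing here touches the
    network: the attacker's half of the exchange was fixed when the public key was
    embedded at build time, which is why no C2 instruction is needed."""
    sym_key = victim_key if victim_key is not None else os.urandom(16)
    encrypted = {name: keystream_xor(sym_key, data) for name, data in files.items()}
    wrapped = wrap_key(sym_key, public_key)
    return encrypted, wrapped


def recover_files(encrypted: Dict[str, bytes], wrapped: List[int],
                  key: Tuple[int, int]) -> Dict[str, bytes]:
    """Decryption as the attacker (or a paying victim handed a decryptor) performs it:
    unwrap the symmetric key with the given exponent, then undo the stream cipher."""
    sym_key = unwrap_key(wrapped, key)
    return {name: keystream_xor(sym_key, data) for name, data in encrypted.items()}


def local_recovery_attempt(encrypted: Dict[str, bytes], wrapped: List[int],
                           public_key: Tuple[int, int]) -> Dict[str, bytes]:
    """Everything the victim's disk holds: ciphertext, the wrapped key and the public
    exponent. Using the public exponent as if it were the private one yields a wrong
    symmetric key and therefore garbage plaintext."""
    return recover_files(encrypted, wrapped, public_key)


SAMPLE_FILES = {  # constructed sample victim data
    "report.docx": b"Quarterly figures: revenue up 4%, headcount flat.",
    "notes.txt": b"Call the bank tomorrow about the invoice.",
}

if __name__ == "__main__":
    enc, wrapped = encrypt_files(SAMPLE_FILES, ATTACKER_PUBLIC_KEY)
    print("wrapped key blocks left on disk:", wrapped)
    assert recover_files(enc, wrapped, ATTACKER_PRIVATE_KEY) == SAMPLE_FILES
    assert local_recovery_attempt(enc, wrapped, ATTACKER_PUBLIC_KEY) != SAMPLE_FILES
    print("files recover only with the attacker's private key")
```

The point to take away is where the secrets live: the private exponent exists only on the attacker's side, the symmetric key exists in the victim's memory for the duration of `encrypt_files` and survives only in wrapped form. Blocking the attacker's servers after the fact therefore does nothing for the files already encrypted, and a defender who wants the plaintext key has to capture it while the process is still running (memory forensics) or prevent execution in the first place.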

The consequences of such an attack should concern companies most of all. The motives at this level of target are numerous and include competition between businesses. Organizations therefore have to build robust IT infrastructures and effective defensive techniques unless they want to lose data worth thousands of dollars.

Currently the United States is the region most affected by ransomware, accounting for 54.9% of infections, followed by the UK with 10%. The shift towards targeting companies occurred in 2016, when 42% of all reported attacks targeted enterprises, mainly in the manufacturing sector. Beyond the far larger profit a company can yield, ransomware can hit a whole network of computers rather than a single one. Ransomware naturally aims at the maximum profit from each attack, but the actual profit varies with the victims' willingness to pay, the value of the encrypted files, how far the victims trust the criminals to keep their word, and so on.

Recommendations for prevention

As already mentioned, prevention is the most efficient protection against ransomware, since an actual infection can be completely destructive for individuals and corporations alike. Once a system is infected, restoring the data is a challenging process that may never succeed at all. It is therefore highly recommended to follow specific steps to reduce the risk of infection. First, set up spam filters to quarantine suspicious emails and detonate their attachments in a malware sandbox. It is also necessary to use an exploit execution prevention module and to update it regularly with the latest threat intelligence.

For companies, limiting the impact starts with developing and executing an end-user awareness program. It can be hard to get approval for regular company-wide security reminders, yet better-informed end users fall for fewer ransomware attacks. In addition, corporations should validate their server backup procedures, as many companies cannot tell whether their backups are compromised until it is too late; priority should go to the file servers of critical departments. Network drive permissions should also be reviewed, so that a single user's compromised account cannot do great damage across the organization's network-shared drives. Last but not least, companies should prepare specifically for a ransomware attack by establishing a response plan, because the recovery process is very different from that of typical malware attacks.
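The backup-validation advice above is the one recommendation that reduces to a mechanical check, so here is an added example (not from the original article) of how such a check can look: a manifest of SHA-256 hashes taken when the backup is made, compared against the current backup tree, plus a Shannon-entropy test that flags files whose contents look like ciphertext even where no manifest entry exists. The thresholds, file names and sample contents are assumptions for illustration. The manifest must itself be kept offline or on immutable storage; otherwise the attacker simply rewrites it together with the backup.

```python
"""Backup integrity check against ransomware (added illustrative code, not from the article)."""
import hashlib
import math
from pathlib import Path
from typing import Dict, List

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumption: documents and text sit well below this
MIN_SAMPLE = 512         # assumption: entropy of very small files is too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, ciphertext sits close to it."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hashes taken at backup time. Store the result off the backup host."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def load_tree(root: Path) -> Dict[str, bytes]:
    """Read a real backup directory into the same {relative path: bytes} shape."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def verify_backup(manifest: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the current backup tree with the stored manifest.
    missing/modified come from the manifest; unexpected/high_entropy catch files the
    manifest never knew about, such as renamed ciphertext and ransom notes."""
    report: Dict[str, List[str]] = {"missing": [], "modified": [], "unexpected": [], "high_entropy": []}
    for name, digest in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif hashlib.sha256(current[name]).hexdigest() != digest:
            report["modified"].append(name)
    for name, data in current.items():
        if name not in manifest:
            report["unexpected"].append(name)
        if len(data) >= MIN_SAMPLE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            report["high_entropy"].append(name)
    for key in report:
        report[key].sort()
    return report


def backup_is_trustworthy(report: Dict[str, List[str]]) -> bool:
    """A backup is only usable for recovery when every category is empty."""
    return not any(report.values())


def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed, so the example runs offline)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]


# Constructed sample data: the tree as it was when the manifest was written ...
PRISTINE = {
    "finance/ledger.csv": b"date,account,amount\n"
    + b"".join(f"2021-03-{d:02d},OPEX,{d * 17}\n".encode() for d in range(1, 32)),
    "docs/policy.txt": b"Backups are verified weekly against the offline manifest.\n" * 12,
}
MANIFEST = build_manifest(PRISTINE)

# ... and the same tree after ransomware reached the backup share.
COMPROMISED = {
    "finance/ledger.csv": _pseudo_random(2048),        # overwritten in place with ciphertext
    "docs/policy.txt.locked": _pseudo_random(1024),    # renamed and encrypted
    "README_RESTORE_FILES.txt": b"All your files have been encrypted. Contact us to buy the key.\n",
}

if __name__ == "__main__":
    for label, tree in (("pristine", PRISTINE), ("compromised", COMPROMISED)):
        result = verify_backup(MANIFEST, tree)
        print(label, "trustworthy:", backup_is_trustworthy(result), result)
```

The hash comparison is the authoritative signal; the entropy test is a backstop for files the manifest does not cover. Its main false positive is legitimately compressed content (zip and gzip archives, JPEGs, and Office documents, which are zip containers), so in production the entropy branch should skip those formats by magic bytes or extension rather than lower the threshold.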

Conclusion

Ransomware incidents have grown in recent years and are now the primary tool of cyber criminals, who prefer to target companies for financial gain rather than individuals. The human factor is mainly responsible for successful ransomware attacks, so limitation measures are essential to minimize the probability of a threat materializing. The modus operandi of this particular malware differs from that of typical malware and therefore demands a different approach to confronting it. The digitalized society of the coming years, together with remote work as a COVID-19 measure, gives ransomware an additional reason to persist and prosper as a weapon.


By The European Institute for International Law and International Relations.
