Ransomware has become one of the most infamous types of cyber crime in recent years, with security professionals and the public alike fearing the prospect of attack.
But although many of us broadly understand how ransomware works – computers are infected with malware, locking users out of their files until they make a payment – there is little in-depth knowledge about why the attacks are so successful.
Cyber security company Sophos has addressed that in its recent report, How Ransomware Attacks. It provides a detailed breakdown of how ransomware works, the different types of malware and how organisations can protect themselves.
One of the biggest factors behind the rise in ransomware is that cyber criminals are constantly creating new ‘strains’ of malware. This is important to understand, because it shows that ransomware is not simply unstoppable.
Rather, it shows that infections work in the same way as physiological viruses. Organisations, like our immune systems, become aware of an attack and develop ways to protect themselves – whether it’s antibodies or security controls like antimalware software.
However, once the virus has been detected and secured against, it mutates to exploit another vulnerability.
Ransomware strains generally have one thing in common, though: they are designed to conceal their purpose and avoid detection until they have encrypted files.
As Sophos explains, it’s “easier to change a malware’s appearance (obfuscate its code) than to change its purpose or behaviour [sic]”.
Ransomware generally does this by using non-commercial packers – curated files that self-extract when the packed file is executed – to make it harder for antimalware technology to identify its intention and for analysts to reverse engineer it.
Types of ransomware
Ransomware can be broadly split into three categories, based on the method of attack and how they spread:
1. Cryptoworm
This is a standalone type of malware that replicates itself onto other computers, spreading as widely as possible.
Generally, the infection is limited to a specific network, enabling the cyber criminal to stay on top of who they are attacking. However, sometimes – as with the WannaCry attack in 2017 – the ransomware spirals out of control, attacking tens, if not hundreds, of organisations.
2. RaaS (ransomware as a service)
These are types of malware sold on the dark web that are typically delivered via phishing emails. Relatively straightforward in design, RaaS tends to be used on a mass scale rather than in a targeted attack.
3. Automated active adversary
This form of ransomware is used by attackers who use tools to automatically scan the Internet for poorly protected systems. When they detect a weakness, they’ll break in and plant the ransomware where it can cause maximum damage.
How to prevent ransomware infection
Things might look pretty bleak for organisations trying to protect themselves, but Sophos urges potential victims to recognise that “there’s hope in this fight”.
It does so by pointing to technologies and policies that organisations can implement to protect themselves from ransomware.
One of those is Windows 10 Controlled Folder Access whitelisting, which permits only trusted applications to edit files in a specified location. This prevents ransomware from overwriting and encrypting files.
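One way to roll out Controlled Folder Access with the Microsoft Defender PowerShell cmdlets, starting in audit mode so that legitimate applications are not blocked unexpectedly. This is an added example, not taken from the Sophos report; the folder and application paths are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: stage Controlled Folder Access (CFA) in audit mode, then enforce.
# Run without -Enforce first; run with -Enforce after a representative audit period.
param([switch]$Enforce, [int]$AuditDays = 7)

# Constructed sample values: replace with your own folder and trusted application.
$ProtectedFolder = 'D:\Finance'
$TrustedApp      = 'C:\Program Files\ExampleCorp\ledger.exe'

# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (log only)
function Get-CfaState {
    $p = Get-MpPreference
    [pscustomobject]@{
        Mode             = $p.EnableControlledFolderAccess
        ProtectedFolders = $p.ControlledFolderAccessProtectedFolders
        AllowedApps      = $p.ControlledFolderAccessAllowedApplications
    }
}

# Defender event 1123 = write blocked by CFA, 1124 = write that audit mode would have blocked.
function Get-CfaEvents {
    param([int]$Days)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

if (-not $Enforce) {
    # Stage 1: log only, protect the folder, and allow the one application that must write to it.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolder
    Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp
    Get-CfaState | Format-List
    return
}

# Stage 2: enforce only if the audit period shows no writes from unlisted applications.
$events = @(Get-CfaEvents -Days $AuditDays)
if ($events.Count -gt 0) {
    Write-Warning "$($events.Count) audited write(s) found; review before enforcing."
    $events | Format-Table -AutoSize -Wrap
} else {
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Get-CfaState | Format-List
}
```

Each audited event names the process that attempted the write, so any entry you do not recognise should be investigated rather than added to the allowed list.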
An equally important measure is staff awareness training. The most common way of falling victim to ransomware is by clicking a phishing email that contains a boobytrapped attachment.
By teaching your staff how to detect a suspicious email, you can greatly reduce your chances of becoming infected.
Those looking for guidance on how to counter email-based ransomware attacks should enrol on our Phishing and Ransomware – Human patch e-learning course.
It describes the link between phishing attacks and ransomware, and what staff need to be aware of to help prevent attacks.