Ransomware is a type of malware attack in which the attacker locks and encrypts the victim’s data and then demands a payment to unlock and decrypt the data.
This type of attack takes advantage of human, system, network, and software vulnerabilities to infect the victim’s device — which can be a computer, printer, smartphone, wearable, point-of-sale (POS) terminal, or other endpoint.
The device is infected when the victim clicks a link, visits a web page, or installs a file, application, or program that includes malicious code designed to covertly download and install the ransomware. This can happen in a variety of ways:
| Ransomware distribution technique | Description |
|---|---|
| Phishing email | Clicking a link embedded in an email, which redirects to a malicious web page. |
| Social media | Clicking a malicious link in Facebook or Twitter posts, other social media posts, instant messenger chats, etc. |
| Malvertising | Clicking an advertisement on a legitimate site that has been seeded with malicious code. |
| Infected programs | Installing an application or program containing malicious code. |
| Drive-by infections | Visiting an unsafe, suspicious, or fake web page; or opening or closing a pop-up. |
| Traffic Distribution System (TDS) | Clicking a link on a legitimate gateway web page that redirects the user to a malicious site, based on the user's geo-location, browser, operating system, or other filter. |
| Self-propagation | Spreading the malicious code to other devices through network shares and USB drives. |

Table 1: Infection pathways
After a device is exposed to the malicious code, the ransomware attack proceeds as follows.
Figure 1: Ransomware seven-stage attack
- Infection: Ransomware is covertly downloaded and installed on the device.
- Execution: Ransomware scans and maps locations for targeted file types, including locally stored files, and mapped and unmapped network-accessible systems. Some ransomware also deletes or encrypts any backup files and folders.
- Encryption: Ransomware performs a key exchange with the command-and-control (C2) server and uses the resulting encryption key to scramble all files discovered during the Execution step. It also locks access to the data. (See Figure 2.)
- User Notification: Ransomware adds instruction files detailing the pay-for-decryption process, then uses those files to display a ransom note to the user.
- Cleanup: Ransomware usually terminates and deletes itself, leaving only the payment instruction files.
- Payment: The victim clicks a link in the payment instructions, which leads to a web page with further details on how to make the required payment. Tor hidden services are often used to encapsulate and obfuscate these communications so that network traffic monitoring does not detect them.
- Decryption: After the victim pays the ransom, usually via the attacker’s Bitcoin address, the victim may receive the decryption key. However, there is no guarantee the key will be delivered as promised.
NOTE: Ransomware can remain dormant on a device until the device is at its most vulnerable.
Figure 2: One infected user can result in a data lockout for all users
Methods of Mitigation
Mitigating the threat of a ransomware attack requires implementing both prevention and detection measures.
- Keep the device’s operating system up-to-date.
- Regularly back up data to an external hard drive, keeping multiple versions and following the 3-2-1 rule (three copies of the data on two different media, with one copy stored in a separate location). If possible, disconnect the drive from the device when it is not in use, so that an infection cannot encrypt the backup data.
- Increase browser security settings.
- Disable Adobe Flash or use a browser (such as Google Chrome) that disables it by default.
- Disable macros.
- Don’t click questionable links in an email or on a web page.
Use real-time alerting and blocking that automatically identifies ransomware-specific read/write behavior and then blocks the affected users and endpoints from further data access.

Use deception-based detection, which strategically plants hidden files on file storage systems to identify ransomware encryption behavior at the earliest attack stage. Any write/rename action on the hidden files automatically triggers a block of the infected user or endpoint, while uninfected users and devices keep their access. (See Figure 3.)

Use granular reporting and analysis to provide a detailed audit trail for forensic investigations into who accessed which files, when, from where, and how.
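The two detection measures above, combined in one added example (not code from this page or from any vendor product): a small Python checker over constructed file-access audit events that blocks a user either as soon as a decoy file is written or renamed, or when that user produces a burst of extension-changing renames within a short window. The decoy paths, threshold, window length and event format are assumptions.

```python
import os
from collections import defaultdict, deque

# Constructed sample of decoy ("canary") files planted on a file share;
# the paths are illustrative placeholders, not values from the page.
DECOY_PATHS = {
    "/srv/share/finance/.archive/zz_budget_2015.xlsx",
    "/srv/share/hr/.tmp/zz_payroll_old.docx",
}
# Ransomware-style behaviour: a burst of renames that change the file
# extension (e.g. report.docx -> report.docx.locked) from a single user.
BURST_THRESHOLD = 5   # extension-changing renames inside the window -> block
WINDOW_SECONDS = 10

def _ext(path):
    return os.path.splitext(path)[1].lower()

def analyze(events):
    """events: iterable of (timestamp, user, op, src, dst) where op is
    'read', 'write' or 'rename' and dst is the new path for renames.
    Returns {user: reason} for every user that should be blocked."""
    blocked = {}
    recent = defaultdict(deque)   # user -> timestamps of suspicious renames
    for ts, user, op, src, dst in sorted(events, key=lambda e: e[0]):
        if user in blocked:
            continue                  # already cut off from the share
        # Deception-based check: any write/rename touching a decoy file is
        # treated as ransomware at the earliest stage, before any threshold.
        if op in ("write", "rename") and {src, dst} & DECOY_PATHS:
            blocked[user] = "decoy file modified"
            continue
        # Behavioural check: extension-changing renames per user per window.
        if op == "rename" and dst and _ext(dst) != _ext(src):
            q = recent[user]
            q.append(ts)
            while ts - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= BURST_THRESHOLD:
                blocked[user] = f"{len(q)} extension-changing renames in {WINDOW_SECONDS}s"
    return blocked

# Constructed audit events: alice works normally, bob behaves like
# ransomware, carol modifies a decoy file.
SAMPLE_EVENTS = [
    (0, "alice", "read", "/srv/share/finance/q1.xlsx", None),
    (2, "alice", "write", "/srv/share/finance/q1.xlsx", None),
    (3, "alice", "rename", "/srv/share/finance/draft.docx", "/srv/share/finance/final.docx"),
    (30, "carol", "write", "/srv/share/hr/.tmp/zz_payroll_old.docx", None),
] + [(10 + i, "bob", "rename", f"/srv/share/hr/f{i}.docx", f"/srv/share/hr/f{i}.docx.locked")
     for i in range(6)]
```

Running `analyze(SAMPLE_EVENTS)` blocks bob after his fifth rename and carol on her first decoy write, while alice, whose rename keeps the `.docx` extension, is left untouched.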
Figure 3: Deception-based detection measure ensures that only the infected user is blocked from accessing data