What is a Ransomware attack?
Ransomware is a pernicious form of malicious software that denies you access to your system once it takes control of your computer. The attacker then demands a ransom from the victim in exchange for restoring access. This is why the attack is called ransomware.
The first ransomware attack, known as the AIDS Trojan, emerged in 1989.
Types of Ransomware
Locker ransomware
Locker ransomware affects or encrypts all the files on a system and also prevents the administrator from accessing the system. As the name implies, this ransomware locks out the entire system.
Crypto ransomware
Unlike locker ransomware, crypto ransomware only affects or encrypts specific kinds of files on the system, such as PDFs, images, and Word documents.
Scareware
Scareware poses as a legitimate antivirus or cleaning tool. It claims to have found issues on your system and demands a ransom to fix them. Some scareware can lock your computer, while other variants merely pester you with repeated alerts and pop-up messages.
Leakware (extortionware)
Leakware, also called extortionware, threatens to publish the victim's stolen information or hand it to other attackers if the ransom is not paid. Many victims are willing to pay because almost everyone stores sensitive information on their systems.
Ransomware as a Service (RaaS)
RaaS stands for "Ransomware as a Service". It follows a SaaS-style model: the ransomware's developers supply their ransomware to people who want to attack systems. With RaaS, even people without much technical knowledge can launch attacks by simply signing up for the service.
Mac ransomware
KeRanger, a piece of malicious software, infected Apple's Mac operating system in 2016. It was spread through an infected copy of a program called Transmission; once installed, it encrypted the victim's files.
Ransomware on mobile devices
Ransomware attacks on mobile devices have increased rapidly since 2014.
How do ransomware attacks happen on mobile?
Ransomware attacks on mobile devices are usually delivered through an app containing a malicious link. The malware then displays a message on the device claiming that it has been locked because of illegal activity.
How does ransomware work?
A ransomware attack takes over access to your computer or devices and encrypts the data on your systems.
Attackers typically send email messages with attachments that contain the ransomware and trick the victim into opening or installing them. Once executed, the ransomware prevents you from accessing your device. To restore access, the attacker demands a ransom in cryptocurrency such as Bitcoin or Ethereum. However, there is no guarantee that your data will be decrypted even if you pay the ransom. This is why ransomware is considered one of the most serious attacks.
Ransomware attacks 2021
Major ransomware attacks that happened in 2021 are:
- Colonial Pipeline Company
- Acer
- Brenntag
- JBS Foods
- CNA Financial
- Quanta
Colonial Pipeline Company
Of the many ransomware attacks that happened in 2021, the attack against the American pipeline operator Colonial Pipeline Company is considered one of the worst so far. The attack happened in May 2021.
This cyber-attack mainly affected the computerized equipment managing the pipeline from Houston, Texas, and it caused a gasoline shortage on the east coast of the US for several days.
The company paid $4.4 million in bitcoin to avoid further damage. The FBI confirmed that the group called DarkSide was behind the attack on Colonial Pipeline Company.
Acer
The REvil ransomware gang attacked the Taiwanese computer giant Acer in March 2021. The attackers published Acer data such as financial documents, communications with banks, and bank balances.
The attackers also demanded 50 million USD to decrypt the files. It is still unknown whether the computer manufacturer paid the ransom.
Brenntag
The same notorious DarkSide group that attacked Colonial Pipeline also attacked the chemical distribution company Brenntag in May 2021. DarkSide demanded around $7.5 million in bitcoin after stealing around 150GB of data. Brenntag ended up paying $4.4 million in bitcoin to regain access.
JBS Foods
JBS Foods, one of the world's largest meat processing corporations, was the target of yet another high-profile ransomware attack in May 2021. REvil, the same Russian hacker organization that targeted Acer, is suspected of being behind the attack.
After conferring with cybersecurity specialists, JBS reported on June 10th that it had paid the $11 million ransom demand. This enormous bitcoin payment is one of the largest ransomware payments ever made.
CNA Financial
CNA Financial Corp, a Chicago-based company and one of the largest insurers in the US, discovered a security breach in March 2021. The attackers claimed that they had collected sensitive information on 75,000 people. Names, health benefits information, and Social Security numbers of current and past employees, contract workers, and their dependents could have been included in this data.
According to media sources, CNA Financial agreed to pay $40 million later in May to regain access to its network. According to reports, the hackers employed Phoenix Locker, a variant of Hades created by the Russian cybercrime gang Evil Corp.
Quanta
The same REvil gang that attacked Acer and JBS also attacked another computer manufacturer, Quanta, in April 2021. They demanded a $50 million ransom from this major business partner of Apple. After Quanta refused to negotiate, the group turned its extortion attempt toward Apple.
Ransomware attacks 2020
Major ransomware attacks that happened in 2020 are:
- Travelex ransomware attack
- INA Group ransomware attack
- Communications & Power Industries Ransomware attack
- Energias de Portugal Ransomware attack
- Orange ransomware attack
Travelex Ransomware attack
A ransomware gang called Sodinokibi (also known as REvil) attacked the foreign currency exchange company Travelex, which had to shut down all of its computer systems in 30 countries. The attack forced the company to work with pen and paper instead of its digital systems.
The gang downloaded 5GB of customer data, including credit card details and dates of birth. The company paid $2.3 million in bitcoin after REvil threatened to sell the data to other cybercriminals and warned that the ransom would double every two days.
INA Group Ransomware attack
Croatia's largest oil company, INA Group, suffered a ransomware attack on Valentine's Day 2020. The hacker group encrypted some of the company's back-end servers, but the company was still able to supply gas to its customers.
Communications & Power Industries Ransomware attack
A ransomware attack against California-based Communications & Power Industries (CPI), a large electronics firm, was uncovered in March 2020. The company manufactures components for military systems and equipment, and the US Department of Defense is one of its clients. The ransomware spread to every CPI office after one of the company's domain admins unintentionally clicked on a malicious link, infecting thousands of devices on the same network.
In response to the attack, the corporation reportedly paid $500,000. It is still not known what type of ransomware was used.
Energias de Portugal ransomware attack
The Portuguese energy giant Energias de Portugal (EDP) fell victim to an attack in April 2020. The attackers claimed to have stolen 10TB of sensitive data and published screenshots of some of it on a leak site as proof of possession. They also demanded around 10 million USD to decrypt the data.
Orange ransomware attack
Nefilim ransomware infected Orange, a French telecoms business and Europe's fourth-largest mobile operator, in July 2020. On July 15th, the company's business services division was hacked, and Orange was listed on Nefilim's leak site, which publishes the group's corporate victims. A 339MB folder contained samples of data that the Nefilim group claimed were stolen from Orange customers.
Nefilim is a ransomware operation that was first identified in 2020. According to the company, the data of roughly 20 enterprise-level customers of Orange's business services division was affected.
WannaCry ransomware attack
The WannaCry ransomware attack happened in May 2017. The attackers compromised systems by exploiting a bug in the Microsoft Windows operating system. Much of the damage could have been avoided if people had understood the need to keep their OS and software updated.
WannaCry is also known as WannaCrypt, WannaCryptor, and Wanna Decryptor. It spreads using EternalBlue, an exploit developed by the NSA (National Security Agency) that was later leaked. EternalBlue allows attackers to gain access to a system by exploiting a zero-day vulnerability; it is designed to infect Windows systems running an old version of the Server Message Block (SMB) protocol.
How does WannaCry work?
WannaCry exploited a bug in Microsoft's SMBv1 network resource-sharing protocol. Using this bug, attackers can send data to any system that accepts connections on port 445.
WannaCry uses the EternalBlue exploit to spread.
Step 1: The primary step of a WannaCry attack is to find hosts on the network that accept connections on port 445. This is done by conducting a port scan.
Step 2: The second step is to initiate an SMBv1 connection to the device.
Step 3: After making the connection, gain access to the targeted system by exploiting a buffer overflow.
Step 4: Once the third step has succeeded, install the ransomware component of the attack on the target system.
Step 5: Without any human intervention, the WannaCry worm repeats the process and infects other systems on the network.
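Seen from the network side, step 1 and step 5 leave a recognisable trace: one internal host opening SMB connections to many different hosts in a short time. The following detector, an added example that is not part of the original article, parses constructed firewall log lines and flags any source that reaches port 445 on at least five distinct hosts within a minute (the log format, threshold and window are assumptions, not values from the page):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall/flow log lines (sample data, not from the original page):
# "<date> <time> src=<ip> dst=<ip> dport=<port> proto=tcp"
SAMPLE_LOG = """\
2021-06-01 10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp
2021-06-01 10:00:02 src=10.0.0.5 dst=10.0.0.21 dport=445 proto=tcp
2021-06-01 10:00:02 src=10.0.0.5 dst=10.0.0.22 dport=445 proto=tcp
2021-06-01 10:00:03 src=10.0.0.5 dst=10.0.0.23 dport=445 proto=tcp
2021-06-01 10:00:03 src=10.0.0.5 dst=10.0.0.24 dport=445 proto=tcp
2021-06-01 10:00:04 src=10.0.0.5 dst=10.0.0.25 dport=445 proto=tcp
2021-06-01 10:00:05 src=10.0.0.9 dst=10.0.0.2 dport=445 proto=tcp
2021-06-01 10:00:06 src=10.0.0.9 dst=10.0.0.2 dport=445 proto=tcp
2021-06-01 10:00:07 src=10.0.0.7 dst=10.0.0.30 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

def parse_log(text):
    """Yield (timestamp, src, dst, dport) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["src"], m["dst"], int(m["dport"]))

def find_smb_scanners(text, port=445, threshold=5, window=timedelta(seconds=60)):
    """Return {src: distinct_targets} for sources that connect to `port` on at
    least `threshold` distinct hosts within `window`. A legitimate client that
    talks to one file server repeatedly (10.0.0.9 above) is not flagged."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for ts, src, dst, dport in parse_log(text):
        if dport == port:
            events[src].append((ts, dst))
    scanners = {}
    for src, hits in events.items():
        hits.sort()  # sliding window over time-ordered connections
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= threshold:
                scanners[src] = len(targets)
                break
    return scanners
```

Running `find_smb_scanners(SAMPLE_LOG)` on the constructed log flags only 10.0.0.5, which touched six different hosts; tune the threshold and window to your own network's normal SMB fan-out before alerting on it.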
The ransomware cannot decrypt the encrypted data automatically, even if the company pays the ransom. Victims need to wait for the attackers to provide the decryption.
Ransomware removal
Prevention is the most important thing when it comes to ransomware infections, because it can be difficult, and in some cases impossible, to remove ransomware from infected systems.
Steps to Remove Ransomware
Step 1: Isolate the infected device
Immediately disconnect the device from all connections, both wired and wireless. This helps prevent the infection from spreading to other devices.
Step 2: Identify the Ransomware type
Identifying the type of ransomware helps reduce the damage. But if it is locker ransomware, it is impossible to identify the type because access to the system is blocked.
Step 3: Recover the system
Try to recover the system by restoring a previous OS state. If your backups were not affected or encrypted, restore the files from them using system restore.
There are a few more options for removing ransomware:
Check whether the ransomware has deleted itself: after infecting a system, ransomware may remove itself, or it may stay on the device to infect additional devices or files.
Use anti-malware/anti-ransomware tools: most anti-malware and anti-ransomware products can remove the malicious software.
Seek professional help: ask cybersecurity researchers or incident response professionals for help removing the ransomware.
Remove it manually: try to locate the malicious software and uninstall it, if possible.
How to safeguard (or) prevent systems from Ransomware?
• Take backups regularly
• Check port settings
• Run an awareness program
• Never use unknown external devices
• Keep systems updated
• Implement an IDS
Take backups regularly
Most cybersecurity researchers advise always keeping a backup of your files. It is the most effective way to recover data after ransomware or any other security attack. Backups should be properly safeguarded and stored offline or out-of-band so that attackers cannot reach them.
Check port settings
Most ransomware attacks come in via RDP (Remote Desktop Protocol) on port 3389 and SMB on port 445. These ports should be open only to trusted hosts. Always check these settings in both on-premises and cloud environments.
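One way to make that check repeatable is to audit the inbound rule set against a list of trusted networks. The script below is an added example, not code from the original article; the rule format, rule names and trusted networks are constructed assumptions, and a real firewall or cloud security group would need its own export step in front of it.

```python
import ipaddress

# Ports singled out in the section above: RDP and SMB.
RISKY_PORTS = {3389: "RDP", 445: "SMB"}

# Constructed inbound firewall rules (sample data, not from the original page):
# rule name, destination port, source CIDR, action.
SAMPLE_RULES = [
    {"name": "allow-rdp-any", "port": 3389, "source": "0.0.0.0/0", "action": "allow"},
    {"name": "allow-smb-branch", "port": 445, "source": "10.20.0.0/16", "action": "allow"},
    {"name": "allow-smb-office", "port": 445, "source": "10.10.5.0/24", "action": "allow"},
    {"name": "allow-https-any", "port": 443, "source": "0.0.0.0/0", "action": "allow"},
    {"name": "deny-rdp-any", "port": 3389, "source": "0.0.0.0/0", "action": "deny"},
]

# Hypothetical list of networks allowed to reach RDP/SMB (assumed values).
TRUSTED_NETS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.100.0/24"),
]

def is_trusted(source_cidr, trusted_nets=TRUSTED_NETS):
    """True only if every address in source_cidr lies inside one trusted network,
    so "0.0.0.0/0" and any range broader than a trusted one fail the check."""
    src = ipaddress.ip_network(source_cidr, strict=False)
    return any(src.version == net.version and src.subnet_of(net) for net in trusted_nets)

def find_exposed_rules(rules, trusted_nets=TRUSTED_NETS, risky_ports=RISKY_PORTS):
    """Return one finding per allow rule that opens RDP or SMB to a source
    outside the trusted networks; deny rules and other ports are ignored."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["port"] not in risky_ports:
            continue
        if not is_trusted(rule["source"], trusted_nets):
            findings.append(
                f'{rule["name"]}: {risky_ports[rule["port"]]} ({rule["port"]}) '
                f'open to {rule["source"]}, which is outside the trusted networks'
            )
    return findings
```

On the sample rules this reports `allow-rdp-any` (RDP open to the whole Internet) and `allow-smb-branch` (SMB open to a network that is not on the trusted list), while the office subnet and the HTTPS rule pass.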
Run an awareness program
Conduct an awareness program for employees about cyber-attacks. Employees should always keep the following instructions in mind:
• Never click on unsafe links
• Avoid disclosing personal information
• Do not open suspicious email attachments
• Use only trusted sources to download files
Never use unknown external devices
Do not connect unknown USB sticks or other external storage devices to your computer. Cybercriminals deliberately leave storage devices in the open for others to pick up and use.
Keep systems updated
Make sure all the systems in your organization, including the OS and installed software, are up to date. Turning on auto-updates lets the system install security patches automatically as soon as they are released.
Implement an IDS
An Intrusion Detection System (IDS) compares network traffic and logs against signatures of known malicious activity in order to detect harmful activity on the network.