Any malicious software, or as it is more commonly known – Malware, is a threat to any organisation that is dependent on their IT systems, from a small company to a large enterprise, to a government institution. One of the most dangerous Malware categories besides Viruses and Trojans is Ransomware. Over the last few years, the number of Ransomware attacks has increased rapidly and today every company should have stringent security measures in place to protect their data. If relevant steps are not taken, we could be reading about them in the news soon enough.
Ransomware is a subcategory of Malware whose purpose is to attack data via locking or encryption. Attackers then demand a monetary ransom, usually in the form of cryptocurrencies, in exchange for providing information on how to reverse the damage.
Ransomware usually starts its destructive work from client machines, and there are several ways it can access these, such as phishing emails or compromised web links. As soon as the Malware is launched it will try to exploit certain infrastructure systems and escalate user privileges to maximize the attackable surface.
Most ransomware attacks appear to have a financial motive: the criminal groups behind the software earn their money through extortion, and some of them have become quite wealthy from the practice.
However, as there is no guarantee that criminals will provide the recovery instructions once paid, there is no definite answer if giving in to their demand is the best course of action. You can find a more detailed analysis on this topic in our earlier post “Ransomware… to Pay or not to Pay??”
As countless different types and variants of Ransomware exist – which may or may not have been created to serve a special purpose – it is not easy to define a common classification. Nevertheless, most of them fall into one of two main types: locker-ransomware and crypto-ransomware.
Locker-Ransomware is designed to lock victims out of their devices, but no data will be encrypted.
The purpose of Crypto-Ransomware, on the other hand, is to encrypt valuable files. Unlike locker-ransomware, which usually limits its action to the client device, crypto-ransomware also affects data on mounted file shares. During the encryption process the user interface can still be accessed, so the running Ransomware may only be discovered when it is already too late.
All Ransomware is designed and built with a certain intention and contains instructions on which file types and IT systems should be targeted. If we view ransomware as a well-designed software tool, some of its configuration parameters can easily be adapted. This approach led to the invention of a new business model: Ransomware-as-a-Service (RaaS). Criminals who do not have the required knowledge to create it on their own can simply pay for an attack against certain companies or individuals as a service.
According to security experts the RaaS sales model is one of the reasons why the number of attacks has massively increased over the last few years. To compound matters, the actual developers of the Ransomware software stay hidden in the background, so it is very difficult to track them down, and as a result they continue to grow their business.
Effective ransomware protection needs concerted effort on multiple security layers. On the client machine, up-to-date antivirus software must be installed, and user accounts should always be set up with the least possible permissions. If the client does get compromised, the most important thing is to limit the damage and to protect the data shared by multiple users.
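One way to catch crypto-ransomware at the file-share layer, where the client's antivirus has already been bypassed, is to watch the share's access audit trail for the footprint described above: one user renaming many files to a new extension in a short time. The following is an added example, not code from the original post or from ProLion; the audit-line format and the sample events are constructed for illustration, and a real storage audit log would be parsed the same way with its own field layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample of file-share audit events (assumed format, not a real product log):
SAMPLE_EVENTS = """\
2024-03-01T09:00:01 alice WRITE  /share/finance/q1.xlsx
2024-03-01T09:00:05 alice WRITE  /share/finance/notes.docx
2024-03-01T09:02:00 alice RENAME /share/finance/draft.docx -> /share/finance/final.docx
2024-03-01T09:01:10 bob   RENAME /share/hr/list.xlsx -> /share/hr/list.xlsx.locked
2024-03-01T09:01:11 bob   RENAME /share/hr/plan.docx -> /share/hr/plan.docx.locked
2024-03-01T09:01:12 bob   RENAME /share/hr/pay.pdf -> /share/hr/pay.pdf.locked
2024-03-01T09:01:13 bob   WRITE  /share/hr/HOW_TO_RECOVER.txt
2024-03-01T09:01:14 bob   RENAME /share/hr/org.pptx -> /share/hr/org.pptx.locked
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(WRITE|RENAME)\s+(\S+)(?:\s+->\s+(\S+))?$")
WINDOW = timedelta(seconds=60)   # sliding window evaluated per user
THRESHOLD = 3                    # extension-changing renames in the window -> alert

def parse_events(text):
    """Yield (time, user, op, src, dst) tuples; dst is None for WRITE."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, user, op, src, dst = m.groups()
        yield datetime.fromisoformat(ts), user, op, src, dst

def changes_extension(src, dst):
    """True when a rename replaces or appends the extension, as in-place encryption does."""
    return PurePosixPath(src).suffix != PurePosixPath(dst).suffix

def detect_mass_rename(text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: first_alert_time} for users exceeding `threshold` in any `window`."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, op, src, dst in sorted(parse_events(text)):   # tolerate unordered input
        if op != "RENAME" or not changes_extension(src, dst):
            continue  # ordinary writes and same-extension renames are normal user activity
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts  # first moment the user should be blocked and reported
    return alerts
```

A storage-side monitor would feed this verdict into an immediate block of the offending user's session and a snapshot of the affected volume, which is how the damage stays limited to the files touched before the threshold was hit.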
ProLion CryptoSpike offers real time Ransomware protection and access transparency for ONTAP storage. This protection is essential as Ransomware can disable backup and bypass endpoint security.