Let’s start with the simplest part - what it is. Fundamentally, ransomware is a type of malware. What we mean by this is simply software which doesn’t do what you want it to do. Any type of virus, trojan, spyware or other problematic software on your computer is malware - something that goes against the interests of the user. Most of the time, malware will try to hide - sometimes forever, and sometimes just until it’s too late to do anything about it. Properly speaking, ransomware is a type of virus which will enter your system in some way. Once it has entered, it will do two things - it will try to spread to other connected computers and devices on your network, and it will start to encrypt your data. Most of the time, ransomware will also do a third thing - it will send a key and some other information to a controller - whoever activated the ransomware. Once the ransomware has encrypted all the data it can reach, it will announce itself to the user, saying that all your data is unreachable until you pay a specific amount. In the ideal scenario, if you pay, you will get the key for opening up your data again. In the worst case, the payment doesn’t help, and the data is lost.
There are some variations here. The three most important ones are whether the target is individual or organizational, whether the data is exfiltrated before being encrypted, and whether the encryption algorithm has weaknesses or not.
Most of the ransomware that floats around is geared towards infecting individual systems. In these kinds of cases each computer might be separately encrypted and each computer will be held ransom on its own. This attack does not require coordination between those devices.
Other types of ransomware are more focused on infecting a full organization. The most important point here is that the ransomware will hold back its demand until all or most computers in the organization have been infected, and only then reveal itself.
The reason for this is that it becomes much easier for a security team to stop or contain an infection if the ransomware reveals itself on one computer before it has finished infecting the rest of the organization.
In some cases, ransomware will not only encrypt data and ask you to pay to get it back, it will also send all the information to its controller before taking it hostage. In this way, you have two problems - you don’t have your data, and someone else can potentially publish it. In this scenario, you have two incentives to pay - to get the information back, and to avoid it falling into the wrong hands. This kind of information exfiltration can be very lucrative for the attacker, but it is also riskier - many organizations have security teams that could notice a large amount of information being transferred out of the network, especially organizations with a stronger security posture.
Finally, some ransomware has implementation problems. In the case of a well-made ransomware, there’s really nothing you can do to get back the information, unless the controllers give you the key. But as with any kind of software, ransomware can have bugs. In some cases these bugs have led to data being recovered without payment. In other cases, bugs have led to data being irreversibly corrupted and destroyed, even when the controller wanted to give the data back…
Most ransomware that exists these days is based on existing software. So chances are that if you get infected with ransomware, someone else will have seen it before. Most groups don’t build ransomware directly from scratch anymore. It’s more economic to reuse and build on what’s already there. This can be both good and bad. In some cases, you can find out information about weaknesses or problems with the implementation. It can also be helpful when trying to detect infections using intrusion detection systems or
The final thing to keep in mind is that not all ransomware is actually existing software. Especially when it comes to “custom” jobs, such as breaking into a big company and encrypting their files, no existing software will do the job. In these situations, groups will often do a manual ransomware attack, where they break in and customize existing software to spread over the network - or even do it all manually. The effects will generally be the same, though.
The Who and the Why
And that leads us to the question of who actually uses ransomware. In general, the main motivation behind ransomware is almost always money. Fundamentally, this is a business. You can see that in the behavior of these groups (and it’s usually groups, not individuals). The reuse of existing software packages, the way communication is done, the way payment amounts are managed, all implies that most ransomware attacks are actually done by groups that act like businesses. In fact, several ransomware groups actually have dedicated customer support staff that can be contacted to receive help on how to convert money into Bitcoin (which is usually the preferred currency to pay for ransomware) and how to actually do the payment itself. The reason for this is simple - in order for these groups to continue making money, it needs to be possible for enough victims to be able to actually pay the ransom. And further, it is important for the groups to have a reputation of giving back the data. If they don’t do this, there’s no incentive for anyone to pay, and the business proposition goes away. Because of this, ransomware will often announce the name of the group behind the attack, since the reputation of the group will help in incentivizing the victim to pay.
There are some other kinds of attackers that will sometimes be behind ransomware. There have been known cases where government agencies have created attacks which looked like ransomware, but had the real purpose of disabling a company or an industry in some way. In many cases, these attacks will have all the signatures of a regular ransomware attack, but the functionality for recovering the data will not be there.
In the same manner, some activists or politically motivated groups will sometimes use attacks that look like ransomware. This is not particularly common, since these groups will more often use other types of methodologies. Hiding an attack behind ransomware simply doesn’t match the motivations for a politically motivated attack, in most cases.
The final group you will sometimes see are those that simply want to destroy or mess with systems. In general, these ransomware attacks will not actually ask for a ransom, but instead simply destroy the data. As with the previous example, if a group simply wants to destroy the information, hiding it behind the mask of ransomware is usually not necessary, but there are still some examples of this happening. Fundamentally, almost all ransomware attacks are criminal business enterprises. Most of the rest are state sponsored attacks. The other possibilities exist, but in a very low percentage of cases.
Ransomware will happen in the same way as almost any other type of security incident. The attack can either be targeted, or a bulk attack. In the case of an un-targeted attack, the group will generally send out a large amount of spam emails that contain some kind of attack software, or a link to such software. Other types of attacks can also be used, for example watering hole attacks, where a link is posted to a forum or a group that people frequent. Finally, the attacker can scan for systems exposed to the internet which have a known vulnerability and then use that. The common theme is that these attacks will generally follow a two-stage approach. The first part is to exploit a vulnerability of some kind to get access to a system, and then use that access to inject and run the ransomware. In some cases, an initial vulnerability is not necessary - if you can convince a person to open a document with macros turned on, for example. These initial attacks look the same, no matter if the group attacking you is aiming to infect you with ransomware or is trying to attack you in some other way.
If the attack is targeted against a specific person or organization, the nature of the initial infection will look slightly different, but the general concept is the same. For example, instead of sending bulk email, an attacker might create a document that contains information specific to your organization and craft it so that you will be fooled into opening it. In some cases, it can contain specific data about you or your particular situation. In a case that became public a few weeks ago, someone sent attack documents to Indian lawyers and journalists, claiming that they had been charged with a specific crime and were called to a hearing. The information in the document looked valid, but under the covers the document executed an attack against the computers of these people. This style of sending specially crafted emails is usually called spear phishing. A targeted attack might also involve the group scanning the publicly available information, services and computers of that organization and then starting to investigate possible security holes. If they can’t find a known vulnerability, a more advanced group might even start developing new attacks or searching for unknown vulnerabilities in the software the organization uses.
Once the attack has succeeded, the next step depends on whether the target of the ransomware is the whole organization or individual computers. In the first case, the main focus for the attack software will be to spread. Depending on how sophisticated the software is, it can either use the same kind of method as was used for the initial attack - sending poisoned emails, looking for open file shares on the network and so on - or it can use other vulnerabilities to spread inside the organization. It will also look for any connected drives - both physically connected drives, such as USB, and connections to file servers of various kinds. This is important to keep in mind, because for ransomware to work, it needs to destroy or encrypt backups as well as the main data. In some cases this means that the ransomware will lie dormant for a while before starting its attacks, just to be sure that it can spread to all the places necessary.
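The spreading and bulk-encryption behaviour described above leaves a recognisable footprint in file-system audit logs: one account renaming many files to a single new extension in a short burst, reaching across several directories or shares, and dropping an identically named note into each of them. The following is an added example (not code from the original article) of a behavioural detector over such events. The log format, host names, user names, paths and thresholds are all constructed for the illustration; real auditd, Sysmon or EDR events carry the same fields under other names and would be mapped onto the parser.

```python
# Behavioural ransomware detection over file-system audit events.
# Added example, not part of the original article. The event format is a
# constructed, simplified one: "<iso-timestamp> <host> <user> <ACTION> <path>
# [-> <newpath>]". Events are assumed to arrive in time order.
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<action>WRITE|RENAME|CREATE)\s+(?P<path>\S+)"
    r"(?:\s+->\s+(?P<newpath>\S+))?$"
)

# Constructed sample: ws-12/alice does ordinary work; fs-01/jdoe shows the
# rename-everything-to-one-extension and note-drop pattern across three shares.
SAMPLE_LOG = """\
2023-05-01T09:00:00 ws-12 alice WRITE /home/alice/report.docx
2023-05-01T09:00:20 ws-12 alice RENAME /home/alice/report.docx -> /home/alice/report_final.docx
2023-05-01T09:00:30 ws-12 alice WRITE /home/alice/budget.xlsx
2023-05-01T09:01:01 fs-01 jdoe RENAME /srv/share/finance/q1.xlsx -> /srv/share/finance/q1.xlsx.locked
2023-05-01T09:01:02 fs-01 jdoe RENAME /srv/share/finance/q2.xlsx -> /srv/share/finance/q2.xlsx.locked
2023-05-01T09:01:03 fs-01 jdoe CREATE /srv/share/finance/README_RESTORE.txt
2023-05-01T09:01:05 fs-01 jdoe RENAME /srv/share/hr/payroll.csv -> /srv/share/hr/payroll.csv.locked
2023-05-01T09:01:06 fs-01 jdoe RENAME /srv/share/hr/contracts.pdf -> /srv/share/hr/contracts.pdf.locked
2023-05-01T09:01:07 fs-01 jdoe CREATE /srv/share/hr/README_RESTORE.txt
2023-05-01T09:01:10 fs-01 jdoe RENAME /srv/share/legal/nda.docx -> /srv/share/legal/nda.docx.locked
2023-05-01T09:01:12 fs-01 jdoe CREATE /srv/share/legal/README_RESTORE.txt
"""

WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 5       # extension-changing renames per actor per window
NOTE_FANOUT_THRESHOLD = 3  # directories receiving an identically named new file


def parse_event(line):
    """Parse one audit line into a dict, or return None for unparseable input."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, window=WINDOW, rename_threshold=RENAME_THRESHOLD,
           fanout_threshold=NOTE_FANOUT_THRESHOLD):
    """Return one alert per (host, user, reason), in the order they trigger."""
    recent = defaultdict(deque)  # (host, user) -> events inside the sliding window
    alerts, fired = [], set()

    def fire(key, reason, detail, ts):
        if (key, reason) not in fired:
            fired.add((key, reason))
            alerts.append({"host": key[0], "user": key[1], "reason": reason,
                           "detail": detail, "ts": ts.isoformat()})

    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["host"], ev["user"])
        q = recent[key]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # drop events older than the window
            q.popleft()

        # Heuristic 1: many renames that swap the original extension for one new
        # one (e.g. .xlsx -> .xlsx.locked). Ordinary renames keep the file type.
        new_exts = Counter(
            extension(e["newpath"]) for e in q
            if e["action"] == "RENAME" and e["newpath"]
            and extension(e["newpath"]) != extension(e["path"])
        )
        if new_exts:
            ext, n = new_exts.most_common(1)[0]
            if n >= rename_threshold:
                fire(key, "mass_rename", f"{n} files renamed to .{ext}", ev["ts"])

        # Heuristic 2: the same new file name appearing in many directories, the
        # footprint of a ransom note being dropped next to the encrypted data.
        dirs_by_name = defaultdict(set)
        for e in q:
            if e["action"] == "CREATE":
                directory, _, name = e["path"].rpartition("/")
                dirs_by_name[name].add(directory)
        for name, dirs in dirs_by_name.items():
            if len(dirs) >= fanout_threshold:
                fire(key, "note_fanout",
                     f"{name} created in {len(dirs)} directories", ev["ts"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Both heuristics key on the actor rather than on file contents, so they also catch the case where the malware runs under a service account on a file server rather than on the workstation where it first landed. The thresholds are deliberately low for the sample; in production they are tuned per environment, and the alerts would feed the containment step (isolating the host or disabling the account) rather than just being printed.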
The Next Steps
OK, so you have been infected by ransomware. Your computers are down. Your business is frozen. All computer screens are showing the same message, asking you to send money to a specific bitcoin address within a few days’ time. You have already checked the backups - they were connected to infected computers and all data on them is also encrypted. You had sensitive data on this network and it’s possible the attackers have that data. And it’s data that you need for your business to work. What do you do?
Fundamentally, you really only have two possibilities. Either you pay, or you don’t pay. In the meantime, you should also investigate whether there are weaknesses in the ransomware you have been infected with, which would allow you to recover the data without the key. You might also have backups you have forgotten about which haven’t been infected. So, first steps should be to make sure that your technical team immediately investigates all these possibilities.
In the meantime, you will have to analyze the possibilities of what the attacker could do. What they will do depends a lot on what kind of attacker they are. But in general, there are five possibilities. These are not mutually exclusive - more than one can happen. An attacker can deny you access to your data. They can give you the key to the data. They can leak the data to the public in some way. They can ask for more money. And they can sell the stolen data on private forums. If the ransomware is the simpler version where no data was exfiltrated, two of those possibilities go away.
One of the first things that should be investigated is whether the ransomware is a known strain or not. If it is, you can usually find out whether a key exists or not, and whether weaknesses exist or not. At this stage, you might find out that the data is already gone. You might also find out that the implementation of the ransomware is properly done, and that with a key you will be able to recover your data.
Then, you will have to investigate the group attacking you. If the attack is motivated by money, the most likely scenario is that the group will have signed the attack with their name. The reason for this is simple - they want you to pay. But for you to have an incentive to pay, you need to trust that you will get the data back. So if the group has a reputation for returning the data, that means you are more likely to pay. On the other hand, if the group is known for taking the payment but not giving back the data, you have no reason to pay.
Fundamentally, paying in response to a ransomware attack will always be a gamble. There’s no guarantee. If the attack is by a well-known group, that makes your chances better. If your security team can be certain that no data was exfiltrated, that also makes your situation better. But there’s always the chance that the attacker will simply not play by the rules. One scenario which is deeply problematic is when data was exfiltrated. In this case, you can pay for getting your data back, and the attacker will give you the key to unlock the data. But since they still have your data, it will always be possible for them to sell the data. In general, they will not leak the data publicly, because that will cause reputation problems when getting paid for other ransomware attacks. But they can still sell the data privately, and make more money at very low risk. For this reason, even if you get your data back, you have to consider that data compromised.
If your attacker is unknown, or it’s one of the other possibilities, your chances of getting the data back are extremely low. It’s all a question of incentives, and even if you pay, an unknown attacker or a state sponsored group simply has no reason to give back the data.
In some cases, a ransomware attacker will also give you “proof of decryption”. The way this works is that they will allow you to ask for the decrypted version of a few files. In this way, the attacker is trying to show that they can decrypt all your data. It’s a little like the “proof of life” convention in kidnapping movies, where you get to talk to the kidnapped person. Except, in the case of data, just because a few files can be decrypted doesn’t mean that they all can be decrypted. There are ways for ransomware groups to create more robust systems to show that they have the capability to decrypt anything, but the investment of doing this, compared to the frequency of attacks against large companies, doesn’t seem worth the time. What this means is that this kind of “proof” is not really proof of anything - especially if the attacker is the one giving you a choice of files to decrypt.
Sometimes, a ransomware attack will happen quickly, and the demand for payment will be very high - and you won’t have a lot of time to do it. In some cases, it is possible to negotiate with the attackers. In very rare cases, this has actually been successful. But the more likely thing to happen is that the attacker will either give up on you, or apply more pressure. Sometimes, this pressure involves leaking some of your data. In other situations, they will increase the amount of money they are asking for. The goal is always to force you to make a decision rapidly.
As we talked about earlier, even if you pay to get the keys for unlocking your data, and you succeed, that doesn’t mean that the situation is over. If the attacker stole data, they could still leak it, after you have paid. They could also ask for more payments in order to not leak the data. Or they could fail to give you the keys, and ask for more money again.
I wish I could give strong advice on what choice to make in these situations. But it depends on too many factors. Hopefully the above discussion gives you an idea about how to think about these problems in a proper way. The most important part is to think about incentives and reason from a game theoretic perspective.
We have talked about what happens once you have been infected with ransomware. But this is obviously a worst case scenario. What can you do to protect yourself before it happens? Sadly, these recommendations will be very similar to any other kind of computer attack. Make sure your systems are updated. Avoid clicking on untrusted links. Don’t open documents you are not sure if you can trust. Prefer simple document formats to complicated ones - prefer text if possible. Have a proper security team for your organization, with proper monitoring. Implement defense in layers - don’t assume that the inside of your network can be trusted. Implement intrusion detection software, firewalls and all the other measures. Think about implementing anti-virus, but understand that it comes with its own problems.
When it comes to ransomware specifically, it is important to focus on proper backups. In general, you want to have backup systems that are not continuously connected to your other systems. If you can have backups that can’t be overwritten - append-only, basically - that provides for good security as well. Even for private individuals, it’s a good idea to have two layers of backups, where you do frequent backups to one system, and less frequent backups to another system. In this way, you can often avoid losing all your data, even if some of that data is compromised.
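To make the append-only idea concrete, here is an added example (not from the original article) of a small content-addressed backup store in Python: every object and every snapshot manifest is written with O_EXCL, so an existing entry can never be replaced, and a restore verifies each object against its digest before writing it out. The directory layout, the `AppendOnlyStore` class, the snapshot label and the sample files are all constructed for this illustration. A production equivalent would put the store on media the primary systems cannot write to at all (WORM storage, object lock, offline copies); what the code shows is the property such media give you.

```python
# Append-only, content-addressed backup store.
# Added example, not from the original article. Objects and snapshot manifests
# are created with O_EXCL, so the store can only ever gain data: nothing that
# was backed up can be displaced by a later (possibly encrypted) version.
import hashlib
import json
import os
import tempfile
from pathlib import Path


class AppendOnlyStore:
    def __init__(self, root):
        self.root = Path(root)
        (self.root / "objects").mkdir(parents=True, exist_ok=True)
        (self.root / "snapshots").mkdir(parents=True, exist_ok=True)

    @staticmethod
    def _write_once(path, data):
        # O_EXCL makes the create fail instead of truncating an existing file;
        # 0o444 leaves the stored copy read-only afterwards.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
        with os.fdopen(fd, "wb") as f:
            f.write(data)

    def put_object(self, data):
        """Store bytes under their SHA-256 digest; identical content is stored once."""
        digest = hashlib.sha256(data).hexdigest()
        try:
            self._write_once(self.root / "objects" / digest, data)
        except FileExistsError:
            pass  # same digest, same content: the existing copy stays authoritative
        return digest

    def snapshot(self, source_dir, label):
        """Record every file under source_dir in a new, write-once manifest."""
        source = Path(source_dir)
        manifest = {}
        for p in sorted(source.rglob("*")):
            if p.is_file():
                manifest[p.relative_to(source).as_posix()] = self.put_object(p.read_bytes())
        self._write_once(self.root / "snapshots" / f"{label}.json",
                         json.dumps(manifest, sort_keys=True).encode())
        return label

    def restore(self, label, dest_dir):
        """Rebuild a snapshot, checking each object against its digest. Returns the file count."""
        manifest = json.loads((self.root / "snapshots" / f"{label}.json").read_bytes())
        dest = Path(dest_dir)
        for rel, digest in manifest.items():
            data = (self.root / "objects" / digest).read_bytes()
            if hashlib.sha256(data).hexdigest() != digest:
                raise ValueError(f"object {digest} failed integrity check")
            out = dest / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(data)
        return len(manifest)


def demo():
    """Back up, corrupt the primary copy, show the backup cannot be overwritten, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        (primary / "finance").mkdir(parents=True)
        originals = {  # constructed sample data
            "finance/q1.csv": b"quarter,revenue\nQ1,100\n",
            "notes.txt": b"keep me\n",
        }
        for rel, data in originals.items():
            (primary / rel).write_bytes(data)

        store = AppendOnlyStore(Path(tmp) / "backup")
        label = store.snapshot(primary, "2023-05-01")

        # Stand-in for the article's scenario: every reachable file is replaced by
        # bytes the owner cannot read (constructed garbage, not real encryption).
        for rel in originals:
            (primary / rel).write_bytes(b"\x00garbage\xff" * 4)

        # A second snapshot under the same label must be refused, so the
        # unreadable copies cannot displace the good ones.
        overwrite_refused = False
        try:
            store.snapshot(primary, label)
        except FileExistsError:
            overwrite_refused = True

        restored = Path(tmp) / "restored"
        count = store.restore(label, restored)
        restored_ok = all((restored / rel).read_bytes() == data
                          for rel, data in originals.items())
        return {"files": count, "restored_ok": restored_ok,
                "overwrite_refused": overwrite_refused}


if __name__ == "__main__":
    print(demo())
```

The two-layer advice from the text maps directly onto this model: a frequent snapshot into one store and a less frequent one into a second store on different media means that even if the first store is reached, the second still holds an older manifest that nothing can overwrite. The integrity check on restore is what tells you, before you rely on it, whether a backup was itself tampered with.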
Sadly, the most important protection mechanism is being vigilant. For individuals, that includes being careful with attachments and links, and making sure to apply updates. For organizations, a proper security team is the most important measure. And of course, if you have a security team, you also need to have a management team that listens to the recommendations of the security team.
Ransomware is a relatively new scourge on the internet. It is something that is likely to be with us for a long time to come. And we are currently in such a state of insecurity that the ransomware groups are winning almost every battle. Things don’t have to be this way. There are things we can do, but it will require a change in attitude. The first step is simply to understand the problem, and start working on fixes. As we have seen, the situation is not that complicated, but how you respond to it can significantly impact your chances of success.
We have reiterated this point many times, but it’s worth mentioning again. Security is a process. It needs investment, time and education. More than you are currently giving to it. In order to have an impact on the wave of attacks, we need more of a focus, and better understanding.
One more thing which is worth mentioning is that many governments and law enforcement agencies around the world recommend that you don’t ever pay for ransomware. Their thinking is that for the good of society, it’s better for everyone if no-one ever pays a ransom. This is completely true for us all, collectively - if no-one pays ransom, the business model of ransomware disappears. But of course, if you get infected and have the chance to get your files back, not paying the ransom for the good of the rest of society will be a hard pill to swallow. This is a classic example of the tragedy of the commons - where individual incentives are in opposition to collective incentives. Moving forward, as we see things, the right solution is not for governments to stop you from paying ransom. Instead, the right solution is to improve security and backup systems such that a ransomware attack is something you can easily recover from.
If your organization does decide to pay, and you do manage to get your data back, remember that you are now more likely to be attacked again. For this reason, a renewed investment in protection and security is absolutely necessary.