The Evolution and Impact of Ransomware

Explore how ransomware has transformed from simple malware into a global threat reshaping cybersecurity defenses

Muhammad Najmi

Ransomware has been around for quite some time and has evolved into a multi-million-dollar business for cybercriminals. As the name suggests, ransomware encrypts illegally accessed files and demands a ransom from the victim in exchange for decryption.


The origins of ransomware date back to 1989, when the AIDS Trojan (PC Cyborg Virus) was distributed via floppy disks.

The AIDS trojan ransomware screen. Source: wikipedia.org.

Over time, ransomware became more sophisticated, but the motivations have remained the same: illicit financial gain through holding a user or organization’s files hostage.

In 2010, GPcode introduced RSA encryption, making data recovery nearly impossible.

The GPcode ransomware prompt. Source: cs-people.bu.edu.

In 2017, WannaCry made global headlines. Exploiting vulnerabilities in Microsoft Windows, it spread rapidly, locking users’ files and demanding Bitcoin payments.


Modern ransomware variants

Today, ransomware has developed into multiple variants, each designed to exploit different weaknesses and achieve specific goals. The following are some of its most common forms:


Ransomware-as-a-Service (RaaS)

LockBit ransomware. Source: cisa.gov.

The RaaS model is similar to software-as-a-service (SaaS), but with malicious intent. In this model, cybercriminals (i.e., affiliates) use ransomware kits developed by others.


Multi-extortion malware

Doppelpaymer ransomware. Source: pcrisk.es.

Unlike traditional ransomware, these attacks often involve data exfiltration rather than encryption. Cybercriminals steal sensitive data and threaten to expose it unless a ransom is paid.


Wiper ransomware

NotPetya wiper ransomware. Source: csa.gov.sg.

As the name implies, a wiper is disguised as ransomware, but instead of encrypting data, it permanently deletes it (i.e., wipes it away for good).


Locker ransomware

MoneyPak ransomware. Source: wikipedia.org.

Rather than encrypting files, this type of ransomware locks the victim’s screen, preventing access to the system.


How to protect against ransomware

The Cybersecurity & Infrastructure Security Agency (CISA) recommends several no-cost resources to help mitigate ransomware threats:

Reduce attack surfaces

  • Use tools like Shodan, Censys, and Thingful to identify and secure publicly exposed assets.
  • Shodan, for instance, can detect internet-accessible SQL servers and devices using default credentials.

Keep software updated

  • Regularly patch systems to fix vulnerabilities.

Be wary of email attachments

  • Many attacks originate from phishing emails with malicious attachments.
  • Since some email programs auto-download attachments, disable this feature to reduce risk.

Secure all user accounts

  • Implement Multi-Factor Authentication (MFA) and apply the least privilege principle.
  • Regularly audit and remove unused accounts.
  • Change default credentials and enforce strong passwords.
  • On Linux/macOS, use the apg command to generate strong passwords.
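The account-audit steps above can be partly automated on Linux. The following is an added example, not code from the original article: it scans shadow(5)-format entries and flags accounts with an empty password or a password older than a threshold. The function names, the 365-day threshold and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag risky entries in shadow(5)-format data.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Usage: audit_shadow TODAY_DAYS MAX_AGE_DAYS < shadow-file
audit_shadow() {
    awk -F: -v today="$1" -v max_age="$2" '
        $0 == "" || /^#/ { next }                 # skip blanks and comments
        NF != 9 { print $1 "\tmalformed-entry"; next }
        {
            hash = $2; lastchg = $3; expire = $8
            # A leading "!" or "*" means password login is locked.
            if (hash ~ /^[!*]/) next
            # Accounts past their expiry day can no longer log in.
            if (expire != "" && expire + 0 <= today + 0) next
            # Empty hash field: the account has no password at all.
            if (hash == "") { print $1 "\tempty-password"; next }
            # lastchg of 0 forces a change at next login; empty disables aging.
            if (lastchg == "" || lastchg == "0") next
            # Password unchanged for longer than the threshold (assumed policy).
            if (today - lastchg > max_age) print $1 "\tstale-password"
        }'
}

# Constructed sample entries (hashes are placeholders, not real).
sample_shadow() {
    cat <<'EOF'
root:$6$constructed$hash:19950:0:99999:7:::
deploy:$6$constructed$hash:18000:0:99999:7:::
guest::19900:0:99999:7:::
daemon:*:18000:0:99999:7:::
olduser:!$6$constructed$hash:17000:0:99999:7:::
contractor:$6$constructed$hash:18500:0:99999:7::19500:
EOF
}

# Demo run with a fixed "today" of day 20000 and a 365-day threshold.
sample_shadow | audit_shadow 20000 365
```

On a real Linux host, run it as root against /etc/shadow with today's day number from `$(( $(date +%s) / 86400 ))`. A stale password is only a prompt to review the account, not proof that it is unused.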

Recovering from a ransomware attack

Recovery depends on the type of ransomware involved. Some possible methods include:

  • Using data recovery software
  • Restoring from system backups
  • Recovering from previous file versions
  • Using decryption tools, if available

Ransomware has caused billions in financial losses, and for many businesses, it can mean the end of operations. Organizations must invest in disaster recovery plans to prevent, mitigate, and recover from attacks. By implementing security best practices and following strict operational procedures, businesses can minimize the impact of ransomware and recover quickly in case of an attack.

Muhammad Najmi

Muhammad is a Linux System Administrator based in Malaysia. He holds a Masters in Computer Science from Universiti Sains Malaysia.
