I wanted to take a moment and explain what ransomware is, how it works, and how it could affect even the largest and most “secure” organizations out there. Ransomware has been around for a few years now, and it shows no signs of slowing down as attackers create more and more sophisticated malware each day. Let’s dive in and take a look at what ransomware is.
McAfee defines ransomware as malware that employs encryption to hold a victim’s information at ransom. A user or organization’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access. Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyze an entire organization. It is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting significant damage and expenses for businesses and governmental organizations.
How does ransomware actually work?
Ransomware deploys asymmetric encryption, which uses a pair of keys to encrypt and decrypt a file. The pair of keys, or key pair, is often referred to as a public and private key pair, and it is uniquely generated by the attacker for the victim.
The attacker must first get the malware into the network. Compromising an organization can happen in a few ways:
- A phishing email carrying a malicious attachment
- A malicious link that leads an end user to download and open the file
- An insider: the attacker pays off an employee to execute the malware on the network
After a successful exploit, ransomware will generally drop and execute a malicious binary onto the infected system. The binary can encrypt all files or only certain files of targeted value, for example Excel spreadsheets, as organizations often use Excel for pay data, employee data, etc.
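A defender-side check for the behaviour described above, added here as an example and not code from the original post: a file-integrity monitor can compare a file's byte entropy before and after a change, and a burst of ordinary documents turning into near-random bytes is the signature of bulk encryption. The sample CSV content, the hash-chain stand-in for ciphertext, the path names and the threshold are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed "before" content: a plain-text pay-data export (low entropy).
SAMPLE_PLAINTEXT = (b"employee_id,name,monthly_pay\n"
                    b"1001,Alice Example,5200\n"
                    b"1002,Bob Example,4800\n") * 50

# Constructed stand-in for the same file after encryption: a deterministic
# SHA-256 hash chain, so the check reproduces offline without real ciphertext.
SAMPLE_ENCRYPTED = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest()
                            for i in range(128))

ENTROPY_THRESHOLD = 7.5  # bits/byte; text and office documents sit far below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Heuristic: a near-uniform byte distribution suggests ciphertext."""
    return shannon_entropy(data) >= threshold


def flag_encryption_burst(snapshots: dict, min_hits: int = 2) -> list:
    """snapshots maps path -> (before_bytes, after_bytes) from an integrity
    monitor. Returns paths that jumped from low to high entropy, but only when
    at least min_hits did so: one file may be a legitimately encrypted archive,
    many in one window is the bulk-encryption pattern described in the post."""
    hits = [path for path, (before, after) in snapshots.items()
            if not looks_encrypted(before) and looks_encrypted(after)]
    return hits if len(hits) >= min_hits else []


# Constructed snapshot: two documents overwritten with ciphertext, one file
# that was already opaque (a backup archive) and therefore is not a hit.
DEMO_SNAPSHOTS = {
    "finance/pay_data.csv": (SAMPLE_PLAINTEXT, SAMPLE_ENCRYPTED),
    "hr/employees.csv": (SAMPLE_PLAINTEXT, SAMPLE_ENCRYPTED),
    "backup/archive.bin": (SAMPLE_ENCRYPTED, SAMPLE_ENCRYPTED),
}

if __name__ == "__main__":
    print("entropy before %.2f, after %.2f" % (shannon_entropy(SAMPLE_PLAINTEXT),
                                                shannon_entropy(SAMPLE_ENCRYPTED)))
    print("flagged:", flag_encryption_burst(DEMO_SNAPSHOTS))
```

Entropy alone will also flag compressed or already-encrypted data, so in practice the threshold is paired with the change rate and with known-opaque file types to keep false positives down.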
The ransomware may then spread to other systems connected via the network, using vulnerabilities that exist within the network to do so. WannaCry, for example, used the EternalBlue exploit to spread.
EternalBlue is an exploit of the Windows Server Message Block (SMB) protocol released by The Shadow Brokers. Much of the attention and comment around the event came from the fact that the U.S. National Security Agency (NSA), from whom the exploit was likely stolen, had already discovered the vulnerability but used it to build an exploit for its own offensive work rather than reporting it to Microsoft.
Once files are encrypted, the ransomware prompts the user to pay a ransom within 24 to 48 hours to decrypt the files, or they will be lost forever. If no data backup is available, or the backups were themselves encrypted, the victim is faced with paying the ransom to recover their files.
Can I get my data back?
The attacker holds on to the private key and will use this key to decrypt files stored on the attacker’s server. The attacker makes the private key available to the victim to decrypt their files only if a ransom is paid. The ransom, often demanded in Bitcoin or another cryptocurrency, is sized according to the compromised organization.
There is no guarantee an organization will get its data back by paying the ransom: even after payment, the attacker(s) may still choose to withhold the key needed to decrypt the files.