Modern ransomware is a form of cryptomalware which encrypts the contents of the target hard drive and potentially all storage media on a network and then demands payment for decryption. This is accomplished through traditional threat vectors to lead a user to execute the malware and begin encryption.
After infection and execution of any number of encryption attacks using typical protocols (RSA, SHA-256), the malware will lock down the infected machine and/or network and demand payment, generally in the form of cryptocurrencies, which may or may not actually result in the decryption of the affected files. If the victim complies and sends payment, the threat actor (ideally) releases to them the private key of the public and private key-pair that was used to encrypt their drives.
These attacks have a proven track record for attackers and have resulted in some big payouts, perhaps most notably and well known being the cryptomalware attack against the Hollywood Presbyterian Medical Center, and other hospitals. Because these attacks almost always come with a time limit after which if payment has not been made to the attacker the private key will forever be lost and all files rendered uselessly scrambled and locked, it is not uncommon for institutions to actually pay up. Because the ransom is generally within a “reasonable” range for the targeted institution considering what is at risk of being lost, it is understandable that stress and urgency would drive such a decision. Of course, U.S. Intelligence sources never suggest cooperating with demands.
According to the FBI, ransomware takes in over $1 billion annually just in payments, with a much larger sum devoted to the costs of remediation. Of course, an ounce of prevention is worth a pound of cure, but because security and convenience relate to each other inversely, we will never be able to fully implement the level of prophylactic security care necessary to stop these kinds of threats from reaching our terminals and workstations entirely.
So what are the options once infection has occurred?
1. If you have a recent backup, and the infection is local enough and not spread over an entire network, you can simply purge and re-image the affected machine. If not…
2. Lose your data, or pay up and hope for the best.
Sad as it sounds, those really are the only options available at that point. If you choose to go the route of paying the ransom and hoping for honesty from your attacker, the process generally plays out as follows.
– When the ransomware encrypted your files, it generated a secret key file (private key) and stored it somewhere on your machine.
-Therefore, you must locate and upload this file or data string to the attacker along with the demanded payment in cryptocurrency.
-If they are “honorable” thieves, they process the result and send you a decryption key.
I can only imagine this to be a greatly disheartening process. Incredibly, some cryptomalware platforms even offer a discount on your decryption if you will “infect a friend”.
Moving into the future, we should expect to see ransomware being written to no longer have the need for direct human interaction during the key exchange and payment process. So-called autonomous ransomware eliminates this risky element of one-to-one communication with infected targets where the attacker exposes himself to higher risk.
There is so much more to say about this topic, but the essentials of what an enterprise needs to know have mostly been summed up here. As these cryptomalware attacks generally target the enterprise over the individual in search of the biggest payout possible, organizations need to be aware that threat actors have them in their sights, eagerly awaiting you to slip up and allow them to take hostage your files, machines, and networks.
Security Technology of South Texas
Contact us at firstname.lastname@example.org
or call 24/7 (210)-446-4863