What is Ransomware & How Can You Stop It? - Tecbound Technology

Ransomware is the monster under the bed for cybersecurity teams. A favored tool of cybercriminals, ransomware is employed by nation-state threat actors as well as small-time gangs. This versatile weapon can be used to disrupt infrastructure like we recently saw with Colonial Pipeline as well as stop factory production, encrypt systems and steal data. An estimated 61% of organizations worldwide experienced a damaging ransomware incident in 2020, a 20% increase over the same period in 2019. A successful ransomware attack is inevitably an expensive, disruptive disaster, and the pace is not slowing down. Ransomware losses in 2021 are already up more than 300% over the same period last year, beating 2020’s record-setting pace.

This incredibly devastating form of malware is the preferred weapon of today’s cybercriminals including nation-state actors. Ransomware is intended to encrypt data and/or systems to prevent the victim from accessing those resources. In the most commonly used type of ransomware attack, bad actors encrypt the victim’s files and request that a ransom be paid to have them decrypted or recovered. Ransomware gangs generally demand payment in the form of Bitcoin (an untraceable digital currency). Ransomware can also be used to shut down factories, snarl or stop utilities, interfere with shipping and transportation, steal research and formulas and cause other harm.

Ransomware comes in an infinite number of varieties to suit every cybercriminal’s dream, but it generally conforms to one of two basic profiles in doing its dirty work. 

Crypto Ransomware 

Crypto ransomware encrypts data, such as the files on a computer, making it inaccessible. Cybercriminals then offer to sell the victim the decryption key. This type of ransomware does not impact the machines it is used on, just the data.

Locker Ransomware 

Locker ransomware makes devices, such as computers or machinery, unusable. The cybercriminals will offer to unlock the affected devices upon payment of the ransom. This is the type of ransomware typically used in infrastructure attacks or attacks against manufacturing targets.

Ransomware usually starts as an email, carefully designed to trick the target into interacting with it. Once the target swallows the bait by downloading a file or clicking a link to a website, the ransomware infects your systems and starts doing its nasty work. Here’s the typical lifecycle of a ransomware attack:

  • Cybercriminals decide to target your company and plan to take your data and systems hostage.  
  • They use information gathered from many sources (including the Dark Web) to carefully craft a phishing email that will be especially appealing to your staff. 
  • The email makes it past your security and lands in your employees’ inboxes. 
  • One of your employees takes the bait, opens the email, and interacts with it by visiting a poisoned website or downloading a tainted attachment. 
  • The malicious payload infects that computer with a ransomware client that takes control of it. 
  • The infected computer then establishes a connection with the cybercriminals’ network to begin freezing your systems or encrypting your data.  
  • The cybercriminals contact you offering the encryption key that unlocks your systems and data – for a price, payable in cryptocurrency. 
  • You have two choices: Pay the ransom or restore your data and systems in another way.  

What is Ransomware’s Most Likely Mechanic?

Every cybercrime gang has its own secret sauce: its signature variety of ransomware. That’s a strong selling point for big cybercrime organizations when recruiting affiliates, since affiliates typically have access to the boss gang’s tech. But how that ransomware does its dirty work can have many variations.

Double Extortion 

Double extortion ransomware is a rising star as cybercriminals double down on their attacks to double their profits by requiring their victims to pay twice: once for the usual decryption code and a separate fee to not have the encrypted data copied by the gang. Practitioners of this tactic were responsible for more than 50% of all ransomware attacks in 2020.

Triple Extortion 

Triple extortion ransomware is beginning to gain popularity. Adding one more step to the traditional double extortion dance, triple extortion ransomware not only requires companies to pay for a decryption key and the return of their uncopied data, but it also includes a payment to avoid another damaging effect like a DDoS attack. 

Targeted Ransomware 

Targeted ransomware is on-trend, and it is exploding. In this style of attack, bad actors don’t craft an email designed to appeal to many targets; instead, they design a spear phishing email to lure in a few very specific targets, often executives or people with IT management or spending power in an organization. The aim is to increase the likelihood that the message makes it through security and doesn’t raise suspicion, even in the target.

Source: Agent ID
