Ransomware attacks rarely limit themselves to a simple payment followed by decryption. Both companies and private individuals who fall victim to this type of malware should be aware of all aspects of such attacks, which are not always transparent.
When hackers compromise a server or computer with ransomware, only two courses of action are available: to pay or not to pay. Each path carries inherent dangers, and the choice depends on a multitude of factors. But there are several other aspects that people should be aware of, whether in the enterprise or the consumer space.
Not all ransomware families are created equal
It’s easy to think of ransomware operators as people looking for quick cash. While that’s true most of the time, attackers sometimes use their newfound network access to steal data as well. They can even wait for the best time to strike.
When big companies or organizations are compromised, they are usually targeted, and it’s rarely the result of some accident, with an employee mistakenly opening an attachment on their work computer. The most prevalent threats today are Sodinokibi and Ryuk, which together were responsible for most infections in 2019.
It has yet to sink into the public consciousness that Sodinokibi and Ryuk fall into the category of malware-as-a-service. They were developed to be rented out to third parties. The makers of this type of ransomware don’t deploy it themselves. The result is a surge of attacks using Sodinokibi and Ryuk, likely by multiple hackers and not a single group.
There are no guarantees
Ransomware operators ask for a payment, a form of blackmail where access to your data is granted after paying the required amount of crypto-currency. It’s impossible to expect guarantees, but surveys published so far reveal that in most cases, especially in large attacks, the hackers do send decryption tools.
The cornerstone of any ransomware attack is the expected payment, but it’s a double-edged sword. If attackers don’t send the tool, it’s less likely that their next target will pay. Still, withholding the decryption tool does happen, especially with groups using lesser-known tools and in attacks against small businesses and regular people.
What most people don’t know is that encrypting files on a system or server is not easy. There have been cases when the ransomware was poorly designed and corrupted large files during decryption. Yes, it’s possible to lose data even if you pay, and the hackers send what you need.
The path of least resistance
Most ransomware attacks share an attack vector, and it’s likely not the one people think of. It’s easy to imagine hackers looking for a vulnerability or a complex method to hack into the company network, but most of the time, the culprit is still the human element.
RDP, or Remote Desktop Protocol, is a Windows technology that allows a user to connect to and control another computer over the network. The process is secured with credentials, and people are inherently bad at choosing user names and passwords. And credentials databases are often stolen or leaked, making it easy for attackers to use real credentials.
Credential stuffing, as well as vulnerabilities in the RDP protocol such as the BlueKeep bug disclosed in 2019, are strong arguments to never expose your RDP instances directly to the Internet. If needed, you should make this service available inside the local network only and accessible only through a VPN connection from outside.
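The credential-stuffing pattern described above has a recognisable footprint in Windows logon auditing: many failed logons from one source address, spread across many different account names, in a short window. The script below is an added example (not code from the article or from Bitdefender) that runs that check over a few constructed log lines. It assumes a simplified one-line rendering of a Windows Security event ("timestamp EventID=… LogonType=… User=… Source=…"); the event IDs 4625 (failed logon) and 4624 (successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are real Windows values, while the thresholds and the log format are illustrative.

```python
"""Added example, not from the original article: flag credential-stuffing-style
failed RDP logons in a simplified rendering of Windows Security events.

Assumed line format (constructed for this example):
    <ISO timestamp> EventID=<id> LogonType=<n> User=<name> Source=<ip>
EventID 4625 / 4624 and LogonType 10 are real Windows values; the thresholds
below are illustrative and would be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

WINDOW = timedelta(minutes=10)   # sliding window for counting failures
MIN_FAILURES = 5                 # failed RDP logons from one source in WINDOW
MIN_DISTINCT_USERS = 3           # many usernames = stuffing, not one user's typos

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Source=(?P<src>\S+)$"
)

# Constructed sample log lines (not real data): one source sprays five different
# accounts and then logs on as "backup"; another source is one user mistyping
# their own password; the last line is a local (LogonType 2) logon, not RDP.
SAMPLE_LOG = """\
2020-03-01T09:00:01 EventID=4625 LogonType=10 User=admin Source=203.0.113.7
2020-03-01T09:00:03 EventID=4625 LogonType=10 User=administrator Source=203.0.113.7
2020-03-01T09:00:05 EventID=4625 LogonType=10 User=jsmith Source=203.0.113.7
2020-03-01T09:00:06 EventID=4625 LogonType=10 User=backup Source=203.0.113.7
2020-03-01T09:00:08 EventID=4625 LogonType=10 User=sql Source=203.0.113.7
2020-03-01T09:00:09 EventID=4624 LogonType=10 User=backup Source=203.0.113.7
2020-03-01T09:01:00 EventID=4625 LogonType=10 User=alice Source=192.0.2.20
2020-03-01T09:01:10 EventID=4625 LogonType=10 User=alice Source=192.0.2.20
2020-03-01T09:01:20 EventID=4625 LogonType=10 User=alice Source=192.0.2.20
2020-03-01T09:01:30 EventID=4625 LogonType=10 User=alice Source=192.0.2.20
2020-03-01T09:01:40 EventID=4625 LogonType=10 User=alice Source=192.0.2.20
2020-03-01T09:05:00 EventID=4625 LogonType=2 User=bob Source=-
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "source": m["src"],
    }


def find_rdp_stuffing(log_text, window=WINDOW, min_failures=MIN_FAILURES,
                      min_distinct_users=MIN_DISTINCT_USERS):
    """Group failed RDP logons (4625 / LogonType 10) by source address and flag
    sources that reach min_failures attempts against min_distinct_users different
    accounts inside `window`. Returns a dict keyed by source address with the
    failure count, the usernames tried, and any account that successfully
    logged on over RDP from that same source (the highest-priority signal)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failed = defaultdict(list)     # source -> [(ts, user)] failed RDP logons
    success = defaultdict(set)     # source -> users with a successful RDP logon
    for e in events:
        if e["logon_type"] != 10:  # only RemoteInteractive (RDP) logons
            continue
        if e["event_id"] == 4625:
            failed[e["source"]].append((e["ts"], e["user"]))
        elif e["event_id"] == 4624:
            success[e["source"]].add(e["user"])

    findings = {}
    for src, attempts in failed.items():
        attempts.sort()            # sort by timestamp for the sliding window
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1         # drop attempts that fell out of the window
            in_window = attempts[start:end + 1]
            users = {u for _, u in in_window}
            if len(in_window) >= min_failures and len(users) >= min_distinct_users:
                findings[src] = {
                    "failures": len(in_window),
                    "users": sorted(users),
                    "successful_logons": sorted(success[src]),
                }
                break              # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, info in find_rdp_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failed RDP logons across "
              f"{len(info['users'])} accounts; successful: {info['successful_logons']}")
```

The distinct-username threshold is what separates a password-spraying or stuffing source from a legitimate user mistyping their own password: 192.0.2.20 fails just as often as 203.0.113.7 but against a single account, so it is not flagged. A successful 4624 from a source that was just spraying accounts is the case that warrants immediate response, which is why the finding carries it.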
One of the best ways for companies to protect their infrastructure against ransomware attacks is to rotate passwords often and keep an eye on data breaches that might affect them. Of course, a multi-layered security solution is a must as well.
Ransomware is one of the few cybercrimes with a tangible cause and effect for a company, but it’s complex enough to require much more than a simple overview. Many of the subsurface aspects of ransomware attacks remain hidden, empowering bad actors to try again.
Liviu Arsene, senior e-threat analyst at Bitdefender