by Ariel King, Security Engineer
Everyone is all too familiar with the classic kidnapping accompanied by a ransom note assembled from letters cut out of magazines. But how familiar are you with the scenario in which your files are the hostage and the ransom note is a message in red text splayed across your computer screen? Unfortunately, in 2018 alone, there were an estimated 204 million ransomware attacks.
Ransomware is a type of malware that blocks access to a system or to personal files until a ransom is paid. If payment is not made within the specified time, the victim risks losing the data entirely, seeing the ransom price increase, or having the data published.
Recent Victims of Ransomware Attacks
A data center in Argentina housing local government files and CyrusOne, a prominent data center provider in the U.S., were recent victims of ransomware attacks. In the case of the Argentine data center, 7,700 GB of data were encrypted, and a ransom of between $37,000 and $370,000 was demanded in exchange for decrypting the files. Ultimately, the data center was able to recover 90 percent of the encrypted data, but it may take at least 15 days for that data to be decrypted.
As for CyrusOne, the outlook is less optimistic, given that its attackers used the infamous Sodinokibi, a version of the REvil ransomware that in one case led to a hacker receiving $287,000 in bitcoin in only three days. CyrusOne has publicly stated that it will not pay the ransom and is currently working alongside law enforcement and forensic firms to analyze the attack and help customers restore the lost data.
Sodinokibi ransomware attacks have become a significant and increasingly frequent issue. More than 400 American dental offices were infected with Sodinokibi through compromised software providers such as The Digital Dental Record and PerCSoft, both medical-records retention and backup solutions marketed to dental offices. The breached software delivered the Sodinokibi ransomware to hundreds of computers used in dental offices all over the U.S. Both providers shared a decrypter with the affected dental offices to assist in recovering encrypted files. However, several of the offices reported that the decrypter either did not function or did not allow full data recovery.
Are You at Risk?
Many are under the misconception that an anti-virus program solves all malware problems; however, the different methods hackers use to deliver ransomware go beyond the scope of an anti-virus program. The most common techniques used to deploy ransomware are phishing emails and drive-by downloads. Other popular methods are infected USB drives and other removable media, along with remote desktop protocol (RDP).
Approximately 93 percent of phishing emails are said to contain encryption ransomware. The emails are sent from spoofed addresses that appear to belong to a credible source such as a colleague or trusted vendor. Phishing emails deliver either a malicious link or an executable file, which may arrive in the form of a ZIP file or a Word document. These emails often carry a tone of urgency, demanding that the user take action by downloading the attachment or clicking a link that leads to a fake webpage impersonating a trusted site.
A related method is the drive-by download, typically hosted on “sketchy” or obscure sites that contain embedded malicious code. However, drive-by downloads are not limited to obscure sites: there are also legitimate websites whose software vulnerabilities have been exploited to insert malicious code. This code does not need to be activated by the user clicking on anything. Instead, the device used to visit the compromised site can be scanned for vulnerabilities, and through those “holes” the code can be inserted and executed.
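Two of the phishing tells described above (a spoofed sender and an executable hidden inside a ZIP attachment) can be checked at a mail gateway before a message ever reaches a user. The following is an added Python example, not code from the article; the list of risky attachment types, the constructed sample message and its domain names are assumptions, and a real deployment would tune the list and add sandboxing.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types commonly abused to carry ransomware droppers (assumption: tune to your environment).
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm"}

def _ext(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
def _domain(header: str) -> str:
    return parseaddr(header)[1].rpartition("@")[2].lower()

def attachment_findings(name: str, payload: bytes) -> list[str]:
    """Flag risky attachment types; for ZIP files, also inspect the member names."""
    findings = [f"risky attachment type: {name}"] if _ext(name) in RISKY_EXT else []
    if _ext(name) == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                findings += [f"executable inside archive: {name}:{m}" for m in zf.namelist() if _ext(m) in RISKY_EXT]
        except zipfile.BadZipFile:
            findings.append(f"unreadable archive: {name}")
    return findings

def analyze_message(raw: bytes) -> list[str]:
    """Findings for a raw message: a sender-spoofing tell plus risky attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain, reply_domain = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    # A Reply-To on a different domain than From is a common sign of a spoofed sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain mismatch: {from_domain} vs {reply_domain}")
    for part in msg.iter_attachments():
        findings += attachment_findings(part.get_filename() or "", part.get_payload(decode=True) or b"")
    return findings

def build_sample() -> bytes:
    """Constructed phishing-style message: spoofed vendor, urgent tone, ZIP hiding an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2019.exe", b"placeholder bytes, not a real executable")
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <ap@trusted-vendor.example>"
    msg["Reply-To"] = "ap@trusted-vendor-billing.example.net"
    msg["Subject"] = "URGENT: overdue invoice, action required today"
    msg.set_content("Please open the attached invoice immediately.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice_2019.zip")
    return msg.as_bytes()
```

Running `analyze_message(build_sample())` reports both the Reply-To domain mismatch and the executable hidden in the archive; a clean message with a plain-text attachment produces no findings.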