What is Ransomware and how it operates


Ransomware is a type of malware that blocks access to the victim’s personal data unless a ransom is paid. Simple ransomware can lock the system, while more advanced ransomware encrypts the victim’s files and demands payment to decrypt them. Attacks typically use Trojan horse malware in an email that the user is tricked into opening or downloading.

Operation of Ransomware:

  • The malware is delivered to and executed on the victim’s machine.
  • The malware generates a random symmetric key and encrypts the victim’s data with it.
  • It then encrypts that symmetric key with the attacker’s public key, which is embedded in the malware. The result is a small asymmetric ciphertext (the wrapped key) alongside the symmetric ciphertext of the victim’s data.
  • The malware zeroizes the symmetric key and the original plaintext so that neither can be recovered from the machine.
  • It displays a message to the user containing the asymmetric ciphertext and instructions for paying the ransom. Payment is usually demanded through an anonymous web page, typically in a cryptocurrency such as Bitcoin. The victim sends the asymmetric ciphertext and the money to the attacker.
  • The attacker receives the payment, decrypts the asymmetric ciphertext with their private key, and sends the symmetric key to the victim, who uses it to decrypt the data.

Any device connected to the internet is at risk of ransomware, and a single vulnerable device can put the whole local network at risk. Outdated operating systems such as Windows XP that are no longer maintained are at much higher risk of being targeted by ransomware and other cybercrime.

Paying the ransom can do more harm than good. The biggest risk is never receiving the key needed to decrypt the data. Paying also funds criminal activity and encourages the attacker to continue, and because the attacker now knows you will pay, you can be targeted again in the future. Unfortunately, most companies have no other choice. The better course is to prevent ransomware from happening in the first place.

You can prevent ransomware by:

  • Installing software updates and restarting your computer at least once a week.
  • Backing up your data to a service like Google Drive, which gives you a better chance of getting your data back if you become a target of ransomware.
  • Using virus scanners and content filters on your mail so that emails containing ransomware never reach your mailbox.
  • Thinking twice before clicking links or downloading anything.
  • Maintaining three copies of your data: the original and two copies. Keep one copy in an off-site location.
  • Using network segmentation: dividing the network into multiple smaller networks so the organization can isolate the ransomware and prevent it from spreading to other systems.
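The backup advice above (three copies, two media, one off-site) only helps if the copies are actually intact when you need them: a backup that stays reachable from the network can be encrypted together with the primary data. The following Python script is an added example, not code from the original article. It assumes a constructed in-memory backup set and a hash recorded at backup time; a real implementation would read the copies from disk, tape or object storage and keep the recorded hashes in a signed manifest.

```python
"""3-2-1 backup verification: three copies, two media types, one off-site.

Added example (not from the original article). Every copy is checked
against the hash recorded when the backup was taken, and the 3-2-1 rule
is then evaluated over the copies that are still intact.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed dataset: the original file content and the hash recorded
# at backup time (assumption: a real system stores this in a manifest).
ORIGINAL = b"Q1 ledger: revenue 1,000,000; expenses 800,000\n"
RECORDED_HASH = sha256(ORIGINAL)

# Constructed backup copies. The "nas" copy is reachable from the LAN and
# has been overwritten with ciphertext-like bytes, simulating a backup
# that was encrypted alongside the primary data.
COPIES = [
    {"name": "primary", "medium": "disk", "offsite": False, "content": ORIGINAL},
    {"name": "nas", "medium": "disk", "offsite": False,
     "content": b"\x8f\x1a\xd3\x02\x77\xc4\x19\xee\x5b\x90\x0c\x41"},
    {"name": "offsite-tape", "medium": "tape", "offsite": True, "content": ORIGINAL},
]


def verify_backup_set(copies, recorded_hash):
    """Return (ok, problems).

    ok is True only if every copy passes the integrity check and the
    intact copies satisfy 3 copies / 2 media types / 1 off-site.
    """
    problems = []
    intact = []
    for c in copies:
        if sha256(c["content"]) != recorded_hash:
            problems.append(f"copy '{c['name']}' fails integrity check")
        else:
            intact.append(c)

    if len(intact) < 3:
        problems.append(f"only {len(intact)} intact copies (need 3)")
    media = {c["medium"] for c in intact}
    if len(media) < 2:
        problems.append(f"intact copies span {len(media)} media type(s) (need 2)")
    if not any(c["offsite"] for c in intact):
        problems.append("no intact off-site copy")
    return (not problems, problems)


def restore_from(copies, recorded_hash):
    """Return the content of the first intact copy, preferring off-site
    media, or None if no copy verifies. This is the restore-test step."""
    ordered = sorted(copies, key=lambda c: not c["offsite"])
    for c in ordered:
        if sha256(c["content"]) == recorded_hash:
            return c["content"]
    return None


if __name__ == "__main__":
    ok, problems = verify_backup_set(COPIES, RECORDED_HASH)
    print("backup set OK" if ok else "backup set FAILED:")
    for p in problems:
        print("  -", p)
    print("restore test:", "passed" if restore_from(COPIES, RECORDED_HASH) == ORIGINAL else "failed")
```

Run as-is, the verifier reports the corrupted "nas" copy and the resulting shortfall in intact copies, while the restore test still succeeds from the off-site tape; repairing the second copy makes the whole set pass.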

To protect against ransomware, keep systems and software up-to-date, use robust antivirus, filter emails for phishing threats, and restrict unauthorized software installations. Employ least privilege principles, multi-factor authentication (MFA), and network segmentation to limit damage. Maintain secure, tested backups in off-network locations and create a practiced incident response plan. Monitor logs, use intrusion detection systems, and train employees on cybersecurity awareness and phishing prevention. Collaborate with cybersecurity communities for threat intelligence and adopt a layered defense approach to mitigate risks effectively.
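One concrete form of the log monitoring recommended above is behavioural detection of the encryption phase: a single process rewriting and renaming many files in a few seconds, usually giving them a new extension, looks nothing like normal user activity. The following Python script is an added example, not code from the original article. It assumes a constructed file-activity log format (one `ts|process|operation|path|new_path` record per line) and illustrative thresholds; the sample log lines are constructed as well.

```python
"""Behavioural detection of mass file modification from file-activity logs.

Added example (not from the original article). The log format, the
threshold values and the sample events are all assumptions made for the
demonstration. The detector flags a process that touches at least
MIN_DISTINCT_FILES distinct files within WINDOW_SECONDS and reports how
many of its renames changed the file extension.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # assumed sliding window length
MIN_DISTINCT_FILES = 5   # assumed alert threshold (distinct files per window)

# Constructed sample log: a word processor saving one document twice, then
# a process rewriting and renaming five spreadsheets within three seconds
# and dropping a note file.
SAMPLE_LOG = """\
1700000000|winword.exe|WRITE|/srv/share/finance/report.docx|
1700000002|winword.exe|WRITE|/srv/share/finance/report.docx|
1700000010|svc_update.exe|WRITE|/srv/share/finance/q1.xlsx|
1700000010|svc_update.exe|RENAME|/srv/share/finance/q1.xlsx|/srv/share/finance/q1.xlsx.locked
1700000011|svc_update.exe|WRITE|/srv/share/finance/q2.xlsx|
1700000011|svc_update.exe|RENAME|/srv/share/finance/q2.xlsx|/srv/share/finance/q2.xlsx.locked
1700000011|svc_update.exe|WRITE|/srv/share/finance/q3.xlsx|
1700000011|svc_update.exe|RENAME|/srv/share/finance/q3.xlsx|/srv/share/finance/q3.xlsx.locked
1700000012|svc_update.exe|WRITE|/srv/share/finance/q4.xlsx|
1700000012|svc_update.exe|RENAME|/srv/share/finance/q4.xlsx|/srv/share/finance/q4.xlsx.locked
1700000012|svc_update.exe|WRITE|/srv/share/finance/q5.xlsx|
1700000012|svc_update.exe|RENAME|/srv/share/finance/q5.xlsx|/srv/share/finance/q5.xlsx.locked
1700000013|svc_update.exe|WRITE|/srv/share/finance/HOW_TO_RESTORE.txt|
"""


def parse_events(log_text):
    """Parse the constructed pipe-separated format into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, process, op, path, new_path = line.split("|")
        events.append({"ts": int(ts), "process": process, "op": op,
                       "path": path, "new_path": new_path or None})
    return events


def _ext(path):
    """File extension (lower-case, without the dot) of a path, or ''."""
    name = path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events, window=WINDOW_SECONDS, min_files=MIN_DISTINCT_FILES):
    """Return one alert per process whose distinct-file count inside the
    sliding window reaches the threshold."""
    recent = defaultdict(deque)   # process -> deque of (ts, path) in window
    stats = defaultdict(lambda: {"files": set(), "ext_changes": 0, "flagged_at": None})

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] not in ("WRITE", "RENAME"):
            continue
        st = stats[ev["process"]]
        st["files"].add(ev["path"])
        if ev["op"] == "RENAME" and _ext(ev["path"]) != _ext(ev["new_path"]):
            st["ext_changes"] += 1

        q = recent[ev["process"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                       # drop events outside the window
        if st["flagged_at"] is None and len({p for _, p in q}) >= min_files:
            st["flagged_at"] = ev["ts"]       # first moment the threshold is crossed

    return [{"process": proc, "flagged_at": s["flagged_at"],
             "distinct_files": len(s["files"]), "extension_changes": s["ext_changes"]}
            for proc, s in stats.items() if s["flagged_at"] is not None]


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample log the word processor stays below the threshold while the second process is flagged at the moment it touches its fifth distinct file; the extension-change count is what separates an encryption run from a legitimate bulk write such as a compiler or a sync client, which rewrites many files without renaming them.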

Sharing threat intelligence is vital in combating ransomware, as it enables organizations to stay ahead of evolving threats by learning from others’ experiences. This involves disseminating indicators of compromise (IOCs), attack tactics, and decryption tools through platforms like ISACs, threat intelligence feeds, and public-private partnerships. By pooling knowledge, organizations can identify trends, gain early warnings, and strengthen collective defenses. Effective sharing requires using standardized formats like STIX/TAXII, ensuring data accuracy, maintaining anonymity, and adhering to legal and privacy standards. Overcoming challenges like trust issues and data overload fosters a collaborative defense against ransomware.
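To make the STIX/TAXII point concrete, here is the consuming side of threat-intelligence sharing as an added Python example, not code from the original article: a STIX 2.1 bundle of indicators is parsed and its patterns are matched against locally observed file hashes and DNS lookups. The bundle, the observations and the indicator values are constructed (the hash is derived from a constructed string and the domain uses the reserved `.example` TLD), and only the two simplest pattern forms are handled, as the comments note.

```python
"""Parse a shared STIX 2.1 indicator bundle and match it against local observations.

Added example (not from the original article). Everything below is
constructed: the bundle ids are placeholders, the hash indicator is the
SHA-256 of a constructed string, and the domain is a reserved example name.
Only single-comparison patterns of the form [object:path = 'value'] are
parsed; compound patterns (AND, OR, FOLLOWEDBY) are skipped.
"""
import hashlib
import json
import re

SAMPLE_HASH = hashlib.sha256(b"constructed sample, not a real payload").hexdigest()

# Constructed bundle, as it might arrive from a TAXII collection or an ISAC feed.
BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "Constructed ransomware dropper hash",
            "pattern_type": "stix",
            "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']",
            "valid_from": "2024-01-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "Constructed ransom payment portal",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'payment-portal.example']",
            "valid_from": "2024-01-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000004",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "Compound pattern (skipped by this parser)",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '192.0.2.10' AND network-traffic:dst_port = 443]",
            "valid_from": "2024-01-01T00:00:00Z",
        },
    ],
}, indent=2)

# Matches exactly one comparison: [ <object-path> = '<value>' ]
PATTERN_RE = re.compile(r"^\[\s*([\w\-]+:[\w\.\-']+)\s*=\s*'([^']*)'\s*\]$")


def parse_indicators(bundle_json):
    """Return a list of (indicator_id, object_path, value) tuples."""
    bundle = json.loads(bundle_json)
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if not m:
            continue          # compound pattern: not handled by this example
        found.append((obj["id"], m.group(1), m.group(2)))
    return found


# How each supported object path is read out of a local observation.
EXTRACTORS = {
    "file:hashes.'SHA-256'": lambda o: o.get("sha256", "").lower() if o["kind"] == "file" else None,
    "domain-name:value": lambda o: o.get("domain", "").lower() if o["kind"] == "dns" else None,
}


def match_observations(indicators, observations):
    """Return a hit for every (indicator, observation) pair whose value matches."""
    hits = []
    for ind_id, obj_path, value in indicators:
        extract = EXTRACTORS.get(obj_path)
        if extract is None:
            continue
        for obs in observations:
            if extract(obs) == value.lower():
                hits.append({"indicator": ind_id, "observation": obs})
    return hits


# Constructed local telemetry: two file hashes seen by an EDR, two DNS lookups.
OBSERVATIONS = [
    {"kind": "file", "path": "/tmp/invoice.exe", "sha256": SAMPLE_HASH},
    {"kind": "file", "path": "/usr/bin/ls", "sha256": hashlib.sha256(b"benign").hexdigest()},
    {"kind": "dns", "domain": "PAYMENT-PORTAL.example"},
    {"kind": "dns", "domain": "intranet.corp.example"},
]

if __name__ == "__main__":
    for hit in match_observations(parse_indicators(BUNDLE_JSON), OBSERVATIONS):
        print(hit["indicator"], "->", hit["observation"])
```

Two of the three indicators are simple enough for this parser; both produce a hit against the constructed telemetry (the domain match is case-insensitive, which is how DNS names should be compared), and the compound pattern is skipped rather than misread, which is the safer failure mode when a feed carries pattern syntax the consumer does not support.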