What is Ransomware?
Ransomware is a type of malicious software (malware) that encrypts a victim’s data once it is activated, typically through an interaction such as clicking a malicious link or opening a malicious attachment. Once activated, it encrypts most of the data on the victim’s computer while running as a background process, sometimes without being noticed. This is what makes ransomware particularly dangerous: it can get past protections such as firewalls and intrusion detection and prevention systems (IDS/IPS). The most dangerous variants not only encrypt data but also exfiltrate it to the attacker’s server, then demand a ransom, usually in cryptocurrencies such as Bitcoin that are difficult to trace, for its recovery.
Signs of a Ransomware Attack
Indicators of ransomware can be identified through several methods, including inspecting network traffic, analysing application logs, and monitoring activity for unauthorized access and the installation of malicious software. The following are possible indicators that ransomware is already affecting your system:
- Spike in Disk Activity: Increased disk activity as the ransomware searches for and encrypts files on the targeted machines.
- Poor System Performance: Degraded performance due to the high resource usage of the encryption process.
- Creation of New Accounts: Especially privileged accounts created by the attackers.
- Suspicious Network Traffic: Unusual inbound and outbound communication with Command & Control (C&C) servers.
- Unauthorized Software Installation: Malicious tools such as Mimikatz (Windows), or malicious scripts on Linux machines, are installed to exploit particular vulnerabilities.
- Security System Tampering: Efforts to disable monitoring and detection systems.
- Backup Tampering: Attempts to corrupt or delete backups to prevent data restoration.
- Network Port Scanning: Indications of lateral movement within the network as attackers explore other systems.
- Non-functional Applications: Applications fail to operate because the files they depend on have been encrypted, so the bytes of those files no longer match what the application expects.
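Several of the indicators above (a burst of files being renamed to a new extension, high-entropy writes from the encryption process, and deletion of backup files) can be checked mechanically against file-activity telemetry. The following Python script is an added example, not part of the original post: it runs three simple detection rules over a constructed sample log. The log format (timestamp, process, operation, path, optional new path, and a pre-computed entropy of the written block) is an assumption of this example, not the output of any particular EDR or audit tool, and the thresholds are illustrative starting points to tune per environment.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of a file-activity log (not from any real system).
# The field layout is an assumption of this example.
SAMPLE_LOG = """\
2024-06-20T10:00:01 proc=winword.exe op=WRITE path=C:\\Users\\ana\\report.docx entropy=5.10
2024-06-20T10:00:03 proc=explorer.exe op=RENAME path=C:\\Users\\ana\\notes.txt new=C:\\Users\\ana\\notes_old.txt
2024-06-20T10:00:05 proc=updater.exe op=WRITE path=C:\\Share\\q1.xlsx entropy=7.97
2024-06-20T10:00:05 proc=updater.exe op=RENAME path=C:\\Share\\q1.xlsx new=C:\\Share\\q1.xlsx.locked
2024-06-20T10:00:06 proc=updater.exe op=WRITE path=C:\\Share\\q2.xlsx entropy=7.96
2024-06-20T10:00:06 proc=updater.exe op=RENAME path=C:\\Share\\q2.xlsx new=C:\\Share\\q2.xlsx.locked
2024-06-20T10:00:07 proc=updater.exe op=WRITE path=C:\\Share\\q3.docx entropy=7.98
2024-06-20T10:00:07 proc=updater.exe op=RENAME path=C:\\Share\\q3.docx new=C:\\Share\\q3.docx.locked
2024-06-20T10:00:08 proc=updater.exe op=WRITE path=C:\\Share\\q4.pdf entropy=7.95
2024-06-20T10:00:08 proc=updater.exe op=RENAME path=C:\\Share\\q4.pdf new=C:\\Share\\q4.pdf.locked
2024-06-20T10:00:09 proc=updater.exe op=WRITE path=C:\\Share\\q5.pptx entropy=7.97
2024-06-20T10:00:09 proc=updater.exe op=RENAME path=C:\\Share\\q5.pptx new=C:\\Share\\q5.pptx.locked
2024-06-20T10:00:12 proc=updater.exe op=DELETE path=D:\\Backups\\full-2024-06-19.vbk
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) op=(?P<op>\S+) path=(?P<path>\S+)"
    r"(?: new=(?P<new>\S+))?(?: entropy=(?P<entropy>[\d.]+))?$"
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Encrypted or compressed data approaches 8.0;
    plain documents are usually well below 6.0. Use this on sampled write
    buffers if your telemetry does not already carry an entropy field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _extension(path: str) -> str:
    name = re.split(r"[\\/]", path)[-1]          # last path component
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # skip unparseable lines, never crash
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["entropy"] = float(ev["entropy"]) if ev["entropy"] else None
        events.append(ev)
    return events


def _max_in_window(times, window: timedelta) -> int:
    """Largest number of timestamps falling inside any window of the given length."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(events, window_seconds=60, burst=5, entropy_floor=7.5) -> list:
    """Return (rule, process, detail) alerts for ransomware-like activity."""
    window = timedelta(seconds=window_seconds)
    renames, hot_writes, alerts = defaultdict(list), defaultdict(list), []
    for ev in events:
        # Rule 1: many files renamed to a new extension by one process.
        if ev["op"] == "RENAME" and ev["new"] and _extension(ev["new"]) != _extension(ev["path"]):
            renames[ev["proc"]].append(ev["ts"])
        # Rule 2: many near-random (encrypted-looking) writes by one process.
        elif ev["op"] == "WRITE" and ev["entropy"] is not None and ev["entropy"] >= entropy_floor:
            hot_writes[ev["proc"]].append(ev["ts"])
        # Rule 3: deletion of anything that looks like a backup artifact.
        elif ev["op"] == "DELETE":
            p = ev["path"].lower()
            if "backup" in p or p.endswith((".bak", ".vbk")):
                alerts.append(("backup_tampering", ev["proc"], ev["path"]))
    for proc, times in renames.items():
        if (n := _max_in_window(times, window)) >= burst:
            alerts.append(("mass_extension_change", proc, n))
    for proc, times in hot_writes.items():
        if (n := _max_in_window(times, window)) >= burst:
            alerts.append(("high_entropy_write_burst", proc, n))
    return alerts


if __name__ == "__main__":
    for rule, proc, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"ALERT {rule}: process={proc} detail={detail}")
```

The two burst rules deliberately key on the originating process rather than on file names alone, because a normal user renaming a single file (explorer.exe above) or a word processor saving a low-entropy document must not fire. In production the same rules would read from an EDR or Sysmon-style feed and the alert would feed an isolation playbook for the host.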
Types of Ransomware
1. Crypto Ransomware
Crypto ransomware usually infects systems through malicious emails, compromised websites, or downloading malicious files. Once activated, it encrypts a wide array of files on the victim’s computer, including documents, multimedia, and backups, making them inaccessible. It can also target files stored on networks and cloud drives. The attackers then demand a ransom, typically paid in cryptocurrency, for the decryption key needed to restore access to the encrypted files.
2. Doxware or Leakware
Leakware, also known as doxware or exfiltration ransomware, takes data encryption to another level. In these attacks, cybercriminals first steal sensitive data and then threaten to release it publicly unless a hefty ransom is paid. The exposure of confidential information can seriously harm a business’s reputation and compromise customer privacy. Additionally, leakware attacks often include data encryption, further pressuring victims by restricting access to their critical data.
3. Wiper Ransomware
Wiper ransomware resembles traditional ransomware but is far more destructive. Instead of encrypting data, Wiper ransomware permanently deletes or corrupts it, making recovery impossible even if the ransom is paid. The primary aim of Wiper ransomware is to cause maximum disruption and damage, often linked to cyber warfare or targeted attacks on specific organizations or countries. This malware can destroy system functionality, erase critical data, and significantly disrupt operations, posing a severe threat to both businesses and governments.
4. Ransomware-as-a-Service (RaaS)
Ransomware-as-a-Service (RaaS) operates like legitimate cloud services, using a subscription or affiliate model. This approach allows anyone, even without hacking skills, to carry out a cyberattack. Cybercriminals can rent or purchase ransomware from RaaS providers, usually found on the dark web, and often receive customer support and other services. The RaaS model has made ransomware attacks more common by making them accessible to a wider range of individuals. Its user-friendly nature and potential for high financial returns make RaaS a particularly troubling trend.
Source: https://prolion.com/blog/types-of-ransomware
Ransomware Attack Cases in The Wild
1. WannaCry Ransomware
WannaCry was a global ransomware epidemic that took place in May 2017 and affected over 200,000 computers in more than 150 countries. This ransomware specifically targeted Microsoft Windows systems, encrypting user files and demanding a ransom in Bitcoin for their recovery; if the ransom was not paid, the group threatened to release the data and information. WannaCry spread rapidly using an exploit called ‘EternalBlue.’ This exploit was originally developed by the United States National Security Agency (NSA) for its own internal use and only affects older versions of Microsoft Windows, but, as we know, hospitals, emergency services, petrol stations, and even factories still run old infrastructure and technology, so those sectors were the most likely to be affected.

WannaCry mainly affected old and unpatched versions of Microsoft Windows, and its impact was significant, disrupting numerous sectors such as healthcare, telecommunications, and manufacturing. The UK’s National Health Service (NHS) was particularly affected by this ransomware, leading to the cancellation of medical appointments and surgeries. Even after paying the ransom, there was no guarantee that the data would be restored, leaving many organizations struggling to recover. This incident highlighted the crucial need for up-to-date security patches and strong cybersecurity practices.
County Durham and Darlington NHS Foundation Trust (CDDFT) was not directly attacked during the WannaCry incident. However, the ambulance service safeguarded their network by closing access, which impacted the ambulance handover process, disabled screens, and made the Patient Transport Service booking portal unavailable.
Source: https://www.england.nhs.uk/long-read/case-study-wannacry-attack
2. LockBit 3.0 Ransomware
LockBit, and LockBit 3.0, the improved version of the LockBit ransomware, are constantly evolving; LockBit is currently the most active ransomware group and mainly targets large organizations and enterprises. The group operates under a ransomware-as-a-service (RaaS) model, which has significantly impacted companies and infrastructure globally. The LockBit group also maintains and improves its product through a bug bounty program aimed at securing its code and enhancing its security, rewarding anyone able to break its cryptographic mechanism, bypass its security, or find bugs in the ransomware. LockBit 3.0 spreads through various methods such as phishing and spear-phishing emails and the exploitation of exposed vulnerabilities in applications or services, leveraging third-party frameworks such as Empire, Metasploit, and Cobalt Strike.
LockBit launched in January 2020 with a version known as LockBit 1.0, and has since released additional versions: LockBit 2.0 (LockBit Red), LockBit 3.0 (LockBit Black), LockBit Linux/ESXI, and LockBit Green, and was developing LockBit 4.0. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.
Source: https://lockbitvictims.ic3.gov/, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
In May 2023, the LockBit 3.0 ransomware group launched a significant attack on PT Bank Syariah Indonesia (BSI), the bank most commonly used by Muslims in Indonesia to hold their funds. The group compromised vital elements of the bank’s systems and stole millions of items of sensitive personally identifiable information (PII), such as client data, financial records, and internal communications. Following the breach, LockBit 3.0 demanded a ransom to decrypt the data and prevent further leakage of the stolen information; unfortunately, after ransom negotiations broke down, around 1.5 terabytes of personal and financial information that the group said it had stolen from Bank Syariah Indonesia were leaked.

The LockBit 3.0 ransomware group claimed on Saturday (14/5/2023) that it had acquired 1.5 terabytes of data from PT Bank Syariah Indonesia (BSI). This massive breach comprises sensitive personal information belonging to a staggering 15 million customers and staff members of the bank, including phone numbers, addresses, names, card numbers, transactions, and other sensitive customer data.
Source: https://indonesiabusinesspost.com/insider/bsis-data-breach-a-menace-to-indonesias-banking-security
In June 2024, the LockBit 3.0 (Brain Cipher) ransomware group reportedly attacked the Data Center of Indonesia (PDN), which is managed by the Ministry of Communication and Informatics (KOMINFO). Budi Arie Setiadi, Minister of Communication and Information (KOMINFO), stated that the hackers requested a total of $8 million in ransom for the attack, which began on June 20, 2024. The ransomware mostly targeted sensitive data and internal infrastructure for encryption, such as VSS, HyperV Volume, VirtualDisk, and Veeam vPower NFS. The attack also involved the removal of sensitive files from the server and interrupted internal services, for example by disabling the antivirus on the Windows Server. Additionally, Babuk ransomware was found to have encrypted the ESXi servers, resulting in two different ransomware variants affecting the PDN servers.

The source codes for both LockBit 3.0 (LockBit Black) and Babuk ransomware have been leaked online, making them accessible for anyone to download and use to create ransomware. In response to a recent attack on the Data Center of Indonesia (PDN), the hacker group Brain Cipher released decryption keys on the dark web. They advised KOMINFO to use these keys to decrypt data on PDN servers. Additionally, Brain Cipher claimed that all data from the PDN servers had already been deleted by their group. This incident caused significant operational disruptions, affecting immigration services and over 210 regional and central agencies, leading to widespread public service interruptions.
Reducing the Risk of Ransomware Attacks
- Regular system backups are crucial for enabling organizations to quickly restore operations and maintain business continuity in the event of a breach, alongside proper system configuration and up-to-date patching. However, backups alone do not prevent the exposure of data exfiltrated during an attack. Keep at least one copy of the backup offline, and preferably offsite, for maximum protection.
- Utilize Anti-Malware software and other advanced security tools capable of detecting and blocking known ransomware variants. These tools employ a combination of signatures, heuristics, and machine learning algorithms to identify and prevent suspicious files and activities.
- Monitor network traffic and identify indicators of compromise. Look for unusual traffic patterns or communication with known command-and-control servers. By continuously analyzing network activity, organizations can detect and respond to potential threats more quickly, improving their overall cybersecurity posture and preventing ransomware from causing significant damage.
- Conduct regular security audits and assessments, which are crucial in reducing the risk of ransomware attacks. These evaluations help identify vulnerabilities in the network and systems, ensuring that all security controls are in place and functioning effectively.
- Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails and other potential threats. This proactive approach enhances overall security awareness and reduces the risk of successful cyberattacks.
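A backup only helps if the copy you restore from is intact, and the "Backup Tampering" indicator above is exactly the case where a restore can fail silently. The following Python script is an added example, not part of the original post or of any backup product: it builds a SHA-256 manifest of a backup set and later verifies the set against that manifest, reporting files that went missing, were modified, or appeared unexpectedly. The directory layout and file contents are constructed for the demonstration; the intent is that the manifest travels with the offline or offsite copy the bullet above recommends, so a manifest stored only on the live backup host is an assumption you should not make.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, POSIX-style path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against a previously stored manifest."""
    current = build_manifest(root)
    report = {
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }
    report["ok"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report


def demo(tamper: bool = True) -> dict:
    """Build a constructed backup set, record its manifest, optionally tamper
    with it the way a ransomware actor would (overwrite, delete, drop a stray
    file), then verify. Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup-2024-06-19"
        (root / "db").mkdir(parents=True)
        # Constructed sample contents, not real data.
        (root / "db" / "customers.sql").write_bytes(b"-- constructed sample dump\n" * 50)
        (root / "config.yaml").write_text("retention_days: 30\n")
        (root / "notes.txt").write_text("constructed sample\n")

        # This JSON is what you copy to the offline/offsite location.
        stored_manifest = json.dumps(build_manifest(root), indent=1)

        if tamper:
            (root / "db" / "customers.sql").write_bytes(b"\x00" * 16)  # overwritten
            (root / "notes.txt").unlink()                                # deleted
            (root / "extra.bin").write_bytes(b"\xff" * 8)                # not in manifest

        return verify_manifest(root, json.loads(stored_manifest))


if __name__ == "__main__":
    print(json.dumps(demo(tamper=False), indent=1))
    print(json.dumps(demo(tamper=True), indent=1))
```

Run the verification as part of every backup job and again before any restore; a non-empty "missing" or "modified" list means the copy on that medium cannot be trusted and the offline copy should be used instead.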
Prepare an umbrella before it rains: secure your systems before threats reach you. Contact us today to learn more about how Luminix Labs can help you stay one step ahead of cyber threats.