According to a recent cyberthreat intelligence report, ransomware from over 110 distinct families was detected in the wild during the first quarter of 2021. The top 15 ransomware families accounted for just 52% of the cases. The diversity of ransomware involved in the remaining 48% of attacks as well as the rapid evolution of all strains significantly reduces the effectiveness of anti-ransomware solutions that depend on detection of known ransomware signatures.
Most Common Ransomware Variants
While many of the ransomware variants discovered were relatively rare, a clearer picture emerges from focusing on ransomware strains that infected at least five different hosts: Two ransomware families, Ryuk and Sodinokibi, account for over half of the attacks.
Ryuk has been responsible for attacks on several hospitals, including last year’s attack on Universal Health Services that resulted in a massive system outage, with ambulances being diverted and lab test results delayed. Sodinokibi was the weapon of choice in a number of high-profile, high-cost attacks. It is frequently used in double extortion attacks, in which higher ransoms are demanded to not only restore system functions, but to also stop attackers from selling or publishing sensitive data that’s been stolen.
Ransomware Delivery Mechanisms
Email remains the most common ransomware delivery mechanism, with 32-bit EXE files the file type of choice for holding the ransomware in over 80% of the cases. A variety of other file types are leveraged as downloaders that constitute the initial step of many ransomware attacks. In many cases, ransomware attacks involve complex multi-step chains. For instance, a link in a PDF attached to a phishing email or linked to from a malicious site may lead to a ZIP archive containing a downloader, which then retrieves the actual ransomware.
For ransomware victims, these chains can be complex and difficult to detect and track; on the other hand, they may offer organizations a number of opportunities to intercept and stop the attack before actual ransomware’s delivered and begins to spread throughout the system. Thus, in the example above, the attack might be foiled by an email filter; by a content disarm and reconstruct solution that recognized the link in the PDF as malicious; or if the malicious URL where the ZIP archive resides is opened in an RBI virtual browser, the ransomware will be prevented from reaching endpoints and networks. In each of those cases, the attack would be stopped in its tracks.
Web browsing is the second most common way to fall victim to a ransomware attack. Infected links are generally represented as legitimate sites and promoted as valuable content for users to access. The links may be distributed via…
- Posts on forums or in chat groups
- Instant messaging apps
- In social media channels
- Free software (freeware) offered on public sites
- And, of course, embedded in phishing emails.
Ransom Demands
Some ransomware families, including WanaCrypt0r and Virlock, include a ransom note with a demand for payment in cryptocurrency such as Bitcoin, as well as the relevant sum and a digital wallet address.
Other ransomware families require the victim to contact them for instructions, either via the darknet (using TOR) or by email or group chat.
Protecting Against Ransomware Attacks
The proliferation of new ransomware variants and their rapid evolution virtually guarantees that detection-based anti-ransomware solutions won’t stop all – or perhaps even most –attacks. In fact, in a recent survey, managed security service providers (MSSPs) said that 74% of threats that their customers experienced were zero-day malware that signature-based solutions couldn’t detect at release. 59% of the MSSPs said that ransomware circumvented their clients’ anti-malware filtering and 42% said that legacy signature-based anti-virus solutions failed to stop ransomware.
For these reasons and more, leading enterprises of all sizes are turning toward a Zero Trust approach to cybersecurity, where nothing is trusted unless verified as safe. Of course, given the findings above, virtually no email or website can ever be verified safe.
Given that troubling fact, Remote Browser Isolation (RBI), the Zero Trust approach to web browsing, keeps all active web code away from endpoints and networks while still enabling users to freely access and interact with the websites they need. Websites are executed on a virtual browser that is isolated in a cloud-based container. Only safe rendering data is streamed to the user’s browser of choice, on their device, where users interact with it as they would with the actual site. If a user clicks on an infected link, malware remains in the container and is destroyed once the user stops browsing. Since no active code ever reaches the endpoint, ransomware cannot infect the user device or organization network.
Relying on users to recognize emails as phishing and know not to click simply does not work. Effective phishing emails are expertly crafted to manipulate users, with the best achieving click rates upwards of 10% even among users who have undergone regular anti-phishing training. Organizations with RBI can rest easy, however, since any URLs clicked from phishing emails will be isolated in remote browses.
To protect against phishing attacks that leverage infected attachments, either in the email or on a linked website, Ericom RBI integrates Content Disarm and Reconstruction (CDR). CDR opens attachments from emails or websites in isolation, in the cloud-based container, then detects and sanitizes the files of malware before delivering the attachment to the user with desired native functionality intact. As a result, users – and the organizations they work for – are protected from phishing emails containing weaponized attachments and/or malicious links.
Conclusion
High-profile ransomware attacks were widely covered in news reports in the first half of 2021. Cybercriminals demanded $50 million in ransom from PC maker Acer, who did not disclose whether they paid, insurance carrier CNA Financial reportedly paid a $40 million ransomware demand, the attack on Colonial Pipeline threatened a gasoline shortage on the East Coast, and an attack on Ireland’s Health Service disrupted its operations for months.
The many attacks on small and midsize enterprises are less notorious, but extremely painful for victims, whose operations may be shut down for days or weeks. Ransom payments, generally in the tens or hundreds of thousands of dollars, represent just a fraction of the costs, which include services to root out ransomware and restore data and operations, lost business during shutdowns, fines, and loss of customers.
As the threat environment keeps evolving, the best way to protect against ransomware attacks is to get ahead of them by implementing a Zero Trust security approach.
