In 2023, digital spaces are more varied and diverse than they have ever been. With tech advancing every year, functionality is at an all-time high, and there are many individuals who want to take advantage of the internet’s capabilities to exploit businesses. The use of ransomware has increased, and it is becoming a very real concern for anyone established online, no matter their niche, reach, or impact.
What is Ransomware?
Ransomware is a form of malware that uses encryption to seize unsuspecting websites and blackmail individuals or businesses into paying for a safe return. It locks away critical data with unique encryption, so that everything from databases and files to applications can be locked down. The process is typically designed to encompass entire networks, for an impactful attack that takes over every aspect of a website’s functionality. When this happens, there can be significant damage and a long list of expenses to cover when regaining access.
An attack starts with malware: an attack vector establishes a presence on the target (usually on an endpoint), where it remains until its preset tasks are completed. If these attempts are successful, the ransomware runs a malicious binary that searches for and encrypts any files deemed of value to the attacker. More advanced software aims to exploit vulnerabilities in systems and networks, and can spread across wider structures. Ransom demands are prompted within 24-48 hours, and victims risk losing their files entirely if the demands aren’t met.
How Ransomware Works
Before delving into the working mechanism of ransomware, it’s important to understand that this is an extremely in-depth process that relies on asymmetric cryptography to function with the most impact. This is how ransomware works in a nutshell:
- Step 1. Infiltration: Adversaries use certain attack vectors such as malicious emails, software vulnerabilities, remote desktop protocol (RDP) and brute force to enter a victim’s system.
- Step 2. Execution: Once inside the system, the ransomware starts spreading laterally to identify and target the most valuable assets while establishing communication with the attacker’s command and control (C&C) server.
- Step 3. Encryption: The ransomware starts encrypting the victim’s files using unique public-private key pairs generated specifically for the attack, making the files inaccessible.
- Step 4. Ransom Demand: After encryption, the ransomware typically displays a note informing the victim about the attack and demanding a ransom payment.
This one-two punch relies on the key pair to encrypt and decrypt the files: the private key is stored on the attacker’s server and only becomes accessible to the victim when a sum is paid. Even the most highly functioning security software is currently unable to perform decryption in these cases, so these types of campaigns are becoming increasingly popular and can be extremely detrimental.
Common Ransomware Types
Given the plethora of ransomware types and variants and the continual emergence of new ones, it’s crucial to take note of the most prolific types in order to be better prepared:
- Lockware: As the name implies, lockware completely locks the affected individual out of their system, rendering their files and applications inaccessible.
- Encryptors: This type of ransomware encrypts files on the victim’s system and is usually accompanied by a ransom note with payment demands and instructions for payment.
- Master Boot Record (MBR) Ransomware: MBR ransomware infects the device’s Master Boot Record, resulting in a compromised boot process and requiring a ransom payment to regain system access.
- Scareware: Scareware displays false or misleading messages, tricking victims into believing their system is infected with malware and coercing them to pay a ransom for its removal.
- Leakware: Typically targeting enterprises with sensitive information or trade secrets, leakware encrypts this data and threatens to release it to the public unless a ransom demand is met.
- Ransomware-as-a-Service (RaaS): RaaS refers to a model where cybercriminals develop and distribute ransomware to other attackers, who then carry out the attacks and share the profits with the original creators.
The Costs of Ransomware Attacks
For many under attack, costs can quickly mount up even after the initial cost is paid. While it may be understandable that the successes of these campaigns have led to a spike in ransom requirements, it is crucial to recognise that these attacks have the potential to completely block access to vital data and systems, leading to significant loss of capital, resources, and even reputation during the process of restoring, recovering, and maintaining business operations. If production lines come to a halt, there are additional financial considerations, including the continuous payment of utilities, staff, contracted services and more. Statistics issued by Sophos suggest that costs can reach upwards of $1.82 million on average when bouncing back from an attack in 2023. This does not account for revenue lost through missed business opportunities and similar, with around 84% of private sector organisations reporting as much. (1)
Best Practices for Ransomware Prevention
Although it’s hard to predict when and how an organisation may be targeted by ransomware, there are certain procedures that can be put in place to minimise the impact of ransomware campaigns, such as:
- Maintaining data backups: Through consistent data backup practices, organisations can recover their lost data without paying a ransom. Automated backup systems should be the go-to choice to protect data against potential ransom demands.
- Implementing security awareness programmes: Educating staff on how to identify and avoid potential ransomware attacks, including understanding the methods, warning signs, and participating in cybersecurity drills.
- Leveraging network segmentation: Isolating critical systems to reduce the attack surface and enhance access control, thereby limiting the impact of potential ransomware attacks.
- Applying the latest patches: Regularly updating software and systems with the most recent security fixes, ensuring vulnerabilities that could be exploited by ransomware are addressed.
- Utilising advanced security controls: Implementing comprehensive security software, such as email and endpoint protection, network monitoring, and DNS security controls to detect and prevent ransomware threats.
The significance of the last point is magnified by the widespread abuse of DNS in ransomware attacks. A report by the United States National Security Agency (NSA) reveals that 92% of cyber-attacks exploit DNS in some shape or form (2). Other studies corroborate these findings (3 & 4), highlighting the critical need for organisations to leverage advanced security controls, in particular DNS security controls, to effectively detect and prevent ransomware threats.
DNSSense: The Ultimate Defence Against Ransomware
Through its DNS Detection and Response (DDR 2.0) solution set, DNSSense offers comprehensive protection against a wide range of threats, including malware, ransomware and phishing attacks. Backed by Cyber X-Ray, the world’s best AI-powered domain intelligence service, DNSSense has access to contextualised telemetry - comprising hundreds of data points - of every single domain and subdomain on the Internet.
By adopting a “Positive Security” model, DNSSense’s cloud-based DNS response service, DNSDome, blocks connection attempts to first-seen and newly registered domains - the usual suspects in ransomware attacks - until they are deemed safe through instant categorisation.
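The default-deny policy described above, sketched as an added example (not DNSSense's code or API): queries to newly registered or first-seen domains are blocked until the domain is categorised safe. The log entries, registration dates, the 30-day age threshold and all function names are constructed assumptions.

```python
from datetime import date

# Constructed sample data; a real deployment would take registration dates
# from a WHOIS/RDAP feed and the baseline from resolver history.
REGISTERED = {"example-corp.test": date(2015, 3, 1),
              "cdn-updates.test": date(2023, 6, 28)}
QUERIES = [  # (query date, client IP, queried name)
    (date(2023, 7, 1), "10.0.0.5", "mail.example-corp.test"),
    (date(2023, 7, 1), "10.0.0.9", "c2.cdn-updates.test"),
    (date(2023, 7, 1), "10.0.0.9", "files.unknown-host.test"),
    (date(2023, 7, 2), "10.0.0.9", "files.unknown-host.test"),
]

def registrable(name):
    """Last two labels; an assumption that ignores multi-label public suffixes."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def decide(day, name, seen, safe, registered=REGISTERED, min_age_days=30):
    """Return (verdict, reason) for one query under a default-deny policy."""
    dom = registrable(name)
    if dom in safe:  # already categorised as safe
        return "allow", "categorised safe"
    reg = registered.get(dom)
    if reg is not None and (day - reg).days < min_age_days:
        return "block", "newly registered"
    if dom not in seen:  # never resolved on this network before
        return "block", "first seen"
    return "allow", "known domain"

def run(queries, seen, safe):
    """Apply the policy to a query log; only allowed domains join the baseline."""
    seen, results = set(seen), []
    for day, client, name in queries:
        verdict, reason = decide(day, name, seen, safe)
        if verdict == "allow":
            seen.add(registrable(name))
        results.append((client, name, verdict, reason))
    return results

if __name__ == "__main__":
    for row in run(QUERIES, seen={"example-corp.test"}, safe=set()):
        print(*row)
```

A blocked domain stays blocked on repeat queries until it is added to `safe`, which stands in for the categorisation step.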
Leveraging machine learning algorithms, DNSEye detects DNS traffic anomalies to identify malicious queries and trace them back to their root cause. The “Why Visited” module reveals unauthorised traffic redirections to seemingly safe domains, while “Security Incidents” provides real-time automated response to incident scenarios.
With ransomware attacks becoming increasingly sophisticated and the potential for substantial financial and reputational losses, organisations need to adopt a proactive cybersecurity approach to protect sensitive data against these threats before they disrupt operations. In the context of ransomware attacks, a proactive defence must inevitably involve a combination of reliable AI-powered threat intelligence, enhanced data monitoring for early detection of traffic anomalies, real-time automated incident response, and perhaps above all, intelligent data enrichment for root cause investigation and cross-layer visibility into attack vectors. In addition, organisations should prioritise regular security awareness training for employees, robust access controls, and timely patch management to further strengthen their proactive defence against ransomware attacks.