The Ransomware Threat Landscape
eBook - ePub

The Ransomware Threat Landscape

Prepare for, recognise and survive ransomware attacks

  1. 85 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

The fastest-growing malware in the world

The core functionality of ransomware is two-fold: to encrypt data and deliver the ransom message. This encryption can be relatively basic or maddeningly complex, and it might affect only a single device or a whole network.

Ransomware is the fastest-growing malware in the world. In 2015, it cost companies around the world $325 million, which rose to $5 billion by 2017 and is set to hit $20 billion in 2021. The threat of ransomware is not going to disappear, and while the number of ransomware attacks remains steady, the damage they cause is significantly increasing.

It is the duty of all business leaders to protect their organisations and the data they rely on by doing whatever is reasonably possible to mitigate the risk posed by ransomware. To do that, though, they first need to understand the threats they are facing.

The Ransomware Threat Landscape

This book sets out clearly how ransomware works, to help business leaders better understand the strategic risks, and explores measures that can be put in place to protect the organisation. These measures are structured so that any organisation can approach them. Those with more resources and more complex environments can build them into a comprehensive system to minimise risks, while smaller organisations can secure their profiles with simpler, more straightforward implementation.

Suitable for senior directors, compliance managers, privacy managers, privacy officers, IT staff, security analysts and admin staff – in fact, all staff who use their organisation's network/online systems to perform their role – The Ransomware Threat Landscape: Prepare for, recognise and survive ransomware attacks will help readers understand the ransomware threat they face.

From basic cyber hygiene to more advanced controls, the book gives practical guidance on individual activities, introduces implementation steps organisations can take to increase their cyber resilience, and explores why cyber security is imperative. Topics covered include:

  • Introduction
  • About ransomware
    • Basic measures
  • An anti-ransomware programme
    • The control framework
    • Risk management
    • Controls
    • Maturity
  • Basic controls
  • Additional controls for larger organisations
  • Advanced controls

Don't delay – start protecting your organisation from ransomware and buy this book today!

About the author

Alan Calder is the Group CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru, and a leading author on information security and IT governance issues. He has been involved in the development of a wide range of information security management training courses that have been accredited by IBITGQ (International Board for IT Governance Qualifications).

Alan has consulted for clients across the globe and is a regular media commentator and speaker.


Information

Publisher
ITGP
Year
2021
ISBN
9781787782808

CHAPTER 1: ABOUT RANSOMWARE

In general, there are three types of ransomware:
1. Scareware
2. Screen lockers
3. Encrypting ransomware
Before we go further, I should note that this book is primarily interested in ‘encrypting ransomware’.
Scareware is typically little more than malicious advertising. The user might see a pop-up advising that malware has been detected and instructing them to visit a website or make a payment to have the malware removed. This can be served on a website (in which case it’s likely you’re not infected at all and it’s just an obnoxious pop-up) or from a malware infection on your device. In most cases, this is all that the malware will do, so it could be little more than an annoyance – but if you have this sort of infection, it’s likely there’s more malware that you just don’t know about.
Screen lockers, meanwhile, look an awful lot like encrypting ransomware. They freeze up your device and often present a message stating that the user must either pay a ransom or that they are under investigation by the FBI or some other authority. This is obviously a more significant threat than scareware, but in most cases your data is otherwise safe – the malware is simply preventing you from accessing the device and trying to scare you into making the payment.
Encrypting ransomware is a much greater issue, because it’s not possible to recover your files without either a great deal of luck (if the ransomware is old enough that there is a known solution) or by paying the ransom – and there’s no guarantee that the criminals will hold up their side of the deal.
There’s a growing subset of this in which the criminals will also take copies of your data. This usually acts as an additional threat in the ransom: if you don’t pay up, not only will you lose your data, we’ll release it onto the Internet; if you do pay, we’ll unlock your files and dispose of the copies. Again, however, you have no idea if the criminals will actually delete their copies. If you know much about criminals, you’ll join me in being sceptical.
There is a strong argument to never pay the ransom. Regardless of any ethical considerations, there’s a simple practicality: you have no way of knowing if the criminals will actually unlock your information, nor any guarantee that they then won’t mark you as an easy target (see the end of this chapter for more on the ransomware ‘business model’). By far the best solution, as you’ll see, is to be prepared so that you can prevent as many infections as possible, contain any ransomware that does make it through, and recover your systems and information quickly and with minimal interruption.

How it works

The core functionality of ransomware is two-fold: to encrypt data and deliver the ransom message. Depending on the complexity of the malware and its mechanism for gaining access, the encryption can be relatively basic or maddeningly complex, and it might affect only a single device or a whole network.
Encryption is a relatively common feature in modern computing, and most users encounter it without ever realising. Most of the time, encryption is a valuable tool: it protects data from being accessed or interfered with by unauthorised parties. Not all information needs to be encrypted, but most people would conclude that it’s valuable and often a ‘better safe than sorry’ solution, even for relatively mundane information.
An ideal system encrypts data to be sent (or stored) and the receiving device decrypts the information, all without the users necessarily being aware of the fact. This relies on cryptographic keys, which instruct how the information is encrypted and decrypted. In some cases, the same key can be used to encrypt and decrypt, while others use one key for each purpose. In any case, a key is necessary to access the information.
Ransomware’s main problem is that the victim has no access to a key to decrypt the data. Depending on the strength of the encryption algorithm, this can mean that the data is essentially unrecoverable. While some older algorithms can be broken given enough time and are still occasionally used in business either because the infrastructure is outdated or there’s a perceived benefit to having simpler encryption, there’s no need for a ransomware attacker to use this – they don’t want the data to be readily accessible. For all practical purposes: if you’re hit by ransomware, your data is lost unless you get the key or can recover it from somewhere that hasn’t been affected.
Once the data has been locked up, the ransomware needs to notify the user, which is generally in the form of a pop-up or other notice on your screen, which will (possibly gloatingly) explain that your files have been encrypted and how to pay to get them unlocked. Depending on the scale of infection and the purpose of the ransomware, it might leave some systems accessible, even if in a limited capacity. For instance, the ransomware might lock down the device in its entirety, leaving only a message explaining how to pay the fee; alternatively, it might leave the user able to access the Internet so that the ransom can be paid.
One of these messages is usually the first sign anyone gets that they’ve been infected. So, how did it get there?

Mode of access

Ransomware, just like any other malware, needs a way in. This is generally called ‘infiltration’, and there are two primary methods:
1. Social engineering, such as phishing.
2. Technical vulnerabilities in the network perimeter.
Social engineering often relies on human error – clicking links in phishing emails, allowing an unknown application to execute, and so on. The aim for any malware developer is to reduce the number of times they need humans to make errors: if they rely on someone to click a link, then accept a download and actively execute the file, that’s three points at which the target might wake up and realise they’re making a mistake. If the target only needs to click a link, the criminal’s doing much better. If they can find a way to get the malware directly onto the target’s device without them realising, they have an absolute winner.
Among the most popular methods is phishing, which has long been proven an effective way of slipping past technical defences. In this scenario, the target opens an attached document (probably Word or a similar format, with the malware payload delivered by a macro) or clicks a link, and they’re promptly infected.
Ransomware can be delivered a number of other ways – via a wider infection once it gets into a network, for instance, within an infected USB device, packaged with a more ‘benign’ download (such as bundled with an app or other software from a disreputable source), and so on. As you can see, in many cases, the initial infection is due to human error.
It is also possible to deliver ransomware without human intervention, however, by directly attacking the network via vulnerabilities in the perimeter. Criminals are constantly probing network boundaries looking for the tell-tale signs of a vulnerability that they can exploit to gain access.
Undirected attacks against networks look for common flaws that can be automatically exploited. The WannaCry attack was able to propagate, for instance, by taking advantage of an NSA backdoor that had been recently revealed. There was a patch available, but too few machines had been updated.
More complicated attacks – clearly targeted – will combine data from a number of sources in order to gain access. For instance, responses from a login portal (such as making it clear if a specific username is correct even if the password is wrong) could be combined with information gleaned from LinkedIn (a list of employees) and previous data breaches (connecting a user with passwords they’ve previously used), which could give criminals a set of likely user credentials to attempt.
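The login-portal behaviour described above (a response that reveals whether the username exists) is a defect an organisation can remove on its own side. The following is an added example, not code from the book or from its author: a leaky login handler beside a hardened one that returns a single generic message and performs the same password-hash computation whether or not the account exists, so neither the wording nor the response time distinguishes a valid username from an invalid one. The user store, salts and passwords are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo user store (not from the book): username -> (salt, PBKDF2 hash).
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = b"constructed-demo-salt"
USERS = {
    "alice": (_SALT, _hash_password("correct horse", _SALT)),
}

# Dummy record used when the username is unknown, so the hardened handler
# always does exactly one PBKDF2 computation regardless of the outcome.
_DUMMY_SALT = b"dummy-salt-for-missing-users"
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Different messages for 'no such user' and 'wrong password'.

    The difference lets an outsider confirm which usernames exist, which is
    exactly the information the book describes being combined with leaked
    password lists. It also skips the hash when the user is unknown, so the
    response time differs as well.
    """
    if username not in USERS:
        return "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "Wrong password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """One generic failure message and the same amount of work every time."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    # An unknown user can never log in, even if the guess matched the dummy.
    if username in USERS and matched:
        return "OK"
    return "Invalid username or password"


if __name__ == "__main__":
    for handler in (login_leaky, login_hardened):
        print(handler.__name__, handler("bob", "x"), "|", handler("alice", "x"))
```

The generic message alone is not enough: if the unknown-user path returns early, the faster response still reveals the same fact, which is why the hardened version hashes against a dummy record. Rate limiting and multi-factor authentication on the portal reduce the value of any credential list the attacker assembles from other sources.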
Other criminal groups sell known backdoors or details of previously compromised networks that ransomware attackers can target without needing to do too much of their own work to gain access. This access will generally have been gained the same way as those methods described above.
All of this is a way in, but ransomware also needs to establish itself without being detected. As malware is often single-purpose, ransomware can have some difficulty gaining a foothold anywhere, which is why it is often paired with one or two other malicious programs. As mentioned in the introduction, Emotet is a popular Trojan that does most of the legwork for ransomware, but there are others that do much the same.

The infection

The actual speed of movement once the malware is within the network can vary considerably, depending on the attacker’s ambitions, the attack method and any internal technical security measures.
An attacker who isn’t concerned about the specific data they’re locking up will simply attempt to lock up as much as possible as quickly as possible until it’s stopped. Indiscriminate, untargeted ransomware attacks are more likely to follow this approach. In this case, the ransomware will simply start grabbing files and encrypting them, often starting with files that aren’t system-critical in order to minimise the risk of being spotted. It should be noted that this is a pretty primitive method, and most modern ransomware will take a more intelligent approach to maximise its impact.
A more complex ransomware attack will put measures in place to cripple defensive measures or hide from them, which can slow the rate of encryption – at least initially. This might include disabling antivirus and intrusion detection systems, system logs, and so on. The aim in these cases will be to maximise the amount that can be encrypted.
More advanced attacks will also attempt to spread through a network, not encrypting anything until as many systems as possible are carrying the infection. As with the initial entry into the network, this will be facilitated by other malware desig...
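The behaviour described in this section, a process rewriting many files with unreadable content and renaming them in a short burst, is something a defender can look for on the endpoint or in file-server audit logs. The following is an added example, not code from the book or from its author: a small detector that scores file events by content entropy (ciphertext looks like random bytes, ordinary documents do not) and by extension-changing renames, then flags any process that produces several such events inside a sliding time window. The event stream, process names, file paths and thresholds are all constructed for the demonstration; real thresholds would be tuned against the organisation's own baseline.

```python
import math
import os
import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class FileEvent:
    ts: float                        # seconds since start of the capture
    process: str                     # process that performed the operation
    path: str                        # file acted on
    data: bytes = b""                # bytes written (empty for a rename)
    new_path: Optional[str] = None   # set when the event is a rename


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def is_suspicious(ev: FileEvent, entropy_threshold: float) -> bool:
    """A rename that changes the extension, or a write of high-entropy content."""
    if ev.new_path is not None:
        return _ext(ev.path) != _ext(ev.new_path)
    return bool(ev.data) and shannon_entropy(ev.data) >= entropy_threshold


def flag_ransomware_like(events: List[FileEvent], window: float = 10.0,
                         min_events: int = 5,
                         entropy_threshold: float = 7.0) -> Set[str]:
    """Return processes with at least `min_events` suspicious events inside
    any `window`-second span (illustrative thresholds, not tuned values)."""
    times = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if is_suspicious(ev, entropy_threshold):
            times[ev.process].append(ev.ts)
    flagged = set()
    for proc, ts in times.items():
        start = 0
        for end in range(len(ts)):          # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= min_events:
                flagged.add(proc)
                break
    return flagged


def demo_events() -> List[FileEvent]:
    """Constructed sample: one legitimate editor save, plus a process that
    rewrites documents with random-looking bytes and renames them in a burst."""
    rng = random.Random(1)   # deterministic stand-in for ciphertext-like content
    events = [FileEvent(0.0, "editor", r"C:\docs\notes.txt", b"meeting notes " * 200)]
    for i in range(4):
        doc = rf"C:\docs\report{i}.docx"
        events.append(FileEvent(1.0 + i, "unknown_proc", doc, rng.randbytes(4096)))
        events.append(FileEvent(1.5 + i, "unknown_proc", doc, new_path=doc + ".locked"))
    return events


def run_demo() -> Set[str]:
    return flag_ransomware_like(demo_events())


if __name__ == "__main__":
    print("flagged:", run_demo())
```

Backup and archiving tools legitimately write high-entropy data in bulk, so a deployment would allow-list those processes rather than lower the thresholds. Because the book also notes that advanced attacks disable logging first, a detector of this kind should raise a separate alert when the event stream from a host simply stops.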

Table of contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. About the Author
  5. Contents
  6. Introduction
  7. Chapter 1: About ransomware
  8. Chapter 2: Basic measures
  9. Chapter 3: An anti-ransomware programme
  10. Chapter 4: Basic controls
  11. Chapter 5: Additional controls for larger organisations
  12. Chapter 6: Advanced controls
  13. Further reading