The Anatomy of Ransomware Attacks

Ransomware attacks are plaguing organizations throughout the globe, particularly in the U.S., and have become the attack method of choice for hacking organizations. Big names like Colonial Pipeline, meat producer JBS and the city of Gary, Indiana recently made headlines when their operations screeched to a halt after their data and technology fell victim to bad actors believed to be based in Russia. Operations resumed only after millions of dollars in ransom were paid and it is still unclear whether these organizations were able to recover all the data seized by the attackers. More than likely, they were not. Hashed Out reported that in 2019 cybercriminals successfully launched ransomware attacks against 966 U.S. government, healthcare, and educational entities, combined costing those organizations more than $7 billion. And it is likely to get much worse before it gets better. So fasten your cyber-seatbelts folks, it is going to get ugly.

SO, WHAT EXACTLY IS RANSOMWARE? Ransomware is a type of malicious software that is launched by cybercriminals to extort money from targeted victims. The malware infects the target’s systems, then locks and encrypts its files unless or until a ransom is paid. This prevents anyone from opening those files and accessing data, effectively rendering inoperable all business processes that use that data - and often causing substantial and irreversible data loss. Usually, the companies only have a few hours or a couple of days to pay the ransom before the key to unlock the data is destroyed.

HOW DOES RANSOMWARE WORK? Ransomware attacks often start with a Trojan, which is malware disguised as a legitimate file that a user is tricked into opening or downloading. This is not always the case, as the notorious WannaCry worm spread unfettered by the need for any user interaction. But today, Trojans are for the most part square one in the ransomware attack paradigm. Once the Trojan has been deployed inside the organization, it immediately goes to work spreading itself and encrypting every file it comes across on the first computer it infects and then every computer it is able to get to. Usually a message is displayed on the encrypted host computer, informing the user of the attack, the amount of ransom demanded, details on how to contact the cybercriminal, and instructions on how to pay.

WHAT A RANSOMWARE ATTACK MIGHT LOOK LIKE Brenda works in HR for a billion-dollar shipping company with worldwide offices. While the business has a robust online career platform, Brenda often receives emails from jobseekers with their resumés attached. Monday afternoon, Brenda receives a job inquiry with an attachment entitled “John Smith’s Resumé.” The email references the CEO of the company or some other important person, so Brenda naturally assumes it is legitimate and important. She opens the PDF and notes that the jobseeker included very little on the document. Weird but not remarkable. She exits the PDF and moves the email to her recycle bin. Unbeknownst to Brenda, the document she opened was really just a vessel to carry malicious code - a Trojan - and with that simple click, a group of ransomware attackers from the other side of the planet penetrated the organization and quietly began a sustained assault on the company’s network. Brenda finishes off her day answering emails and screening job applicants, then heads home at 5pm. Tuesday morning, Brenda notices her computer is taking a little extra time to boot. She later thinks that the internet is running slowly, but she chalks it up to Wi-Fi issues. Not a big deal; she will let IT support know if it continues. But what Brenda does not suspect is that for the last 20 hours malicious ransomware code that originated from that PDF she opened yesterday has been spreading like wildfire throughout the company’s systems. And things are only going to get worse. Brenda goes home that evening. A little later, as Brenda is standing over her stove making dinner, ransomware is locking user accounts, encrypting files, and extracting critical data. First thing Wednesday, as Brenda and 5,000 of her coworkers attempt to log on to their computers, a message appears on their desktops informing them their systems are locked and their data encrypted -  and demanding a ransom of $1 million in bitcoin to make the issue go away. The global shipping business comes to a screeching halt, affecting worldwide commerce, but Brenda still has no idea that the malware originated from that weird resumé she opened on Monday. Unable to service their customers, the company almost immediately finds themselves in a money crunch, unable to invoice, collect and process payments. The loss in revenue is staggering. The C-levels and the IT department discuss options, stakeholders are informed, and an emergency meeting is scheduled for later that morning. The IT department strongly suspects the malicious software has spread to their customers and thus the company has informed those businesses of the threat. News of the ransomware attack is making headlines and the media is gathering outside. In the meantime, the executive team begins talks with the FBI to help determine their options. It is almost a no-brainer. The projected cost of idle operations, lost productivity, and customer attrition will far exceed the comparatively modest ransom. On Thursday, the company officially succumbs to the ransom demand to regain access to their systems. However, upon paying the ransom, the company is unable to restore all the encrypted data, and the fallout - including potential data exfiltration and exposure of customer information - is poised to drag on for months, if not years. Friday morning, Brenda is sitting at her desk and the phone rings. It is the FBI. She is shocked to learn the ransomware attack that cost the company millions of dollars started from her desktop with just a simple click on an email attachment. If you think your systems may have been affected by malware or you seek to protect your organization and mitigate damages from ransomware attacks, Ravdal, Inc. can help. Contact us now. Stig Ravdal is the President & Founder of Ravdal, Inc., a leading cybersecurity company. He is an expert in the fields of cybersecurity strategy and technology solutions, and is available for speaking engagements.