The 5 Steps Ransomware Takes to Complete an Attack

Nowadays, both personal and business computers/devices can be held hostage to extortion online. Ransomware can wreak havoc on your systems in five short steps that are executed at a rapid pace. Here is how most ransomware operates:

Step 1: Targeting potential victims

Although computers and devices running on a Microsoft Windows operating system currently get the brunt of ransomware attacks, hackers are increasingly targeting Mac OS X and mobile systems as well, given the popularity of the platforms. They also search for vulnerable websites and software applications (like Adobe) that can be hacked and serve as a host for their ransomware.

Available pools of ransomware victims are organized by country, region, and/or industry. Wealthier countries or industries known for paying the ransom fee are highly targeted.

Step 2: Dissemination

The most common way that ransomware is disseminated is through malicious attachments on spear-phishing emails (emails that appear to be from a legitimate individual or business that you know). The attachments often look like MS Office or Adobe PDF documents, but in actuality, they are Trojans carrying embedded ransomware that activate when the attachments are opened.

Another common tactic that hackers use is sending you a phishing email with a link connected to a compromised website. The email and website can be disguised to look like a financial institution (bank or IRS), law enforcement agency (FBI), or other entity. Once you click on the link and the website appears, the ransomware automatically installs itself on your computer/device. This is known as a “drive-by-download.”

Step 3: Probe and Exploit Vulnerabilities

Hackers are increasingly using exploit kits as a probing mechanism to get details from a potential victim’s system, such as the operating system type and version and the applications installed.

How does this happen, you ask? Cybercriminals secretly place these kits on legitimate websites or fake websites designed to look like carbon copies of the real sites. Then, they simply wait for you to land on the website so your browser leads them to your system information. As the name would suggest, the exploit kits actively search for vulnerabilities that they can then use to their advantage and move on to the next step in the process — infection.

Step 4: Infection

At this point in the process, either the actual ransomware itself is installed on your computer/device or a covert malicious downloader has been placed on your system. In the latter case, the downloader opens a backdoor through which more than one type of malware can pass, which exposes your computer/device to multiple attacks.

Step 5: Execution

As soon as the ransomware has finished installing on your computer or device, the program starts to disable critical operations or finds and encrypts data files. You are then directed to the hacker’s ransom note with instructions regarding how to send payment. Since bitcoin is untraceable, cybercriminals most often demand ransom in this form.

Common Types of Ransomware:

  • CryptoLocker is a well-known ransomware that was first reported in 2013 and keeps resurfacing in many different variations. It encrypts all the files on your computer and demands that you purchase a password in order to decrypt everything.
  • CryptoWall (a.k.a. Cryptobit, CryptoDefense, Crowti) is a variant of CryptoLocker that encrypts the files on your computer and directs you to a webpage requesting payment in bitcoins to get the decrypted files back. It attempts to eliminate a method of data recovery by deleting shadow copies of files, which can be damaging if you do not have other reliable backup systems in place.
  • Locky is disguised as an innocent-looking email message with an attachment, such as an invoice. The information in the document is scrambled so the recipient enables macros to make it readable. Once macros are enabled, Locky begins encrypting your files. As soon as the encryption process is complete, you receive a ransom message demanding bitcoins.
  • TeslaCrypt (a.k.a. Tescrypt) can infect your computer in multiple ways. It can automatically download to your system through compromised websites. Alternatively, compromised websites redirect you to a page with an Angler Exploit kit (malicious code) that hacks your system via Adobe vulnerabilities. This ransomware can also spread through links in spam email, activated when you click the link. TeslaCrypt then installs itself in a temporary folder and proceeds to encrypt text, PDF files, spreadsheets, and even video game files. A plain-text file and HTML file are dropped on your computer, instructing you how to pay the ransom in order to receive a decryption key.
  • TorrentLocker, a variant of the original CryptoLocker, is most often sent through geographically-focused spam email campaigns. The emails are effective because they contain local branding and the language of the target region, with few, if any, spelling or grammatical errors. TorrentLocker encrypts your files before demanding payment in bitcoins. Unlike other ransomware, it also collects email addresses from your address book as a way to potentially gain more victims and spread even further.
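Two of the behaviours described above, the shadow-copy deletion CryptoWall uses to defeat recovery and the bulk file encryption of Step 5, leave traces a defender can look for. As an added example that is not part of the original post, the Python below runs two detection heuristics over a constructed sample of Windows process-creation and file-rename events; the process name suspect.exe, the .enc extension, the thresholds and the event format are assumptions, not indicators from any real case.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Each entry is
# (timestamp, event type, process name, detail): "proc" carries the
# command line, "rename" carries "old name -> new name".
SAMPLE_EVENTS = [
    ("2016-03-01T10:00:01", "proc", "WINWORD.EXE", "winword.exe /n invoice.doc"),
    ("2016-03-01T10:00:05", "proc", "suspect.exe", "C:\\Temp\\suspect.exe"),
    ("2016-03-01T10:00:07", "proc", "suspect.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("2016-03-01T10:00:08", "rename", "explorer.exe", "draft.txt -> final.txt"),
] + [
    ("2016-03-01T10:00:%02d" % (10 + i), "rename", "suspect.exe",
     "doc%d.docx -> doc%d.docx.enc" % (i, i))
    for i in range(25)
]

# Command lines that remove Volume Shadow Copies (the recovery path the
# post says CryptoWall destroys); matched case-insensitively.
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

def shadow_copy_deletions(events):
    """Return (timestamp, process, command line) for shadow-copy deletions."""
    return [(ts, proc, cmd) for ts, kind, proc, cmd in events
            if kind == "proc" and any(p.search(cmd) for p in SHADOW_DELETE)]

def mass_rename_bursts(events, threshold=20, window=timedelta(seconds=60)):
    """Return processes that renamed at least `threshold` files to a new
    extension within one `window`; a crude 'encryption in progress' signal."""
    per_proc = defaultdict(list)
    for ts, kind, proc, detail in events:
        if kind != "rename":
            continue
        old, new = [s.strip() for s in detail.split("->")]
        if old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]:  # extension changed
            per_proc[proc].append(datetime.fromisoformat(ts))
    hits = []
    for proc, times in per_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(proc)
                break
    return hits
```

Tune the rename threshold and window to the file churn normal on the host you monitor; shadow-copy deletion from anything other than an administrator's console is worth an alert on its own.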

Unfortunately, this is not a comprehensive list as new variants of ransomware pop up all the time. In the event that your system gets hit with ransomware, here is what you can do.

Next: What You Can Do Once Your System Is Infected with Ransomware

FREE Security Analysis Resolves Your Biggest Data Security Problems and Makes Your Systems Run Like Clockwork

We like to reward life-long learners. As a bonus for learning more about ransomware threats and how to protect your business, we’re offering you a FREE Hassle-Free Security Analysis to check for any vulnerabilities in your systems (and give you peace of mind). We’ll report any issues that need to be addressed and detail the resolution(s). Simply give us a call at (317) 372-7625/ (765) 588-3025 to reserve your free security analysis or complete our short online form.