It's easy to assume that all ransomware is similar, and it’s not uncommon to think that one size fits all in terms of prevention and preparation. However, because each ransomware type is usually developed to attack different, specific networks, they can be very dissimilar in how they work. So, it’s important to understand the different types currently being used (keeping in mind that it’s also possible to combine multiple types of ransomware). If your organization is attacked, and you don’t have a plan to defend against the different types of ransomware, the likelihood is that the attack will have a greater negative impact on your company.
STAYING SMARTER THAN THE HACKERS: WHY YOU MUST KNOW THE LATEST RANSOMWARE TYPES
Ransomware strains are constantly evolving and changing. If you’re not aware of the known types of viruses, then it’s very possible that protection strategies used for certain specific types of ransomware will not protect your network against the other varieties. This is especially true of several strains currently running rampant that can affect any file connected to the network, thus easily infecting backups. If your backup isn’t properly protected and gets infected, then it is much harder to get up and running after the attack, and you are more likely to find yourself in the unenviable position in which paying the ransom is the only realistic choice.
By knowing the type of ransomware attack that you are under, the initial response, such as immediately shutting down network connectivity, can significantly limit the damage that’s inflicted.
Here are five common types of ransomware viruses attacking organizations.
CRYPTOWALL
If your organization is attacked by ransomware, there is a high likelihood it is CryptoWall. According to a 2016 threat report [1], CryptoWall is responsible for a high percentage of ransomware attacks. Typically, this type of ransomware reaches its target through phishing emails. Unfortunately, the creators of CryptoWall continue to release new versions of this virus designed to get around security protection, so it’s important to follow the news about the evolution of CryptoWall.
In May 2017, the so-called WannaCry ransomware virus, a derivative of the Crypto family, was at the core of the largest cyberattack ever perpetrated. The attack ultimately disrupted businesses across multiple industries – and in more than 150 countries around the globe. The most dangerous aspect of this type of ransomware is its ability to encrypt improperly protected backup systems, which often forces organizations to pay the ransom.
BEST DEFENSE: Shut down network connectivity to the affected systems. Keep an offline backup of all data to allow for quick restoration of files after an attack.
LOCKY
While the name of this virus conveys what it does (locks you out of files and replaces the files with the extension .locky), it misses the most damaging part of this type of ransomware – its speed. Locky has the distinction of spreading to other files throughout the network faster than other strains of ransomware. Another threat report [2] found that some industries were more targeted by Locky than others.
While this virus has been around for a while, it has also been reported [3] that the latest attack strategy for Locky is to use an infected DOCM file (Microsoft Word template file) attached to an email. Apparently, Locky attacks are beginning with an email carrying a ZIP attachment from a legitimate-sounding company, or through Facebook Messenger.
BEST DEFENSE: Implement a corporate strategy for Data Management which includes awareness training for employees to not open email attachments from unknown senders.
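As an added example that is not part of the original article, the following Python check turns the two Locky traits above, the .locky extension and the speed of spread, into a detection over file-server audit lines. The log format and the sample lines are constructed for the example; a host that renames several files to .locky within a short window is the one to cut off from the network first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-server audit lines (not from the original article):
# "<ISO timestamp> <host> <user> RENAME <old path> -> <new path>"
SAMPLE_LOG = """\
2017-05-12T09:00:01 WS-17 alice RENAME /share/finance/q1.xlsx -> /share/finance/q1.xlsx.locky
2017-05-12T09:00:02 WS-17 alice RENAME /share/finance/q2.xlsx -> /share/finance/q2.xlsx.locky
2017-05-12T09:00:02 WS-17 alice RENAME /share/hr/roster.docx -> /share/hr/roster.docx.locky
2017-05-12T09:00:03 WS-17 alice RENAME /share/hr/policy.pdf -> /share/hr/policy.pdf.locky
2017-05-12T09:00:04 WS-17 alice RENAME /share/hr/offer.docx -> /share/hr/offer.docx.locky
2017-05-12T09:01:10 WS-04 bob RENAME /share/ops/notes.txt -> /share/ops/notes_old.txt
2017-05-12T09:05:30 WS-09 carol RENAME /share/ops/a.txt -> /share/ops/a.txt.locky
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) RENAME (.+?) -> (.+)$")
RANSOM_EXTS = (".locky",)  # extension named in the article; extend with others you track


def parse_renames(text):
    """Yield (timestamp, host, user, new_path) for each well-formed RENAME line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not rename events
        ts, host, user, _old, new = m.groups()
        yield datetime.fromisoformat(ts), host, user, new


def find_encrypting_hosts(text, threshold=3, window=timedelta(seconds=60)):
    """Return {host: peak_count} for hosts that renamed at least `threshold`
    files to a ransomware extension inside any sliding window of `window`."""
    by_host = defaultdict(list)
    for ts, host, _user, new in parse_renames(text):
        if new.lower().endswith(RANSOM_EXTS):
            by_host[host].append(ts)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged


if __name__ == "__main__":
    for host, n in find_encrypting_hosts(SAMPLE_LOG).items():
        print(f"isolate {host}: {n} files renamed to a ransomware extension")
```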
CRYSIS
This type of ransomware takes data attacks to a new level, actually kidnapping your data and moving it to a new virtual location. This matters because moving the data qualifies as a breach: if your company handles personal data, you must notify anyone whose information may have been on your network in order to stay in compliance with local, state and federal guidelines. Like other types of ransomware, Crysis attacks start when an employee clicks on a link or opens an attachment. Fortunately, Kaspersky Lab has updated its RakhniDecryptor [4] program to decrypt Crysis files, so anyone attacked by the Crysis ransomware can unlock their files.
BEST DEFENSE: Have a Data Recovery strategy that ensures geographically-separated backup copies along with network segmentation, if possible.
SAMSAM
Anyone running an unpatched WildFly application server in the internet-facing portion of their network is vulnerable to SAMSAM. Once inside the network, the ransomware looks for other systems to attack. For any industry with an urgent need for its data, the odds of the attackers earning a ransom for their efforts increase.
BEST DEFENSE: If you have WildFly application servers, make sure all servers are patched.
CERBER
Instead of going straight after the files like other ransomware, Cerber attacks the database server processes to gain access. Interestingly, the ransomware is sold by its creators to criminals for a portion of the ransoms collected, which Computerworld [5] estimated at over $1 million in 2016. eSecurity Planet [6] reported that Cerber was one of the top three most common ransomware types, third behind Locky and CryptoWall.
BEST DEFENSE: Since Cerber must gain access through an administrator account, restrict use of admin accounts on workstations and have IT staff use these accounts only when absolutely necessary for the specific task being performed.
RANSOMWARE PREDICTIONS BEING REALIZED IN 2017
Although the only ones happy about this are criminals, the predictions that ransomware attacks would increase and become more damaging in 2017 were accurate. It's essential that ransomware prevention and knowledge stay at the forefront of organizations' security efforts. Unfortunately, since hackers continuously become more sophisticated in how they encrypt data and develop new ransomware, organizations must continually monitor for those developments. Then, most importantly, be sure to adjust your security controls and employee training based on the new methods of attack. Your business depends on access to your data.
- [1] Solutionary’s Security Engineering Research Team Quarterly Threat Report, Q2 2016
- [2] FireEye, August 2016
- [3] Health IT News, August 2016
- [4] Kaspersky Lab, May 2017
- [5] Computerworld from IDG, October 2016
- [6] eSecurity Planet, August 2016
Learn more about how Commvault ransomware protection offers a complete recovery solution that covers applications, servers and end-user machines to minimize business disruption when a ransomware attack occurs in your organization.