Open Access is an initiative that aims to make scientific research freely available to all. To date our community has made over 100 million downloads. It’s based on principles of collaboration, unobstructed discovery, and, most importantly, scientific progression. As PhD students, we found it difficult to access the research we needed, so we decided to create a new Open Access publisher that levels the playing field for scientists across the world. How? By making research easy to access, and puts the academic needs of the researchers before the business interests of publishers.
We are a community of more than 103,000 authors and editors from 3,291 institutions spanning 160 countries, including Nobel Prize winners and some of the world’s most-cited researchers. Publishing on IntechOpen allows authors to earn citations and find new collaborators, meaning more people see your work not only from your own field of study, but from other related fields too.
To purchase hard copies of this book, please contact the representative in India:
CBS Publishers & Distributors Pvt. Ltd.
www.cbspd.com
|
customercare@cbspd.com
Ransomware refers to a type of malware that encrypts files on an infected computer and holds the key to decrypt the files until the victim pays a ransom. Ransomware has seen explosive growth over the past few years and has rapidly evolved into a highly lucrative business model. Sophisticated advanced persistent threats (APTs) are employing ransomware to maximize their profits with multiple layers of monetization strategies. New versions appear frequently with ever-evolving tactics and techniques making detection harder. In this chapter, we present a brief history of ransomware, top threat actors employing ransomware, tactics used, and key strategies firms need to deploy to prevent, detect, and respond to ransomware in attacks.
Cyber Security Specialist, Princeton, NJ, United States of America
*Address all correspondence to: arun.warikoo@gmail.com
1. Introduction
Ransomware attacks have emerged as one of the most prominent cyberattacks in the last 5 years affecting organizations globally. The Verizon Data Breach Investigation Report (DBIR) 2021 states that 37% of global organizations said that they were hit by ransomware [1]. The world saw a 151% year-on-year increase in the number of ransomware attacks by mid-2021 [2].
Ransomware is a family of malware that is designed to block or limit victims from accessing their system by either locking the system’s screen or encrypting files on a system until ransom is paid. Ransom operators demand the victim to pay the ransom in crypto, usually, bitcoin.
Ransomware variants are of two types—encryptors and lockers [3]. The encrypting ransomware encrypts the files on the victim’s machine and demands a ransom for the decryption key. On the other hand, lockers do not encrypt the file but lock the victim’s system so that the files are inaccessible.
Ransomware tactics and techniques have evolved considerably over the years. The evolution of ransomware can be broken down into three key timeframes: pre-2014, between 2015 and 2017, and post-2017. During the pre-2014 era, ransomware attacks were widespread but random with a very low ransom demand. Post-2015, attackers started deploying ransomware post-exploitation. This shift reduced the number of victims that an attacker could exploit, but this gave operators much more control over ransomware deployment. This enabled targeted and successful encryption of files on the victim’s network and justified demands for a higher ransom. Led to the rise of targeted attacks that were highly successful leading to a higher ransom demand. Post-2017, the ransomware threat landscape witnessed the emergence of ransomware as a service (RaaS) and big game hunting (BGH). Big game hunting refers to when attackers leverage ransomware to target large and high-value organizations [4].
Subsequent sections highlight a brief history on ransomware, how ransomware is distributed, high-profile ransomware groups, and how to prevent, defend, and respond to ransomware attacks.
This section details a brief history on ransomware from its inception as a petty cybercriminal act into what is now a billion-dollar cyber-crime industry.
The first known ransomware attack occurred in 1989 and targeted the healthcare industry. An individual known as Joseph Popp, an AIDS researcher, carried out the attack by mailing 20,000 floppy disks to the WHO AIDS conference event attendees [5]. The attacker employed social engineering to trick the victims by claiming that the disks contained a questionnaire to determine an individual’s risk of acquiring AIDS. However, the disk also contained a malware that was dubbed as the AIDS Trojan that encrypted files on the victim’s machine and displayed a message demanding a payment of $189 to a P.O. box in Panama in exchange for access to their files [5]. AIDS Trojan used a simple symmetric encryptor to encrypt file names and a decryption key was soon available to decrypt them [6].
Figure 1 highlights the timeline on ransomware since the launch of AIDS Trojan in 1989 to Hive in 2022.
Figure 1.
Ransomware timeline.
The first modern ransomware, GPCode, was launched in 2004 and infected systems via phishing emails [6]. GPCode also known as GPCoder used symmetric encryption to encrypt files and requested $20 for a decryption key [5]. The Year 2006 saw the launch of Archievus that employed strong encryption for the first time and used an advanced 1024-bit RSA encryption [5]. Reveton emerged in 2012 as a ransomware locker, a variant that displayed fraudulent law enforcement messages accusing victims of committing a crime. The attackers threatened victims with jail time if the ransom was not paid [5]. The year 2013 saw the emergence of a ransomware strain known as CryptoLocker that was delivered via phishing emails. CryptoLocker used strong 2048 RSA encryption and was both a locker and a crypto variant [5]. CryptoWall gained notoriety after the downfall of the infamous CryptoLocker in 2014 and was widely distributed using various exploit kits and spam campaigns. TeslaCrypt gained notoriety in 2015 and targeted computer gamers. After a successful infection, the malicious program demands a $500 ransom for the decryption key; if the victim delays, the ransom doubles.
Petya emerged in 2016 as the first ransomware variant to not encrypt individual files but overwrite the master boot record and encrypt the master file table. These locked victims out of their entire hard drive more quickly than other ransomware techniques [5]. The infamous WannaCry shocked the world in 2017 and hit hundreds of thousands of machines across more than 150 countries. WannaCry spread via the Eternal Blue vulnerability, an exploit leaked from the National Security Agency [5]. A major cyberattack began targeting Ukraine in June 2017 using a new variant on Petya known as NotPetya. NotPetya soon spread and impacted organizations globally. In 2018, a sophisticated ransomware variant known as Ryuk was released and became one of the most successful ransomware campaigns of its time. Ryuk attacks were targeted, and ransom amounts associated with Ryuk typically range between 15 and 50 Bitcoins, or roughly between $100,000 and $500,000 [7]. REvil, also known as Sodinokibi, first appeared in April 2019 and immediately became immensely successful [8]. Another ransomware variant by the name Maze was discovered in 2019 and introduced the tactic of double extortion wherein data are exfiltrated before ransomware deployment. Shortly after Maze disbanded in 2020, the Egregor RaaS double extortion variant appeared. 2020 saw the emergence of a Conti and Darkside that were responsible for major cyber incidents globally. LockBit 2.0, a new variant of Lockbit with advanced capabilities appeared in 2021. LockBit 3.0, the current version, was discovered in June 2022 and has added a Big Bounty Program (BBP) to its arsenal [9]. The year 2022 saw the fall of a notorious ransomware group known as Conti and the emergence of new groups such as Blackbasta, Hive, and Quantum that continue to drive the ransomware threat landscape [10].
Figure 2 highlights significant ransomware incidents that have occurred over the last 5 years.
Figure 2.
Significant ransomware incidents.
Figure 3 shows the various stages involved in a ransomware attack.
Ransomware is spread through multiple distribution methods. These are as follows:
Phishing—The most common attack vector used by attackers as shown in Figure 4. Attackers send an email that is designed to lure the victim to open the weaponized office attachments. When the user opens the attachment (word or excel) and enables the macros, a malicious program is executed that executes a PowerShell command to download a 2nd stage malware from the Command and Control (C2) Server. Additional payloads are downloaded for lateral movement and once control is gained on the active directory (AD) domain, the attacker downloads ransomware as a final payload and deploys it to multiple devices.
Figure 4.
Attack vector phishing.
Exploit kits—An exploit kit is a toolkit designed to exploit vulnerabilities on victim’s system while web browsing. When a user visits a compromised website, the victim is redirected to another landing page. The victim’s machine is scanned for any browser-based vulnerabilities and malware is downloaded. Ransomware groups employ malvertising to redirect users to the attacker’s website, exploit is executed that leads to the eventual deployment of ransomware (Figure 5).
Figure 5.
Attack vector exploit kit.
Buying credentials from access brokers—Attackers buy credentials from initial access brokers (IABs) to gain initial access. Remote desktop protocol (RDP) is the most common credential used to achieve a foothold.
Exploiting vulnerabilities—Ransomware operators also gain initial access by exploiting vulnerabilities in Internet-facing applications.
3rd Party Vendor—Supply chain has become the latest attack vector that has led to ransomware deployment.
The modern ransomware threat landscape is driven by the advent of the ransomware as a service (RaaS) business model and the adoption of multiple levels of extortion.
4.1 Ranvsomware as a service
Ransomware as a service (RaaS) is a business model launched by ransomware operators wherein the operators sell ransomware to their customers known as affiliates in exchange of a cut from the ransom. The affiliates launch the cyberattack against the victims whereas negotiations with the victim are managed by the operator.
RaaS has taken ransomware to a whole new plane and is one of the primary reasons why ransomware attacks have become so frequent. RaaS business model is a win-win situation for all the parties involved. A report by Crowdstrike, a cybersecurity firm, states that the ransomware revenues in 2020 were around $20 billion, up from $11.5 billion the previous year [11].
The operator now only focuses on developing and monetizing its product. Less sophisticated actors with very little knowledge can enter the playing field, buy the service, and launch targeted attacks. Figure 6 highlights the RaaS ecosystem. The ecosystem also comprises of initial access brokers (IABs) and Mules. Access brokers are an important component as they are the ones who scan the networks to look for vulnerabilities and gain credential access. Access brokers sell credentials access to the affiliates who leverage that for initial access during an intrusion. The RaaS operators handle the ransom negotiations with the victim. Mules complete the ecosystem and are used for converting cryptocurrency into real currency.
Figure 6.
The RaaS ecosystem.
4.2 Extortion
The advent of extortion as a tactic has emerged as one of the major reasons for high-profile ransomware attacks in the last few years. Three are four types of extortion prevalent that are highlighted in Figure 7.
Figure 7.
Types of ransomware extortion.
Single extortion refers to the deployment of ransomware post-exploitation. The attacker demands a ransom in exchange for decrypting the files.
Double extortion refers to attackers exfiltrating data before the deployment of ransomware. The attacker then threatens the victim to leak the data publicly. The Maze ransomware group pioneered this when they added double extortion as a tactic to their playbook. More threat actors followed suit had started to have dedicated leak sites (DLS) to release the stolen data.
In 2020, threat actors took extortion to another level and added DDoS attacks to encryption and data exposure threats. This is known as triple extortion. This was first performed by SunCrypt and RagnarLocker operators in the latter half of 2020 [12].
In 2021, a fourth level known as Quadruple extortion was introduced. With quadruple extortion, ransomware operators also reach out directly to a victim’s customers and stakeholders, thereby adding more pressure to the victim. DarkSide operators employ the quadruple extortion scheme in some of their attacks by launching DDoS attacks and directly contacting customers through designated call centers [12].
This section highlights some of the high-profile threat actors that have revolutionized ransomware campaigns.
Conti also known as Wizard Spider is a Russia-based cybercriminal operational since 2016 [13]. The group is known for being the operator of Ryuk and Conti ransomware variants and resorts to big game hunting (BGH). Conti used the Ryuk ransomware variant since September 2018 but switched to Conti in 2020 [14].
Carbon Spider also known as FIN7 is another Russia-based cybercriminal that operated since 2013. The group pivoted to ransomware and big game hunting in 2020 and marketed its own RaaS program dubbed as “DarkSide” [15]. In May 2021, the Colonial Pipeline ransomware attack made headlines across the globe that FBI attributed to the DarkSide group [16].
Pinchy Spider is a sophisticated cybercriminal operational since 2018 that is known to be operation of the REvil RaaS program [17]. Pinchy Spider is associated with some of the most high-profile ransomware attacks in history.
The LockBit group is a sophisticated cybercriminal operational since 2019. The group is known to consistently develop new tactics and techniques to stay ahead of other ransomware groups [12]. In 2021, a new variant known as Lockbit 2.0 was released that followed the RaaS model and LockBit 2.0 operators allegedly only work with experienced penetration testers [18].
BlackByte is ransomware as a service (RaaS) that first emerged in July 2021 and primarily exploits vulnerabilities to gain a foothold in the victim’s environment [19].
Table 1 highlights significant ransomware families over the years with additional details such as operator, operating since, and encryption.
Organizations need to take a multipronged approach to prevent and defend against a ransomware attack. The best strategy to tackle ransomware is a combination of prevention, detection, and recovery capabilities.
6.1 Prevention
Organizations need to have controls in place to cover all the distribution methods as highlighted in Section 3 and as part of defense-in-depth deploy controls at multiple levels.
At the network layer, organizations need to implement solutions such as Email Gateway Security and a sandbox solution to prevent against phishing campaigns which is the most common attack vector for ransomware. Web application firewalls (WAFs) enable in preventing initial access from exploits that target public-facing applications. Intrusion prevention systems (IPS) and content filtering solutions enable in preventing communication with command and control servers. Most sophisticated ransomware operations also exfiltrate data as a form of extortion. Data loss prevention (DLP) solutions are an important control for preventing against data leakage.
At the endpoint layer, apart from an anti-virus (AV) solution, organizations need to implement endpoint detection and response (EDR) solutions to detect malicious activity such as the spawning of a malicious process. In addition, organizations need to configure their information technology (IT) environment to prevent enabling of macros in documents received from outside the network without interrupting any business processes. It is also advisable to install browser protection and ad blocking on end-user workstations as this will prevent JavaScript-based malware from executing on the system [20].
Organizations must also have a robust vulnerability management program that focuses on hardening workstations and servers within the network. Attackers leverage exploit kits to exploit a vulnerability in systems and technologies. As an example, the Locky ransomware is frequently delivered via the Rig exploit kit that targets some of the Adobe flash vulnerabilities [20]. Therefore, it is imperative to have your systems and applications fully patched and up to date.
Most ransomware distribution methods require end-user interaction. Therefore, organizations need to create a robust security awareness training for their employees and train them on how attackers leverage social engineering to trick the users.
6.2 Detection
Detective controls play an important role in the fight against ransomware. In a modern ransomware attack, there is a significant dwell time before ransomware is deployed and executed. With the advent of big game hunting, attackers spend considerable time in identifying high-value targets post-compromise. The dwell can be as little as a few days and can go up to weeks before the deployment of ransomware. This enables defenders to deploy detective controls in order to identifying unusual activity pointing to an ongoing ransomware attack.
Ransomware detection can be done by mirroring the behavior depicted by various ransomware variants. Ransomware behavior involves the generation of network traffic to C2servers that includes domain name service (DNS) queries [21]. Detective controls such as an intrusion detection system (IDS) and a security information and event management (SIEM) have inbuilt signatures and rules to detect for such events. In addition, custom rules can be created to look for specific behaviors such as anomalous SMB traffic, creation of new privileged accounts, anomalous outbound traffic, and monitoring of processes and PowerShell. Alerts from detective controls are investigated in a Security Operations Centre (SOC). Alerts from detective controls have a high false positive rate and it is imperative that SOC analysts work with the threat detection team to tune the platforms and reduce the noise [22].
Organizations need to develop cyber fusion capabilities to tackle advanced persistent threats. This can be achieved by the creation of a Cyber Defense Centre (CDC) that comprises of teams such as CSIRT, Red Team, VA, threat detection, and cyber threat intelligence team (CTI). Cyber threat intelligence plays a vital role in providing intel on ongoing campaigns to ensure that your enterprise defenders are ready for the threat and know what to look for. Organizations also need to conduct Table Top exercises quarterly and look at specific scenarios based on intel received from the threat intelligence team.
6.3 Response
It is imperative to create a Ransomware Incident Response Plan that will be executed by an organization’s computer security incident response team (CSIRT).
Identify the infected systems within the network and isolate the infected devices immediately. It is extremely important to determine the scope of the infection. Look for symptoms such as file name changes and service tickets from employees on not able to access files.
Secure your backup data by taking them offline and ensure that the backup data is not infected by running a full scan [23]. Restore compromised files with backup data once all the devices have been decrypted and running antivirus.
The incident response team must also identify the attack vector and chart out the attack timeline. This is important to help in identifying how the attack happened, identifying the control gaps, and preventing recurring ransomware attacks in the future.
Report the incident to law enforcement immediately as typical ransomware attacks involve data leaks. Within the United States, report the incident to the nearest FBI office which can help identify those responsible and prevent future attacks [23].
Once normal operations resume, it is always advisable and recommended to conduct a post-incident activity to review the lessons learned from the ransomware attack.
Ransomware has become one of the most prevalent cybercrimes that threat actors leverage to maximize their profits. Nation-state actors have also employed ransomware to maximize their geopolitical interests. Organizations can no longer rely on resiliency and backups to thwart such attacks. Threat actors have evolved their tactics and are now employing multiple layers of extortion to threaten victims. The advent of RaaS has made matters worse as less sophisticated attackers can also launch ransomware attacks by buying the service.
Organizations need to employ a multipronged strategy to prevent, defend, and respond to such persistent attacks. Firms need to invest deeply in building a cyber fusion model that focuses on developing collaboration and cohesiveness between various cyber defense teams. Cyber threat intelligence exchange with ISACs and law enforcement agencies is extremely important to gain an understanding on the campaigns of interest. It is also recommended to adopt a Zero Trust Approach while designing the network.
Adversarial Tactics, Techniques, and Common Knowledge
AV
Anti-virus
BBP
Big Bounty Program
BGH
Big Game Hunting
BTC
Bitcoin
C2
Command and Control
CDC
Cyber Defense Centre
CISA
Cybersecurity and Infrastructure Agency
CSIRT
Computer Security Incident Response Team
CTI
Cyber Threat Intelligence
CVSS
Common Vulnerability Scoring System
DBIR
Data Beach Investigation Report
DLP
Data Loss Prevention
DLS
Data Leak Sites
DGA
Domain Generation Algorithm
DNS
Domain Name Service
DoS
Denial of Service
DDoS
Distributed Denial of Service
EDR
Endpoint Detection and Response
ECDSA
Elliptic Curve Digital Signature Algorithm
FBI
Federal Bureau of Investigation
IAB
Initial Access Broker
IT
Information Technology
IDS
Intrusion Detection System
IPS
Intrusion Prevention Systems
IR
Incident Response
ISAC
Information Sharing and Analysis Centers
MFA
Multi-Factor Authentication
NIST
National Institute of Standards and Technology
OSINT
Open Source Intelligence
RaaS
Ransomware as a Service
RDP
Remote Desktop Protocol
RSA
Rivest-Shamir-Adleman
SIEM
Security Information and Event Management
SOC
Security Operations Center
SQLi
Structured Query Language Injection
TB
Terabyte
TTP
Tactics Techniques and Procedures
VA
Vulnerability Assessment
VPN
Virtual Private Network
XSS
Cross Site Scripting
WAF
Web Application Firewall
WHO
World Health Organization
References
1.Bassett G, Hylender D, Langlois P, Pinto A, Widup S. Verizon Data Breach Investigation Report [Internet]. 2021. Available from: https://www.researchgate.net/publication/351637233_2021_Verizon_Data_Breach_Investigations_Report [Accessed: September 19, 2022]
2.Sonica Wall. Cyber Threat Report: Mid-Year Update [Internet]. 2021. Available from: https://www.sonicwall.com/resources/white-papers/mid-year-2021-sonicwall-cyber-threat-report/ [Accessed: September 19, 2022]
3.Aurangzeb S, Aleem M, Iqbal M, Islam A. Ransomware: A Survey and Trends [Internet]. 2017. Available from: https://www.researchgate.net/publication/317380115_Ransomware_A_Survey_and_Trends [Accessed: September 19, 2022]
4.Cyber Big Game Hunting [Internet]. 2022. Available from: https://www.crowdstrike.com/cybersecurity-101/cyber-big-game-hunting [Accessed: September 19, 2022]
5.Harford, I. The history and evolution of ransomware [Internet]. 2021. Available from: https://www.techtarget.com/searchsecurity/feature/The-history-and-evolution-of-ransomware [Accessed: September 16, 2022]
6.Richardson R, North M. Ransomware: Evolution, Mitigation and Prevention. Vol. 4276. Faculty Publications; 2017. Available from: https://digitalcommons.kennesaw.edu/facpubs/4276
7.Constantin L. Ryuk explained: Targeted, devastatingly effective ransomware [Internet]. 2021. Available from: https://www.csoonline.com/article/3541810/ryuk-explained-targeted-devastatingly-effective-ransomware.html [Accessed: September 16, 2022]
8.Constantin L. REvil ransomware explained: A widespread extortion operation [Internet]. 2021. Available from: https://www.csoonline.com/article/3597298/revil-ransomware-explained-a-widespread-extortion-operation.html [Accessed: September 16, 2022]
9.Myers L. LockBit 3.0 Ransomware Abuses Windows Defender to Load Cobalt Strike [Internet]. 2022. Available from: https://blogs.blackberry.com/en/2022/08/lockbit-3-0-ransomware-abuses-windows-defender-to-load-cobalt-strike [Accessed: September 19, 2022]
10.Righi I. Ransomware in Q2 2022: Ransomware is Back in Business [Internet]. 2022. Available from: https://www.digitalshadows.com/blog-and-research/ransomware-in-q2-2022-ransomware-is-back-in-business/ [Accessed: September 19, 2022]
11.Baker K. Ransomware as a Service (RaaS) Explained [Internet]. 2022. Available from: https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/ [Accessed: September 19, 2022]
12.Trend Micro Research. Lockbit [Internet]. 2022. Available from: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit [Accessed: September 13, 2022]
13.Feeley B, Hartley B. Lunar Spider Sharing the Same Web [Internet]. 2019. Available from: https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/ [Accessed: September 17, 2022]
14.Hanel A. Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware [Internet]. 2019. Available from: https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ [Accessed: September 17, 2022]
15.Sood K, Hurley S, Arsene L. Dark Side Goes Dark: How Crowd Strike Falcon Customers Were Protected [Internet]. 2021. Available from: https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/ [Accessed: September 17, 2022]
16.Osborne C. Dark Side explained: The ransomware group responsible for Colonial Pipeline attack [Internet]. 2019. Available from: https://www.zdnet.com/article/darkside-the-ransomware-group-responsible-for-colonial-pipeline-cyberattack-explained/ [Accessed: September 17, 2022]
17.Meyers A. The Evolution of PINCHY SPIDER from Gand Crab to REvil [Internet]. 2021. Available from: https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/ [Accessed: September 17, 2022]
18.Elsad A, Gumarin JR, Barr A. LockBit 2.0: How This RaaS Operates and How to Protect Against It [Internet]. 2022. Available from: https://unit42.paloaltonetworks.com/lockbit-2-ransomware/ [Accessed: September 18, 2022]
19.Elsad A. Threat Assessment: BlackByte Ransomware [Internet]. 2022. Available from: https://unit42.paloaltonetworks.com/blackbyte-ransomware/ [Accessed: September 19, 2022]
20.Liska A, Gallo T. Ransomware. OReilly; 2016. pp. 53-55. ISBN: 978-1-491-96788-1
21.Berrueta E, Morato D, Magana E, Izal M. A Survey on Detection Techniques for Cryptographic Ransomware. IEEE; 2019. DOI: 10.1109/ACCESS.2019.2945839
22.Hills M, editor. Why Cyber Security Is a Socio-Technical Challenge: New Concepts and Practical Measures to Enhance Detection. Nova; 2016. p. 188. ISBN: 978-1-53610-090-7
23.Hassan A. Ransomware Revealed. Apress; 2009. 209 p. DOI: 10.1007/9781484242551
Written By
Arun Warikoo
Submitted: 21 September 2022Reviewed: 04 October 2022Published: 24 January 2023
Open access peer-reviewed chapter
