Types of attacks


Ransomware, like any specialized product or tool, has its own lexicon, with terms such as commodity ransomware and human-operated ransomware. Knowing the key headline terms helps you recognize what type of ransomware attack is taking place and how to start addressing it.

Commodity ransomware

Commodity ransomware lets low-skilled and would-be cybercriminals deploy attacks quickly. It's usually developed by a cybercriminal organization and sold or leased on the dark web as a ready-made kit. The kits can be configured and launched in minutes by individual cybercriminals or small groups of threat actors, and the campaigns are typically untargeted: they're sprayed at as many recipients as possible. Traditionally, these attacks rely on lapses of judgment to trick people into opening files that install malicious software (malware) on their devices.

Human-operated ransomware

As ransomware has become a fully fledged business for cybercriminals, they seek to maximize their income. They actively attack specific organizations that are either in a position to pay a large ransom or in an industry where they can't afford client information to become public. This is known as human-operated ransomware. The defining feature is that an attacker is working hands-on inside the victim's network, typically escalating privileges, spreading to other systems and disabling backups and security tools, before the encryption is finally triggered; the encryption step is the end of the intrusion, not the start.

In general, attacks are becoming:

  • More targeted on well-funded organizations.
  • More targeted on organizations where the impact on customers will be most severe.
  • More expensive as the ransom demands are rising dramatically.

Example: A human-operated attack occurred in the US, where a cybercriminal gained remote access to the computer system controlling a city's drinking water treatment. They changed the sodium hydroxide setpoint to a dangerous level; an operator noticed the change on screen and reversed it before the water supply was affected.

The following section explains the main types of attacks, and how they work, and looks at some typical symptoms.

Ransom distributed denial-of-service attacks

A ransom distributed denial-of-service (DDoS) attack occurs when legitimate users can't access a system because a cybercriminal has flooded it with spurious traffic. The traffic comes from many sources at once (the "distributed" part), typically a botnet of compromised devices, and keeps coming until the target's bandwidth, connection tables or application resources are exhausted and the service effectively stops responding. There are variations of the DDoS attack, so you may hear terms such as:

  • Smurf attack: ping (ICMP echo) requests sent to a network's broadcast address with the victim's address forged as the sender, so every host on that network replies to the victim at once.
  • SYN flood: a stream of TCP connection requests that are never completed, so the target's table of half-open connections fills up and genuine connections are refused.

In essence, they all work by flooding a company with spurious requests until the service is overwhelmed. A ransom is then demanded to stop the attack (or, commonly, threatened in an extortion email before it starts, sometimes backed by a short demonstration attack). Sometimes, just preventing a company from carrying out its legitimate work is reward enough.
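The two properties described above, far more requests than normal and requests spread over many unrelated sources, are what a practitioner looks for in connection logs. The following is an added example, not code from the original page: it runs a simple rate-and-source check over a constructed connection log and a constructed socket-state listing (the log format, addresses and thresholds are illustrative assumptions).

```python
"""Spot a volumetric flood and a SYN flood in constructed telemetry.

Added illustration, not part of the original page. The log format
("<epoch_second> <source_ip>"), the addresses and the thresholds are
assumptions chosen for the example; adapt them to your own telemetry.
"""
from collections import defaultdict

# Constructed sample log: one line per accepted request. Seconds 1000-1004
# are normal traffic from three clients; from second 1005 a flood arrives
# from 200 distinct (spoofed or botnet) sources.
SAMPLE_LOG = []
for t in range(1000, 1005):
    for i in range(3):
        SAMPLE_LOG.append(f"{t} 203.0.113.{i + 1}")
for t in range(1005, 1010):
    for i in range(200):
        SAMPLE_LOG.append(f"{t} 198.51.100.{i + 1}")

# Constructed socket-state listing, as `ss -tan` would show it: a healthy
# server has mostly ESTAB sockets; a SYN-flooded one is dominated by SYN-RECV.
SAMPLE_SOCKETS = ["ESTAB"] * 20 + ["SYN-RECV"] * 300


def parse(lines):
    """Turn "<second> <ip>" lines into (second, ip) tuples."""
    events = []
    for line in lines:
        ts, src = line.split()
        events.append((int(ts), src))
    return events


def per_second_stats(events):
    """Return {second: (request_count, distinct_source_count)}."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for ts, src in events:
        counts[ts] += 1
        sources[ts].add(src)
    return {t: (counts[t], len(sources[t])) for t in counts}


def detect_flood(lines, baseline_seconds=5, rate_factor=10, min_sources=50):
    """Flag seconds whose request rate is rate_factor times the baseline
    (the mean of the first baseline_seconds) AND whose requests come from
    at least min_sources distinct addresses. A spike from one or two
    addresses is a misbehaving client, not a distributed attack.

    Returns a list of (second, request_count, distinct_sources)."""
    stats = per_second_stats(parse(lines))
    seconds = sorted(stats)
    head = seconds[:baseline_seconds]
    if not head:
        return []
    baseline = max(1.0, sum(stats[t][0] for t in head) / len(head))
    flagged = []
    for t in seconds[baseline_seconds:]:
        count, distinct = stats[t]
        if count >= rate_factor * baseline and distinct >= min_sources:
            flagged.append((t, count, distinct))
    return flagged


def syn_flood_suspected(socket_states, min_half_open=100, max_ratio=0.5):
    """A SYN flood shows up as a large absolute number of half-open
    (SYN-RECV) sockets that also dominate the socket table."""
    if not socket_states:
        return False
    half_open = sum(1 for s in socket_states if s == "SYN-RECV")
    return half_open >= min_half_open and half_open / len(socket_states) > max_ratio


if __name__ == "__main__":
    for second, count, distinct in detect_flood(SAMPLE_LOG):
        print(f"second {second}: {count} requests from {distinct} sources")
    print("SYN flood suspected:", syn_flood_suspected(SAMPLE_SOCKETS))
```

The baseline is taken from the first few seconds of the log only for the sake of a self-contained example; in practice you'd compare against the service's historical rate for that time of day, and you'd alert on the source-spread condition as well as the rate, because a single noisy client needs a different response from a botnet.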

From the user's side, symptoms of a ransom DDoS attack are likely to be:

  • Files on network shares take a long time to open.
  • Websites take a very long time to load.
  • Websites don't load or aren't available.

From the network side, the tell-tale signs are a sudden spike in inbound traffic or connection counts from many unrelated source addresses, often preceded or accompanied by an extortion email naming the company.

Example: A European gambling company was hit by one of the largest and most complex attacks recorded at the time. The attack was mitigated before any ransom was paid, but in another case, a high-profile online shopping site was subjected to an attack that lasted three days.

Encryption and locking malware attacks

Encryption ransomware attacks are where the malware scrambles the contents of files using a cryptographic key that only the cybercriminal holds, so the files can no longer be read or opened on the user's IT system; this is encryption. The original files are typically overwritten or deleted, and the encrypted copies are often renamed with a new extension. Once the ransomware has run, a ransom note appears on screen (and usually in every affected folder) informing the user of the demand. Locker malware, by contrast, blocks access to the device or its screen without encrypting the files.

When files are encrypted, they can't be opened without the decryption key, which the cybercriminal offers in exchange for the ransom. Paying is no guarantee of getting a working decryptor, which is why clean, offline backups are the reliable way to recover.
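Because encrypted data is statistically indistinguishable from random bytes, a cheap check for files that have just been encrypted is their byte entropy, combined with the extension rename described above. The following is an added example, not code from the original page: it scores a set of constructed sample files (the file names, contents, extension lists and threshold are illustrative assumptions) and shows the main false positive, already-compressed media.

```python
"""Flag files that look freshly encrypted: near-maximal byte entropy plus
an unexpected extension.

Added illustration, not part of the original page. The sample files,
extension lists and the 7.5 bits/byte threshold are assumptions.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, approaching 8.0 for
    uniformly random bytes (which is what ciphertext looks like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic stand-in for ciphertext; no real key is involved."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


# Constructed sample "files" (name -> contents).
SAMPLE_FILES = {
    "memo.txt": b"plain english text repeats a lot\n" * 100,
    "ledger.csv": b"2024-01-01,invoice,1200.00\n" * 150,
    "ledger.csv.locked": pseudo_random_bytes(4096),  # renamed + scrambled
    "photo.jpg": pseudo_random_bytes(4096),          # legit but high-entropy
}

# Formats that are high-entropy by design (compressed containers/media).
KNOWN_HIGH_ENTROPY = {".jpg", ".png", ".zip", ".gz", ".mp4", ".docx", ".xlsx"}
# Extensions ransomware families commonly append; treat as an assumption.
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt", ".enc"}


def extension(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(name: str, data: bytes, threshold: float = 7.5) -> str:
    """Return "suspect" or "ok". A ransomware-style suffix is enough on its
    own; otherwise require high entropy in a format that shouldn't have it."""
    ext = extension(name)
    if ext in SUSPICIOUS_SUFFIXES:
        return "suspect"
    if shannon_entropy(data) >= threshold and ext not in KNOWN_HIGH_ENTROPY:
        return "suspect"
    return "ok"


def scan(files: dict) -> list:
    """Return the sorted names of files that look encrypted."""
    return sorted(name for name, data in files.items()
                  if classify(name, data) == "suspect")


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:20s} {shannon_entropy(data):5.2f} bits/byte  {classify(name, data)}")
    print("suspects:", scan(SAMPLE_FILES))
```

Entropy alone is noisy (any compressed or already-encrypted file trips it), so in practice this check is most useful on a canary directory of known plaintext files, or as a rate signal: many files crossing the threshold in a short time, on one host, is the pattern to alert on.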

The ransomware can be downloaded onto a system via several different routes. For example:

  • Social engineering attacks
  • Security vulnerabilities

Social engineering attacks

Social engineering attacks rely on tricking users into giving up their username and password, or into providing information that lets cybercriminals access devices or networks. They can also lead a user to download and open a file that starts a ransomware attack.

There are three main types of social engineering attacks:

  • Phishing
  • Vishing
  • Smishing

Phishing

Phishing uses email or websites to solicit personal information from individuals, which then lets the cybercriminal gain access to areas they aren't authorized for, such as bank accounts or other sensitive data. The email or website will look very professional and often pretends to come from a legitimate organization, taking advantage of current events to play on public sympathies. Although phishing is often used to extract money from users by trickery, the emails can also carry attachments that, once opened, lead to a ransomware attack. Industry estimates often attribute around 90 percent of data breaches to phishing, which is why the user is frequently described as the weakest link in any IT system.

Example: In 2016, a criminal group started sending emails with a Word attachment which, when opened, encouraged users to enable macros. The macro then downloaded and ran the Locky ransomware, which encrypted the user's files and left a note directing them to a website that demanded payment in Bitcoin to release the files.
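The Locky campaign above shows the two things a mail gateway or an analyst can check mechanically: where replies and bounces for a message actually go versus who it claims to be from, and whether an attachment is a macro-capable Office file. The following is an added example, not code from the original page or from any mail product: it triages a constructed raw message (the addresses, domains and attachment are illustrative) using only the Python standard library.

```python
"""Triage a raw e-mail for common phishing tells: sender/reply mismatch,
a macro-capable attachment, and a body that asks to enable macros.

Added illustration, not part of the original page. Both messages below
are constructed; every address and domain is an example value.
"""
import email
from email import policy
from email.utils import parseaddr

# Office formats that can carry VBA macros (assumed list for the example).
MACRO_CAPABLE = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".ppt", ".pptm"}
LURE_PHRASES = ("enable content", "enable editing", "enable macros")

SAMPLE_MESSAGE = b"""From: "Example Bank Billing" <billing@example-bank.com>
Reply-To: billing@example-bank.co
Return-Path: <bounce@bulkmail.example.net>
To: finance@example.org
Subject: Overdue invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please open the attached invoice and enable editing/content to view it.

--XYZ
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--XYZ--
"""

CLEAN_MESSAGE = b"""From: IT Helpdesk <helpdesk@example.org>
To: finance@example.org
Subject: Maintenance window on Saturday
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

File shares will be offline from 02:00 to 04:00 UTC.
"""


def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header, "" if absent."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Parse a raw message and return the reasons it looks suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    reasons = []

    # 1. Replies or bounces routed somewhere other than the claimed sender.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header, ""))
        if other and other != from_domain:
            reasons.append(f"{header} domain {other} differs from From domain {from_domain}")

    # 2. Attachments that can carry macros.
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attachments.append(name)
        suffix = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if suffix in MACRO_CAPABLE:
            reasons.append(f"macro-capable attachment {name}")

    # 3. Body text coaching the reader to switch macros on.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in LURE_PHRASES):
        reasons.append("body asks the reader to enable macros/content")

    return {"from_domain": from_domain, "attachments": attachments,
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        result = triage(raw)
        print(label, "suspicious" if result["suspicious"] else "ok")
        for reason in result["reasons"]:
            print("  -", reason)
```

None of these checks is conclusive on its own (legitimate bulk mail also uses a separate bounce domain), which is why the function returns the list of reasons rather than a verdict; a gateway would weight them alongside SPF/DKIM results and attachment sandboxing.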

Vishing

Vishing uses voice communications to deceive a victim. The caller may pretend to be from a legitimate organization and come across as sincere and believable in order to extract sensitive information, or may encourage someone to phone a fake number to "verify" account or other security details. This method less often leads directly to a ransomware attack and is most commonly used to trick people into revealing bank account information so that funds can be stolen, although some ransomware operators do use phone calls to talk victims into installing remote-access software that then gives them a foothold.

Example: A caller may say you're due a tax rebate but before it can be processed, it's necessary to verify your account details. When you've divulged your personal details, the account will then be emptied.

Smishing

Smishing uses text messaging to try to exploit people. The messages contain links that lead to fraudulent sites that imitate legitimate sites. Although these links are often used to extract money from users, they can also entice people to download files, which can then run ransomware and lead to an attack.

Example: Texts that pretend to come from a legitimate delivery company, claiming that a parcel couldn't be delivered and demanding a payment to redeliver it. Simple tricks like this are easy to fall for if you genuinely are expecting a parcel and could have missed the delivery.

Security vulnerabilities

Any ransomware has the potential to exploit gaps in security. Just as a house can have a door left unlocked or a window not securely fastened, cybercriminals look for ways into systems that haven't been locked properly, and unpatched services that face the internet (remote-access gateways, VPN appliances, mail servers) are a favourite entry point for human-operated groups. That's why it's important to install security updates promptly on any hardware or software, and to prioritize whatever is reachable from the internet.

Example: In 2021, an attack was made on a major software company in the United States. It affected up to 60,000 private companies, nine government agencies, and thousands more globally as attackers exploited a vulnerability in the organization's software.

Leakware attacks

Leakware attacks, also known as exfiltration attacks or double extortion, combine a standard attack that encrypts data with the theft of that data beforehand. Normally, specific companies or individuals are targeted where the threat of data being made public would be very damaging. To put additional pressure on the victim to pay, cybercriminals will also start emailing clients, business partners or other individuals who could be affected if the data were made public. Because the data has already left the network, restoring from backup removes only half of the leverage.

Even if payment is made, there's no way to verify that the stolen copies have been deleted: the data could be sold on the black market and used to hold the victim to ransom again.

Example: A major computer hardware company was attacked by a cybercriminal group called REvil. This resulted in data being leaked into the public domain and a $50 million ransom being demanded.