In modern business computing, ransomware is a significant looming threat that can adversely affect many businesses and industries. Ransomware attacks are on the rise and attackers are getting bolder. With recent attacks on police departments, hospitals, attorneys general’s offices, infrastructure, and other companies, it should come as no surprise that things are getting worse. Ransomware is dangerous—and potentially life-threatening when hospitals or medical facilities are compromised—and should never be taken lightly. The key to prevention, safeguarding, and recovery from ransomware attacks is knowledge and understanding. Knowing what you’re up against provides a solid basis for resolving and mitigating ransomware threats. In this article, we’ll take a look at ransomware and the various encryption methods attackers may use when attempting to hold a system’s data hostage.
What is Ransomware?
Ransomware is something you’ve likely heard about in the news or online. Perhaps you’ve been affected by it at some point. Even so, you’ve probably asked yourself, “what is ransomware, anyway?” Ransomware is a type of malware that encrypts the data on your computer and then withholds the decryption key until the attackers are paid some form of ransom. Oddly enough, email and drive-by downloads are still the most common ways a malware payload infects a system.
Hackers want your money and they’ll use ransomware attacks to obtain it. Ransomware is especially dangerous because it can essentially eliminate data recovery options. The best preparation for recovery from an attack is to create backups of important files. That way, if the attack is successful, you can restore your files. Businesses can choose to pay the ransom to recover their files, but sometimes the attackers will take the money without releasing the decryption key. Ransomware attacks can be prevented through a few common-sense measures, like not downloading untrusted scripts or files. Running anti-malware software can also help. Backing up data to the cloud (which is better insulated against attacks on the local network) can also be effective in ensuring your data survives an attack. In the end, being proactive rather than reactive can better mitigate issues related to ransomware attacks, even though there are no foolproof preventative measures.
Symmetric Encryption
Symmetric encryption uses a single key for both encrypting and decrypting files.
In banking, symmetric encryption is a fast and efficient means of encrypting files, using a mix of block and stream algorithms to scramble data into a form that can’t be understood without the right key. A single decryption key reverses those algorithms, rendering the data readable. In a ransomware attack, the same principles apply—only for the purpose of scrambling the victim’s files. When a ransomware attack hits a system using this method, the key is in most cases actually stored somewhere on the local system. If that’s the case, it’s easier for specialists to recover the key and decrypt the data without paying the ransom. The now-defunct TeslaCrypt ransomware, once spread through an Adobe Flash exploit, used symmetric encryption to attack its victims. Its master decryption key was released in 2016, effectively eliminating the malware.
Client-side Asymmetric Encryption
This form of asymmetric encryption is very different from symmetric encryption. First, it uses a public key (typically an RSA key) to encrypt the data, while the attacker keeps the matching private key needed for decryption. It’s a bit slower than other encryption methods, and the computer may go offline before the attacker completes the encryption. If that happens, the attacker won’t be able to send the private key to their own server and demand the ransom. Larger files take longer to encrypt as well, rendering client-side asymmetric encryption more difficult for attackers to perform.
Server-Side Asymmetric Encryption
Server-side asymmetric encryption takes a different approach than its client-side counterpart.
In a real-world scenario, server-side asymmetric encryption typically involves encrypting data at the destination, by the application that receives it. Decryption occurs at the time of access. Amazon employs this encryption method with its Amazon Simple Storage Service. But much like its client-side counterpart, it’s also used as an attack method in ransomware attacks. In this ransomware attack scenario, the encryption happens when a computer comes online. An attacker generates a public and private key pair and uses the public key to encrypt the victim’s files. If the ransom gets paid, the attacker should transfer the private decryption key over to you. During the transfer, the private key can be intercepted by your team and then shared with others to render the ransomware ineffective in the future. While that’s a small comfort and a slim chance to stop the attack, the ransomware can still wreak plenty of havoc before the opportunity comes up.
Hybrid Encryption
Hybrid encryption is a more powerful form of ransomware. In hybrid attacks, the software makes two sets of keys and employs a chain of encryption. It’s like the ransomware version of applying the knowledge earned with a college degree to the final exams. It begins by using symmetric keys to encrypt the files. Then the software creates two key pairs: one for the client side and one for the server side. The client-side public key encrypts the symmetric keys, while the server-side public key encrypts the client-side key. That encrypted key goes to the hacker. Everything has to work together as a chain to decrypt once the ransom is paid. This is a particularly devious ransomware method and can cause all sorts of problems if your system becomes infected.
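Whichever key-management scheme an attacker uses (symmetric, client-side or server-side asymmetric, or hybrid), the files written to disk are statistically random ciphertext, which is the one signal a defender can monitor independently of the scheme. The following added example, not part of the original article, shows a Shannon-entropy triage over a batch of recently modified files; the threshold and the sample files are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Added example (not from the article). Every encryption scheme described
# above produces high-entropy output, so a burst of high-entropy writes to
# many files is a generic ransomware indicator regardless of how the keys
# are managed.


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Assumed threshold: text, source and office documents usually sit well
# below 6 bits/byte; encrypted data approaches 8. Already-compressed formats
# (zip, jpeg, mp4) are also high-entropy, so treat hits as triage, not proof.
ENTROPY_THRESHOLD = 7.2


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    return shannon_entropy(data) >= threshold


def triage(files: dict, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Map each path to True when its content looks like ciphertext."""
    return {path: looks_encrypted(data, threshold) for path, data in files.items()}


def fraction_suspicious(files: dict, threshold: float = ENTROPY_THRESHOLD) -> float:
    """Share of the batch flagged; a jump across a whole directory is the real signal."""
    if not files:
        return 0.0
    flags = triage(files, threshold)
    return sum(flags.values()) / len(flags)


# Constructed sample batch: two plaintext documents and one stand-in for a
# file that has just been overwritten with ciphertext (deterministic
# pseudo-random bytes, so the example runs offline and reproducibly).
SAMPLE_FILES = {
    "report.txt": b"Quarterly figures attached. Please review before Friday. " * 20,
    "notes.md": b"# Meeting notes\n- action items\n- owners\n" * 30,
    "report.txt.locked": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32)),
}
```

On a real host the same check would run over files touched in the last few seconds, and the interesting event is the fraction climbing across a directory, not a single high-entropy file.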