EXECUTIVE SUMMARY:

Stories about ransomware takeovers have grown increasingly common in recent months and weeks. From the Colonial Pipeline attack to the JBS attack, ransomware represents a threat to businesses everywhere.

Broadly speaking, the term ransomware commonly denotes an attack that involves extorting financial resources from a target. However, ransomware is more nuanced than you might think. There are a variety of types of ransomware. Let’s examine a few of the ransomware attack types.

Commodity Ransomware

Commodity ransomware functions in an automated way. Although an attacker could compose a unique phishing campaign to send the malware to a specific victim, commodity ransomware is entirely automated. It can execute its mission as soon as it’s on a network. This type of ransomware usually arrives with a modest ransom request. Hackers intend to infect a large number of businesses, and anticipate that a certain percentage of them will pay.

When this type of ransomware first emerged on the scene, each successful infection resulted in total file encryption. Certain versions also inadvertently encrypted files on network drives.

As this malware evolved, hackers had it search network drives. Specifically, it searched the ones that the system’s user had the right to access and those that had not already been mounted. At this stage in the game, the attackers’ ideal target shifted from an individual to an organization.

The thinking behind this makes sense. Encryption of more files, say in a business setting, would increase the probability that a victim would pay.

In this ransomware’s final evolutionary step, it was integrated with a worm. Thus, the malware became self-replicating. The infamous WannaCry ransomware represents the first of this further evolved commodity ransomware generation.

Human-Operated Ransomware

In contrast with commodity ransomware, this type of ransomware relies on more sophisticated and precise mechanisms. Hackers aim to achieve an even greater payday than with other ransomware types.

Human-operated ransomware typically begins with an initial foothold in a firm. Numerous steps are involved. Many of the steps require a human to click through specific screens and to navigate through systems, as the ransomware must be uniquely tailored to the target. The majority of hacker hives that engage in these kinds of operations rely on a group of existing technological tools. Nonetheless, the circumstances of a given situation may force the hackers to expand their toolchains.

These attacks require days, if not weeks, to launch. Hackers put time into organizing the effort. The process could be compared to preparing for a large party of dinner guests; you might put an entire day or multiple days into preparing, but the party itself lasts for only an hour or two.

At the designated hour, the hackers engage the attack tools and encrypt all targeted data. In 2018, the SamSam gang relied on this method to attack municipalities, hospitals, healthcare systems and other organizations.

Backups, and the capacity to restore them, help organizations mitigate this attack threat. Before organizations began to regularly back up systems, hackers exfiltrated and encrypted data with this attack type. Organizations felt pressured to pay because hackers threatened to publicly release sensitive data.

Ransomware Brands

With human-operated ransomware, organizations faced the challenge of figuring out 1) how to ensure that payment of ransom resulted in decryption and prevented data leaks and 2) how to guarantee that the payment to the hackers did not finance terrorism or other abusive causes.

Eventually, the notion of ransomware “brands” emerged. “If you heard that someone with brand X ransomware paid a ransom and still lost their data, you would be less likely to pay the ransom.”

Individual ransomware gangs effectively produced their own PR strategies. They aimed to ensure that “customers” would have positive experiences with payment.

Preventing Ransomware Attacks

Organizations can block older generations of commodity ransomware with relative ease. New forms of commodity ransomware can bypass preventative measures. Ensure that your organization maintains backups of all systems.

To avoid the latest forms of commodity malware, ensure that your organization also considers micro-segmentation, zero-trust, identity and access management, and other policy-driven risk-reduction initiatives.

Countermeasures for human-operated ransomware attacks look very similar to those for commodity ransomware attacks. Nonetheless, defending against these attacks also merits a discussion about cyber security tools. Look for tools that provide a high degree of visibility, along with the capacity to threat hunt and to quickly identify malicious activities. Organizations must avoid hitting the point of no return with ransomware. Implementing these tactics can also assist with the prevention of supply chain attacks.

For more on different types of ransomware, visit ThreatPost.com.