We have seen a sharp increase in the number of ransomware attacks detected by our security systems. Given that, we want to shine a light on exactly what ransomware is and how it would affect you if you ran one of these programs on a system unable to detect the threat.
What is Ransomware and How Does it Work?
Ransomware is malicious software (commonly called a virus) that typically arrives as an attachment in an email. The attacker's usual modus operandi is to send the victim an email asking them to open an invoice, sales order or some kind of report. In our experience the groups most often tricked into launching ransomware are the accounts department and senior management, because they expect to receive invoices or sales orders from third parties; crucially, these tend to be users with access to far more sensitive corporate data than a standard user.
The infected attachment is typically a Word document (although we are now seeing attacks with other file types, so be vigilant regardless of the file type). Once opened, the document appears to contain garbled text, with some clear text at the top asking the user to ‘enable macros’ so that the text can be ‘decoded’ and read. Office disables macros by default precisely because a macro can run arbitrary code; when the user enables them, the ransomware is unleashed.
Other file types simply ask “Do you want to open this file?” with no macro prompt at all; as soon as the file is opened, the attack begins. These newer lures, which need fewer clicks and less user interaction, are clearly more dangerous. Always pay attention to the warning text displayed before opening any file, and if you are unsure, contact the Extrinsica Global Support Team.
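The two lures above (a macro-carrying Office document, and a file type Windows simply runs after one “open” click) can be caught at the mail gateway before a user ever sees the prompt. The following is an added example written for this page, not Extrinsica Global's own tooling: a small Python triage routine, standard library only, that inspects an attachment's name and container format. The sample “documents” are constructed in memory and are not real Word files. Legacy .doc/.xls attachments are only flagged for review here, because finding macros inside the OLE2 container needs a compound-file parser (the olevba tool from oletools does that); the verdict names and thresholds are assumptions for the demonstration.

```python
"""Attachment triage for macro droppers and directly executable files.

Added example, not Extrinsica Global's tooling. Standard library only.
"""
import io
import os
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.docm/.xlsm/... container
# Extensions Windows runs after a single "open" click; no macro prompt needed.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs",
                   ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}
LEGACY_OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt"}
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def has_vba_project(data: bytes) -> bool:
    """True if a ZIP-based Office file carries a VBA project part
    (word/vbaProject.bin, xl/vbaProject.bin, ppt/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes) -> dict:
    """Classify one attachment as block, review or allow, with the reasons."""
    findings, notes = [], []
    stem, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(stem)[1]

    if ext in EXECUTABLE_EXTS:
        findings.append(f"directly executable attachment type {ext}")
        if inner_ext:                       # invoice.pdf.js style disguise
            findings.append(f"double extension {inner_ext}{ext}")

    if data.startswith(ZIP_MAGIC):
        if has_vba_project(data):
            findings.append("Office document contains a VBA project (macros)")
        if ext in LEGACY_OFFICE_EXTS:
            findings.append(f"{ext} name but OOXML (zip) content: extension/content mismatch")
    elif data.startswith(OLE2_MAGIC):
        if ext in OOXML_EXTS:
            findings.append(f"{ext} name but OLE2 content: extension/content mismatch")
        elif ext in LEGACY_OFFICE_EXTS:
            notes.append("legacy binary Office file: scan for macros with a CFB parser (e.g. olevba)")

    verdict = "block" if findings else ("review" if notes else "allow")
    return {"verdict": verdict, "findings": findings, "notes": notes}


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments: the lures from the text, plus a clean file.
    samples = [
        ("Invoice_4471.docm", build_sample_ooxml(with_macro=True)),
        ("Sales_Order.docx", build_sample_ooxml(with_macro=False)),
        ("Report.pdf.js", b"var sh = new ActiveXObject('WScript.Shell');"),
        ("Quote.doc", OLE2_MAGIC + b"\x00" * 504),
    ]
    for name, blob in samples:
        print(f"{name:20} {triage(name, blob)}")
```

The container check matters more than the extension: attackers rename files to slip past extension filters, and Office opens a document by sniffing its content, so a .doc that is really a zip (or a .docx that is really OLE2) is worth blocking on its own.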
The process by which the malware starts is straightforward. The infected attachment is actually a downloader that fetches the real ransomware in the background. As far as the user can tell, the text in the Word file stays garbled and nothing else appears to happen. In reality, the downloaded ransomware is busily encrypting every file the user has write access to on local, USB and network drives; it needs no administrator rights for this, because it runs with the permissions of the user who opened the attachment.
The encryption uses both RSA and AES: the files themselves are encrypted with AES, and the AES keys are in turn encrypted with an RSA public key whose private half only the attackers hold, so without that private key the data is virtually impossible to recover (short of a flaw in the attackers' implementation). Once encryption of all of your important files is complete, the ransomware conveniently changes your desktop background, opens a website and presents a text ransom note instructing you how to pay to decrypt your data.
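Because the encryption stage runs silently with the user's own permissions, it is worth having something on the file shares that notices it. The following is an added example written for this page, not Extrinsica Global's tooling, in Python with the standard library only. It plants a few canary files, then scans a directory for the three signals of the encryption stage described above: canaries modified or gone, a sudden population of high-entropy files (ciphertext is statistically indistinguishable from random data), and a ransom note. The “encryptor” in it only simulates that stage by overwriting files with random bytes and renaming them; it is not a cipher. The note-name hints, the entropy threshold and the canary naming are assumptions for the demonstration, and the directory and its contents are constructed in a temporary folder.

```python
"""Canary-file and entropy check for the encryption stage.

Added example, not Extrinsica Global's tooling. Standard library only.
"""
import collections
import hashlib
import math
import os
import shutil
import tempfile

# Assumed heuristics: note names like HOW_TO_DECRYPT.txt are common, but the
# exact names vary per strain, so the canaries are the primary signal.
NOTE_HINTS = ("decrypt", "restore", "recover", "readme")
NOTE_EXTS = (".txt", ".html", ".hta")
ENTROPY_THRESHOLD = 7.0   # bits/byte; text and Office XML sit well below 6
MIN_SIZE = 512            # entropy of very small files is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(data).values())


def sha256_file(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_canaries(root: str, names) -> dict:
    """Write decoy documents and record their hashes. Names that sort first and
    last (an assumption) get hit early by encryptors that walk directories in order."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"Canary document, do not edit. " * 200)
        baseline[name] = sha256_file(path)
    return baseline


def scan(root: str, baseline: dict) -> dict:
    """One pass over a directory: canary integrity, entropy profile, ransom notes."""
    alerts, notes, high, total = [], [], 0, 0
    for name, digest in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            alerts.append(f"canary missing: {name}")
        elif sha256_file(path) != digest:
            alerts.append(f"canary modified: {name}")
    for entry in os.scandir(root):
        if not entry.is_file():
            continue
        total += 1
        lower = entry.name.lower()
        if lower.endswith(NOTE_EXTS) and any(h in lower for h in NOTE_HINTS):
            notes.append(entry.name)
        with open(entry.path, "rb") as fh:
            data = fh.read()
        if len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            high += 1
    ratio = high / total if total else 0.0
    if alerts or (notes and ratio >= 0.5):
        verdict = "ransomware_suspected"
    elif ratio >= 0.8 and total >= 5:
        verdict = "review"   # archive and media folders look like this too
    else:
        verdict = "clean"
    return {"verdict": verdict, "alerts": alerts, "ransom_notes": notes,
            "high_entropy_ratio": round(ratio, 2)}


def simulate_encryption(root: str) -> None:
    """Stand-in for the encryptor: random bytes have the same entropy profile as
    real ciphertext. Files are renamed and a note is dropped, as described above."""
    for entry in list(os.scandir(root)):
        if entry.is_file():
            size = entry.stat().st_size
            with open(entry.path, "wb") as fh:
                fh.write(os.urandom(size))
            os.replace(entry.path, entry.path + ".locked")
    with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "w") as fh:
        fh.write("Your files have been encrypted. (Constructed sample note.)\n")


def demo() -> tuple:
    """Plant canaries beside ordinary files, scan, run the simulation, rescan."""
    root = tempfile.mkdtemp(prefix="canary_demo_")
    try:
        for i in range(5):   # constructed ordinary documents
            with open(os.path.join(root, f"report_{i}.txt"), "w") as fh:
                fh.write("Quarterly figures, nothing unusual here.\n" * 40)
        baseline = plant_canaries(root, ["!!_canary.docx", "zz_canary.xlsx"])
        before = scan(root, baseline)
        simulate_encryption(root)
        after = scan(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return before, after
```

Entropy on its own is a noisy signal, since zip archives, images and already-encrypted backups all read as random, which is why the verdict leans on the canaries and only treats a high-entropy ratio as confirmation. In production the scan would run on a schedule against the shares that accounts and management staff can write to, and a canary alert should disable that user's share access first and investigate second.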
Paying the ransom is no guarantee that you will get your data decrypted; ultimately you are dealing with criminal gangs. Reports are mixed: some victims say they paid the ransom and never heard anything back from the attackers, while others were sent decryption keys. There are other risks too, such as attackers letting you download ‘decryptor’ software that is itself another piece of malware, opening up further attack vectors in future.
The best defence against ransomware is to NEVER open an attachment or file that you are not expecting and that is not from a sender you know or trust; if you are unsure, even if there is the slightest doubt, check by contacting Extrinsica Global Support. However, we are human and attackers are experts at manipulating our trust, so these attacks are likely to continue. A multi-layered defence is deployed on the EV3 Cloud Fabric to ensure the highest levels of security and to stop threats before they reach users. Ransomware evolves daily: it is a constant race between anti-virus vendors updating their signatures to detect these threats and malware authors modifying their code to evade that protection, which is why signature-based detection alone cannot be relied on, and why backups that the affected user account cannot overwrite matter so much for recovery. It is important to educate your users about the existence of these threats, and if there is any doubt as to the authenticity of an email or attachment, we are here to assist you.
Ransomware in Action – What an Attack Looks Like
If you are still unsure what a ransomware attack can do, or sceptical of its efficiency at encrypting your data, see the video we created in our virus sandbox environment: