
Ransomware

Module 13 explores ransomware, a type of malicious software that blocks access to computer systems or files until a ransom is paid. It highlights the significant and widespread impact of ransomware, which poses threats to individuals, businesses, and government entities. This module examines how ransomware infiltrates systems—often through phishing emails, malicious attachments, or compromised websites—and encrypts files, rendering them inaccessible without a decryption key.

The module discusses the financial motivation behind ransomware attacks and how cryptocurrencies like Bitcoin facilitate these transactions due to their pseudonymous nature. It categorizes different types of ransomware, including crypto-ransomware, locker ransomware, and doxware, and mentions notable strains such as WannaCry and NotPetya.

This module also emphasizes why businesses and institutions are prime targets due to their critical data and the potential for higher ransom payouts. It covers the severe consequences of ransomware attacks, including financial loss, reputational damage, and operational disruptions, particularly in critical sectors like healthcare.


Learning Objectives

After completing this module, you should be able to:

  • define ransomware and explain its impact on individuals, businesses, and government organizations.
  • identify common methods by which ransomware infects systems, including phishing emails and compromised websites.
  • describe the various types of ransomware, such as crypto-ransomware, locker ransomware, and doxware, and provide examples like WannaCry and NotPetya.
  • discuss the financial motivations behind ransomware attacks and the role of cryptocurrencies in facilitating ransom payments.
  • analyze the potential consequences of ransomware attacks, including financial losses, reputational damage, and disruptions to critical infrastructure.
  • evaluate different strategies to prevent and mitigate ransomware attacks, such as software updates, antivirus software, firewalls, and data backups.
  • examine the controversy surrounding the payment of ransom and its implications for future cyberattacks.
  • explore the evolving nature of ransomware tactics, including double extortion and Ransomware-as-a-Service (RaaS), and the importance of international collaboration in combating these threats.

Summary

Ransomware is a type of malicious software designed to block access to a computer system or files until a sum of money, or ransom, is paid to the attacker. It has become a significant and widespread cybersecurity threat, affecting individuals, businesses, and even government organizations.

Ransomware typically enters a system through phishing emails, malicious attachments, or compromised websites. Once inside, it encrypts files on the infected system, rendering them inaccessible without the decryption key.

Attackers use ransomware for financial gain. Victims are coerced into paying the ransom to regain access to their files. Cryptocurrencies, such as Bitcoin, are often demanded as payment due to their pseudonymous nature, making it more challenging to trace the transactions.

Ransomware comes in various forms, including crypto-ransomware, which encrypts files; locker ransomware, which locks the system; and doxware, which threatens to expose sensitive information. Notable ransomware strains include WannaCry, Ryuk, NotPetya, and Maze.

While individuals can be victims, businesses and institutions are often prime targets due to the potential for larger payouts and the critical nature of their data. Regularly updating software and systems can help patch vulnerabilities that ransomware exploits. Employing robust cybersecurity measures, such as firewalls and antivirus software, can help detect and prevent ransomware attacks. Regularly backing up data and storing it in a secure, offline location can mitigate the impact of an attack.

Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. Critical infrastructure, such as healthcare systems or government services, can be particularly vulnerable, with potential life-threatening implications.

Paying the ransom is a controversial topic. Some argue that paying encourages further attacks, while others argue that it may be the only way for some organizations to recover their data. Governments and law enforcement agencies work to track down and prosecute ransomware operators, but the international and decentralized nature of such attacks makes it challenging.

Ransomware tactics continue to evolve. Attackers may now engage in double extortion, where they not only encrypt files but also threaten to release sensitive information. Ransomware-as-a-Service (RaaS) allows less technically proficient individuals to launch ransomware attacks, further increasing the threat landscape.

Addressing the ransomware threat requires a multi-faceted approach involving technological defenses, user education, and international collaboration to track and prosecute cybercriminals. Organizations and individuals should remain vigilant to minimize the risk of falling victim to ransomware attacks.

Key Terms/Concepts

CISA
Cyber risk assessment
Crypto ransomware
Double extortion
Leakage or "extortionware"
Locker ransomware
Mobile device ransomware
Negotiators
Non-encrypting ransomware
Ransomware
Ransomware as a Service (RaaS)
Risk management

Read, Review, Watch and Listen

  1. Read Ransomware 101 (CISA, 2022)
  2. Read Preparing for a Cyber Incident: Preparing for a Cyber Incident – A Guide to Ransomware v 1.1 (U.S. Secret Service Cybercrime Investigations, 2022)
  3. Review Cybersecurity & Infrastructure Security Agency (CISA) – CISA Ransomware Guide (Oct. 2023).
    1. CISA Ransomware Guide – Overview and Updates
  4. Review the CISA website and learn about the agency and its mission.
  5. Review Ransomware Statistics, Trends and Facts for 2022 and Beyond (Cloudwards, March 2022)
  6. Watch What is Ransomware, How it Works and What You Can Do to Stay Protected (kasperskylab, Dec. 2016) [also embedded below]
  7. Watch Ransomware is booming as a business model: “It’s like eBay” (CBS News, May 2021)
  8. Listen to Government Collaboration Needed To Prevent Ransomware Attacks

 

 

Read, Review, Watch and Listen to all listed materials by the due date listed within the course LMS site.

Contact the professor with any course-related questions. Report any broken links to Dr. Ramirez-Thompson (thompsne@cod.edu).

Activity – Ransomware as a Service (RaaS)

STOP!!

Note: This is a copy of the module’s activity that students find within Blackboard. For that reason, refer to the Activities page to submit your work for review.

Purpose

The purpose of this activity is to explore ransomware as a service (RaaS) and enhance students’ understanding of how it operates.

Overview

Ransomware as a Service (RaaS) is a business model where ransomware operators partner with affiliates, who pay to launch attacks created by the operators. RaaS adopts the same structure as the Software as a Service (SaaS) business model. In the past, successful hackers required coding skills, but with the rise of the RaaS model, this technical expertise has become less essential.

Instructions

  1. Read Ransomware as a Service: Enabler of Widespread Attacks (Trend Micro, Oct. 2021)
  2. Read WHAT IS RANSOMWARE AS A SERVICE (RAAS) AND HOW DOES IT WORK? (BEFORECRYPT, last accessed May 2022)
  3. Review CISA’s I’ve Been Hit By Ransomware! (last accessed, November 2024).
  4. Watch DarkSide and other gangs exploit companies that aren’t prepared for ransomware attacks (TechRepublic, July 2021) [also embedded below]

Answer the following questions:

  • Explain how RaaS makes it easier for those lacking technical skills to engage in a ransomware attack.
  • In your own words, explain why the RaaS business model is so popular.
  • Describe factors that might discourage ransomware operators from attacking certain targets. Make a concerted effort to integrate course-related terms/concepts in this and previous responses.
  • After finishing the readings and video, explain why RaaS makes ransomware more accessible to people with limited technical skills and how this shift impacts organizations and law enforcement.

Key Terms/Concepts

| Concept | Definition |
|---|---|
| RaaS subscription model | A service where ransomware tools are sold or leased to affiliates who pay to use them. |
| Operators and affiliates | Operators create and manage the ransomware. Affiliates buy access and carry out the attacks. |
| Limited technical expertise needed | Affiliates no longer need coding skills because operators provide ready-made tools. |
| Profit-sharing | A business arrangement where operators and affiliates split the ransom payments. |
| Dark web marketplaces | Online spaces where RaaS kits, tools, and support services are bought and sold. |
| Double extortion | Attackers encrypt data and also threaten to leak it unless the victim pays. |
| Cryptocurrency payments | A preferred payment method because it helps attackers stay anonymous. |
| CISA response guidance | Recommended steps for victims, such as isolating systems, reporting the incident, and avoiding ransom payments. |
| Expanded offender pool | RaaS increases the number of attackers because entry barriers are much lower. |

Supplemental Resources

Read, Review, Watch and Listen to all listed materials by the due date listed within the course LMS site.

Click HERE to report any needed updates, e.g., broken links.

 


License


Computers and Criminal Justice Copyright © 2021 by Eric R. Ramirez-Thompson, PhD is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.