Ransomware
Module 13 explores ransomware as a form of malware used to extort companies and/or services. A brief overview of the nature and extent of ransomware is provided. In addition, ransomware as a service (RaaS) as an emerging criminal business is reviewed.
Learning Objectives
After completing this module, you should be able to:
- Define ransomware
- Describe differences between types of ransomware
- Identify suitable targets for ransomware
- Discuss ways that individuals and businesses can protect themselves from the growing threat of ransomware
- Analyze how ransomware is used to extort for profit
Summary
Ransomware is a type of malicious software designed to block access to a computer system or files until a sum of money, or ransom, is paid to the attacker. It has become a significant and widespread cybersecurity threat, affecting individuals, businesses, and even government organizations.
Ransomware typically enters a system through phishing emails, malicious attachments, or compromised websites. Once inside, it encrypts files on the infected system, rendering them inaccessible without the decryption key.
Attackers use ransomware for financial gain. Victims are coerced into paying the ransom to regain access to their files. Cryptocurrencies, such as Bitcoin, are often demanded as payment due to their pseudonymous nature, making it more challenging to trace the transactions.
Ransomware comes in various forms, including crypto-ransomware, which encrypts files; locker ransomware, which locks the system; and doxware, which threatens to expose sensitive information. Notable ransomware strains include WannaCry, Ryuk, NotPetya, and Maze.
While individuals can be victims, businesses and institutions are often prime targets due to the potential for larger payouts and the critical nature of their data. Regularly updating software and systems can help patch vulnerabilities that ransomware exploits. Employing robust cybersecurity measures, such as firewalls and antivirus software, can help detect and prevent ransomware attacks. Regularly backing up data and storing it in a secure, offline location can mitigate the impact of an attack.
Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. Critical infrastructure, such as healthcare systems or government services, can be particularly vulnerable, with potential life-threatening implications.
Paying the ransom is a controversial topic. Some argue that paying encourages further attacks, while others argue that it may be the only way for some organizations to recover their data. Governments and law enforcement agencies work to track down and prosecute ransomware operators, but the international and decentralized nature of such attacks makes it challenging.
Ransomware tactics continue to evolve. Attackers may now engage in double extortion, where they not only encrypt files but also threaten to release sensitive information. Ransomware-as-a-Service (RaaS) allows less technically proficient individuals to launch ransomware attacks, further increasing the threat landscape.
Addressing the ransomware threat requires a multi-faceted approach involving technological defenses, user education, and international collaboration to track and prosecute cybercriminals. Organizations and individuals should remain vigilant to minimize the risk of falling victim to ransomware attacks.
Key Terms/Concepts
Cyber risk assessment
Crypto ransomware
Double extortion
Leakage or "extortionware"
Locker ransomware
Mobile device ransomware
Negotiators
Non-encrypting ransomware
Ransomware
Ransomware as a Service (RaaS)
Risk management
Read, Review, Watch and Listen
- Read Ransomware 101 (CISA, 2022)
- Read Preparing for a Cyber Incident – A Guide to Ransomware v 1.1 (U.S. Secret Service Cybercrime Investigations, 2022)
- Review Ransomware Guide (CISA / MS-ISAC, 2022)
- Review Ransomware Statistics, Trends and Facts for 2022 and Beyond (Cloudwards, March 2022)
- Watch What is Ransomware, How it Works and What You Can Do to Stay Protected (kasperskylab, Dec. 2016)
- Watch Ransomware is booming as a business model: “It’s like eBay” (CBS News, May 2021)
- Listen to Government Collaboration Needed To Prevent Ransomware Attacks
Read, Review, Watch and Listen to all listed materials by the due date listed within the course LMS site.
Contact the professor with any course-related questions. Report any broken links to Dr. Ramirez-Thompson (thompsne@cod.edu).
Purpose
The purpose of this activity is to explore ransomware as a service (RaaS) and strengthen the student’s understanding of how it works.
Overview
Ransomware as a Service (RaaS) is a business model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by operators. Ransomware as a Service (RaaS) is an adoption of the Software as a Service (SaaS) business model. In the past, coding erudition was a requirement for all successful hackers. But now, with the introduction of the RaaS model, this technical prerequisite has been completely diluted.
Instructions
- Read Ransomware as a Service: Enabler of Widespread Attacks (Trend Micro, Oct. 2021)
- Read What Is Ransomware as a Service (RaaS) and How Does It Work? (BeforeCrypt, last accessed May 2022)
- Watch DarkSide and other gangs exploit companies that aren’t prepared for ransomware attacks (TechRepublic, July 2021)
Answer the following questions:
- Explain how RaaS makes it easier for those lacking technical skills to engage in a ransomware attack.
- In your own words, explain why the RaaS business model is so popular.
- Describe factors that might discourage ransomware operators from attacking certain targets.
Key Terms/Concepts
Negotiators, in the context of ransomware as a service (RaaS), are those who act as negotiators between hackers and victims.
Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.
Ransomware as a service (RaaS) equips prospective attackers, even those who possess minimal technical skills and knowledge, with the ammunition they need to launch attacks. This in turn helps ransomware spread quickly to more targets. What exactly is RaaS, and which ransomware families and techniques are associated with it?
Refer to the course learning management system (LMS), that is, Blackboard (BB), for the correct due date. In addition, submit your work via BB for grading.
Supplemental Resources
- Ransomware attack on ICBC disrupts US Treasury market (Financial Times, Nov. 9, 2023) [last accessed Nov. 2023]
What should I accomplish by the end of Week 13?
Check items off as you complete them!
□ Read, Review, Watch, and Listen (Module 13) – Ransomware
□ Complete Exam 3 (Modules 8-12)
□ Complete Module 13 Quiz
□ Complete Activity 13 – Ransomware as a Service (RaaS)
□ Explore Module 13 resources
□ NOTE: The topical paper is due within four weeks; that is, Sunday, Dec. 3rd
Unless otherwise stated, everything listed on this checklist is due by Sunday, Nov 19 @ 11:59PM
Contact Dr. Ramirez-Thompson (thompson@cod.edu or via Remind) with any course-related questions.
Cyber risk assessment: Identifies the various information assets that could be affected by a cyber-attack (such as hardware, systems, laptops, customer data, and intellectual property), and then identifies the various risks that could affect those assets.
Crypto ransomware: A type of harmful program that encrypts files stored on a computer or mobile device in order to extort money. Encryption 'scrambles' the contents of a file, so that it is unreadable. To restore it for normal use, a decryption key is needed to 'unscramble' the file.
Double extortion: Also known as pay-now-or-get-breached, this is a growing ransomware strategy in which the attackers initially exfiltrate large quantities of private information, then encrypt the victim's files.
Locker ransomware.
Leakage or "extortionware": A form of cyberattack in which threat actors threaten to harm a target in some way if their demands are not met.
Locker ransomware: A virus that infects PCs and locks the users’ files, preventing access to data and files located on the PC until a ransom or fines are paid. Locker demands a payment of $150 via Perfect Money or a QIWI Visa Virtual Card number to unlock files.
Mobile device ransomware: A form of malware that affects mobile devices. A cybercriminal can use mobile malware to steal sensitive data from a smartphone or lock a device, before demanding payment to return the data to the user or unlock the device.
Negotiators: In the context of ransomware as a service (RaaS), negotiators are those who act as intermediaries between hackers and victims.
Non-encrypting ransomware: Tends to fall into more of the “scareware” category. In other words, their bark is worse than their bite. Usually, these types of malware display a message that takes up the entire screen and states that your computer has been taken over by a Federal Law Enforcement Agency (i.e. FBI, CIA, NSA) and demands you pay the ransom or face criminal charges, fines or even imprisonment.
Ransomware: A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files until a ransom is paid.
Ransomware as a Service (RaaS): Equips prospective attackers, even those who possess minimal technical skills and knowledge, with the ammunition they need to launch attacks. This in turn helps ransomware spread quickly to more targets.
Risk management: The process of identifying, analyzing, evaluating, and addressing your organization’s cyber security threats.