Hotel cybersecurity training - Ransomware, from ENISA, FBI, NIST

Ransomware, from ENISA

What is ransomware?

Ransomware is a type of malware (like viruses, Trojans, etc.) that infects the computer systems of users and manipulates the infected system so that the victim cannot (partially or fully) use it or the data stored on it. Shortly afterwards the victim usually receives a blackmail note by pop-up, pressing the victim to pay a ransom (hence the name) to regain full access to the system and files.

How does ransomware work?

Attackers resort to different types of tactics to achieve their goals. One type of ransomware, like the notorious and sophisticated Cryptolocker encrypts the user's files with a key only known to the attacker. Another type of ransomware (like Winlocker) simply blocks access to the system but leaves the files untouched.

How is ransomware used?

A user of a system infected with ransomware is usually confronted with an extortion message (in many cases a windows popup) asking the victim to pay a ransom fee to the attacker in order to regain access to their system and files. The already mentioned Cryptolocker accepts payments in the digital currency Bitcoins, which gives the attacker an additional layer of anonymity. In the case of Cryptolocker the victim, after payment, receives the key and the method to decrypt their files again and regain full access.

It is reported that criminals, their tools and their back-office structures are getting more and more sophisticated and (in a distorted way) more "user friendly". Not only is the intrusion into a victim's system carried out with utmost precision and elaborate tools, but the act of "supporting" the victim in restoring their systems also receives more and more attention from the criminals. Some groups even offer helpdesk functionality for victims facing problems with bitcoins, payment or the application of the key.

How is ransomware distributed?

Ransomware propagates via the same channels as other kinds of malware, such as phishing email, water-holing and other drive-by attacks. On rare occasions and for high-profile targets, ransomware might be planted by more sophisticated methods in a direct, targeted attack.

Ransomware, considerations and recommendations.

As truly targeted attacks against end users are in most cases too costly for the attacker, ransomware is normally propagated like ordinary viruses, Trojans and other forms of malware, so the usual good practices to avoid these apply.

Ransomware, overview

Ransomware has become a popular weapon in the hands of malicious actors who try to harm governments, businesses and individuals on a daily basis. In such cases, the ransomware victim may suffer economic losses either by paying the ransom demanded or by paying the cost of recovering from the loss, if they do not comply with the attacker’s demands.

In an incident in 2019, Baltimore, Maryland suffered a lockout, and recovery is expected to cost US $18,2 million (ca. €15,4 million), although the city refused to pay the ransom.

With the number of incidents growing, it is evident that becoming a victim is not a question of 'if' but rather of 'when'. However, in most countries' fights against ransomware, several challenges still need to be addressed, such as the lack of coordination and collaboration between agencies and authorities, and the lack of legislation that clearly criminalises ransomware attacks.

Although cyber insurance policies have existed since early 2000, ransomware attacks are one of the main reasons for the increased interest in this type of insurance over the last 5 years. In some of the 2019 incidents, the ransom or the costs of recovery were covered by such contracts. Unfortunately, if potential ransomware targets are known to be insured, the attackers assume that they will most probably be paid.

Another downside for the victim is that insurance providers pay the ransom in advance to mitigate the damage and to keep the victim's reputation intact. However, such compliance by paying ransoms encourages the hacker community and ensures neither the victim's recovery nor their reputation.


- €10,1 billion estimated to be paid in ransoms during 2019. The amount of paid ransoms was US €3,3 billion more than in 2018.

- 365% increase in detections in businesses in 2019. Ransomware detection on machines in business environments increased compared with the first half of 2018.

- 66% of healthcare organisations experienced an attack. More than 66% of healthcare organisations experienced a ransomware attack in 2019.

- 45% of attacked organisations paid the ransom. This is the percentage of organisations attacked in 2019 that paid the ransom and half of them still lost their data.

- 28% of security incidents were attributed to malware. Ransomware was the second most common functionality following malware and was related to one-third (28%) of security incidents.

The most wanted.

LOCKERGOGA was first reported in January 2019 in an attack on the French engineering consultancy Altran Technologies. Its IT networks and all its applications went down, and the company's operations in several countries were affected. LockerGoga is dropped and executed via the PsExec tool, a light-weight telnet replacement that is able to pass some security checks as semi-valid software.

Once installed, the user accounts on the targeted system are modified and the system is forcibly logged off. In addition, the tool files are self-renamed and self-relocated and, as a result, become almost impossible to locate.

In later versions of LockerGoga, the lock-down is so tight that the victims are not even able to see the ransomware note or the instructions for recovery, even if the demands are met. Only a few anti-malware and anti-virus products are able to detect and defend systems against LockerGoga and a specific decryptor does not exist.

Other than Altran Technologies, Norsk Hydro and two United States-based chemical companies, Hexion and Momentive, were targeted by LockerGoga in 2019.

For the Norsk Hydro attack alone, the cost of the damage was estimated at US $50 million (ca. €42 million).

KATYUSHA is a ransomware trojan first used in October 2018. It encrypts the victim's files, deletes shadow copies and delivers attachments by email. Katyusha uses the EternalBlue and DoublePulsar exploits to spread. Unfortunately, no tools or decryptors are yet available for defence.

JIGSAW not only encrypts the victim's files, but also deletes them if the demands are not met within the deadline given, most commonly 24 hours.

Furthermore, if the victim attempts something like shutting down their computer, the deletion rate increases. It is no accident that this ransomware was named after a horror movie character. However, security companies constantly release updates for an efficient Jigsaw decryptor.

PEWCRYPT was created at the beginning of 2019 and, unlike most ransomware, its only goal is to force people to subscribe to the YouTube channel of PewDiePie.

PewDiePie was in a popularity competition with an Indian Bollywood channel, T-Series, and his fans decided to use PewCrypt to increase their idol's chances of winning.

PewCrypt is a typical ransomware spread by spam e-mails and malicious online advertisements. It was created in the Java programming language. In March 2019, the author himself released a decryption tool.

RYUK first appeared in August 2018 and was assumed to be associated with North Korean hacking groups. Soon enough, the Ryuk authors were proved to be the same group that became known for using the Hermes ransomware while also stealing its code. Ryuk’s main characteristics are its use of military algorithms and its targeted attacks on big enterprises. Moreover, most of its victims are asked to pay the ransom in Bitcoins.

DHARMA is a crypto virus that first appeared in 2016 but new versions are still being released. Dharma not only encrypts the victim’s files but also deletes any shadow copies.

In 2019, it was spread by contaminated files with popular, harmful or legitimate extensions such as ‘.gif’, ‘.AUF’, ‘.USA’, ‘.xwx’, ‘.best’ and ‘.heets’.

In September 2019, a security researcher released the Rakhni decryptor to help Dharma victims decrypt their files.

GANDCRAB was used for the first time in January 2018 and infected more than 50,000 systems in less than a month, becoming one of the most popular ransomware families of 2018. It exploits Microsoft Office macros, VBScript and PowerShell to attack undetected.

GandCrab is similar to Cerber: it is based on the ransomware-as-a-service (RaaS) model and allows the developers and the criminals to share the profit. A team formed by Europol, the Romanian police, the General Prosecutor's Office and Bitdefender managed to produce a decryptor tool after hacking the GandCrab servers.

The operators of GandCrab announced their retirement in Q2 2019 after collecting more than US $2 billion in ransom payments. However, the Sodinokibi ransomware, which has been observed in small campaigns, is alleged to be GandCrab's successor.

REVIL (also known as SODINOKIBI or SODIN) first appeared in a web attack on the Italian WinRAR tool in June 2019. It is also suspected of involvement in three MSP attacks and a fourth one against the American company PerCSoft, whose clientele is mainly from the healthcare sector.

Sodinokibi seems to be a product of the well-known cyber-espionage group FruityArmor, which has been active since 2016. Sodinokibi has affected several countries worldwide. Taiwan has suffered 17,56% of all recorded Sodinokibi attacks so far, making it Sodinokibi’s most targeted country.

In Europe, the most targeted countries are Germany (8,05%), Italy (5,12%) and Spain (4,88%). Sodinokibi is distributed by a RaaS model and encrypts the files needed for an attack to take place in a per-system manner. The attackers embed a ‘skeleton key’ within their code allowing them to remotely decrypt files, regardless of the original encryption.

However, if a computer has a Russian, Armenian, Syrian or certain other keyboard layout, it is not possible for Sodinokibi to encrypt it, a fact probably pointing to the origin of the authors.

SAMSAM continues to target critical infrastructure globally for a fifth consecutive year. SamSam attacks mainly focus on hospitals, healthcare companies and governmental organisations to ensure fast payment of big ransoms. It exploits vulnerabilities of the Remote Desktop Protocol (RDP). To date the group responsible for distributing SamSam has raised more than US $6 million (ca. €5 million) in ransom payments and has cost the victims more than US $30 million (ca. €25,4 million).

From the 2018 attack on the city of Atlanta alone, the damage and recovery costs amounted to US $17 million (ca. €14,4 million).

Mitigation, proposed actions.

- Maintain reliable backups that follow the 3-2-1 rule (i.e. maintain at least three copies, in two different formats, keeping one of those copies off-site).

- Invest in a cyber insurance policy covering ransomware attack damages.

- Use network segmentation, data encryption, access control, and policy enforcement to ensure minimum exposure of data.

- Use methods such as monitoring to quickly identify infections.

- Monitor access to and status of the public infrastructure used.

- Create a security operation centre (SOC) staffed by skilled security personnel within every organisation or company.

- Use appropriate and updated tools for ransomware prevention.

- Define exactly and implement a minimum set of user data access rights to minimise the impact of attacks (i.e. fewer rights, less data encrypted).

- Implement robust vulnerability and patch management.

- Implement content filtering to filter out unwanted attachments, emails with malicious content, spam and unwanted network traffic.

- Install end-point protection by means of anti-virus programs but also by blocking execution of files (e.g. block execution in the Temp folder).

- Use policies to control external devices and port accessibility.

- Use whitelisting to prevent unknown executables from being executed at endpoints.

- Invest in raising users’ awareness of ransomware especially with regard to secure browsing behaviour.
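The list above recommends "monitoring to quickly identify infections" without saying what a monitor should look for. The following script is an added example (not ENISA's code) of the two heuristics an endpoint monitor commonly uses for the encrypting ransomware described on this page: one process renaming many files to a new extension within a short window, and written content that is near-random (high Shannon entropy) where documents normally are not. The event stream, process ids and file paths are constructed inline for illustration.

```python
"""Heuristic detector for ransomware-like file activity (added example, not ENISA's code).

Input: a list of file events as an endpoint agent might deliver them, each a dict with
  ts (seconds), pid, op ('write' or 'rename'), path, and either data (for writes)
  or new_path (for renames). All event values below are constructed sample data.
"""
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0            # sliding window for the rename-rate check
RENAME_THRESHOLD = 20            # extension-changing renames per window that raise an alert
ENTROPY_THRESHOLD = 7.5          # bits/byte; text is ~4-5, encrypted or compressed data ~8
HIGH_ENTROPY_WRITE_THRESHOLD = 20  # high-entropy writes by one process that raise an alert


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0..8). Ciphertext sits very close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extension(path: str) -> str:
    """Lower-cased file extension, handling Windows and POSIX separators."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze(events):
    """Return {pid: [reasons]} for processes whose file activity looks like bulk encryption."""
    rename_times = defaultdict(deque)  # pid -> timestamps of extension-changing renames in window
    entropy_writes = defaultdict(int)  # pid -> number of high-entropy writes seen
    alerts = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["op"] == "rename" and extension(ev["path"]) != extension(ev["new_path"]):
            window = rename_times[pid]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and "mass-rename" not in alerts[pid]:
                alerts[pid].append("mass-rename")
        elif ev["op"] == "write" and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
            entropy_writes[pid] += 1
            if (entropy_writes[pid] >= HIGH_ENTROPY_WRITE_THRESHOLD
                    and "high-entropy-writes" not in alerts[pid]):
                alerts[pid].append("high-entropy-writes")
    return dict(alerts)


# Constructed sample content: every byte value equally often gives exactly 8.0 bits/byte,
# which is what encrypted output looks like; the text sample stays well below the threshold.
ENCRYPTED_LIKE = bytes(range(256)) * 4
PLAIN_TEXT = b"Quarterly occupancy report for the hotel, draft 3.\n" * 20


def build_sample_events():
    """Constructed event stream: one benign save plus one process encrypting 25 documents."""
    events = [
        {"ts": 0.5, "pid": 1111, "op": "write",
         "path": r"C:\Users\alice\Documents\rooms.docx", "data": PLAIN_TEXT},
        {"ts": 0.6, "pid": 1111, "op": "rename",
         "path": r"C:\Users\alice\Documents\~tmp1.tmp",
         "new_path": r"C:\Users\alice\Documents\rooms.docx"},
    ]
    for i in range(25):  # 25 overwrite+rename pairs within 5 seconds
        p = rf"C:\Users\alice\Documents\invoice{i}.pdf"
        events.append({"ts": 1.0 + i * 0.2, "pid": 4242, "op": "write", "path": p,
                       "data": ENCRYPTED_LIKE})
        events.append({"ts": 1.1 + i * 0.2, "pid": 4242, "op": "rename", "path": p,
                       "new_path": p + ".locked"})
    return events


if __name__ == "__main__":
    for pid, reasons in analyze(build_sample_events()).items():
        print(f"ALERT pid={pid}: {', '.join(reasons)}")
```

The thresholds are deliberately coarse; in practice they are tuned per environment, and the alert would feed a SOC (as the list also recommends) or trigger an automatic host isolation rather than only a printed line.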

Ransomware, from the FBI

Ransomware is a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return. Ransomware attacks can cause costly disruptions to operations and the loss of critical information and data.

You can unknowingly download ransomware onto a computer by opening an email attachment, clicking an ad, following a link, or even visiting a website that's embedded with malware.

Once the code is loaded on a computer, it will lock access to the computer itself or data and files stored there. More menacing versions can encrypt files and folders on local drives, attached drives, and even networked computers.

Most of the time, you don’t know your computer has been infected. You usually discover it when you can no longer access your data or you see computer messages letting you know about the attack and demanding ransom payments.

How does ransomware infect its victims?

Cyber criminals use a variety of techniques to infect victim systems with ransomware. Cyber criminals upgrade and change their techniques to make their attacks more effective and to prevent detection.

The FBI has observed cyber criminals using the following techniques to infect victims with ransomware:

Email phishing campaigns: The cyber criminal sends an email containing a malicious file or link, which deploys malware when clicked by a recipient. Cyber criminals historically used generic, broad-based spamming strategies to deploy their malware, while recent ransomware campaigns have been more targeted. Criminals may also compromise a victim’s email account by using precursor malware, which enables the cyber criminal to use a victim’s email account to further spread the infection.

Remote Desktop Protocol vulnerabilities: RDP is a proprietary network protocol that allows individuals to control the resources and data of a computer over the internet. Cyber criminals have used both brute-force methods, a technique using trial-and-error to obtain user credentials, and credentials purchased on darknet marketplaces to gain unauthorized RDP access to victim systems. Once they have RDP access, criminals can deploy a range of malware—including ransomware—to victim systems.

Software vulnerabilities: Cyber criminals can take advantage of security weaknesses in widely used software programs to gain control of victim systems and deploy ransomware. For example, cyber criminals recently exploited vulnerabilities in two remote management tools used by managed service providers (MSPs) to deploy ransomware on the networks of customers of at least three MSPs.
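The RDP paragraph above (and ENISA's SamSam entry earlier on this page) describes brute-forced or purchased credentials as the way in. The following is an added example, not FBI code, of the detection a defender would run over Windows logon events: it flags a source address that produces many failed RDP logons (event 4625, logon type 10) within a short window, and separately flags a successful logon (event 4624) from a source that was just failing heavily, which is the moment an intrusion actually begins. The log lines are constructed in a simplified one-line-per-event form, not the real Windows event XML, and the addresses and user names are illustrative.

```python
"""RDP brute-force detection over constructed logon events (added example, not FBI code).

Line format assumed here (constructed, simplified from the Windows Security log):
  <ISO-8601 UTC timestamp> EventID=<4624|4625> LogonType=<n> TargetUser=<name> SourceIP=<addr>
Event 4625 is a failed logon, 4624 a successful one; logon type 10 is RemoteInteractive (RDP).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10   # failed RDP logons from one source within the window
WINDOW_SECONDS = 300  # five-minute sliding window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(m["eid"]), "logon_type": int(m["ltype"]),
            "user": m["user"], "ip": m["ip"]}


def detect_rdp_bruteforce(lines):
    """Return {source_ip: [findings]} over lines assumed to be in chronological order."""
    failures = defaultdict(deque)   # ip -> timestamps of failed RDP logons inside the window
    findings = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["logon_type"] != 10:
            continue  # only RDP logons are of interest here
        window = failures[ev["ip"]]
        while window and (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if ev["event_id"] == 4625:
            window.append(ev["ts"])
            if len(window) >= FAIL_THRESHOLD and "rdp-bruteforce" not in findings[ev["ip"]]:
                findings[ev["ip"]].append("rdp-bruteforce")
        elif ev["event_id"] == 4624 and len(window) >= FAIL_THRESHOLD:
            # A success right after a burst of failures: treat as a probable compromise
            findings[ev["ip"]].append(f"success-after-failures:{ev['user']}")
    return dict(findings)


def fmt(ts, event_id, user, ip):
    return (f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} EventID={event_id} LogonType=10 "
            f"TargetUser={user} SourceIP={ip}")


def build_sample_log():
    """Constructed sample: a mistyped password, a brute-force burst, and a slow trickle."""
    base = datetime(2019, 3, 14, 2, 10, 0)
    lines = []
    # Legitimate user (constructed): two typos, then a successful logon
    for i, eid in enumerate((4625, 4625, 4624)):
        lines.append(fmt(base + timedelta(seconds=20 * i), eid, "jsmith", "198.51.100.5"))
    # Attacker (constructed): 30 failures in one minute, then a success
    for i in range(30):
        lines.append(fmt(base + timedelta(seconds=2 * i), 4625, "administrator", "203.0.113.7"))
    lines.append(fmt(base + timedelta(seconds=61), 4624, "administrator", "203.0.113.7"))
    # Slow trickle (constructed): 12 failures 400 s apart, never enough inside one window
    for i in range(12):
        lines.append(fmt(base + timedelta(seconds=400 * i), 4625, "guest", "192.0.2.9"))
    return sorted(lines)  # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    for ip, reasons in detect_rdp_bruteforce(build_sample_log()).items():
        print(f"ALERT {ip}: {', '.join(reasons)}")
```

The slow trickle is deliberately left undetected to show the limit of a fixed window: a patient attacker spreading attempts over hours needs a longer-horizon count or a per-account view, which is why the FBI's advice to keep RDP behind a VPN or to disable it where unused matters more than any single threshold.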

Tips for Avoiding Ransomware

The best way to avoid being exposed to ransomware—or any type of malware—is to be a cautious and conscientious computer user. Malware distributors have gotten increasingly savvy, and you need to be careful about what you download and click on.

Other tips:

- Keep operating systems, software, and applications current and up to date.

- Make sure anti-virus and anti-malware solutions are set to automatically update and run regular scans.

- Back up data regularly and double-check that those backups were completed.

- Secure your backups. Make sure they are not connected to the computers and networks they are backing up.

- Create a continuity plan in case your business or organization is the victim of a ransomware attack.
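Both source lists rely on backups: ENISA's 3-2-1 rule earlier on this page, and the FBI's "double-check that those backups were completed" and "make sure they are not connected". The following script is an added example, not FBI or ENISA code, of how those two checks are scripted: a policy check over an inventory of backup copies, and an integrity check that a backup copy still matches the SHA-256 manifest recorded when it was taken, so that a backup silently encrypted by ransomware is noticed before it is needed. The source tree, backup copy and tampering are constructed in a temporary directory so the example runs offline; the "medium", "offsite" and "offline" fields of the inventory are assumed names.

```python
"""Backup policy and integrity checks (added example, not FBI or ENISA code)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """Relative path -> SHA-256 for every file under source_dir, recorded at backup time."""
    return {str(p.relative_to(source_dir)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare a backup copy against its manifest; lists files missing or altered since."""
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupted.append(rel)
    return {"ok": not missing and not corrupted, "missing": missing, "corrupted": corrupted}


def check_321(copies) -> list:
    """3-2-1 policy check over an inventory of copies (assumed keys: medium, offsite, offline).

    Returns the list of violations; an empty list means the policy is met.
    """
    problems = []
    if len(copies) < 3:
        problems.append("fewer than three copies")
    if len({c["medium"] for c in copies}) < 2:
        problems.append("all copies on one medium type")
    if not any(c["offsite"] for c in copies):
        problems.append("no off-site copy")
    if not any(c["offline"] for c in copies):
        problems.append("no offline/disconnected copy")  # the FBI point: not reachable from the network
    return problems


def demo() -> dict:
    """Construct a source tree, back it up, verify, tamper with the backup, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp) / "source", Path(tmp) / "backup"
        (src / "bookings").mkdir(parents=True)
        (src / "bookings" / "march.csv").write_text("room,guest,nights\n101,A. Lee,2\n")
        (src / "policy.txt").write_text("Backup policy v1\n")
        manifest = build_manifest(src)        # recorded at backup time
        shutil.copytree(src, bak)             # the backup copy
        clean = verify_backup(bak, manifest)
        # Simulate a backup reachable from an infected host: one file overwritten, one deleted
        (bak / "bookings" / "march.csv").write_bytes(b"\x00\xff" * 16)
        (bak / "policy.txt").unlink()
        tampered = verify_backup(bak, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
    print(check_321([
        {"medium": "disk", "offsite": False, "offline": False},
        {"medium": "tape", "offsite": False, "offline": True},
        {"medium": "cloud", "offsite": True, "offline": False},
    ]))
```

The manifest must itself be stored with the offline copy (or signed), since an attacker who can rewrite the backup can otherwise rewrite the hashes too; and a verification run is only meaningful if it is scheduled, which is the "double-check" the FBI list asks for.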

Ransomware, from the NIST

Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access.

Here’s an example of how a ransomware attack can occur:

1. A user is tricked into clicking on a malicious link that downloads a file from an external website.

2. The user executes the file, not knowing that the file is ransomware.

3. The ransomware takes advantage of vulnerabilities in the user’s computer and other computers to propagate throughout the organization.

4. The ransomware simultaneously encrypts files on all the computers, then displays messages on their screens demanding payment in exchange for decrypting the files.

Ransomware disrupts or halts an organization’s operations and poses a dilemma for management: does the organization pay the ransom and hope that the attackers keep their word about restoring access, or does the organization not pay the ransom and restore operations themselves?

Fortunately, organizations can take steps to prepare for ransomware attacks. This includes protecting data and devices from ransomware and being ready to respond to any ransomware attacks that succeed.

Don’t assume your business is too small to get hit. The nature of ransomware is that the cybercriminals work to ensure their malware spreads as widely as possible, infecting the computers of individuals and businesses of all sizes.

Common ways ransomware can hit you:

Email – phishing emails can trick you into clicking on an attachment (“Urgent Invoice”) that allows the malicious software program to take over your computer.

Malware – if your network or software is vulnerable, a cybercriminal can sneak in and plant malicious code. It might sit unnoticed for a period of time, giving the bad guys time to access files and steal data, and then finish by unleashing ransomware so you can't see the damage.

Ransomware is a common threat against any business, large or small. It can put a company out of business or disrupt operations for a long period of time. Paying the ransom can be very expensive and there’s no guarantee that data will ever be recovered. If customer data is stolen, it may trigger state data breach notification laws.
