What do you need to know about ransomware and wiping?

The question is, who needs to know what about ransomware and wiping? Both crimes are related, but clearly different in their objective. The purpose of learning about these types of crimes is to be able to arm oneself against them.

What one needs to know about ransomware takes place on the following three levels:

  • Those things that everyone needs to know.
  • Those things that decision-makers and the board need to know.
  • Those things the CISO and the CRO need to know.

In this post, I give my own opinion, not that of any organization.
Author: Manu Steens

Ransomware and Wiping, in short.

Ransomware is a type of malware that blocks access to a computer system or files until the victim pays a ransom, often in cryptocurrency.

Wiping usually refers to completely deleting data from a digital storage device. When it is done as an attack, the goal is nothing more than to cause harm, for whatever reason.

What is ransomware? What is the difference with wiping?

Ransomware usually operates by encrypting files, thereby rendering them inaccessible. The criminal thus forces the victim to ‘buy’ a decryption key. Ransomware can be delivered in a variety of ways:

  • Through infected emails with an attachment or link that carries the ransomware.
  • Through unsafe websites that automatically download the ransomware onto your computer.
  • Through infected software that you download from an untrustworthy source.
  • Finally, by exploiting vulnerabilities in software or operating systems.

Wiping does not allow you to recover the data using standard file recovery methods. This process is often used legitimately in data security practices, such as when decommissioning old computers or mobile devices, where the goal is to prevent data breaches. But it can also be criminal, and the goal is then to cause harm.

In both cases, the attack normally results in financial loss, data breaches, and operational disruptions.

What’s the difference?

The difference between ransomware and wiping is that ransomware exists to make ransom demands. One might be able to restore the files if one ‘buys’ the decryption key, or one can restore a backup. Wiping exists to destroy data: wiped files can be restored, at best partially, only from a proper backup. A “wiper” does not demand a ransom.

A well-known example of ransomware is WannaCry.

This was an infamous ransomware attack that took place in May 2017. It affected hundreds of thousands of computers around the world, including systems in hospitals, government agencies, and businesses. According to Datanews, the exploit used by WannaCry, EternalBlue (against SMB), was one of the tools that the hacking group TheShadowBrokers had taken from the American intelligence service NSA and leaked in April 2017.

A very recent example of ransomware is Sodinokibi (also known as REvil).

Avast Business writes: “Sodinokibi (also known as REvil or Ransomware Evil) first emerged in 2019 and was developed – presumably in Russia – as a private RaaS (Ransomware-as-a-Service) action. Right off the bat, the sheer scope and efficiency of Sodinokibi became apparent, as it was already the fourth most common type of ransomware in the first four months of its existence.”

What are KRIs for Ransomware?

Examples of KRIs, according to PwC, to monitor the risk of ransomware include:

  • the number, frequency and severity of phishing events,
  • the number of outstanding critical points,
  • email security issues, or
  • leaked credentials.

Other indicators of suspicious behavior pointing to ransomware can be found in the article “What Decision-Makers Need to Know About Ransomware Risk: Data Science Applied to Ransomware Ecosystem Analysis” by Vladimir Kropotov, Bakuei Matsukawa, Robert McArdle, Fyodor Yarochkin, Shingo Matsugaya (Trend Micro), Erin Burns, Eireann Leverett (Waratah Analytics):

“Behavior similar to that of ransomware can be subject to profiling and deployed as alert rules to let defenders know when IT security detects such behavior in an organization’s network. The following are some possible indicators of such behavior:

  • Creating profiles of encryption patterns, algorithms, and key lengths that one considers normal on the defender’s network. Any outliers can be indicators of ransomware.
  • Detecting partial encryption of files. This is used by several ransomware families, including LockBit and BlackCat, as part of their speed optimization process. For the vast majority of companies, this has almost no legitimate use case outside of this context.
  • Detecting a 50/50 read-write ratio when files are encrypted on the host. This may be a deviation from the normal behavior of the host, except most likely in some local backup scenarios.
  • Creating interhost connectivity profiles that security can track by time of day and day of the week. Hosts that have specific roles in an organization must have specific communication peers, timings, connections, and volume of data transferred. Defenders can be alerted to anomalies outside of these profiles.”
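As an added illustration (my own example, not code from the Trend Micro article), the following Python sketch turns two of the quoted indicators into concrete checks: it classifies a file as plain, fully encrypted or partially (head-only) encrypted by comparing the byte entropy of its leading block with the rest, and it flags a process whose read and write byte counts sit near 50/50, as happens when files are read and rewritten in place. All file contents and I/O events below are constructed samples; the 4096-byte head size, the 7.5 bits/byte entropy threshold and the ±5% tolerance are assumptions to tune per environment.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed bytes, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(content: bytes, head: int = 4096, threshold: float = 7.5) -> str:
    """'partial' when only the leading block looks encrypted (the speed optimization
    the quoted article describes), 'full' when the whole file does, 'plain' otherwise."""
    if len(content) <= head:
        return "full" if shannon_entropy(content) >= threshold else "plain"
    head_hi = shannon_entropy(content[:head]) >= threshold
    tail_hi = shannon_entropy(content[head:]) >= threshold
    if head_hi and tail_hi:
        return "full"
    if head_hi:
        return "partial"
    return "plain"

def write_share(events) -> float:
    """events: (op, nbytes) pairs with op 'read' or 'write'; fraction of all bytes written."""
    read = sum(n for op, n in events if op == "read")
    write = sum(n for op, n in events if op == "write")
    total = read + write
    return write / total if total else 0.0

def balanced_rw(events, tolerance: float = 0.05) -> bool:
    """True when reads and writes are near 50/50, i.e. files read and rewritten in place.
    Local backup jobs are the expected benign exception the article mentions."""
    return abs(write_share(events) - 0.5) <= tolerance

# Constructed samples (not real telemetry): a deterministic "encrypted-looking" block in
# which every byte value is equally frequent (entropy exactly 8.0) and a repetitive text body.
ENC_BLOCK = bytes(range(256)) * 16                     # 4096 bytes
TEXT_BODY = b"quarterly report, draft 3\n" * 400        # low-entropy text
PARTIAL_FILE = ENC_BLOCK + TEXT_BODY                   # only the head was encrypted
FULL_FILE = ENC_BLOCK * 3
PLAIN_FILE = TEXT_BODY * 2
# Constructed per-process I/O: an encryptor reads each file and writes it back -> 50/50 by bytes.
ENCRYPTOR_EVENTS = [("read", 65536), ("write", 65536)] * 40
BACKUP_EVENTS = [("read", 65536)] * 40 + [("write", 1024)] * 5   # read-heavy, not alerted

if __name__ == "__main__":
    for name, f in [("partial", PARTIAL_FILE), ("full", FULL_FILE), ("plain", PLAIN_FILE)]:
        print(name, "->", classify_file(f))
    print("encryptor balanced:", balanced_rw(ENCRYPTOR_EVENTS), "backup balanced:", balanced_rw(BACKUP_EVENTS))
```

In a real deployment the entropy check would run on file-write events from an EDR or file-system monitor, and the read/write ratio on per-process I/O counters over a short window.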

What do decision-makers need to know about ransomware?

Decision-makers need to understand a few things about ransomware in order to protect against and respond to it effectively:

  • How ransomware works: It is crucial to know that it encrypts files on a computer, after which the perpetrator demands a ransom to reverse the encryption.
  • How it spreads: via e.g. email attachments, malicious websites or other vulnerabilities in systems.
  • What the potential impact is: data loss, financial losses, operational downtime, and reputational damage.
  • That preventive measures are possible: such as regular software updates, the use of antivirus programs and firewalls, training employees about phishing, and regularly backing up data and practicing restoring from those backups.
  • That one needs a response plan for ransomware attacks: including isolating infected systems, reporting the incident to the authorities, and forensically analyzing the event to determine the severity of the situation.
  • The existence of legal and compliance issues: There are legal implications, including potential obligations to report data breaches and the requirements of the GDPR if the criminals breached personal data prior to encryption.
  • That paying the ransom is only sometimes an option: it is usually better not to recommend this, because payment does not guarantee (full) recovery.
  • That cooperation and information sharing about the attack with other organizations in the same and other sectors and with government agencies contributes to a better understanding of it and to efforts to prevent more damage.

In the same Trend Micro article by Vladimir Kropotov, Bakuei Matsukawa, Robert McArdle, Fyodor Yarochkin, Shingo Matsugaya (Trend Micro), Erin Burns, Eireann Leverett (Waratah Analytics), one also finds:

  • Victims who pay cover the operational costs of attacks on those who don’t.
  • The risk of ransomware varies by region, industry, and organization size.
  • Most ransomware victims don’t pay, but those who do pay quickly.
  • Challengers are aiming for top positions in the ransomware arena.
  • Mitigate ransomware attacks with a zero-trust approach.

Who is behind ransomware attacks? And who is behind Wiping attacks?

Who Is Behind Ransomware Attacks

There are several profiles of criminals who perpetrate these attacks:

  • Cybercriminal groups distribute ransomware for financial gain.
  • Individual hackers can create their own malware or use existing ransomware kits available online on the dark web.
  • State-backed actors carry out ransomware attacks as part of sabotage or for geopolitical purposes. This is very difficult to demonstrate.

Who Is Behind Wiping Attacks

There are also several profiles of those behind wiping attacks:

  • State hackers carry out wiping attacks as part of espionage, sabotage, or cyber warfare. These attacks sometimes aim at destroying the enemy’s data and infrastructure or serve political or military purposes.
  • Hacktivists are individuals or groups who hack and carry out cyberattacks as political protest or activism. They can act against certain organizations, governments or policies.
  • Sometimes, internal actors commit wiping attacks to take revenge on an organization.

A number of critical success factors explain why ransomware is used more and more:

  • Ransomware can be extremely profitable. In addition, the use of cryptocurrency such as Bitcoin makes the payment of ransom relatively anonymous and difficult to trace.
  • Ready-made ransomware kits are available on the dark web. Because of this, even less experienced hackers are able to carry out lucrative ransomware attacks.
  • There is a wide range of targets. Virtually any type of target is possible, including individuals, small businesses, large corporations, government agencies, and critical infrastructure.
  • The phenomenon features highly effective distribution methods, including phishing emails, malicious websites, exploit kits, and software vulnerabilities. This means a lot of results for relatively little effort.
  • It causes anxiety and urgency, especially if business-critical data is encrypted. This leads to an impulsive payment of the ransom without considering alternative solutions.
  • The malware is difficult to detect and remove due to the use of advanced encryption algorithms. This increases the likelihood of victims paying.

Finally, what can you do preventively against ransomware and wiping?

  • Make backups systematically.
  • Use quality antivirus and anti-malware software.
  • Be careful with links you open and software and data you download. Only do that from reliable sources.
  • Install security patches for your software to close the known vulnerabilities.
  • Educate employees about phishing tactics and encourage them to behave cautiously online.

Manu Steens

Manu works at the Flemish Government in risk management and Business Continuity Management. On this website, he shares his own opinions regarding these and related fields.
