Ransomware Evolved: New Forms of Attack


By now you’ve either heard of ransomware or have been the unfortunate victim of its destructive nature. Ransomware has evolved over the years, and nowadays the main targets of ransomware seem to be public or private organizations as opposed to individuals. Although individuals are not immune to ransomware, the attackers have focused efforts on large-scale attacks to yield the most profit from their investment. Most individuals can recover from ransomware attacks by restoring their files from the cloud, while many organizations still struggle to keep pace with proper backup and restoration protocols.

So, what is ransomware? Traditionally, it was a form of malware that locks and encrypts files on a victim’s computer or device, then demands a ransom payment in order to restore access. In most cases, the victim must pay the cyber criminals within a set amount of time or they will risk losing their data permanently. However, paying the ransom does not guarantee that access to data will be restored.

As ransomware has evolved to evade modern detection and remediation, so too have the tactics, techniques, and procedures (TTPs) of the criminals behind many of the large-scale attacks you’ve probably seen in the mainstream news recently. These attackers are not only causing damage to the systems and data that are critical to running operations; they are often exfiltrating sensitive data long before they execute the ransomware payload. They use the exfiltrated data as additional leverage to secure payment in cases where an organization can successfully restore its systems and data from backups. The attackers will then demand a ransom by threatening to release the data either publicly or to the highest bidder on the underground marketplace. In many recent cases, attackers have also contacted the media and individuals affected by the data breach in order to put additional pressure on the victim organizations to pay.


Where does ransomware come from?

The 2021 Verizon Data Breach Investigations Report attributed 85% of breaches to some sort of human element and found that 61% involved credentials, whereas only 3% of breaches were the result of vulnerability exploitation. Most ransomware seen in the wild still originates from a phishing email leading to credential compromise or direct malware deployment; however, some of the most widespread and destructive ransomware attacks in recent memory have targeted software and networking services providers and leveraged their existing remote connections to infect all of their clients. In an organizational setting, once the attackers have credentials, they can move laterally across the organization looking for opportunities to deploy their ransomware. Once a device becomes infected, ransomware restricts access to files by encrypting data so that a decryption key or code is required to regain access. At this point, a ‘ransom’ notification will pop up asking for funds before access to the data is restored.

Reporting ransomware


Most police services do not endorse the payment of ransoms, as it encourages further victimization. The Ontario Provincial Police (OPP) issued an advisory warning about the risks of paying ransomware demands, as there is no guarantee that paying will result in all encrypted data being recovered.

The role of law enforcement is to investigate the incident to find the cyber criminals who are responsible. Officers and analysts will work alongside the victim to preserve and collect any digital evidence and intelligence without interfering in the organization’s remediation efforts. Data collected by law enforcement as part of the investigation will remain confidential and will be analyzed solely for the purpose of the investigation. While retaining confidentiality, the data may also be used for the purposes of threat intelligence gathering and trend analysis for the further enhancement of the OPP outreach program.

The local police are building the capacity and capability to investigate cyber crimes, including these complex cases. Unfortunately, cyber crimes still often go unreported. Cyber crimes must be reported so that the scope of the criminal activity is understood and properly investigated, and so that the victims receive the necessary supports.


Preventing ransomware attacks starts with awareness

Phishing and fraudulent emails remain a prominent way for attackers to access and compromise the security of organizations. Educating users on cyber security best practices is the first step in tackling ransomware.

Below are some DOs and DON’Ts of ransomware:

  • Do conduct internal phishing campaigns to educate staff on phishing dangers.
  • Do set a robust email security strategy, which can include tracking user clicks, enforcing isolated browsing, detonating malicious attachments in a sandbox prior to end-user delivery, and leveraging step-up authentication.
  • Do use complex passwords with lower and upper case letters, numbers and special characters, avoiding dictionary words.
  • Do have backups of data, preferably in an air-gapped state.
  • Do have a data restoration strategy, which should be tested at least annually.
  • Do patch systems regularly and, if possible, enable automatic software updates.
  • Do harden and secure systems by removing and closing unneeded services and ports. Always enforce multi-factor authentication for users, especially administrative accounts.
  • Do have well documented and tested incident plans for cyber incident response, business continuity and disaster recovery. Obtain cyber insurance and a cyber security incident response firm on retainer. Host a cyber security tabletop exercise at least yearly.
  • Don't use the same password for accounts and services. Having different passwords across accounts is the best practice to prevent credential stuffing attacks from attackers who have access to leaked credentials.
  • Don't automatically open email attachments or click on links. Email is one of the main methods for delivering ransomware.
  • Don't allow your backups to be overwritten with corrupt data. If you are the victim of a ransomware attack, check your backups before restoring them.
  • Don't speak to media or anyone else about the incident unless and until confirmed by your media relations lead. Information you provide may help attackers with their ransom demands, for example by giving them intelligence about your restoration efforts.

For cyber security educational materials and advice, contact cybersecurity@ontario.ca.


The Government of Ontario’s Cyber Security Division developed this piece in collaboration with the Ontario Provincial Police to highlight the importance of reporting ransomware and to share prevention techniques using do’s and don’ts of ransomware.