Since the first ransomware incident more than 30 years ago, attackers have continuously modified their techniques. They have devised different ways to access computer systems, prevent users from accessing critical data, and drive organizations to pay ransoms. Today attackers continue to adopt new technologies that can enhance their odds of success and allow them to extract larger sums without being caught.
Given the potential for large paydays, cybercriminals are unlikely to stop attacking healthcare organizations and other businesses anytime soon. But your organization can prevent large-scale attacks and minimize the damage. Understanding the different types of ransomware used by attackers will be critical for helping your organization build a defensive strategy.
Even as cybercriminals develop new forms of ransomware and employ various modes of infecting systems, there are a few common threads present in most attacks.
Ransomware is malicious software (or “malware”) that encrypts sensitive files or otherwise locks authorized users out of critical systems. Attackers demand a ransom in exchange for a decryption key or restored access. Increasingly, attackers also steal data before encrypting it and threaten to publish or sell it unless they are paid (a variant sometimes called “leakware” or double extortion), or threaten to attack partner organizations.
In the past few decades, the focus of many ransomware attacks has shifted from individual users to businesses. Previously, attackers often played a volume game: They would attempt to infect many individual users and extract relatively small sums from each. Today, there are many more “big game hunters,” targeting fewer organizations with highly sensitive or mission-critical systems. The goal is often to create massive disruptions that compel organizations to pay multi-million-dollar ransoms.
Ransomware can have a tremendous impact on healthcare organizations as well as their customers or patients. Healthcare organizations often face serious financial consequences. In addition to paying a ransom, they might need to bear the costs of forensic investigations, data recovery, regulatory fines, and lawsuits. Providers might also lose revenue from service disruptions.
Individuals can suffer health consequences. They might be unable to contact providers, fill prescriptions, have procedures, or receive emergency care. Developing an effective strategy to combat ransomware, then, is crucial.
How can you tell one type of ransomware from another? The first distinction involves the method used to prevent authorized users from accessing resources.
There are two basic types of ransomware that frequently affect businesses, including healthcare organizations. Crypto ransomware encrypts data (such as patient or customer records), leaving it unreadable without the correct decryption key. Locker ransomware locks users out of their systems entirely, though it generally leaves files and folders untouched. Users might see a lock screen that shows the ransom demand, sometimes accompanied by a countdown clock.
Most crypto ransomware attacks follow a general pattern: the ransomware encrypts the data, leaving it inaccessible to authorized users. Variants differ in the details, such as which file types they target, how they generate and protect the encryption keys, and whether they delete backups and shadow copies before encrypting.
Most ransomware attacks begin with phishing. Attackers attempt to trick individuals into clicking on a link within an email or text message, which takes them to a spoofed website. If they enter login credentials, attackers can steal those credentials and use them to access the network themselves. In some cases, emails include attachments: Those attachments might be malware executables disguised as legitimate files. Once the attachment is opened, the ransomware infects the computer.
In addition to phishing, some attackers target exposed Remote Desktop Protocol (RDP) services, logging in with weak, brute-forced, or stolen credentials or exploiting unpatched vulnerabilities, or they conduct other network intrusions to gain access. Attackers might also employ “drive-by downloads,” in which individuals unknowingly download malicious software simply by visiting a compromised or malicious website.
Once ransomware has infected a single system, the software either self-propagates across a network or is directed by an attacker to particularly valuable data and systems. The attack can infect multiple systems along the way—including desktops, laptops, mobile devices, servers, and storage environments.
Cybercriminals have created numerous ransomware strains over the past two decades. Some of the best-known strains have included CryptoLocker, WannaCry, and Locky.
CryptoLocker first gained attention in 2013. With this strain, attackers used email attachments to infect computers. Individuals might receive a compressed ZIP file that contains an executable. Once the executable runs, the ransomware contacts an attacker-controlled server to obtain an encryption key and then encrypts files on the local drive as well as on mapped network drives.
In 2017, WannaCry was used in a large-scale attack that infected more than 200,000 computers around the world, spreading as a worm through an unpatched Windows SMB vulnerability. FedEx, Honda, and Nissan were affected, as was the UK National Health Service. A security researcher halted its spread within hours by registering a domain the malware checked as a kill switch, but that did nothing for machines that were already encrypted, and paying the ransom gave victims no reliable way to recover their files.
Locky began infecting healthcare organizations in the United States, New Zealand, and Germany in 2016. Attacks began with spam emails carrying either Microsoft Office documents with malicious macros or compressed files with malicious scripts. The macros and scripts tricked users into enabling content or running the script, which then downloaded the ransomware. Locky encrypted a wide range of file types, including source code and engineering files, on local and network drives.
Ransomware-as-a-Service (RaaS) offerings enable attackers to launch attacks without having to code the ransomware themselves. Developers create the ransomware and the non-technical attackers (sometimes called “affiliates”) use the ransomware for attacks. The attackers might pay a monthly subscription, a one-time fee, or use an affiliate or profit-sharing model, in which attackers pay developers a percentage of the ransoms they extract from victims.
The RaaS model has played a key role in the proliferation of ransomware attacks. A relatively small number of developer gangs can provide their malicious code to a large number of attackers. And because developers can focus on creating and modifying code, they can continuously feed attackers new tools that exploit newly disclosed vulnerabilities and evade current defenses.
Several recent ransomware strains were RaaS offerings. For example, DarkSide, which was linked to the 2021 attack on Colonial Pipeline (a fuel pipeline serving the US East Coast), was a RaaS offering. REvil was the name of a RaaS gang that claimed to earn more than $100 million in one year. LockBit, which encrypts files on victim systems, has been run as a RaaS program since 2019. WannaCry and Ryuk, by contrast, are generally attributed to single operator groups rather than to affiliate programs.
“Opportunistic” ransomware attacks are designed to infect any and all organizations whose employees are tricked into clicking on a link in a phishing email or downloading a malicious script disguised as an attachment. By contrast, “targeted” ransomware attacks are focused on particular organizations—usually organizations with known vulnerabilities or those likely to pay high ransoms. There has been an uptick in targeted attacks over the past decade.
First appearing in 2018, Ryuk is a family of ransomware that has been responsible for attacks on large organizations, including healthcare organizations, in which attackers make multi-million-dollar demands. Ryuk kills processes and services that could interfere with encryption, encrypts data, and deletes Volume Shadow Copies and disables Windows recovery options, preventing organizations from rolling systems back to a previous, clean state.
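The recovery-tampering step described above leaves a distinctive trace in process-creation telemetry. The following is an added example, not code from this page or from any vendor product: a small Python detector that scans constructed process-creation records (a simplified, hypothetical layout standing in for Sysmon Event ID 1 or Windows Security Event 4688) for the shadow-copy and boot-configuration commands ransomware runs before encrypting, and raises the severity when one host shows several of them in sequence. The hostnames, user names and command lines in the sample are all constructed.

```python
"""Flag process-creation events that disable Windows recovery features.

Added example; this is not code from the page or from any vendor product.
The log lines are constructed to resemble a simplified process-creation
record; Sysmon Event ID 1 and Windows Security Event 4688 carry the same
fields (host, user, parent process, image, command line) in richer form.
"""
import re
from collections import defaultdict

# Command lines ransomware families such as Ryuk run before encrypting, so
# that Volume Shadow Copies and Windows recovery cannot undo the damage.
RECOVERY_TAMPER_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin shrink shadow storage",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no"
                r"|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("WMI Win32_ShadowCopy removal",
     re.compile(r"Win32_ShadowCopy.*\b(Remove-WmiObject|Delete\(\))", re.I)),
]

# Constructed, simplified record layout (hypothetical, not a real log format).
RECORD_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmd>[^"]*)"$'
)

# Constructed sample telemetry: one workstation running a Ryuk-style
# pre-encryption sequence, one file server with a PowerShell variant, and
# benign noise (a backup service listing shadows, a user opening Notepad).
SAMPLE_LOG = """
2024-03-01T02:14:07Z host=WS-17 user=CORP\\jdoe parent=cmd.exe image=vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2024-03-01T02:14:09Z host=WS-17 user=CORP\\jdoe parent=cmd.exe image=wmic.exe cmdline="wmic shadowcopy delete"
2024-03-01T02:14:11Z host=WS-17 user=CORP\\jdoe parent=cmd.exe image=bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"
2024-03-01T02:14:12Z host=WS-17 user=CORP\\jdoe parent=cmd.exe image=bcdedit.exe cmdline="bcdedit /set {default} bootstatuspolicy ignoreallfailures"
2024-03-01T09:30:44Z host=SRV-BK01 user=CORP\\backupsvc parent=services.exe image=vssadmin.exe cmdline="vssadmin list shadows"
2024-03-01T10:02:19Z host=WS-03 user=CORP\\asmith parent=explorer.exe image=notepad.exe cmdline="notepad.exe C:\\Users\\asmith\\notes.txt"
2024-03-01T11:45:02Z host=SRV-FS02 user=CORP\\admin parent=powershell.exe image=powershell.exe cmdline="powershell -c Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"
"""


def parse(line):
    """Return the record fields as a dict, or None for lines that do not parse."""
    m = RECORD_RE.match(line)
    return m.groupdict() if m else None


def matching_rules(cmdline):
    """Labels of every tamper pattern that the command line matches."""
    return [label for label, rx in RECOVERY_TAMPER_PATTERNS if rx.search(cmdline)]


def detect(lines):
    """One alert per (event, matching rule) pair; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        for label in matching_rules(ev["cmd"]):
            alerts.append({**ev, "rule": label})
    return alerts


def severity_by_host(alerts):
    """'high' when a host shows two or more distinct tamper techniques, which
    is characteristic of a scripted pre-encryption sequence rather than an
    administrator running a single command."""
    rules = defaultdict(set)
    for a in alerts:
        rules[a["host"]].add(a["rule"])
    return {host: ("high" if len(r) >= 2 else "medium") for host, r in rules.items()}


def run_sample():
    alerts = detect(SAMPLE_LOG.strip().splitlines())
    return alerts, severity_by_host(alerts)


if __name__ == "__main__":
    alerts, severity = run_sample()
    for a in alerts:
        print(f"{a['ts']} {a['host']} {a['user']} [{a['rule']}] {a['cmd']}")
    print(severity)
```

Tune the pattern list to your environment; backup agents legitimately call vssadmin and wmic, so the per-host combination of techniques, the parent process and the account are what separate a scripted pre-encryption sequence from maintenance.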
SamSam ransomware, which appeared in late 2015 or early 2016, has mainly targeted healthcare organizations and local government agencies in the United States. Instead of using phishing, SamSam operators break in through unpatched, internet-facing servers (early campaigns exploited vulnerable JBoss application servers) and by brute-forcing RDP credentials. The attackers typically maintain a foothold and move through the network for some time before encrypting files.
Dharma is a type of ransomware that attackers install manually after gaining access to IT environments over exposed RDP, typically with brute-forced or purchased credentials. Because the attacker has an interactive session, they can browse the files before encrypting them, which can lead to data theft as well. Dharma has frequently been used against small and medium-sized businesses, whose defenses might be less robust than those of larger enterprises.
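SamSam and Dharma both rely on guessing RDP passwords from the internet, which shows up as a burst of Windows Security failed-logon events (Event ID 4625) with logon type 10, followed, when it works, by a successful logon (4624) from the same source. The following is an added example, not code from this page or from any product: a Python detector over a constructed, flattened rendering of those events that flags a source IP exceeding a failure threshold inside a sliding window, distinguishes brute force against one account from password spraying across many, and reports whether a successful RDP logon from that source followed the burst. All addresses, account names, timestamps and thresholds are constructed assumptions.

```python
"""Spot RDP password guessing in Windows logon events.

Added example; not code from the page or from any SIEM product. Input
lines are a constructed, flattened rendering of Windows Security events
4625 (failed logon) and 4624 (successful logon). Logon type 10 is
RemoteInteractive, i.e. an RDP session; other logon types are ignored.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failures from one source inside WINDOW
WINDOW = timedelta(minutes=5)  # sliding window; both values are assumptions
RDP_LOGON_TYPE = "10"

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<id>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"TargetUser=(?P<user>\S+)\s+SourceIP=(?P<ip>\S+)"
)

# Constructed sample: a brute force that succeeds, a password spray that
# does not, a user mistyping a password twice, and one non-RDP failure.
SAMPLE_EVENTS = """
2024-03-02T03:11:00Z EventID=4625 LogonType=3 TargetUser=administrator SourceIP=203.0.113.45 Status=0xC000006D
2024-03-02T03:12:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45 Status=0xC000006D
2024-03-02T03:12:03Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45 Status=0xC000006D
2024-03-02T03:12:05Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45 Status=0xC000006D
2024-03-02T03:12:08Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45 Status=0xC000006D
2024-03-02T03:12:10Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45 Status=0xC000006D
2024-03-02T03:12:12Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45 Status=0xC000006D
2024-03-02T03:12:15Z EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2024-03-02T03:20:00Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.7 Status=0xC000006D
2024-03-02T03:20:30Z EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.7 Status=0xC000006D
2024-03-02T03:21:00Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=198.51.100.7 Status=0xC000006D
2024-03-02T03:21:30Z EventID=4625 LogonType=10 TargetUser=svc_sql SourceIP=198.51.100.7 Status=0xC000006D
2024-03-02T03:22:00Z EventID=4625 LogonType=10 TargetUser=helpdesk SourceIP=198.51.100.7 Status=0xC000006D
2024-03-02T08:01:00Z EventID=4625 LogonType=10 TargetUser=asmith SourceIP=192.0.2.10 Status=0xC000006A
2024-03-02T08:01:20Z EventID=4625 LogonType=10 TargetUser=asmith SourceIP=192.0.2.10 Status=0xC000006A
2024-03-02T08:01:40Z EventID=4624 LogonType=10 TargetUser=asmith SourceIP=192.0.2.10
"""


def parse(line):
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def densest_window(times):
    """Most events inside any WINDOW-long span of the sorted timestamp list,
    returned as (count, first_index, last_index)."""
    best, start = (0, 0, 0), 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        if end - start + 1 > best[0]:
            best = (end - start + 1, start, end)
    return best


def detect_rdp_bruteforce(lines):
    fails = defaultdict(list)      # ip -> [(ts, user)]
    successes = defaultdict(list)  # ip -> [(ts, user)]
    for line in lines:
        ev = parse(line)
        if ev is None or ev["lt"] != RDP_LOGON_TYPE:
            continue
        bucket = {"4625": fails, "4624": successes}.get(ev["id"])
        if bucket is not None:
            bucket[ev["ip"]].append((ev["ts"], ev["user"]))
    alerts = []
    for ip, attempts in fails.items():
        attempts.sort()
        count, s, e = densest_window([t for t, _ in attempts])
        if count < FAIL_THRESHOLD:
            continue
        burst = attempts[s:e + 1]
        users = {u for _, u in burst}
        # A successful RDP logon from the same source after the burst is the
        # signal that matters: the guessing worked and the attacker is in.
        later = [u for t, u in successes.get(ip, []) if t >= burst[-1][0]]
        alerts.append({
            "ip": ip,
            "failures": count,
            "distinct_users": len(users),
            "kind": "password spray" if len(users) > 1 else "brute force",
            "success_after_burst": later[0] if later else None,
        })
    return alerts


def run_sample():
    return detect_rdp_bruteforce(SAMPLE_EVENTS.strip().splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

A burst followed by a success is the case to treat as an active intrusion rather than a noisy scanner. Exposed RDP is attacked continuously, so the stronger fix is to keep RDP off the internet behind a VPN with MFA and keep this detection as the backstop.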
Early ransomware demanded payment through prepaid vouchers and wire services, but since CryptoLocker popularized Bitcoin payments in 2013, most ransom demands have been in cryptocurrency. In fact, the growth of ransomware is partly related to attackers' ability to collect ransom in cryptocurrency.
Cryptocurrency provides a key advantage over other forms of payment for ransomware attacks: payments are pseudonymous. Unlike with bank transfers, no institution verifies who controls the receiving address, so law enforcement cannot easily tie a payment to a person, especially when the recipients operate in distant countries; privacy-focused coins and mixing services make this harder still. Tracking down everyone involved is even more difficult when attackers are working with RaaS gangs, since the ransom is split among developers and affiliates.
Cryptocurrency is also fast. Criminals can receive huge ransom payments from anywhere in the world within minutes, with no bank in a position to block or reverse the transfer.
Initiatives to ban or more tightly regulate cryptocurrency have not yet been successful. Banning a decentralized technology isn’t likely to succeed since attackers could always operate outside of banned areas. While cryptocurrency is already regulated to some degree in the United States, regulating exchanges outside of the United States would require multi-national cooperation.
In the meantime, law enforcement agencies have at least one means of tracking criminals: when transactions use public blockchains, every transfer is permanently recorded, so agencies stand a chance of following the funds and seizing them when they reach a wallet or exchange they can access. The Colonial Pipeline ransom was paid in Bitcoin, and the FBI recovered 63.7 of the roughly 75 bitcoin paid.
It might not be surprising that with the explosion of mobile device use across the globe, attackers have focused some of their energy on attacking these devices. Beyond inconveniencing individual users, mobile ransomware attacks can develop into larger-scale enterprise incidents.
The rise in hybrid and remote work has led more people to use smartphones and tablets for their jobs. These enterprise-connected devices could provide attackers with avenues for infiltrating company networks. Mobile devices are particularly vulnerable because they might lack the robust cybersecurity capabilities used on desktops and laptops. Moreover, when employees are allowed to use personally owned devices, they might not update and patch software as often as they should.
Svpeng, which appeared in 2013, targeted Android devices. Though it was initially meant to steal credit card information from individuals using SMS-based banking, the ransomware was subsequently used to lock individuals out of phones. Later iterations used keylogging to capture banking credentials as users entered them into their devices.
LockerPIN, which appeared in 2015, also targeted Android devices. It reset a device’s PIN to a random code, locking users out of the device. The attackers demanded a ransom—but even victims who paid were unable to unlock their phone since the attackers themselves didn’t know the new code. Users had to perform a factory reset to regain control of the device.
One of the most important preventive measures is to keep software on mobile devices updated. Mobile operating system vendors are continuously searching for new threats and patching potential vulnerabilities in their software. Deploying updates can help thwart the latest threats.
Users should also consider employing mobile security capabilities—including capabilities offered by device and operating systems vendors as well as by third parties. Employer-managed devices will often implement multiple levels of protection against cyber threats.
Finally, users should download and install apps only from reputable app stores—namely, Google Play and the Apple App Store. Though risks aren’t eliminated, they are greatly diminished when users download apps from these stores.
There are several best practices that can help your organization prevent damaging, large-scale ransomware attacks.
One of the most effective ways to defuse attackers' schemes is to back up critical data and develop a data recovery plan. If you maintain a complete, up-to-date copy of data in an environment beyond attackers' reach (offline, or in immutable storage that cannot be altered or deleted with the credentials an intruder on your network would hold), you reduce the need to pay ransom. Test restores regularly: a backup that has never been restored is an assumption, not a plan. In the event of an attack, you can restore clean data to rebuilt, uninfected systems and resume normal operations.
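A backup that ransomware can reach is only useful if you can tell it has been tampered with before you restore from it. The following is an added example, not code from this page or from any backup product: a Python script that records a SHA-256 digest of every file in a backup set, seals the manifest with an HMAC key assumed to be kept away from the backup host, and classifies what changed when the check is run again. The demo builds a constructed sample tree in a temporary directory, simulates ransomware encrypting and renaming one file and dropping a ransom note over another, and shows that a manifest altered to cover the tracks is rejected. File names, contents and the key are all constructed.

```python
"""Hash-manifest integrity check for a backup set.

Added example; not code from the page or from any backup product. The
idea: record a SHA-256 digest of every file when the backup is taken,
authenticate the manifest with an HMAC key that lives somewhere the
backup host cannot write to, and verify before trusting a restore. The
sample tree, its contents and the key are constructed in a temp directory.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's root-relative POSIX path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: dict, key: bytes) -> bytes:
    """Deterministic JSON plus an HMAC tag, so whoever can rewrite the backup
    cannot also rewrite the manifest to match."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_manifest(sealed: bytes, key: bytes) -> dict:
    body, _, tag = sealed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest HMAC mismatch: tampered manifest or wrong key")
    return json.loads(body)


def verify_backup(root: Path, manifest: dict) -> dict:
    """Classify every difference between the manifest and what is on disk.
    Encrypted-and-renamed files show up as missing plus added; files
    encrypted in place or replaced by ransom notes show up as modified."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "added": sorted(set(current) - set(manifest)),
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
    }


def demo() -> dict:
    """Back up a constructed tree, then simulate ransomware reaching the backup."""
    key = os.urandom(32)  # constructed here; in practice kept off the backup host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ehr").mkdir()
        (root / "ehr" / "patients.db").write_bytes(b"constructed sample record\n" * 200)
        (root / "ehr" / "schedule.csv").write_text("date,patient,room\n2024-03-01,constructed,12\n")
        (root / "README.txt").write_text("constructed backup set\n")
        sealed = seal_manifest(build_manifest(root), key)

        clean = verify_backup(root, open_manifest(sealed, key))

        # Crypto ransomware that can reach the backup share: one file is
        # overwritten with ciphertext and renamed, one replaced by a ransom note.
        db = root / "ehr" / "patients.db"
        db.write_bytes(os.urandom(db.stat().st_size))
        db.rename(db.with_name(db.name + ".locked"))
        (root / "README.txt").write_text("YOUR FILES ARE ENCRYPTED\n")
        tampered = verify_backup(root, open_manifest(sealed, key))

        # Flipping any byte of the sealed manifest must be rejected before
        # its contents are even parsed.
        forged = bytearray(sealed)
        forged[5] ^= 0x01
        try:
            open_manifest(bytes(forged), key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True

    return {"clean": clean, "tampered": tampered, "forged_manifest_rejected": forged_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the check from a host that holds the key but cannot write to the backup storage, and pair it with immutable or offline copies: the manifest tells you a copy is bad, it cannot make it good.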
Attackers will often try to exploit vulnerabilities in operating systems and applications. Make sure you deploy the latest updates and patches as soon as possible. Ensuring you reach all systems is key. It might take only one unpatched system to provide an entry point for attackers.
There are numerous cybersecurity tools that help you halt attacks and minimize damage. For example, email security solutions can identify spam and likely phishing attempts. Antivirus and endpoint detection and response (EDR) tools can spot ransomware behavior and block it from spreading. Multi-factor authentication (MFA) can stop attackers from logging in, particularly over RDP and VPN, even when they have stolen usernames and passwords. Firewalls and network segmentation limit how far malware can move between systems, and network monitoring tools can identify unusual behaviors such as mass file modification or connections to unknown servers.
Several policy changes can also reduce the likelihood of successful attacks. Requiring unique, robust passwords reduces the success rate of brute-force and password-spraying attacks, in which attackers automatically try large numbers of guesses. And implementing role-based access policies based on the principle of least privilege can keep attackers from penetrating deep into networks, even with stolen credentials.
Cybercriminals will continue to modify techniques and adopt new technologies to improve their odds of success.
Ransomware has long been used in conjunction with other types of malware and tactics, and that trend is likely to continue. For example, some ransomware attacks use a Trojan model, in which users are tricked into downloading malware disguised as—or within—legitimate software. Several variants also operate as worms, self-propagating through an enterprise network.
Attackers are also likely to continue focusing on targeted attacks of critical infrastructure within enterprises. With each highly publicized successful attack, cybercriminals see new opportunities for large paydays by focusing on bigger, more profitable targets. And because attackers can easily access RaaS offerings, they can often employ new, novel variants, which might have a higher chance of success.
There is little doubt that artificial intelligence (AI) will play an increasingly important role in ransomware attacks. Attackers are already using generative AI to create more convincing phishing emails. In the future, RaaS developers could use AI to write better code, faster. AI-infused ransomware could also learn from efforts to block it, rapidly implementing evasive maneuvers.
Staying on top of the latest ransomware trends—and the newest approaches to combating it—can put a strain on internal resources. In many cases, organizations will benefit from working with external security experts or managed service providers to assess current risks, develop defensive strategies, and recover from attacks. These third parties can draw from deep threat intelligence and extensive experience working with other clients. They can employ new security capabilities to help your organization prevent attacks, mitigate damage, and comply with regulations—all while keeping internal resources focused on more strategic priorities.
Ready to strengthen your ransomware prevention strategy? Work with a team that combines deep cybersecurity skills and healthcare-industry expertise. Contact the experts at Cloudticity for a free consultation today.