

ransomware: Introducing features, attack methods


What is ransomware? Introducing features, attack methods and countermeasures in an easy-to-understand manner.

Many people will have seen the word "ransomware" in newspapers and on the news. This article provides basic information about, and countermeasures against, the cyber attacks using ransomware that threaten many companies.

One day, the company's data suddenly became inaccessible

Mr. A, who works for a major company, is working from home again today. He started his day by opening his laptop at home and checking a large number of emails.

At Mr. A's company, the IT department has thorough security measures in place, so he can work from home with peace of mind. As usual, he opened emails one after another, and while he was checking their contents and attachments, his boss called.
The boss sounded as if he was in a hurry. "I suddenly lost access to the company's data. I can't even use important transaction data. The IT department is investigating, but it seems that your PC is the source of the infection, by a virus called ransomware. Is that right?"

Mr. A checked in a hurry, and sure enough, he could not access the data... Then he remembered an email he had opened a few hours earlier.

"I received an email from someone I didn't know, but it said it was urgent, so I clicked on the attached file. I didn't notice anything unusual when I opened the file..."

In this way, ransomware spreads its infection through the work we do every day.

What is ransomware?

Ransomware is a coined word combining "ransom" and "software". It is malware (a computer virus) that makes files unusable, for example by encrypting them, and then demands money in exchange for restoring them.

The above case is fictitious, but there are many real cases in which ransomware infects a company in the same way and internal data becomes unusable. Cyber attacks on businesses using ransomware have been increasing in recent years.
Restoring files encrypted by ransomware is extremely difficult, and even if you pay the ransom demanded by the attacker, there is no guarantee that the files will be restored, so the damage can be severe. In addition to financial damage, it can also lead to the leakage of important information such as customer data, which can result in a loss of social credibility and even threaten business continuity.

Ransomware threatens companies in this way, and in recent years "RaaS (Ransomware as a Service)", a cloud service developed by criminal organizations to support ransomware attacks, has spread widely among cyber attackers. It is a set of tools that attackers need in order to use ransomware, and it greatly lowers the difficulty of a ransomware attack; the criminal organization collects license fees from its users (the attackers). The advent of RaaS has spurred an increase in ransomware attacks, and companies are required to strengthen their security measures further.

Ransomware damage and tricks

Ransomware is used in attacks that take encrypted information hostage and demand money, and since 2020 what is called the "exposure type" has been increasing. In exposure-type attacks, the attackers encrypt the information and then make two threats: (1) the information cannot be recovered unless the ransom is paid within a time limit, and (2) if the ransom is not paid, the stolen information will be published. This raises the risk to the victim of not paying, which puts greater financial pressure on the victim.

The rise of the exposure type has also changed the way ransomware is spread. In the past, ransomware was mainly "scattered" by sending emails in bulk, but in the exposure type the targets are narrowed down and the attacks become "targeted attacks", with the aim of demanding a higher ransom.

Ransomware infection route and attack procedure

Cyber attacks using ransomware are mainly carried out in the following four stages.

① Intrusion into the network

To plant ransomware, cyber attackers first break into the target company's network. Typical routes are phishing emails carrying malware (computer viruses) and vulnerabilities in network-connected devices such as VPN appliances.

② Build an attack base

Once inside the network, the attackers act to strengthen their foothold. Specifically, they install remote control tools on terminals connected to the network, download various hacking tools, acquire privileges within the network, and expand the scope of their activity.

③ Information theft

Having gained privileges within the network and access to its sensitive parts, the attackers finally move on to acquiring important information. They steal enough information to threaten the company and transfer it to their own servers or cloud storage. This step is indispensable to the "exposure type" that has become mainstream in recent years.

④ Run ransomware

Finally, the ransomware that has been planted in the target company's network is run to encrypt the information. After encrypting the information and rendering it unusable, the attackers threaten the company with a message such as "If you want to decrypt it, pay the ransom; if you do not pay, the information will be published". At this stage, so that the encryption by ransomware is not detected or hindered, the attacker may use the remote control tool to turn off the target company's virus detection software.
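As an added example (not code from the original article), the following Python script shows how a defender could spot stage ④, the encryption run, from file-write telemetry: one process rewriting many files with encrypted-looking (high-entropy) content within a short time window. The events, process names and paths are constructed for illustration; a real deployment would read them from an EDR or file-audit log.

```python
import math
from collections import defaultdict

# Constructed sample of file-write events (not taken from the article):
# (seconds since start, process name, path, first 64 bytes written).
# The first two writes are ordinary office documents; the rest are one
# process rewriting many files with encrypted-looking content.
OFFICE_HDR = b"PK\x03\x04" + b"\x00" * 60   # ZIP/OOXML-style header, low entropy
SCRAMBLED = bytes(range(64))                 # 64 distinct bytes: 6 bits/byte, stands in for ciphertext
EVENTS = [
    (0, "winword.exe", "C:/share/report.docx", OFFICE_HDR),
    (5, "excel.exe", "C:/share/q3.xlsx", OFFICE_HDR),
] + [(60 + i, "svc.exe", f"C:/share/file{i}.docx.locked", SCRAMBLED) for i in range(8)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or compressed data sits near the maximum."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_mass_encryption(events, window=60, min_files=5, min_entropy=5.0):
    """Map each process that wrote >= min_files high-entropy files within
    `window` seconds to the list of paths it rewrote (alert candidates)."""
    per_proc = defaultdict(list)
    for ts, proc, path, sample in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(sample) >= min_entropy:
            per_proc[proc].append((ts, path))
    alerts = {}
    for proc, writes in per_proc.items():
        start = 0
        for end in range(len(writes)):           # sliding time window over this process's writes
            while writes[end][0] - writes[start][0] > window:
                start += 1
            if end - start + 1 >= min_files:
                alerts[proc] = [p for _, p in writes]
                break
    return alerts


if __name__ == "__main__":
    for proc, paths in find_mass_encryption(EVENTS).items():
        print(f"ALERT: {proc} rewrote {len(paths)} files with encrypted-looking content")
```

The entropy check alone is noisy (compressed archives and images also score high), so the rule only fires when a single process produces a burst of such writes; combine it with the sudden extension changes and the disabling of the virus detection software described above to get a usable alert.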

Ransomware measures

Although ransomware threatens companies in this way, the risk of infection can be reduced by implementing the following measures.

① Security education for employees

Educating employees in basic security is paramount, not just against ransomware but against all information breaches. Set clear rules, such as not opening emails with suspicious attachments, not setting passwords that are easy to guess, and not using devices other than those specified by the company for work, and remind employees of them repeatedly.

② Response to vulnerabilities

Software and device vulnerabilities are discovered every day, and if left unaddressed they give cyber attackers an opening to exploit. Many manufacturers distribute update files that fix vulnerabilities in their products, so be sure to update to the latest version and apply the latest patches. It is also important to use the latest OS as far as possible, because an old OS may no longer be covered by the manufacturer's updates, leaving its vulnerabilities unresolved.

③ Regular backups

Once information has been encrypted by ransomware, it is very difficult to get it back. In case something goes wrong, back up your files regularly so that important information is not lost. However, if employees use private cloud storage or USB memory sticks for this without permission, the risk of information leakage increases, so it is important for the company to set rules.

④ Build an information incident management system

When suspicious activity is detected on the network or a terminal, it is extremely difficult for the person who found it, or a single member of the IT department, to handle everything. In particular, to counter serious threats such as ransomware, a management system for information incidents (security incidents and accidents) must be established in advance. It is necessary to decide who is responsible for receiving reports of suspicious activity, collecting and analyzing the damage situation, and contacting other companies. In addition, strong commitment from management is indispensable for building such a system.

Get to know ransomware and be prepared for threats

In this article we have introduced the features of ransomware, which poses a major threat to companies, and countermeasures against it. If you fall victim to a cyber attack using ransomware, not only will you lose money, but you will also be seen by others as a "company with poor security", which may lead to a decline in social credibility. To prevent such a situation, deepen your knowledge of ransomware and prevent damage before it happens.