Things to know about the dangers of ransomware attacks

  • Ransomware increasingly arrives through stealthy channels such as supply chain attacks, which abuse the trust between users and software providers and are hard to detect and prevent.
  • Recovering encrypted data is costly and uncertain: ransomware uses strong encryption, and even a successful decryption can leave data damaged or lost.
  • Victims risk being extorted again when the original vulnerability is left unpatched or the attacker leaves a backdoor, causing repeated financial and operational disruption.

Ransomware is a type of malware that uses technical means (typically encryption or locking) to deny the victim access to a system or the data on it (documents, emails, databases, source code, etc.) and then holds the victim to ransom: the victim must pay a demanded sum to regain control of the data. Any organization or individual can be the target of a ransomware attack.

Ransomware attack trends

More stealthy attack channels

Supply chain attacks take advantage of the trust between users and application providers. By exploiting oversights or loopholes in a software provider's normal distribution or update process, attackers hijack or tamper with legitimate software and so bypass the checks that traditional security products apply. This technique has recently appeared at several customer sites: application upgrade packages were infected upstream, entered the customer's network as a trusted update, and were then used to penetrate the rest of the network.

Difficult to deal with attacks by traditional methods

Despite improved security awareness in enterprises and the deployment of network security devices, ransomware attacks remain a significant threat. They are stealthy, fast, and spread over multiple channels, which defeats traditional protection methods. Signature-based comparison cannot keep pace with the rate at which ransomware penetrates networks; advanced threat detection products lack multi-dimensional, all-around protection; and endpoint protection signature libraries cannot track the rapid evolution of ransomware variants.


Low possibility but high cost of encrypted data recovery

When an organization is hit, the ransom behaviour and the encryption or locking method sometimes identify the group responsible, and for the small number of families whose encryption has been broken or whose keys have been published, public decryptors can support recovery. In most cases, however, ransomware uses strong encryption, so the chance of recovering the data without the attacker's key is extremely low, and even a successful decryption may leave data damaged or lost.

Risk of secondary ransom

Some victims are attacked again and again. This is linked to how well ransomware disguises and hides itself. On one hand, victims fail to completely remove the malicious programs or fix the system vulnerabilities after the first attack, so attackers can exploit the same known weaknesses to strike again; on the other hand, some attackers deliberately leave a backdoor so they can activate it and attack again later.


Characteristics of ransomware attacks

Ransomware virus with rapid iteration and numerous variants

As the network security environment changes and technology develops rapidly, ransomware keeps evolving and shows more advanced and complex attack characteristics. The number of variants keeps growing, and a defence built purely on sample comparison cannot keep up with the speed of change. As of March 2024, the Venut Anti-Ransom expert team has collected more than 100,000 samples, 1,600 of which were added in 2023 alone.
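The two passages above (traditional signature comparison falling behind, and variant counts growing faster than sample libraries) come down to one mechanism, shown here as an added example that is not part of the original article: an exact-hash signature misses a variant that differs from a known sample by a single bit, while the behaviour ransomware cannot avoid, a burst of near-random file rewrites followed by a ransom note, still stands out. The sample bytes, the file events, the entropy threshold of 7.0 bits per byte and the window of ten seconds are all constructed assumptions for illustration.

```python
"""Signature matching versus behavioural detection of ransomware activity.
Added example with constructed samples and events; not code from the article."""
import hashlib
import math
from collections import defaultdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# 1. Signature matching: a constructed "known bad" sample and a one-bit variant.
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"locker-build-1" + b"\x00" * 48
VARIANT_SAMPLE = ORIGINAL_SAMPLE[:-1] + bytes([ORIGINAL_SAMPLE[-1] ^ 0x01])
KNOWN_BAD_HASHES = {sha256(ORIGINAL_SAMPLE)}


def signature_hit(sample: bytes) -> bool:
    """Exact-hash lookup, the core of feature-library comparison."""
    return sha256(sample) in KNOWN_BAD_HASHES


# 2. Behavioural detection over file-system events.
def pseudo_random(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(seed.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]


def detect_encryption_burst(events, window_s=10.0, min_files=5, min_entropy=7.0):
    """events: iterable of (timestamp, pid, op, path, data).
    Flags a process that writes >= min_files near-random files within
    window_s seconds, or that drops a file named like a ransom note.
    Returns {pid: [reasons]} for flagged processes only."""
    alerts = defaultdict(list)
    recent = defaultdict(list)  # pid -> timestamps of recent high-entropy writes
    for ts, pid, op, path, data in sorted(events, key=lambda e: e[0]):
        if op != "write":
            continue
        name = path.rsplit("/", 1)[-1].lower()
        if entropy(data) >= min_entropy:
            hist = recent[pid]
            hist.append(ts)
            hist[:] = [t for t in hist if ts - t <= window_s]
            if len(hist) >= min_files and "high-entropy write burst" not in alerts[pid]:
                alerts[pid].append("high-entropy write burst")
        elif "decrypt" in name or "restore" in name:
            if "ransom note dropped" not in alerts[pid]:
                alerts[pid].append("ransom note dropped")
    return {pid: reasons for pid, reasons in alerts.items() if reasons}


# Constructed events: pid 100 saves notes over a minute; pid 200 overwrites
# eight documents with random bytes in three seconds and then drops a note.
EVENTS = [(i * 12.0, 100, "write", f"/home/alice/notes{i}.txt", b"meeting notes " * 40)
          for i in range(6)]
EVENTS += [(100.0 + i * 0.4, 200, "write", f"/home/alice/docs/file{i}.docx.locked", pseudo_random(i))
           for i in range(8)]
EVENTS.append((104.0, 200, "write", "/home/alice/docs/HOW_TO_DECRYPT.txt",
               b"Your files are encrypted. Pay to get them back."))


def run_demo() -> dict:
    return {
        "signature_original": signature_hit(ORIGINAL_SAMPLE),
        "signature_variant": signature_hit(VARIANT_SAMPLE),
        "alerts": detect_encryption_burst(EVENTS),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hash check is the cheap, precise control and still belongs in the stack; the point is that it only ever catches what has already been seen, whereas the entropy-plus-burst rule catches the variant the moment it starts doing what ransomware does. In production the thresholds must be tuned against legitimate bulk writers (backup agents, compilers, archive tools), which is exactly the "multi-dimensional" judgement the article says single-signature products lack.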

Formed ransomware industry

Ransomware attacks have become an industry with a systematic pattern: breaking into systems, encrypting files, and extorting a ransom. Technological advances made this possible. As digital transformation accelerates, more and more enterprises and individuals move their data and business online, so the potential attack surface keeps expanding. Some attackers have lowered the bar further by offering ransomware-as-a-service (RaaS), and ransomware attacks are quickly reaching scale.

Use of counter-protections

Targeting lucrative victims, attackers readily take the risk of using counter-protection tactics. While providing anti-ransom services to one customer, the team found that the attacker had got in through a social engineering attack, gained remote access over Remote Desktop Protocol (RDP) and a Virtual Private Network (VPN), uninstalled the antivirus client on the endpoint or killed its process, taken over the endpoint, and then moved laterally into other network environments.

Various ways of spreading

Ransomware spreads widely through email, trojanized programs, and drive-by downloads from compromised web pages. Most network users have weak security awareness: they run only basic protection software on their Internet-facing endpoints, install unvetted software at will, click unidentified links in emails and visit unsafe web pages, and unknowingly become spreaders of ransomware.

How to defend against ransomware?

Network side defence

The key to defending against ransomware is prevention: intercepting the attack before it enters the organization and does real damage. The best way is a multi-layered defence built around firewalls, so that an attacker who breaks through one layer cannot simply drive on through the rest. A strict security policy is the simplest and most effective control: expose only essential services to the outside world and block high-risk ports (for example SMB and RDP from the Internet) to reduce the attack surface. Blocking known threats also raises the attacker's cost, because continuing would require new ransomware or a new vulnerability, and attackers frequently give up instead. File filtering keeps high-risk file types out of the network, and URL filtering that blocks malicious websites prevents users from inadvertently downloading malware.
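The file-filtering step above is where an edge gateway most often gets it wrong, so here is an added example of the check done properly; it is not code from the article or from any product it mentions. The decision is made from the file name and the leading bytes (magic number) together, never from the extension alone, and it looks inside ZIP containers because macro-enabled Office files and "delivery.zip" lures are archives. The extension list, the magic-number table, the sample file names and their bytes are all constructed assumptions for illustration, not a complete policy.

```python
"""Attachment pre-filter of the kind a mail or web gateway applies at the
network edge. Added example with constructed samples; not code from the article."""
import io
import zipfile

# Extensions Windows will execute, or that launch a script, when double-clicked.
EXEC_EXTS = {"exe", "scr", "com", "pif", "cpl", "msi", "bat", "cmd", "ps1",
             "js", "jse", "vbs", "vbe", "wsf", "hta", "lnk", "iso", "img", "vhd"}
MACRO_ENTRY = "vbaproject.bin"  # present inside macro-enabled Office files

MAGIC = {
    b"MZ": "pe",            # Windows executable or DLL
    b"\x7fELF": "elf",      # Linux executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # ZIP archive, also docx/docm/xlsm containers
}


def sniff(data: bytes) -> str:
    """Identify the content type from its magic bytes, ignoring the name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def inspect_zip(data: bytes) -> list:
    """Look inside an archive: executables, VBA macros and encrypted entries
    (which the gateway cannot scan) are all reasons to block."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                if info.flag_bits & 0x1:
                    reasons.append(f"encrypted entry {name} cannot be scanned")
                if name.rsplit(".", 1)[-1] in EXEC_EXTS:
                    reasons.append(f"executable inside archive: {name}")
                if name.rsplit("/", 1)[-1] == MACRO_ENTRY:
                    reasons.append("Office document carries VBA macros")
    except zipfile.BadZipFile:
        reasons.append("malformed ZIP container")
    return reasons


def classify(filename: str, data: bytes) -> tuple:
    """Return ("block" | "allow", [reasons])."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    reasons = []
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension .{ext}")
        if len(parts) > 2:  # invoice.pdf.exe
            reasons.append("double extension hides true type")
    if kind in ("pe", "elf"):
        reasons.append(f"{kind} executable by magic bytes")
    if ext == "pdf" and kind != "pdf":
        reasons.append("extension claims PDF but content does not")
    if kind == "zip":
        reasons.extend(inspect_zip(data))
    return ("block" if reasons else "allow"), reasons


def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: names as the user sees them, bytes as the gateway sees them.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n% constructed sample\n",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,        # renamed executable
    "photos.zip": make_zip({"holiday.jpg": b"\xff\xd8\xff"}),
    "delivery.zip": make_zip({"tracking.js": b"new ActiveXObject('WScript.Shell')"}),
    "quote.docm": make_zip({"[Content_Types].xml": b"<Types/>",
                            "word/vbaProject.bin": b"\xd0\xcf"}),
}


def run_samples() -> dict:
    return {name: classify(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        decision, why = classify(name, data)
        print(f"{decision:5} {name:16} {'; '.join(why)}")
```

Two of the six samples would pass an extension-only filter ("report.pdf" is an executable with a renamed extension, and "quote.docm" is a legitimate-looking document whose container carries macros); the magic-number and archive checks are what catch them. A malformed or encrypted archive is blocked rather than allowed, because a file the gateway cannot inspect has not been checked at all.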

Host-side defence

First, configure hosts centrally through organization-level IT infrastructure. Group policy on Active Directory servers and the management console of enterprise antivirus software ensure that security measures are applied everywhere without relying on individual employees to carry them out.

Second, information security education for employees matters. Many ransomware campaigns use email and social engineering to lure employees into downloading malware or visiting malicious URLs; an employee who does not act on the lure never triggers the attack vector it carries. Training staff in good office habits and in recognizing typical attack tactics is an effective means of avoiding ransomware attacks.

Crystal Feng

Crystal Feng is an intern news reporter at Blue Tech Wave dedicated in tech trends. She is studying Chinese-English translation at Beijing International Studies University. Send tips to c.feng@btw.media.
