According to Verizon's Data Breach Report, ransomware is one of the most frequent forms of malware attack, second only to C2 (command and control) attacks. The report also found that most malware and ransomware attacks are delivered through email.
So, how can we prevent users from clicking on malicious links or downloading malicious files? Unfortunately, we can't. By nature, people will always find a way to do something if they want to.
So, when it comes to preventing ransomware, a different approach is needed.
What is Ransomware?
First, let's understand what ransomware is. Ransomware is a type of malware that works by encrypting the victim's data. The attacker then holds the data hostage and demands that the victim pay a ransom before the data is released.
The first ransomware attack took place in 1989 and was distributed on a floppy disk. The attacker demanded $189 in ransom.
Ransomware is a multi-stage attack that attackers package in various ways, but the basic concept is much the same: infiltrate the target's network, encrypt as much data as possible, and then hold that data for ransom.
Once the attacker has control of the data, they send the victim a ransom note. The note usually states a dollar figure, with payment demanded in Bitcoin to avoid leaving a trace. The attacker includes a Bitcoin payment link in the note and urges the victim to pay through that link before the data will be released.
It's worth noting that cryptocurrency has made ransomware one of the most lucrative criminal activities online. While the profitability of this crime is difficult to quantify, the frequency of attacks indicates that criminals see the upside and continue to rely on ransomware.
Recently, attackers have added the threat of data exposure to their extortion schemes. Ransomware not only encrypts the data; it can also exfiltrate that data back to the attackers, who then coerce the victim into paying by threatening to release it to the public.
When dealing with a ransomware attack, you have two options: pay the ransom and hope the attacker releases the decryption keys, or remove the malware infection and recover the data without paying a hefty sum.
It's worth noting that attackers generally don't deliver the decryption keys even after receiving the ransom.
This is why recovery from the ransomware incident in Baltimore cost the city so much money and time. Baltimore didn't pay, and its IT staff had to manually restore as much data as they could and rebuild their machines.
Recovery efforts must also account for the threat of the stolen data being released.
So how do you prevent the attacker from releasing the data that was stolen? Unfortunately, you can't. This is why prevention and protection against ransomware are extremely important.