There's no question ransomware has become a prolific threat. But how does it get onto a victim's computer in the first place?
According to a June 2016 survey by Osterman Research, nearly 50 percent of organizations have been hit with ransomware. As infection rates continue to rise, more and more attention and budget are being directed toward keeping machines clean and data safe.
To do that, organizations need to understand how ransomware works and what needs to happen in order for an infection to be successful. Let's break down what the infection process looks like, starting with the most common ways ransomware gets delivered and the steps you can take to reduce your risk.
How does ransomware infect a computer?
Ok, sure. We've heard the horror stories about employees finding USB flash drives in the parking lot and plugging them in. But by far, the two primary, most likely delivery channels for ransomware are email and compromised websites.
For cyber criminals, email serves as a direct line straight to the soft, chewy, vulnerable center of your network — your users. By sending emails disguised as legitimate messages the hope for ransomware authors is they can trick users into either opening an infected attachment or clicking a link that takes the user to an infected website.
It’s a tactic referred to as phishing (attackers try to catch users by luring them into taking the bait). Unfortunately, it can be highly effective — according to the Verizon 2016 Data Breach Investigation Report, phishing emails have an average open rate of 30% — and research shows ransomware is now the #1 type of malware that phishing delivers (by far).
Did you know? 9 out of 10 phishing emails sent in March 2016 carried a ransomware payload (PhishMe).
Source: PhishMe Q1 2016 Malware Review
So we're talking spam emails?
Not exactly. You may still get an obvious mass spam email from a “Nigerian prince” from time to time, but the truth is many of today’s phishing emails are surprisingly sophisticated.
For starters, they’re more likely to be targeted, with attackers actually taking the time to do a bit of research and craft emails that are personally relevant to their victims. Ex: Just a few minutes on LinkedIn can supply an attacker with a name of a business connection or colleague they can reference to make their email much more convincing.
This type of targeted phishing attack is referred to as spear phishing (because the attacker is singling out and going after a specific person or group). Case in point: our CEO recently received a spear phishing email that looked like it came from our lawyer. We wrote a blog post that shows what it looked like and shares the one crucial thing that saved him from getting phished.
How does a phishing email deliver ransomware?
Two primary ways:
- Infected attachments
- Links to infected websites
As things stand, simply opening a phishing email isn't enough to get a user infected with ransomware. Attackers still need the user to take one more step to get the malicious code onto the machine: either opening an infected attachment or clicking a link that takes them to an infected website.
We'll get into how the second option works when we talk about exploit kits a little further down the page. First, let's talk about how attackers hide ransomware in attachments.
What types of attachments does ransomware hide in?
The success of ransomware phishing attacks hinges on convincing the victim every aspect of the email is legitimate. An attacker can go to great lengths crafting a customized, relevant message and making it look like it's coming from a sender the victim knows and trusts, but if the attachment looks suspicious that can ruin the chance of the user taking the bait.
To avoid raising suspicion, attackers often hide ransomware in the types of attachments we expect to receive — some of the most common include MS Office docs (Word, Excel, and PowerPoint) and PDFs.
These documents can be disguised as anything from invoices and contracts to regulatory forms.
MS Office docs are a popular choice among ransomware authors because they can carry macros (VBA code embedded in the document) that run as soon as the document is opened with macros enabled, downloading and executing the ransomware without the user realizing it. Ex: The Locky ransomware family originally gained traction and notoriety in early 2016 with its use of malicious macros in Word documents.
The trick is that the document is deliberately made to look garbled or blank, with a banner telling the user to "Enable Content" (i.e. enable macros) in order to read it. Once macros are enabled, the code in the document downloads and executes the actual ransomware payload. The attachment itself usually contains no ransomware at all, just a downloader, which is part of why these documents get past attachment scanning.
Pro tip: If possible, adjust your users' Microsoft Office default settings so that macros are disabled. Note that Office's default, "Disable all macros with notification", still lets the user click Enable Content, which is exactly what the lure asks them to do; the stronger options are "Disable all macros without notification" or, on Office 2016, the Group Policy setting that blocks macros in files that came from the Internet. Microsoft has a support document that walks you through that process here.
How is delivery via compromised websites different from email?
The biggest difference is that with email, the burden is on the attacker to trick a user into actively opening a file or link. By using tools called exploit kits, however, criminals can infect visitors to a compromised website automatically, with no clicking required beyond loading the page.
How do exploit kits work?
Exploit kits are hosted on servers the attackers control. A compromised web page (or a malicious ad) is injected with a small redirect, typically a hidden iframe or script, that silently sends the visitor's browser to the kit's landing page. The landing page fingerprints the browser and its plugins and serves an exploit for a vulnerability the visitor is likely to have (ex: an outdated version of Adobe Flash Player). If the exploit succeeds, the kit downloads and runs the ransomware with no interaction from the user.
For a deeper dive, see our post "Understanding Exploit Kits: How They Work and How to Stop Them".
So avoid sketchy websites and we're good to go?
Again, not exactly. Another way for criminals to boost their infection rates is to compromise ad networks, so that even visits to legitimate, mainstream websites can result in a ransomware attack.
That's exactly what happened in March 2016, when malicious ads (malvertising) redirecting to the Angler exploit kit appeared on The New York Times, the BBC, AOL, and the MSN homepage, exposing tens of thousands of visitors.
Once a ransomware payload is delivered, what happens next?
The precise next steps can vary from ransomware variant to variant, but in general, once ransomware is executed it wastes very little time scanning local and connected drives for files to encrypt. Some variants (such as Locky and DMA Locker) even encrypt unmapped network shares, extending the reach of the infection and making potential damage even more widespread.
Different ransomware variants also scan for different file types, though many cast their nets wide and will encrypt anything from Office files to multimedia files. It's also important to note that some variants, Locky among them, delete Volume Shadow Copies, the point-in-time snapshots Windows keeps and that features like Previous Versions and System Restore rely on, so that victims can't simply roll their files back.
Did you know? Ransomware typically only takes a matter of minutes or even seconds to finish encrypting files.
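The post-execution behaviour just described (shadow copy deletion, a fast burst of files being rewritten with a new extension, and a payload running from a user profile folder, which the policy section later in this post talks about blocking) as an added detection example, not Barkly's product logic and not code from the post: three rules run over constructed process-creation and file-rename events shaped like Sysmon/Windows telemetry. The `vssadmin` and `wmic` command lines are the commonly observed ways malware deletes Volume Shadow Copies and are an assumption about mechanism, not something the post states; hosts, users, paths and the `.locky` extension are made up for the sample.

```python
"""Behavioural detections for the post-delivery stage: shadow-copy deletion,
execution from a user profile folder, and a burst of renames to one new extension.

Added example, not Barkly's product logic. Events are constructed; field names
mimic process-creation (Sysmon event 1 / Security 4688) and file-rename telemetry.
"""
import re
from collections import defaultdict

# Rule 1: commands that destroy Volume Shadow Copies (assumed common mechanism).
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]
# Rule 2: program image living under %AppData% / %LocalAppData% (which includes %Temp%).
USER_PROFILE_DIR = re.compile(r"\\AppData\\(Local|Roaming)\\", re.I)


def check_process(event):
    """Alerts for one process-creation event."""
    alerts = []
    if any(p.search(event["cmdline"]) for p in SHADOW_DELETE):
        alerts.append(("shadow_copy_deletion", event["host"], event["cmdline"]))
    if USER_PROFILE_DIR.search(event["image"]):
        alerts.append(("exec_from_user_profile_dir", event["host"], event["image"]))
    return alerts


def rename_burst(events, window=10.0, threshold=50):
    """Rule 3: one process renames >= threshold files to the same new extension
    within `window` seconds. Returns at most one alert per offending process."""
    alerts = []
    per_proc = defaultdict(list)
    for ev in events:
        old_ext = ev["old"].rsplit(".", 1)[-1].lower()
        new_ext = ev["new"].rsplit(".", 1)[-1].lower()
        if old_ext != new_ext:                       # only renames that change the extension
            per_proc[(ev["host"], ev["pid"])].append((ev["ts"], new_ext))
    for (host, pid), items in per_proc.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:   # slide the time window
                start += 1
            span = items[start:end + 1]
            exts = {ext for _, ext in span}
            if len(span) >= threshold and len(exts) == 1:
                alerts.append(("mass_rename_to_new_extension", host, pid, exts.pop(), len(span)))
                break
    return alerts


# Constructed sample telemetry (hosts, users, paths and the extension are made up).
PROCESS_EVENTS = [
    {"host": "WS01", "user": "jdoe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS01", "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe"},
    {"host": "WS01", "user": "jdoe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS02", "user": "backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},            # benign: listing, not deleting
    {"host": "WS02", "user": "backup", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
]
FILE_EVENTS = [
    {"ts": 100.0 + i * 0.1, "host": "WS01", "pid": 4242,          # 60 renames in 6 seconds
     "old": rf"\\fileserver\finance\report_{i}.xlsx",
     "new": rf"\\fileserver\finance\report_{i}.locky"}
    for i in range(60)
] + [
    {"ts": 100.0, "host": "WS02", "pid": 900,                     # benign save-as renames
     "old": r"C:\Users\amy\Documents\draft.tmp", "new": r"C:\Users\amy\Documents\draft.docx"},
    {"ts": 101.0, "host": "WS02", "pid": 900,
     "old": r"C:\Users\amy\Documents\budget.tmp", "new": r"C:\Users\amy\Documents\budget.xlsx"},
]


def run_detections(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    """Run all three rules and return the combined alert list."""
    alerts = []
    for ev in process_events:
        alerts.extend(check_process(ev))
    alerts.extend(rename_burst(file_events))
    return alerts


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The rename rule is the one that catches an unknown family: it keys on the effect (many files acquiring one new extension within seconds, which is what the "minutes or even seconds" above looks like in telemetry) rather than on a known command line, at the cost of needing a threshold tuned against legitimate bulk operations such as archive tools.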
Once the encryption process is complete and the files are rendered inaccessible, the ransomware then creates a ransom note that notifies the user what just happened. Ransom notes are typically .TXT files, but depending on the ransomware, they may also appear on a web page and/or replace the Windows wallpaper, too. The point of the notes is to establish the ransom demand amount, walk the user through how to pay it (typically with Bitcoin), or simply direct them to a web page for further instructions.
Locky ransom screen
Note: Details included in the ransom notices, specifically any URLs that are included, can sometimes provide clues as to the specific type of ransomware you're dealing with (as can any changes the ransomware has made to encrypted file extensions — more on that below).
Is it possible to decrypt files without paying the ransom?
In some cases, malware researchers find flaws in how a ransomware family implements its encryption (a predictable or hard-coded key, a key left behind on disk, a key reused across victims) and are able to build tools that let victims decrypt their files without paying the ransom. Even if no tool exists for your strain today, keep the encrypted files and the ransom note rather than wiping everything outright: decryptors sometimes appear later, for example after law enforcement seizes the criminals' key servers.
Pro tip: If you get hit with ransomware use our Ransomware Decryption Tool Finder to determine:
a) what type of ransomware you're dealing with (based on changes to file extensions the ransomware made)
b) whether a decrypting tool is available for the particular strain of ransomware you're infected with
Unfortunately, if the encryption method was sound and no decryption tool is available then the only way to recover access to files is to restore them from backup. If backup copies don't exist then you have a difficult decision to make: Can you afford to move on without access to the files, or do you have to consider paying the ransom?
While the general advice is not to pay, there have been cases where the disruption caused by ransomware has been severe enough to effectively bring an organization grinding to a halt. Case in point: the ransomware attack on Hollywood Presbyterian Medical Center in February 2016 triggered 10 days of crippling downtime that resulted in patients being transferred to other facilities. The hospital ended up paying a ransom of $17,000 to get its systems back up and running.
Because ransomware infections have such an immediate and damaging consequence, that puts the emphasis on preventing attacks before they start. The best way to do that is by focusing your security efforts on disrupting these two primary delivery channels that get ransomware onto computers in the first place.
After all, if ransomware can't be delivered it can't do any harm.
How can I prevent ransomware from being delivered via email?
You can't prevent attackers from sending ransomware phishing emails, but you can put security controls in place that reduce the risk of users taking the bait or the ransomware successfully executing even if they do.
Actively filtering email attachment types that are potentially dangerous and aren't commonly used or necessary to day-to-day work is certainly a low-effort way for you to lower your risk, but as the example of Locky demonstrates, criminals are becoming increasingly good at sneaking malicious code into file types that will get past most email filtering. For that reason, email filtering is far from a comprehensive solution.
Quick stat: In a recent survey we conducted, 7 out of 10 ransomware victims reported they were running email/content filtering at the time of infection.
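The attachment tricks described earlier (macros hidden in Office documents, ransomware disguised as the file types people expect) and the attachment filtering discussed here, as an added example that is not Barkly's code or the page's own: a small Python triage function a mail gateway could run offline. It checks whether an Office container carries a VBA project, whether a file's real format matches its extension, and whether the name hides an executable behind a double extension. The sample file names and bytes, and the `_VBA_PROJECT` string heuristic for legacy OLE files, are constructed for the example and are assumptions, not data from the post.

```python
"""Attachment triage: checks a mail gateway can make without opening the file.

Added example, not the page's or Barkly's code. All sample attachments below
are constructed in memory; the OLE heuristic is an assumption (it looks for a
stream name, it does not parse the OLE directory).
"""
import io
import zipfile

# Extensions Windows (or one of its script hosts) runs directly on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "jar"}
OOXML_EXTS = {"docx", "docm", "dotm", "xlsx", "xlsm", "xltm", "pptx", "pptm"}
LEGACY_OFFICE_EXTS = {"doc", "dot", "xls", "xlt", "ppt"}
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML files are zip packages
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc/.xls/.ppt container


def extensions(filename):
    """All extensions in the name, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    return filename.lower().split(".")[1:]


def has_vba_project(data):
    """True if an OOXML package contains a VBA project part, i.e. a macro."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            return any(name.lower().endswith("vbaproject.bin") for name in pkg.namelist())
    except zipfile.BadZipFile:
        return False


def looks_like_ole_with_vba(data):
    """Heuristic for a legacy OLE document carrying macros (assumption, not a parser).

    OLE directory entries store stream names as UTF-16LE, so the bytes of
    '_VBA_PROJECT' inside an OLE file strongly suggest a VBA project is present.
    A production gateway should parse the directory (e.g. with oletools)."""
    return data.startswith(OLE_MAGIC) and "_VBA_PROJECT".encode("utf-16-le") in data


def triage_attachment(filename, data):
    """Return the list of reasons to quarantine; an empty list means nothing found."""
    reasons = []
    exts = extensions(filename)
    last = exts[-1] if exts else ""

    if last in EXECUTABLE_EXTS:
        reasons.append(f"extension .{last} runs as a program")
        if len(exts) >= 2 and exts[-2] not in EXECUTABLE_EXTS:
            reasons.append(f"double extension: name suggests a .{exts[-2]} document")

    # Format versus name: a "PDF" that is really a zip or OLE file is a disguise.
    if last == "pdf" and not data.startswith(b"%PDF"):
        reasons.append("named .pdf but content is not a PDF")

    if last in OOXML_EXTS or last in LEGACY_OFFICE_EXTS:
        if has_vba_project(data):
            reasons.append("Office package contains a VBA project (macro)")
        elif looks_like_ole_with_vba(data):
            reasons.append("legacy Office file appears to contain a VBA project (heuristic)")
    return reasons


def make_ooxml(with_macro):
    """Build a minimal Word package in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project")
    return buf.getvalue()


# Constructed sample attachments (names and bytes are made up for the example).
SAMPLES = {
    "invoice_2016.docm": make_ooxml(with_macro=True),
    "contract.docx": make_ooxml(with_macro=False),
    "order.doc": OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le"),
    "invoice.pdf.exe": b"MZ" + b"\x00" * 32,
    "statement.pdf": b"%PDF-1.4\n%constructed\n",
    "scan.pdf": ZIP_MAGIC + b"\x00" * 16,
}


def triage_all(samples=SAMPLES):
    """Map each attachment name to its quarantine reasons."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name:20} {'QUARANTINE' if reasons else 'pass':10} {'; '.join(reasons)}")
```

Checking content rather than only the extension list is the point: an extension blocklist stops `invoice.pdf.exe`, but a macro-bearing `.docm` or `.doc` is exactly the kind of "expected" file type the Locky example above shows slipping through, and only inspecting the container catches it.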
Teaching users how to spot and react to suspicious emails can help transform them from a major liability to a formidable first line of defense. To help, we've put together a Phishing Field Guide complete with example phishing emails you can share with users to show them exactly what to watch out for.
User awareness training is a great long-term investment, but it's also an ongoing commitment, and there's no guarantee users are going to be mistake-free 100% of the time. That means you need backup safety nets in place so you're ready for the inevitable moment when a new, or even a well-trained, user clicks on something they shouldn't have.
How can I prevent ransomware from being delivered via compromised websites?
Again, it's all about focusing on the things you can control. You can't stop attackers from creating and using exploit kits, but since they rely on taking advantage of software vulnerabilities, one thing you can do is take precautions to make sure your software is patched and up-to-date.
Depending on the size and complexity of your organization, staying on top of, testing, and rolling out the latest patches can be a full-time job in and of itself. The good news is, when it comes to successful exploits, 85% take advantage of just 10 incredibly popular vulnerabilities.
Did you know? The following 10 vulnerabilities account for 85% of successful exploits (Verizon 2016 DBIR): CVE-2001-0876, CVE-2011-0877, CVE-2002-0953, CVE-2001-0680, CVE-2012-1054, CVE-2015-0204, CVE-2015-1637, CVE-2003-0818, CVE-2002-0126, CVE-1999-1058
Start out by patching those and you can drastically reduce your risk. Two caveats: that list is drawn from the DBIR's own telemetry and more than half of the entries are over a decade old, so treat it as a sanity check rather than a complete patch list; and the vulnerabilities exploit kits actually use to deliver ransomware are in browsers and their plugins (Flash in particular) and in Office, so keep those at the front of the queue. From there, you'll want to implement a patch management strategy that ideally involves automation.
Install an ad blocker
Ad blockers can help protect your users from malicious ads (malvertising) that can infect even mainstream, legitimate websites.
How can I stop ransomware from fully executing, even if it does get downloaded?
In addition to taking precautionary measures to prevent ransomware delivery in the first place, there are several things you can do to render ransomware ineffective even if it does land on a machine. The key is to identify the actions ransomware needs to accomplish in order to successfully complete the infection process — and then stop those actions short.
Do it yourself with policy restrictions
A simple example is disabling MS Office macros, which renders ransomware that relies on them ineffective.
Another (slightly more complicated) example is using Software Restriction Policies to block executables from running out of locations where malware typically stages itself but legitimate software rarely lives, such as the %AppData%, %LocalAppData% and %Temp% folders. Inventory what legitimately runs from those folders before enforcing: some installers, updaters and per-user browser installs do, and will need exceptions. On Windows editions that include it, AppLocker offers the same kind of rule with an audit-only mode for trialing it.
Use a solution like Barkly to block ransomware attempts for you
The most comprehensive (and also hands-off) approach, however, is to install a solution that actively blocks ransomware behavior and does all the work for you. At the risk of being self-promotional, that's exactly what we've built Barkly to do.
Check out the video below to learn more about how Barkly stops ransomware before it has a chance to encrypt a single file:
Note: This blog post is the first in a series. Over the next few weeks we'll be answering more questions about how ransomware works and what you can do to lower your risk of a successful infection. Sign up for updates and I'll send you an email when a new post is live.
In the meantime, if you have a question you want us to cover let me know in the comments below.