The key to keeping people scared is to keep changing what you’re doing. Imagine a horror movie, for example, where a knife-brandishing masked killer keeps jumping out of people’s cupboards to scare them. The first time an audience sees it happen, they’ll react in a big way. When it happens without variation for the fifth or sixth time, they’ll probably yawn. The novelty is gone. Heck, if they have any sense, the would-be victims might even stop buying cupboards.
That may seem a strange analogy for a cyber attack, but the same principle holds true. Attackers are always on the lookout for new ways to catch their victims off-guard. That could be finding new software or system vulnerabilities that have yet to be plugged. Alternatively, it could be trying to extort money from a target by threatening them with something they’ve never seen before – and therefore have no idea how to deal with.
Ransomware attacks fall into this second group. Ransomware attacks are highly visible attacks that make no bones about what they’re trying to do: Attackers want victims to pay them money, and they’ll directly tell them as much. They’re essentially twenty-first century versions of age-old extortion attempts: They take something from the user and then charge them money if they want to regain it. How they do it – as this article will lay out – can vary from basic encryption to DDoS attacks.
The trajectory of ransomware
In the case of a classic ransomware attack, the threat came from data encryption. Ransomware attackers would use malware to encrypt vital files belonging to the user or target organization. If they wanted to gain access to the decryption key, they’d have to pay up – with amounts that could range from a few bucks to many thousands of dollars. Should they decline to pay, the files would remain encrypted.
However, more recently ransomware attackers have been seeking out fresh ways to ratchet up the ransom threat. One of these ways is through data theft, rather than simply encryption. In a data encryption-based ransomware attack, the idea is that no-one has access to the information without using a decryption key. The files remain on the computer, or on the system, belonging to the target; they just so happen to be rendered useless and unreadable until a ransom is paid.
In the case of a theft-based attack, on the other hand, the attackers exfiltrate files which they can threaten to publish or release if a ransom is not paid. Instead of the threat being lost time (that would be required to recreate the files), the threat is losing confidential information (possibly including customer data or forward-looking plans) that could result in considerably worse outcomes.
Adding more layers: third-party extortion and DDoS attacks
In some instances, attackers add yet another layer to the threat – by then attempting to extort customers of the original target. For instance, files stolen from a manufacturing company could include blueprints belonging to any number of companies which use that manufacturer. That means that one original target (the manufacturer) opens up plenty of potentially deep-pocketed additional targets.
Recently, another twist on the ransomware formula has included DDoS. Short for Distributed Denial of Service, these attacks seek to overwhelm target websites or services by bombarding them with massive quantities of fraudulent traffic. Picture it like redirecting too many cars to drive down a residential street, and the gridlock that would undoubtedly result from this.
One example of an attacker using DDoS as part of their toolkit is the ransomware group known as HelloKitty, a.k.a. FiveHands – the gang most notable for its ransomware attack on the video game developer CD Projekt Red, in which it allegedly stole the source code for games such as The Witcher 3, Cyberpunk 2077, and more.
According to the Federal Bureau of Investigation (FBI), the HelloKitty ransomware gang has recently added DDoS attacks to its methods. These attacks are launched against victims who refuse to pay the ransom, or fail to pay it quickly enough, piling further pressure on top of the encryption and leak threats.
Protecting against ransomware
Protecting against ransomware is essential for any organization today. Unfortunately, because the means of attack keep changing, there is no single, all-encompassing defense. That doesn't mean there are no tools to help. Ransomware detection systems watch file read/write activity in real time for the telltale pattern of bulk encryption (many files rewritten with high-entropy data and renamed in a short burst), then isolate the offending endpoint or user account and quarantine the suspicious files to stop an attack in progress. Web Application Firewalls (WAFs) can also help, by blocking the exploitation of web-facing applications that often serves as the attackers' initial foothold. Offline, regularly tested backups remain the fallback for the encryption threat, though they do nothing against the theft-and-leak variant, which is precisely why attackers have moved to it.
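The behavioural detection described above, as an added example that is not code from the original article or from any product it mentions: a sliding-window detector that flags a process which, within a few seconds, overwrites many files with ciphertext-like (high-entropy) data and renames them to a new extension. The event format, the thresholds, the process IDs and the sample events are all assumptions constructed for this illustration.

```python
"""Behavioural ransomware detection over a stream of file-system events.

Added example: the event format, thresholds and sample data below are
assumptions constructed for illustration, not taken from any real product.
"""
import math
from collections import Counter, defaultdict, deque
from pathlib import PurePosixPath


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte. Plain text sits around 4 to 5; ciphertext or
    compressed data sits close to the maximum of 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(events, window=10.0, min_files=8, entropy_threshold=7.0):
    """Return {pid: reason} for processes whose recent activity looks like bulk
    encryption: at least `min_files` distinct files touched inside `window`
    seconds, with either high-entropy overwrites or extension changes on that
    many of them (the encrypt-then-rename pattern).

    Each event is (timestamp, pid, op, path, arg): op "write" carries the bytes
    written in arg, op "rename" carries the new path in arg.
    """
    recent = defaultdict(deque)  # pid -> (ts, path, high_entropy, ext_changed)
    alerts = {}
    for ts, pid, op, path, arg in events:
        if op == "write":
            entry = (ts, path, shannon_entropy(arg) >= entropy_threshold, False)
        elif op == "rename":
            changed = PurePosixPath(path).suffix != PurePosixPath(arg).suffix
            entry = (ts, path, False, changed)
        else:
            continue
        q = recent[pid]
        q.append(entry)
        while ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        files = {e[1] for e in q}
        if len(files) < min_files:
            continue
        high_entropy = sum(1 for e in q if e[2])
        ext_changes = sum(1 for e in q if e[3])
        if high_entropy >= min_files:
            alerts[pid] = f"{high_entropy} high-entropy writes to {len(files)} files in {window}s"
        elif ext_changes >= min_files:
            alerts[pid] = f"{ext_changes} extension changes on {len(files)} files in {window}s"
    return alerts


# Constructed sample data. CIPHERTEXT_LIKE uses every byte value equally often,
# so its entropy is exactly 8.0 bits per byte, as real ciphertext nearly is.
CIPHERTEXT_LIKE = bytes((i * 239) % 256 for i in range(1024))
PLAINTEXT_LIKE = b"Q3 revenue is flat; see the attached spreadsheet.\n" * 20


def _benign_events():
    # pid 101 (assumed): a user editing a few documents over half a minute.
    yield (0.0, 101, "write", "/home/u/docs/report.docx", PLAINTEXT_LIKE)
    yield (12.0, 101, "write", "/home/u/docs/notes.txt", PLAINTEXT_LIKE)
    yield (25.0, 101, "rename", "/home/u/docs/draft.txt", "/home/u/docs/final.txt")
    yield (30.0, 101, "write", "/home/u/docs/final.txt", PLAINTEXT_LIKE)


def _ransomware_events():
    # pid 202 (assumed): overwrites a dozen files with ciphertext and tags each
    # one ".locked" within a few seconds.
    for i in range(12):
        src = f"/home/u/docs/file{i}.docx"
        yield (40.0 + 0.2 * i, 202, "write", src, CIPHERTEXT_LIKE)
        yield (40.1 + 0.2 * i, 202, "rename", src, src + ".locked")


SAMPLE_EVENTS = sorted([*_benign_events(), *_ransomware_events()], key=lambda e: e[0])

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid}: {reason}")
```

Two caveats a practitioner would want: backup and compression jobs also write many high-entropy files quickly, so a real deployment allow-lists known processes or weights the extension-change signal more heavily; and some families encrypt only the first few kilobytes of each file, so the entropy sample should be taken from the head of the write rather than averaged over the whole payload.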
When it comes to DDoS attacks, WAFs and similar filtering layers stop malicious requests before they reach the application, for example by rate-limiting sources that send far more requests than any real user would, while letting legitimate traffic through to its destination. That works for application-layer floods; a sizable volumetric attack can saturate the network link before a WAF ever sees a packet, which is what so-called scrubbing centers are for: traffic is diverted through them, the flood is filtered out upstream, and only clean traffic is forwarded on, allowing organizations to cope with unusually high volumes.
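The application-layer filtering just described, as an added example rather than code from the original article or from any WAF product: a per-source sliding-window rate limiter run over a constructed request log in which three real users browse at a modest rate while five bot addresses hammer a login page. The limits, the addresses and the log are all assumptions made for this illustration.

```python
"""Per-source sliding-window rate limiting, the kind of application-layer
filter a WAF or reverse proxy applies to an HTTP flood.

Added example: limits, client addresses and the request log are constructed
for illustration, not taken from any product or real traffic.
"""
from collections import defaultdict, deque


class RateLimiter:
    """Allow at most `max_requests` per client in any `window_ms` interval."""

    def __init__(self, max_requests=20, window_ms=1000):
        self.max_requests = max_requests
        self.window_ms = window_ms
        self.hits = defaultdict(deque)  # client -> timestamps of allowed requests

    def allow(self, ts_ms, client):
        q = self.hits[client]
        while q and ts_ms - q[0] >= self.window_ms:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(ts_ms)
        return True


def filter_requests(requests, limiter):
    """Split (ts_ms, client_ip, path) requests into (allowed, blocked) lists,
    processed in arrival order."""
    allowed, blocked = [], []
    for req in sorted(requests, key=lambda r: r[0]):
        (allowed if limiter.allow(req[0], req[1]) else blocked).append(req)
    return allowed, blocked


def blocked_clients(blocked):
    """Distinct source addresses that had at least one request dropped."""
    return sorted({ip for _, ip, _ in blocked})


def _legitimate():
    # Three real users (assumed addresses) at five requests per second for three seconds.
    for c in range(1, 4):
        for k in range(15):
            yield (200 * k, f"10.0.0.{c}", "/index.html")


def _flood():
    # Five bot addresses (assumed) hitting the login page at 100 requests per second.
    for b in range(1, 6):
        for k in range(100):
            yield (10 * k, f"203.0.113.{b}", "/login")


SAMPLE_REQUESTS = [*_legitimate(), *_flood()]

if __name__ == "__main__":
    allowed, blocked = filter_requests(SAMPLE_REQUESTS, RateLimiter())
    print(f"allowed={len(allowed)} blocked={len(blocked)} from {blocked_clients(blocked)}")
```

With the limit at 20 requests per second, every request from the three real users gets through, while each bot address is cut off after its first 20 requests in the window. The same example also shows the technique's limits: a botnet large enough that every source stays under the threshold slips past per-source limiting, users behind a shared NAT can be blocked as collateral, and none of this helps once a volumetric flood has filled the link upstream of the filter, which is the case for scrubbing centers.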
Ransomware attacks aren’t going away. But by employing the right safety measures, you can learn to live with it by protecting yourself, your employees, and your customers. It’s the smart thing to do.