Malware is malicious software installed on a target machine to perform malicious activities across a corporate network and its IT devices. A ransomware attack is a malware attack in which the attacker prevents access to files or system data until the victim capitulates to the attacker’s ransom demands. Recent attacks have successfully targeted major financial institutions, federal contractors, industrial control systems, and private sector businesses. Most such attacks were orchestrated by exploiting inherent vulnerabilities of the tech stack.
This article discusses what a ransomware attack is, recent attack examples, the vulnerabilities exploited, and prevention practices to mitigate such attacks.
What is a Ransomware Attack?
A ransomware attack involves encrypting critical system files and data, then threatening to expose them or keep access blocked unless the victim pays the ransom. In this form of attack, the threat actor keeps the decryption key secret until the ransom is paid. When the victim does not pay on time, the ransom demand is typically increased, or the victim loses access to their data forever.
A recent study also observed that victims who paid the ransom are susceptible to repeat attacks orchestrated through the same attack vector. Although federal officials, security teams, and law enforcement agencies warn against paying ransom demands, ransomware victims often pay in order to recover valuable data and keep services running as usual.
Recent Ransomware Attacks
Some of the biggest ransomware attacks carried out in the recent past include:
Kronos Ransomware Attack
Kronos is a workforce management company offering payroll processing and work-hour tracking services to numerous client companies. In December 2021, Kronos’ private cloud platform was targeted in a ransomware attack that caused the company to lose command and control of its administrative functions. Ransomware attackers crippled the payroll administrator, resulting in many employees getting inaccurate pay while others failed to get any wages. The attack also resulted in a data breach that exposed the employees’ personally identifying information (PII).
Many companies using the Kronos service fell victim to cyber threats, where the attackers threatened to release confidential files to the public if the victims failed to pay the ransom. Through the attack, attackers also obtained the UKG source code, which they threatened to sell if the company could not honor their ransom demands. While it took over a year to fully restore Kronos’ core services, the affected companies have since filed lawsuits amounting to millions of dollars in the aftermath of the incident.
Kaseya VSA Ransomware Attack
Kaseya provides IT solutions for enterprise clients and managed service providers (MSPs) in over ten countries. In July 2021, attackers performed a supply chain ransomware attack targeting a vulnerability in the firm’s Virtual System Administrator (VSA) software. To orchestrate the attack, attackers exploited an authentication bypass vulnerability to install and distribute the ransomware software on the host operating systems running the VSA software. The REvil operation gang took credit for the attack, claiming to encrypt over a million infected devices in the hack. Their ransom note initially included a request for $70 million, which Kaseya did not pay.
Federal officials and the United States government intervened in a takedown of REvil’s servers and other infrastructure on the 13th of July. Within a week, Kaseya reported that they had received the decryption tool for REvil’s exploits and were in the process of restoring files belonging to the ransomware victims.
Nordic Choice Hotels Ransomware Attack
Nordic Choice is a hotel chain across Scandinavian and Eastern European regions. The hotel chain was targeted in a ransomware attack on 1st December 2021. According to the company’s VP of Technology, the exploit led to a deliberate shutdown of computers within the corporate network, check-in desks, and other critical infrastructure systems. The attack made Nordic Choice staff lose control of operations such as guest check-ins and keycard entry. According to a cyber official, the hackers gained access to their systems 48 hours before the attack through phishing emails. An employee clicked on a malicious link, assuming it was a legitimate message from a renowned tour operator. The hackers used a ransomware variant known as Conti to disable Nordic Choice’s antivirus systems and copy information from multiple local Windows files.
Although attackers left a ransom message on the infected devices that included their contact information for data decryption, they never mentioned the ransom amount. Following the attack, Nordic Choice’s technical operations team migrated from Microsoft’s Windows operating system to Alphabet’s Google Chrome as part of a long-term security solution. While the team was busy with the migration, hackers leaked confidential files with employee information, such as credit card numbers, on the dark web. The transition to ChromeOS Flex was claimed to be completed in 48 hours, following which Nordic Choice got all their customer systems working again.
Colonial Pipeline Ransomware Attack
On 6th May 2021, attackers launched a ransomware attack targeting computerized equipment managing industrial control systems for Colonial Pipeline. The attack affected major infrastructure systems, leading to a shutdown that impacted several airlines along the USA’s East Coast. As the pipeline transported oil from refineries to major national markets, government officials classified the attack as an advanced threat, declaring a state of emergency. Within the first two hours of the attack, hackers obtained about 100 GB of sensitive data. Following the breach, attackers infected the entire network with malware that affected critical desktop services, including accounting and billing.
To prevent malware from spreading beyond infected devices, Colonial Pipeline shut down its operations and reported the incident to federal agencies, which investigated it. The investigation identified the attack vector as an undisclosed VPN password leaked in a previous data breach. After a cost-benefit analysis, Colonial Pipeline paid $4 million in ransom money to obtain the decryption tool and regain control of its IT systems.
List of Vulnerabilities Exploited for Ransomware Attacks
The most aggressive forms of ransomware attacks exploit an existing vulnerability as a starting point. Common attack vectors for ransomware exploits include:
Phishing Emails
Ransomware attackers typically target unsuspecting employees by sending fake emails pretending to be senior employees or company partners. These emails may contain links to malicious websites or file attachments, which install ransomware software onto the victim’s computers when clicked. Although the email trick has been used for decades, threat actors have consistently evolved ways of tricking target victims into installing malware that leaves their data and device inaccessible.
Access Control Flaws
The primary goal of a ransomware attack is to render the entire network or infected device inaccessible, allowing the attacker to exploit the situation and demand money in return. Access control flaws allow hackers to exploit public-facing applications by assuming the identities of recognized users, making it hard to detect intrusion until it is too late. In instances where the target system contains access control vulnerabilities, attackers can gain access to legitimate user accounts, orchestrate file encryption, and prevent the victim from accessing their data until the attackers’ demands are met.
Common Vulnerabilities and Exposures
Attackers also use vulnerabilities listed in the CVE database to gain access to files for a ransomware exploit. Some vulnerabilities and exposures commonly used in ransomware attacks include:
- CVE-2021-40444 – Windows MSHTML vulnerability
- CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 – ProxyShell exploit over MS Exchange Server
- CVE-2021-36942 – Overriding Windows domains through LockFile
- CVE-2021-34527 – Windows print spooler vulnerability
- CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120 – Zero day vulnerability on Kaseya’s MSPs
Strategies to Combat Ransomware Attacks
Some techniques to combat an active ransomware infection include:
Ransomware Recovery Tools
Ransomware recovery tools help security teams identify whether malware has encrypted files within the system and suggest measures to recover the data in those files. Such tools scan encrypted files and check their databases for an available decryption key. Adopting appropriate ransomware recovery tools helps operations teams recover encrypted data and restart critical systems without paying the ransom.
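The scan-and-lookup step described above can be sketched as follows. This is an added example, not code from any recovery tool or from this article's author; the DECRYPTOR_DB entries, family labels, and file names are constructed placeholders, and the 7.5 bits-per-byte threshold is an assumption.

```python
import math
from collections import Counter
from pathlib import Path

# Constructed placeholder database: appended extension -> (family label, decryptor known?).
# Hypothetical entries for illustration, not real ransomware intelligence.
DECRYPTOR_DB = {".lockedx": ("ExampleFamilyA", True), ".cryptz": ("ExampleFamilyB", False)}
# Leading magic bytes expected for a few common file types.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}
ENTROPY_THRESHOLD = 7.5  # assumed cut-off in bits per byte; encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def triage(name: str, data: bytes) -> dict:
    """Classify one file from its name and content, then look up a decryptor."""
    suffixes = [s.lower() for s in Path(name).suffixes]  # e.g. ['.pdf', '.lockedx']
    family, decryptor = None, False
    original_ext = suffixes[-1] if suffixes else ""
    if original_ext in DECRYPTOR_DB:
        family, decryptor = DECRYPTOR_DB[original_ext]
        # The real type is the extension that precedes the appended one.
        original_ext = suffixes[-2] if len(suffixes) > 1 else ""
    expected = MAGIC.get(original_ext)
    header_ok = expected is None or data.startswith(expected)
    entropy = shannon_entropy(data[:65536])
    # Compressed formats are high-entropy too, so entropy alone is not enough:
    # require a broken header or a known appended extension as well.
    suspected = family is not None or (entropy >= ENTROPY_THRESHOLD and not header_ok)
    return {"file": name, "entropy": round(entropy, 2), "suspected_encrypted": suspected,
            "family": family, "decryptor_available": decryptor}


if __name__ == "__main__":
    uniform = bytes(range(256)) * 16  # constructed stand-in for ciphertext (entropy 8.0)
    samples = {
        "report.pdf.lockedx": uniform,
        "photo.png": uniform,                       # right extension, wrong header
        "backup.zip": b"PK\x03\x04" + uniform,      # high entropy but valid header
        "notes.pdf": b"%PDF-1.7 " + b"hello world " * 100,
    }
    for fname, blob in samples.items():
        print(triage(fname, blob))
```

A file flagged with no family match still needs manual identification before any decryptor lookup is meaningful.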
External Backup Solutions
Enterprises should invest in solutions that maintain external backup copies of their crucial system files and data. External backups are critical components of an emergency response plan, as they enable an organization to resume normal operations without paying to regain control of its network assets. External backups can be hosted on-site or in the cloud, but they are most effective when stored remotely, which reduces the possibility of their being impacted by an active ransomware infection.
Antivirus Software
Antivirus software leverages application whitelists to prevent unauthorized applications from executing within the network. Deploying an antivirus solution across the entire network helps operations teams detect malware as soon as it attacks, thereby preventing ransomware authors from gaining system access.
Self-assessed Security Audits
Security teams should perform regular vulnerability scans, penetration tests, and log audits to assess the deployment’s security posture. Security audits help identify ransomware attack vectors before threat actors can exploit them while assisting internal teams in analyzing whether they are fully prepared for an attack.
Crashtest Security Suite is a platform that helps organizations perform security audits through automated penetration testing and vulnerability scanning. The platform also helps organizations identify common weaknesses and attack signatures for insecure design exploits through a few simple steps.
What are the most common types of ransomware attacks?
While there are dozens of ransomware variants used to target critical systems in the modern world, some common ransomware variants include the following:
- Locker ransomware
- Commodity ransomware
- Crypto ransomware attacks
- Drive-by ransomware
What are the stages of a ransomware attack?
Though attack scenarios may differ, a typical ransomware attack goes through the stages below:
- Malicious code execution
- File encryption
- Ransom message notification
- Attack footprint deletion
- Ransom payments
- File decryption