There are plenty of nasty forms that malware can take, but ransomware is particularly malicious. Gaining access to your computer through an attack vector such as a phishing email, it holds your computer files hostage by encrypting them so that you, the user, no longer have access to them. To gain control of your files again, you must pay a ransom — usually in Bitcoin or another cryptocurrency — to be granted the necessary decryption key.
Ransomware attacks have targeted everything from individuals to businesses to schools and hospitals. The impact of losing access to critical files can range from profoundly annoying to financially devastating to, in the case of critical health data, life-threatening.
Ransomware persists because, as much as people might know that “don’t negotiate with wrongdoers” is good advice, they may not feel they have a choice. Faced with losing truly critical data, targets will often pay up to resolve the problem as quickly as possible, resolving instead to focus on improving security afterwards so that the same thing doesn’t happen again. Nasty twists on the ransomware formula — such as gathering personal data from users and threatening to leak it if the ransom is not paid — can also be a compelling weapon in the cyberattacker’s arsenal.
The rise of Conti
Over the years, there have been a large number of big ransomware attacks, ranging from widespread attacks like May 2017’s WannaCry, which affected 200,000 computers running the Microsoft Windows operating system, to more targeted campaigns like Ryuk and REvil. Ryuk went after “big game” targets by hitting up large organizations with unusually big ransom demands. REvil stole data from targets and then auctioned it off for large amounts of money.
New strains of ransomware continue to emerge. This summer, security researchers became aware of a malware dubbed Conti, which is currently experiencing a boom in popularity on the Dark Web. Unlike most ransomware attacks, Conti utilizes a wholly bespoke AES-256 encryption implementation. Primarily targeting enterprise victims running Microsoft Windows in North America and Europe, it uses up to 32 simultaneous encryption efforts to encrypt files at a blinding speed. Each encryption key is unique to the individual ransomware attack. (It is not known whether Conti also sends personal information to the cyberattackers prior to encrypting files.)
Once it has dug into a system, Conti tries to delete Volume Shadow Copies and interferes with several services by using the Windows Restart Manager to make sure files used by these services are encrypted. Encrypted files receive the additional file extension “.CONTI”. Conti is seemingly controlled directly by its operators, allowing it to more accurately target important network-based resources. It will skip over files with DLL, EXE, LNK, or SYS extensions, and instead focus on encrypting files on local and networked SMB drives. In addition, it can attack specific drives on both the local machine and network — as well as targeting individual local IP addresses. This is a capability that was seen in the older REvil ransomware.
As with many other ransomware attacks, Conti demands a ransom to be paid in Bitcoin. If this amount is not paid, the attackers inform targets that their files will be irreversibly deleted, along with the encryption keys. Every day that the victims do not contact the attackers, the ransom demand increases by 0.5 Bitcoins (at time of writing, a single Bitcoin is valued at more than $9,000). To prove their seriousness, the hackers offer to decrypt a sample file sent by the victims (so long as it contains no valuable information).
Proactive steps in the battle against ransomware
Fighting ransomware attacks once they have taken place is not easy. Many unprepared victims hit by ransomware attacks end up losing access to files and never retrieving it. This is true even when people pay the ransom. Despite promises from cybercriminals that they will provide decryption keys for unlocking files, this is far from guaranteed.
There are, however, proactive steps that people and companies can take to minimize the risk of a successful ransomware attack. For starters, ensuring that regular backups are taken means that you can perform a system restore without losing much (if any) of your hard work.
The same is true when it comes to installing security updates, ensuring that secure configurations are applied across all devices, that multi-factor authentication (MFA) and lockout policies are used for administrative accounts and wherever else possible, and checking that obsolete platforms are segregated from the rest of a network. Another crucial step involves continuously monitoring systems for unusual activity. This can ensure that any potential compromise of your network is detected as rapidly as possible, meaning that steps can be taken to alleviate the threat.
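The continuous monitoring described above can be made concrete using the two Conti behaviours this article names: the attempt to delete Volume Shadow Copies and the rapid renaming of files to the “.CONTI” extension. The following is an added illustration, not code from the article or from any vendor; the log line format, the sample events, the shadow-copy deletion command line it matches (the usual Windows `vssadmin delete shadows` form, assumed here) and the burst threshold are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample endpoint log (not from the article): "<ISO timestamp> | <kind> | <detail>".
SAMPLE_LOG = """\
2020-07-10T09:00:01 | proc | cmd.exe /c vssadmin delete shadows /all /quiet
2020-07-10T09:00:05 | file | rename C:\\data\\q2.xlsx -> C:\\data\\q2.xlsx.CONTI
2020-07-10T09:00:06 | file | rename C:\\data\\plan.docx -> C:\\data\\plan.docx.CONTI
2020-07-10T09:00:06 | file | rename \\\\fs01\\share\\notes.txt -> \\\\fs01\\share\\notes.txt.CONTI
2020-07-10T09:00:07 | file | rename C:\\data\\img.png -> C:\\data\\img.png.CONTI
2020-07-10T09:00:08 | file | rename C:\\data\\todo.md -> C:\\data\\todo.md.CONTI
2020-07-10T09:30:00 | file | rename C:\\data\\old.bak -> C:\\data\\old.bak.CONTI
"""

# Assumed indicator: the common Windows command line for wiping shadow copies.
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# A rename whose new name ends in the ".CONTI" extension the article describes.
CONTI_RENAME = re.compile(r"rename\s+(.+?)\s+->\s+(.+?\.CONTI)\s*$", re.IGNORECASE)


def detect(log_text, window=timedelta(seconds=60), burst_threshold=5):
    """Return (rule, timestamp, detail) alerts for shadow-copy deletion and
    for bursts of .CONTI renames within a sliding time window."""
    alerts = []
    rename_times = []  # timestamps of recent .CONTI renames inside the window
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the monitor
        ts, kind, detail = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if kind == "proc" and SHADOW_DELETE.search(detail):
            alerts.append(("shadow_copy_deletion", ts, detail))
        elif kind == "file" and CONTI_RENAME.search(detail):
            rename_times.append(ts)
            # Drop renames that fell out of the window, then test the burst size.
            rename_times = [t for t in rename_times if ts - t <= window]
            if len(rename_times) == burst_threshold:  # fires once per burst
                msg = f"{burst_threshold} files renamed to .CONTI within {int(window.total_seconds())}s"
                alerts.append(("conti_extension_burst", ts, msg))
    return alerts


if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule}: {detail}")
```

Both signals are noisy on their own (backup software also manages shadow copies), so in practice the two rules would be correlated with the originating process and host before paging anyone.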
Find professionals to help
Some of these are moves that individuals and companies can take easily on their own. Making sure that employees know not to click strange links in emails, promoting a policy of secure authentication, and responding quickly to security updates means that you can mitigate many of the more widespread ransomware attacks out there. In other cases, though, it’s worth finding a professional security company with a proven track record to help.
Your average business has far more pressing everyday matters to think about than staying up-to-date with all developments in the burgeoning field of ransomware. This is one of the things cyberattackers count on to help them find vulnerabilities to exploit.
Fortunately, there are folks fighting on the right side to make sure that you don’t fall prey to such attacks — and that you don’t even need to think about them too often. Make sure you pick the right one and you’ll be able to rest safe in the knowledge that you are properly protected against ransomware attacks.