Ransomware is a growing threat across many industries, and healthcare has been a favored target of late. Although there have been a number of successful attacks, one aspect rarely explored in any depth is how an attack actually works.
The first step is infection: the malware has to be placed on the system somehow, and without this foothold there would be no ransomware and no ever-increasing count of infections. The most popular vector at present is phishing. A seemingly plain, boring file is attached to an email, and the message leads the target to believe the attachment contains wedding photos, a friend's child's photos, or the like.
Once the attachment is opened, the Trojan or worm embedded in the file is running on the system. It may be aimed at endpoints, the local system, servers, or the wider enterprise. The next step is where the malware shows itself, and the person who wrote it has options here: encryption may begin immediately, in a day, or in a week, or it may be triggered remotely on a date of the attacker's choosing.
The malware may focus on a single file, a set of files, an entire drive, and so on. The selected areas are encrypted with a key long enough that brute-forcing it is impractical, so the only realistic routes back to the data are the attacker's decryption key or a clean backup. To make matters worse, the malware may also be coded to rename the encrypted files, typically by appending a new extension.
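The encryption-and-rename behaviour described above is also what a defender can look for on disk: encrypted content is statistically indistinguishable from random bytes, and appended extensions are a telltale. The following script is an added example written for this page, not code from the article or from any ransomware family. It builds a small constructed directory (ordinary text, "ciphertext" simulated with random bytes under a renamed file, and "ciphertext" left under its original name), then flags files by Shannon entropy and by a suffix list. The suffix list and the 7.5 bits-per-byte threshold are assumptions for the example and should be tuned to the families you track.

```python
import math
import os
import tempfile
from pathlib import Path

# Extensions seen appended to encrypted files; this list is an assumption for the
# example, not taken from the article. Tune it to the families you track.
SUSPECT_SUFFIXES = {".locked", ".encrypted", ".crypt"}
# Uniformly random (or well-encrypted) data approaches 8 bits of entropy per byte;
# English text sits around 4 to 5. The threshold is a working assumption.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data):
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_file(path):
    """Flag a file as suspect if it was renamed with a known ransomware suffix
    or if its contents look like ciphertext (high entropy)."""
    entropy = shannon_entropy(path.read_bytes())
    renamed = path.suffix.lower() in SUSPECT_SUFFIXES
    return {
        "name": path.name,
        "entropy": round(entropy, 3),
        "renamed": renamed,
        "suspect": renamed or entropy >= ENTROPY_THRESHOLD,
    }


def scan_directory(root):
    """Classify every regular file under `root`, sorted by name."""
    return sorted(
        (classify_file(p) for p in Path(root).rglob("*") if p.is_file()),
        key=lambda r: r["name"],
    )


def build_sample_tree(root):
    """Constructed sample data, not real victim files:
    - budget.txt: ordinary text, should pass
    - photos.zip.locked: random bytes standing in for ciphertext, plus a telltale rename
    - report.docx: random bytes standing in for ciphertext, original name kept
    """
    root = Path(root)
    (root / "budget.txt").write_text("Quarterly budget notes.\n" * 200)
    (root / "photos.zip.locked").write_bytes(os.urandom(8192))
    (root / "report.docx").write_bytes(os.urandom(8192))


def run_demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for row in run_demo():
        flag = "SUSPECT" if row["suspect"] else "ok"
        print(f"{row['name']:<20} entropy={row['entropy']:.3f} "
              f"renamed={row['renamed']} {flag}")
```

Entropy alone is noisy: real .docx, .zip, .jpg and other compressed formats already sit near 8 bits per byte, so on a live file share this check would flag them too. In practice the signal comes from combining it with the rename pattern, a burst of rewrites across many files in a short window, and canary files that no legitimate process should touch.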
A newer variant adds a step. It follows the same methodology as general ransomware, but is also coded to delete the files. The malware not only tells the victim that their files, folders, or system are encrypted and sets a payment deadline for the decryption key, but also deletes the very files it claims will be restored after payment. The victim discovers this only after receiving the decryption key and finding the data gone. In practice such a variant is a wiper disguised as ransomware, and one more reason that paying offers no guarantee of recovery. This behaviour is not seen often: if it occurred more frequently, there would be less incentive to pay on average, and the attackers' revenue would fall.
Ransomware use has increased over time. With a basic phishing campaign, attackers can "earn" over $20k per incident, for minimal effort compared with a typical breach that requires working a way into the system. Now that this attack has been operationalized and monetized, it will not stop or slow down.
Remember to back up frequently, keep at least one copy offline or otherwise out of reach of the systems that could be infected, test that backups actually restore, and maintain a training schedule for the staff.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.