Hybrid Ransomware: Explained, Explored and Security Tips

hybrid ransomware attack Asian women

This post will discuss Hybrid Ransomware and Ransomware in general and share some best practices and information around decrypting encrypted data.

Ransomware is a favourite of Cybercriminals, and Ransomware attacks are on the rise. A recent cyber threat analysis by Deep Instinct observed that malware attacks increased by 358% overall in 2020, and Ransomware increased by 435% compared to 2019.

In the last few months, we have also observed a trend where threat actors are playing smart by double attacking/extorting the victim. As a result, Ransomware is evolving into Hybrid Leakware-Ransomware. This trend is led by Maze, Ravil (Sodinokibi), Snatch, and many more players. Additionally, Ransomware is growing as a SAAS model where Cybercriminals are selling their services to novice attackers for the malware and negotiations and transfer of the Ransom money.

What is Ransomware?

Ransomware is a modern malware that restricts (encrypts) user access to the system resources like the personal files or the entire system and demands a ransom to give the access back. The modus of these payments are typically cryptocurrency or credit cards.

Most of the Ransomware is operated by groups of Cybercriminals, including computer programmers.

What is a Hybrid Ransomware Attack?

A Hybrid Ransomware attack is part of a more sophisticated attack and usually involves more than one malware or even legit IT remote tools. Once the malware payload is delivered, and backchannel communication is established, the attacker targets servers, stops all database processes, copies the backup, and then deploys the Ransomware.

This gives dual leverage to the attackers, as firstly, they try to extort the money for decrypting the data. Second, regardless of the response or if the Ransomware removal is done, they can re-victimize the victim and blackmail again by threatening to leak the information.

History of Ransomware

First Ransomware attack occurred in 1989. Joseph Popp, Ph.D., and an AIDS researcher triggered the attack by distributing floppy disks to more than 20,000 AIDS researchers spanning more than 90 countries to carry out the attack. He claimed that the disks contained a program to analyze the risk of acquiring AIDS using a questionnaire.

However, the disk also had a malware program that initially remained dormant in systems and only activated once the user switched the computer on 90 times. The malware once executed, displayed a message demanding a payment of $189 and $378. This attack is known as the AIDS Trojan, aka PC Cyborg attack.

After the first known attack in 1989, not many similar attacks were observed until the mid-2000s, when the Ransomware attacks started using sophisticated and complex encryption algorithms like RSA. At the time, malware TROJ.RANSOM.A, Gpcode, Krotten, Cryzip, and MayArchive were gaining prominence.

The Internet made it easier to carry out Popp’s idea; Cybercriminals started to realize that they can monetize Ransomware on a large scale.

In 2006, Cybercriminals started using more sophisticated asymmetric RSA encryption.

Starting in 2011, Ransomware became a menace, and gradually more advanced Ransomware and services began pouring in. Subsequently, in late 2019, Maze ransomware emerged as the case of the first high-profile Hybrid Ransomware attack (double extortion). Then, many other strains soon followed. The REvil (Sodinokibi) attack on Travelex is worth mentioning, which pretty much crippled foreign exchange company Travelex on the final day of that year.

By mid-2020, hundreds of organizations fell victim to these double extortion attacks, several websites on the darknet were leaking organization’s data, and the Ransomware-as-a-Service (RAAS) business was booming.

Is Ransomware a Virus?

While both of them are malware, they are pretty different from each other. For example, viruses typically attach themselves to a file and then replicate themselves to cause damage. However, Ransomware uses cryptoviral extortion. 

Also, the end goal of a virus is typically to cause damage, but for Ransomware, it’s extortion that makes attackers go after a high-value target. So Ransomware is not a virus.

What are the types of Ransomware?

Although there are a lot of different strains of Ransomware, we can broadly categorize them into two main types:

1. Crypto Ransomware

Crypto Ransomware encrypts the valuable files on a system and makes them unusable but does not interfere with essential computer functions. Cybercriminals who leverage crypto-ransomware attacks get the money by holding the files to ransom and demanding the victim to pay a ransom to recover their files.

This spreads panic in Victims since they can see the files but can not access them. Crypto developers also often add a countdown with their ransom demand. Due to the number of users unaware of the need for backup in the cloud or on external storage devices, Crypto-Ransomware often has a devastating impact. Eventually, many victims pay the ransom to get their files back.

2. Locker Ransomware

Locker ransomware does not encrypt files like Crypto-Ransomware; it goes one step ahead and locks the victim out of their device, blocking essential computer functions.  In Locker Ransomware attacks, cybercriminals will ask for a ransom to unlock the device.

Locker Ransomware doesn’t usually encrypt or target critical files; it just wants to lock you out. So the good news is that destruction of your data is unlikely in this case.

What is Ransomware as a Service (RAAS)?

Cybercriminals offer Ransomware on lease to affiliates whose role may typically be limited to gaining access to the compromised network. Then the Ransomware Gang can handle the attack as well as the negotiations.

These services are commonly available now over Darknet, and they make it easy for even someone who does not have a piece of advanced tech knowledge.

Which platforms are most vulnerable to Ransomware?

While windows are the most vulnerable, having a different platform does not mean that you are entirely safe. The next most vulnerable platform is Android, where we observed Ransomware like MalLocker.B.

We saw examples of Ransomware designed for MAC like Keranger and ThiefQuest/ElilQuest, though they have not resulted in any severe outbreaks yet. For Linux, we have seen the likes of RansomExx and Tycoon,  but without any severe damage.

How does Ransomware attack?

Ransomware is a modern malware and can have multiple means of attacking with the use of social engineering. However, the following are the two most popular methods.

Malspam is an unsolicited email that may come with an attachment and manipulate the end-users to open it, e.g., by morphing as a law enforcement agency or your board member/CEO.  A significant number of Ransomware attacks start with Malspam. 

Malvertising or Malicious ads are another way. The interesting thing here is that you might be browsing a legitimate website, and without any action or click from their end, the users can be redirected to a malicious server. These servers allow the attacker to index detailed information about the user location, OS, vulnerabilities, etc., and an attacker can find the right malware to get his way and eventually push Ransomware.   

How to remove the Ransomware?

Ransomware removal will mostly depend on the level of damage caused, but even after Ransomware removal, you may not claim the encrypted data back. 

If attacked by Ransomware, you can first try to remove the infection by using any leading anti-malware solution. Then, once the system is clean, you can check out the No More Ransom Project. This project is a collaboration by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky, and McAfee to help victims of Ransomware retrieve their encrypted data without having to pay the criminals.

Is paying Ransom a good idea?

While it solely is the decision with the individual or the organization attacked as there might be some compelling reasons behind that. However, better be prepared that you may still not get all the data back.  

Industries and people sensitive to any downtime are more inclined to pay a relatively low ransom to make the problem go away. Sectors like healthcare, Pharma, or other medical organizations are some of them, making these industries a primary target. 

Sophos recently released the “Annual Ransomware Survey,” which included 5,400 IT decision-makers from across 30 countries with some interesting insights. 

A total of 357 respondents reported that their organization paid the ransom, but only 8% got all their data back. 

So what attackers do not tell when issuing ransom demands is that even if you pay the ransom, your chances of getting all your data back are pretty slim. On average, organizations that paid the ransom got back just 65% of the encrypted files, leaving over one-third of their data inaccessible. In addition, 29% of respondents reported that 50% or less of their files were restored, and only 8% got all their data back. 

While Colonial Pipeline reportedly paid around $5 million worth of Bitcoins. According to Bloomberg, the decryption utility was so slow that they ended up using their backups to restore operations anyway.

Also, it is worth considering that RAAS (Ransomware as a Service) is evolving and getting more prominent as an industry, feeding over the ransom paid and the popularity. In turn, this will attract more young people looking to make a quick buck and will push them into a darker path to Cybercrime.

How to prevent Ransomware attacks?

Educating the employees around cybersecurity best practices can help significantly reduce the risk of a Ransomware attack. We assume that you are already using a good antimalware solution on your system. Following are some of the important points to help enhance your protection:

1. Do not open suspicious email attachments

Malspam and phishing is the primary source of Ransomware. Be extra cautious if the email has an attachment and avoid opening any suspicious attachments. Pay close attention to the sender and validate that the address is correct to make sure that you can trust the message.

Never open any attachments that prompt you to run macros. If the attachment has malware, opening it will execute a malicious macro, opening a backdoor and letting the malware get control of your system.

2. Do not follow unsafe links

Avoid clicking on any links in spam messages or over unknown websites. If you click on a malicious link, an automatic download could be started, which can infect and compromise your system.

3. Do not disclose your personal information

If you receive a text message, email, or a call from any untrusted source asking for personal information, do not fall prey to that. Since it may be Cybercriminals doing their homework and collecting personal information before a ransomware attack.

Subsequently, Attackers will use this information to tailor phishing messages for you. If you are in any doubt if the message is legitimate, contact the sender directly using a different communication mode.

4. Do not use untrusted USB sticks

Do not connect USB sticks or any other storage media to your system if you do not know where it came from. Cybercriminals typically infect the storage medium and place it in a public place to lure the victim into using it.

5. Keep your programs and operating system updated

Regularly update your operating systems and software versions. This will help to protect you from malware by patching any vulnerabilities and make it difficult for Cybercriminals to abuse or exploit vulnerabilities in your system.

6. Use only trusted download sources

To minimize the risk of downloading malware, never download software or any media files from unknown sites. Always rely only on verified and trusted sites for downloads. Make sure that the webpage you are visiting uses “HTTPS” and not “HTTP”.

A lock symbol or shield in the address bar should also indicate that the page is secure. Be very cautious when downloading any software to your mobile device. Only trust the Apple App Store or Google Play Store, depending on your device.

7. Use a VPN service on public wifi networks

Attackers seldom abuse public wifi networks, and if you are using a public wifi network, your system is more vulnerable to attacks. Avoid using public wifi for any sensitive transactions or alternately use a secure VPN service to stay protected.

Ransomware attacks can have different appearances, and they come in all shapes and sizes. Avoid using legacy devices in your network as they come with many disadvantages. If you would like to know more about the threats posed by legacy devices and systems, please refer to this post

Backing up data regularly on external storage (Physical or Cloud) and proper use of security software will help reduce the chances and intensity of a Ransomware attack.