How Ransomware Works: WanaCrypt0r, Petya & NotPetya

Ransomware is a hot topic right now. It’s continuously in the news, and no organisation is immune from a cyber attack. In 2016 alone, over $75 billion in lost productivity was reported. And more recently, we’ve seen the biggest worldwide attacks of ransomware so far with WanaCrypt0r, Petya, and NotPetya (which has now increased its ransom significantly to $340,000).

These more recent attacks started in Europe, but quickly became just as widespread causing issues among several well-known local and loved brands:

Bega Cheese – Vegemite Takeover Delay
Cadbury Chocolate Factory Hit by Ransomware
Boutique Victorian Law Firm
FedEx’s TNT Affected – Australian Deliveries ‘in Limbo’

Whilst these above cases made it to the news, many go unreported…

Why Ransomware Attacks are Successful

Considering its growing prevalence, it’s important for businesses to understand how ransomware works:

Businesses pay IT professionals to protect their networks from intrusion. There are many measures that can be taken to prevent outside intruders, including (but certainly not limited to) implementing email protection and blocking unknown IP addresses inbound to their firewalls.

But what if the intruder is simply allowed to come in?

Much like Dracula needs to be allowed into someone’s home – ransomware thieves take advantage of ill-informed users that click or download something they think is legitimate, to gain access to the network and the data that exists on the network. Despite the growing awareness of ransomware and its risks, even cautious end users can be tricked into clicking on things.

How Ransomware Works

While there are many variants in existence, the generic process for ransomware is as follows:

  1. A user clicks on a link that seems legitimate, but is actually a phishing email with embedded ransomware.
  2. A program downloads and runs in the background.
  3. The program calls home to get the encryption algorithm.
  4. The program encrypts “important” files like docx, xlsx, pdf, jpg, etc. on the computer and or network shares.
  5. The threat pops up to the user in a window on their desktop.
  6. The threat states that they have X amount of time before the encryption key is deleted and their data is lost forever, known as an extortion attack. (An additional type of attack is called Leakware, where data is threatened to be published to the Dark Web after some time expiration.)
  7. The threat then states that for a nominal fee of N number of bitcoins (a thief’s payment of choice) the data can be decrypted.
  8. Usually, there is a customer service number or email to help with the transaction.

The worst part about WanaCrypt0r was that people didn’t even HAVE to click on an infected email. The thieves used a ransomware variant of WannaCry, which uses a SAMBA exploit in Windows called EternalBlue. Microsoft added a patch for the exploit, but there are hundreds of thousands (if not millions) of Windows machines without the patch. That allowed thieves to remotely attach ransomware into a network, and then infect as many of the computers that it could reach (even the ones that are patched).

Before you get infected, protect yourself with a backup and recovery solution. Having a recovery solution is the #1 way to protect against ransomware. If you don’t have a backup and recovery solution for your business, contact us to see how we can help protect your data from ransomware and future cyber attacks.


Related Posts