Ransomware is a subset of malware that locks the data on a victim's computer, usually by encrypting it, and demands payment before the data is unlocked and the victim regains access. Ransomware attacks are almost always financially motivated, and unlike most other kinds of attack, the victim is deliberately told that they have been compromised and given instructions on how to pay and recover. Payment is usually demanded in a virtual currency such as bitcoin, which makes the criminal harder to identify and the funds harder to trace.
Ransomware can be delivered through malicious email attachments, trojanized software, infected external storage devices, compromised websites, and remote-access services protected by weak passwords.
According to the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN), the average monthly value of suspected ransomware-related transactions reported in 2021 was over $66 million, which works out to more than $2.2 million per day. More startling still is the prediction that ransomware damage costs alone will reach $265 billion by 2031. Figures of this size underline that ransomware, and its many knock-on consequences, cannot be contained by technical precautions alone.
Types of Ransomware
- Encrypting ransomware: The ransomware systematically encrypts the files on the victim's disk so that they cannot be recovered without the decryption key, which the attacker sells for the ransom. Payment has been demanded in prepaid debit cards, Bitcoin, MoneyPak, PaySafeCard, or Ukash.
- Screen lockers: Lockers prevent you from using your computer or system at all, making your files and programs unavailable. The ransom demand is shown on a lock screen, often with a countdown clock to create a sense of urgency and push victims to pay.
- Scareware: Scareware uses pop-up windows to convince users that their machine is infected and instructs them to download fake "removal" software, which is itself malicious or demands payment for a bogus cleanup.
- Doxware (also called leakware): The attacker threatens to publish the victim's stolen data online unless a ransom is paid.
- Master boot record ransomware: This variant overwrites the master boot record so that the machine boots into the ransom note instead of the operating system; some strains go on to encrypt the file system tables or the entire disk rather than just the user's personal files.
- Mobile ransomware: This variant targets phones and tablets. It may lock the device, steal data from it, or both, and then demand payment to unlock the device or return the data.
What Causes Ransomware to Spread?
Ransomware and its variants evolve quickly to defeat protective measures, for several reasons:
- Malware creation kits are readily available and can be used to produce fresh samples quickly.
- Cross-platform ransomware is built on well-known, trusted generic interpreters (Ransom32, for example, is a Node.js application with a JavaScript payload), and novel techniques such as encrypting the whole drive rather than selected files are adopted quickly.
- Today's criminals do not even need technical skill. Online ransomware-as-a-service markets supply ready-made strains to any would-be extortionist, and the developers earn extra revenue by taking a cut of each ransom paid.
Financial Red Flag Indicators of Ransomware
When FinCEN publishes an advisory, financial institutions must understand what it means for their suspicious activity monitoring and reporting procedures. FinCEN has identified the following financial red flags of ransomware-related illicit activity, which can be used to train front-line staff as well as AML and fraud investigators:
- A financial institution or its customer detects IT activity matching ransomware indicators of compromise or known cyber threat actors. Such activity may show up in system log files, network traffic, or file data.
- When opening a new account or during other contact with the financial institution, the customer provides information indicating that a payment is in response to a ransomware incident.
- A customer's CVC (convertible virtual currency) address, or an address the customer transacts with, is linked to ransomware variants, ransom payments, or related activity. Such links can often be found through open-source searches.
- An unusual transaction occurs between an organization, especially one from a sector frequently targeted by ransomware (e.g., government, financial, education, or healthcare), and a customer, especially one known to facilitate ransomware payments.
- A customer receives a payment from a counterparty and promptly sends a similar amount on to a CVC exchange.
- A customer shows little awareness of CVC during onboarding or earlier contact with the financial institution, but then asks about or buys CVC (especially a large amount, or in a hurry), which may suggest the customer is a ransomware victim.
- A customer with no or limited CVC transaction history sends a large CVC transaction, especially one outside the company's normal business pattern.
- A customer that has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the exchange's liquidity to execute a large number of offsetting transactions between different CVCs, which may indicate that it is operating as an unregistered money services business (MSB).
- A customer uses a CVC exchanger located in a high-risk jurisdiction with no, or known to be weak, AML/CFT regulation of CVC businesses.
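Three of the red flags above (a payment that is promptly forwarded to a CVC exchange, a large CVC transfer from a customer with little CVC history, and a counterparty address already linked to ransomware) can be expressed as transaction-monitoring rules. The Python below is an added example written for this page; it is not FinCEN's or Sanction Scanner's code. The transaction records, the thresholds (24-hour window, 10% amount tolerance, $50,000 "large" transfer, fewer than three prior CVC transactions), and the watchlist address are all constructed for illustration.

```python
"""Toy transaction-monitoring rules for three FinCEN ransomware red flags.
All records, thresholds and addresses below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    ts: datetime
    direction: str          # "in" = received by customer, "out" = sent by customer
    amount_usd: float       # value in USD at the time of the transaction
    asset: str              # "USD" or a CVC ticker such as "BTC"
    counterparty: str       # account name, or a CVC address for on-chain transfers
    counterparty_type: str  # "bank", "cvc_exchange" or "cvc_address"


# Tunable thresholds (assumed values chosen for this example, not from the advisory)
PASS_THROUGH_WINDOW = timedelta(hours=24)
PASS_THROUGH_TOLERANCE = 0.10   # outgoing amount within +/-10% of the incoming one
LARGE_CVC_USD = 50_000
CVC_HISTORY_MIN = 3             # fewer prior CVC transactions than this = "limited history"


def _is_cvc(t: Txn) -> bool:
    return t.asset != "USD"


def rule_pass_through(txns):
    """Red flag: a customer receives a payment and, within the window, sends a
    similar amount on to a CVC exchange. Alerts are raised on the outgoing leg."""
    alerts = []
    incoming = [t for t in txns if t.direction == "in"]
    outgoing = [t for t in txns if t.direction == "out" and t.counterparty_type == "cvc_exchange"]
    for i in incoming:
        for o in outgoing:
            if o.customer != i.customer or not (i.ts < o.ts <= i.ts + PASS_THROUGH_WINDOW):
                continue
            if abs(o.amount_usd - i.amount_usd) <= PASS_THROUGH_TOLERANCE * i.amount_usd:
                alerts.append(("pass_through_to_cvc_exchange", o.txn_id, f"mirrors {i.txn_id}"))
    return alerts


def rule_first_large_cvc(txns):
    """Red flag: a customer with no or limited CVC history sends a large CVC transaction.
    History is counted chronologically, so only transactions before the one under
    review are considered."""
    alerts = []
    prior_cvc = {}
    for t in sorted(txns, key=lambda t: t.ts):
        history = prior_cvc.setdefault(t.customer, 0)
        if t.direction == "out" and _is_cvc(t) and t.amount_usd >= LARGE_CVC_USD and history < CVC_HISTORY_MIN:
            alerts.append(("large_cvc_with_limited_history", t.txn_id, f"{history} prior CVC txns"))
        if _is_cvc(t):
            prior_cvc[t.customer] = history + 1
    return alerts


def rule_watchlisted_address(txns, watchlist):
    """Red flag: the counterparty CVC address is linked to known ransomware activity."""
    return [("counterparty_on_ransomware_watchlist", t.txn_id, t.counterparty)
            for t in txns if t.counterparty_type == "cvc_address" and t.counterparty in watchlist]


def run_rules(txns, watchlist):
    """Run all rules and return (rule, txn_id, detail) alerts in a stable order."""
    alerts = rule_pass_through(txns) + rule_first_large_cvc(txns) + rule_watchlisted_address(txns, watchlist)
    return sorted(alerts)


# Constructed sample ledger (fictitious customers, counterparties and amounts)
T = datetime
SAMPLE_TXNS = [
    # c001: a hospital pays in, and almost the same amount leaves for an exchange six hours later
    Txn("t1", "c001", T(2022, 3, 1, 9, 0), "in", 150_000, "USD", "Example Regional Hospital", "bank"),
    Txn("t2", "c001", T(2022, 3, 1, 15, 0), "out", 148_000, "BTC", "ExampleCoin Exchange", "cvc_exchange"),
    # c002: a trading desk with a steady CVC history makes a large but routine transfer
    Txn("t3", "c002", T(2022, 1, 10), "out", 2_000, "BTC", "ExampleCoin Exchange", "cvc_exchange"),
    Txn("t4", "c002", T(2022, 1, 24), "out", 2_000, "ETH", "ExampleCoin Exchange", "cvc_exchange"),
    Txn("t5", "c002", T(2022, 2, 7), "in", 2_500, "BTC", "ExampleCoin Exchange", "cvc_exchange"),
    Txn("t6", "c002", T(2022, 3, 5), "out", 60_000, "BTC", "ExampleCoin Exchange", "cvc_exchange"),
    # c003: a small payment straight to an address on the (constructed) watchlist
    Txn("t7", "c003", T(2022, 3, 6), "out", 500, "BTC", "bc1q-constructed-flagged-0001", "cvc_address"),
]
# Placeholder entry, not a real address; in practice this set is fed from threat intelligence
RANSOMWARE_ADDRESS_WATCHLIST = {"bc1q-constructed-flagged-0001"}

if __name__ == "__main__":
    for rule, txn_id, detail in run_rules(SAMPLE_TXNS, RANSOMWARE_ADDRESS_WATCHLIST):
        print(f"{rule:40s} {txn_id:4s} {detail}")
```

On the sample ledger, t2 trips two rules at once (it mirrors the hospital's payment and is c001's first-ever CVC transfer), t7 trips the watchlist rule, and c002's $60,000 transfer raises nothing because the customer already has three prior CVC transactions. Stacking alerts on one transaction is the useful signal here: each rule alone produces noise, while the combination is what an investigator would prioritize.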
A Couple of Cases of Ransomware
- Ultimate Kronos Group (UKG) suffered a ransomware attack on December 11, 2021, that took its hosted systems offline. Numerous customers' payroll and timekeeping systems were affected, and many were forced to pay staff by paper check. Affected clients included the cities of Cleveland, Ohio, and Springfield, Massachusetts, and the Metropolitan Transportation Authority of New York.
- Colonial Pipeline shut down its 5,500-mile pipeline, the largest fuel pipeline in the United States, on May 7, 2021, after ransomware infected the company's IT systems in a targeted attack by the DarkSide group. Although Colonial Pipeline believed none of its critical industrial control systems were affected, it halted operations as a precaution to keep the ransomware from spreading, and the shutdown caused fuel shortages along the U.S. East Coast.
- The city of Pensacola, Florida, was hit by ransomware in December 2019. Several city services were disrupted, including Pensacola Energy and Pensacola Sanitation Services, as well as customer service lines and online bill payment.
- The 2018 SamSam ransomware attack on the city of Atlanta began with brute-force attacks on weak passwords guarding exposed city systems. The applications residents used to pay bills and look up court records were shut down, exposing deep weaknesses in the city's infrastructure; large amounts of data were lost or corrupted, and recovery cost millions of dollars.
How to Protect Yourself From Ransomware
The following tips will help you avoid ransomware and minimize damage if you are attacked:
- Back up your data. The best protection against being locked out of your files is to keep backup copies of everything important, ideally both in the cloud and on an external drive that is disconnected when not in use. If ransomware does infect a computer or device, you can wipe it and restore from backup, and with your data safe you are under no pressure to pay. Backups do not stop ransomware, but they limit the damage.
- Secure your backups. Make sure backup data cannot be modified or deleted from the systems it protects. Ransomware routinely searches for backups and encrypts or deletes them so that nothing can be recovered; backup systems that do not allow direct access to backup files (offline copies, or immutable/write-once storage) defeat this.
- Use security software and keep it updated. Install comprehensive security software on every computer and device you own, and keep all of your software up to date: updates frequently include patches for the vulnerabilities that ransomware exploits to get in.
- Browse carefully. Where you click matters. Don't respond to emails or texts from strangers, and download software only from legitimate sites. Malware authors rely heavily on social engineering to persuade you to install malicious files yourself.
- Use only trusted networks. Avoid unsecured public Wi-Fi, where an attacker on the same network can snoop on your traffic; consider a VPN, which gives you an encrypted connection wherever you are.
- Run a security awareness program. Every employee in your company should receive regular security awareness training so they can recognize and avoid phishing and other social engineering attempts, and the training should be reinforced with periodic tests and phishing drills.
To manage the sanctions compliance risk attached to ransomware payments, businesses must make prompt decisions about customers and risk factors. That means collecting and analyzing large amounts of data to inform compliance processes before and during a possible ransomware incident, which in practice calls for an automated software platform integrated into the sanctions compliance workflow. Sanction Scanner provides tools used in the fight against ransomware and other kinds of financial crime as part of a next-generation risk management approach, giving enterprises a way to stay on top of customer activity and adapt quickly to emerging risks such as ransomware in a continually shifting sanctions and regulatory landscape.