Ransomware is a type of malicious program, or malware, that encrypts files, documents and images on a computer or server so that users cannot access the data.
Ransomware is the most feared cybersecurity threat and with good reason: Its ability to cripple organizations by locking their data is a threat like no other.
Knowing what ransomware is and how it works is essential for protecting against and responding to such attacks. We’ll delve into what you need to know so you can begin to protect yourself against ransomware attacks.
For readers coming to this article in a ransomware emergency, see How to Recover From a Ransomware Attack.
How Does Ransomware Work?
By encrypting data on devices, a ransomware attack leaves victims with few choices:
- They can try to regain access to the encrypted files, databases and applications by paying a ransom, although encryption keys provided by cyber attackers often don’t work
- They can hope to find a decryption key that does work
- Or they can try to restore data from backups and hope that attackers haven’t also encrypted that data
Ransomware relies on asymmetric encryption, in which a pair of cryptographic keys encodes and decodes data. The keys are held by the attacker, and the encrypted data can only be decrypted with the private key, which is given to the target only after the payment is made. Occasionally cybersecurity officials and researchers obtain the keys or crack the encryption code and make the keys freely available, but ransomware groups will typically respond by quickly changing their encryption approach to render the keys worthless.
There are several methods of delivering ransomware attacks. Whether deployed by ransomware groups or by individuals via ransomware as a service (RaaS), the most common method of ransomware deployment is a phishing email. The victim is sent an email with an attachment or link, and once they click on it, the malware file downloads. The malware establishes itself on the endpoint and installs a malicious binary on the system, encrypting everything from valuable database files to images and office documents. It may also replicate across networks and systems to infect other machines. Often you can retrieve your data only by paying a ransom to the attacker.
The malware can also spread via chat messages, USB drives, or browser plugins.
What Is a Double Extortion Ransomware Attack?
Double extortion ransomware is an attack where the hackers exfiltrate the victim’s sensitive information and threaten to release it, gaining added leverage to force a victim to pay the ransom. While a typical ransomware attack just encrypts the data, exfiltration raises the risk by threatening to make sensitive data public.
During a double extortion attack, a ransomware operator acquires control of the victim network through established threat vectors, then locates high-value assets, encrypts the data and exfiltrates it. If the victim doesn’t pay the ransom, the attackers resort to blackmail, threatening to publish the sensitive information online.
More recently, some threat groups have begun to add data destruction to their arsenal to raise the stakes even further, and DDoS attacks have also been threatened as a means of getting organizations to pay ransoms.
What is Ransomware as a Service?
Ransomware as a Service (RaaS) allows less technically capable hackers to launch ransomware attacks by paying to use a threat group’s ransomware. This arrangement lowers the bar for threat actors wishing to enter the ransomware space and allows ransomware groups to increase their income by renting out the ransomware they’ve developed without having to launch the attack themselves.
Even non-technical hackers can purchase the malware, infect systems and networks, and pay the developer a portion of the ransom they collect.
The developer has fewer risks, and the buyer does all of the work. Some RaaS offerings are sold by subscription, while others require registration to gain access. But regardless of how it’s done, RaaS has dramatically expanded the ransomware threat.
Notable Ransomware Attacks
CryptoLocker ushered in the modern ransomware age in 2013, and in 2017, the devastating WannaCry and NotPetya ransomware attacks raised the threat’s profile significantly.
One attack in particular thrust ransomware into the spotlight as never before: the May 2021 Colonial Pipeline attack. The pipeline carried around 45% of the U.S. East Coast gasoline supply, and the attack nearly shut down the southeastern U.S. before it was resolved. The DarkSide ransomware group also took 100GB of data, forcing the company to pay $5 million in bitcoin to regain access to and control of its services.
Ransomware attacks followed on Ireland’s Health Service Executive System and meat processing giant JBS Foods, and then in July 2021, IT service management company Kaseya had a number of its downstream customers targeted by ransomware in a software supply chain attack. The culprit in both the JBS and Kaseya attacks was the REvil ransomware gang.
In late 2022, Rackspace became a ransomware victim in one of the biggest cyberattacks ever suffered by a major cloud services vendor.
Ransomware attacks doubled in 2021 and now number roughly 500 million a year, according to SonicWall. About the only good news is attacks declined 21% last year as fewer victims paid the ransom demands.
7 Major Ransomware Groups
The most active ransomware gangs shift as groups go into hiatus and change structure, but here are some of the most active ransomware groups today.
LockBit
This RaaS group has been the most active ransomware group over the last year. LockBit uses a double extortion method and was responsible for roughly 40% of ransomware attacks in the first few months of 2022. Some companies it has attacked are Bridgestone America and French Thales Group.
Hive
Hive attacked the Costa Rica Social Security Fund, Missouri Delta Medical Center, and Memorial Health System in Ohio. Hive functions as RaaS and uses the double extortion method.
AlphV (Black Cat)
AlphV works as RaaS and uses a double extortion approach. It was the first gang to use the Rust programming language. It has attacked several elite organizations such as Swissport airline, Moncler, and Austrian Federal State Carinthia.
Lapsus$
This hacking group is famous for using an extortion and destruction approach without deploying ransomware payloads. Lapsus$ recently hacked software company Globant, whose primary clientele includes Google and Disney. Lapsus$ was responsible for a destructive run of cyber attacks in early 2022, hitting some high-profile tech companies.
Conti
Around 20% of attacks in early 2022 were from Conti, the group behind the 2021 Irish health services attack. Conti uses a double extortion method and a multithreading system. The group was involved in some high-profile ransomware attacks, including JVCKenwood and the City of Tulsa.
Black Basta
Formed by former members of Conti and REvil, Black Basta’s victims have included the American Dental Association and AGCO. Black Basta uses a double-extortion RaaS model with the added threat of DDoS attacks.
REvil
And never count out REvil, which has gone in and out of business a number of times, resurfacing again in May 2022.
What Are the Odds of Getting Hit by Ransomware?
The short answer is that the odds of an organization getting hit by ransomware are pretty high. About two-thirds of organizations have been hit by ransomware in each of the last three years, according to Proofpoint.
There are, however, some industries at higher risk than others. Financial firms are a favorite target, not surprisingly. Education, government, energy and manufacturing are others.
Cyber criminals have learned that it is not only businesses that make soft targets for the attacks. Hospitals and healthcare organizations are being infected by ransomware, with predictably dire results.
Hospitals cannot afford to compromise patient information and thus are viewed as more likely to pay the ransom. Similarly, the education sector has also become a soft target for ransomware. Even small and midsize businesses (SMBs) have become targets because of their lack of cybersecurity measures.
Here are some factors attackers look for when assessing potential ransomware targets:
- Valuable data: The first thing a ransomware attacker considers is the significance of a company’s data. If they can encrypt essential or sensitive data, the company will likely pay a higher ransom.
- Lack of efficient cybersecurity infrastructure: Ransomware attackers target companies with limited cybersecurity measures. SMBs are more likely to fall into this trap, as large corporations have extensive security. Companies new to cybersecurity may fall victim to RaaS attacks because they don’t have sufficient infrastructure to deal with them.
- Money: An attacker looks for wealthier companies that can pay a substantial ransom.
- High damage potential: Apart from financial motivation, hackers may aim to cause as much damage as possible, typically in state-sponsored attacks. Supply chain companies are primarily at risk. If you offer IT services to many companies, you could be a soft target, as a single ransomware attack can lead to widespread damage.
These are some points cyber criminals look at when planning ransomware attacks. To keep from becoming a ransomware victim, there are steps you need to take.
Companies can prevent ransomware attacks, or at least limit their damage, through security and IT best practices.
Cybersecurity best practices can also stop and prevent ransomware attacks:
- Endpoint security: Antivirus and EDR tools offer good protection against malware in general and are a cornerstone cybersecurity technology. Tools like network access control (NAC) can also keep insecure devices from connecting to your network.
- Multifactor authentication (MFA) can protect critical applications and devices, as can zero trust security principles.
- Email and web gateways can help protect an organization when employees click on malicious links and downloads, but strong end user training could potentially keep them from clicking on those things in the first place. For email security, use an efficient spam filter with cloud-based intelligence, and implement sender authentication tools such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
- Manage desktop extensions: Change the Windows default setting so that file extensions are shown. Train employees on .exe and other malicious file types that should never be downloaded.
- Patching and maintenance: Attackers are looking to take advantage of vulnerabilities in all possible ways. Make sure your IT team promptly patches hardware and software vulnerabilities and executes mitigation measures to secure your software and devices.
- Scanning for vulnerabilities is another best practice for limiting your attack surface.
Best Practices for Limiting Ransomware Damage
Some best practices to limit the damage of a ransomware attack and speed recovery include:
- Data encryption: A common tactic in most ransomware attacks is data exfiltration, used to extort companies by threatening to release their data to the public or their competitors. It can be stopped by encrypting your company’s sensitive data so it can’t be released. But make sure you manage the encryption keys well.
- Ransomware-proof backups: You can limit the damage caused by ransomware by maintaining an effective backup and disaster recovery plan. Ransomware attacks usually damage backups, so you should keep at least one backup version offline and out of reach of the network.
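The following added example (not from the original article) shows one way to check that a backup copy has not itself been encrypted or altered before restoring from it. It assumes a SHA-256 manifest was recorded at backup time and stored offline; the function names, file names and the 7.5 bits-per-byte entropy threshold are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_manifest(root):
    """Map each file under root to its SHA-256. Store the result offline."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def verify_backup(root, manifest, threshold=7.5):
    """Check a backup tree against its manifest before restoring from it."""
    report = {"missing": [], "changed": [], "likely_encrypted": []}
    for rel, digest in sorted(manifest.items()):
        path = Path(root, rel)
        if not path.is_file():
            report["missing"].append(rel)  # deleted, or renamed with a new extension
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            # High entropy on a file that no longer matches suggests encryption.
            kind = "likely_encrypted" if entropy(data) >= threshold else "changed"
            report[kind].append(rel)
    return report

def demo():
    """Constructed scenario: back up three files, then tamper with the copy."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ledger.csv", "notes.txt", "plan.txt"):
            Path(root, name).write_text("constructed sample row, 2023\n" * 300)
        manifest = build_manifest(root)
        Path(root, "ledger.csv").write_bytes(os.urandom(8192))  # stands in for encryption
        Path(root, "notes.txt").unlink()
        Path(root, "plan.txt").write_text("edited by hand\n")
        return verify_backup(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Because the entropy test is applied only to files whose hash no longer matches, compressed formats that are naturally high in entropy are not flagged while they remain unchanged.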
Ransomware Response Best Practices
Once a ransomware attack has been recognized, the incident response team will have limited time to contain the attack. A reliable backup is the quickest way to recover from a ransomware attack, but proper response and investigation will help.
- Incident response: All organizations need an incident response plan and access to tools and services. The response plan should include plans for prompt action, such as isolating endpoints to prevent ransomware from spreading across the network, and shutting down or disconnecting devices to avoid larger attacks.
- Forensic evaluation: Any ransomware attack needs proper investigation, including checking the entry point and data exfiltrated and corrupted as well as the damage that occurred, along with an analysis of the ransomware variant to see if there are available decryption keys. After the investigation, the company confirms that the attack has been contained.
Ransomware Recovery Best Practices
After containing the ransomware attack, you can initiate the recovery process.
- Version restore: Some ransomware threats leave the system’s stored versions intact, allowing your recovery team to switch to a previous version.
- Backup restore: If you have a good data backup, you can choose this route, as it is the quickest to execute.
- Decryption trials: Companies with no backup can try to decrypt the data; however, this option doesn’t have a good success rate.
Ransomware recovery resources:
- How to Recover From a Ransomware Attack
- Best Ransomware Removal Tools
- Best Ransomware Removal and Recovery Services
- How to Decrypt Ransomware Files – And What to Do When That Fails
Should I Pay the Ransom?
The big question here is whether a company facing disruption and loss from ransomware should pay the ransom or not. In a few situations, it may appear that the only option left to prevent business damage is making the payment.
However, more companies have been refusing to pay ransom demands, in part because decryption keys provided by ransomware groups often don’t work and data has already been damaged. Security officials typically caution victims not to pay, in part to discourage attackers.
And companies that pay the ransom face a higher risk of repeat attacks, so there aren’t a lot of good reasons to pay.
If you have a cyber insurer, they will have their own processes for responding to any cyber attack.
History of Ransomware
While ransomware has gained notoriety in the last few years, it is not new. The first ransomware attack took place in 1989. Hackers sent the virus, called the AIDS or PC Cyborg Trojan, to people, usually in the healthcare industry, on a floppy disk.
The ransomware counted the number of times the PC was booted, and when the count hit 90, it encrypted the device and its files, demanding that the user renew their license with PC Cyborg Corporation by sending a sum of $189 or $378 to a P.O. Box in Panama.
Evolution of ransomware
Early ransomware involved basic cryptography, which only changed the file names, making it simpler to overcome. As the malware advanced, hackers moved to stronger cryptography that doesn’t just change a file’s name but also turns its content into gibberish.
A successful variation was police ransomware, which extorted victims by claiming the PC had been encrypted by law enforcement. The screen was locked with a ransom note warning users that they would go to jail for committing illegal online activity.
However, if they paid the fine, the note said police would allow the infringement to slide and re-grant them access to the computer by providing the decryption key. The attack had nothing to do with law enforcement, and was just hackers exploiting people.
Bottom Line: Getting On Top of the Ransomware Threat
Ransomware is a uniquely malicious cyber threat that’s worth the investment it takes to stop it. The good news is that any of the steps you can take to reduce the threat of ransomware will help you with security and compliance issues in general.
Two ransomware protections in particular stand out. Encrypting sensitive data is a good way to prevent extortion threats, and ransomware-proof backup isn’t easy to get right, but nothing will get your business back up and running faster.
Stay on top of evolving cyber threats, of course, but strong ransomware defenses and preparation will give you good protection against a wide range of threats.