What is ransomware?
Ransomware is a type of cyberattack in which malware infiltrates a computer system and encrypts the data or gains control of the computer. Hackers then demand that victims pay a ransom to get everything back. PCs and business computer systems alike are vulnerable to ransomware.
However, businesses have become the main target over the past few years: their networked systems tend to have unnoticed security vulnerabilities, they are more willing to pay ransoms to avoid lengthy downtime, and they offer the potential for much bigger payouts.
How does ransomware work?
To attack a system with ransomware, a hacker must first gain access to that system. Methods for gaining access have become quite sophisticated, including the use of zero-day and unpatched exploits.
Attacks often start with a phishing email, a malicious email attachment, an aggressive computer worm, a vulnerability exploit, a targeted attack or click-jacking (the practice of inserting alternate hyperlinks into legitimate clickable content).
Even if the system has antivirus installed, the ransomware might slip in undetected and cause file-level damage if the antivirus doesn’t have the malware’s signature in its definitions or isn’t scanning in real time. A networked computer also gives the ransomware access to other connected machines and storage devices.
There are two main types of ransomware: screen lockers and encryptors. Encryptors encrypt the system’s data and require a decryption key to restore it. Screen lockers prevent access to a computer system with a lock screen.
In both types of ransomware, a lock screen is typically used to notify the user that ransomware has taken over. It also includes the payment amount and information detailing how to recover access to the data or regain control of the system, usually through a decryption key or other code. The message often includes a warning that the data will be deleted or made public if payment isn’t received.
While attackers traditionally demanded ransom through gift cards, wire transfers or prepaid cash services, today’s payment of choice is largely Bitcoin and other cryptocurrencies. The problem is, paying the ransom isn’t a guarantee that a user or company will regain control of their data.
Today, most ransomware exfiltrates data before running the encryption process, which leads to a loss of data governance and to violations of regulations such as HIPAA or PCI. There’s no guarantee that data will be completely returned from a threat actor’s control, and sometimes attackers install even more malware on a system after they receive the ransom and release the data back to the organization.
Who is a target for ransomware?
Unfortunately, ransomware can target everything from home PCs to large-scale networked computer systems in global enterprises. Essentially, any internet-connected device is at risk.
While ransomware has affected businesses of all sizes across all industries and geographical locations, experts have noticed some patterns. Some industries are more at risk of ransomware attacks than others because of the massive volumes of sensitive data they hold or because of the blast radius an attack on them would have. The most targeted industries are typically banking and financial services, healthcare, manufacturing, energy and utilities, governmental agencies, and education.
How common is ransomware?
Ransomware is increasingly common as attack methods evolve and hackers find workarounds to defense measures. In fact, during the second quarter of 2021, ransomware attacks totaled 304.7 million (over 3 million attacks per day), and the FBI released a warning that 100 new ransomware strains are now circling the globe. Compare those 304.7 million attacks in a single three-month span to the 304.6 million ransomware attacks recorded in the entire year of 2020.
Here’s what other experts say:
- An IDC 2021 ransomware study found that approximately 37% of global organizations said they were the victim of some form of ransomware attack in 2021.
- The FBI’s Internet Crime Complaint Center reported that it received over 2,000 ransomware complaints in the first half of 2021. That number represents a 62% year-over-year increase.
- Some of the targets are also highly critical systems. According to the Cybersecurity and Infrastructure Security Agency, there were recent ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors.
- WannaCry – One of the most widely known ransomware systems today. It was an encrypting computer worm that was released in May 2017. Going by several other similar names (WannaCrypt, WCry, etc.), it targeted systems running outdated versions of Microsoft Windows. The worm infected about 200,000 computers in 150 countries and likely caused billions of dollars in damage.
- CryptoLocker – This encrypting trojan horse was active between 2013 and 2014. It spread through a malicious botnet and through infected email attachments posing as package tracking notifications. It was one of the first ransomware systems that required Bitcoin for payment.
- Petya – Part of a ransomware family that has been active since 2016, Petya corrupts the affected computer’s master boot record, deletes the Windows bootloader and forces a restart. When the system comes back on after the restart, the malware encrypts valuable data and Bitcoin is demanded as a ransom.
- NotPetya – Using similar tactics to Petya, this ransomware is considered one of the most damaging attacks. It also infects and encrypts a computer’s master boot record and spreads via a worm similar to WannaCry. Some experts call it a wiper because the ransomware can’t undo its changes to the system, so an attack essentially makes the system unrecoverable.
- Bad Rabbit – Discovered in late 2017, this ransomware spreads through a fake Adobe Flash update and encrypts a system’s file tables. It hit several major targets in Ukraine and Russia, including Odessa International Airport and Ukraine’s Ministry of Infrastructure.
- Locky – Released in 2016, this ransomware spread via an email about an unpaid invoice. When users opened the attachment, they saw a page full of gibberish headed by a link to “Enable macro if data encoding is incorrect.” If the link was clicked, an encryption trojan encrypted all files with a specific extension.
- REvil – This ransomware steals data before encrypting it so that even if victims don’t pay the ransom, attackers might still be able to blackmail them into paying by threatening to release their sensitive data.
The business impact from ransomware
Ransomware can impact a business in several critical ways. The first and most obvious effect is financial. According to the U.S. Treasury's Financial Crimes Enforcement Network, the first half of 2021 saw $590 million in expenditures related to ransomware. For all of the previous year, the agency reported just $416 million for the same costs. Even if a business doesn’t pay the ransom, it can still see significant financial losses due to loss of productivity and data.
Besides financial damage, ransomware can hurt a victim through damage to the business’s reputation if word gets out about the attack, or if the attacker releases sensitive or confidential data owned by the victim. Litigation around ransomware attacks can be expensive and also time-consuming, taking business employees away from their daily work. The National Health Service (NHS) in the United Kingdom serves as a stark example detailing over $100M USD in losses from cancelled appointments and downtime.
Industry-specific regulatory fines can also be catastrophic, adding substantially to the combined cost of the ransom and the recovery.
How to prevent ransomware
While there’s no way to prevent or defend against every type of ransomware 100% of the time, there are still many things a business can do to protect against ransomware and eliminate vulnerabilities that attackers look for. Here are some recommendations:
- Deploy defense-in-depth security. Multiple layers that protect your system end-to-end are a wise move to reduce the risk of ransomware as well as other cyberattacks.
- Educate personnel on ransomware and how it spreads. Make employees aware of the various ways attackers get into a system, including social engineering and presenting false documents and attachments that entice users to click on them.
- Monitor your systems and back data up frequently. Use monitoring tools to alert IT to unusual data access behavior and traffic. Also, keeping a copy of backups of your data, with at least one copy offsite, can help minimize risk of data loss.
- Stay on top of patching schedules. Because ransomware typically gets into a system through existing vulnerabilities, staying current on updates can help close off those points of entry.
- Develop and practice response strategies. Planning before you need it can help you respond quickly and efficiently to a ransomware attack. Preparing with a tabletop exercise also helps ensure that everyone in the organization knows what to do if an attack occurs.
- Keep email and web surfing safe. Email is a common way ransomware gets into a system. You can deploy secure email gateways that identify and block potentially dangerous emails and protect against suspicious attachments and URLs. Similarly, web gateways can monitor online traffic to detect suspicious ads or links.
- Protect mobile devices. Some mobile device management solutions can alert users to potentially malicious applications or messages received over a mobile device.
- Limit administrative privileges. Make sure you know who has admin access and be sure to revoke access and privileges when employees leave the company.
- Whitelist applications. This practice can reduce risks by allowing predetermined applications to run on a device or computer while blocking others that haven’t been specifically authorized. It can help IT eliminate installations by unauthorized users and block malicious attempts to run malware code.
- Adopt and implement a Zero Trust strategy and architecture. Zero Trust provides a framework of controls around the concept of “never trust, always verify.” This perimeterless concept means that devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified.
- Separate application networks with managed microsegmentation. Microsegmentation applies a security policy model at the application, VM or data level to control network traffic to and from your workloads. Using what’s called a managed software firewall, the policies implemented by a microsegmentation solution ensure that only the traffic you intend can reach a given application, without increasing unwanted network risk.
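The monitoring recommendation above (“alert IT to unusual data access behavior”) is usually implemented as a burst heuristic over file-audit telemetry: one account renaming many files to a new extension, across several directories, in a short window. The script below is an added example written for this article, not code from the original page or any vendor; the log line format and the threshold values are constructed assumptions, so adapt `parse_event()` and the tunables to your own audit source (Windows file auditing, auditd, NAS access logs or EDR file events).

```python
"""Burst detector for ransomware-like file activity over file-audit events.

Added example, not from the original article. The log format and the
thresholds below are assumptions; tune them to your environment's baseline.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import os
import re

# Tunables (assumed values, not a published baseline).
WINDOW = timedelta(seconds=60)    # sliding window per (user, host)
RENAME_THRESHOLD = 20             # extension-changing renames inside WINDOW
DISTINCT_DIRS_THRESHOLD = 3       # spread across this many directories

# Constructed audit line format:
# <iso-timestamp> <host> user=<name> action=<RENAME|WRITE|...> path=<p> [new=<p2>]
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def parse_event(line):
    """Parse one audit line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def extension_changed(old, new):
    """True when a rename replaces or appends the file extension."""
    if not new:
        return False
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect_bursts(lines):
    """Return one alert dict per (user, host) whose renames cross the thresholds.

    Events are assumed to arrive in chronological order per source.
    """
    recent = defaultdict(deque)   # (user, host) -> deque of (ts, dir, new_ext)
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] != "RENAME":
            continue
        if not extension_changed(ev["path"], ev["new"]):
            continue                      # ordinary rename, keep the extension
        key = (ev["user"], ev["host"])
        q = recent[key]
        q.append((ev["ts"], os.path.dirname(ev["path"]),
                  os.path.splitext(ev["new"])[1].lower()))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()                   # drop events older than the window
        dirs = {d for _, d, _ in q}
        if (len(q) >= RENAME_THRESHOLD and len(dirs) >= DISTINCT_DIRS_THRESHOLD
                and key not in alerted):
            alerted.add(key)
            alerts.append({
                "user": ev["user"], "host": ev["host"], "at": ev["ts"],
                "renames": len(q), "directories": len(dirs),
                "new_extension": Counter(e for _, _, e in q).most_common(1)[0][0],
                "recommended": "isolate host, disable account, preserve logs",
            })
    return alerts


def sample_events():
    """Constructed log lines (not real data): one burst plus benign noise."""
    base = datetime(2024, 3, 5, 9, 15, 0)
    dirs = ["/srv/share/finance", "/srv/share/hr", "/srv/share/legal", "/srv/share/eng"]
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        d = dirs[i % len(dirs)]
        lines.append(f"{ts} ws17 user=alice action=RENAME path={d}/doc{i}.xlsx new={d}/doc{i}.xlsx.locked")
    # Benign: bob renames a draft (extension unchanged) and writes to it.
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} ws02 user=bob action=RENAME "
                 f"path=/home/bob/draft.docx new=/home/bob/final.docx")
    lines.append(f"{(base + timedelta(seconds=9)).isoformat()} ws02 user=bob action=WRITE path=/home/bob/final.docx")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(sample_events()):
        print(alert)
```

The per-user window, rather than a global count, keeps a legitimate bulk rename by one script from masking a burst by another account, and the directory-spread condition filters out a user reorganising a single folder. In production, the alert should feed the isolation step described later on this page rather than only a ticket queue.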
Do I need ransomware protection?
Data security should be a top concern for every business, large or small. Ransomware security and protection is a layered approach focused on the attack vectors critical for your business. Your computer operating systems might have built-in security features that can help reduce the risk of a ransomware attack, such as advanced anti-malware endpoint protection.
Nonetheless, it’s critical to add further layers of robust, holistic protection at the infrastructure, network and data levels, too. This type of strategy is called defense-in-depth, and it ensures that even a successful ransomware attack has much less of an impact or blast radius than it otherwise would.
Zero Trust is a leading strategy to protect against ransomware. In conjunction with Zero Trust Network Access (ZTNA), Zero Trust creates critical checkpoints for access at every layer of the technology stack, not just at the perimeter of trusted networks, which has traditionally been guarded by passwords and VPNs.
While still critical for a security posture, a single authentication point typically provides broad access to resources one time, while Zero Trust creates multiple authentication points and aligns to what a user needs rather than what they can access.
What to do after a ransomware attack?
While prevention is the best way to avoid damages from ransomware attacks, it’s still a good idea to plan out how your organization will respond if an attack does occur. Here are some best practices for what to do after a ransomware attack.
- Stay calm and respond with your business continuity plan. Being locked out of your critical business files or dealing with the threat of data deletion isn’t easy, but it’s critical to stay calm and fully assess the situation before springing into action. Pre-planning a response aligned to business critical operations can help prioritize in this area and keep everyone aligned with what needs to happen to respond to the attack.
- Contact your incident response teams. Typically you should have an incident response team internally, or tied to things like cyber insurance that can help organize and prioritize your response.
- Report the incident to the government. In the United States, stopransomware.gov is a resource to report ransomware and gain the support of the federal authorities. Learn more about your government response method for ransomware.
- Document the ransomware note. Take a picture of the ransomware note, which will help if you file a police report.
- Identify which systems have been compromised – and isolate them. Ransomware can infect other networked computers and devices so quarantine the affected systems as quickly and completely as you can. That might mean disconnecting the affected machines from the network.
- Immediately turn off automated maintenance tasks. Disable tasks on affected systems, such as log rotation or the removal of temporary files, and power down any affected devices. This will keep those tasks from altering or changing any data files that you’ll need later for investigation and analysis.
- Disconnect all data backups. Because the latest ransomware strains attempt to prevent recovery by going after your backups, disconnect them from the network. It’s also smart to keep anyone from accessing the backups until after the ransomware malware is removed.
- Check the consistency of data backups. Once you are confident the backups are disconnected, use a known clean endpoint to check the backup statuses and consistency. Newer ransomware attacks increasingly target backups to ensure that a ransom payment will be made.
- Try to determine which ransomware has infected your system. If you can figure out which ransomware strain is affecting you, it can be easier to combat it. Free and helpful online services include ID Ransomware and an online ransomware identification tool from Emsisoft. On these sites, you can upload an image of the ransom note and a sample of the encrypted data. The sites will then try to identify the ransomware strain for you.
- Use decryption tools to see if you can head off further action. Many tools exist online to help you decrypt ransomed data – such as No More Ransom. Knowing the name of your ransomware strain will help. Search for the newest decryptions at the bottom of the list.
- Reset online and account passwords. Once you’ve disconnected the affected systems from your network, create new passwords for your online accounts and applications. Change them all again once the ransomware has been removed completely.
- Decide whether you’ll pay the ransom or not. It’s not an easy decision, and there are advantages and disadvantages to both paying the ransom and not paying. One thing to keep in mind, though, is that you should pay a ransom only if you have already tried everything else and you’ve determined that the data loss is more serious than paying.
- Bring in experts to fully eradicate the threat. Reiterating the need to bring in a cyber incident response team, make sure to use a proven and trusted expert to do a root-cause analysis to figure out the system’s vulnerabilities and which systems were affected. Cleanup and final investigations should also be done by an expert. Attackers can use all kinds of back doors and unknown entries into your system.
- Prioritize system restoration. This should be well-defined in your business continuity plan. If not, identify systems and data that are most critical to your business operations to be the first priority for restoration. These are systems that affect revenue and productivity.
- Perform an attack post-mortem. Understanding how a ransomware incident occurred in complete technical detail is critical to preventing future events. This will also lead to new security initiatives and focuses.
- Consult with experts to upgrade security. In the case of ransomware, lightning can strike twice. In fact, it’s fairly common for a company to be hit by a second attack. If the vulnerability that allowed the attacker to get into the system in the first place isn’t identified, it could be used again. Leverage trusted partners or suggestions from your incident response team to improve security measures across the board.
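The backup-consistency step above is concrete only if you recorded what “consistent” means at backup time. The following script is an added example written for this article, not code from the original page or any vendor: it records a SHA-256 manifest of a backup tree when the backup is taken and later compares the tree against it from a clean host, reporting files that are missing, altered or unexpectedly present. The directory layout and file contents are constructed for the demo; the one real assumption is that the manifest is kept on media the production network cannot write to (an offline or immutable copy), since a manifest stored beside the backup can be rewritten along with the files.

```python
"""Verify a backup tree against a hash manifest recorded at backup time.

Added example, not from the original article. Assumes the manifest lives on
an offline or immutable copy; otherwise it can be tampered with too.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root -> {sha256, size}."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return manifest


def verify_backup(root, manifest):
    """Compare the tree under root with the recorded manifest."""
    current = build_manifest(root)
    known, seen = set(manifest), set(current)
    missing = sorted(known - seen)                 # deleted or renamed away
    unexpected = sorted(seen - known)              # e.g. encrypted copies, ransom notes
    mismatched = sorted(p for p in known & seen
                        if current[p]["sha256"] != manifest[p]["sha256"])
    return {
        "ok": not (missing or unexpected or mismatched),
        "checked": len(current),
        "missing": missing,
        "unexpected": unexpected,
        "mismatched": mismatched,
    }


def demo():
    """Build a constructed backup tree, record its manifest, then simulate damage."""
    sample = {                                     # constructed contents, not real data
        "finance/q1.xlsx": b"quarterly figures",
        "hr/roster.csv": b"name,role\n",
        "notes.txt": b"hello",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # Round-trip through JSON, as the manifest would be stored offline.
        manifest = json.loads(json.dumps(build_manifest(root)))
        clean = verify_backup(root, manifest)

        # Simulate damage: one file overwritten, one removed, one stray file added.
        with open(os.path.join(root, "finance/q1.xlsx"), "wb") as f:
            f.write(b"\x00garbage")
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "hr/roster.csv.locked"), "wb") as f:
            f.write(b"x")
        damaged = verify_backup(root, manifest)
    return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", before)
    print("damaged backup:", after)
```

Run the verification from the known clean endpoint the page recommends, against each backup generation you intend to restore from, before any restoration begins; a backup that fails this check should be treated as compromised, not merely incomplete.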
Statistically, a ransomware attack will happen to you. It’s not really possible to completely eliminate the risk because ransomware attacks are continually evolving and getting better at breaking through defenses. That’s why it’s critical to have a business continuity plan in place before you need it – a well-thought-out strategy for what to do if you get attacked by ransomware.
Knowing how to respond and what to do immediately following an attack can help, and so can overall good security hygiene and daily conscientiousness around keeping data protected and systems up-to-date to reduce potential vulnerabilities.
By eliminating vulnerable entry points into your systems and having a solid response plan, you can make it much less likely that your organization will suffer lasting effects from ransomware.