Ransomware: What it is and What to do About it

Ransomware is a form of malware that involves criminals compromising a business or even individuals by installing payloads (malicious code) onto one or many devices and then demanding a payment in order to resolve the issue. In its traditional form, this could mean making it impossible for users to access critical files unless they pay up. Or, increasingly, it can involve exfiltrating data from a business with the threat of public release or sale until further payments are made.

The majority of ransomware arrives via email, either directly in the form of attachments containing the malware or by directing users to infected URLs. Sending a phishing email (and their more targeted variants such as spear phishing and whaling), while relatively simple to initiate for hackers, continues to see success as criminals look to take advantage of careless or untrained employees who fail to identify that the message is not legitimate..

Another increasing vulnerability for many businesses is their supply chain. This attack method takes advantage of the interconnectedness of today’s business IT environment, targeting smaller, less well-defended firms they can then use to piggyback into more lucrative targets.

For example, in 2021, the REvil ransomware group was said to have infected as many as 1,500 companies by targeting managed IT services provider Kaseya. Once they had infected the supplier, it was simple to distribute their malware out to its customers.

There can be no doubt that ransomware attacks are on the rise, with both the frequency of incidents and the financial costs they lead to increasing. International Data Corporation, for example, estimated that as many as one in three businesses globally fell victim to these incidents in 2021. BlackFog’s 2021 State of Ransomware Annual Report also observed a 17% increase in publicly disclosed attacks year over year.

Meanwhile, figures from the Ponemon Institute from the same year suggest ransomware attacks now cost large firms $5.66 million annually. Of this, only $790,000 comes from ransom payments themselves, illustrating the wide-ranging damage these threats can cause.

There are several factors that have led to the recent boom in these attacks. One major contributor is that ransomware attacks are viewed by hackers as relatively simple to pull off, with the promise of lucrative rewards.

Even if individuals lack the technical skills to build this malware themselves, the proliferation of ‘Ransomware-as-a-Service’ offering on the dark web significantly lowers the barriers to entry for hackers. These toolkits can be inexpensive to acquire and offer easy profits.

Other factors include the high likelihood of success. Many firms – especially those that haven’t prepared effectively for such attacks – may feel they have no choice but to pay a ransom. This may be because they have critical data or systems they cannot work without, as was the case with the Colonial Pipeline attack in 2021, or they believe their cybersecurity insurance will cover any financial losses.

In fact, 58 percent of targeted firms around the world have reported making a ransomware payment – rising to 82 percent in the UK – and every time these attacks are successful, this motivates other cybercriminals to pursue even more targets.

While ransomware is often used as a catch-all term, there are in fact several different types of attack that fall under this banner. These include ‘classic’ ransomware attacks that focus on encrypting files, and more advanced double or triple extortion threats that have the potential for much more long-lasting damage. Focusing only on traditional defenses such as maintaining frequent, comprehensive backups may leave you exposed to more sophisticated attacks. Therefore, understanding the different types is essential if you’re to prevent ransomware.

The first step is to ensure there’s no confusion between ransomware and other types of related cyberattacks. Malware is defined as any malicious software that has the potential to do damage to your computer or network. It comes in a wide variety of types, including viruses, worms, bots, Trojans and even fileless malware. As such, ransomware is a subset of this term. In other words, all ransomware can be considered malware, but not all malware is ransomware.

Ransomware does have several key features in common with other forms of malware. For example, it’s often designed to spread stealthily within a network once it has a foothold, meaning that it can infect many devices before businesses even realize they’ve been breached. However, what makes ransomware distinct is how it causes damage to your business.

The most traditional forms of ransomware involve encrypting key parts of a computer or network so they cannot be accessed. Then, ransomware authors demand payment – usually in the form of a hard-to-trace cryptocurrency such as Bitcoin – in exchange for the decryption key, which will allow businesses to recover their data.

However, even within this form of ransomware, there are different types. Perhaps the most common is so-called ‘crypto ransomware’. This targets files within the system and could target an entire hard drive or selectively look for certain file types. This still allows the device to be used, but can prevent employees from accessing mission-critical information such as customer databases.

The other form of encryption ransomware is called locker ransomware. This can be a more disruptive type of attack as these variants target systems themselves, leaving workers unable to use their devices at all. While not as common as crypto ransomware, this has the potential to bring businesses grinding to a halt, as even if file backups exist, they won’t be able to use them.

Both of these types of ransomware attack, however, are fading in popularity among criminals as businesses build more robust protections. Instead, they are turning to more advanced forms of ransomware that are harder to defend against.

One of the most common forms of ransomware is now ‘double extortion’ ransomware. In this type of incident, as well as encrypting files, hackers also use data exfiltration techniques to steal sensitive and classified data from the business. Once they have this, they can use it in a number of ways. The first and most straightforward is by threatening further consequences if the ransom isn’t paid.

In such an attack, hackers will give the victim a deadline to pay, with the threat that if this is missed, either private data will be publicly released or sold, or details of the compromised data will be sent to customers, stakeholders or regulators. This firstly increases pressure on businesses with the intent of rushing them into a decision, but also promises much more serious consequences if the firm fails to comply.

Many organizations may decide they cannot afford the damage that having private data published could cause. This could be customer personal data that will harm their reputation, or the exposure of trade secrets or upcoming products to competitors. Therefore, they may conclude that the only way to prevent the huge costs this would cause is to pay up.

Find out more about the state of global ransomware in 2022 and learn about the latest trends.

The first documented instance of ransomware was back in 1989 and was known as the AIDS Trojan. It was distributed via floppy disks sent to 20,000 attendees of a World Health Organization AIDS conference by a Harvard-educated evolutionary biologist named Joseph Popp. Anyone who inserted the disk found their files were locked, and were asked to send $189 to a PO Box in Panama in order to restore access.

However, it was only with the widespread use of the internet that ransomware really took off. Early efforts include 2004’s GPCode, which used a fairly rudimentary custom algorithm to encrypt files and charged just $20 for the decryption key, and 2011’s Winlock – the first major ransomware variant to fully lock users out of their systems. Both of these spread mainly through malicious websites.

Perhaps the first variant to cause serious damage on a global scale was the Petya ransomware, which was first identified in 2016. For many firms, this was the first serious illustration of what ransomware was capable of. Spreading via email attachments, the first attacks using this family of malware were aimed at Windows machines and targeted their master file table – the resource that the device uses to quickly find files – rendering the PCs unusable.

This was a step up from previous ransomware efforts because of the way it overwrote files rather than simply encrypting them, making recovery even more difficult. The following year, a variant of this called NotPetya started permanently encrypting machines.

With 80 percent of infected devices in Ukraine, cybersecurity experts believe this marked a new step forward in targeted, state-sponsored cyberattacks, with the ransomware elements simply a front to hide the significant damage it was doing behind the scenes. The finger of blame for this pointed at Russia.

It was around the same time as the NotPetya attacks that an even more widespread ransomware caught the attention of the world’s media – the WannaCry ransomware. This affected devices in over 150 countries across multiple sectors. However, it was the impact on high-profile organizations such as the UK’s National Health Service (NHS) that made this ransomware incident stand out.

WannaCry was also notable because of the speed at which it spread, and the fact it was only stopped by accident, when a security researcher discovered a ‘kill-switch’ that halted the infection before it could do even more damage. It remains one of the most expensive cyberattacks of all time, with costs to the NHS alone reaching £92 million ($113 million).

Learn more about how the cyber security sector has adapted to the growing costs of ransomware.

With the costs of ransomware so high, the obvious question for businesses is what can they do to defend themselves against the ransomware threat, both in terms of preventing breaches in the first place and minimizing the damage it causes if frontline defenses such as email security fail to pick up these attacks.

The best defense is to ensure ransomware doesn’t have a chance to enter your network in the first place. There are various cybersecurity best practices to follow in order to achieve this that should be familiar to any IT team.

For instance, effective endpoint security software is a must-have to block an attacker before they can enter the network. However, this must be backed up by effective staff security awareness training, as human error such as failing to spot phishing emails is one of the leading causes of ransomware infection.

Deploying newer technologies that block the exfiltration of data must also be part of any layered cybersecurity strategy, as many legacy cybersecurity techniques have proven ineffective at preventing bad actors from gaining access.

For many firms, the first indication they may have that they are experiencing a ransomware attack is when they receive a message from the cybercriminal behind it that their data has already been compromised – by which time it will be too late to do anything but enact disaster recovery plans. However, there are steps you can take before this happens.

As well as effective security software that can scan your system’s entry points and within your network for malicious activity, advanced tools such as Anti Data Exfiltration (ADX) can be highly useful in stopping attacks before they have a chance to do damage.

ADX technology monitors your network for any unusual activity or traffic that can indicate an attack is taking place with an attempt to steal data. It is effective at halting the most dangerous double extortion ransomware attacks, as it automatically stops a threat actor from exfiltrating valuable data.

Find out more about data exfiltration and how you can guard against it.