Ransomware: What it is and What to do About it
Ransomware is now one of the leading cyberthreats that any business faces. Over the last few years, this has rapidly become a popular tactic among cybercriminals, driven by the promise of higher returns and greater odds of success.
Therefore, ransomware prevention needs to be a key part of any cybersecurity strategy. And this starts with having a clear understanding of what ransomware threats look like, how they’re evolving and what happens if firms fall victim to a ransomware attack.
What is ransomware and how does it work?
Understanding exactly how ransomware behaves is vital in formulating a clear strategy for tackling this cyberthreat. Knowing how it gains access to systems, what it does once it has infected a network, and how criminals make money is critical for any defense strategy. It is not a question of IF you will be attacked, but when.
What is ransomware and how do you get it?
Ransomware is a form of malware used by criminals to compromise a business or an individual: a payload (malicious code) is installed on one or many devices and a payment is then demanded to undo the damage. In its traditional form, this means making it impossible for users to access critical files unless they pay up. Increasingly, it also involves exfiltrating data from the business and threatening to publish or sell it unless further payments are made.
The majority of ransomware arrives via email, either directly as attachments containing the malware or by directing users to infected URLs. Phishing emails (and their more targeted variants, spear phishing and whaling) are relatively simple for attackers to launch and continue to succeed because they exploit careless or untrained employees who fail to recognize that the message is not legitimate.
Another growing vulnerability for many businesses is their supply chain. This attack method takes advantage of the interconnectedness of today’s business IT environment: attackers target smaller, less well-defended firms and then use that access to piggyback into more lucrative targets.
For example, in 2021, the REvil ransomware group was said to have infected as many as 1,500 companies by targeting managed IT services provider Kaseya. Once they had infected the supplier, it was simple to distribute their malware out to its customers.
Why are ransomware attacks increasing?
There can be no doubt that ransomware attacks are on the rise, with both the frequency of incidents and the financial costs they lead to increasing. International Data Corporation, for example, estimated that as many as one in three businesses globally fell victim to these incidents in 2021. BlackFog’s 2021 State of Ransomware Annual Report also observed a 17% increase in publicly disclosed attacks year over year.
Meanwhile, figures from the Ponemon Institute from the same year suggest ransomware attacks now cost large firms $5.66 million annually. Of this, only $790,000 comes from ransom payments themselves, illustrating the wide-ranging damage these threats can cause.
There are several factors that have led to the recent boom in these attacks. One major contributor is that ransomware attacks are viewed by hackers as relatively simple to pull off, with the promise of lucrative rewards.
Even if individuals lack the technical skills to build this malware themselves, the proliferation of ‘Ransomware-as-a-Service’ offerings on the dark web significantly lowers the barrier to entry. These toolkits can be inexpensive to acquire and offer easy profits.
Other factors include the high likelihood of success. Many firms – especially those that haven’t prepared effectively for such attacks – may feel they have no choice but to pay a ransom. This may be because they have critical data or systems they cannot work without, as was the case with the Colonial Pipeline attack in 2021, or they believe their cybersecurity insurance will cover any financial losses.
In fact, 58 percent of targeted firms around the world have reported making a ransomware payment – rising to 82 percent in the UK – and every time these attacks are successful, this motivates other cybercriminals to pursue even more targets.
Who is behind the ransomware attacks?
The majority of ransomware attacks are financially motivated and are increasingly launched by organized criminal gangs, some of which even have the backing of nation-states. This means they can afford to operate at large scale against many major firms.
However, the FBI has noted that while ‘big game hunting’ tactics aimed at the largest and most lucrative targets may get the most media attention, many of the most professional threat actors are turning to lower-profile targets to reduce scrutiny of these activities.
Ransomware is a global problem, but there are some patterns in where attacks originate. In 2021, for example, it was estimated that almost three-quarters (74 percent) of all money made from ransomware attacks went to hackers with links to Russia or the Commonwealth of Independent States nations. This amounted to $400 million worth of cryptocurrency payments. However, other ransomware hackers have been arrested in countries including Romania, Ukraine, South Korea and Kuwait.
In addition to financial gain, state-sponsored hackers also aim to cause wide-scale disruption. This means that organizations in critical industries may be especially tempting targets. The FBI identifies 16 such sectors where disruption could have a “debilitating effect on our security, national economy, public health or safety”. These include healthcare, financial services and energy, all of which experienced multiple ransomware attacks in 2021.
What forms of ransomware are there and what does that mean for you?
While ransomware is often used as a catch-all term, there are in fact several different types of attack that fall under this banner. These include ‘classic’ ransomware attacks that focus on encrypting files, and more advanced double or triple extortion threats that have the potential for much more long-lasting damage. Focusing only on traditional defenses such as maintaining frequent, comprehensive backups may leave you exposed to more sophisticated attacks. Therefore, understanding the different types is essential if you’re to prevent ransomware.
What is the difference between ransomware and malware?
The first step is to ensure there’s no confusion between ransomware and other types of related cyberattacks. Malware is defined as any malicious software that has the potential to do damage to your computer or network. It comes in a wide variety of types, including viruses, worms, bots, Trojans and even fileless malware. As such, ransomware is a subset of this term. In other words, all ransomware can be considered malware, but not all malware is ransomware.
Ransomware does have several key features in common with other forms of malware. For example, it’s often designed to spread stealthily within a network once it has a foothold, meaning that it can infect many devices before businesses even realize they’ve been breached. However, what makes ransomware distinct is how it causes damage to your business.
Encrypting files and demanding a ransom
The most traditional forms of ransomware involve encrypting key parts of a computer or network so they cannot be accessed. Then, ransomware authors demand payment – usually in the form of a hard-to-trace cryptocurrency such as Bitcoin – in exchange for the decryption key, which will allow businesses to recover their data.
However, even within this form of ransomware, there are different types. Perhaps the most common is so-called ‘crypto ransomware’. This encrypts files within the system, either sweeping an entire hard drive or selectively looking for certain file types. The device itself remains usable, but employees can be cut off from mission-critical information such as customer databases.
The other form of encryption ransomware is called locker ransomware. This can be a more disruptive type of attack, as these variants lock the system itself, leaving workers unable to use their devices at all. While not as common as crypto ransomware, it has the potential to bring businesses grinding to a halt, because even if file backups exist, employees cannot reach a working machine to restore them.
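The behaviour described above for crypto ransomware, a single process rewriting many files as near-random bytes and renaming them in a short burst, is something an endpoint monitor can look for. The following is an added example, not BlackFog's code or the code of any product on this page: it takes constructed file-write events (the process names, paths and the `.locked` extension are hypothetical sample values) and flags a process that produces a large number of encrypted-looking rewrites inside a sliding time window. Two benign cases are included to show why both conditions are required: a word processor saving plain-text documents and a backup tool writing compressed archives, which are high-entropy but not renamed originals.

```python
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One file-write event as an endpoint agent might report it (constructed)."""
    ts: float        # seconds since an arbitrary epoch
    process: str     # process that performed the write
    path: str        # path before the write
    new_path: str    # path after the write (differs when the file was renamed)
    sample: bytes    # first bytes of the content that was written


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 for uniform random data, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(ev: FileEvent, threshold: float = 7.0) -> bool:
    """Crypto-ransomware signature for one event: the file was renamed AND its new
    content is near-random. Renaming alone, or high entropy alone (archives, media),
    is not enough on its own."""
    return ev.new_path != ev.path and shannon_entropy(ev.sample) >= threshold


def detect_mass_encryption(events, window_s: float = 10.0, min_files: int = 20):
    """Return [(process, count)] for each process that produced at least `min_files`
    encrypted-looking rewrites inside any `window_s`-second sliding window."""
    stamps_by_process = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if looks_encrypted(ev):
            stamps_by_process[ev.process].append(ev.ts)

    alerts = []
    for proc, stamps in stamps_by_process.items():
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= min_files:
            alerts.append((proc, best))
    return alerts


def _random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext or compressed data (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


_TEXT = b"Quarterly report: revenue grew while costs stayed flat. " * 16

# Constructed sample events. All process names and paths are hypothetical.
SAMPLE_EVENTS = (
    # A word processor saves three documents in place: plain text, no rename -> benign
    [FileEvent(1.0 + i, "WINWORD.EXE", f"C:/docs/report{i}.docx",
               f"C:/docs/report{i}.docx", _TEXT) for i in range(3)]
    # A backup tool writes 30 new archives: high entropy but nothing renamed -> benign
    + [FileEvent(2.0 + i * 0.1, "backup.exe", f"D:/bak/arch{i}.zip",
                 f"D:/bak/arch{i}.zip", _random_bytes(1024, i)) for i in range(30)]
    # An unknown process rewrites 25 spreadsheets as random bytes with a new
    # extension within five seconds -> this is the crypto-ransomware pattern
    + [FileEvent(50.0 + i * 0.2, "unknown_proc.exe", f"C:/docs/file{i}.xlsx",
                 f"C:/docs/file{i}.xlsx.locked", _random_bytes(1024, 100 + i)) for i in range(25)]
)


if __name__ == "__main__":
    for proc, count in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"ALERT: {proc} rewrote {count} files as encrypted-looking data")
```

The thresholds (7.0 bits per byte, 20 files in 10 seconds) are starting points, not tuned values; in practice they are calibrated against a baseline of normal activity on the fleet so that legitimate encryption tools and archivers do not trip the detector.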
What is double extortion ransomware?
Both of these types of ransomware attack, however, are fading in popularity among criminals as businesses build more robust protections. Instead, they are turning to more advanced forms of ransomware that are harder to defend against.
One of the most common forms of ransomware is now ‘double extortion’ ransomware. In this type of incident, as well as encrypting files, hackers also use data exfiltration techniques to steal sensitive and confidential data from the business. Once they have this, they can use it in a number of ways. The first and most straightforward is to threaten further consequences if the ransom isn’t paid.
In such an attack, hackers will give the victim a deadline to pay, with the threat that if this is missed, either private data will be publicly released or sold, or details of the compromised data will be sent to customers, stakeholders or regulators. This firstly increases pressure on businesses with the intent of rushing them into a decision, but also promises much more serious consequences if the firm fails to comply.
Many organizations may decide they cannot afford the damage that having private data published could cause. This could be customer personal data that will harm their reputation, or the exposure of trade secrets or upcoming products to competitors. Therefore, they may conclude that the only way to prevent the huge costs this would cause is to pay up.
The history and evolution of ransomware
While ransomware has become much more prevalent in the last few years – especially as changes in work practices brought about by the 2020 Covid pandemic have made tactics such as phishing attacks more likely to succeed – the tactic is not new.
By seeing how it has evolved to take advantage of new technology and evade the efforts of defenders, it’s clear ransomware authors are constantly modifying their tactics, highlighting the importance of an advanced, up-to-date ransomware prevention solution.
What is the history of ransomware?
The first documented instance of ransomware was back in 1989 and was known as the AIDS Trojan. It was distributed via floppy disks sent to 20,000 attendees of a World Health Organization AIDS conference by a Harvard-educated evolutionary biologist named Joseph Popp. Anyone who inserted the disk found their files were locked, and were asked to send $189 to a PO Box in Panama in order to restore access.
However, it was only with the widespread use of the internet that ransomware really took off. Early efforts include 2004’s GPCode, which used a fairly rudimentary custom algorithm to encrypt files and charged just $20 for the decryption key, and 2011’s Winlock – the first major ransomware variant to fully lock users out of their systems. Both of these spread mainly through malicious websites.
What is Petya and NotPetya ransomware?
Perhaps the first variant to cause serious damage on a global scale was the Petya ransomware, which was first identified in 2016. For many firms, this was the first serious illustration of what ransomware was capable of. Spreading via email attachments, the first attacks using this family of malware were aimed at Windows machines and targeted the master file table – the NTFS index the system uses to locate files on disk – rendering the PCs unusable.
This was a step up from previous ransomware efforts because of the way it overwrote files rather than simply encrypting them, making recovery even more difficult. The following year, a variant of this called NotPetya started permanently encrypting machines.
With 80 percent of infected devices in Ukraine, cybersecurity experts believe this marked a new step forward in targeted, state-sponsored cyberattacks, with the ransomware elements simply a front to hide the significant damage it was doing behind the scenes. The finger of blame for this pointed at Russia.
What was the WannaCry ransomware attack?
It was around the same time as the NotPetya attacks that an even more widespread ransomware caught the attention of the world’s media – the WannaCry ransomware. This affected devices in over 150 countries across multiple sectors. However, it was the impact on high-profile organizations such as the UK’s National Health Service (NHS) that made this ransomware incident stand out.
WannaCry was also notable because of the speed at which it spread, and the fact it was only stopped by accident, when a security researcher discovered a ‘kill-switch’ that halted the infection before it could do even more damage. It remains one of the most expensive cyberattacks of all time, with costs to the NHS alone reaching £92 million ($113 million).
What can you do to protect against ransomware?
With the costs of ransomware so high, the obvious question for businesses is how they can defend themselves against the threat: both by preventing breaches in the first place and by minimizing the damage if frontline defenses such as email security fail to catch an attack.
How can you minimize the risk of a ransomware attack?
The best defense is to ensure ransomware doesn’t have a chance to enter your network in the first place. There are various cybersecurity best practices to follow in order to achieve this that should be familiar to any IT team.
For instance, effective endpoint security software is a must-have to block an attacker before they can enter the network. However, this must be backed up by effective staff security awareness training, as human error such as failing to spot phishing emails is one of the leading causes of ransomware infection.
Deploying newer technologies that block the exfiltration of data must also be part of any layered cybersecurity strategy, as many legacy cybersecurity techniques have proven ineffective at preventing bad actors from gaining access.
How do you know if you have ransomware?
For many firms, the first indication they may have that they are experiencing a ransomware attack is when they receive a message from the cybercriminal behind it that their data has already been compromised – by which time it will be too late to do anything but enact disaster recovery plans. However, there are steps you can take before this happens.
As well as effective security software that scans your system’s entry points and monitors activity within your network for malicious behavior, advanced tools such as Anti Data Exfiltration (ADX) can be highly useful in stopping attacks before they have a chance to do damage.
ADX technology monitors your network for any unusual activity or traffic that can indicate an attack is taking place with an attempt to steal data. It is effective at halting the most dangerous double extortion ransomware attacks, as it automatically stops a threat actor from exfiltrating valuable data.
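The monitoring just described rests on a simple idea: establish what normal outbound traffic looks like for each host and alert when a host suddenly sends far more data out of the network than its baseline. The block below is an added example written for this page, not BlackFog's ADX code or any description of how that product works. It reads constructed flow-summary records (the addresses use documentation ranges, the volumes are made up), totals egress per internal host per hour, and flags an hour whose volume exceeds both a multiple of that host's median hourly egress and an absolute floor. It also shows why the floor matters (a host with almost no traffic should not alert on a small upload) and why internal-to-internal transfers, such as a large copy to a file server, are excluded.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MB = 2 ** 20


@dataclass(frozen=True)
class Flow:
    """One outbound flow summary, as a firewall or flow exporter reports it (constructed)."""
    ts: int          # seconds since midnight
    src: str
    dst: str
    dst_port: int
    bytes_out: int   # bytes sent from src to dst


# RFC 1918 space; a real deployment would also list its own public ranges and cloud VPCs.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hourly_egress(flows):
    """{src: {hour: bytes}} counting only traffic that leaves the internal address space."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src][f.ts // 3600] += f.bytes_out
    return totals


def detect_exfiltration(flows, ratio: float = 5.0, min_bytes: int = 200 * MB):
    """Return [(src, hour, bytes)] for every hour in which a host's egress is both
    at least `min_bytes` and more than `ratio` times that host's median hourly egress."""
    alerts = []
    for src, hours in hourly_egress(flows).items():
        if len(hours) < 3:
            continue                      # too little history to form a baseline
        baseline = statistics.median(hours.values())
        for hour, total in sorted(hours.items()):
            if total >= min_bytes and total > ratio * baseline:
                alerts.append((src, hour, total))
    return alerts


# Constructed sample flows covering one day. 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for external services.
SAMPLE_FLOWS = []
for h in range(24):
    # 10.0.0.5: about 40 MB of ordinary web traffic every hour ...
    SAMPLE_FLOWS.append(Flow(h * 3600 + 600, "10.0.0.5", "203.0.113.10", 443, 40 * MB))
    # 10.0.0.7: a similar steady profile
    SAMPLE_FLOWS.append(Flow(h * 3600 + 900, "10.0.0.7", "203.0.113.10", 443, 35 * MB))
    # 10.0.0.9: a mostly idle device
    SAMPLE_FLOWS.append(Flow(h * 3600 + 300, "10.0.0.9", "203.0.113.10", 443, 1 * MB))
# ... then 10.0.0.5 pushes 3 GB to a single external host in the final hour
SAMPLE_FLOWS.append(Flow(23 * 3600 + 1800, "10.0.0.5", "198.51.100.77", 443, 3000 * MB))
# 10.0.0.7 copies 5 GB to the internal file server: large, but not egress
SAMPLE_FLOWS.append(Flow(12 * 3600, "10.0.0.7", "10.0.0.200", 445, 5000 * MB))
# 10.0.0.9 uploads 20 MB once: 20x its baseline, but below the absolute floor
SAMPLE_FLOWS.append(Flow(8 * 3600 + 100, "10.0.0.9", "198.51.100.77", 443, 20 * MB))


if __name__ == "__main__":
    for src, hour, total in detect_exfiltration(SAMPLE_FLOWS):
        print(f"ALERT: {src} sent {total // MB} MB out of the network in hour {hour}")
```

A volume baseline is only one signal; production tooling would combine it with the destination (a never-before-seen host or a cloud storage service), the time of day, and the process on the endpoint that opened the connection, and would block the transfer rather than merely alert, which is the distinction the page draws between monitoring and ADX.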
What happens if you pay ransomware demands?
Paying a ransomware demand may give an organization the decryption key needed to get up and running again, and is seen by many businesses as the fastest and easiest way to recover their systems. However, in the long run, this can cause much more harm than good.
The main issue is that, if a ransomware attacker receives a payment, this gives them a major incentive to continue creating malicious software. In fact, it’s estimated that 80 percent of firms that pay a ransom will fall victim again, as cybercriminals keep returning to a lucrative well. In addition to this, handing over money can put organizations at risk of breaking the law, especially if payments end up in countries that are subject to sanctions.
What’s more, many cybersecurity insurance providers will no longer reimburse firms for direct ransomware payment costs, acting as a further disincentive for businesses. Therefore, experts now recommend against paying any ransom, as ultimately the costs of doing so will eventually outweigh the downsides of not paying.
As a result, prevention is infinitely better than cure. And to do this, you need the right tools. Get in touch with BlackFog today to find out how our Anti Data Exfiltration solutions can help your business avoid becoming the next ransomware headline.