See all
toc here

What is ransomware and how can you limit its effects?

Here you’ll find information that will help you build stronger cybersecurity defences and outsmart cyber criminals.

Ransomware is a type of malicious software (malware) that encrypts a victim's files or locks the victim out of their own system, demanding a ransom payment in exchange for the decryption key or system access. It is a form of extortion, and the attackers usually demand payment in cryptocurrency, such as Bitcoin, to make it more difficult to trace the transaction.

How Ransomware spreads

Ransomware can spread through various methods, including email attachments, social engineering, malvertising, and exploiting vulnerabilities like zero-days in software and operating systems. Attackers may also use techniques like spear phishing and baiting to trick victims into clicking on malicious links or downloading infected files.

Criminals can gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server that did not have multifactor authentication (MFA) enabled. The criminals are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment.

After obtaining access to the victim’s server, thieves may try to move laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP). Bad actors have sought to gain privileged account access through credential dumping and pass the hash techniques.

In virtualised environments, cybercriminals can use leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment. The actors then use SSH to connect to accessible ESXi servers and deploy ransomware on those servers.

For more comprehensive information, refer to the MITRE ATT&CK® for Enterprise framework for details of tactics and techniques. MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Who does Ransomware target?

Ransomware can target any organisation with network computers and mobile devices, but attackers often focus on organizations with valuable personal or commercial data, such as manufacturers, healthcare providers, financial institutions and government agencies. Smaller businesses are also at risk, as they may have fewer resources and less robust security measures in place to cover all the ‘attack surfaces’ that thieves can exploit. An attack surface is simply the entire area of an organization or system that is susceptible to being compromised by ransomware. It's made up of all the points of access that an unauthorized person could use to enter the system and try to steal or disrupt business data.

When was Ransomware first discovered?

One of the first known ransomware attacks ever documented was the AIDS trojan (PC Cyborg Virus) that appeared in in 1989. The attacker distributed floppy disks with the malware disguised as an educational program about AIDS. Once installed, the malware encrypted the victim's files and demanded a payment of $189 via a PO Box in Panama to restore access.

Where did Ransomware originate?

Ransomware has a long history, with some early versions dating back to the 1980s. However, modern ransomware attacks are often attributed to the proliferation of cryptocurrencies, which make it easier for attackers to demand and receive anonymous payments. By providing an easy and practically untraceable method for receiving payment from victims, virtual currencies created the opportunity for ransomware to become a lucrative industry for cybercriminals.

How long does it take to recover from Ransomware?

Recovery from a ransomware attack can be time-consuming and costly, depending on the severity of the attack and the effectiveness of the backup and recovery systems in place. In some cases, victims may be unable to recover their data at all, even after paying the ransom. In reality, therefore, there is no hard and fast rule as to how long your organisation might be disrupted. But typically, three weeks is perhaps an accurate reflection of what most organizations experience after a cybersecurity incident although the impact and disruption could continue to be felt for a much longer period. When the city of Atlanta in the US was a target in 2018, it took months to fully recover normal IT operations and cost the city $17 million.

How Ransomware affects business

Ransomware statistics

There are many different studies analysing the state of the ransomware industry, which may review the threat landscape from the perspective of geography, vertical market, business size and scope. Generally, most commentators agree that ransomware is a permanent threat although its methods and prevalence continues to metamorphosize as authorities and businesses try to put in place preventative measures. 

  • According to a report by Sophos[1], 66% of organisations suffered a ransomware attack in 2022 – an increase of over 78% compared to the previous year.
  • 65% of attacks resulted in data being encrypted.
  • 46% of firms paid to get their data back.
  • But only 61% or two thirds of data was recovered after the ransom had been paid.
  • A mere 4% recovered all their data.
  • In the Sophos study, the average ransom payout was $812,360, with manufacturing being the most badly affected vertical.
  • 86% of companies said that the ransomware attack caused loss of business or revenue
[1] The State of Ransomware 2022, Sophos

Are Ransomware attacks a threat to the economy?

Ransomware attacks can have a significant impact on the economy, particularly if they target critical infrastructure or essential services. For example, the 2017 WannaCry attack impacted over 200,000 computers in 150 countries, causing billions of dollars in damages.

Ransomware and healthcare

Ransomware attacks against healthcare providers can be particularly devastating, as they may impact patient care and put lives at risk because of the increasing reliance on digital data. By the end of October 2022, according to the FBI, the healthcare industry accounted for 25% of ransomware complaints that year.

Ransomware and schools

Schools and educational institutions are also at risk from ransomware attacks, with many schools having to pay ransoms to regain access to their systems and data. In 2020, schools were the second most targeted sector for ransomware attacks, accounting for 10% of all incidents.

What should I do to build effective defences against Ransomware threats?

  • Practice good IT hygiene e.g. by keeping software up-to-date, installing patches and adopting multi-factor authentication, shutting down down or decommissioning unused services and systems.
  • Improve resiliency of internet facing applications. Restrict or discontinue use of FTP and Telnet services and restrict or discontinue use of non-approved VPN services. Disable unnecessary ports, protocols, and services as well as unnecessary remote network administration tools.
  • Implement an intrusion detection system to apply continuous monitoring for threats.
  • Implement and enhance email security.
  • Harden endpoints and isolate your backup network from the primary production environment.
  • Provide greater scope for recovery by utilising multiple backup copies, maintained in a clean room architecture.
  • Keep immutable and offline backups behind physical airgaps.
  • Restrict access to virtualization management infrastructure and core backup and disaster recovery systems.
  • Implement zero trust architecture.
  • Develop and stress test an Incident Response Plan to practice for when ransomware strikes.
  • Implement a comprehensive cybersecurity training program.
  • Bring in experts as necessary to cover the specialist skillsets that may be outside the knowledge of your day-to-day IT organisation.

What to do if you are a victim of Ransomware

If you have fallen victim to a Ransomware attack, the first thing you should do is to isolate affected systems from the network and the internet to prevent the malware from spreading. This includes infected computers, laptops and tablets, whether wired, wireless or mobile phone based.

In a very serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary to limit contagion.

Find the source. Any system with out-of-date or misconfigured software is easily compromised, and it’s vital to remember that even SaaS productivity apps like Microsoft 365 are vulnerable.

Reset credentials including passwords (especially for administrator and other system accounts) - but verify that you are not locking yourself out of systems that are needed for recovery. Also be aware that the adversary likely has multiple credentials, or worse, has access to your entire Active Directory and may try to create new credentials.

Safely wipe the infected devices and reinstall the OS. Then begin to recover data from backups.

Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that the backup and the device you're connecting it to are clean. You should ideally use a quarantined environment that is entirely sandboxed and isolated from other systems in order to load and verify your data and return to a ‘last known good’ state before ransomware struck.

Retain all log data for at least one year. If critical log types are not collected, or are not retained for a sufficient length of time, key information about the incident may not be determinable.

Install, update, and run antivirus software.

Reconnect to your network.

Monitor network traffic and maintain strict antivirus protocols to identify if any infection remains.

Should I pay a Ransomware demand?

Authorities do not typically support paying a ransom in response to a ransomware attack. They argue paying a ransom not only encourages the business model, but it also may go into the pockets of criminal organizations, money launderers, and even rogue nation-states. Moreover, while few organizations publicly admit to paying ransoms, adversaries will publicize that info on the dark web – making it common knowledge for other adversaries looking for a new target. Very often, companies that have suffered a ransomware attack will be targeted again.

As mentioned above, paying the ransom doesn’t result in a guaranteed recovery. There may be multiple decryption keys, there may be a bad decryption utility, the decryptor may be incompatible with the victim’s operating system, there may be double decryption and the decryption key only works on one layer, and some data may be corrupted. Very few victims are able to successfully restore their systems unless they have secure and comprehensive backups.

Ransomware policy

Having a Ransomware policy in place is essential for any business or organization that wants to protect itself from the devastating effects of a Ransomware attack. A comprehensive policy should include guidelines on how to prevent Ransomware attacks, what to do in case of an attack, and how to mitigate the impact of an attack. It should also include regular training sessions for employees to raise awareness and reduce the likelihood of falling victim to phishing scams and other attack vectors commonly used by Ransomware attackers.

Why Ransomware attacks are on the rise?

Ransomware attacks have been on the rise in recent years due to the increasing sophistication of cybercriminals and the ease with which they can distribute malware. The rise of cryptocurrency has also made it easier for attackers to receive payment without being traced, providing them with a lucrative source of income. Additionally, the COVID-19 pandemic created new opportunities for attackers, with many employees working from home and potentially using unsecured networks and devices.

Terms related to Ransomware explained

Understanding the different terms related to Ransomware can help you better protect your computer and your data. Here are some common terms you may come across:

Ransomware vs malware

While Ransomware is a type of malware, it is specifically designed to encrypt the victim's files and demand payment for their release. Other types of malware, such as viruses and trojans, may have other goals such as stealing data or disrupting computer systems.

Ransomware vs phishing

Phishing is a type of social engineering attack in which an attacker tricks the victim into revealing sensitive information such as login credentials or credit card numbers. Ransomware attacks may also be delivered through phishing emails or other social engineering tactics. More specifically, “spear phishing” is a type of phishing campaign that targets a specific person or group and often will include information known to be of interest to the target, such as current events or financial documents.

Ransomware vs cyber extortion

Cyber extortion is the act of threatening to damage a victim's computer system or release sensitive data unless a ransom is paid. Software used for this purpose is sometimes referred to as ‘doxware’ or ‘leakware’. Ransomware attacks can be seen as a type of cyber extortion, as the attackers threaten to permanently encrypt the victim's files if their demands are not met.

Ransomware vs spyware

Spyware is a type of malware that is designed to secretly monitor a victim's computer activity and steal sensitive information such as login credentials and credit card numbers. Ransomware, on the other hand, is designed to encrypt the victim's files and demand payment for their release.

Ransomware vs virus

A virus is a type of malware that is designed to spread from computer to computer and often has a destructive payload, such as deleting files or disrupting computer systems. Ransomware is also a type of malware, but it specifically targets the victim's files and demands payment for their release.

Examples of Ransomware attacks

Ransomware attacks can happen to anyone. From individuals to businesses, everyone is a potential target.

Ransomware names

Here are some of the most common ransomware names and their characteristics:

  • WannaCry: A ransomware that spreads through a vulnerability in Microsoft Windows. It encrypts files and demands payment in Bitcoin.
  • Petya/NotPetya: A ransomware that spreads through a vulnerability in Microsoft Windows. It encrypts files and demands payment in Bitcoin.
  • Locky: A ransomware that spreads through spam emails with infected attachments. It encrypts files and demands payment in Bitcoin.
  • CryptoLocker: A ransomware that encrypts files and demands payment in Bitcoin. It was one of the first known ransomware attacks.
  • Ryuk: An encryption Trojan that targets businesses and encrypts files. It demands payment in Bitcoin and is often spread through phishing emails.
  • Maze: A ransomware that not only encrypts files but also exfiltrates data from the victim's computer. It demands payment in Bitcoin and threatens to release the stolen data if the ransom is not paid.
  • Locky is ransomware was spread by means of fake emails (phishing) with infected attachments. Locky ransomware targets file types that are often used by designers, developers, engineers and testers.

It's worth noting that ransomware is constantly evolving, and new variants with different names and characteristics are being discovered all the time.

Ransomware without encryption

Not all Ransomware encrypts your files. Some Ransomware may lock your computer screen or disable your operating system, making it impossible to use your computer. This type of Ransomware is known as "screen locker" or "locker" Ransomware. While this type of Ransomware may not be as damaging as encryption Ransomware, it can still cause significant disruption to your computer use.

Frequently Asked Questions about Ransomware:

Can Ransomware spread through WiFi network?

Yes, Ransomware can spread through a WiFi network if the network is not secure. Attackers may exploit vulnerabilities in the network or use social engineering tactics to trick users into downloading and running malicious software.

Can Ransomware be traced?

Tracing Ransomware attacks can be difficult, as attackers often use techniques such as encryption and anonymization to conceal their identity. However, law enforcement agencies and cybersecurity experts may be able to track down the attackers by analyzing the Ransomware code, communication channels, and payment methods.

Will re-formatting remove Ransomware?

Re-formatting your hard drive may remove Ransomware from your computer. However, this should only be done as a last resort, as it will erase all of your data. It is recommended to try other methods, such as restoring your computer from a backup or using anti-malware software, before resorting to re-formatting.

Can Ransomware affect cloud storage?

Yes, Ransomware can infect and encrypt files stored in cloud storage if the user has synced their local files to the cloud. It is essential to secure your cloud storage account with strong passwords and two-factor authentication to prevent unauthorized access.

Why do Ransomware hackers and cybercriminals use bitcoin?

Attackers use Bitcoin as the payment method for Ransomware because it provides them with anonymity and is difficult to trace. Bitcoin transactions are also fast and irreversible, making it easier for attackers to receive the ransom quickly and securely.

Follow or contact us!

Sales Expert | Technical Support