What is ransomware and how can you limit its effects?

Here you’ll find information that will help you build stronger cybersecurity defences and outsmart cyber criminals.

Ransomware is a type of malicious software (malware) that encrypts a victim's files or locks the victim out of their own system, demanding a ransom payment in exchange for the decryption key or system access. It is a form of extortion, and the attackers usually demand payment in cryptocurrency, such as Bitcoin, to make it more difficult to trace the transaction.

Ransomware can spread through various methods, including email attachments, social engineering, malvertising, and exploiting vulnerabilities like zero-days in software and operating systems. Attackers may also use techniques like spear phishing and baiting to trick victims into clicking on malicious links or downloading infected files.

Criminals can gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server that did not have multifactor authentication (MFA) enabled. The criminals are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment.

After obtaining access to the victim’s server, thieves may try to move laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP). Bad actors have sought to gain privileged account access through credential dumping and pass the hash techniques.

In virtualised environments, cybercriminals can use leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment. The actors then use SSH to connect to accessible ESXi servers and deploy ransomware on those servers.

For more comprehensive information, refer to the MITRE ATT&CK® for Enterprise framework for details of tactics and techniques. MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Ransomware can target any organisation with network computers and mobile devices, but attackers often focus on organizations with valuable personal or commercial data, such as manufacturers, healthcare providers, financial institutions and government agencies. Smaller businesses are also at risk, as they may have fewer resources and less robust security measures in place to cover all the ‘attack surfaces’ that thieves can exploit. An attack surface is simply the entire area of an organization or system that is susceptible to being compromised by ransomware. It's made up of all the points of access that an unauthorized person could use to enter the system and try to steal or disrupt business data.

Ransomware has a long history, with some early versions dating back to the 1980s. However, modern ransomware attacks are often attributed to the proliferation of cryptocurrencies, which make it easier for attackers to demand and receive anonymous payments. By providing an easy and practically untraceable method for receiving payment from victims, virtual currencies created the opportunity for ransomware to become a lucrative industry for cybercriminals.

Recovery from a ransomware attack can be time-consuming and costly, depending on the severity of the attack and the effectiveness of the backup and recovery systems in place. In some cases, victims may be unable to recover their data at all, even after paying the ransom. In reality, therefore, there is no hard and fast rule as to how long your organisation might be disrupted. But typically, three weeks is perhaps an accurate reflection of what most organizations experience after a cybersecurity incident although the impact and disruption could continue to be felt for a much longer period. When the city of Atlanta in the US was a target in 2018, it took months to fully recover normal IT operations and cost the city $17 million.

Ransomware statistics

There are many different studies analysing the state of the ransomware industry, which may review the threat landscape from the perspective of geography, vertical market, business size and scope. Generally, most commentators agree that ransomware is a permanent threat although its methods and prevalence continues to metamorphosize as authorities and businesses try to put in place preventative measures. 

• According to a report by Sophos[1], 66% of organisations suffered a ransomware attack in 2022 – an increase of over 78% compared to the previous year.
• 65% of attacks resulted in data being encrypted.
• 46% of firms paid to get their data back.
• But only 61% or two thirds of data was recovered after the ransom had been paid.
• A mere 4% recovered all their data.
• In the Sophos study, the average ransom payout was $812,360, with manufacturing being the most badly affected vertical.
• 86% of companies said that the ransomware attack caused loss of business or revenue

[1] The State of Ransomware 2022, Sophos

Ransomware attacks can have a significant impact on the economy, particularly if they target critical infrastructure or essential services. For example, the 2017 WannaCry attack impacted over 200,000 computers in 150 countries, causing billions of dollars in damages.

Ransomware attacks against healthcare providers can be particularly devastating, as they may impact patient care and put lives at risk because of the increasing reliance on digital data. By the end of October 2022, according to the FBI, the healthcare industry accounted for 25% of ransomware complaints that year.

Schools and educational institutions are also at risk from ransomware attacks, with many schools having to pay ransoms to regain access to their systems and data. In 2020, schools were the second most targeted sector for ransomware attacks, accounting for 10% of all incidents.

If you have fallen victim to a Ransomware attack, the first thing you should do is to isolate affected systems from the network and the internet to prevent the malware from spreading. This includes infected computers, laptops and tablets, whether wired, wireless or mobile phone based.

In a very serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary to limit contagion.

Find the source. Any system with out-of-date or misconfigured software is easily compromised, and it’s vital to remember that even SaaS productivity apps like Microsoft 365 are vulnerable.

Reset credentials including passwords (especially for administrator and other system accounts) - but verify that you are not locking yourself out of systems that are needed for recovery. Also be aware that the adversary likely has multiple credentials, or worse, has access to your entire Active Directory and may try to create new credentials.

Safely wipe the infected devices and reinstall the OS. Then begin to recover data from backups.

Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that the backup and the device you're connecting it to are clean. You should ideally use a quarantined environment that is entirely sandboxed and isolated from other systems in order to load and verify your data and return to a ‘last known good’ state before ransomware struck.

Retain all log data for at least one year. If critical log types are not collected, or are not retained for a sufficient length of time, key information about the incident may not be determinable.

Install, update, and run antivirus software.

Reconnect to your network.

Monitor network traffic and maintain strict antivirus protocols to identify if any infection remains.

Authorities do not typically support paying a ransom in response to a ransomware attack. They argue paying a ransom not only encourages the business model, but it also may go into the pockets of criminal organizations, money launderers, and even rogue nation-states. Moreover, while few organizations publicly admit to paying ransoms, adversaries will publicize that info on the dark web – making it common knowledge for other adversaries looking for a new target. Very often, companies that have suffered a ransomware attack will be targeted again.

Having a Ransomware policy in place is essential for any business or organization that wants to protect itself from the devastating effects of a Ransomware attack. A comprehensive policy should include guidelines on how to prevent Ransomware attacks, what to do in case of an attack, and how to mitigate the impact of an attack. It should also include regular training sessions for employees to raise awareness and reduce the likelihood of falling victim to phishing scams and other attack vectors commonly used by Ransomware attackers.

Ransomware attacks have been on the rise in recent years due to the increasing sophistication of cybercriminals and the ease with which they can distribute malware. The rise of cryptocurrency has also made it easier for attackers to receive payment without being traced, providing them with a lucrative source of income. Additionally, the COVID-19 pandemic created new opportunities for attackers, with many employees working from home and potentially using unsecured networks and devices.

Understanding the different terms related to Ransomware can help you better protect your computer and your data. Here are some common terms you may come across:

While Ransomware is a type of malware, it is specifically designed to encrypt the victim's files and demand payment for their release. Other types of malware, such as viruses and trojans, may have other goals such as stealing data or disrupting computer systems.

Cyber extortion is the act of threatening to damage a victim's computer system or release sensitive data unless a ransom is paid. Software used for this purpose is sometimes referred to as ‘doxware’ or ‘leakware’. Ransomware attacks can be seen as a type of cyber extortion, as the attackers threaten to permanently encrypt the victim's files if their demands are not met.

Spyware is a type of malware that is designed to secretly monitor a victim's computer activity and steal sensitive information such as login credentials and credit card numbers. Ransomware, on the other hand, is designed to encrypt the victim's files and demand payment for their release.

A virus is a type of malware that is designed to spread from computer to computer and often has a destructive payload, such as deleting files or disrupting computer systems. Ransomware is also a type of malware, but it specifically targets the victim's files and demands payment for their release.

Ransomware attacks can happen to anyone. From individuals to businesses, everyone is a potential target.

Here are some of the most common ransomware names and their characteristics:

• WannaCry: A ransomware that spreads through a vulnerability in Microsoft Windows. It encrypts files and demands payment in Bitcoin.
• Petya/NotPetya: A ransomware that spreads through a vulnerability in Microsoft Windows. It encrypts files and demands payment in Bitcoin.
• Locky: A ransomware that spreads through spam emails with infected attachments. It encrypts files and demands payment in Bitcoin.
• CryptoLocker: A ransomware that encrypts files and demands payment in Bitcoin. It was one of the first known ransomware attacks.
• Ryuk: An encryption Trojan that targets businesses and encrypts files. It demands payment in Bitcoin and is often spread through phishing emails.
• Maze: A ransomware that not only encrypts files but also exfiltrates data from the victim's computer. It demands payment in Bitcoin and threatens to release the stolen data if the ransom is not paid.
• Locky is ransomware was spread by means of fake emails (phishing) with infected attachments. Locky ransomware targets file types that are often used by designers, developers, engineers and testers.
  
  

It's worth noting that ransomware is constantly evolving, and new variants with different names and characteristics are being discovered all the time.

Not all Ransomware encrypts your files. Some Ransomware may lock your computer screen or disable your operating system, making it impossible to use your computer. This type of Ransomware is known as "screen locker" or "locker" Ransomware. While this type of Ransomware may not be as damaging as encryption Ransomware, it can still cause significant disruption to your computer use.

Can Ransomware spread through WiFi network?

Yes, Ransomware can spread through a WiFi network if the network is not secure. Attackers may exploit vulnerabilities in the network or use social engineering tactics to trick users into downloading and running malicious software.

Tracing Ransomware attacks can be difficult, as attackers often use techniques such as encryption and anonymization to conceal their identity. However, law enforcement agencies and cybersecurity experts may be able to track down the attackers by analyzing the Ransomware code, communication channels, and payment methods.

Re-formatting your hard drive may remove Ransomware from your computer. However, this should only be done as a last resort, as it will erase all of your data. It is recommended to try other methods, such as restoring your computer from a backup or using anti-malware software, before resorting to re-formatting.

Yes, Ransomware can infect and encrypt files stored in cloud storage if the user has synced their local files to the cloud. It is essential to secure your cloud storage account with strong passwords and two-factor authentication to prevent unauthorized access.

Attackers use Bitcoin as the payment method for Ransomware because it provides them with anonymity and is difficult to trace. Bitcoin transactions are also fast and irreversible, making it easier for attackers to receive the ransom quickly and securely.