Ransomware is a type of cyber attack that has become one of the most dangerous threats to businesses and individuals in recent years. It is malicious software that encrypts files on a device and demands a ransom payment to decrypt them and restore access. Let's take a closer look at what defines ransomware as an attack.
What is ransomware?
Ransomware is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access. It encrypts files on the victim's computer or device and displays a message demanding payment. The ransom demand is usually in the form of a cryptocurrency, such as Bitcoin, which is difficult to trace. Several different methods are used to infect systems with ransomware:
- Phishing emails containing infected attachments or links
- Drive-by downloads from compromised websites
- Remote Desktop Protocol vulnerabilities
- Software or application vulnerabilities
Once installed, the ransomware encrypts files on the system's hard drive as well as any external or networked drives the victim has access to. The encryption typically uses strong algorithms, so the files cannot feasibly be decrypted without the attacker's key. The ransom note contains instructions for how to pay, usually involving purchasing cryptocurrency. Ransom amounts range from several hundred to thousands of dollars. If the ransom is paid, the attackers claim they will provide the decryption key to unlock the files. However, there is no guarantee that files will be recovered, even if the ransom is paid.
History of ransomware
The first ransomware attacks appeared in the late 1980s, but ransomware really emerged as a major threat in the mid-2000s. Some key events in the history of ransomware include:
- 1989 – The AIDS Trojan was mailed to attendees of the World Health Organization’s AIDS conference. It encrypted files on the victim’s machine and demanded a payment of $189.
- 2005 – GPCode was one of the first ransomware tools to use public key cryptography to encrypt files.
- 2013 – CryptoLocker emerged as a major threat, infecting over 250,000 computers globally.
- 2017 – WannaCry and NotPetya caused widespread damage across 150 countries.
- 2018 – Ryuk and other targeted ransomware emerged, focusing on bigger payouts from businesses.
- 2021 – REvil/Sodinokibi used double extortion, stealing data and threatening to leak it if the ransom was not paid.
As you can see, ransomware emerged as a niche threat initially but rapidly evolved due to the success attackers were having with extorting money from victims. It is now one of the most common and damaging cybersecurity threats faced by organizations around the world.
Main types of ransomware
There are a few main types of ransomware that are most commonly seen in attacks today:
Scareware does not actually encrypt files, but displays alarming messages intended to scare victims into paying. Payment is unnecessary since no real damage occurs.
Encrypting ransomware is what most people think of when they hear the term today. It uses encryption algorithms to lock access to files and systems unless the ransom demand is paid.
Locker ransomware does not encrypt files, but instead locks victims out of their devices or critical functions of the system. Payment is demanded in order to restore full access.
Leaking or extortion ransomware steals sensitive data from the victim’s system before encrypting files. If the ransom is not paid, the data will be leaked publicly or sold.
Stages of a ransomware attack
Ransomware attacks typically unfold across the following stages:
- Infection vector – An email, website, download, or vulnerability is exploited to install the ransomware on the victim’s device.
- Communication – The ransomware communicates back to its command and control server for encryption keys.
- Locking – The ransomware recursively encrypts files on local drives as well as shared or networked drives.
- Ransom demand – A ransom note is displayed with payment instructions, usually demanding cryptocurrency.
- Extortion – Some ransomware also threatens to leak or publicly release sensitive stolen data if the ransom is not paid.
Understanding the attack lifecycle helps organizations defend against ransomware: securing the infection vectors, and detecting the communication and locking stages before significant file encryption occurs.
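As an added illustration of detecting the locking stage (example code written for this article, not taken from any product or ransomware family), the following Python heuristic scans constructed file-system events for a process that rewrites many files under a new name with near-random content inside a short window. The process names, paths, event format and thresholds are assumptions made for the example.

```python
import math
from collections import defaultdict

WINDOW_S = 10            # sliding window in seconds
MIN_FILES = 5            # suspicious rewrites inside the window before alerting
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext approaches 8.0, documents sit far lower

# Constructed sample content: a full-range byte pattern stands in for ciphertext,
# repeated text stands in for an ordinary document.
CIPHERTEXT = bytes(range(256)) * 4
PLAINTEXT = b"quarterly report draft " * 32

def event(t, proc, old_path, new_path, data):
    return {"t": t, "proc": proc, "old": old_path, "new": new_path, "data": data}

# Constructed file-system events: a word processor saving normally over a minute,
# then an unknown process rewriting eight documents as ciphertext with a new extension.
SAMPLE_EVENTS = (
    [event(t * 10, "winword.exe", f"/share/doc{t}.docx", f"/share/doc{t}.docx", PLAINTEXT)
     for t in range(6)]
    + [event(100 + i * 0.3, "unknown.exe", f"/share/doc{i}.docx", f"/share/doc{i}.docx.locked", CIPHERTEXT)
       for i in range(8)]
)

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the maximum and typical of encrypted output."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_encrypted(e) -> bool:
    """A rewrite that changes the file name and leaves near-random content behind."""
    return e["old"] != e["new"] and shannon_entropy(e["data"]) >= ENTROPY_THRESHOLD

def detect_locking_stage(events, window_s=WINDOW_S, min_files=MIN_FILES):
    """Map each process that mass-rewrites files as ciphertext to the time it first tripped the threshold."""
    recent = defaultdict(list)  # process -> timestamps of suspicious rewrites in the window
    alerts = {}
    for e in sorted(events, key=lambda x: x["t"]):
        if not looks_encrypted(e):
            continue
        ts = recent[e["proc"]]
        ts.append(e["t"])
        while ts[0] < e["t"] - window_s:  # expire timestamps outside the window
            ts.pop(0)
        if len(ts) >= min_files and e["proc"] not in alerts:
            alerts[e["proc"]] = e["t"]
    return alerts
```

In production this rule needs an allowlist for legitimate high-entropy writers such as backup and compression tools, which otherwise produce false positives.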
Examples of ransomware
Some examples of well-known ransomware strains include:
| Name | Year | Description |
| --- | --- | --- |
| WannaCry | 2017 | Exploited a Windows SMB vulnerability to spread. Encrypted files and demanded a $300 ransom in Bitcoin. |
| NotPetya | 2017 | Posed as ransomware but was designed for destruction. Caused over $10 billion in damages. |
| Ryuk | 2018 | Targeted enterprises and demanded large ransoms, up to $5 million, paid in Bitcoin. |
| Sodinokibi/REvil | 2019 | Auctioned off leaked data if the ransom was not paid. Highly sophisticated. |
Impact of ransomware
Ransomware can have severe impacts on individuals and organizations. Effects include:
- Loss of access to critical files, systems, and applications
- Revenue and productivity losses during downtime
- Costs associated with data recovery and system restoration
- Reputational damage and loss of customer trust
- Liability issues if sensitive data is leaked
According to cybersecurity firm Emsisoft, the global cost of ransomware could be as high as $20 billion annually when business interruption is factored in.
Table: Estimated global ransomware costs
| Type | Est. Annual Cost |
| --- | --- |
| Ransom payments | $5 billion |
| Business interruption | $15 billion |
Is paying the ransom recommended?
There is considerable debate around whether victims should pay ransom demands or not. Some key considerations include:
- Paying does not guarantee files will be recovered, since attackers may still choose not to provide decryption keys
- Paying encourages more ransomware attacks as attackers see it as a profitable endeavor
- Not paying risks permanent data loss if files cannot be recovered through other means
- Law enforcement recommends not paying ransoms to disincentivize attacks
Many organizations are improving their backup systems and processes so they can restore encrypted files without paying ransom. However, in cases of sensitive files or time-critical systems, some choose to pay.
Ransomware defense strategies
Defending against ransomware requires a multi-layered strategy across people, processes, and technology. Key elements include:
User awareness training
Train employees to identify and avoid ransomware infection vectors like phishing.
Email and web filtering
Block suspicious attachments, links, and emails at the gateway before they reach end users.
Patch management
Promptly patch and update operating systems, software, and applications.
Network segmentation
Isolate and segment parts of the network to limit lateral movement.
Offline backups
Maintain recent backups offline to enable file restoration without paying a ransom.
Endpoint detection and response
Use EDR tools to detect and block ransomware installation and behavior.
Should ransomware payments be banned?
Some policymakers argue that banning ransomware payments could help deter attacks. Proponents argue that:
- Paying ransoms funds criminal organizations and enables further crime
- Banning payments forces organizations to improve security posture
- Disrupting attacker revenue models can limit ransomware growth
Opponents counter that payment bans could perversely increase damage from attacks. Counterarguments include:
- Organizations may suffer more irrecoverable data loss without option to pay
- Attackers will find other forms of monetization beyond encrypting data
- Blanket payment bans reduce options for victims in complex situations
The debate involves balancing cybercrime deterrence against preserving recovery options. The optimal policy likely calls for a nuanced approach rather than outright prohibition.
Are ransomware attacks increasing?
Ransomware attacks have been increasing at an alarming rate in recent years:
- Ransomware grew over 350% globally from 2018 to 2019
- Attacks on healthcare organizations increased 55% from 2020 to 2021
- SonicWall recorded 4.8 million ransomware attacks in 2021, a 105% year-over-year increase
Key factors driving the ransomware surge include:
- Lucrative payouts netting millions of dollars for attackers
- Ability to hide behind cryptocurrency transactions
- Lower barriers to entry for novice hackers
- Ransomware-as-a-Service offerings on the dark web
As long as ransomware remains highly profitable with low risk, growth is likely to continue absent major defensive improvements.
Are some industries more targeted?
Certain industries appear to be highly targeted by ransomware gangs due to having more lucrative targets or weaker security postures. Industries frequently targeted include:
- Local government
Hospitals and school districts are often targeted because they rely heavily on timely access to data and systems to deliver critical services, so paying a ransom can appear more attractive than suffering a major disruption. Similarly, manufacturers and energy companies depend on operational technology and cannot afford extended outages. Understanding which industries are targeted helps inform security priorities.
Notable ransomware trends
Some emerging trends demonstrate how ransomware tactics and technology continue to evolve:
Ransomware-as-a-Service
Developers lease or sell ransomware code to affiliates who then carry out attacks and give the developers a cut.
Double and triple extortion
In addition to encrypting files, attackers also threaten to publicly leak stolen data or launch DDoS attacks if the ransom is not paid.
Supply chain attacks via managed service providers
Attackers compromise MSPs and push ransomware to their downstream customer networks.
Ransomware on Linux systems and IoT devices
Attackers are expanding beyond Windows to target Mac, Linux, and internet-connected devices.
Automation using artificial intelligence
AI enables attacks to be executed faster, against more targets, and with less human oversight.
Ransomware remains one of the top cybersecurity threats for organizations across industry verticals. As attack rates accelerate, organizations need to prioritize risk-based defenses leveraging layered security controls, employee education, contingency planning, and cyber insurance. Implementing comprehensive security measures provides the best protection against ransomware attacks that are growing increasingly frequent and damaging.