Is ransomware a type of attack?

Ransomware is a type of malicious software that blocks access to a computer system or data until a ransom is paid. It has become an increasingly common and damaging form of cyber attack in recent years.

What is ransomware?

Ransomware is a form of malware that encrypts files on a device or blocks access to systems. The attackers demand that the victim pay a ransom in order to decrypt the files or regain access to the affected systems. The ransom is usually demanded in cryptocurrency, such as Bitcoin, which is difficult to trace. There are several types of ransomware, but they generally work in a similar way, denying access or encrypting data until the ransom is paid.

How does ransomware infect systems?

Ransomware often initially infects systems through phishing emails containing malicious attachments or links. If the user opens the attachment or clicks the link, the ransomware is downloaded onto their device. It may also spread through unpatched software vulnerabilities, infected software downloads, or visits to compromised websites. Once on a system, the ransomware encrypts files or locks systems and displays the ransom demand.

Common ransomware infection vectors:

  • Phishing emails with infected attachments or links
  • Drive-by downloads from malicious websites
  • Software and operating system vulnerabilities
  • Infected software or fake software updates
  • Remote desktop breaches

What are the main types of ransomware?

There are a few major types of ransomware:

Encryption ransomware

This type of ransomware encrypts files, making them inaccessible until the ransom is paid. Examples include WannaCry, CryptoLocker, and Ryuk.

Locker ransomware

Locker ransomware locks users out of their devices or blocks access to the system. The screen is locked, often displaying the ransom demand. Examples include Reveton and MegaCortex.

Doxware

Doxware threatens to publish sensitive data stolen from the victim unless the ransom is paid. This can include personal files, browsing history, login credentials, etc.

Leakware

Leakware steals sensitive data from the victim’s systems before encrypting the files. The attackers threaten to make the stolen data public unless the ransom is paid.

What are the objectives of ransomware attacks?

The main objectives of ransomware attacks include:

  • Extort money from victims by charging a ransom fee to unlock files or systems
  • Disrupt business operations by restricting access to critical systems and data
  • Steal corporate or personal information for extortion
  • Hide other malicious activity, since regular antivirus software may be disabled during the attack

For cybercriminals, ransomware can be a very effective way to make money. The ransoms charged can range from a few hundred to millions of dollars. Even if only some victims pay up, it can still be highly profitable for the attackers.

What are some notable examples of ransomware attacks?

Some major ransomware attacks include:

WannaCry (2017)

WannaCry rapidly spread through Windows systems worldwide, infecting over 200,000 computers across 150 countries. It leveraged stolen NSA exploits and encrypted files, demanding ransoms in Bitcoin.

NotPetya (2017)

NotPetya posed as ransomware but was designed to simply destroy data. It spread through a compromised software update in Ukraine and caused over $10 billion in global damages.

Ryuk (2018-Present)

Ryuk has targeted large enterprises and infrastructure, infecting systems manually through remote access and demanding huge Bitcoin ransoms. Victims include hospitals, local governments, and Fortune 500 firms.

Ragnar Locker (2020-Present)

An emerging ransomware strain that mostly targets corporate networks. It exfiltrates data before encrypting files and threatens to release the sensitive data if the ransom isn’t paid.

These and many other ransomware strains have caused significant financial damage and disrupted operations for businesses, governments, healthcare organizations and personal users.

What techniques do ransomware attackers use?

Ransomware attackers employ a variety of techniques to infect systems and coerce victims into paying, such as:

  • Using social engineering like phishing emails to trick users into installing malware
  • Exploiting software or operating system vulnerabilities
  • Brute forcing or guessing weak passwords to gain access and spread ransomware
  • Leveraging malware toolkits and frameworks for deployment
  • Using anonymity tools like Tor to hide infrastructure
  • Demanding payment via cryptocurrency to avoid tracking
  • Setting short time windows for payment to pressure victims
  • Threatening to delete data, leak it online, or sell it to others if unpaid
  • Targeting high-value individuals, businesses, and industries likely to pay up
  • Using multiple systems to generate different ransomware strains

Their technical sophistication, pressure tactics, and ransom demands continue to increase.

How much do ransomware attacks cost victims?

In 2021, the average ransomware payment was $541,010, more than double the $170,404 average payment in 2020, according to Unit 42 ransomware research. However, costs beyond the ransom payment can be extensive:

  • Business disruption due to restricted access to systems and data
  • Lost revenue and productivity during downtime
  • Costs associated with data loss if files aren’t recoverable
  • Technical costs to restore and secure systems
  • Reputational damage and loss of customer trust
  • Legal, regulatory, and compliance penalties

A Sophos report found the average bill for rectifying a ransomware attack was $1.4 million for mid-sized organizations. Large organizations face average recovery costs over $2 million.

Are there laws against paying ransoms?

In most countries, including the United States, there are no laws prohibiting ransomware payments. However, the U.S. Treasury Department advises against meeting ransomware payment demands, as this can embolden attackers and fund criminal and terrorist activity.

Some considerations regarding the legality of ransom payments:

  • Paying ransoms could violate sanctions laws if the attackers are associated with embargoed nations
  • Ransom payments made by financial firms must comply with anti-money laundering regulations
  • Firms should ensure ransom payments don’t breach internal compliance policies
  • Tax deductions may not be permitted for ransomware payments in some jurisdictions

Organizations should also consider whether ransom payments align with ethical policies and could encourage future attacks.

Should ransomware attacks be reported to law enforcement?

Security experts strongly recommend contacting law enforcement if your organization suffers a ransomware attack. Reasons to involve the authorities include:

  • They may be able to use legal channels to track the attackers
  • Reporting contributes intelligence about the ransomware threat
  • Law enforcement can help secure compromised systems
  • Failure to report cyber crimes can result in regulatory penalties
  • Authorities can provide advice or notify other potentially vulnerable organizations
  • FBI or international law enforcement may have decryption keys to unlock files

Organizations should report ransomware incidents to local authorities and the FBI’s Internet Crime Complaint Center. Most law enforcement agencies recommend not paying the ransom before filing a report.

How can companies defend against ransomware?

Protecting against ransomware requires layers of cybersecurity defenses, including:

  • Emergency incident response planning for ransomware attacks
  • User security training to prevent phishing and social engineering
  • Installing software patches and updates promptly
  • Using strong, unique passwords and multi-factor authentication
  • Deploying endpoint detection and anti-ransomware software
  • Conducting frequent backups and isolating backups from networks
  • Limiting user account privileges and internet access
  • Monitoring systems for IOCs associated with ransomware
  • Segmenting networks to limit spread of malware

Firms should also establish data classification and acceptable use policies. Cyber insurance can offset costs, but should not replace security best practices.

Should ransomware payments be made?

There is an ongoing ethical debate regarding paying ransomware demands. Considerations include:

  • Paying ransoms funds criminal organizations and incentivizes further attacks
  • However, refusing to pay can result in permanent data loss or interruption of critical services
  • There is no guarantee files will be restored if the ransom is paid
  • Decryption keys may be sold to third parties even if the ransom is paid
  • Payment doesn’t prevent leaked data from being misused if already stolen
  • Some law enforcement agencies advise against paying for ethical reasons

Ultimately, the decision depends on each organization’s circumstances. Factors include the criticality of affected data or systems, potential downstream impacts of non-payment, and tolerance for risk.

What is the future outlook for ransomware attacks?

Cybersecurity researchers widely agree the ransomware threat will continue growing in scale and sophistication. Trends include:

  • Increasingly advanced techniques for compromising networks
  • Automation to enable mass deployment of ransomware
  • Higher ransom demands, especially against critical infrastructure sectors
  • Greater leverage of stolen data for extortion
  • More ransomware-as-a-service empowering lower-skilled actors
  • Continued growth of ransomware cartels and specialization
  • Cryptocurrency enabling easier ransom payments

As ransomware attacks proliferate, organizations must continue prioritizing cyber resilience and incident response capabilities.

Summary

Ransomware is unequivocally a dangerous and costly form of cyber attack aimed at extorting money from victims by restricting access to systems or data. Its disruption of critical services and extraction of huge ransom payments make it a severe economic and security threat. While debates remain about the ethics of paying ransoms, bolstering defenses across endpoints, networks, and employees provides the best protection against ransomware attacks. With the scale and profitability of these attacks increasing, concerted efforts by the cybersecurity industry, law enforcement, governments, international organizations, and public-private partnerships will be needed to mitigate the soaring global impact of ransomware.