What is ransomware and how do you stop it?

Ransomware is a type of malicious software that blocks access to a computer system or data until a ransom is paid. It has become a major cyber threat in recent years, with attacks on businesses, government agencies, hospitals and everyday internet users. Understanding what ransomware is, how it spreads and ways to prevent it can help protect you from this insidious cyberattack.

What exactly is ransomware?

Ransomware is a form of malware that encrypts files on a device, rendering them unusable until a ransom demand is met. The ransom is typically demanded in a cryptocurrency, such as Bitcoin, that is difficult to trace. Once the ransom is paid, the attacker provides the victim with a decryption key to restore access to the files. If the ransom is not paid, the data may be lost forever.

Some key characteristics of ransomware include:

  • Blocking of access to a system or its data
  • Encryption of files
  • Demand for a ransom payment
  • Decryption upon payment

Ransomware can target various platforms including Windows, Mac, Linux and Android devices. Attacks may be broad-based or specifically target businesses and organizations.

How does ransomware infect a system?

Ransomware uses a variety of infection vectors to get onto a device or network. Some common infection methods include:

  • Phishing emails – Deceptive emails containing links or attachments that download the ransomware when clicked or opened.
  • Compromised websites – Websites that have been hacked to distribute malicious downloads of ransomware.
  • Trojan horses – Legitimate-looking programs that have ransomware bundled with them.
  • Drive-by downloads – Visiting compromised websites that automatically download and install ransomware.
  • Remote desktop access – Gaining access to a system via weak or stolen remote desktop credentials.
  • Software vulnerabilities – Exploiting unpatched or outdated software programs to deliver ransomware.

Once installed, the ransomware seeks out and encrypts key files on the infected system. It will often scan mapped drives and backups to encrypt those files as well. The ransom demand is then displayed.
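The mass-encryption behaviour described above leaves a recognisable trace in file-system audit logs: one account rewriting many files across several volumes, including mapped drives, within seconds. As an added example, not taken from the original article, this Python detector flags that pattern over a constructed audit trail; the log format, thresholds and user names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)  # burst window (assumed threshold)
MIN_FILES = 25                  # distinct files rewritten inside the window
MIN_VOLUMES = 2                 # distinct volumes touched, e.g. C: plus a mapped Z:

def parse_event(line: str):
    """Assumed audit-line format: '<ISO timestamp> <user> <action> <path>'."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path

def detect_bursts(lines) -> list[dict]:
    """Return one alert per user the first time their recent WRITEs look like mass encryption."""
    recent = defaultdict(deque)  # user -> (timestamp, path) pairs still inside the window
    alerted, alerts = set(), []
    for line in lines:
        ts, user, action, path = parse_event(line)
        if action != "WRITE":
            continue
        window = recent[user]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW:  # drop events that aged out of the window
            window.popleft()
        files = {p for _, p in window}
        volumes = {PureWindowsPath(p).drive for p in files}
        if user not in alerted and len(files) >= MIN_FILES and len(volumes) >= MIN_VOLUMES:
            alerted.add(user)
            alerts.append({"user": user, "at": ts.isoformat(), "files": len(files),
                           "volumes": sorted(volumes)})
    return alerts

def sample_events() -> list[str]:
    """Constructed audit trail: bob edits a few files over 15 minutes; alice's session
    rewrites 30 files on C: and on mapped drive Z: within 30 seconds."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=3 * i)).isoformat()} bob WRITE C:\\Users\\bob\\notes{i}.txt"
             for i in range(5)]
    for i in range(30):
        drive = "C:" if i % 2 == 0 else "Z:"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} alice WRITE {drive}\\shared\\doc{i}.docx.locked")
    return sorted(lines)  # ISO timestamps sort chronologically as strings
```

Running `detect_bursts(sample_events())` raises a single alert for alice at the 25th file, while bob's slow, single-volume edits never cross the thresholds.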

Recent ransomware variants

There are many variants of ransomware that have caused destruction. Some major examples include:

  • WannaCry – Widespread attack in 2017 affecting over 200,000 computers across 150 countries. Targeted Windows machines.
  • Petya/NotPetya – Highly damaging attacks in 2016-2017 that caused over $10 billion in losses. Affected Windows and later Linux systems.
  • Cerber – Emerging in 2016, Cerber was offered as ransomware-as-a-service on the dark web. Infected 150 countries.
  • CryptoLocker – One of the earliest ransomware strains from 2013. Inflicted over $3 million in losses.
  • Ryuk – Prolific ransomware since 2018 targeting large enterprises. Netted over $150 million for its creators.
  • Conti – Ransomware affiliate program responsible for high-profile attacks on hospitals, law firms and schools in 2021.

New ransomware strains emerge frequently, exhibiting enhancements like encryption improvements, alternative infection methods and ransom demands in the millions of dollars.

Recent notable ransomware attacks

Some noteworthy ransomware incidents that had major impacts include:

  • Colonial Pipeline – Shut down a major US fuel pipeline in 2021 causing gas shortages and panic buying on the East Coast.
  • JBS – Forced the shutdown of plants owned by the world’s largest meat producer in 2021.
  • Kaseya – Supply chain attack in 2021 affecting up to 1,500 businesses through a software provider.
  • Ireland’s Health Service Executive – Crippled healthcare IT systems for months in 2021, causing major care disruptions.
  • Garmin – Took down smartwatch and GPS device operations for days in 2020.

These are just some examples of the far-reaching and costly impacts ransomware can have when critical infrastructure, supply chains and healthcare systems are compromised.

Who is responsible for ransomware?

Ransomware operations involve several participants:

  • Developers – Coders who build ransomware strains and include features like encryption and evasion techniques.
  • Affiliates – Individuals who distribute the ransomware in return for a percentage of ransom payments.
  • Mule networks – Money launderers who convert and transfer ransom payments into clean cryptocurrency.
  • Ransom negotiators – Engage with victims during the payment and data-recovery process.
  • Group administrators – Oversee and coordinate the participants and development of ransomware programs.

Many ransomware operators originate from Russia or former Soviet states. Prominent examples of Russia-linked ransomware strains include Ryuk, Conti and REvil. The Russia-based cybergang Wizard Spider is associated with operating Ryuk and Conti. North Korean state-sponsored hackers have also been linked to crafting ransomware like WannaCry.

Why is ransomware so effective?

There are several factors that make ransomware a highly potent and successful cyber threat:

  • Difficult to trace payments – Cryptocurrency ransoms like Bitcoin are extremely hard to track, letting attackers easily monetize without getting caught.
  • Highly vulnerable targets – Many organizations lack adequate cybersecurity measures, making them susceptible to ransomware.
  • Disruptive impact – Ransomware can quickly paralyze business, healthcare and government operations, pressuring victims into paying.
  • Low risk – Relatively low effort for attackers compared to payoff. Ransomware kits are readily available.
  • Typical payouts – The average ransom payment in 2021 was over $200,000, making attacks very lucrative.

The combination of factors above has led to ransomware emerging as one of the foremost cybercrime threats faced today across all sectors.

Should ransom be paid?

Paying the ransom demand is a complex decision:

  • May recover data – Files are sometimes decrypted upon payment, but this is not guaranteed.
  • Encourages more attacks – Payouts fund criminals to expand operations.
  • Possibility of repeat attacks – Nothing prevents another attack after paying once.
  • May be the only option – If backups are impacted and downtime is intolerable, paying may be unavoidable.
  • No legal recourse – Law enforcement discourages ransom payments, but provides little support.

Some best practices around considering ransom demands include:

  • Consult experts on likelihood of decryption success
  • Evaluate downtime costs and data criticality
  • Check insurance policies for possible coverage
  • Negotiate ransom amount if unavoidable
  • Isolate payment systems from network beforehand

Paying ransoms should be an absolute last resort option after all other recovery methods are exhausted.

How can you prevent ransomware attacks?

A combination of security measures provides the best defense against ransomware threats:

  • Backup regularly – Maintain offline backups of critical data to enable restoration without paying ransom.
  • Software updates – Patch and update operating systems, software and firmware to close security gaps.
  • Endpoint protection – Install advanced endpoint security tools to block malicious downloads and activity.
  • Network segmentation – Isolate and segregate access to sensitive systems and data repositories.
  • Access controls – Limit user and device access to only what is required for functions.
  • Employee training – Educate staff on cyber risks like phishing and social engineering.
  • Incident response plan – Have an IR plan ready for quickly reacting to potential intrusions.

Locking down security layers, preventing initial access attempts and limiting lateral movement after break-ins are key to stopping ransomware.

How can backups help defend against ransomware?

Maintaining regular backups of systems and data provides protection against loss or encryption:

  • Backups enable restoring data without paying ransom
  • Backups should be kept offline or immutable to prevent encryption
  • Test backups periodically for viability and data integrity
  • Ensure versioning so backups are not overwritten
  • Cyclically rotate through backup media to retain copies

Having a dependable backup makes it possible to wipe and recover systems hit by ransomware without paying extortionists.
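As an added example that is not part of the original article, the Python script below implements the versioning and integrity-testing points above: every backup run writes a new snapshot that is never overwritten, records a SHA-256 manifest, and a verify step reports any file whose content no longer matches, which is what a backup copy reached by ransomware looks like. The function names, snapshot layout and sample files are assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def create_snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Copy source into a new snapshot named label and write a per-file hash manifest."""
    snapshot = backup_root / label
    if snapshot.exists():  # versioning: never overwrite an earlier snapshot
        raise FileExistsError(f"snapshot '{label}' exists; refusing to overwrite a prior version")
    data = snapshot / "data"
    shutil.copytree(source, data)
    manifest = {str(p.relative_to(data)): sha256_file(p) for p in data.rglob("*") if p.is_file()}
    # Keep the manifest on separate write-once storage (or sign it) so it cannot be rewritten with the data.
    (snapshot / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    return snapshot

def verify_snapshot(snapshot: Path) -> list[str]:
    """Return relative paths that are missing or whose hash no longer matches the manifest."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    data = snapshot / "data"
    return [rel for rel, digest in manifest.items()
            if not (data / rel).is_file() or sha256_file(data / rel) != digest]

def demo() -> dict:
    """Constructed run: a fresh snapshot verifies clean; an overwritten copy is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        src, root = Path(tmp) / "src", Path(tmp) / "backups"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("quarterly numbers")
        snap = create_snapshot(src, root, "2024-01-01T00-00")
        clean = verify_snapshot(snap)
        # Simulate the backup copy itself being reached and encrypted by ransomware.
        (snap / "data" / "docs" / "report.txt").write_bytes(b"\x00garbled ciphertext\x00")
        tampered = verify_snapshot(snap)
        try:
            create_snapshot(src, root, "2024-01-01T00-00")  # same label again
            refused = False
        except FileExistsError:
            refused = True
    return {"clean": clean, "tampered": tampered, "overwrite_refused": refused}
```

Hashing detects a corrupted or encrypted copy but does not prevent it; the offline or immutable storage recommended above is what keeps the snapshot and its manifest out of the malware's reach.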

What cyber insurance policies may cover ransomware?

Cyber insurance can potentially cover some costs related to ransomware attacks:

  • Data recovery and restoration expenses
  • Business interruption losses
  • Cyber extortion and ransom negotiations
  • Crisis management services
  • Public relations assistance

Policies vary, so businesses should carefully evaluate coverage and limits. Claims may affect future premiums and coverage eligibility.

What to do when hit with ransomware?

Steps to take if ransomware encrypts your system or data:

  1. Disconnect infected devices from any network
  2. Determine the strain of ransomware if possible
  3. Check for any decryption tools immediately
  4. Evaluate your backup situation
  5. Notify authorities and obtain a complaint number
  6. Seek assistance from cybersecurity professionals
  7. Only consider paying ransom as a last viable option

Staying calm, acting quickly and contacting the right help can maximize chances of recovering from a ransomware incident.

The future of ransomware

Ongoing ransomware trends include:

  • More sophisticated evasion of security tools
  • Shifting delivery from spam campaigns to MitM and remote access
  • Targeting cloud environments and container infrastructure
  • Leveraging anonymity of cryptocurrencies and blockchain
  • Increasingly destructive ransomware-as-a-service offerings

As companies digitize operations, ransomware provides motivated attackers an efficient way to disrupt and extort money. Businesses, governments and individuals must remain vigilant and proactive in defending against ransomware threats.

Conclusion

Ransomware represents a clear danger to organizations across many industries. Awareness of emerging threats and adequate preventative measures are essential to protect against this crippling cyberattack. Implementing comprehensive security and reliable backup and recovery methodologies makes organizations ransomware-resilient. However, many networks still remain dangerously exposed to potential ransomware infiltration. Ongoing training and testing are imperative to stay on top of this constantly evolving threat.