Ransomware is a form of malware that encrypts a victim’s files and demands payment in order to restore access. It has become an increasingly pervasive cyber threat in recent years. Examining case studies of ransomware attacks can provide important insights into how they occur, the damage they cause, and strategies for defending against them.
What are some high-profile examples of ransomware attacks?
Some of the most damaging ransomware incidents include:
- WannaCry (2017) – This ransomware spread rapidly around the globe, affecting over 200,000 computers across 150 countries. WannaCry exploited a vulnerability in older Windows systems to infect and encrypt files. It caused massive disruption, including shutting down parts of the UK’s National Health Service.
- NotPetya (2017) – Posing as ransomware, this wiper malware caused over $10 billion in damages across Europe, Asia, and the Americas. Once inside a system, it rapidly encrypted data and corrupted master boot records, rendering machines inoperable.
- Ryuk (2018) – Used to target large enterprises, Ryuk brought down systems at organizations such as the Chicago Tribune and Data Resolution. The attackers typically gained access via phishing and then worked to increase access and disable backups before deploying Ryuk to encrypt hundreds of computers.
- Sodinokibi (2019) – Also known as REvil, Sodinokibi has extracted ransoms as high as $2 million from victims like Travelex. The criminals behind it employ methods like “triple extortion,” threatening to auction off stolen data in addition to encrypting files.
What industries are frequent ransomware targets?
Ransomware threat actors often focus their efforts on these sectors:
- Healthcare – Hospitals and clinics make appealing targets due to the critical nature of their services and patient data. Attacks can lead to dangerous care delays and privacy breaches.
- Education – Academic institutions store sensitive student records and proprietary research data that are highly valuable to hackers.
- Government – Municipalities manage large volumes of citizens’ personally identifiable information that can be weaponized via ransomware extortion.
- Critical infrastructure – Energy companies, utilities, and transportation networks require consistent uptime to properly function and serve communities.
Additionally, managed service providers are prime targets. By compromising an MSP, ransomware groups can efficiently infect multiple downstream customer organizations through connected network infrastructure.
How do most ransomware attacks happen?
The majority of ransomware attacks commence with a social engineering scheme such as:
- Phishing – The attackers send emails impersonating trusted entities to trick users into opening malicious attachments or links that install the ransomware.
- Smishing/vishing – Similar to phishing, but leveraging SMS texts and voice calls rather than emails to manipulate victims.
- Malicious ads – Ransomware downloads onto devices when users click contaminated advertisements on websites.
- Remote desktop protocol (RDP) access – Brute forcing weak RDP credentials enables criminals to remotely control devices and deploy ransomware.
Alternatively, threat actors may exploit software vulnerabilities to push out ransomware laterally across networked environments. However, phishing and the other social tactics tend to be their foremost means of gaining initial access.
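The RDP brute-forcing vector above leaves a clear trace in authentication logs: a burst of failed logons from one source address, often against many different usernames. The following is an added example, not part of the original article, that flags such bursts with a sliding window. The log lines are constructed for this example and modelled on Windows Security Event ID 4625 (failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP); the field order and the `detect_rdp_bruteforce` function are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data), modelled on Windows Security
# Event ID 4625 (failed logon). LogonType 10 is RemoteInteractive, i.e. RDP.
# Field order assumed for this example: timestamp, event id, logon type, user, source IP.
SAMPLE_EVENTS = """\
2024-03-01T02:00:01 4625 10 administrator 198.51.100.23
2024-03-01T02:00:04 4625 10 admin 198.51.100.23
2024-03-01T02:00:07 4625 10 root 198.51.100.23
2024-03-01T02:00:09 4625 10 user 198.51.100.23
2024-03-01T02:00:12 4625 10 backup 198.51.100.23
2024-03-01T02:00:15 4625 10 jsmith 198.51.100.23
2024-03-01T02:10:30 4625 10 jsmith 203.0.113.9
2024-03-01T02:11:02 4625 10 jsmith 203.0.113.9
2024-03-01T09:15:00 4625 2 jsmith 10.0.0.5
"""

def parse_event(line):
    """Split one whitespace-separated event line into typed fields."""
    ts, event_id, logon_type, user, src_ip = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src_ip

def detect_rdp_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    Returns {src_ip: {"attempts", "users", "first_seen", "last_seen"}}; an entry is
    refreshed on each further failure so the final numbers cover the whole burst.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, user) still inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src_ip = parse_event(line)
        if event_id != 4625 or logon_type != 10:
            continue                  # only failed RDP logons are relevant here
        q = recent[src_ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()               # drop failures older than the window
        if len(q) >= threshold:
            alerts[src_ip] = {
                "attempts": len(q),
                "users": sorted({u for _, u in q}),  # many distinct users hints at spraying
                "first_seen": q[0][0],
                "last_seen": ts,
            }
    return alerts

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines()).items():
        print(f"{ip}: {info['attempts']} failed RDP logons, users tried: {info['users']}")
```

On the sample data only 198.51.100.23 is flagged: the two failures from 203.0.113.9 stay under the default threshold, and the 10.0.0.5 line is a local (LogonType 2) failure and is ignored.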
What are typical ransomware attack phases?
Ransomware attacks commonly unfold across these stages:
- Reconnaissance – Attackers identify potential targets through open source research and port scans, seeking vulnerable internet-facing assets like RDP.
- Initial compromise – An access point is established, often via phishing or exploiting weak credentials, to get a foothold on the first infected machine.
- Lateral movement – The attackers covertly expand access by moving internally from the first infected host to infect more endpoints and servers.
- Backup sabotage – To make restoring data more difficult, backup systems and processes are disrupted.
- Deployment – The ransomware is executed across the environment, encrypting files and shares.
- Extortion – Ransom demands are issued to coerce victims into paying cryptocurrency to supposedly decrypt their systems and data.
Reconnaissance
During reconnaissance, attackers quietly gather information on the target organization’s IT infrastructure – especially public-facing assets – to plan their infiltration strategy.
Initial compromise
The adversary compromises an internet-accessible system through tactics like phishing, RDP brute forcing, or exploiting vulnerabilities. This gets them an initial foothold.
Lateral movement
After the first machine is infected, the attacker pivots internally, traversing the victim’s network and searching for critical data stores and backup systems. They compromise additional hosts to establish broader access.
Backup sabotage
In this devastating step, attackers cripple backup and recovery mechanisms before deploying ransomware. This amplifies disruption and complicates restoration.
Deployment
The ransomware is deployed across the network, encrypting files on shared drives and endpoints. Devices are often rendered unbootable as well.
Extortion
With systems locked down and data inaccessible, the criminals issue ransom demands. They may also threaten to leak stolen data if payment is not made.
What defenses can reduce ransomware risk?
A layered mitigation strategy is key. Core ransomware defenses include:
- Backups – Maintain regular, isolated backups to enable recovery of encrypted data without paying ransom.
- Email security – Implement anti-phishing measures such as SPF, DKIM, and DMARC email authentication, combined with content filtering, to catch malicious emails.
- Endpoint protection – Deploy antivirus/anti-malware tools to block known ransomware variants on endpoints.
- Segmenting access – Limit lateral movement by segmenting the network and restricting excessive user permissions.
- Updating software – Patch security flaws in operating systems, applications, and firmware promptly to remove vulnerabilities.
- Cybersecurity training – Educate employees to recognize and report phishing attempts, suspicious activity, and other possible threats.
- Incident response plan – Have an IR plan at the ready to contain, eradicate, and recover from ransomware as quickly as possible.
What steps should be taken during and after an attack?
If ransomware gets through defenses, organizations should take these steps:
During an attack
- Isolate and power off infected systems to prevent further encryption/damage.
- Identify the ransomware sample and variant if possible.
- Check backup integrity to confirm that data can be restored.
- Contact law enforcement and cybersecurity professionals for assistance.
After an attack
- Wipe and restore compromised systems from clean backups.
- Harden security controls to close gaps that allowed access.
- Conduct a forensic investigation to determine the root causes.
- Increase staff phishing awareness through refreshed training.
- Review and update incident response plans accordingly.
Ransom payment should be an absolute last resort after exhausting all other options. There is no guarantee files can be recovered, and it encourages more cybercrime.
Conclusion
Ransomware remains a serious threat to organizations of all kinds, often inflicting severe business disruption and financial damages. While high-profile incidents highlight its dangers, thorough planning and preparation can help reduce ransomware risk. Heeding warning signs, hardening defenses, and having robust backup/recovery capabilities are all critical – as is training personnel to avoid enabling the initial compromise. With vigilance and a multi-layered strategy, organizations can protect themselves and withstand potential ransomware attacks.