Ransomware is a type of malicious software that disrupts computers, servers, and other devices by installing itself and then blocking access, deleting, or otherwise compromising legitimate data and applications. It typically demands a payment, or ransom, to “unlock” the computer and grant full access to the device and any related data and applications.

Ransomware is a kind of malware and is used by hackers and criminal organizations to extort money from businesses and individuals. There are several different categories of ransomware, including:

A few key ways to protect your business from ransomware include user education, least privilege policies, vulnerability scanning and remediation, and more.

Ransomware Targets

As of July 2018, worldwide ransomware campaigns are declining, but there is still plenty of reason for concern. In particular, hospitals and other medical providers, cryptocurrency exchanges and miners, and smaller, niche businesses continue to be lucrative targets for ransomware attacks.

There’s also a rise in the number of nation-state actors launching ransomware attacks as part of international cyber warfare. The way criminals use ransomware is also changing, with an increase in rentable “Ransomware as a service” attacks.

Here are just a few of the most notable examples of high-profile ransomware attacks:

WannaCry

WannaCry is a ransomware payload that was grafted onto a vulnerability discovered by the NSA and leaked by the Shadow Brokers. The WannaCry ransomware cryptoworm unleashed a worldwide attack in May 2017. Emergency patches by Microsoft, along with the discovery of a kill switch, helped stop the spread within a few days, but not before an estimated 200,000 computers across 150 countries were affected, with damages ranging from hundreds of millions to billions of dollars. The attackers leveraged the vulnerabilities (nicknamed EternalBlue and DoublePulsar) and grafted on WannaCry (real name WanaCrypt0r) as the payload. WannaCry does not need any user interaction to infect a host. The payload contains its own network scanner that can discover new hosts and self-propagate; this is how it spread so fast and through so many companies without anyone clicking on a link or browsing a malicious website.

Petya

Petya, like WannaCry, involves exploitation of the EternalBlue vulnerability. Petya and its variants (such as NotPetya) proliferate through malicious Office attachments and email. Once the malware is installed, it seeks out other systems to exploit. On June 27, 2017, a number of Ukrainian companies bore the brunt of Petya ransomware attacks. The power grid, nuclear facilities, and other key infrastructure companies were targeted. The radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant was knocked offline. The NotPetya variant has been billed as the “most costly cyber-attack in history,” with damage spiraling into the billions of dollars and affecting large businesses and governmental organizations worldwide.

CryptoLocker

CryptoLocker, while not the first ransomware, really brought ransomware into the public eye. The CryptoLocker ransomware attack, perpetrated by the Gameover Zeus botnet, ran from September 2013 to May 2014 and infected more than 250,000 systems. CryptoLocker was a trojan targeting Microsoft Windows computers and spread via infected spam email attachments. While CryptoLocker could be removed from systems fairly easily, the files it had encrypted could generally not be recovered, often even when the ransom was paid.

While the FBI urges organizations not to pay the ransom, according to an IBM security study, over 70% of affected businesses do pay the ransom. Half of those businesses paid over $10,000, while 20% paid over $40,000 to eliminate the ransomware and get back access to their systems and data.

Common Ransomware Attack Vectors

A ransomware attack typically leverages one or more of the following methods to install itself on computers and other devices:

Social engineering

Users are contacted by criminals and persuaded to install software on their machines.

Email attachments

Users open an email attachment that contains malware that is then installed on their machine.

Macros

Macros in MS Office and other apps can install ransomware.

Downloads

Certain downloaded software can have a hidden “payload” of ransomware.

Spreading through network drives

Mapped network drives allow the ransomware to spread to other machines.

Malware-infected websites

Certain websites can install malware when they are visited, especially if you haven’t patched your browsers or turned on proper browser security. This includes popup online ads.

Administrative access

Root or administrative access can allow malware to spread quickly through your organization.

How to Prevent or Eliminate Ransomware Attacks

By applying the following nine best practices, individuals and organizations can reduce the risk of ransomware infection, or at least limit its spread and damage if an infection should occur:

  1. User education: Train users in popular social engineering techniques. Inform them about the dangers of macros, Office documents, email attachments, and downloads, and give them techniques to identify these threats.

  2. Secure macros: Newer versions of MS Office have options to disallow any macros that are not digitally signed. Make sure you enable this option by default.

  3. Patch and update software and OS vulnerabilities: Some malware targets identified vulnerabilities. Ensure you have a thorough patching process that quickly identifies and fixes software and OS flaws.

  4. Apply least privilege policies: Assign application and data access privileges based on job roles and ensure users do not have more access than they need. This includes removing administrator rights. Most ransomware (albeit not macro-based ransomware and some other forms, such as with WannaCry) requires administrator privileges just to launch.

  5. Use vulnerability scanning and patch management: Regularly scan your IT ecosystem for potential vulnerabilities and have a robust vulnerability management process to fix any issues.

  6. Enforce application control: Prevent installation or usage of applications unless they are vetted and approved by your IT security team.

  7. Apply network segmentation: Particularly in dangerous server-side ransomware attacks, network segmentation provides a critical way to divide resources in such a way so that an infection can be contained, rather than jumping throughout the entire network.

  8. Make regular backups: If you are impacted by ransomware, you will need to recover applications and data. Have a robust backup process in place that combines live mirroring, periodic backups, drive imaging, and incremental backups.

  9. Have a disaster recovery process: If you are impacted, it’s vital everyone understands what they need to do. Develop a working DR process for identifying and resolving ransomware attacks, reinstalling machines, and recovering data.
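As an added example (not part of the original article), the following PowerShell script audits, and optionally enforces, the "disable all macros except digitally signed" setting from practice 2 for Word, Excel and PowerPoint. It assumes Office 2016/2019/365 (registry version key 16.0), that it runs in the context of the user being audited, and that the `-Enforce` switch and `$OfficeVersion` parameter are conventions of this script, not of Office itself.

```powershell
# Audit (and optionally enforce) Office's VBAWarnings macro security level for the current user.
# VBAWarnings values: 1 = enable all macros, 2 = disable with notification (Office default),
#                     3 = disable all except digitally signed, 4 = disable all without notification.
# Assumptions: Office version key 16.0; run as the user being audited; -Enforce is this script's own switch.
param(
    [switch]$Enforce,
    [string]$OfficeVersion = '16.0'
)

$apps = 'Word', 'Excel', 'PowerPoint'
$RequiredLevel = 3   # 3 or stricter (4) is treated as compliant

foreach ($app in $apps) {
    # A GPO-delivered value under Software\Policies overrides the per-user value when present.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"

    $policy = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $user   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings

    # Effective level: policy wins, then the user value, then Office's built-in default of 2.
    if ($null -ne $policy)   { $effective = $policy; $source = 'Policy' }
    elseif ($null -ne $user) { $effective = $user;   $source = 'User' }
    else                     { $effective = 2;       $source = 'Default' }
    $compliant = $effective -ge $RequiredLevel

    [pscustomobject]@{
        Application = $app
        Effective   = $effective
        Source      = $source
        Compliant   = $compliant
    }

    # Only the per-user value can be fixed here; a policy value must be changed through GPO.
    if ($Enforce -and -not $compliant -and $null -eq $policy) {
        if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
        Set-ItemProperty -Path $userKey -Name VBAWarnings -Value $RequiredLevel -Type DWord
    }
}
```

Run it without `-Enforce` first to see each application's effective level and where it comes from; a "Default" source means no one has ever hardened that application.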

What to Do if You are Attacked by Ransomware

If the worst does happen, here’s what to do:

  1. Implement your disaster recovery program: Limit the further spread of the ransomware and start your DR process.

  2. Wipe and reinstall machines: Close down any impacted machines, wipe them, and reinstall the OS and applications.

  3. Recover uncompromised data: Restore data from your last known “good” backup set.

  4. Apply a “lessons learned” approach: Revise security procedures and staff training to stop these issues from happening again.