Ransomware is a type of malicious software that disrupts computers, servers, and other devices by installing itself and then blocking access, deleting, or otherwise compromising legitimate data and applications. It typically demands a payment, or ransom, to “unlock” the computer and grant full access to the device and any related data and applications.
Ransomware is a kind of malware and is used by hackers and criminal organizations to extort money from businesses and individuals. There are several different categories of ransomware, including:
Crypto malware or encryptors that block access to data and applications by encrypting devices.
Lockers that completely block access to a computer system.
Scareware that claims to identify other malware like viruses on your computer, and then demands money to remove them.
Doxware that steals sensitive information from your computer and threatens to release it online.
A few key ways to protect your business from ransomware include user education, least privilege policies, vulnerability scanning and remediation, and more.
In 2020 and into 2021, ransomware has seen a massive resurgence. In 2020, ransomware surged 150%. Moreover, 35% of breaches across all industries were ransomware-related in 2020. And in 2021, ransomware has been a constant presence in the news for causing widespread disruption, such as the Colonial Pipeline attack by the DarkSide hacker group that took 45% of the U.S. East Coast's fuel supply offline, induced panic buying, caused fuel shortages, and increased the price at the pump. Hospitals and other medical providers, cryptocurrency exchanges and miners, and smaller, niche businesses continue to be lucrative targets for ransomware attacks.
There’s also a rise in the number of nation-state actors launching ransomware attacks as part of international cyber warfare. The way criminals use ransomware is also changing, with an increase in rentable “Ransomware as a service” attacks.
Here are a few other notable examples of high-profile ransomware attacks from past years:
WannaCry is a ransomware payload that was grafted onto a vulnerability discovered by the NSA and leaked by the Shadow Brokers. The WannaCry ransomware crypto worm unleashed a worldwide attack in May 2017. Emergency patches by Microsoft, along with the discovery of a kill switch, helped stop the spread within a few days, but not before an estimated 200,000 computers across 150 countries were affected, with damages ranging from hundreds of millions to billions of dollars. The hackers leveraged the vulnerabilities (nicknamed EternalBlue and DoublePulsar) and grafted WannaCry (real name WanaCrypt0r) on as the payload. WannaCry does not need any user interaction to infect a host. The payload contains its own network scanner that can discover new hosts and self-propagate; this is how it spread so fast and through so many companies without anyone clicking on a link or browsing a malicious website.
Petya, like WannaCry, involves exploitation of the EternalBlue vulnerability. Petya and its variants (such as NotPetya) proliferate through malicious Office attachments and email. Once the malware is installed, it seeks out other systems to exploit. On June 27, 2017, a number of Ukrainian companies received the brunt of Petya ransomware attacks. The power grid, nuclear facilities, and other key infrastructure companies were targeted. The radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant was knocked offline. The NotPetya variant has been billed as the “most costly cyber-attack in history,” with damage spiraling into the billions of dollars, affecting large businesses and governmental organizations worldwide.
CryptoLocker, while not the first ransomware, really brought ransomware into the public eye. The CryptoLocker ransomware attack, perpetrated by the Gameover Zeus botnet, occurred from September 2013 to May 2014, when it infected more than 250,000 systems. CryptoLocker leveraged a trojan targeting Microsoft Windows computers, and spread via infected spam email attachments. While CryptoLocker could be eliminated from systems fairly easily, the files it encrypted could generally not be recovered, often even when the ransom was paid.
While the FBI urges organizations not to pay the ransom, according to an IBM security study, over 70% of affected businesses do pay the ransom. In 2020, the average ransomware payout reached $312k, a huge leap from $115k, which was the average payout in 2019.
A ransomware attack typically leverages one or more of the following methods to install itself on computers and other devices:
Users are contacted by criminals and persuaded to install software on their machines.
Users open an email attachment that contains malware that is then installed on their machine.
Macros in MS Office and other apps can install ransomware.
Certain downloaded software can have a hidden “payload” of ransomware.
Mapped network drives allow the ransomware to spread to other machines.
Certain websites can install malware when they are visited, especially if you haven’t patched your browsers or turned on proper browser security. This includes popup online ads.
Root or administrative access can allow malware to spread quickly through your organization.
By applying the following nine best practices, individuals and organizations can reduce the risk of ransomware infection, or at least limit its spread and damage if an infection should occur:
User education: Train users in popular social engineering techniques. Inform them about the dangers of macros, Office documents, email attachments, and downloads, and give them techniques to identify these threats.
Secure macros: Newer versions of MS Office have options to disallow any macros that are not digitally signed. Make sure you enable this option by default.
Patch and update software and OS vulnerabilities: Some malware targets identified vulnerabilities. Ensure you have a thorough patching process that quickly identifies and fixes software and OS flaws.
Apply least privilege policies: Assign application and data access privileges based on job roles and ensure users do not have more access than they need. This includes removing administrator rights. Most ransomware (although not macro-based ransomware and some other forms, such as WannaCry) requires administrator privileges just to launch.
Use vulnerability scanning and patch management: Regularly scan your IT ecosystem for potential vulnerabilities and have a robust vulnerability management process to fix any issues.
Enforce application control: Prevent installation or usage of applications unless they are vetted and approved by your IT security team.
Apply network segmentation: Particularly in dangerous server-side ransomware attacks, network segmentation provides a critical way to divide resources so that an infection can be contained, rather than jumping throughout the entire network.
Make regular backups: If you are impacted by ransomware, you will need to recover applications and data. Have a robust backup process in place that combines live mirroring, periodic backups, drive imaging, and incremental backups.
Have a disaster recovery process: If you are impacted, it’s vital everyone understands what they need to do. Develop a working DR process for identifying and resolving ransomware attacks, reinstalling machines, and recovering data.
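As an added example, not part of the original article, the following PowerShell audits and enforces the signed-only macro policy from the “Secure macros” item above across Word, Excel, and PowerPoint. The Office registry version “16.0” (Office 2016/2019/365) and the per-user policy hive under HKCU:\Software\Policies are assumptions.

```powershell
# Added example (not from the original article): audit and enforce the
# "disable all macros except digitally signed" Office policy.
# Assumptions: Office registry version 16.0; VBAWarnings value 3 means
# "Disable all except digitally signed macros"; the policy hive is
# HKCU:\Software\Policies (the User Configuration GPO path).
$OfficeVersion = '16.0'
$Apps          = 'Word', 'Excel', 'PowerPoint'
$SignedOnly    = 3

function Get-MacroPolicy {
    # Report the current VBAWarnings value per application and whether it
    # matches the signed-only setting. A missing value means no policy is set.
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $value = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{
            Application = $app
            VBAWarnings = $value
            Compliant   = ($value -eq $SignedOnly)
        }
    }
}

function Set-MacroPolicySignedOnly {
    # Create the policy key if absent and set VBAWarnings to signed-only.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $SignedOnly -Type DWord
    }
}

# Show the current state; run Set-MacroPolicySignedOnly to enforce it.
Get-MacroPolicy | Format-Table -AutoSize
```

In a domain, the same value is normally pushed through Group Policy rather than set per machine; this script is useful for spot-checking that the policy actually landed.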
If the worst does happen, here’s what to do:
Implement your disaster recovery program: Limit the further spread of the ransomware and start your DR process.
Wipe and reinstall machines: Close down any impacted machines, wipe them, and reinstall the OS and applications.
Recover uncompromised data: Restore data from your last known “good” backup set.
Apply a “lessons learned” approach: Revise security procedures and staff training to stop these issues from happening again.