Ransomware is a type of malicious software that disrupts computers, servers, and other devices. After installing itself, ransomware software blocks access, deletes, or otherwise compromises legitimate data and applications.

Human-operated ransomware refers to attacks in which a human threat actor employs active hacking techniques, along with the deployment of malware, to advance a ransomware attack. Most ransomware demands a payment, or ransom, to “unlock” the computer and grant full access to the device and any related data and applications.

Crypto Malware or Encryptors - Block access to data and applications by encrypting files and devices.

Lockers - Completely block access to a computer system.

Scareware - Claims to identify other malware like viruses on your computer, and then demands money to remove them.

Doxware - Steals sensitive information from your computer and threatens to release it online.

Human-Operated Ransomware - Also known as “hands-on-keyboard,” are when cybercriminals actively navigate through targeted infrastructure.

Ransomware-as a-Service (RaaS) - An increasingly common ransomware business model. This refers to the practice of an attacker paying a ransomware service operator a subscription fee to use ready-packaged ransomware toolkits/malware. In RaaS, the ransom payout is shared between the ransomware owners and their affiliates. The affiliates are the entities who execute the ransomware payload and the owners are the purveyors of the RaaS malware.

Ransomware operators will typically scan for unsecured, open ports to start their attack. Internet-exposed Remote Desktop Protocol (RDP) endpoints continue to be cited in threat reports as the number one entry point for ransomware.

Remote access technology like VPNs has given attackers a back door to gain broad access to an organization's network and deliver ransomware payloads.

Social engineering attacks, such as phishing emails with infected attachments or malicious links, are also common entry points for ransomware attacks.

Remote Desktop Protocol (RDP) - In recent years, RDP has been a top entry point, allowing ransomware operators to gain a foothold in an environment. RDP allows users—and thus, ransomware actors—to remotely control computers or virtual machines over a network connection.

Administrative Access - Most ransomware needs privileges to execute. Root or administrative access can allow malware to spread quickly through your organization.

Social Engineering - Users are contacted by criminals and persuaded to install software on their machines.

Email Attachments - Users open an email attachment that contains malware that is then installed on their machine.

Macros - Macros in Microsoft Office and other apps can install ransomware.

Downloads - Certain downloaded software can have a hidden “payload” of ransomware.

Spreading Through Network Drives - Mapped network drives allow the ransomware to spread to other machines.

Malware-Infected Websites - Certain websites can install malware when they are visited, especially if you have not patched your browsers or turned on proper browser security. This includes popup online ads.

Fileless (Living Off the Land) - Ransomware may use fileless malware techniques to stay hidden as it advances through the network.

Due to infrastructure expansion, the average organization has more exposed vulnerabilities than ever. Expanded utilization of cloud, multicloud, remote work, bring your own device (BYOD), and other digital transformation initiatives has significantly increased the amount of shadow IT, human and machine identities, and privileges to manage.

Ransomware attackers have been quick to capitalize.

At a glance:

  • Cloud vulnerabilities have increased 540% in the past six years (IBM Security, 2022 IBM Security X-Force Cloud Threat Landscape Report, 2022).
  • Azure & Dynamics 365 vulnerabilities increased by nearly 159% in 2022 alone (Microsoft Vulnerabilities Report. BeyondTrust, March 2023).

User education is an important front-line defense against ransomware. Most ransomware and malware attacks utilize elements of social engineering, and/or require a user to do something wrong (click a malicious link, download a bad attachment, etc.) to execute malware.

Ransomware operators frequently use RDP and VPN security flaws to gain a foothold within an organization. Either replacing RDP and VPN, or using better security controls around them is imperative for reducing the success of ransomware.

Ensure vulnerabilities are proactively identified via scans and managed, such as via patching, and ensure updates to software and operating systems. This minimizes the chances an attacker can exploit a system flaw.

Apply and enforce least privilege policies for application and data access privileges. This also means removing administrator rights, which most malware attacks require to launch their payload. Eliminating unnecessary privileges also restricts lateral movement and privilege escalation pathways that are typically part of the ransomware attack chain.

Effective application control and trusted application protection capabilities can further ensure only legitimate, approved applications can execute or communicate, while also protecting against tricky fileless threats.

Finally, ensuring regular backups and up-to-date, comprehensive disaster recovery protocols will minimize the impact to the organization at large.

Only about 14% of organizations who have paid a ransomware ransom received 100% of their data back (ESG, The Long Road Ahead to Ransomware Preparedness, March 2022)​. Even then, ransomware operators may choose to sell stolen data or re-encrypt its access again.

Once the initial ransomware attack proves fruitful or if the root cause of the attack (an unpatched vulnerability, excessive privileges, etc.) is still exposed, another ransomware operator will be more likely to exploit the victim once again.

A rash of successful ransomware attacks over the past couple years has roiled the cyber insurance market. As a result, brokerages and underwriters are demanding more robust cybersecurity postures from their policyholders to qualify for coverage. Many organizations are now struggling to qualify for cyber insurance due to the higher scrutiny insurers are placing on potential and existing policy holders.

Two basic requirements of many cyber insurers include removing admin rights for users and enforcing the principle of least privilege (PoLP) across the enterprise. These foundational controls are highly effective at reducing cyber risk against a broad array of attack vectors.

Increased remote working and expanded IT perimeters have also increased the attack surface. Many threat reports show that ransomware operators exploit RDP exposed to the internet. This allows them to gain a foothold within the victim's environment, and is reported in about 50% of successful attacks. Cyber insurers have reacted by requiring strong remote access security controls, including multi-factor authentication.

Your risk of falling victim to a ransomware attack will depend on how closely your organization adheres to prevention best practices. Unfortunately, threat actors are continuously adapting their attack strategies to overcome even the most advanced defense measures. If the worst does happen and your organization is subjected to a ransomware attack, here is what to do.

  1. Implement Your Disaster Recovery Program

    Limit the further spread of the ransomware and start your disaster recovery process.

  2. Wipe and Reinstall Machines

    Close any impacted machines, wipe them, and reinstall the OS and applications.

  3. Recover Uncompromised Data

    Use backup data from your last known “good” data set.

  4. Apply a “Lessons Learned” Approach

    Revise security procedures and staff training to stop these issues from happening again.

  5. Identify Security Gaps to Better Prepare for the Future

    Take measures to develop new organizational policies and deploy new solutions to increase your organization's cyber defenses.

Virtually all ransomware requires privileges to execute (install files or drivers, access registry keys, etc.), encrypt data, move laterally, and spread. BeyondTrust Privileged Access Management (PAM) breaks this attack chain at multiple points by exerting control over privileges, applications, and remote access pathways, and enforcing zero trust security principles.

  • PAM Provides Foundational Security:

PAM solutions defend against the most common ransomware and malware attack vectors, including unsecure remote access pathways and privileged access.

  • PAM is a Must-Have for Zero Trust:

Enforcing the principle of least privilege or building a Zero Trust Architecture are only possible if your organization possesses the maximum amount of control over privileged access and identities. PAM solutions like BeyondTrust are commonly used by organizations looking to achieve zero trust as defined by NIST.

  • PAM is Required by Cyber Insurers for Qualification:

Cybersecurity insurance companies recognize that privileged access management (PAM) controls are foundational security in every organization, prevent many cyberattacks outright, and significantly minimize the damage of any potential breach.

Prefers reduced motion setting detected. Animations will now be reduced as a result.