Ransomware
It’s the kind of routine you’ve come to take for granted: you pick up your smartphone to check your e-mail or dive into one of your work apps. This time, however, you’re presented with an unexpected message: your data and all access to your device are being held hostage. You can either pay up, or risk the consequences.
Welcome to the world of ransomware – a form of cyberattack that can affect individuals and entire organizations alike.
What Is Ransomware?
If you haven’t experienced ransomware yet, the risk is ever-present, especially as more of us use mobile devices both personally and professionally.
Definition and explanation of ransomware
What is ransomware, and why is it bad? Like other forms of malicious software (or malware), the attack begins by penetrating the security defenses of your device and network.
Instead of simply stealing data, however, those behind the attack will encrypt your files and prevent you from using your device.
Attackers will then demand a ransom in exchange for restoring access to your device and decrypting files. Otherwise, they may threaten to steal, leak, or even delete the data.
The message will typically explain how to contact the attackers, for example through an anonymous e-mail address, and how to pay the ransom, usually in a cryptocurrency such as Bitcoin.
Globally, an estimated 4,399 ransomware attacks were reported in 2023, and ransom payments exceeded $1 billion for the first time.
Common types of ransomware
Defending against these attacks begins by understanding that they can come in several different forms. For example:
- Scareware takes a psychological approach, showing prospective victims a message claiming that a virus has infected their device, or simply swarming the screen with pop-up notifications; often no actual encryption has taken place. A link to “resolve” the issue takes users to the ransom demand and payment information.
- Encryptors: This is the form of attack illustrated in the introduction to this post. Files are encrypted with a key only the attackers hold, so unless you have a backup, paying the ransom is presented as the only way to regain access to your data.
- Lockers: As the name suggests, lockers typically don’t encrypt your data; instead they take over the device’s screen or operating system so that nothing on it can be used until the ransom is paid.
- Leakware: Sometimes called doxware, this attack threatens to publish or expose data that could be embarrassing or damaging to the victim. It is often combined with an encryptor, so the victim is squeezed twice: once for the key and once to keep the stolen data private.
- Ransomware-as-a-service (RaaS): Much like software-as-a-service (SaaS), this is a business model in which developers build and maintain the ransomware and lease it to affiliates, who carry out the attacks and hand over a share of each ransom.
How ransomware infects systems or devices
The easiest way in for most cybercriminals is through people. Many of us are all too vulnerable to being fooled or manipulated into helping bad actors bypass security defenses, especially when we’re making decisions quickly.
Attackers might send phishing messages via e-mail or SMS, for example, that appear to come from a person or an organization we recognize. Clicking on a link in those messages can immediately start the infection process. The same risk applies when we click on malicious digital ads or land on web pages that cybercriminals have set up as decoys.
In other cases, ransomware gets in through internet-exposed remote desktop protocol (RDP) services protected by weak or reused passwords. Some attacks have even begun by duping employees into sharing their credentials over the phone or via online chat.
Stages of a Ransomware Attack
Falling victim to an attack can happen quickly, but usually there’s a series of steps that need to be executed to take data and device access privileges hostage.
Overview of the different stages involved in a ransomware attack
Let’s say someone in a company clicked on a link that came through a phishing e-mail. The link delivers a small loader that runs on the device and opens communication with a command and control (C&C) server somewhere online, from which the attackers issue instructions and pull down additional tools.
Depending on the attack, cybercriminals might move laterally to infect additional machines, and copy out sensitive data to use as leverage, before encrypting files.
Then the extortion begins, where victims are made aware of the attack and the ransom terms.
If payment isn’t made, recovery means rebuilding the affected systems and restoring data from backups, if they’re available, while reporting the incident to law enforcement officials.
Methods used by attackers to exploit vulnerabilities
Beyond spoofing websites and messages to pull the wool over users' eyes, attackers may conduct brute force attacks where they try to extend their access into business systems by guessing passwords.
Some will look for applications that have not been updated with the latest security patches. Then there are insider attacks, where rogue or ex-employees are enlisted to help break into a network.
Impact and consequences of a successful ransomware attack
Having your data and applications held hostage isn’t just frustrating or annoying. It can create panic across an organization’s entire workforce. If an attack isn’t resolved quickly, the same fear and uncertainty can spread to those outside the organization, damaging customer and citizen experiences.
For many leaders, the biggest concern is with adverse effects to the bottom line, and with good reason. It may be impossible to sell products or services until a ransom demand has been addressed, and everyday processes such as payroll could grind to a halt.
Ransomware Protection and Response
As challenging as these attacks can be, any organization can be proactive in reducing the likelihood of having their data or systems held for ransom. It’s a matter of thinking through your organization’s potential risk areas and knowing what you’ll do if the worst-case scenarios play out.
Best practices for protecting against ransomware
The Cybersecurity and Infrastructure Security Agency (CISA) has a #StopRansomware guide that suggests continuously monitoring for attacks, the way a security guard patrols the perimeter of a building. This includes staying on top of software vulnerabilities and patches, identifying areas for further employee education, and keeping antivirus and endpoint protection current.
Next, establish what’s known as a “zero trust” architecture, in which access to data and systems is granted only to those who truly need it and is verified on every request rather than assumed from network location. You may also want to rethink how widely technologies like remote desktop protocol (RDP) are exposed, especially to the internet.
Strong policies, particularly around password creation and credential management, can also go a long way toward preventing incidents from happening.
Importance of regular backups and data recovery strategies
Can ransomware be removed? The malware itself usually can be, by cleaning or reimaging the affected machines; getting the data back without the attackers’ key is the hard part. That is why attackers who reach the only copies of a file hold a far greater advantage than they do over victims with backups ready.
Cybercriminals can still do considerable damage by leaking data they copied out before encrypting it, but backups allow an organization to resume normal operations more quickly without paying. Backups also improve your ability to work with law enforcement agencies to resolve a security incident.
In some industries, backups are done on a daily or even hourly basis. Whatever the schedule, at least one copy should be kept offline or in storage the attacker cannot modify or delete, since ransomware operators routinely seek out and destroy reachable backups before encrypting, and restores should be tested regularly rather than assumed to work. There are also third-party organizations that can assist with creating and storing backups in an offsite location that can be accessed during an emergency.
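To make the backup properties above concrete (versions that are never overwritten, a restore test that actually re-reads the stored data, and a clear record of which snapshot is the last clean one), here is an added example in Python. It is not from the original article or from any vendor’s product. It implements a small content-addressed snapshot store with a manifest per snapshot, then runs a constructed scenario: snapshot clean documents, simulate an encryptor overwriting and renaming them (random bytes stand in for ciphertext; no real malware), snapshot again, recover from the pre-incident manifest, and confirm the restore test catches a tampered object. The directory layout, file names and labels are assumptions made for the example.

```python
import hashlib
import json
import random
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, repo: Path, label: str) -> Path:
    """Copy every file under `source` into a content-addressed store (repo/objects/<sha256>)
    and write a manifest mapping relative path -> digest. Objects are written once and never
    overwritten, so a later snapshot of encrypted files cannot clobber the clean copies."""
    objects = repo / "objects"
    objects.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        obj = objects / digest
        if not obj.exists():
            obj.write_bytes(path.read_bytes())
        manifest[path.relative_to(source).as_posix()] = digest
    manifest_path = repo / f"manifest-{label}.json"  # assumed naming scheme
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest_path


def verify(manifest_path: Path, repo: Path) -> list:
    """Restore test: re-hash every object the manifest references.
    Returns the relative paths whose stored copy is missing or no longer matches."""
    manifest = json.loads(manifest_path.read_text())
    return sorted(rel for rel, digest in manifest.items()
                  if not (repo / "objects" / digest).exists()
                  or sha256_file(repo / "objects" / digest) != digest)


def restore(manifest_path: Path, repo: Path, dest: Path) -> int:
    """Rebuild the tree described by a manifest under `dest`; returns the file count."""
    manifest = json.loads(manifest_path.read_text())
    for rel, digest in manifest.items():
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes((repo / "objects" / digest).read_bytes())
    return len(manifest)


def diff_manifests(old: Path, new: Path) -> dict:
    """Compare two snapshots. An entire tree changing between hourly snapshots is itself a
    signal worth alerting on, and it tells you which snapshot is the last clean one."""
    a = json.loads(old.read_text())
    b = json.loads(new.read_text())
    return {"modified": sorted(k for k in a if k in b and a[k] != b[k]),
            "added": sorted(k for k in b if k not in a),
            "removed": sorted(k for k in a if k not in b)}


def demo() -> dict:
    """Constructed scenario (no real malware): back up clean documents, simulate an encryptor,
    back up again, recover from the pre-incident manifest, then tamper with a stored object
    to show that verify() is not a no-op."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, repo, out = root / "data", root / "backup", root / "restored"
        src.mkdir()
        originals = {f"doc{i}.txt": f"quarterly report {i}\n".encode() * 50 for i in range(5)}
        for name, data in originals.items():
            (src / name).write_bytes(data)
        clean = snapshot(src, repo, "clean")

        rng = random.Random(1)  # simulated ransomware: random bytes stand in for ciphertext
        for name in originals:
            (src / name).write_bytes(bytes(rng.getrandbits(8) for _ in range(2048)))
            (src / name).rename(src / (name + ".locked"))
        after = snapshot(src, repo, "after-incident")

        changes = diff_manifests(clean, after)
        clean_ok = verify(clean, repo) == []          # clean objects untouched by the new snapshot
        restored = restore(clean, repo, out)
        recovered = all((out / n).read_bytes() == d for n, d in originals.items())

        tampered = json.loads(clean.read_text())["doc0.txt"]
        (repo / "objects" / tampered).write_bytes(b"corrupted")
        return {"removed_in_latest": len(changes["removed"]),
                "added_in_latest": len(changes["added"]),
                "clean_snapshot_verified": clean_ok,
                "files_restored": restored,
                "recovered_intact": recovered,
                "tamper_detected": verify(clean, repo)}  # ["doc0.txt"]


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The store protects the clean snapshot only from being overwritten by a later backup run; it does nothing against an attacker who can write to the repository directory itself. In practice the `repo` path would be offline media or storage with immutability enforced by the storage layer, which is exactly the caveat in the paragraph above.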
Steps to take in case of a ransomware incident
Most organizations conduct fire drills so that everyone knows how to evacuate safely should the need arise. Similarly, developing a cyber incident response plan can reduce panic in the event of an attack by clarifying roles, responsibilities, and timelines.
A Cyber Management Alliance guide provides some high-level principles to help you get started. These include quickly identifying when an attack happens, isolating affected devices and systems to contain potential damage, and informing legal counsel and law enforcement. You may also want to prepare draft communications materials to share with customers, suppliers, and other stakeholders.
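“Quickly identifying when an attack happens” is the step most organizations find hardest, so here is an added example (not part of the original article or of the guide it cites) of what the encryption stage looks like in file telemetry and how a simple detector can score it. The Python below takes a window of file write and rename events, as a file-integrity monitor or EDR sensor might report them, and combines three indicators: most modified files now hold near-random bytes, most had their extension changed, and a ransom-note file appeared. The ransom-note names, paths and sample events are constructed assumptions, not real telemetry, and the thresholds are starting points to tune.

```python
import math
import os
import random
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Assumed ransom-note file names for this example; a real sensor would use a maintained
# watchlist of names observed in the wild.
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_restore_files.txt"}


@dataclass
class FileEvent:
    """One file write or rename as a file-integrity monitor or EDR sensor might report it."""
    path: str                            # path after the operation
    data: bytes                          # contents after the operation
    renamed_from: Optional[str] = None   # previous path if the operation was a rename


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte. Text and office documents score roughly 4 to 6;
    compressed or encrypted output approaches the maximum of 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _is_note(path: str) -> bool:
    return os.path.basename(path).lower() in RANSOM_NOTE_NAMES


def assess_window(events: List[FileEvent], entropy_threshold: float = 7.5,
                  min_files: int = 5, ratio: float = 0.8) -> dict:
    """Score one short window of events (say, 60 seconds on one host).

    Indicators, one point each:
      1. at least `ratio` of the modified files now hold near-random bytes (bulk encryption)
      2. at least `ratio` of the modified files had their extension changed (.docx -> .locked)
      3. a ransom-note file name appeared
    Two or more indicators together raise an alert; any single one is common in benign
    activity (archivers and backup tools write high-entropy data, scripts batch-rename).
    """
    modified = [e for e in events if not _is_note(e.path)]
    fired = []
    if len(modified) >= min_files:
        high_entropy = sum(1 for e in modified if shannon_entropy(e.data) > entropy_threshold)
        if high_entropy / len(modified) >= ratio:
            fired.append("bulk_high_entropy_writes")
        ext_changed = sum(
            1 for e in modified
            if e.renamed_from and os.path.splitext(e.renamed_from)[1] != os.path.splitext(e.path)[1]
        )
        if ext_changed / len(modified) >= ratio:
            fired.append("bulk_extension_change")
    notes = [e.path for e in events if _is_note(e.path)]
    if notes:
        fired.append("ransom_note_dropped")
    return {"score": len(fired), "indicators": fired, "notes": notes, "alert": len(fired) >= 2}


# ---- constructed sample windows (not real telemetry) ----
def sample_encryption_window() -> List[FileEvent]:
    """Ten documents rewritten as random bytes and renamed, then a note dropped."""
    rng = random.Random(7)
    events = [
        FileEvent(path=f"C:/Users/alice/Documents/report{i}.docx.locked",
                  data=bytes(rng.getrandbits(8) for _ in range(4096)),
                  renamed_from=f"C:/Users/alice/Documents/report{i}.docx")
        for i in range(10)
    ]
    events.append(FileEvent(path="C:/Users/alice/Documents/README_TO_DECRYPT.txt",
                            data=b"Your files are encrypted. Contact us to buy the key."))
    return events


def sample_benign_window() -> List[FileEvent]:
    """A user saving ordinary text edits to ten documents; no renames, no note."""
    return [
        FileEvent(path=f"C:/Users/alice/Documents/notes{i}.txt",
                  data=(f"Meeting notes {i}: discuss Q3 budget and hiring plan.\n" * 40).encode())
        for i in range(10)
    ]


if __name__ == "__main__":
    print(assess_window(sample_encryption_window()))  # score 3, alert True
    print(assess_window(sample_benign_window()))      # score 0, alert False
```

The alert output is what feeds the next steps in the plan: the `notes` and event paths identify the host to isolate, and the time of the first high-entropy write tells the backup team which snapshot predates the damage.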
Notable Ransomware Variants
Just like legitimate software companies, cybercriminals are constantly creating modifications of their malware, called variants, which can make an attack more difficult to detect or cause greater damage.
Overview of well-known ransomware variants and their characteristics
CryptoLocker dates back to at least 2013 and spread via e-mail attachments. Its pioneering use of C&C infrastructure and strong encryption allowed its alleged Russian creators to infect hundreds of thousands of machines.
WannaCry became one of the most well-known variants when it emerged in 2017, spreading as a worm through a Windows SMB vulnerability and encrypting data on the systems it reached. Reports suggest WannaCry variants remain in circulation, and its original source code has not been recovered.
More recently, LockBit has been active since at least 2019 and is notable for operating on the RaaS model, licensing its code to affiliates who carry out the attacks. LockBit has also run distributed denial of service (DDoS) attacks against victims in addition to holding data for ransom.
Notable historical ransomware attacks and their impact
Sony Pictures Entertainment became one of the most high-profile organizations hit by an extortion attack when its systems were compromised in 2014; the attackers demanded payment, then leaked stolen data and wiped machines. The incident continues to serve as a case study for lessons learned and best practices.
An attack on Colonial Pipeline in 2021 brought a major fuel pipeline to a standstill and has since led to several policies intended to address concerns about the industry’s vulnerability.
Cybercriminals have also sought ransom from organizations in the public sector, such as a rash of attacks on at least 44 U.S. school districts and at least 45 colleges in 2022.
Emerging trends and new developments in ransomware
While many early threats and attacks seemed to emerge out of Eastern Europe, experts suggest cybercriminals are now seeking to hold data ransom on a global level. They are also widening the scope of tools used to develop new variants and are exploring ways to compromise multiple organizations at the same time.
Ransomware Impact on Businesses
The fallout from a ransomware attack can depend in part on the sector in which an organization operates.
How ransomware affects different industries
For a financial services institution, for instance, being locked out of critical systems can mean staff and customers can’t access their accounts, or delay processes such as receiving loan applications.
For a healthcare provider, it could mean patient care is put at increased risk because doctors and other staff can’t access the records they need, including medical histories.
Manufacturing firms can wind up facing costly delays in production while they decide whether to pay a ransom, which can create a ripple effect across other parts of the supply chain.
Common targets and sectors vulnerable to ransomware attacks
There may be no industries completely immune to these threats, though a report from the FBI suggests two out of five reported attacks are aimed at critical infrastructure organizations.
The same research suggested healthcare, manufacturing, government, and transportation organizations are frequently among those whose data is held for ransom.
Financial and reputational consequences of a ransomware incident
Even once data has been decrypted, there can be considerable investment required to fully restore operations. According to the U.S. Department of Health and Human Services, the average cost of recovering from a ransomware incident is $1.27 million across all industries.
The amount an organization might have to pay to release its data can be just the tip of the iceberg. There can also be losses from disruptions to regular business operations, as well as customer churn as a result of media coverage of an incident.
Even once an attack is over, organizations may have to work hard to prove they have taken steps to prevent a similar incident to rebuild trust among their stakeholders.
Ransomware Prevention and Mitigation
Fortunately, organizations of any size can begin bolstering their defenses against these kinds of attacks, and improve the way they respond when they happen.
Effective strategies for preventing ransomware infections
Besides regular IT security audits and backing up your data, keeping copies in cloud storage that retains previous versions (versioning with a retention lock) can make it easier to roll back to a pre-incident state. A plain sync folder without versioning offers no such protection: it will faithfully replicate the encrypted files over the good ones.
Make it more difficult for attackers to penetrate systems by powering them down when they’re not being actively used, or simply disconnect them from the network.
Importance of employee education and awareness
Defending against cybersecurity incidents also requires helping your team understand the risks your organization faces and their role in incident prevention.
Conduct regular training sessions or lunch and learns that teach them how to spot a potential phishing scheme, and when to avoid clicking on attachments.
If a new variant begins targeting your sector, share any details and encourage them to report any suspicious activity.
Role of security software and encryption in mitigating ransomware risks
There is also a wealth of technology available to bolster an organization’s defenses. Passkeys, for instance, replace user names and passwords with a cryptographic credential bound to the legitimate site, so a phishing page cannot capture anything the attacker can reuse.
No matter what kind of organization you're running, your data and devices are priceless assets. With the right knowledge, strategy and tools in place, you'll be able to keep ransomware at bay, as well as some of the other most common cybersecurity threats.
Take the next step by starting your LastPass trial today.