Definition
Ransomware is malware designed to prevent users from accessing files on their systems until they pay a ransom. Cybercriminals restrict access to data by encrypting it and only provide a decryption key after receiving payment. Ransomware is designed to spread across target systems and can quickly halt regular company operations.
The first case of ransomware can be traced back to 1989 when Dr. Joseph Popp sent 20,000 floppy disks with malware to AIDS researchers. The malicious code stayed dormant until the computer was rebooted 90 times, then started encrypting file names. The ransom note required the researchers to send a $189 cheque to a PO box in Panama.
Over the past few years, ransomware has become a significant risk to organizations. The emergence of cryptocurrencies like Bitcoin in the 2010s has bred the current era of crypto-ransomware, with attackers collecting payments in an easy and untraceable manner. One notable example is the CryptoLocker ransomware threat that emerged in 2013. This ransomware installed itself on Windows machines, encrypted files, and demanded a $300 ransom — paid via Bitcoin or a pre-paid voucher — to release the decryption key.
By 2018, attackers had shifted from indiscriminate attacks to more deliberate attacks on large organizations, businesses, and governments. Criminals figured that if they could encrypt high-value data, they could ask for a higher ransom. Today, attackers can extort their victims twice — not only are they asking for payment for the decryption key, but they’re also demanding to be compensated to delete any data they might have stolen.
How Ransomware Works
While each ransomware family is different, they all work in three main steps.
First, the ransomware operator gains access to the target system. They can do this in several ways, the most common being phishing emails. Phishing emails use social engineering tactics to make victims open emails, click malicious links, or give personal information to the attacker. For example, an attacker can send an email attachment that, once opened, installs ransomware on that computer. The attacker could also use personal information collected through phishing to guess the victim’s login credentials to access a computer network remotely. They can then install the malware themselves. Apart from phishing, attackers can exploit known vulnerabilities to attack systems directly.
After the ransomware gains access to the target system, it begins encrypting files. The ransomware doesn’t encrypt the files required to operate the system, because the machine must remain stable enough to boot up.
Then, when encryption is complete, the ransomware demands a ransom in exchange for the decryption key. This is typically a text file containing the amount of currency or cryptocurrency the victim should pay.
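The three steps above describe a behaviour defenders can look for on the host: one process rewriting or renaming many user files in a short burst, spread across several folders while leaving system paths alone, and then dropping a text note. The following is an added example (not from the original article) of that detection heuristic run over a constructed file-event log; the log format, path patterns and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Thresholds assumed for this example; tune them against your own baseline.
WINDOW_SECONDS = 60   # burst window
MIN_FILES = 10        # distinct user files changed inside one window
MIN_DIRS = 3          # spread across folders (one app saving its own data stays in one folder)
USER_PATH = re.compile(r"^C:\\Users\\", re.IGNORECASE)
NOTE_NAME = re.compile(r"(readme|decrypt|restore|recover)[^\\]*\.txt$", re.IGNORECASE)
# Assumed log line format: "<HH:MM:SS> pid=<n> <WRITE|RENAME> <path>" (for RENAME, the new path)
LINE = re.compile(r"^(\d\d:\d\d:\d\d) pid=(\d+) (WRITE|RENAME) (.+)$")

def parse(lines):
    """Turn log lines into (timestamp, pid, action, path) tuples; lines of other formats are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(3), m.group(4)))
    return events

def find_suspects(lines):
    """Return {pid: details} for processes whose activity matches the burst + spread + note pattern."""
    by_pid = defaultdict(list)
    for ev in parse(lines):
        by_pid[ev[1]].append(ev)
    suspects = {}
    for pid, evs in by_pid.items():
        user_evs = sorted(e for e in evs if USER_PATH.match(e[3]))  # system paths are ignored
        best, start = 0, 0
        for end in range(len(user_evs)):  # sliding window over time-ordered events
            while (user_evs[end][0] - user_evs[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            best = max(best, len({e[3] for e in user_evs[start:end + 1]}))
        dirs = {e[3].rsplit("\\", 1)[0] for e in user_evs}
        note = any(NOTE_NAME.search(e[3]) for e in user_evs)
        if best >= MIN_FILES and len(dirs) >= MIN_DIRS and note:
            suspects[pid] = {"files_in_window": best, "dirs": len(dirs), "note": note}
    return suspects

# Constructed sample log: pid 4410 renames files across three folders and drops a note,
# pid 900 touches only a system path, pid 2200 is an autosave loop confined to one folder.
SAMPLE = [f"10:00:{i:02d} pid=4410 RENAME C:\\Users\\ann\\{d}\\file{i}.docx.locked"
          for i, d in enumerate(["Documents", "Pictures", "Desktop"] * 4)]
SAMPLE += ["10:00:13 pid=4410 WRITE C:\\Users\\ann\\Documents\\HOW_TO_RECOVER.txt",
           "10:00:20 pid=900 WRITE C:\\Windows\\System32\\config\\SYSTEM"]
SAMPLE += [f"10:05:{i:02d} pid=2200 WRITE C:\\Users\\ann\\Documents\\autosave{i}.tmp" for i in range(12)]

if __name__ == "__main__":
    print(find_suspects(SAMPLE))  # only pid 4410 is reported
```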
Ransomware as a Service (RaaS)
In the early days of ransomware, cybercriminals wrote their own ransomware code. Now there has been a shift towards ransomware as a service (RaaS). In this business model, operators lease already written ransomware to affiliates, who launch it in return for a percentage of the ransom payments. This way, even affiliates without advanced technical skills can launch a ransomware attack.
This model works the same way as software as a service (SaaS). After RaaS providers develop the malware, they run marketing campaigns and advertisements on the dark web to attract cybercriminals. They even offer customer support to help their affiliates launch the malware successfully. By eliminating the technical barrier, RaaS has become a top contributor to the rising number of ransomware attacks.
The Effects of Ransomware
There are numerous ways ransomware can impact businesses, but let’s explore some of the primary and most significant impacts.
Loss of Sensitive or Proprietary Data
According to Kroll (which tracks over 40 threat actor extortion websites), nearly 80 percent of ransomware attacks involve data exfiltration. The increase can be attributed to attackers using the exfiltrated data as leverage: pay the ransom, or the data is published.
The 2021 attack on the Italian government’s copyright and intellectual property agency is a recent example of compromised proprietary data. The attack exposed 60 GB of personal data about celebrities and high-profile artists acquired through their copyright and IP records. Everest Ransomware Group published the data on an extortion site after the Italian body responsible for safeguarding the data failed to pay the ransom — demonstrating that attackers follow through with their threats.
Extended Downtime to Regular Operations
Between Q1 2020 and Q3 2021, the average duration of downtime after a ransomware attack increased from 15 to 22 days. Downtime refers to the time during which regular operations in a business are interrupted, and productivity is less than 100 percent.
Recovering from ransomware is costly. Even if companies pay the ransom, they must spend time rebuilding their systems and ensuring all their operations are back online at full capacity.
Financial Losses
The financial damage of ransomware doesn’t just include the ransom payments. It also includes the collateral damage after the attack, like loss of revenue, the labor costs to rebuild, and legal expenses from clients demanding compensation for data loss.
Palo Alto Networks notes that the average ransom payment was $570,000 in 2021 compared to $312,000 in 2020. On top of that, 66 percent of businesses attacked by ransomware reported a significant loss in revenue in 2021.
While companies can seek cyber insurance to lessen the financial blow, it is becoming more expensive, with premiums having increased by 132 percent.
How to Protect Against Ransomware
Ransomware attacks hit 80 percent of critical infrastructure organizations in 2021 and continue to be a massive threat to companies. Here are some ways companies can protect themselves against ransomware.
Conduct Routine Data Backups
Data exfiltration is one of the threats attackers rely on. With data backups, you can restore your systems to the state before the ransomware infection. To prevent your backups from being affected by ransomware, store them securely offline and away from the company’s network.
Segment the Company Network
Network segmentation allows the network to be subdivided into sub-networks, allowing different security controls to be applied to each. Segmenting makes it possible to contain ransomware in one subnetwork and minimize the damage if you’re subject to an attack.
Perform Routine Vulnerability Checks
Perform vulnerability checks and patch commonly exploited software to prevent attackers from using it as an access point. Vulnerability checks also involve tracking unusual activity in network traffic to catch potential attacks in their early stages.
Reinforce Good User Account Management
Ensure everyone follows password policies in the company. This means having a minimum number of characters and frequent rotations. The use of multi-factor authentication also minimizes the risk of stolen credentials. Additionally, educating employees on how to identify phishing emails is crucial.
Furthermore, steps should always be taken to properly document, verify, and remove user access to systems, databases, and so on. Implementing the principle of least privilege (PoLP) and multi-factor authentication (MFA) are valuable strategies for ensuring that anyone accessing sensitive and high-impact information is doing so securely — and that they have the permission to access that information in the first place.
Utilize Anti-Ransomware Software
Anti-ransomware software protects against ransomware and removes infections when an attack occurs. It can be deployed company-wide and on individual machines, which is particularly important in today’s work-from-home era.
How to Respond to Ransomware
A company should have an effective response plan during a ransomware attack to remediate the attack quickly. The first step after the attack is to isolate the affected systems. This prevents the ransomware from spreading and infecting other parts of the network. Make sure backups are secure and disconnected from the network, as they will be crucial when restoring operations.
After isolating the affected systems, assess the attack to identify how the attackers gained access to the network, the type of ransomware used, how quickly the infection is spreading, and the extent of the damage. Determining the scope of the attack helps you decide your recovery strategy. You can choose to pay the ransom or employ other recovery options like wiping the affected systems or hiring outside help to assist with recovery. It’s also recommended to report the attack to the appropriate regulatory bodies.
Key Takeaways
- Ransomware is a type of malware that prevents users from accessing system files until they pay a ransom
- Ransomware is one of the most crippling cybersecurity threats facing companies. Its victims face financial loss, data loss, extended downtime, and reputational damage
- Companies must have an effective incident response plan to reduce the impact of a ransomware attack and ensure thorough security practices are implemented, such as managing users properly, backing up data, and testing for vulnerabilities regularly