What is Ransomware?
Ransomware has become one of the most prolific and costly types of malware in recent years. In general, ransomware is malware that disables the victim’s computer in some way and then demands a ransom payment in exchange for restoring access to the computer or the data stored on it.
Most ransomware variants work by encrypting valuable files stored on an infected machine using an encryption key known only to the attacker. To reverse the encryption and restore access to their data, victims must pay the ransom to receive that key.
Ransomware has become a prolific malware variant because it is successful and profitable. Ransom demands in the millions of dollars are common, and victims often pay the ransom to gain access to critical data. As a result, ransomware groups have ample funding to attract new talent and improve their tools and techniques.
Over the past few years, ransomware attacks have grown more numerous, sophisticated, and costly to their victims. Protecting against ransomware attacks is vital to an organization’s bottom line and ability to remain in business.
How does ransomware work?
Ransomware is designed to make money for cybercriminals by forcing victims to pay to regain access to their lost data. It works by encrypting data using a key known only to the attackers. With a modern encryption algorithm, recovering the data without that key is computationally infeasible, so cybercriminals can sell victims the decryption key for their own data.
Ransomware gains access to a computer in the same ways as any other malware. It might be distributed via a phishing email, the attackers may leverage compromised credentials to log in via a VPN, or exploitation of an unpatched vulnerability may allow malware to be planted on a device. Once installed, the ransomware does its job in one of two main ways.
The better-known approach involves targeted encryption of files. The ransomware searches for certain types of files (such as documents) and encrypts each file individually. This lets the attackers deny access to a user’s files without the risk of rendering the machine unbootable by encrypting a critical system file.
The other main approach is to encrypt the Master Boot Record (MBR). The MBR holds the boot code and partition table that map the layout of the computer’s disk. If the MBR is encrypted, the computer can’t locate the operating system or any other files on the system.
Regardless of its approach to encryption, the ransomware follows up by presenting a ransom demand to the user. Often this appears as a text file saved alongside encrypted files or a changed background image. The ransom demand includes the amount of cryptocurrency to be paid, where and how to pay the ransom, and potentially information for “customer support”.
Many ransomware variants exist, and different ransomware groups use different techniques to extort their victims. Ransomware operators are increasingly supplementing their attacks with data theft or the threat of distributed denial of service (DDoS) attacks. By threatening to leak sensitive information, performing a DDoS attack, or directly extorting a victim’s customers, the attacker increases their leverage and the probability of receiving a ransom payment.
Some ransomware groups also operate under an “affiliate” model where a ransomware developer distributes their malware to affiliates who infect victims’ machines with it. Under this model, profits are shared between the ransomware developer and the affiliates. This model enables ransomware operators to have their malware distributed to more targets, increasing overall ransom payments.
Who is a target for ransomware?
The modern ransomware attack is highly targeted. Ransomware groups carefully research potential targets to determine how to infect them and the maximum ransom that they can demand with an expectation of being paid.
While any organization can be a target of ransomware, certain organizations are more tempting targets than others. In addition to the ability to pay large ransoms, ransomware operators commonly target organizations that are more likely to pay the ransom quickly. For example, hospitals need access to their data to treat patients, so they have a greater incentive to pay a ransom demand quickly.
Ransomware groups’ tactics and targets change over time, and they benefit from the fact that it is difficult to attribute cyberattacks and pursue legal action against attackers. While a ransom note may state which group is behind an attack, the identity of the group’s members and their affiliates is hard to determine.
History of Ransomware Attacks
Ransomware is hardly a new threat. The first ransomware variant was the “AIDS virus,” which was created in 1989. Victims of this malware needed to mail payments to Panama and received a decryption key back in the mail.
Since then, technological advancements have made ransomware attacks more scalable and effective. The development of cryptocurrency – which allows pseudonymous payments of virtual currency – made it possible for ransoms to be paid digitally and anonymously. This made ransomware attacks safer and easier to perform for cybercriminals.
The WannaCry attack of 2017 brought ransomware into public awareness. This ransomware variant used an exploit named EternalBlue that was developed by the NSA and leaked by the Shadow Brokers. EternalBlue exploited vulnerabilities in the SMB protocol, enabling the malware to spread quickly without human action.
Since the WannaCry attack, ransomware has become a more common malware variant, and ransomware attacks have grown more targeted. WannaCry tried to infect as many computers as possible, but most targets could not pay large ransoms and did not understand how cryptocurrency worked. The modern ransomware attack targets large organizations, and ransom demands commonly reach millions of dollars.
Over time, ransomware operators have adapted their tactics to improve the effectiveness of their attacks and the probability of a ransom payout. For example, the COVID-19 pandemic created significant opportunities for ransomware gangs. The rise of remote work drove widespread use of VPNs and the remote desktop protocol (RDP). In response, exploitation of VPN vulnerabilities and the use of compromised credentials to log into enterprise systems via RDP displaced phishing attacks as the top ransomware distribution methods.
As ransomware victims refused to pay ransoms – or restored their data from backups – ransomware operators also changed their tactics to improve their leverage. In recent years, leaks of stolen data, DDoS attacks, and third-party extortion efforts have emerged to improve ransom payment rates.
Why are ransomware attacks spreading?
Ransomware attacks are a growing threat for a few reasons, including malware availability, cross-platform technological advancement, and new, effective techniques that generate profit for ransomware groups.
- Malware Availability: The ransomware affiliate model and the availability of malware kits make it easy to gain access to high-quality malware.
- Technological Advancement: Cross-platform interpreters and other development tools enable ransomware operators to more easily target different systems.
- Innovative Techniques: Ransomware variants have developed new techniques to evade detection, such as encrypting the MBR or encrypting only parts of files.
- Business Drivers: Ransomware attacks are profitable and effective, creating incentives for ransomware groups to keep operating and refining their techniques.
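The partial-file encryption mentioned above (often called intermittent encryption) matters to defenders because it also defeats a naive detector that looks only at whole-file entropy: a few encrypted stripes are averaged away by the untouched plaintext around them. The following Python script is an added example, not code from the original article, showing why a per-chunk entropy check is needed. The threshold, chunk size and the three sample files are assumptions constructed for the demonstration; the `pseudo_ciphertext` helper only produces deterministic high-entropy filler and is not a cipher.

```python
import hashlib
import math
from typing import Dict, List, Tuple

# Thresholds are assumptions for this example, not figures from the article.
HIGH_ENTROPY_BITS = 7.0   # bits per byte; English text is ~4-5, ciphertext ~7.9
CHUNK_SIZE = 1024         # small chunks so a short encrypted stripe stands out


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[float]:
    """Entropy of each fixed-size chunk, so a partially encrypted file is not averaged away."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes, threshold: float = HIGH_ENTROPY_BITS) -> Tuple[str, float, float]:
    """Return (verdict, whole_file_entropy, highest_chunk_entropy).

    Whole-file entropy alone misses intermittent encryption; the peak chunk
    entropy catches a file where only a few stripes were replaced.
    """
    whole = shannon_entropy(data)
    chunks = chunk_entropies(data)
    peak = max(chunks) if chunks else 0.0
    if whole >= threshold:
        return "fully-encrypted-like", whole, peak
    if peak >= threshold:
        return "partially-encrypted-like", whole, peak
    return "plaintext-like", whole, peak


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler standing in for encrypted bytes.

    Constructed for the example by chaining SHA-256 digests; it is not a cipher
    and exists only so the sample data looks like ciphertext without randomness.
    """
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def build_samples() -> Dict[str, bytes]:
    """Three constructed files: untouched, fully encrypted, and intermittently encrypted."""
    text = b"Quarterly report: revenue grew 4% year over year. " * 800   # 40,000 bytes
    encrypted = pseudo_ciphertext(b"seed-full", len(text))
    # Intermittent pattern: only the first 2 KB of every 16 KB stripe is replaced,
    # leaving roughly 85% of the file as plaintext.
    partial = bytearray(text)
    for start in range(0, len(partial), 16384):
        end = min(start + 2048, len(partial))
        partial[start:end] = pseudo_ciphertext(b"seed-part" + start.to_bytes(4, "big"), end - start)
    return {
        "report.docx": text,
        "report.docx.locked": encrypted,
        "report.docx.partial": bytes(partial),
    }


def scan_samples() -> Dict[str, str]:
    """Verdict per constructed sample; a real scanner would read files from disk instead."""
    return {name: classify(data)[0] for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        verdict, whole, peak = classify(data)
        print(f"{name:22s} whole={whole:.2f} peak_chunk={peak:.2f} -> {verdict}")
```

Entropy is a signal, not a verdict: compressed and already-encrypted formats (archives, images, PDFs with compressed streams) are also high-entropy, so in practice this check is paired with file-type detection and with the extension-change and rename-rate signals a behavioral monitor collects.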
Why shouldn’t you just pay the ransom?
Paying the ransom may seem like the easiest solution to a ransomware attack, and this is exactly what ransomware groups want their victims to think. However, there are several reasons why paying the ransom can only make things worse. Besides funding criminal activity, you may not get a decryption key to recover your data, and you may put a target on your back that leads to further ransom demands.
You May Not Get a Decryption Key
Many businesses choose to pay the ransom because they need access to that data, and paying is seen as the fastest and easiest way to regain it. However, ransomware victims must pay the ransom before they get a key, and they are making a deal with the exact same criminals who infected their networks with malware and are extorting them. When paying a ransom, there is no guarantee that the attacker will hold up their end of the deal and provide a working key.
You Might Get Ransom Demands Repeatedly
Ransomware operators demand a certain ransom in exchange for the decryption key for an organization’s data. However, nothing binds them to that deal. After an organization pays a ransom for their data, no one is forcing the ransomware group to provide a decryption key that works on all of their encrypted data. The attackers may string their victims along, demanding more and more money before handing over a key. If a company has paid a ransom, they’re likely to be willing to pay a bit more to “ensure” that initial payment wasn’t wasted.
You May Be Putting a Target on Your Back
Ransomware operators perform in-depth research to identify victims that are able and likely to pay large ransoms to regain access to their data. By paying a ransom, an organization signals that it is willing to pay the attackers to regain access to their data, demonstrating that they are a ransomware group’s ideal target. Many organizations that are the victim of a ransomware attack are targeted again in the future because they’ve shown that they are willing to pay.
You Fund Criminal Activity
Ransomware attacks are extremely popular among cybercriminals because they are effective and profitable. Ransomware gangs can make millions of dollars from a single successful attack if the victim pays their ransom demand. By paying a ransom, a ransomware victim funds the attacker’s activities and demonstrates that ransomware attacks continue to be a profitable business venture. As long as these attacks remain profitable, ransomware operators have no incentive to stop.
What Types of Ransomware Are There?
Ransomware comes in several varieties that pose different levels of risk to an infected computer. These range from scareware, which is primarily a scam, through screen lockers, to encrypting ransomware, which carries the risk of permanent data loss.
Scareware
Scareware is a form of ransomware designed to intimidate the target into taking some action. Typically, this involves locking the screen or putting up pop-ups claiming that a virus has been detected on the computer. This message will include instructions for contacting a “help desk,” which promises to fix the problem for a fee. While the offer to help clean up the virus is a scam, the computer does need to be checked and cleaned of the malware that creates the pop-up.
Screen Lockers
Screen-locking ransomware will lock the screen, keyboard, and mouse on a computer, making it impossible to use. This type of ransomware commonly comes with a pop-up demanding a ransom payment and showing a countdown clock designed to create a sense of urgency. While this type of ransomware is more inconvenient than scareware, it is less dangerous than encrypting ransomware. This ransomware variant does not usually encrypt files, reducing the probability of data loss.
Encrypting Ransomware
Encrypting ransomware is what most people think of when they hear “ransomware.” Encrypting ransomware will encrypt files or the MBR on a victim’s computer and demand a ransom payment in exchange for the decryption key. This is the most dangerous type of ransomware because there is the potential that data may be lost forever whether or not the target decides to pay the ransom.
Popular Ransomware Variants
Many different ransomware variants exist, and new ones are discovered on a regular basis. However, some variants stand out from the crowd due to the scope and impact of their attacks:
REvil
The REvil ransomware variant is one of the most famous in existence. This ransomware variant first emerged in 2019 and was responsible for high-profile attacks such as the Kaseya and JBS hacks. It was also the most prolific ransomware variant in existence and demanded some of the highest ransoms to date.
However, the fame of REvil also led to its downfall. In October 2021, a multi-national coalition took action against the malware, seizing its servers and forcing it offline. The following month, the US government indicted two alleged members of the group.
Ryuk
Ryuk is another extremely expensive ransomware variant. A Ryuk ransomware attack carries a demand of over $1 million on average. This ransomware variant is highly targeted, focusing on large organizations that have the ability to meet these large demands.
Ryuk ransomware is one of the variants that took advantage of the switch to remote work in the wake of the COVID-19 pandemic. Its operators commonly take advantage of compromised credentials to log into enterprise networks via RDP or distribute the malware via spear-phishing emails.
LockBit
LockBit is a ransomware variant that began its attacks in September 2019. A few months later, it began a Ransomware as a Service (RaaS) affiliate program in January 2020, recruiting other cybercriminals to distribute its malware. LockBit also operates a data leak site, providing it with additional leverage when demanding ransoms from its victims. In June 2021, LockBit was updated with a new version 2.0. A couple of months later, Accenture reported a data breach and ransomware infection by LockBit in August 2021 that included a $50 million ransom demand.
DearCry
DearCry is a relatively new ransomware variant that emerged in April 2021. It was developed to take advantage of a set of four critical vulnerabilities in Microsoft Exchange Server that Microsoft publicly reported and released patches for that month. DearCry differed from most ransomware variants in that it didn’t include a cryptocurrency payment address in its ransom demand. Instead, victims were instructed to contact the operators directly via one of two email addresses.
How to Protect Against Ransomware
Ransomware is a sophisticated cyber threat, and protecting against it requires multiple lines of defense. This includes cutting off potential attack vectors, reducing the corporate digital attack surface, and deploying targeted anti-ransomware defenses.
Best Practices for Ransomware Protection
Ransomware is spread through various means. However, an organization can dramatically reduce its exposure to ransomware by implementing cybersecurity best practices such as:
- Cyber Awareness Training and Education: Ransomware uses the same attack vectors as other types of malware, including phishing emails, use of compromised credentials, and other means. Employee cybersecurity awareness training can help to protect against ransomware attacks by teaching employees to avoid the poor security practices that make infections possible. For example, training on detecting phishing emails and using strong, unique passwords helps to mitigate some of ransomware’s primary infection vectors.
- Continuous Data Backups: Ransomware’s revenue model is based on selling victims access to their data. It only works if the only way to recover encrypted data is to pay the ransom. By creating regular, read-only data backups, an organization provides itself with an alternative means of recovering lost data. When designing a data backup strategy, it is important to back up regularly to minimize the chance of data loss and to ensure that the backups cannot be encrypted by the ransomware as well.
- Patching: Exploitation of unpatched software vulnerabilities is a common means for ransomware to gain access to and move through enterprise networks. For example, the rise of remote work due to COVID-19 made exploitation of vulnerable VPNs one of the leading ransomware attack vectors. Frequent vulnerability scanning and patching of discovered vulnerabilities can enable an organization to manage its exposure to ransomware.
- User Authentication: VPNs, RDP, and other remote access solutions are valuable tools for ransomware operators. A leaked or guessed user password can allow an attacker to remotely access enterprise systems and directly install and execute their malware on corporate systems. Implementing strong user authentication – including the use of multi-factor authentication (MFA) – makes it more difficult for ransomware operators to use compromised credentials to spread their malware.
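The backup point above (keep regular backups that the ransomware cannot encrypt as well) has a practical corollary: you must be able to tell, before you need them, whether the backups are still intact. The Python script below is an added example, not code from the original article or any vendor product. It records a SHA-256 manifest at backup time and later reports modified, missing and unexpected files; the directory layout, file contents and the "damage" applied in `demo()` are all constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> Dict[str, str]:
    """Map every file under the backup root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the backup tree against a manifest captured when the backup was taken.

    The manifest must be stored where the backup host cannot overwrite it
    (offline media, a write-once bucket, a separate credential domain); otherwise
    malware that reaches the backups can rewrite the manifest as well.
    """
    current = build_manifest(backup_root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a manifest, then damage the backup tree and verify it."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        (root / "finance").mkdir()
        (root / "hr").mkdir()
        (root / "finance" / "ledger.csv").write_bytes(b"date,amount\n2024-01-02,100\n")
        (root / "finance" / "budget.xlsx").write_bytes(b"PK\x03\x04 constructed placeholder\n")
        (root / "hr" / "roster.txt").write_bytes(b"alice\nbob\n")
        manifest = build_manifest(root)
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)  # what you would store offline

        # Simulated damage (constructed): one file overwritten, one removed, one note dropped.
        (root / "finance" / "ledger.csv").write_bytes(b"\x00\xffgarbage overwrite\n")
        (root / "hr" / "roster.txt").unlink()
        (root / "finance" / "HOW_TO_RESTORE.txt").write_bytes(b"constructed ransom-note stand-in\n")

        return verify_backup(root, json.loads(manifest_json))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from a host that mounts the backup read-only and holds the manifest under different credentials than the backup job; a clean report (all three lists empty) is the precondition for trusting a restore, and a non-empty "unexpected" or "modified" list on a backup that should not have changed is itself a ransomware indicator.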
Reduce the Attack Surface
Ransomware operators take advantage of potential infection vectors in an organization’s attack surface. Reducing the threat of ransomware requires addressing multiple potential threat vectors, including:
- Phishing Messages: Many ransomware variants spread via phishing emails, especially through the use of Office documents with malicious macros. Anti-phishing solutions and employee training can help defend against this attack vector.
- Unpatched Vulnerabilities: Exploitation of unpatched vulnerabilities is a common infection vector for ransomware. Patching these vulnerabilities makes it more difficult for ransomware groups to gain an initial foothold within an organization’s network.
- Remote Access Solutions: VPN vulnerabilities and exposed RDP are common targets for ransomware operators. Patching vulnerable systems and enforcing strong user authentication helps to protect against these infection vectors.
- Mobile Malware: Mobile devices are increasingly used for business, making them a growing target of cybercriminals. Protecting against mobile ransomware requires a mobile antivirus solution.
Use Anti-Ransomware Solutions
Ransomware poses a significant threat to companies’ ability to operate and profitability. Protecting against the ransomware threat requires solutions designed specifically to identify, remediate, and restore from ransomware infections. Key capabilities for anti-ransomware solutions include:
- Wide Variant Detection: Many ransomware variants exist, making the ability to detect multiple variants essential for an anti-ransomware solution.
- Fast Detection: Once data encryption has begun, ransomware has already caused damage to the company, so rapid detection is vital.
- Automatic Restoration: Anti-ransomware solutions should automatically restore encrypted data using mechanisms that the ransomware cannot delete (for example, not Volume Shadow Copies, which ransomware routinely deletes before encrypting).
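The "fast detection" capability above, together with the ransom-note behaviour described earlier (a text file dropped alongside encrypted files), can be reduced to two behavioural signals: a storm of renames that append a new extension across many folders, and the same note filename appearing in several folders within seconds. The Python script below is an added example, not code from the original article or any product, that applies those signals to a constructed file-audit log. The log format, user names, paths, thresholds and window length are all assumptions chosen for the demonstration.

```python
import os
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Heuristic thresholds are assumptions for this example.
WINDOW = timedelta(seconds=30)
RENAME_THRESHOLD = 20   # appended-extension renames inside one window
MIN_DIRECTORIES = 3     # spread across this many folders before alerting
NOTE_NAME = re.compile(r"(restore|recover|decrypt)", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    user: str
    op: str        # CREATE, WRITE or RENAME
    path: str
    new_path: str = ""


@dataclass
class Alert:
    user: str
    first_seen: datetime
    reason: str


def parse_line(line: str) -> Event:
    """Parse one line of the constructed audit format:
    <iso-timestamp> <user> <OP> <path> [-> <new_path>]"""
    ts, user, op, rest = line.split(" ", 3)
    path, _, new_path = rest.partition(" -> ")
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, op, path, new_path)


def appends_extension(e: Event) -> bool:
    """True for renames such as report.docx -> report.docx.locked."""
    return e.op == "RENAME" and e.new_path.startswith(e.path + ".")


def detect(events: List[Event]) -> List[Alert]:
    """Sliding window per user: alert once on a rename storm or a ransom-note fan-out."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts: List[Alert] = []
    for user, evs in by_user.items():
        window: Deque[Event] = deque()
        for e in sorted(evs, key=lambda x: x.ts):
            window.append(e)
            while e.ts - window[0].ts > WINDOW:
                window.popleft()
            renames = [w for w in window if appends_extension(w)]
            rename_dirs = {os.path.dirname(w.path) for w in renames}
            note_dirs = {os.path.dirname(w.path) for w in window
                         if w.op == "CREATE" and NOTE_NAME.search(os.path.basename(w.path))}
            reason = ""
            if len(renames) >= RENAME_THRESHOLD and len(rename_dirs) >= MIN_DIRECTORIES:
                reason = f"{len(renames)} extension-appending renames across {len(rename_dirs)} folders"
            elif len(note_dirs) >= MIN_DIRECTORIES:
                reason = f"ransom-note-like file created in {len(note_dirs)} folders"
            if reason:
                alerts.append(Alert(user, window[0].ts, reason))
                break   # one alert per user is enough to trigger containment
    return alerts


def constructed_log() -> List[str]:
    """Synthetic audit lines: alice works normally, bob's session looks like mass encryption."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for i in range(10):   # alice: ordinary saves spread over ten minutes
        t = (base + timedelta(minutes=i)).isoformat() + "Z"
        lines.append(f"{t} alice WRITE /shares/finance/q1_{i}.xlsx")
    lines.append(f"{base.isoformat()}Z alice RENAME /shares/finance/draft.docx -> /shares/finance/final.docx")
    folders = ["/shares/finance", "/shares/hr", "/shares/eng"]
    for i in range(30):   # bob: 30 appended-extension renames in 15 seconds over three folders
        t = (base + timedelta(seconds=i / 2)).isoformat() + "Z"
        f = folders[i % 3]
        lines.append(f"{t} bob RENAME {f}/doc{i}.docx -> {f}/doc{i}.docx.locked")
    for f in folders:
        t = (base + timedelta(seconds=16)).isoformat() + "Z"
        lines.append(f"{t} bob CREATE {f}/HOW_TO_RESTORE_FILES.txt")
    return lines


def run_detection() -> Dict[str, Alert]:
    """Alerts keyed by user for the constructed log."""
    return {a.user: a for a in detect([parse_line(l) for l in constructed_log()])}


if __name__ == "__main__":
    for user, alert in run_detection().items():
        print(f"{user}: {alert.reason} (first seen {alert.first_seen.isoformat()})")
```

In the constructed log the alert for the noisy session fires at the twentieth rename, under ten seconds into the burst, which is the point of the "fast detection" requirement: the response (isolating the host, revoking the session, snapshotting the share) has to start while most of the data is still untouched. Alice's single ordinary rename never matches, because only renames that append an extension to the original name are counted.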