Ransomware – Understanding how it works and how to protect yourself.
What is a ransomware attack? A ransomware attack is a cyberattack in which a device is infected by a type of malware called ransomware, which is designed to deny a user access to their computer files.
How, primarily, does ransomware deny access to files? It usually works by encrypting the files. It’s called ransomware because hackers almost always demand a ransom in return for decrypting the files. Often, companies give in to the extortion simply because it’s quicker and easier than trying to fix the damage themselves, making it a lucrative and popular cybercrime. In IBM’s Cost of a Data Breach 2022 report, the average ransom payment was found to be $812,360 – and that doesn’t include the costs incurred by the data breach itself, which can be even higher.
Ransomware can cripple entire systems, causing disastrous effects – especially when it targets an organization such as a hospital, where data is highly sensitive and valuable, and where losing even temporary access to this data can put lives at risk.
Malware vs. ransomware
What is the difference between ransomware and malware? Malware is a generic umbrella term for any type of malicious software, whereas ransomware is a particular type of malicious software that involves the hackers demanding a ransom from the individual victim or organization in return for restoring their data or access to their systems. Malware can include not only ransomware, but also adware, viruses, trojan horses, spyware, worms, and more.
Types of ransomware
There are a number of types of ransomware. The most common ones are:
Locker ransomware – where basic computer functions are locked so the user cannot use their computer at all, thus losing access to data and functionality.
Crypto ransomware – where the data files themselves are encrypted. This is the most common form of ransomware, and the one we will discuss most throughout this article. Examples of popular crypto ransomware include Locky, WannaCry, and Bad Rabbit.
How does ransomware work?
Most ransomware attacks follow the same attack process – first infecting one device via an attack vector; distributing the infection throughout a network to which that device is connected; encrypting data that is stored on the network; and finally, notifying the victim that their data has been encrypted and demanding a ransom. When the demand is met, there is another stage wherein the data is decrypted – unless the attack uses double extortion.
Infection and distribution
The attacker gains access to the target system in one of several ways:
One of the most common methods is through a social engineering technique called phishing. With phishing, an employee may be sent a spoof email that looks genuine, with a link requesting credentials that can then be stolen and used to access the network, or a malicious link that downloads malware to the user’s computer, which is then used to infiltrate the network. Phishing may also be done using SMS messages (known as smishing) or using instant messages.
Attackers may also use browser or software vulnerabilities to inject malware and infect a device and spread throughout the network.
Another method is the use of the Remote Desktop Protocol (RDP) – attackers who have stolen or guessed user credentials can then access a device using RDP and download the malware themselves, running it and infecting the network.
Once the attacker has access to the network and the data being targeted, they can encrypt the files. Encryption is easy to do, as there are many encryption tools available. Some are even bundled with computer operating systems. As long as the attacker is the only one with access to the key that is used to decrypt the files (and part of that means deleting any backup keys), they are the ones with the power to launch the next step – demanding a ransom.
The final phase of the actual attack is when the attacker demands a ransom from the target, promising a decryption key in response. Stereotypically, as you may see in movies, the computer desktop background is changed to the ransom note. Alternatively, the encrypted files may now come with a text file detailing the attacker’s demands.
In situations where access to data is central to business functioning, it can be very tempting to just give in to the criminals’ requests and hand over the money in order to get the system back online as soon as possible.
One way or another, the files need to be decrypted. If the victim pays the ransom, the attacker should give over the decryption key required to return files to their original, usable state. But keep in mind that the attackers are criminals. What they “should do” might not loom large in their decision-making.
Giving in to an attacker’s demands shouldn’t be necessary, and it isn’t advised. It is impossible to know whether paying up will produce the promised decryption key or restored files, or whether the attackers will simply demand additional money. Consider alternatives carefully. There are many remediation techniques – we’ll discuss them later on in the article.
Double extortion and triple extortion ransomware attacks
In double extortion ransomware attacks, a cybercriminal or criminal gang will exfiltrate the victim’s data before encrypting it. They then demand two separate sums – one for providing the decryption key, and one to keep them from exposing or selling the exfiltrated data.
In a triple extortion attack, the cybercriminals may demand payment from individuals whose personal data was within the material that was exfiltrated, as well as from the organization that was attacked.
How to prevent a ransomware attack
Training and raising awareness of ransomware threats – teach your employees how to spot a phishing attempt that comes through email, and to avoid clicking on any malicious links. Keep in mind that while training can help, phishing relies on the built-in habits and behaviors that keep users efficient and productive. So even hyper-alert users are likely to fall for a phishing email at some point.
Check before entering sensitive info – make sure employees know not to provide sensitive information to anyone unless they are 100% sure it is a genuine communication – and there should be no reason for an employee to ever share their login details with anyone, even the IT department. Better yet, adopt a browser isolation solution that restricts interaction with unknown sites to “read-only access.”
Enforce strong password policies and authentication processes – use IAM, including MFA or similar, to make it that much harder for attackers to steal credentials and infect a device in the first place. This is harder in a world with increasing numbers of remote users using their own devices for work, although there are many software solutions that can ensure your system is secure, even when there are many unmanaged devices.
Keep software up to date – as some ransomware starts its life as malware that preys on software vulnerabilities, ensuring all employees update their software with the latest patches minimizes the risk that a vulnerability can be used to target the organization.
Use a cybersecurity solution equipped with ransomware detection techniques – anti-ransomware tools should be able to detect a wide range of ransomware variants quickly and accurately. In addition, the solution should be able to restore your data in a safe and efficient way in the event of a ransomware attack.
Back up all data – data encryption is only a threat if decryption is the only way to get your data back. If you have a backup system in place, which can return all encrypted data to its original state, ransomware can be overcome without the need to give in to the attacker’s demands. And, in general, backing up data is always a good idea – any hardware or software malfunction can lead to data loss, and data loss can have terrible consequences for an organization.
Implement a comprehensive security solution to protect from all web-based threats – with most ransomware originating from the browser or emails, it’s crucial that you use a comprehensive solution, such as one that relies on zero trust principles, using a preventative approach to stop ransomware (or any malware) from accessing end-user devices in the first place.
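To make the detection point in the list above concrete, here is an added example (not part of the article and not any vendor's product code) of the kind of behavioural heuristic anti-ransomware tooling builds on: it scores file-write events by the Shannon entropy of the written content (ciphertext looks nearly random, documents do not) and raises an alert when one process produces a burst of such writes onto document files. The thresholds, process names, paths and sample events are all constructed assumptions chosen for illustration.

```python
"""Toy ransomware-behaviour detector over constructed file-write events.

Added example, not from the article. Two signals that anti-ransomware
tooling commonly combines: (1) writes whose content looks like ciphertext
(high Shannon entropy) landing on document files, and (2) many such writes
by a single process within a short window. Thresholds are assumptions.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePath

ENTROPY_THRESHOLD = 7.0   # bits/byte; text is ~4-5, compressed or encrypted data ~7.9+
BURST_COUNT = 5           # this many suspicious writes by one process ...
BURST_WINDOW = 10.0       # ... within this many seconds raises an alert
DOCUMENT_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}


@dataclass
class FileEvent:
    ts: float        # seconds since some epoch
    process: str     # image name of the writing process
    path: str        # file being written
    data: bytes      # content written


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def touches_document(path: str) -> bool:
    """True if any suffix is a document extension, so 'report.docx.locked' still matches."""
    return any(s.lower() in DOCUMENT_EXTS for s in PurePath(path).suffixes)


def detect(events: list) -> list:
    """Return one alert dict per process that bursts high-entropy writes onto document files."""
    recent = defaultdict(list)   # process -> timestamps of recent suspicious writes
    paths = defaultdict(list)    # process -> document paths it rewrote
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not touches_document(ev.path) or shannon_entropy(ev.data) < ENTROPY_THRESHOLD:
            continue
        stamps = recent[ev.process]
        stamps.append(ev.ts)
        paths[ev.process].append(ev.path)
        while stamps and ev.ts - stamps[0] > BURST_WINDOW:   # slide the window forward
            stamps.pop(0)
        if len(stamps) >= BURST_COUNT and ev.process not in alerted:
            alerted.add(ev.process)
            alerts.append({"process": ev.process, "count": len(stamps),
                           "window_start": stamps[0], "window_end": ev.ts,
                           "sample_paths": paths[ev.process][-BURST_COUNT:]})
    return alerts


# Constructed sample content: repetitive text (low entropy) and a uniform byte
# pattern standing in for ciphertext (entropy exactly 8.0).
PLAINTEXT = b"Quarterly sales figures, northern region\n" * 50
CIPHERTEXT_LIKE = bytes(range(256)) * 8

SAMPLE_EVENTS = [
    # normal editing: a low-entropy save of a document
    FileEvent(100.0, "winword.exe", r"C:\Users\alice\Documents\report.docx", PLAINTEXT),
    # a single photo export is high entropy but not a burst
    FileEvent(101.0, "photos.exe", r"C:\Users\alice\Pictures\holiday.jpg", CIPHERTEXT_LIKE),
    # an archive tool writing a compressed file: high entropy, not a document extension
    FileEvent(102.0, "zip.exe", r"C:\Users\alice\backup.zip", CIPHERTEXT_LIKE),
]
# constructed: one unknown process rewriting six documents within three seconds
SAMPLE_EVENTS += [
    FileEvent(200.0 + i * 0.5, "unknown.exe",
              rf"C:\Users\alice\Documents\file{i}.docx.locked", CIPHERTEXT_LIKE)
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The three benign events show why a single signal is not enough: a photo export and an archive write are both high entropy, but one is not a burst and the other never touches a document extension, so neither is reported. A real product would feed this from a file-system filter driver or audit log and add further signals (canary files, shadow-copy deletion, known note file names), but the windowing logic is the same.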
Handling a ransomware attack
What should you do if you’ve found yourself a victim of a ransomware attack?
The first thing to do is determine the extent of the attack and isolate any infected machines from the network, so the infection can’t spread.
Next, back up all of the encrypted files to an external hard drive in case the data is somehow damaged during the decryption process, or in case something happens to the computer.
Whatever you do, don’t turn off the infected computer, as it can lead to data loss. Just make sure it isn’t connected to the network or other devices in any way.
Try to decrypt the files – a decryption tool may be available for the particular ransomware you have been infected with. Try to find out if one exists and use it to decrypt your files. If that doesn’t work, you’ll need to find a way to restore your data. If you have a backup, you can use that – but make sure it’s a clean, full backup of the entire machine that will restore the system to a non-infected state. If you don’t have one, you may need to wipe the machine and restore the data later on from an external backup, assuming you have one somewhere else.
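Knowing whether a backup is actually clean, and which files an attack altered, is easier if a digest manifest was recorded while the data was known-good. The following is an added example (not from the article) of that practice: it hashes every file under a directory into a manifest, stores it as JSON, and later compares a working or restored tree against it, reporting files that are intact, modified, missing or unexpected. The directory layout and file contents are constructed for the demonstration; the one real requirement is that the manifest lives on media the compromised host cannot reach.

```python
"""Backup-integrity manifest: record SHA-256 digests of a known-good tree,
then compare a working or restored tree against it.

Added example, not from the article. Paths and sample files below are
constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map of relative POSIX path -> digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, dest: Path) -> None:
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify(root: Path, manifest: dict) -> dict:
    """Classify each path as intact, modified, missing (manifest only) or unexpected (disk only)."""
    current = build_manifest(root)
    return {
        "intact": sorted(k for k, d in manifest.items() if current.get(k) == d),
        "modified": sorted(k for k, d in manifest.items() if k in current and current[k] != d),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Build a tiny constructed tree, snapshot it, simulate damage, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "report.txt").write_bytes(b"quarterly report, clean copy\n")
        (root / "docs" / "budget.csv").write_bytes(b"item,amount\nlaptops,12000\n")
        (root / "docs" / "notes.md").write_bytes(b"# meeting notes\n")

        # snapshot taken while the tree is known-good; in practice keep it on separate media
        manifest_file = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(root), manifest_file)

        # constructed damage: one file overwritten with ciphertext-like bytes,
        # one deleted, one unknown file dropped alongside the data
        (root / "docs" / "report.txt").write_bytes(bytes(range(256)))
        (root / "docs" / "budget.csv").unlink()
        (root / "docs" / "unexpected.txt").write_bytes(b"constructed extra file\n")

        return verify(root, load_manifest(manifest_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a restored system, an empty "modified" and "missing" list is the evidence that the restore matches the snapshot; run against the damaged tree, the "modified" list is exactly the set of files worth trying a decryption tool on, and "unexpected" surfaces files the attacker left behind.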