It’s all over the news. Ransomware attacks are one of the most headline-worthy cyberattacks because they often target large organizations like government and critical infrastructure, law enforcement, utilities, healthcare, and educational institutions.
Let’s explore what ransomware is, how it works, the different variants, and how to best protect yourself or your organization against it.
- What is ransomware?
- Origin
- Evolution
- How does ransomware work?
- Impacts of an attack
- Most likely targets
- Types
- Education and mitigation
What is ransomware?
Ransomware is a type of malware designed to block system and data access until a ransom is paid, usually in difficult-to-trace cryptocurrency. It inhibits or prevents users from accessing their systems in different ways: some variants lock the screen, and some lock access to files, until a ransom is paid to regain access.
Simple variants of ransomware might just lock up systems without causing permanent damage, but more sophisticated types encrypt files so users can’t access them without paying the hackers. And sometimes, even if the ransom is paid, the hackers destroy data or don’t relinquish access to the owners.
Bad actors often require ransoms to be paid in hard-to-trace cryptocurrencies, and the anonymous nature of this type of transaction makes it difficult for law enforcement to prosecute.
Digital extortion, indeed.
Origin
Believe it or not, ransomware dates back to the late 1980s. The first documented instance was known as AIDS, a Trojan horse that resided on a floppy disk. Created by a Harvard-educated microbiologist, the disk’s contents hid directories and encrypted file names on the hard drive of the computer it was introduced to.
Once initiated, a prompt appeared telling users to renew a license and contact a nefarious organization with payment for decryption. AIDS ransomware was isolated in 1989. Its architect, Dr. Joseph Popp, was deemed mentally unfit to stand trial for his crimes.
But this type of computer virus became the ancestor of modern ransomware as we know it today.
Evolution
For almost 20 years ransomware was dormant. In the late 2000s the first locker variations started appearing.
Initial versions targeted victims in Russia by locking a computer’s basic functions, such as input devices. After infected computers displayed an “adult” image, the virus instructed victims to call a toll phone number or send a text message to satisfy ransom demands.
Cryptolocker, one of the most notorious ransomware variants, appeared in 2013. It leveraged a command-and-control server to lock up victims’ data before demanding a $300 ransom. By the end of 2015, it was estimated that approximately $27 million had been paid to the hackers behind it.
Starting in 2018, the FBI noticed that ransomware attacks on individuals were trending down while attacks on businesses and organizations were ticking up, particularly against state and local government, industry, healthcare, and transportation entities.
This move to what’s known in cybersecurity as “big game hunting” makes sense. The score was far more appealing: high-value data, disruption of operations, and, most attractive of all, much more lucrative ransoms.
The concept of “double extortion” gained popularity in 2019 thanks to the Maze ransomware gang. Hackers realized that ransomware wasn’t hitting victims as hard as they wanted because they could just refuse to pay the ransom and restore from backup.
Bad actors started stealing data then ransoming. This way they could extort their victims with two ransoms, one to decrypt the data and another to delete the stolen data from the hackers’ servers.
Like most cyberattack types, it’s not just the technology behind the threats that evolves, but the hackers’ strategy in employing it.
How does ransomware work?
Ransomware variants have slight differences in how they operate, but they all need to gain system access, encrypt files, and then demand the ransom. There are three core stages to a ransomware infiltration regardless of the type.
Infection and distribution
Malware can gain system access through a few methods. But ransomware architects prefer a few specific vectors.
The first is phishing emails. When a user clicks a link to a site hosting a malicious download, or opens a malicious attachment from an email, the ransomware is downloaded and executes on the user’s system.
Remote Desktop Protocol (RDP) is another popular attack vector. A hacker gains login access, places malware directly on a system, then executes it. These are some of the most common methods, but far from the only ones.
Encryption
Once ransomware gains access to a system it starts encrypting files. It reads the files and encrypts them with a key controlled by the attacker, replacing the original files with encrypted versions.
Most types of ransomware are careful when selecting which files to encrypt. The compromised system needs to remain stable without any indication that the infection is present. More sophisticated variants take the additional step to delete backups and copies of the files to make system recovery without the decryption key more difficult.
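The encryption stage described above has a behavioural fingerprint a defender can watch for: many distinct files are rewritten in a short time, and the new contents are high-entropy (encrypted data looks like random bytes, unlike documents or source code). The following Python script is an added example, not code from the original article; it computes Shannon entropy per write and raises an alert when a burst of high-entropy rewrites hits a threshold inside a sliding window. The `WriteEvent` schema, the thresholds, and the sample events are all constructed for the example.

```python
import math
import random
from collections import Counter, deque
from dataclasses import dataclass

# Thresholds are assumptions for this example; tune them per environment.
HIGH_ENTROPY = 7.0      # bits per byte; encrypted or compressed data sits close to 8.0
WINDOW_SECONDS = 60.0   # sliding window length
BURST_THRESHOLD = 5     # distinct high-entropy files within the window that trigger an alert


@dataclass
class WriteEvent:
    """One file-write event as a file-activity monitor might report it (hypothetical schema)."""
    ts: float      # seconds since an arbitrary epoch
    path: str
    data: bytes    # the bytes written (a sample of them is enough in practice)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_encryption_burst(events):
    """Return (timestamp, distinct_file_count) alerts.

    An alert fires whenever at least BURST_THRESHOLD distinct files received
    high-entropy content inside a WINDOW_SECONDS-long window, which is the
    signature of bulk encryption rather than ordinary document editing.
    """
    window = deque()   # (ts, path) of recent high-entropy writes, oldest first
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.data) < HIGH_ENTROPY:
            continue   # plain text, spreadsheets, etc. never reach this threshold
        window.append((ev.ts, ev.path))
        while ev.ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()   # drop writes that fell out of the window
        distinct = {p for _, p in window}
        if len(distinct) >= BURST_THRESHOLD:
            alerts.append((ev.ts, len(distinct)))
    return alerts


def constructed_events():
    """Constructed sample: three normal document saves, then a ransomware-like burst."""
    rng = random.Random(1234)   # seeded so the example is reproducible
    report = b"Quarterly report: revenue up 4%, headcount flat, no incidents to report.\n" * 16
    normal = [
        WriteEvent(0.0, r"C:\Users\alice\Documents\q1.docx", report),
        WriteEvent(5.0, r"C:\Users\alice\Documents\q2.docx", report),
        WriteEvent(9.0, r"C:\Users\alice\Documents\notes.txt", report),
    ]
    # Seven files rewritten two seconds apart with random bytes, mimicking encrypted output.
    burst = [
        WriteEvent(100.0 + i * 2, rf"C:\Users\alice\Documents\file{i}.xlsx.locked", rng.randbytes(1024))
        for i in range(7)
    ]
    return normal + burst


def run_sample():
    """Run the detector over the constructed events; alerts start at the fifth burst write."""
    return detect_encryption_burst(constructed_events())


if __name__ == "__main__":
    for ts, count in run_sample():
        print(f"t={ts:>6.1f}s  ALERT: {count} distinct files rewritten with high-entropy data")
```

Entropy alone produces false positives on legitimately compressed or encrypted formats (archives, media, already-encrypted containers), which is why the rate across distinct files is the trigger rather than any single write; in a real deployment the detector would also weight renames to unfamiliar extensions and writes to canary files.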
Ransom
When file encryption is complete, the malware moves to the final stage: demanding the ransom. Variants approach this step in different ways. One of the most common is to display a background with the ransom note, or to drop text files in the encrypted directories.
The note usually contains the amount they’re demanding in exchange for access to the files. If paid, the hacker provides the decryption key (or a copy of it). The key information is entered into a decryptor program provided by the hacker to reverse the encryption and restore file access.
All ransomware types are architected slightly differently, but these are the three core tenets of how this type of malware works.
Impacts of a ransomware attack
The impacts of ransomware can be devastating.
If an organization falls victim it leads to business continuity lapses, system uptime disruption, data and productivity loss, loss of revenue (sometimes significantly), and damage to reputation.
It has significant effects on staffing too. Almost one-third of organizations report loss of talent at C-suite and executive leadership levels after an attack. And considering the financial ramifications of a ransomware attack, it’s not uncommon for businesses to lay off employees due to post-attack financial strain.
Then there are the legal and compliance issues.
Small businesses are especially vulnerable. They often don’t have any sort of incident response plan in place, and those that do don’t always keep it current. This kind of major disruption to business operations is especially detrimental to the revenue of smaller organizations.
Most likely targets
Some targets are more appealing to ransomware hackers than others. There are different reasons for this, from a higher potential ransom payout
Education
According to Sophos, educational institutions had the highest number of ransomware attacks in 2023. This includes all levels, from elementary schools to higher education.
Federal and central government
Around the globe, all levels of government are a prime target. Federal and central tiers are at the top of the list, which makes sense due to the critical nature of what they do.
In some countries, ransomware attacks on top-level government have caused leadership to declare a state of emergency.
Types of ransomware (Variants)
As mentioned, ransomware has a lot of different variants. These are some of the most notable, along with anecdotes on the major attacks they were behind.
Cryptolocker
Cryptolocker has the distinction of being the first variant posted to the internet in September of 2013. It spread through email attachments and through the Gameover ZeuS botnet. It affected local and mounted network drives.
Once the ransom demand was made, it threatened to delete the private key, stored on the malware’s control servers, if the ransom wasn’t paid by a stated deadline. Once the deadline passed, CryptoLocker offered data decryption for a much higher price than the original ransom, but there was no guarantee decryption would happen.
It’s believed that it extorted $3 million from victims over its short lifespan.
Petya
This family of encrypting malware was first discovered in 2016. It infects the master boot record of Windows systems and encrypts the hard drive’s file system, preventing the OS from booting. A White House assessment estimated that total damages caused by the Petya family of malware exceeded $10 billion.
Wannacry
2017’s most infamous ransomware attack, WannaCry was a cryptoworm that infected machines running the Windows operating system. It used the EternalBlue exploit developed by the NSA.
What made this attack different was its transport mechanism, which allowed it to spread automatically: its transport code scanned for vulnerable systems, gained access, and installed and executed itself.
It’s estimated that approximately 200,000 machines were affected worldwide including National Health Service hospitals and Nissan Motor Manufacturing in the UK.
Ryuk
This variant is best known for targeting large-scale Windows systems. Experts believe Ryuk is operated by Russian criminal groups that target organizations over individuals.
It is installed by way of the Trickbot malware once attackers have access to a network’s servers. Designed to bypass specific anti-malware defenses, it can totally disable networks. Like other types of ransomware, it deletes shadow copies, disables Windows System Restore, and defeats other recovery measures.
So how did Ryuk infect so many sophisticated systems? Successful phishing attempts were its main point of entry. The goal of Ryuk from the very beginning was to extort money from large organizations.
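Both the encryption-stage description earlier (deleting backups and copies to make recovery harder) and the Ryuk section above (deleting shadow copies, disabling Windows System Restore) point at the same detection opportunity: the commands that tamper with Windows recovery are few, distinctive, and rarely run by legitimate users. The Python script below is an added example, not code from the article; it parses constructed process-creation log lines in a hypothetical `key=value` format and flags command lines matching recovery-tampering patterns (the behaviour MITRE ATT&CK catalogues as T1490, Inhibit System Recovery). The log schema, the sample lines and the pattern set are assumptions for the example.

```python
import re

# Recovery-tampering patterns assumed for this example, covering the behaviours the
# article describes (shadow copy deletion, System Restore disabled) plus the backup
# catalog and boot-recovery settings that ransomware families commonly touch.
# Each entry: (alert label, regex applied to the normalised command line).
TAMPER_PATTERNS = [
    ("shadow copies deleted (vssadmin)",      re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow copies deleted (wmic)",          re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("boot recovery disabled (bcdedit)",      re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b")),
    ("backup catalog deleted (wbadmin)",      re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("System Restore disabled (PowerShell)",  re.compile(r"\bdisable-computerrestore\b")),
]

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed process-creation events (hypothetical schema, not real telemetry).
SAMPLE_LOG = [
    r'ts=2024-05-01T10:01:02Z host=WS01 user=alice image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe C:\Users\alice\todo.txt"',
    r'ts=2024-05-01T10:03:15Z host=WS01 user=alice image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin  Delete Shadows /All /Quiet"',
    r'ts=2024-05-01T10:03:16Z host=WS01 user=alice image="C:\Windows\System32\wbem\WMIC.exe" cmdline="wmic shadowcopy delete"',
    r'ts=2024-05-01T10:03:17Z host=WS01 user=alice image="C:\Windows\System32\bcdedit.exe" cmdline="bcdedit /set {default} recoveryenabled No"',
    r'ts=2024-05-01T10:05:00Z host=SRV02 user=backupsvc image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin list shadows"',
]


def parse_event(line: str) -> dict:
    """Parse one key=value log line into a dict; quoted values keep their spaces."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def classify(cmdline: str):
    """Return the label of the first tampering pattern the command line matches, or None."""
    norm = " ".join(cmdline.lower().split())   # case-insensitive, whitespace collapsed
    for label, pattern in TAMPER_PATTERNS:
        if pattern.search(norm):
            return label
    return None


def scan(lines):
    """Return one alert per line whose command line matches a recovery-tampering pattern."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev.get("cmdline", ""))
        if label:
            alerts.append({"ts": ev.get("ts"), "host": ev.get("host"),
                           "user": ev.get("user"), "reason": label})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']} {a['user']}: {a['reason']}")
```

The benign `vssadmin list shadows` line from the backup service account is deliberately left unflagged: the patterns require the destructive verb, not merely the tool name, which keeps the rule usable on servers where backup software invokes these utilities legitimately. Three tampering commands within seconds from one interactive user, as in the sample, is the shape worth paging on.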
Darkside
Darkside is a hacker group that’s believed to be behind the notorious Colonial Pipeline attack that occurred in 2021. They have focused many of their hacking efforts on targets based in the United States, but avoid targets like educational institutions, healthcare organizations, and non-profits.
They use a ransomware-as-a-service model, and the organizations that utilize them share a portion of the ransom with Darkside.
Education and mitigation
Given the pervasive nature of ransomware, proactive measures are essential to mitigate the risks and minimize the impact of attacks. Here are some strategies that organizations and individuals can adopt.
Education and awareness
Promoting cybersecurity awareness among employees and individuals is crucial to preventing ransomware attacks. Training programs on recognizing phishing emails, practicing safe browsing habits, and updating software regularly can significantly reduce the chances of getting breached.
Security measures
Implementing holistic cybersecurity measures that include firewalls, antivirus software, and intrusion detection systems helps detect and thwart ransomware attacks before they cause significant harm.
Deploying endpoint protection solutions that detect and block malicious activities fortifies defenses against ransomware attacks.
Data backup
Regularly backing up data to secure, offsite locations is critical in mitigating the impact of ransomware attacks. In the event of an attack, having up-to-date backups enables organizations to restore encrypted data without having to meet the ransom demands of hackers.
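A backup only mitigates ransomware if it is intact and recent when the restore is needed, so the practical follow-on to the paragraph above is routinely verifying both. The Python script below is an added example, not code from the article; it records a SHA-256 manifest of a backup set, then re-verifies the set to catch files that were altered or removed and a backup older than an assumed recovery point objective. The directory layout, file contents and the age threshold are constructed for the example.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_SECONDS = 24 * 3600   # assumed recovery point objective for this example


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup members do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root plus the time the backup was taken."""
    files = {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"created": time.time(), "files": files}


def verify_backup(root: Path, manifest: dict, now=None) -> list:
    """Return a list of problems; an empty list means the backup is intact and fresh.

    Catches members that are missing or altered since the manifest was written
    (what encryption or silent corruption of a reachable backup looks like) and
    a backup older than the recovery point objective.
    """
    problems = []
    now = time.time() if now is None else now
    if now - manifest["created"] > MAX_BACKUP_AGE_SECONDS:
        problems.append("stale: backup older than the recovery point objective")
    for rel, digest in manifest["files"].items():
        member = root / rel
        if not member.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(member) != digest:
            problems.append(f"modified: {rel}")
    return problems


def run_sample():
    """Constructed scenario: verify an intact set, a stale set, and a tampered set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("date,amount\n2024-05-01,100\n")
        (root / "readme.txt").write_text("backup set A\n")
        manifest = build_manifest(root)
        intact = verify_backup(root, manifest)
        # Same data, but checked two RPOs after it was taken.
        stale = verify_backup(root, manifest, now=manifest["created"] + 2 * MAX_BACKUP_AGE_SECONDS)
        # What a ransomware run does to a backup it can reach: overwrite one member, remove another.
        (root / "finance" / "ledger.csv").write_bytes(b"\x93\xe2\x10\x7f encrypted-looking junk")
        (root / "readme.txt").unlink()
        tampered = verify_backup(root, manifest)
    return intact, stale, tampered


if __name__ == "__main__":
    for label, result in zip(("intact", "stale", "tampered"), run_sample()):
        print(f"{label}: {result or 'OK'}")
```

The manifest must be stored somewhere the backup target cannot reach (offline or on a write-once store), since an attacker who can encrypt the backup can just as easily rewrite a manifest sitting beside it. A periodic job that runs this check and then performs a real test restore of a sample of members is what turns "we have backups" into "we can recover".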
Patching
Always make sure your software patching is current.
Incident response planning
Developing comprehensive incident response plans that outline procedures for detecting, containing, and mitigating ransomware attacks is imperative. Conducting regular tabletop exercises and simulations can help organizations refine their response capabilities and minimize downtime during cybersecurity emergencies.
Zero trust
Adopting a zero-trust approach to cybersecurity limits the spread of ransomware. By implementing least-privilege access, organizations can contain ransomware infections and prevent lateral movement by attackers.
Conclusion
Ransomware has certainly earned a reputation as one of the most fearsome types of cyberattacks, and rightfully so. But, just like the others, with some education and proper cybersecurity measures in place you can greatly reduce, or eliminate altogether, your likelihood of getting breached.