
What is Ransomware: A Pocket Guide for IT Professionals

Threat Intelligence • September 13, 2021

In May 2021, in one of the most high-profile ransomware attacks of recent times, Colonial Pipeline, operator of the largest fuel pipeline in the U.S., was hit. The company shut down pipeline operations for several days and paid a ransom of 75 bitcoin (approximately $4.4 million at the time) for a decryption tool. Even so, the tool reportedly ran so slowly that restoration still leaned heavily on the company's own backups, and part of the payment was later seized by the U.S. Department of Justice.


The attack put a spotlight on how exposed organizations have become. In 2019, over 200,000 U.S. firms were compromised by ransomware, a serious number by any standard, and in the first half of 2020 global ransomware attacks were reported to have increased by 715% year over year.


So: what is ransomware? How does it work? How does it spread? In this article, we address all of these questions about this increasingly common cyber threat.

What is Ransomware?

Ransomware is malware (malicious software) that an attacker runs on a victim's system, usually without the victim noticing until the damage is done. It encrypts the victim's files, or locks the victim out of the device entirely, and then demands a ransom in exchange for the decryption key or unlock code. Increasingly it also steals data before encrypting it, so that the threat of publication adds to the pressure to pay.

How Does Ransomware Work?

In 2020, ransom payouts touched nearly $350 million in cryptocurrency, a 311% increase over 2019. Part of what makes the business so profitable is the low barrier to entry: the person launching the attack rarely needs to write any code. Ransomware-as-a-Service (RaaS) operators rent a working encryptor, a payment portal and a negotiation site to affiliates in exchange for a share of each ransom, and ready-to-use toolkits are sold on dark web markets. The affiliate's job is to get into the network; the operator handles the rest.



Technically, crypto-ransomware relies on public-key cryptography so that nothing left on the victim's machine can undo the encryption. Because asymmetric ciphers are slow, almost every family uses a hybrid scheme: each file is encrypted with a fresh symmetric key (AES or ChaCha20), and that file key is in turn encrypted with an RSA or elliptic-curve public key embedded in the malware or issued for the campaign. The matching private key stays with the attacker and never touches the victim's system, so the files cannot be recovered from the ciphertext, the wrapped keys or the malware binary itself. After payment the attacker may hand over the private key, usually packaged as a "decryptor", or may not. In many cases the victim never receives a working key and loses the data for good. Between 2020 and 2021, the share of organizations that paid the ransom rose from 26% to 32%, but only 8% of those who paid got all of their data back.
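To make the key handling concrete, here is an added example of that hybrid scheme. It is not code from the original article and not taken from any real ransomware family; it is written in Go with only the standard library and operates on a byte slice in memory, never on the filesystem. Each file gets a fresh AES-256-GCM key, that key is wrapped with an RSA-OAEP public key (the only key material the program carries), and only the matching private key, which stays on the attacker's side, can unwrap it. The sample document, the 2048-bit key size and the function names are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Locked is the layout such a scheme leaves on disk. Nothing in it is usable
// without the RSA private key, which only the attacker holds.
type Locked struct {
	WrappedKey []byte // per-file AES key, encrypted with the attacker's RSA public key
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(fileKey, plaintext)
}

// lockFile encrypts one file under a fresh symmetric key and wraps that key to the
// attacker's public key, the only key material the malware has to carry.
func lockFile(pub *rsa.PublicKey, plaintext []byte) (*Locked, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	for i := range fileKey { // discard the only plaintext copy of the file key
		fileKey[i] = 0
	}
	return &Locked{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// unlockFile is what the attacker's "decryptor" does: unwrap the file key with the
// private key, then decrypt. Without priv the first step cannot be performed.
func unlockFile(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// Scenario locks a constructed document and reports whether the attacker's private key
// recovers it and whether a different key pair, all a victim could produce, fails to.
func Scenario() (attackerRecovers bool, otherKeyFails bool, err error) {
	attackerPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	doc := []byte("Q3 financial report (constructed sample document)")
	locked, err := lockFile(&attackerPriv.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	got, err := unlockFile(attackerPriv, locked)
	attackerRecovers = err == nil && string(got) == string(doc)
	otherPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return attackerRecovers, false, err
	}
	_, err = unlockFile(otherPriv, locked)
	otherKeyFails = err != nil
	return attackerRecovers, otherKeyFails, nil
}

func main() {
	a, o, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("attacker's key recovers the file: %v; any other key fails: %v\n", a, o)
}
```

The second half of Scenario is the point: a freshly generated key pair, or any amount of inspection of the bytes left on disk, ends in a decryption error at the unwrap step. A "decryptor", when the attacker does provide one, is essentially unlockFile bundled with the private key, and the defender's only independent route back is a backup taken before the run (or an implementation flaw in a specific family, such as a predictable or reused file key, which is what the free decryptors mentioned later in this article rely on).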

How Do Ransomware Attacks Happen?

There are several possible vectors for ransomware infections. The classic one is email phishing: the victim receives an attachment, typically a macro-enabled Office document or a script disguised as an invoice or shipping notice, and opening it runs a downloader that fetches and installs the ransomware. In targeted intrusions the first-stage malware is usually a remote-access tool rather than the ransomware itself; the encryptor arrives later, once the attacker has explored the network.


Other possible ransomware attack vectors include:


  • Social engineering, including phone calls and fake IT support that talk users into running a "fix"
  • Malware downloads, such as trojanized installers and cracked software
  • Drive-by downloads from compromised or malicious websites, often through an exploit kit that targets an unpatched browser or plugin
  • Clicking on a "malvertisement", a malicious ad placed on a legitimate site
  • Chat and instant-messaging messages carrying links or attachments
  • USB devices
  • Exposed remote-access services such as RDP, reached with stolen, brute-forced or reused credentials
  • Unpatched internet-facing systems, such as VPN gateways and web servers


In targeted intrusions the ransomware is usually the last step, not the first. The attacker gains a foothold through one of the vectors above, harvests credentials, moves laterally across the network, often until they hold domain administrator rights, and only then pushes the encryptor to every reachable host at once, frequently deleting backups and volume shadow copies along the way. This kind of lateral movement is especially dangerous because the organization now has to unlock and recover not one device, but dozens or thousands, and its backups may have been hit too.

How Does Ransomware Spread?

As we mentioned above, ransomware is available to anyone who can pay for it, including script kiddies (a script kiddie is someone who can acquire and run a malicious program with little or no expertise of their own). Once inside a network it spreads in two main ways. The human-operated way is lateral movement: the attacker uses stolen credentials and ordinary administration tools to push the encryptor to every host at once. The automated way is worm behaviour: WannaCry, for example, exploited a vulnerability in the Windows SMBv1 service to copy itself between unpatched machines with no user interaction, which is how it reached hundreds of thousands of systems in a matter of days. Cross-platform builds are also increasingly common, with Windows, Linux and VMware ESXi variants of the same family, so that servers and hypervisors fall alongside workstations. Some strains go beyond individual files and encrypt at the disk level: Petya, for instance, overwrote the boot loader and encrypted the NTFS master file table, rendering the whole drive unreadable.

Types of Ransomware

Crypto Ransomware


This is the common form: it encrypts files, folders and sometimes entire volumes while leaving the operating system running, so the victim can still read the ransom note and make the payment. Attackers then demand a ransom with the promise of decrypting the data.


Locker Ransomware


It locks the user out of the device entirely, typically by replacing the normal desktop or boot sequence with a lock screen that displays the ransom demand, often with a countdown timer to create a sense of urgency. The files themselves are frequently left untouched, so recovery without paying is often possible.


Scareware


This is fake security software that dupes a victim into thinking there are security issues on their device and demands money to fix them. It usually encrypts nothing, which makes it the least damaging member of the family.


Doxware/Leakware


It steals sensitive data from the device or network and threatens to publish it online unless a ransom is paid. Since 2019 most major ransomware groups have combined this with encryption, a tactic known as double extortion: data is exfiltrated before the encryptor runs, so that even a victim with good backups can be pressured into paying.

Most Common Ransomware Strains

Over the years, many ransomware strains have evolved, and continue to cause problems for organizations (and individuals) all over the world. The most well-known ransomware strains are:


  • Bad Rabbit
  • Petya
  • NotPetya
  • Ryuk
  • WannaCry
  • CryptoLocker
  • CryptoWall
  • Cerber
  • Locky
  • Jigsaw
  • GoldenEye
  • REvil

How to Prevent Ransomware Attacks

It's hard to trace ransomware perpetrators. Ransoms are demanded in cryptocurrency, which is pseudonymous rather than anonymous: transactions are visible on the blockchain, and the U.S. Department of Justice was able to seize part of the Colonial Pipeline payment, but laundering through mixers and uncooperative exchanges still makes attribution slow and uncertain. On the technical side, most strains are repacked or obfuscated for each campaign, so antivirus that relies only on static signatures will often miss the encryptor. Detection has to look at behaviour as well: a process that rewrites thousands of files in minutes, or one that deletes volume shadow copies, is suspicious whatever its hash.


However, it is possible to prevent ransomware attacks, or at least minimize their impact by following these best practices:


  • Run up-to-date endpoint protection with behavioural detection, and a firewall that keeps RDP and SMB off the internet
  • Patch the operating system, applications and especially internet-facing appliances such as VPN gateways promptly
  • Require multi-factor authentication for remote access and administrative accounts, and keep day-to-day users out of the local administrators group
  • Back up all data and keep at least one copy offline or immutable; an always-connected external drive or a synced cloud folder will simply be encrypted along with the originals
  • Test restores regularly, since a backup that has never been restored is not yet a backup
  • Educate users on phishing, social engineering and other threat vectors
  • Avoid using insecure or open Wi-Fi networks on work devices
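Because signatures alone are unreliable, defenders lean on behavioural signals, and the same signals help scope the damage once an incident is under way. The following added example (not from the original article, and not any product's detection logic) shows one such signal in Go: the Shannon entropy of a file's contents, which rises to nearly 8 bits per byte when a document is replaced by ciphertext. It is combined with an extension check so that archives and media, which are high-entropy by nature, are not flagged; a keyword check for ransom notes; and a directory-level fraction to separate one odd file from mass encryption. The file names, contents, keyword list and 7.5 threshold are all constructed for the demonstration, and random bytes stand in for both encrypted and JPEG data.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"path"
	"sort"
	"strings"
)

// shannonEntropy returns bits per byte (0 to 8): ciphertext and compressed data sit near 8, text far lower.
func shannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Formats that are high-entropy by design; a high reading alone means nothing for these.
var highEntropyByDesign = map[string]bool{".zip": true, ".gz": true, ".7z": true, ".jpg": true, ".png": true, ".mp4": true}

const (
	entropyThreshold = 7.5 // constructed starting point; tune it on your own file population
	reasonEncrypted  = "high entropy, not an archive or media format"
	reasonNote       = "ransom-note vocabulary"
)

type Finding struct { // one flagged file and why
	Name, Reason string
	Entropy      float64
}

func looksLikeRansomNote(data []byte) bool { // small text files using extortion vocabulary
	t := strings.ToLower(string(data))
	return len(data) < 8192 && strings.Contains(t, "decrypt") &&
		(strings.Contains(t, "bitcoin") || strings.Contains(t, ".onion"))
}

// ScanFiles applies both heuristics to a snapshot of a directory (name -> contents).
func ScanFiles(files map[string][]byte) []Finding {
	var out []Finding
	for name, data := range files {
		h := shannonEntropy(data)
		switch {
		case looksLikeRansomNote(data):
			out = append(out, Finding{name, reasonNote, h})
		case h >= entropyThreshold && !highEntropyByDesign[strings.ToLower(path.Ext(name))]:
			out = append(out, Finding{name, reasonEncrypted, h})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// EncryptedFraction is the directory-level signal: one odd file is noise, most of a tree turning into ciphertext is not.
func EncryptedFraction(total int, findings []Finding) float64 {
	n := 0
	for _, f := range findings {
		if f.Reason == reasonEncrypted {
			n++
		}
	}
	return float64(n) / math.Max(1, float64(total))
}

func randomBytes(n int) []byte { // stands in for ciphertext or JPEG data below
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// SampleFiles is a constructed snapshot, not real data: an untouched document, a photo
// that is legitimately high-entropy, two encrypted-and-renamed files, and a ransom note.
func SampleFiles() map[string][]byte {
	return map[string][]byte{
		"notes.txt":             []byte(strings.Repeat("Meeting minutes: action items and owners.\n", 100)),
		"photo.jpg":             randomBytes(4096),
		"report.docx.locked":    randomBytes(4096),
		"budget.xlsx.locked":    randomBytes(4096),
		"README_TO_DECRYPT.txt": []byte("Your files are encrypted. To decrypt them, send bitcoin to the address below."),
	}
}

func main() {
	files := SampleFiles()
	findings := ScanFiles(files)
	fmt.Printf("%+v\nfraction that look encrypted: %.2f\n", findings, EncryptedFraction(len(files), findings))
}
```

In practice this logic would be fed by file-write events from an EDR agent or audit subsystem rather than a directory snapshot, with the threshold tuned on the organization's own data. Two caveats: some newer families encrypt only part of each file to run faster, which lowers whole-file entropy, so measuring per block (4 KiB, say) catches more; and the flagged list doubles as the inventory of affected files that the damage-assessment step in the response section below needs.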

What to Do After a Ransomware Attack

If a system is infected with ransomware, it’s vital to act quickly to mitigate its impact. The important actions to take are:


  • Quickly isolate the infected device from the enterprise network and the Internet (pull the cable or disable the adapter; do not wipe it yet)
  • Disconnect any other devices that are behaving suspiciously, and consider taking shared storage offline so that it cannot be encrypted over the network
  • Preserve evidence before cleanup: the ransom note, a sample encrypted file, memory and logs, so that the intrusion path can be reconstructed
  • Assess the damage and create a list of infected systems and affected data
  • Identify the ransomware variant from the ransom note and the extension added to encrypted files, and brief affected users on what to look for
  • Report the incident to the proper authorities and, where applicable, regulators and cyber insurers
  • Rebuild infected systems from known-good images rather than trusting an antivirus clean-up; the encryptor is usually the last stage of an intrusion, and the attacker's other footholds may still be present
  • Restore data from backups, after verifying that the backups are intact and predate the intrusion
  • If a viable backup is not available, look for free decryption options; the No More Ransom project publishes decryptors for families whose keys have been recovered or whose encryption was flawed


If neither backups nor a decryptor are available, the realistic choices are to accept that the files are lost and rebuild from scratch, or to negotiate with the attackers, which is expensive, offers no guarantee (recall that only a minority of those who pay get everything back) and may be unlawful where the group is subject to sanctions. This is a painful process, which is why regular, tested, offline backups matter so much. Periodic vulnerability scans and penetration tests are also a proactive way to find weaknesses that may leave the organisation exposed to ransomware.

Conclusion

We hope this article answers your question: what is ransomware?


In 2019, ransomware caused $11.5 billion in global damage. In 2020, this figure jumped to $20 billion. Ransomware is now a lucrative business, and companies everywhere are vulnerable to it. That’s why they must take preventive action to protect themselves and their customers from this threat.
