Ransomware isn’t just a problem for big businesses. According to Datto, 85 percent of MSPs reported ransomware as the most prevalent malware threat to SMBs in 2019.
Governments, companies, and other organisations are all at risk from ransomware. It can do anything from disrupting a major city’s operations to forcing a business’s permanent closure. But what exactly is ransomware and how does it work? In this post, we’ll define ransomware and look at how it affects businesses and users.
What Is Ransomware? A Definition of Ransomware
Simply put, ransomware is a form of malicious software (malware) that cybercriminals use to hit businesses where it hurts the most: access to their systems and data. It prevents users from accessing their devices and/or data, and its name comes from the fact that cybercriminals use it to demand payment in return for restoring access to the computers and data they are holding hostage. If the victim does not comply — or does not comply quickly enough — the attacker can delete or otherwise destroy the data, making it impossible to recover.
Although ransomware isn’t a new threat, it is becoming more prevalent. We’ve seen several articles claiming that VMware Carbon Black predicted a 900 percent increase in ransomware attacks in 2020, but I couldn’t find the source of that knowledge. However, according to Check Point reports, the average daily number of ransomware attacks increased by 50% in Q3 2020 compared to Q2 2020.
To answer a question like “what is ransomware?” you must consider how certain kidnappers function. I say this because ransomware is similar to how criminals kidnap children in order to extort money — but instead of manipulating children and their parents, it’s about controlling businesses (or people, governments, organisations, or whatever other targets they choose) in order to demand payment in return for access to their data or computers.
The following are some notable examples of crippling and expensive ransomware attacks:
- WannaCry ransomware attack (2017). By leveraging EternalBlue, an exploit for a documented flaw in Microsoft Windows operating systems, this ransomware attack infected 230,000 computers in approximately 150 countries. Despite the fact that Microsoft had released a security patch for the flaw, many organisations failed to apply it, leaving them vulnerable to attack.
- Atlanta, Georgia ransomware attack (2018). The municipal operations of this proud American city were practically crippled by a massive ransomware assault. According to the Atlanta Journal-Constitution and Channel 2 Action News, the attack could cost taxpayers up to $17 million: $6 million in current contracts and an additional $11 million in future costs associated with the March 22 attack.
- Ransomware attack in Baltimore, Maryland (2019). Following a ransomware attack that targeted several departments and agencies, this eastern U.S. city was hit with a bill of more than $18 million. When all was said and done, the attack necessitated more than two months of mitigating efforts, according to a comprehensive timeline provided by Heimdal Security.
- Ransomware attack on the International Space Station (ISS) (2020). This ransomware assault, which targeted a company in Denmark, is one of the most expensive in terms of total cost. According to Cybersecurity Insiders, the company had to regain control of its IT networks and other vital business systems at a staggering expense of $74 million.
What Does Ransomware Do?
In a nutshell, ransomware infects your computer and prevents you from accessing it and/or your data. This may involve encrypting the data on the computer, or it may be as simple as taking control of the computer or locking the screen, effectively turning it into a glorified paperweight.
Ultimately, the aim is to sabotage an organization’s ability to function before the cybercriminal receives payment. It’s an extortion tool, plain and simple.
The Time & Financial Implications of Ransomware
Ransomware attacks last an average of 16.2 days, according to Coveware’s Q4 2019 Ransomware Marketplace survey. As you would expect, a downtime of more than two weeks poses serious problems for companies and their customers.
However, ransomware doesn’t only threaten big businesses and governments. In reality, according to Coveware’s Q3 2020 data, 70% of ransomware attacks targeted small and medium-sized businesses (those with less than $50 million in sales and fewer than 1,000 employees). Professional service firms were the most heavily targeted industry.
But how serious is the threat of ransomware? In 2019, the FBI’s Internet Crime Complaint Center (IC3) received 2,047 ransomware-related complaints, with total losses of over $8.9 million. (Note that these figures only represent a small percentage of all incidents reported to the FBI.) “This figure does not include estimates of lost business, time, salaries, files, or facilities, or any third-party remediation services acquired by a victim,” the study states.
To make matters worse, several ransomware groups seem to be working together. Sophos analysts discovered ransomware code that appears to have been “shared through families,” according to their Sophos 2021 Threat Analysis. The average ransom payout increased dramatically from Q4 2019 to Q3 2020, jumping from $84,116.00 to $233,817.30, according to their study. The good news for small businesses is that higher ransom demands are usually reserved for larger corporations.
How Does Ransomware Work?
An example of how an employee feels when they discover their laptop has been infected with ransomware and the consequences for their business.
To gain access to a network, ransomware infects one or more computers. In fact, ransomware attackers usually only need one point of entry to carry out their malicious activities.
There are many different types of ransomware, and some of the variations depend on the platforms they target. Android ransomware, for example, which targets Android mobile devices, works differently than conventional ransomware that targets desktop and laptop computers. Why? Because the two platforms work in slightly different ways.
Ransomware for Android
According to ESET, two types of ransomware exist for Android devices: lock-screen and crypto-ransomware.
- Lock-Screen Ransomware: This malware prevents or regulates access to the infected computer.
- Crypto Ransomware: This form of malware encrypts the files of the target and holds them hostage.
The way Android ransomware functions varies depending on the form of malware. However, according to the Microsoft 365 Defender Research Team, this form of threat has previously hijacked the SYSTEM_ALERT_WINDOW permission on Android devices. Why? Because it produces a pop-up overlay that users can’t simply close.
Common Ransomware Infection Methods
Cybercriminals can infect computers and networks with ransomware in a variety of ways. The following are some of the most popular methods:
- Sending phishing emails with malicious links or attachments.
- Using social engineering techniques to persuade or deceive users into downloading or opening malicious files or visiting malicious websites.
- Using stolen remote desktop protocol (RDP) credentials, which can be purchased on the dark web for a low price. RDP is the leading attack vector for ransomware, according to Sophos’ 2021 Threat Survey.
- Infecting removable media, which victims then attach to networked computers and devices.
- Using “malvertisements” on websites their victims visit to automatically download malware onto their computers.
- Gaining network access by exploiting security flaws in network-connected devices (and any servers connected to them).
Consider the following scenario. Let’s say a cybercriminal sends a malware-infected email to a company’s HR employee. The malicious attachment is disguised as a resume, and the email is written in such a way that it appears to come from a candidate. The HR employee receives the email and opens the attachment on their laptop, believing it to be genuine.
The next thing they know, their stomach is in knots as a frightening alert appears on their screen. The message tells them that their computer and data have been compromised with ransomware and that they no longer have access to them. The only way they can reclaim access is to pay a certain amount of Bitcoin or another cryptocurrency.
Targeting Data Backups
Historically, officials’ advice for dealing with ransomware has been to rely on data backups to get networks back online. This is fine if you have a contingency plan in place… What happens if you don’t? Worse still, what if you do, but the ransomware attackers also threaten your backup systems? That does, in fact, happen.
According to data recovery company Databarracks, ransomware-wielding cybercriminals are not only encrypting their targets’ backups, but are also waiting before encrypting files so that the attack outlasts their targets’ backups.
Well, my friend, the fact is that if the former occurs, you’ll be up a creek without a paddle, let alone a boat. Our advice is to keep several copies of your latest backups in different locations (in both secure cloud and physical storage). Do you know what the 3-2-1 backup rule is?
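As an added example (not code from the article or from any vendor it cites), here is a small Python check of a backup inventory against the 3-2-1 rule (three copies, two media types, one offsite) plus an offline-freshness check, since the article's advice is to keep current offline copies. The inventory, field names and the seven-day freshness threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    name: str
    media: str          # storage medium, e.g. "disk", "tape", "cloud"
    offsite: bool       # stored at a different physical location
    offline: bool       # not reachable from the production network
    taken_at: datetime  # when this copy was last refreshed

def check_backups(copies, now, max_offline_age=timedelta(days=7)):
    """Evaluate an inventory against 3-2-1 plus an offline-freshness rule.
    Returns {rule_name: (passed, detail)}."""
    media = {c.media for c in copies}
    offsite = [c.name for c in copies if c.offsite]
    offline = [c for c in copies if c.offline]
    newest_offline = max((c.taken_at for c in offline), default=None)
    # An offline copy only helps if it is newer than the data you would lose.
    offline_fresh = (newest_offline is not None
                     and now - newest_offline <= max_offline_age)
    return {
        "3_copies": (len(copies) >= 3, f"{len(copies)} copies"),
        "2_media": (len(media) >= 2, f"media: {sorted(media)}"),
        "1_offsite": (bool(offsite), f"offsite: {offsite}"),
        "1_offline": (bool(offline), f"offline: {[c.name for c in offline]}"),
        "offline_fresh": (offline_fresh, f"newest offline copy: {newest_offline}"),
    }

def failed_rules(copies, now):
    """Sorted names of the rules the inventory fails."""
    return sorted(r for r, (ok, _) in check_backups(copies, now).items() if not ok)

# Constructed sample inventory (assumed, not from the article): three copies
# on three media, but the only offline copy has not been refreshed in a month.
NOW = datetime(2021, 3, 1)
SAMPLE = [
    BackupCopy("nas-snapshot", "disk", offsite=False, offline=False,
               taken_at=NOW - timedelta(hours=6)),
    BackupCopy("cloud-bucket", "cloud", offsite=True, offline=False,
               taken_at=NOW - timedelta(hours=12)),
    BackupCopy("vault-tape", "tape", offsite=True, offline=True,
               taken_at=NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for rule, (ok, detail) in check_backups(SAMPLE, NOW).items():
        print(f"{'PASS' if ok else 'FAIL'} {rule}: {detail}")
```

Run against the sample, every 3-2-1 rule passes but the stale tape copy fails the freshness check, which is exactly the gap an attacker who waits before encrypting would exploit.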
Ransomware Attacks Are on the Rise — And Even One Attack Costs an Arm & Leg
Ransomware is a growing market for cybercriminals, which is unfortunate for the victims of these attacks. According to Emsisoft’s State of Ransomware in the United States: Report and Statistics 2020, the 113 ransomware attacks that hit federal, state, and local governments and agencies alone cost a lot of money. Their estimate? Possibly $915 million, though it could be “many billions.”
Why such a wide range? They can’t provide a more precise figure because there’s a lot of missing data and variance.
Ransomware Attacks Don’t Just Encrypt Data
The state of ransomware report from Emsisoft also highlights a recent trend that has been gaining traction: attackers stealing data from their victims. This is unlike conventional attacks, in which hackers encrypt data but do not actually transfer it. According to a blog post on their website:
“At the start of 2020, only the Maze division was using this strategy. At least 17 others had embraced it by the end of the year and were posting leaked data on so-called leak sites.”
Attackers use this information as leverage in extortion and ransom demands: pay up or we’ll sell your customers’ information on the dark web and post all of your private emails!
The Effects of Ransomware Reach Beyond the Initial Target
Ransomware is bad news for everyone, not just the companies it targets. It can also be a nightmare for their affiliated companies. For example, in May 2020, Blackbaud, a cloud software solutions company, was the target of a ransomware attack. Fortunately, Blackbaud states that the assault was detected and eventually stopped. They were unable, however, to stop the attackers from stealing data first.
Businesses, non-profits, healthcare organisations, and educational institutions all over the world could be affected by the attack. According to Emsisoft, the ransomware attack targeted over 170 organisations, exposing the personal information of over 2.5 million people.
Should You Pay the Ransom? Not Unless You Want to Face Penalties
Depending on the source, there are several different answers to this question. Paying a ransom, for example, may be a “true recovery choice depending on business need and circumstances,” according to Forrester research. However, this is a business decision that requires a variety of factors to be considered.
Historically, ransom requests have been lower than the costs of restitution and damages incurred by impacted organisations. For example, in the Atlanta attack, the requested payment was approximately $50,000 in Bitcoin (although there is no more precise figure due to the cryptocurrency’s volatile value), while the attack was estimated to cost $17 million in total.
The FBI, on the other hand, does not recommend paying ransom demands in ransomware attacks. Their justification is twofold:
“Paying the ransom does not ensure that you or your company can receive any data back. It also allows criminals to seek more victims and provides an opportunity for others to engage in illegal behaviour.”
There’s an even more compelling reason to think twice about paying a ransom in a ransomware attack. The Office of Foreign Assets Control (OFAC) of the US Treasury issued an advisory in October warning that companies that make or facilitate ransom payments to sanctioned hackers could face sanctions. This applies, according to Reuters, regardless of whether the ransomware victims or the facilitators are aware that the hackers seeking payment are subject to US sanctions.
How to Protect Yourself & Your Organization from Ransomware
So, what can you do to safeguard yourself against ransomware? In its CISA Insights tip sheet, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) offers a few suggestions:
- All of your data and settings should be backed up. In addition to cloud backups, make sure to use offline backups.
- Always keep the devices and security solutions patched and current.
- Maintain an up-to-date incident response plan and put it to the test!
- Keep an eye on the news to see what other ransomware attacks can teach us.
Their CISA Insights sheet also includes advice on what to do if you’re the victim of a ransomware attack.
TL;DR on Ransomware
Here’s a quick-hits overview that addresses your questions about “what is ransomware?” and “how does ransomware work?”
- Ransomware is a form of malicious software that infects computers and encrypts data.
- It’s a form of cyberattack that tries to extort money from a target in return for access to their device(s) and/or data.
- In terms of how it works, ransomware for desktop computers differs from ransomware for Android devices.
- The remote desktop protocol (RDP) is the most commonly used attack vector for ransomware.
- Data exfiltration, rather than “just” data encryption, is becoming more popular in ransomware attacks.
- As part of their ransomware operations, some cybercriminals are now actively targeting data backups. This is why, in addition to cloud backups, it’s important to maintain current offline data backups.
- Some ransomware victims opt to pay the ransom, but this does not guarantee access to the infected systems or data. The FBI advises against paying in general because there’s no assurance that cybercriminals will stick to their deals or won’t be enticed to strike again because you paid the first time.
- Organizations that pay ransoms — or promote such payments — can be sanctioned by OFAC.