Ransomware is one of the most dangerous threats businesses and consumers face today. Whether you are an individual or a Fortune 500 company, the experience of getting locked out of your system, having your files encrypted, and being subjected to threats and demands for payment can be harrowing.
While law enforcement and cybersecurity firms are fighting the rise of ransomware groups, this extremely lucrative and illegal business is flourishing. New ransomware gangs are appearing in the field every day, while more established ones rebrand and regroup to confuse efforts to track down and prosecute the perpetrators.
Here is everything you need to know about ransomware, how it works, and what you can do to mitigate the risk of attack.
Ransomware is one of the biggest cybersecurity problems on the internet and one of the most damaging forms of cybercrime organizations face today. It is a form of malicious software (malware) that encrypts files and documents on anything from a single PC all the way up to an entire network, including servers.
Once files are encrypted, victims are left with few choices: pay the criminals for a decryptor, restore data from backups, hope a free decryption tool exists for that particular variant, or start again from scratch.
Some ransomware infections start with someone inside an organization clicking on what looks like an innocent attachment that, when opened, downloads the malicious payload and encrypts the network.
Other, much larger ransomware campaigns use software exploits, stolen or guessed passwords, and other weaknesses to get into organizations through exposed points such as internet-facing servers, VPN appliances, or remote desktop logins. The attackers then move quietly through the network, often for days or weeks, until they control as much of it as possible, typically copying data out before encrypting everything they can reach.
It can be a headache for companies of all sizes if vital files and documents, networks, or servers are suddenly encrypted and inaccessible. Even worse, after you are attacked with file-encrypting ransomware, criminals will announce brazenly that they’re holding your corporate data hostage until you pay a ransom in order to get the data back. Some will even publish stolen data on the internet for all to see.
The first known ransomware, the AIDS Trojan (also called the PC Cyborg Trojan), was distributed to victims on floppy disk in 1989. The trojan counted the number of times the PC was booted: once it reached 90, it hid directories and scrambled the names of files on the hard drive, then demanded that the user 'renew their license' with 'PC Cyborg Corporation' by sending $189 or $378 to a post office box in Panama.
This early ransomware was a relatively simple construct. It used basic symmetric encryption that altered file names rather than file contents, with the key embedded in the program itself, so it was relatively easy to undo.
However, it effectively created a new branch of computer crime that grew gradually in scope and ambition. Once dial-up internet became available to consumers, basic ransomware appeared en masse.
One of the most successful variants was "police ransomware," which extorted victims by claiming the PC had been locked by law enforcement. It locked the screen with a ransom note warning the user they'd committed illegal online activity that could land them in jail.
If the victim paid a "fine," the "police" would let the infringement slide and unlock the computer. Of course, this had nothing to do with law enforcement: these were criminals exploiting frightened people.
Criminals learned from this approach, and the majority of ransomware schemes now use strong cryptography to lock down an infected PC and the files on it, typically a per-file symmetric key that is itself encrypted with the attackers' public key, so the data cannot be recovered without the private key that only the attackers hold.
Ransomware is always evolving, with new variants continually appearing and posing new threats to businesses. However, certain types of ransomware have been much more successful than others.
- WannaCry, attributed by the US and UK governments to North Korea, was used in one of the biggest ransomware attacks to date. In May 2017 it spread as a worm through an SMB vulnerability, causing chaos across the globe with more than 300,000 victims in over 150 countries.
- Locky was once the most notorious form of ransomware, creating havoc within organizations worldwide throughout 2016. It spread via phishing emails carrying attachments with malicious macros.
- One of the most prolific ransomware families during 2021 was REvil (also known as Sodinokibi), responsible for encrypting the networks of a large number of high-profile organizations, including through the July 2021 supply-chain attack on Kaseya's VSA management software.
- Conti, like REvil, combined encrypting networks with threats to publish stolen data in order to extort ransom payments. The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued alerts in 2021 about prolific Conti attacks, which claimed healthcare services and hospitals among their victims. The Conti brand was wound down in 2022, but its operators moved on to other groups.
- Cerber was popular in 2016 as one of the first 'ransomware-as-a-service' (RaaS) offerings, letting affiliates without technical know-how conduct attacks in exchange for a share of the profits going back to the original authors.
Ransomware comes in many variations, but at its heart it is designed to lock you out of your system and revoke access to your files. Modern operations also move laterally across networks, steal data, and encrypt or destroy it, and some include surveillance modules.
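As an added example, not code from the original article or from any ransomware family, the following Python sketch shows the kind of behavioral signal a defender can look for while an encryptor is running: a burst of file writes whose contents look random (high Shannon entropy) and land under an unfamiliar extension. The event format, the `.locked` extension, the thresholds and the sample data are all constructed for this example.

```python
import math
import os
import random
from collections import Counter, deque
from dataclasses import dataclass


@dataclass
class WriteEvent:
    """One file-write observation. Constructed format for this example; a real
    EDR or file-auditing agent would supply equivalent fields."""
    ts: float       # seconds since epoch
    path: str       # path after the write (any rename already applied)
    sample: bytes   # leading bytes of the content that was written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Text is typically 4-5; compressed or encrypted data is near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


HIGH_ENTROPY = 7.5   # assumed threshold for "looks encrypted"
# Formats that legitimately look random; writes to these are not suspicious by themselves.
RANDOM_LOOKING_EXT = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4", ".pdf"}


def suspicious(ev: WriteEvent) -> bool:
    ext = os.path.splitext(ev.path)[1].lower()
    return ext not in RANDOM_LOOKING_EXT and shannon_entropy(ev.sample) >= HIGH_ENTROPY


def detect_encryption_burst(events, window=10.0, threshold=20):
    """Return the timestamp at which `threshold` suspicious writes have occurred
    within `window` seconds (the moment to isolate the host), or None."""
    recent = deque()
    for ev in sorted(events, key=lambda e: e.ts):
        if not suspicious(ev):
            continue
        recent.append(ev.ts)
        while recent and ev.ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            return ev.ts
    return None


def build_sample_events():
    """Constructed data: benign office activity versus a simulated encryptor
    overwriting documents with random bytes and renaming them to .locked."""
    rng = random.Random(7)

    def random_bytes(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    text = b"Quarterly figures: revenue up 4%, costs flat, headcount 212. " * 70
    benign = [
        WriteEvent(1_700_000_000.0, "/srv/share/finance/q3.txt", text),
        WriteEvent(1_700_000_001.5, "/srv/share/finance/q3.csv", text[::-1]),
        WriteEvent(1_700_000_002.0, "/srv/share/media/logo.png", random_bytes(4096)),
        WriteEvent(1_700_000_003.0, "/srv/share/archive/old.zip", random_bytes(4096)),
    ]
    attack = list(benign)
    for i in range(30):   # 30 files rewritten in three seconds
        attack.append(WriteEvent(1_700_000_010.0 + 0.1 * i,
                                 f"/srv/share/finance/notes{i}.txt.locked",
                                 random_bytes(4096)))
    return benign, attack


if __name__ == "__main__":
    benign, attack = build_sample_events()
    print("benign:", detect_encryption_burst(benign))   # None
    print("attack:", detect_encryption_burst(attack))   # timestamp of the 20th .locked write
```

Entropy alone is a weak signal: modern Office files are zip containers and look just as random as ciphertext, which is why real products combine it with extension changes, rename rates, canary files and the lineage of the writing process. The point of the sketch is the shape of the detection, a sliding window over per-file observations, rather than the particular thresholds.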
While ransomware operations come and go, the individuals involved with building and testing the malware regularly move between them or seek new opportunities, meaning there’s a steady flow of new ransomware variants to potentially become the next big threat.
- Dish Network: A February 2023 attack against broadcast giant Dish Network led to service outages and the exposure of data belonging to roughly 300,000 people. The company may have paid a ransom, as a letter sent to affected individuals said the company "received confirmation that the extracted data has been deleted."
- Royal Mail: The UK's Royal Mail delivery service received an $80 million ransom demand following a January 2023 attack that severely disrupted deliveries, nationally and abroad. Company officials refused to pay.
- Caesars: Casino operator Caesars Entertainment suffered a ransomware attack and data breach in 2023, including the theft of customer loyalty-program data. Reports suggest the firm paid roughly half of a $30 million ransom demand.
- MGM Resorts: The attackers behind a chaotic September 2023 ransomware attack against MGM Resorts, which forced many services offline including point-of-sale systems, claimed they obtained the credentials needed for the intrusion with a single phone call to the company's IT help desk. Everything from casino slot machines to hotel room key cards stopped working.
The most immediate cost of a ransomware infection, if the ransom is paid, is the ransom itself, which varies with the type of ransomware and the size of the organization.
Ransomware attacks can vary in size but it’s becoming increasingly common for hacking gangs to demand millions of dollars to restore access to the network. And the reason hacking gangs can demand this much money is, put simply, because many victims will pay.
That’s especially the case if a network being locked with ransomware means the organization can’t do business — it could lose large amounts of revenue for each day, perhaps each hour, the network is unavailable. This downtime can quickly add up to millions of dollars in losses.
If an organization chooses not to pay the ransom, not only will it lose revenue for a period that could last weeks, perhaps months, but it will also have to pay a large sum for incident response and recovery work to restore the network, and there may be costly legal repercussions.
Whichever way the organization deals with a ransomware attack, the incident also will have a financial impact going forward, because to protect against falling victim again, the organization will need to invest in its security infrastructure and handle legal costs, potential class action lawsuits, and regulatory fines.
On top of all of this, there’s also the risk of customers losing trust in the organization because of poor cybersecurity, with clients taking their business elsewhere.
Paying the ransom is discouraged by cybersecurity firms and law enforcement because it funds further campaigns and marks the victim as willing to pay. There are instances where a victim has paid, only for the same attackers to return with another attack and another demand. Payment also brings no guarantee that stolen data has really been deleted, and paying a sanctioned group can itself be illegal in some jurisdictions.
One of the largest publicly reported ransomware payments was made by CNA Financial, one of the top US insurance providers, which reportedly paid $40 million in 2021 after falling victim to a ransomware attack.
To put it simply: Ransomware can destroy your business. Being locked out of your own files by malware for even just a day will impact your revenue. But given that ransomware takes most victims offline for at least a week, or sometimes months, the losses can be significant. Systems can remain offline for so long, not simply because ransomware locks the system, but because of all the time and effort required to clean up and restore networks.
And it isn’t just the immediate financial hit of ransomware that will damage a business; consumers become wary of giving their data to companies they believe to be insecure.
Cybercriminals have learned that businesses are not the only lucrative targets: hospitals, utilities, and industrial facilities are also being disrupted by ransomware, and such disruptions can have serious consequences for people.
The education sector also has become an increasingly popular target for ransomware campaigns. Schools and universities became reliant on remote learning due to the coronavirus pandemic — and cybercriminals noticed. These education networks are used by potentially thousands of people, many using their personal devices, and all it might take for a malicious hacker to gain access to the network is one successful phishing email or cracking the password of one account.
Small and medium-sized businesses are a popular target because they tend to have weaker cybersecurity than large organizations. Despite that, many SMBs falsely believe they're too small to be targeted, but even a modest ransom of a few hundred dollars is still highly profitable for cybercriminals.
Smaller businesses, including suppliers and service providers, can also make tempting targets because compromising them can provide supply-chain access to larger, more lucrative customers.
The rise of cryptocurrencies like Bitcoin has made it easy for cybercriminals to receive payments with less risk of the authorities being able to identify and trace the perpetrators.
Digital wallets are used to store cryptocurrency and — while not untraceable — this makes it more difficult to track and seize illegal funds — especially if the crypto funds are mixed and filtered out through multiple wallets and cryptocurrency exchanges.
Many ransomware groups offer “customer service” to help victims who don’t know how to acquire or send cryptocurrency to do so, because what’s the point of making ransom demands if users don’t know how to pay?
Because a large share of ransomware attacks start with attackers exploiting exposed remote-access services, above all Remote Desktop Protocol (RDP) and VPN gateways, one of the key things an organization can do to avoid falling victim is to ensure that such services aren't exposed to the internet unless they need to be.
Where remote access is necessary, organizations should ensure that credentials are strong and unique and enforce multi-factor authentication on those accounts. MFA means a stolen or guessed password is not enough on its own, and unexpected MFA prompts can also be an early sign that someone is trying to break in.
Systems should be patched with the latest security updates, internet-facing ones first, because many forms of ransomware, and other malware, spread through common, known vulnerabilities.
When it comes to stopping attacks via email, managers should provide employees with training on how to spot suspicious emails. Employees noticing unusual details — say, an email with sloppy formatting, or a message purporting to be from ‘Microsoft Security’ sent from an obscure address that doesn’t even contain the word Microsoft — might save networks from infection.
There’s also something to be said for enabling employees to learn from making mistakes while within a safe environment and through phishing training exercises.
On a technical level, blocking Office macros, particularly in documents downloaded from the internet (Microsoft now blocks these by default), is a big step toward ensuring employees can't unwittingly run a ransomware loader. Endpoint protection, alongside firewalls and behavioral anomaly detection, also helps.
At the very least, employers should invest in antivirus software and keep it up to date so that it can warn users about potentially malicious files. Backing up important files, keeping at least one copy offline or on immutable storage where an attacker with network access can't encrypt or delete it, and regularly testing restores is also key, because that makes it possible to recover the network without paying a ransom.
Even if attackers are already inside the network, it isn't too late. Ransomware is usually deployed only after days or weeks of reconnaissance and lateral movement, so if security teams spot unusual activity, such as password guessing against remote logins, new administrative accounts, or bulk data transfers, before the encryptor is launched, they can reduce the scope of the attack or prevent it altogether.
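As an added example of the kind of early warning described above, not code from the original article or from any vendor's product, the Python below parses a constructed, one-line-per-event rendering of Windows Security logon events and flags a source address that fails repeatedly against RDP and then succeeds. The event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the line format, thresholds, user names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed one-line-per-event format carrying the fields that matter from
# Windows Security events 4625 (failed logon) and 4624 (successful logon).
# Logon type 10 is RemoteInteractive, i.e. a Remote Desktop session.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)
RDP_LOGON_TYPE = 10


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def find_password_guessing(lines, max_failures=10, window=timedelta(minutes=5)):
    """Return (kind, source_ip, target_user, time) alerts: 'brute_force' when a
    source IP reaches max_failures failed RDP logons inside `window`, and
    'brute_force_success' when that same IP then logs on successfully."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent 4625s
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["lt"] != RDP_LOGON_TYPE:
            continue
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["eid"] == 4625:
            recent.append(ev["ts"])
            if len(recent) == max_failures:
                alerts.append(("brute_force", ev["ip"], ev["user"], ev["ts"]))
        elif ev["eid"] == 4624 and len(recent) >= max_failures:
            alerts.append(("brute_force_success", ev["ip"], ev["user"], ev["ts"]))
    return alerts


def build_sample_log():
    """Constructed log: one mistyped password from a staff member (198.51.100.4),
    then twelve failures and a success against 'administrator' from an unknown
    address (203.0.113.7). Both addresses are documentation ranges, not real hosts."""
    base = datetime(2023, 9, 11, 2, 14, 0)

    def line(offset, eid, user, ip):
        t = base + timedelta(seconds=offset)
        return f"{t:%Y-%m-%dT%H:%M:%SZ} EventID={eid} LogonType=10 TargetUser={user} SourceIP={ip}"

    lines = [line(0, 4625, "jsmith", "198.51.100.4"), line(15, 4624, "jsmith", "198.51.100.4")]
    lines += [line(30 + 2 * i, 4625, "administrator", "203.0.113.7") for i in range(12)]
    lines.append(line(60, 4624, "administrator", "203.0.113.7"))
    return lines


if __name__ == "__main__":
    for alert in find_password_guessing(build_sample_log()):
        print(*alert)
```

The success-after-failures alert is the one worth paging on: a lone burst of failures is routine internet noise against any exposed RDP port, but a success from the same address is the moment an intruder has a foothold and the clock on the eventual encryptor starts. With MFA enforced on the account the final 4624 would not appear at all, which is the point of the control described above.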
Simply put, ransomware can cripple a whole organization: an encrypted network is more or less useless, and not much can be done until systems are restored.
If a business has backups in place, systems can be back online in the time it takes the network to be restored to functionality, although depending on the size of the company, that could range from a few hours to days.
However, while it’s possible to regain functionality in the short term, it can sometimes take months for organizations to get all their systems back up and running.
Outside of the immediate impact ransomware can have on a network, the incident can result in an ongoing financial hit. Any period of time offline is bad for a business as it ultimately means the organization can’t provide the service it sets out to, and can’t make money. But the longer the system is offline, the bigger that hit can be.
And that’s assuming your customers want to continue doing business with you: In some sectors, the fact that you’ve fallen victim to a cyberattack could drive customers away.
The ‘No More Ransom’ initiative — launched in July 2016 by Europol and the Dutch National Police in collaboration with a number of cybersecurity companies — offers free decryption tools for ransomware variants to help victims retrieve their encrypted data without succumbing to the will of cyber extortionists.
Available in dozens of languages, and now offering numerous ransomware decryption tools, the program is regularly adding more tools for new ransomware variants.
Individual security companies also regularly release decryption tools to counter the ongoing evolution of ransomware – many of these will post updates about these tools on their company blogs as soon as they’ve cracked the code.
Another way of working around a ransomware infection is to ensure your organization regularly backs up data offline or to immutable storage, and tests that the backups actually restore. It might take some time to transfer the backup files onto a new machine, but if a computer is infected and you have backups, it's possible to isolate that unit and get on with your business. Just make sure that cybercriminals aren't able to reach, encrypt, or delete your backups, too.
There are those who advise victims to simply pay the ransom, citing it to be the quickest and easiest way to retrieve their encrypted data. And many organizations do pay, even if law enforcement agencies warn against it.
But be warned: If word gets out that your organization is an easy target for cybercriminals because it paid a ransom, you could find yourself the target of other cybercriminals looking to take advantage of your weak security. And remember that you’re dealing with criminals here and their very nature means they may not keep their word: There’s no guarantee you’ll ever get the decryption key, even if they have it. Decryption isn’t even always possible.