What is Ransomware?
Ransomware, or ransom malware, is a type of malicious software that encrypts the victim’s files or locks the entire computer system, making them inaccessible. The attacker then demands a ransom in exchange for the decryption key or unlock code. Essentially, ransomware holds a victim’s data hostage until a ransom is paid. It is a form of cybercrime that can cause significant disruption to individuals and organisations, resulting in data loss, financial losses and damage to reputation. Ransomware is sometimes grouped with ‘scareware’ because it relies on intimidation to extract payment, but unlike scareware the threat is real: files encrypted with a properly implemented cipher cannot be recovered without the key.
What are ransom payments?
Ransom payments refer to the funds that victims are required to pay to cybercriminals in exchange for the tools needed to unlock their files. Once a victim’s files have been locked, a ransom note with payment instructions and the amount demanded is provided to them. This often includes threats and a deadline to create a sense of urgency. Victims are warned that if they do not pay within the specified time frame, their files will be permanently deleted. Ransom payments are often demanded in cryptocurrencies such as Bitcoin, which gives some anonymity to attackers and makes it harder for authorities to trace the transactions.
Paying a ransom is generally discouraged as it comes with risks of its own. For one, it does not guarantee that the attackers will provide a working decryption key, that decryption will succeed on every affected system, or that any stolen data will actually be deleted. Paying may also be illegal where the attackers are a sanctioned entity, and in every case it funds criminal activity and encourages attackers to continue their attacks.
What are the different types of ransomware?
There are many different strains of ransomware, including:
- Encrypting (crypto) ransomware, which encrypts the victim’s files and demands a ransom in exchange for the decryption key. This is the most common type of ransomware
- Locker ransomware, which locks the victim out of their computer or device and shows them a full-screen message demanding payment to regain access
- Master boot record (MBR) ransomware, which infects the MBR (an important part of a computer’s storage device that helps it start up and load its operating system), preventing it from starting up. Victims see a ransom note instead of their operating system.
- Mobile ransomware, which targets mobile operating systems such as Android by locking them and demanding a ransom for access
- Ransomware-as-a-Service (RaaS), where one group develops and maintains the ransomware and its payment infrastructure, and affiliates use it to carry out attacks in return for a fee or a share of the ransom payments
- Scareware or fake antivirus ransomware, which often appears as a pop-up or fake antivirus software claiming the victim’s computer is infected with malware and demanding payment to remove the supposed threats
- Doxware or leakware, which locks files and threatens to release private information to the public unless a ransom is paid – adding an element of extortion to the attack
- Double extortion ransomware, which steals sensitive data before locking files, and then threatens to release it unless a ransom is paid
- Fileless ransomware, which runs largely in memory and abuses legitimate tools already present on the system (such as PowerShell or WMI) rather than dropping its own executable on disk. It is harder for file-based antivirus to detect because it leaves far fewer artefacts on disk, although it still leaves traces in memory, process activity and event logs.
- Hybrid ransomware, which combines elements of different types. For example, it may both lock files and shut the victim out of their computer
- Customised ransomware, developed specifically for targeted organisations
How does ransomware spread?
Ransomware can be delivered through malicious email attachments, infected websites or by exploiting vulnerabilities in software and operating systems. Some of the most common ways in which it can spread include through:
- Malspam or phishing emails: Attackers send scam emails with malicious links or attachments such as PDFs or ZIP files. If someone opens or clicks on these, ransomware can be downloaded on their system.
- Drive-by downloads: Malicious or compromised websites exploit browser vulnerabilities, and infect visitors’ computers with ransomware
- Malvertising: Criminals may place malicious advertisements on trustworthy websites, and clicking on them can infect users with ransomware
- Software vulnerabilities: Attackers can exploit outdated software vulnerabilities to gain access to systems and deploy ransomware
- Remote desktop protocol (RDP) attacks: RDP is a technology that allows users to control a Windows computer from a different location. Attackers scan for RDP services exposed to the Internet and log in with stolen, leaked or brute-forced passwords; once inside they can disable defences and manually install and execute ransomware.
- Spear phishing: Attackers send targeted emails, often impersonating trusted entities, to trick victims into opening attachments or clicking links
- Social engineering: Cybercriminals use psychological manipulation to deceive victims into taking actions that compromise their systems, such as convincing them to download ransomware by impersonating tech support or other trusted parties
- Infected software installers: Attackers can contaminate real software installers by injecting ransomware into them, and unsuspecting users who download the compromised programmes infect their systems
- Shared networks: If one computer on a network is infected, the ransomware can spread laterally to other connected devices, for example over network file shares or by reusing stolen administrator credentials, especially if security controls such as network segmentation are weak
- USB drives and removable media: Cybercriminals may place ransomware on removable media, and when these are inserted into a computer, the ransomware infiltrates the system
- Watering hole attacks: Attackers take over websites that are frequently visited by a target organisation’s employees. When employees visit the hacked sites, they may unknowingly download ransomware.
- Instant messaging and social media: Some ransomware strains use social platforms to spread links to malicious websites or infected files.
What is a ransomware attack?
A ransomware attack is a type of malicious cyberattack in which cybercriminals lock a victim’s files or entire computer systems and demand a ransom payment to provide the tool needed to regain access to the data. Once ransomware has gained access to a victim’s computer or network, it begins locking files, making them inaccessible without a decryption key. Once the victim has been locked out of their files or system, they are shown a ransom note on the screen, demanding a payment. They are directed to a specific payment portal to pay the ransom. If the victim decides to go through with this, the attackers may provide the tool needed to unlock the files – but there is no guarantee that they will. It is recommended, instead, that ransomware attacks be reported to law enforcement agencies.
Who could be targeted with a ransomware attack?
Ransomware attacks can target a wide range of people and organisations, regardless of their size. Small and medium-sized organisations are often targeted because they tend to lack strong cybersecurity defences, and large organisations are prime targets due to the potential for significant financial gain. Manufacturers, retailers and banks and financial organisations can all be targeted. An attack on a financial institution could have far-reaching consequences for the economy.
Attackers do not discriminate based on the organisation’s mission, so public sector and nonprofit organisations are equally open to attack. Government agencies, educational institutions and healthcare providers are frequent targets of ransomware attacks. For the latter, data breaches can have life-threatening consequences if patient care is compromised. Power plants, water treatment facilities, transportation systems and law firms are also open to attack – as are high-profile public figures. Attacks may be plotted for financial gain or simply to cause disarray. In 2022, ransomware attacks made up over a quarter of all cyberattacks.
How to protect against ransomware?
Protecting against ransomware requires a layered approach. Organisations must regularly back up important data and systems using the 3-2-1 rule (three copies, two different media, one off-site), keep at least one copy offline or immutable so that an attacker who reaches the network cannot encrypt or delete it, and test restores regularly. They must keep all operating systems, software and applications up to date with the latest security patches and enable automatic updates where possible. Remote access services such as RDP and VPN should be protected with multi-factor authentication and not exposed directly to the Internet. Organisations are also advised to use antivirus and anti-malware software on all devices and implement email filtering to prevent phishing attacks. Web filtering tools should also be used to block access to suspicious websites. Strong network security measures, such as firewalls and network segmentation, must be employed, and regular cybersecurity training for employees to educate them about current ransomware threats should be mandatory.
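A backup only protects you if you can prove it is still intact at restore time. The script below is an added example (not code from this page or from Silobreaker): it records a SHA-256 manifest when the backup is made, keeps the manifest off the backup media, and later verifies the copy, flagging files that are missing, changed, unexpected, or that now look encrypted (high byte entropy). The directory layout, file names, threshold and the simulated tampering are assumptions made for the demo.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte: text sits around 4-5, encrypted or compressed data close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def write_manifest(backup_root, manifest_path):
    """Record 'sha256  relative/path' for every file. Keep the manifest OFF the backup media."""
    root = Path(backup_root)
    lines = [f"{sha256_file(p)}  {p.relative_to(root).as_posix()}"
             for p in sorted(root.rglob("*")) if p.is_file()]
    Path(manifest_path).write_text("\n".join(lines) + "\n")


def verify_backup(backup_root, manifest_path, entropy_threshold=7.5):
    """Compare a backup copy with its manifest.

    Returns a report listing files that are missing (deleted or renamed), modified
    (hash mismatch), unexpected (not in the manifest, e.g. '.locked' files or ransom
    notes) and high_entropy (changed or new files whose bytes look like ciphertext).
    """
    root = Path(backup_root)
    report = {"missing": [], "modified": [], "unexpected": [], "high_entropy": []}
    expected = {}
    for line in Path(manifest_path).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["modified"].append(rel)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(present - set(expected))
    for rel in report["modified"] + report["unexpected"]:
        # Sample the first 64 KiB; enough to separate ciphertext from documents.
        if shannon_entropy((root / rel).read_bytes()[:65536]) >= entropy_threshold:
            report["high_entropy"].append(rel)
    report["ok"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report


def demo():
    """Build a tiny constructed backup, verify it, then simulate ransomware reaching the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "report.txt").write_text("Quarterly report: revenue up 4%\n" * 50)
        (backup / "docs" / "budget.csv").write_text("item,cost\nlaptops,12000\nlicences,3400\n")
        manifest = Path(tmp) / "manifest.sha256"  # stored outside the backup tree (assumed layout)
        write_manifest(backup, manifest)
        before = verify_backup(backup, manifest)
        # Simulated attack on the backup copy (constructed, not a real sample):
        # one file overwritten with ciphertext-like random bytes, one renamed.
        (backup / "docs" / "report.txt").write_bytes(os.urandom(4096))
        (backup / "docs" / "budget.csv").rename(backup / "docs" / "budget.csv.locked")
        after = verify_backup(backup, manifest)
        return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("before:", "OK" if result["before"]["ok"] else "TAMPERED")
    print("after: ", result["after"])
```

The manifest is the trust anchor, so it must live somewhere the attacker cannot rewrite it alongside the files it describes; the entropy check is a heuristic that catches overwritten files even when the attacker keeps the original names.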
Organisations should develop a detailed incident response plan that outlines the steps to take in case of a ransomware attack, and carry out regular security assessments and vulnerability scans to detect and address weaknesses. They should stay informed about the latest ransomware threats and tactics by monitoring threat intelligence sources. Some organisations adopt a Zero Trust security model, which assumes that no one, whether inside or outside the organisation, is trusted by default.
How can organisations detect a ransomware attack?
Ransomware rarely arrives without warning signs. Organisations should monitor network traffic for unusual activity, such as large outbound transfers to unfamiliar hosts (a sign of data being stolen before encryption) or scanning between internal machines, and use endpoint detection tools to spot suspicious behaviour on hosts: a single process renaming or rewriting large numbers of files in a short time, files acquiring a new uniform extension, ransom note files appearing in many folders, deletion of volume shadow copies or backups, and security tools being disabled. Email filtering should flag phishing attempts before they reach users. Antivirus and anti-malware software must be kept up to date and used to scan systems regularly. User activity should be monitored for signs of intrusion, such as multiple failed login attempts, logins at unusual hours or from unusual locations, and changes to user privileges. Organisations must also train employees to recognise the warning signs of ransomware, and encourage them to report any unusual system behaviour or suspicious emails right away.
Ransomware intelligence helps organisations defend against attacks by highlighting the vulnerabilities that active groups are exploiting (so those can be patched first), and by providing attacker tactics, indicators of compromise and behavioural analysis that feed detection rules and decision-making. Monitoring cryptocurrency transactions is another source of signal: payments to wallets linked to ransomware groups reveal which campaigns are active and who is being hit, although this rarely detects an attack on your own network before encryption begins. Finally, organisations can deploy decoys: honeypot systems that mimic real targets, and canary files placed on file shares that no legitimate process should ever open. Any access to them, or a sudden rewrite of their contents, is a high-confidence alert.
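The host-level signals described in the two paragraphs above (mass renames to a new extension, ransom note drops, shadow copy deletion and canary file access) can be turned into simple detection logic. The following is an added example, not code from this page or from Silobreaker: it runs those rules over a constructed file and process audit log. The log format, the process names, the canary path, the regexes and the thresholds are assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real telemetry). One event per line:
#   <ISO timestamp>|<user>|<process>|<operation>|<details>
# RENAME details are "<old path> -> <new path>"; EXEC details are the command line.
SAMPLE_LOG = """\
2024-03-01T09:00:01|alice|WINWORD.EXE|WRITE|C:\\Users\\alice\\Documents\\report.docx
2024-03-01T09:00:05|alice|OUTLOOK.EXE|WRITE|C:\\Users\\alice\\AppData\\Local\\Outlook\\cache.dat
2024-03-01T09:05:30|alice|WINWORD.EXE|RENAME|C:\\Users\\alice\\Documents\\draft.tmp -> C:\\Users\\alice\\Documents\\draft.docx
2024-03-01T09:12:00|alice|svchost32.exe|RENAME|C:\\Users\\alice\\Documents\\report.docx -> C:\\Users\\alice\\Documents\\report.docx.locked
2024-03-01T09:12:00|alice|svchost32.exe|RENAME|C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\budget.xlsx.locked
2024-03-01T09:12:01|alice|svchost32.exe|RENAME|C:\\Users\\alice\\Pictures\\holiday.jpg -> C:\\Users\\alice\\Pictures\\holiday.jpg.locked
2024-03-01T09:12:01|alice|svchost32.exe|RENAME|C:\\Users\\alice\\Documents\\notes.txt -> C:\\Users\\alice\\Documents\\notes.txt.locked
2024-03-01T09:12:02|alice|svchost32.exe|RENAME|C:\\Shares\\Finance\\q1.pdf -> C:\\Shares\\Finance\\q1.pdf.locked
2024-03-01T09:12:02|alice|svchost32.exe|RENAME|C:\\Shares\\Finance\\q2.pdf -> C:\\Shares\\Finance\\q2.pdf.locked
2024-03-01T09:12:03|alice|svchost32.exe|WRITE|C:\\Users\\alice\\Documents\\README_TO_DECRYPT.txt
2024-03-01T09:12:04|alice|svchost32.exe|READ|C:\\Shares\\Finance\\DO_NOT_OPEN_payroll_2023.xlsx
2024-03-01T09:12:05|alice|cmd.exe|EXEC|vssadmin.exe delete shadows /all /quiet
"""

# Decoy ("canary") files planted on shares; no legitimate process opens them (assumed path).
CANARY_PATHS = {"C:\\Shares\\Finance\\DO_NOT_OPEN_payroll_2023.xlsx"}

# Ransom notes are typically text/HTML files with names like these, dropped into every folder.
RANSOM_NOTE_RE = re.compile(r"(readme|how[_ -]?to|restore|decrypt|recover)[^\\/]*\.(txt|html?|hta)$", re.I)
# Commands ransomware runs to destroy local recovery points before encrypting.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|bcdedit(\.exe)?\s+.*recoveryenabled\s+no",
    re.I,
)


def parse_events(log_text):
    """Parse the pipe-delimited log into dicts; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, proc, op, details = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "proc": proc, "op": op, "details": details})
    return events


def _extension(path):
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(log_text, window_seconds=10, burst_threshold=5):
    """Run the heuristics and return a list of {'kind', 'process', 'detail'} findings."""
    findings = []
    renames = defaultdict(list)  # process -> [(timestamp, new extension)]
    for ev in parse_events(log_text):
        proc, op, details = ev["proc"], ev["op"], ev["details"]
        touched = details.split(" -> ", 1) if op == "RENAME" else [details]
        # 1. Decoy access: any operation on a canary file is a high-confidence alert.
        if any(p in CANARY_PATHS for p in touched):
            findings.append({"kind": "canary_access", "process": proc, "detail": details})
        # 2. Ransom note dropped.
        if op == "WRITE" and RANSOM_NOTE_RE.search(details):
            findings.append({"kind": "ransom_note", "process": proc, "detail": details})
        # 3. Recovery points destroyed.
        if op == "EXEC" and SHADOW_DELETE_RE.search(details):
            findings.append({"kind": "shadow_copy_deletion", "process": proc, "detail": details})
        # 4. Collect renames that change the extension; bursts are evaluated below.
        if op == "RENAME" and len(touched) == 2 and _extension(touched[0]) != _extension(touched[1]):
            renames[proc].append((ev["ts"], _extension(touched[1])))

    # Burst rule: one process renaming >= burst_threshold files to the same new extension
    # within window_seconds. A word processor renaming a single .tmp file stays quiet.
    for proc, items in renames.items():
        items.sort()
        for i in range(len(items)):
            j = i
            while j + 1 < len(items) and (items[j + 1][0] - items[i][0]).total_seconds() <= window_seconds:
                j += 1
            window = items[i:j + 1]
            new_exts = {ext for _, ext in window}
            if len(window) >= burst_threshold and len(new_exts) == 1:
                findings.append({"kind": "rename_burst", "process": proc,
                                 "detail": f"{len(window)} files renamed to .{new_exts.pop()} within {window_seconds}s"})
                break
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['process']}: {f['detail']}")
```

In production these rules would run on endpoint or file-server audit events rather than a text file, and the canary and burst rules are the ones worth alerting on immediately: by the time a ransom note is written, most of the encryption has already happened.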
What should organisations do after a ransomware attack?
Responding effectively to a ransomware attack is crucial to minimise damage, recover data and prevent future incidents. Following a ransomware attack, organisations should first isolate infected systems from the network (unplugging network cables, disabling adapters or quarantining the host through endpoint security tools) to stop the ransomware spreading further, but avoid powering them off until volatile evidence such as memory has been captured, since it may still hold encryption keys and attacker tooling. Next, they should inform their incident response team, IT department and senior management about the attack and execute the incident response plan, which outlines the specific procedures for dealing with cyberattacks. Organisations should then determine the extent of the infection by identifying which systems, shares and backups have been affected and whether data was exfiltrated, and report the attack to their local law enforcement agency and to legal counsel, who can advise on breach-notification obligations to regulators and affected individuals. Notifying employees and other relevant parties about the attack is also vital. Most importantly, the ransom should not be paid as it may encourage further attacks.
Following these immediate steps, organisations must remove the ransomware from the infected systems (usually by rebuilding them from known-good images rather than cleaning them in place), reset credentials the attackers may have captured, and thoroughly scan the network to ensure no backdoors, scheduled tasks or other persistence remain. They can then begin to restore affected systems and data, after verifying that the backups themselves were not encrypted or tampered with and that restored systems are patched before they are reconnected. Once files have been recovered and the ransomware removed, a detailed review of the incident must be carried out to understand how the attack occurred, what vulnerabilities were exploited and how similar attacks can be prevented in the future. The organisation’s security policies and procedures should be strengthened and updated based on lessons learnt from the attack, and detailed records of all actions taken during the incident response process should be stored. Finally, organisations must remain vigilant and keep monitoring their systems for any signs of the ransomware returning or of the attackers making use of retained access.
What is the history of ransomware attacks?
The first known ransomware, the AIDS Trojan, targeted MS-DOS-based computers and appeared in 1989. It was distributed on floppy disks sent by post to attendees of a World Health Organization AIDS conference; after a number of reboots it hid directories and encrypted file names on the victim’s computer. The ransom demand was delivered by post, and victims were ordered to send money to a post office box in Panama.
One of the earliest examples of modern ransomware, however, appeared in 2006. Known as Archiveus, it encrypted victims’ files and demanded a ransom in exchange for the decryption key, and was among the first strains to use asymmetric (RSA) encryption rather than a simple symmetric key that could be recovered from the malware itself. Early ransomware primarily encrypted specific file types such as .doc, .jpg and .pdf.
In 2011, SMS ransomware emerged, instructing victims to make premium SMS payments.
Next in the timeline was CryptoLocker, in 2013 – one of the first major ransomware threats. It used strong RSA-2048 encryption to lock files on infected computers and demanded Bitcoin payments for decryption keys. The success of CryptoLocker inspired many copycat ransomware strains. Following these, the world saw ransomware strains such as WannaCry (May 2017), which spread as a worm by exploiting an SMBv1 vulnerability in Microsoft Windows, Ryuk (2018), which focused on larger organisations, Maze (late 2019), which pioneered the double extortion tactic, the Colonial Pipeline ransomware attack (2021), which caused disruptions to the fuel supply on the US East Coast, and more. Today, ransomware attacks continue to steadily increase and advance at a rapid pace.
What are some examples of well-known ransomware attacks?
Some examples of well-known ransomware attacks include:
- WannaCry ransomware attack (May 2017) infected more than 200,000 computers in over 150 countries within days. It spread as a worm using the EternalBlue exploit for an SMBv1 vulnerability in Microsoft Windows, for which Microsoft had released the MS17-010 patch two months earlier, and demanded ransom payments in Bitcoin
- NotPetya (June 2017) initially appeared as ransomware but was later revealed to be wiper malware designed to cause destruction, since the encryption could not be reversed even if a ransom was paid. It was delivered through a compromised update of the Ukrainian accounting software M.E.Doc and then spread within networks using EternalBlue and stolen credentials, hitting organisations in Ukraine first but quickly spreading to other countries
- Bad Rabbit (October 2017) was a ransomware attack mainly targeting organisations in Russia and Ukraine. It spread through malicious websites and infected victims by tricking them into downloading a fake Adobe Flash update
- REvil (2019 – 2021) was a prominent ransomware group that targeted high-profile victims, including corporations and law firms. It had aggressive tactics and high ransom demands, and mysteriously disappeared from the Internet in mid-2021
- Ryuk (August 2018 – present) is a well-known ransomware strain known for its high-profile targets, including large enterprises and healthcare organisations. It usually demands large ransoms and is typically delivered through phishing emails that first install a loader such as TrickBot or Emotet, with the ransomware deployed by hand once the attackers have mapped the network
- The Colonial Pipeline ransomware attack in May 2021, carried out by the DarkSide RaaS group, began with a compromised VPN account that lacked multi-factor authentication. The company halted pipeline operations as a precaution, disrupting the fuel supply on the US East Coast, and the incident raised concerns about the impact of ransomware on critical infrastructure
How can Silobreaker help against ransomware attacks?
Ransomware threat intelligence protects your organisation from cyberattacks by alerting you about which attackers are trying to infect your network, how they’re attempting to infect it and what types of malicious tools they use to do so.
Silobreaker helps you avoid becoming a victim by predicting the target, delivery medium and infrastructure of the attackers, building the most comprehensive picture of ransomware campaigns and targets with automated data aggregation from millions of sources, forums and finished intelligence.
The Silobreaker threat intelligence platform provides you with the full context of each malicious campaign, extracting and prioritising threat actor groups and malware variants in relation to the industry, organisation, technology and vendors within your supply chain.
With Silobreaker, you can automate alerts to notify you as soon as your organisation is mentioned in the context of ransomware threats, and integrate with your SIEM to act on IOCs as they appear on the open and dark web.
The Silobreaker Workspace brings everything together by creating a single place to collaborate on analysis, build dashboards and run intuitive queries supporting over 100k search terms. It enables organisations to respond faster to threats based on the full picture of ransomware – from attacker groups to their latest campaigns, use of phishing and domains, CVEs and other TTPs – to put the right protection in place.
Silobreaker equips you with the actionable intelligence needed to stay ahead of the ransomware and other malware targeting your organisation and industry.