Products + Services Data Centers Industries Learn About
Ransomware is a type of malware that secretly enters a user’s system, usually because a computer user opened an email and clicked on a malicious link or attachment. Once in, the ransomware silently encrypts the user’s data. A ransom message is then displayed, demanding payment for a key that can decrypt the data.
Of the many types of cybercrime, ransomware is the fastest-growing. A ransomware attack could be happening right now, as unaware or negligent employees at any number of companies around the world click links in spam emails or activate macros in malicious documents. Their companies’ data will quickly be encrypted, and a ransom of hundreds, thousands, or even millions of dollars will be demanded for the data to be unlocked.
There is no single, guaranteed strategy for preventing a ransomware attack, or for recovering quickly if one does occur. However, there are protocols, practices, and processes to help mitigate attacks and minimize their damage.
For cybercriminals, ransomware is a highly profitable endeavor. For the victims of ransomware, it’s a costly one. Industry analysts predict global ransomware damage costs to reach $20 billion in 2021 – 57 times more than the costs in 2015.
Ransom money is only one-half of the cost involved. There are also the costs associated with downtime, which can bring business operations and revenue generation to a halt. With downtime due to ransomware attacks increasing, the related costs are likely to do the same. In the third quarter of 2020, downtime was 19 days compared to 12.1 days in the third quarter of 2019.
Additional costs can be attributed to all the working hours required to restore systems, clean up the damage caused by the attack, and strengthen cybersecurity.
On average, the cost to recover from ransomware attacks – without paying the ransom – totaled more than $732,520 in the US. When the organizations paid, the recovery costs nearly doubled to $1.4 million.
To combat ransomware and its ill effects, it’s important to understand how it originated and why it’s become so pervasive. While its origins are open to debate, many cite the AIDS trojan as the first documented case of ransomware.
Also known as the PC Cyborg virus, the AIDS trojan was released via floppy disk in 1989 by an eccentric biologist named Joseph Popp. He distributed 20,000 disks labeled “AIDS Information - Introductory Diskettes” to attendees of the World Health Organization’s AIDS conference.
While the disks included a program that measured a person’s risk of contracting AIDS based on responses to an interactive survey, they also contained a virus that encrypted victims’ files after they had rebooted their computer 90 times. To regain access, users were ordered to send $189 to a designated PO box.
Fortunately, an easily reversible form of cryptography had been used to hijack victims’ hard drives. Decryption tools were quickly released, limiting the damage and costs. Nonetheless, the AIDS trojan demonstrated how easy it was to gain access to users’ systems and coerce those users into paying up.
Various forms of ransomware appeared in the following years, but it wasn’t until the mid-2000s that cybercriminals started employing difficult-to-crack encryption algorithms such as RSA — a public-key cryptosystem used for secure data transmission. In 2011, combatting cybercrime became more difficult. The ransomware appeared that looked like a Windows Product Activation notice, making it difficult for users to distinguish between real notifications and malware.
Then in 2012, the ransomware game became even more deceptive with the introduction of the Reveton worm. Also known as the “Police Trojan,” it would display a warning supposedly from a law enforcement agency claiming that the computer has been used for illegal purposes. It would then restrict access to the computer and files. Users were literally locked out of their computers unless they paid a “fine” through a service such as Ukash.
Cybercriminals upped their game again in 2013 with the release of CryptoLocker. The ransomware encrypted files and then demanded a ransom in return for a key to decrypt them. It infected more than 250,000 systems between September and December 2013, earning its creators earned more than $3 million before the botnet used to carry out the attacks was taken out. It became the template for most of the ransomware attacks since.
On May 12, 2017, the largest cyberattack, as of that date, ravaged businesses around the world. A ransomware worm dubbed “WannaCry” leveraged a vulnerability in the Microsoft Windows operating system. In just a few hours it infected more than 300,000 machines in over 150 countries, encrypting data and demanding ransom payments in bitcoins. The list of victims read like a list of ‘who’s who,” with names like FedEx, Hitachi, Honda, the Ministry of Internal Affairs of the Russian Federation, Nissan Motor Manufacturing UK, Portugal Telecom, Shandong University, and the State Governments of India.
While ransomware attacks continue to impact businesses of all sizes, they’re increasingly affecting everyday life. Case in point: In 2020 a ransomware attack blocked access to healthcare and contributed to the first reported death. The attack locked a German hospital out of its systems, leaving it and unable to treat patients. A woman requiring urgent care was rerouted to a neighboring hospital but didn’t survive.
Another example occurred in May 2021 when a ransomware attack forced Colonial Pipeline, which provides roughly 45% of the East Coast’s fuel, to shut down operations and freeze IT systems. Concerns about potential gas shortages led many people to panic buy, creating fuel shortages and long lines at the gas pumps.
Ransomware has distinctive features that distinguish it from other types of malicious software — and that make it far more sinister.
Ransomware can encrypt all kinds of files, including documents, pictures, videos, audio files, and just about anything else that might reside on a computer.
It can also scramble file names, so a user won’t even know which data has been affected. By using unbreakable encryption, ransomware prevents most users from being able to decrypt their files on their own.
Some forms of ransomware may have data exfiltration capabilities. That means they can extract data from an infected computer, such as usernames and passwords, and send that information to a server controlled by cybercriminals.
Ransomware can also spread to other computers connected to a local network, creating further damage.
It often recruits the infected computers into botnets, so cyber-criminals can expand their infrastructure and launch more attacks.
Ransomware uses a complex set of evasion techniques to go undetected by traditional antivirus products, cybersecurity experts, and law enforcement agencies. It can remain inactive on a system until the computer is in its most vulnerable state and then strike fast. Ransomware also tends to be polymorphic. It can mutate and create new variations without altering its function.
Many ransomware attacks incorporate built-in traffic anonymizers to avoid tracking; others use domain shadowing to hide their activities as well as the communication between the downloader and the servers they control. Then, there are those that use encrypted payloads making it more difficult for antivirus to detect the ransomware.
A ransomware attack usually begins with what appears to be a normal email. What’s not normal about it is that it may contain a malware attachment or a click-through link to an infected website. Sometimes a fake pop-up ad appears on a user’s screen, claiming the user’s system has been infected and instructing the user to click on a link for help. In some cases, it may create a new master boot record for the drive. A message then appears demanding payment for a key to decrypt the user’s data.
Payment is often requested in cryptocurrency, a digital currency that works like a credit card but with no personal identifying information, which makes it difficult to track down the recipients of it. Ransomware also sometimes employs geographical targeting, meaning the ransom demand is translated into the target’s native language, to increase the chances for the ransom to be paid.
Typically, there’s a deadline for paying the ransom. If the deadline isn’t met, the ransom increases. Or, the ransomware may flood the user’s screen with pornographic images or use other mechanisms to force the user to pay up. Some forms also infect their hosts with more malware to steal users’ login credentials for online banking and retail transactions. Others may search for additional computers to infect on the same network.
Cybercriminals are never satisfied with the status quo and are always seeking new ways to exploit and profit. Among them are targeted attacks, typically on large organizations, that yield higher payouts rather than the broad-based attacks seen previously that collect small amounts of information from a massive number of victims.
The attacks entail going deeper inside the target organization’s systems with the goal of deploying ransomware to as much of the network as possible rather than to a single machine. The attack usually starts with exploiting one of three common compromise points:
Cybercriminals take their time to find out where everything is and understand how the systems work in order to obtain administrator privileges, which lets them exploit computers across the network.
They can then exfiltrate data, destroy backups, and deploy more ransomware wherever it can go. Once all this is done, the cybercriminals make their demands public and often threaten to release exfiltrated data or delete the only remaining copy of essential data.
Given the increasingly sophisticated, pervasive, and ever-changing ransomware attacks, it’s difficult to predict what’s next. However, there are few notable trends to watch:
There are several types of ransomware, and new variations are coming out at an ever-increasing pace. Some use encryption, while others ship as virus loads. Still, others are based on PowerShell. However, most ransomware can be classified into one of two categories: crypto-ransomware and locker ransomware.
Crypto ransomware is designed to block system files by encrypting the data. Payment is then demanded in exchange for a key to decrypt the blocked content.
Locker ransomware is designed to lock a victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted, but a ransom is still demanded for the infected computer to be unlocked. Some locker ransomware will infect the master boot record, the section of a PC’s hard drive which enables the operating system to boot up. When that happens, the boot process can’t complete, and prompts a ransom note to be displayed on the screen.
As of mid-2020, nearly 3,000 types of ransomware have been reported and more are likely to emerge. Here are some of the most widely known:
The FBI advises against paying digital ransoms, and the US Treasury has indicated ransomware payments can lead to sanctions for a business. There’s the possibility that the attackers may not actually have the keys to decrypt the hijacked data, or they may simply refuse to supply them. Plus, you open yourself and your organization up to future extortion attempts.
Nonetheless, many companies choose to pay the ransoms and get the decryption keys to unlock their data rather than spending time and money to try to get their systems back. Their actions are often driven by fear that there is no alternative; that not paying ransoms could be catastrophic due to the costs of downtime and the interruption to their business.
There’s also reputational damage to consider. Cybercriminals not only can keep data held hostage but can also expose the data if payment is not made. This could severely damage an organization’s reputation and brand value, particularly if customer information is involved. The number of organizations that paid the ransom increased from 26% in 2020 to 32% in 2021, although fewer than one in 10 managed to get back all of their data.
Most ransom payments are made in cryptocurrencies. The money is then often dispersed and mixed across numerous wallets to ensure anonymity. Some may be used for the cybercriminals’ operational needs while the rest is exfiltrated via numerous underground payment services.
Cybercriminals are indiscriminate when it comes to their ransomware targets. They’ll steal from individual users as well as global corporations. When they do go after individuals, it’s largely because they are relatively easy marks.
However, it’s the larger institutions such as corporations, schools, hospitals, and even government organizations that cyber-criminals prefer; that’s where the money is. They know that a successful infection can cause major business disruptions, which will increase their chances of getting paid. They also know that many businesses would rather not report an infection for fear of legal consequences and brand damage.
Many of these organizations manage huge databases of personal and confidential information that cybercriminals can sell on the black market. Data pulled from a variety of sources reported the per-record value of the following types of information:
Social Security Number $1.00
Streaming services such as Netflix and Spotify $2.75 - $3.00
Credit Card $8 - $22
Driver’s License $20
Email Address and Password $.70 - $2.30
Complete Medical Record Up to $1,000
Big company computer systems also tend to be complex, making them prone to vulnerabilities that can easily be exploited. Because ransomware can also affect servers and cloud-based file-sharing systems, there’s even greater potential for data hijacking. There’s also the human factor. Employees can be negligent, unsuspecting, or uneducated about security protocols and inadvertently click on a link that introduces ransomware into their company’s system. Weak BYOD (bring your own device) policies don’t help.
Ideally, you should never have to use decryption tools because you’ve been able to stave off ransomware attacks. However, combatting ransomware requires businesses to be prepared before, during, and after an attack. Among the best ways to accomplish this is to employ a multi-layered approach that prevents ransomware from reaching your networks and systems.
The following are some of the best practices to incorporate into your protection strategy against ransomware:
While the practices described will help prevent a ransomware attack, there’s no guarantee that one won’t happen. If it does, your organization must be prepared to minimize downtime and damages. If you suspect a ransomware attack, do the following:
Integrate the above steps into your disaster recovery plan. Your plan should also detail how to deal with ransom demands. Some organizations choose to inform authorities, so they can help with the investigation. Others prefer not to risk downtime and data loss by going ahead with a ransom payment. There is no right or wrong option. It will depend largely on your organization’s risk profile and how much potential downtime it can tolerate.
In addition, ensure your cyber insurance covers ransomware. Make sure that you’re fully covered if the worst does happen.
Ransomware is a highly successful enterprise for cybercriminals and will continue growing in sophistication and attack frequency. Law enforcement agencies, government entities, and security experts are working diligently to tackle the problem. However, it’s incumbent on potential targets of ransomware to do their part to keep the enemy at bay as well.
That includes employing security best practices, having a comprehensive, frequently updated data protection strategy in place, and always being vigilant.
For more information on combating ransomware and other cybersecurity threats, contact a US Signal expert today.
To learn more about ransomware, check out these articles below from our blog or visit our resource center for whitepapers, e-books and more!
Back in 2019, Gartner predicted that by 2025, 80% of enterprises would shut down their traditional data centers — and that 10% already had. It’s now 2024. If you’re still running your own data center, is it time to consider an alternative like colocation, the cloud, or a hybrid solution? Reasons to Ditch Your [...]
When a US Signal customer asked about immutability (the inability of a file to be changed) — specifically the immutability of backups in US Signal’s Disaster Recovery as a Service (DRaaS) solution that’s powered by Zerto, here's how one of our US Signal solution architects answered th question.
There are various options for where you can put your workloads. But not every environment is ideal. Learn about some of the factors that can help you decide where they will perform best.