Learn more about ransomware, how it's deployed, and how to prevent becoming a victim of a ransomware attack yourself.
Ransomware attacks are on the rise. Between 2019 and 2020, ransomware incidents rose by 62% worldwide and 158% in North America. Targets include government institutions, corporations, and individuals. Earlier this year, it may have been the high-profile attack on the Colonial Pipeline, the top United States fuel pipeline operator, that finally captured the public's attention.
In this instance, a ransomware-related incident led to the company shutting down half of the East Coast's fuel supply. The potential impact of these attacks is enormous, and the Colonial Pipeline incident alone threatened the very heart of U.S. infrastructure and commerce. Even lesser incidents have threatened national security or cost companies and private citizens millions.
A basic ransomware definition: attackers use specialized malware to encrypt critical information, making it inaccessible to the victim. Once attackers have encrypted the user's data, they have effectively cut off all access to files, applications, and databases. The attacker then demands a ransom payment in exchange for restoring the victim's access to their data. These attacks are dangerous because attackers often design ransomware to keep spreading across the victim's systems, escalating the damage while the victim weighs its options.
Ransomware can enter networks and systems through various means. Typically, users receive a spam email and inadvertently download the malware onto their machine. Other methods include social engineering, malicious website links, chat messages, or thumb drives. Once on a device, the malware is typically launched by an executable file or by code embedded in document macros, and from there it reaches the network. As soon as this occurs, the ransomware begins encrypting data and appending extensions to files, rendering them inaccessible.
Some newer, more sophisticated versions of ransomware can infect systems on their own via vulnerable browser plugins. Once a system is infected and critical data is encrypted, attackers have tremendous leverage over organizations and individuals to demand payment.
In today's computing environments, some consider cyberattacks inevitable. Luckily, there are several ransomware prevention methods users can deploy to stop threat actors from infiltrating their networks and, failing that, to mitigate the worst of the impact.
Most ransomware attacks gain leverage over organizations by making their data inaccessible. Routine backups to external locations can significantly reduce that leverage, and the potential damage to an organization's interests, because the external backups remain accessible in the event of a breach.
Traditional virus scanners and malware detection aren't always sufficient to prevent ransomware attacks. Combating the evolving landscape and ever more sophisticated attacks targeting zero-day vulnerabilities calls for ransomware protection that is predictive and capable of protecting every endpoint in the network.
If ransomware does infect the network, it's imperative to limit its spread and isolate the damage. Network segmentation and robust firewall rules ensure that data encrypted by a ransomware attack is limited to only a subset of the network.
Training and user awareness remain the cornerstone of cybersecurity. Training employees on what ransomware is, on not opening emails from unknown senders, and on never clicking email links can go a long way towards preventing ransomware attacks.
The first step in preparing for ransomware attacks is establishing a contingency plan that sets out what to do if an attack occurs. A Cybereason study found that weekends and holidays are prime times for launching ransomware attacks against companies. Alarmingly, 36% of the survey's respondents stated that when the ransomware attack occurred, no specific contingency plan was in place to mount a response. The study also revealed that 24% of these organizations still don't have a contingency plan even after suffering an attack. Up to 49% of these organizations concluded that the attack succeeded because of inadequate planning and a failure to have the right security solutions in place.
Traditional signature-based antivirus solutions are ineffective against ransomware attacks because attackers often use novel, polymorphic, or repacked malware strains. Up to 46% of surveyed organizations indicated that they still rely on these traditional methods. Establishing endpoint detection and response (EDR) systems can significantly strengthen the defenses of critical systems and help prevent the worst impacts of ransomware attacks.
Ransomware removal involves a series of strategic steps, the first of which is isolating the problem. The next step is removing the infected systems from the network and killing any connections or interfaces to the data. Next, security teams must identify the source of the infection and shut it down. Then, operators must verify the integrity of their backups to assess the potential damage of not paying the ransom.
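The backup step above (and the external-backup advice earlier on this page) only helps if you can tell whether a backup is intact. The following Python script is an added example, not code from the original article or from any vendor it mentions: it records a SHA-256 manifest of a backup tree, then later reports files that went missing or changed, plus unmanifested files that look encrypted (a ransomware-style suffix or near-8-bits-per-byte entropy). The suffix list and the sample files are constructed for illustration.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Hypothetical suffixes, for illustration only; real strains use many others.
SUSPECT_SUFFIXES = (".locked", ".encrypted", ".crypt")

def sha256_file(path: Path) -> str:
    # read_bytes keeps the example short; stream in chunks for large backups
    return hashlib.sha256(path.read_bytes()).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n)
                for c in (data.count(b) for b in set(data)))

def build_manifest(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root: Path, manifest: dict) -> dict:
    """Report missing/modified manifest entries plus unmanifested files that look encrypted."""
    report = {"missing": [], "modified": [], "suspicious": []}
    present = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    for rel, digest in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != digest:
            report["modified"].append(rel)
    for rel, p in present.items():
        if rel not in manifest and (p.name.endswith(SUSPECT_SUFFIXES)
                or shannon_entropy(p.read_bytes()[:4096]) > 7.5):
            report["suspicious"].append(rel)
    return report

def demo() -> dict:
    """Constructed scenario: snapshot a manifest, then simulate tampering."""
    root = Path(tempfile.mkdtemp())
    (root / "ledger.csv").write_text("id,amount\n1,100\n")
    (root / "notes.txt").write_text("quarterly notes\n")
    manifest = build_manifest(root)
    (root / "ledger.csv").write_text("id,amount\n1,999\n")     # silent edit
    (root / "notes.txt").unlink()                              # original gone
    (root / "notes.txt.locked").write_bytes(os.urandom(4096))  # encrypted look-alike
    return verify_backup(root, manifest)
```

Store the manifest somewhere the backup host cannot overwrite, otherwise an attacker who reaches the backup can rewrite both the files and the record you compare them against.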
The FBI recommends that organizations not pay the ransom or engage with the cybercriminals responsible for the attack. That's where having routine, safe, and isolated storage backups can be a huge difference-maker in mitigating the impacts of a ransomware attack.
Ransomware-as-a-Service (RaaS) is a subscription-based model in which affiliates obtain already developed ransomware tools and use them to execute ransomware attacks. After performing an attack, the affiliate earns a percentage of the corresponding ransom payment.
Ransomware developers create and publish malicious code on the black market, commonly in exchange for a share of the ransom payment or for a set fee. That is a potentially dangerous development, as it lowers the bar to entry for malicious actors wanting to engage in ransomware attacks.