In this article, we’ll define ransomware, explore the different types of ransomware and the risks associated, and discuss how you can protect yourself from ransomware attacks. You’ll learn how ransomware works and what each various attack is seeking to accomplish. We’ll also put things into context in terms of real-world attacks like the recent one affecting Colonial Pipeline. And with a handy glossary at the end, you’ll be well informed and equipped with all the information you need about how ransomware works.Table of Contents
- What is Ransomware?
- Ransomware Resources
- How Does Ransomware Work?
- Types of Ransomware
- Ransomware Examples
- Ransomware Strains
- Ransomware Glossary
- How to Remove Ransomware
What is Ransomware?
Ransomware is a type of virus or malware designed to disable critical systems or prevent sensitive data access until a specified amount of money is paid. For example, a ransomware attack on a hospital might lock out doctors or administrators from accessing patient records they need on a continual basis. The attacker might then send out a system-wide message demanding payment in order to restore access.
On a high level, ransomware uses cryptography to encrypt and decrypt files. The malware encrypts access to systems or files, only granting a special private key when a ransom is collected. In short, ransomware keeps organizations from operating unless the attacker is sent payment. Hackers can also encrypt sensitive or private information, threatening to release it unless compensated.
Want to learn ransomware basics and earn a CPE credit? Try our free course.
Thankfully, there are resources available to help you protect from, prepare for, and potentially respond to ransomware attacks:
- A Brief History of Ransomware
- Netwalker Ransomware Guide
- How to Prevent Ransomware
- Ransomware and Data Theft
- Ransomware Data and Statistics
- GitHub Ransomware Tools
- Hotfix Ransomware Attacks
- Ransomware and Data Exfiltration
How Does Ransomware Work?
For a ransomware attack to occur, malware must first gain access to the system, usually via a single computer terminal. This often occurs using a phishing attack, where users are sent files or attachments that appear trustworthy. But when the user opens or downloads the file, the malware is released on the terminal. In sophisticated attacks, malicious software can even unlock advanced administrative access, compromising the system even further.
The most common form of ransomware immediately encrypts the user’s — or entire system’s — files. The mathematical key to unlock the files is known only to the attacker, who will agree to release them once payment is made. Oftentimes this is through a wire transfer to an offshore bank or an untraceable cryptocurrency payment to a specified wallet. Another variation called Leakware steals confidential data and threatens to release that information to the public, business competitors, or law enforcement unless payment is made.
In short, ransomware invades a computer or entire system at which point the organization is held hostage until they pay the ransom to the attacker.
Who is Targeted by Ransomware?
Ransomware attackers select their targets depending on a variety of factors. In some instances, attackers simply select weak targets. Either they’ve scouted a particular organization and know that its cyber defenses are sub-optimal, or choose a certain industry because of traditionally poor cybersecurity. Universities, for instance, make good targets because their security teams are smaller and conduct massive file sharing, providing hackers with a high number of endpoints to exploit.
Other times, ransomware attackers go after companies or governments that they feel are most able or likely to pay the ransom. Large corporations like Sony — the victim of one of the largest ransomware attacks in history — or governments typically have the funds and will most often pay out of necessity. Other institutions like hospitals are also likely to pay simply because lives are quite literally on the line if their systems are down for prolonged periods of time.
Finally, ransomware hackers will go after organizations they know have sensitive information that might be damaging if released to the general public. Files or data about legal proceedings or confidential intellectual property are targeted, and companies often hand over money to ensure those details aren’t made public. The financial damage that an entity would incur in many instances far exceeds the ransom payment, making these instances extremely profitable for ransomware actors.
Types of Ransomware
Ransomware comes in many different forms, has evolved over the years, and continues to morph in order to avoid modern cybersecurity measures.
Here are some of the main types of ransomware that you should be aware of:
This kind of malware locks systems and devices from performing basic functions. Keyboard and mouse functions may be disabled or login privileges denied. Users can typically interact with the device insofar as the attack lets them in order to make a ransom payment. Locky is one of the most common locker malware. The good news is that Locker attacks don’t aim to destroy or compromise data. Only to extract funds to restore functionality.
These attacks aim to encrypt important data such as documents, videos, or photos. While basic system functionality still exists, users are unable to access the files they normally do. Only the attackers have the cryptographic keys to restore access upon payment. Crypto attacks can also come with countdown timers, indicating that if payment isn’t made by the time the clock hits zero, all files will be deleted.
In these attacks, malware infects a system or devices and then poses as a legitimate alert, claiming to detect some other form of virus or malfunction. It then prompts the user to make a payment to a fake service or company to resolve the issue. It’s called Scareware because users often get scared into thinking there is a real issue and remitting payment, not knowing that the entire ordeal is a ransomware scam. All employees and staff should be trained on how to spot scareware and what to do if they suspect an attack.
These attacks threaten to distribute confidential or sensitive information online or leak them to various third parties. Doxware attacks can be highly effective, as mentioned because companies often see more financial damage taking place from leaked information than the ransom amount. Some information is so sensitive that it may even threaten the very existence of a business, making Doxware attacks extremely dangerous. Therefore, installing adequate data protection measures up-front is of the utmost importance for businesses.
This emerging type of ransomware functions almost exactly like Software-as-a-Service. The malicious actor doesn’t need any real technical skills, they simply purchase the ransomware over the dark web and pay a monthly subscription fee for its use. Attackers can then simply log in to the service, select targets, conduct hacks, and receive payments all through one interface.
The first ransomware attacks began occurring in the late 1980s. Criminals would obtain encrypted files — sometimes physically — and ransom them for cash sent via the postal service. The first major documented ransomware software was the AIDS trojan, a PC Cyborg virus that was released in 1989 in the form of a floppy disk. If infected with the AIDS Trojan, users had to remit a check to a P.O. box in Panama to restore their systems access.
Ransomware has obviously evolved tremendously since then, with 2021 witnessing one of the most sophisticated and impactful ransomware attacks in the form of Colonial Pipeline. A single leaked password was reportedly used to breach the system of the largest oil pipeline company in the U.S., forcing the company to pay upwards of $5 million in cryptocurrency to restore operations to their systems.
Infrastructure ransomware attacks like Colonial pipeline have been a trend, similar to the one that took place in 2017 against Britain’s National Health Service (NHS). Hackers are honing in on organizations and services that are critical to the ongoing functions of society, knowing full well that the cost of these systems being down on a prolonged basis far exceeds the ransom they’ll ask for. In fact, in 2020, healthcare accounted for over 50% of all ransomware attacks.
Third-party service providers and outsourcing organizations will also likely be increased targets of ransomware in 2021 and beyond. As companies become more distributed in terms of both business operations and IT infrastructure, malicious actors will look for vulnerabilities wherever they can find them. So although a company may be headquartered in the U.S. and have adequate cyber defenses, ransomware attacks may still try and find a backdoor via a contractor or data center in India or Brazil.
The volume of ransomware attacks is also likely to increase in 2021 and beyond, with the prevalence of RaaS being a huge contributor. RaaS lowers the barrier of entry to conducting ransomware attacks, and the market of such software continues to grow over the dark web. While most ransomware attacks will likely target smaller targets as criminals seek to “scalp” smaller amounts on a repetitive basis, there’s no telling when or how often another Colonial Pipeline incident may occur.
The following are well-known examples of ransomware strains:
- BlackCat (ALPHV)
- Bad Rabbit
|Term||What it is||What’s the impact|
|Malware||Short for “malicious software,” malware infects computers with viruses, bugs, and other damaging programs.||Malware prevents systems from functioning or data access unless a ransom is paid.|
|Phishing||Files or links containing malware sent to unsuspecting users, typically via email. Once clicked, the malware is released.||Phishing attacks can target any user within an organization who isn’t trained on how to spot one.|
|Social Engineering||Hackers pose as friends or connections on social media, tricking a user into divulging login or other information.||Hackers use social engineering to take advantage of human error to gain a backdoor into systems.|
|Whaling||A phishing attack that targets the most senior members of an organization or company for high-value attacks.||Executives often have high-value information on their devices and can be special ransomware targets.|
|Trojan||A file or software that seems legitimate and bypasses defenses, but contains ransomware code.||External software downloads need to be monitored carefully for trojan horse malware.|
|Doxing||When confidential information is compromised and threatened to be made public by the ransomware attacker.||Organizations need to pinpoint and protect information most vulnerable to doxing attacks.|
|Lockerware||Malware that locks users out from critical data or systems until a ransom is paid.||One of the most common ransomware attacks to guard against.|
How to Remove Ransomware
If you do fall victim to a ransomware attack, there are steps you can take to neutralize the malware and potentially remove it from your system. The first step is to immediately disconnect devices and systems from the internet. This includes wireless devices, external hard drives, storage media, and cloud accounts. Complete disconnection can prevent the spread of ransomware within your network.
Next, you’ll need to perform a complete virus scan of your systems and devices using whatever internet security software you’re using. This will help you identify the threat and quarantine the malicious software before it can take further action like device locking or file destruction. You can then delete those files and programs automatically using your software or on a manual basis if necessary.
In the event of a crypto-ransomware attack, you’ll need to employ a decryption tool to regain access to your data. Once you decrypt your files, the attacker loses all leverage to extort you financially. And in the event of Lockerware, users should restart their devices in Safe Mode. Doing this can sometimes bypass the malware, letting users navigate to the anti-virus programs on their desktop to quarantine and remove the malware.
Ransomware attacks are growing both in volume and sophistication, as illustrated by the Colonial pipeline incident. Both public and private sector organizations need to go above and beyond in their systems and data protection efforts to prevent ransomware attacks. Installing anti-virus software or hiring a small information security team with a “set it and forget it” mindset simply won’t get the job done.
You’ll need to create an internal culture of vigilance against malware, constantly update your cybersecurity technology stack, and seek experienced cyberdefense partners to stay ahead of the curve and avoid paying out millions to cybercriminals just to get your systems and data back online.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
David is a professional writer and thought leadership consultant for enterprise technology brands, startups and venture capital firms.