Ransomware is a type of malicious software (malware) that blocks a victim’s access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker. Attackers often promise to restore the data if the ransom is paid, but these days, victims cannot be sure about this assurance, as the risk of data being destroyed or leaked remains.
Ransomware can be categorised into two main types: those that use encryption (crypto ransomware) and those that do not (locker ransomware).
Crypto ransomware is the most common type of ransomware: attackers lock their victims’ files via encryption until the ransom is paid. Victims are often coerced into paying the ransom as only the attackers hold the decryption key needed to regain access to the files and data. Regardless of whether they pay the ransom, businesses are highly likely to face business disruptions and the risk of their data being sold on the dark web.
Doxware, also known as extortionware, adds a particularly insidious dimension to crypto ransomware. It not only encrypts victims’ data but also steals personal information like emails, photos, and other records. Attackers will threaten to release sensitive data to the public unless the ransom payments are made. Doxware attacks are often highly targeted, with attackers conducting preliminary surveillance to identify potential data targets and system weaknesses of specific victims.
As a sidenote, crypto ransomware shouldn’t be confused with crypto malware (cryptojacking) where the latter enables threat actors to mine cryptocurrencies from the victim’s devices.
Locker ransomware, or lockers, does not encrypt files. Rather, it locks victims out of their device or system. Lockers can work in various ways, such as disabling the mouse and keyboard, or displaying a persistent window that blocks other applications until the ransom payment is made. Users will be provided with instructions on how to make the ransom payments in exchange for regaining access to their devices or systems.
Ransomware originates from various vectors that take advantage of human susceptibilities, exploit weak credentials, and leverage technological weaknesses. Some common vectors by which ransomware can infect users include:
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information for information gathering, fraud, or system access. These manipulation tactics exploit victims’ sense of security by establishing rapport and trust. Social engineering attacks can come in various forms:
Cyber attackers often exploit flaws and weaknesses in the code or design of an operating system or application software to gain unauthorised access and conduct malicious activities. Zero-day vulnerabilities are one such example. They refer to inherent flaws or weaknesses in a computer system that are unknown to the developers, leaving them zero days to address the vulnerability before it is exploited.
Drive-by downloads are a type of malware that is unintentionally downloaded onto a computer or mobile device without the user's knowledge or consent. Victims typically encounter drive-by downloads by visiting an infected website or downloading infected files, some of which are ransomware. Since drive-by downloads can be triggered without the user clicking on anything to initiate the download, they can infect systems and spread easily among unsuspecting users.
Attackers take advantage of weak passwords to steal credentials, which they can use to infiltrate networks or devices and deploy ransomware. Additionally, they may sell the stolen credentials on the dark web, allowing other cybercriminals to exploit the same vulnerabilities.
Ransomware can also propagate laterally and infect multiple devices by using techniques such as pass-the-hash to impersonate legitimate users. Some advanced ransomware strains maliciously utilise legitimate network administration tools like remote desktop protocol (RDP), PowerShell scripts, or group policy objects to spread further.
Inspired by the Software-as-a-Service (SaaS) business model, the low barrier to entry of Ransomware-as-a-Service (RaaS) has contributed to its proliferation in the cybercrime space. Ransomware tool kits are developed by operators and sold to other hackers or affiliates, who then use these tools to launch attacks on victims. This model allows affiliates with no technical expertise to participate in ransomware attacks, making it easier for new cybercriminals to carry out their attacks.
In the RaaS model, specialised operators develop ransomware tool kits and maintain the back-end infrastructure. These kits are then sold to affiliates, who may lack technical expertise but can still effectively launch attacks. This division of labour increases efficiency and reach, as affiliates focus on infiltrating networks and deploying the malware.
The accessibility of RaaS is further enhanced by its user-friendly features, including customer support and regular updates. This makes it easier for new cybercriminals to participate in ransomware attacks, expanding the pool of potential attackers.
Financially, RaaS operates on a profit-sharing model. Affiliates typically receive a significant portion of the collected ransom, creating a strong incentive for widespread and aggressive attacks. This arrangement has not only increased the frequency of ransomware incidents but has also driven up their sophistication and effectiveness.
The evolution of ransomware attacks also saw the development of more sophisticated tactics to pressure victims into paying. This has led to the emergence of double- and triple-extortion techniques.
Double-extortion ransomware attacks involve two layers of threat:
This approach puts additional pressure on victims, because even if they can restore their data from backups, they still risk having sensitive information exposed.
Triple-extortion takes this a step further by adding a third layer of additional coercive pressure, which may include:
These multi-layered extortion techniques make ransomware attacks more damaging and complex. They target not just data availability, but also its confidentiality and the broader reputation and operations of the victim organisation. As a result, victims face increased pressure to pay the ransom, even if they have robust backup systems in place.
Ransomware attacks often have severe consequences for businesses, affecting them financially, operationally, and reputationally:
Financial impacts are often significant, including potential ransom payments, costly remediation efforts, increased insurance premiums, and revenue losses due to business disruptions. These costs can far exceed the initial ransom demand.
Organisations risk permanent loss of sensitive information if they are unable to decrypt their files. Modern attacks often involve double or triple extortion, adding another layer of risk.
Reputational damage can be long-lasting, eroding customer and investor trust, potentially leading to lost business opportunities and partnerships. If proprietary information is leaked, the organisation’s competitors may gain unfair advantages.
Most attacks cause significant operational disruptions lasting anywhere from 7 to 21 days on average. This downtime often results in substantial productivity losses and can be more costly than the ransom itself.
Start by securing your network access points, particularly by reviewing and limiting open ports. Pay special attention to Remote Desktop Protocol (RDP) and Server Message Block (SMB) ports, as these are common entry points for attackers. This not only fortifies your network security but also helps prevent unauthorised access and discourages drive-by download attacks on unsuspecting users.
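One way to put the port review above into practice is a policy check over the inbound firewall rule set. The script below is an added example, not Ensign’s tooling; it assumes a simplified rule format (name, port, protocol, source CIDR, action) and a constructed list of trusted management networks, and flags any allow rule that exposes RDP (3389) or SMB (445) to a source outside those networks.

```python
import ipaddress
from dataclasses import dataclass

# Ports the text singles out as common ransomware entry points.
RISKY_PORTS = {3389: "RDP", 445: "SMB"}

# Assumed trusted management/corporate ranges; adjust to the site's own addressing.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Rule:
    name: str
    port: int
    proto: str
    source: str   # CIDR the rule accepts traffic from
    action: str   # "allow" or "deny"


def is_trusted(source: str) -> bool:
    """True only if the whole source range sits inside a trusted network."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES)


def audit(rules: list[Rule]) -> list[str]:
    """Return one finding per allow rule that exposes RDP/SMB beyond trusted ranges.

    Each allow rule is judged on its own; on firewalls with ordered rules a
    preceding deny may shadow an allow, so review findings against rule order.
    """
    findings = []
    for r in rules:
        if r.action != "allow" or r.port not in RISKY_PORTS:
            continue
        if not is_trusted(r.source):
            findings.append(
                f"{r.name}: {RISKY_PORTS[r.port]} ({r.proto}/{r.port}) reachable from {r.source}"
            )
    return findings


# Constructed sample rule set for demonstration.
SAMPLE_RULES = [
    Rule("allow-rdp-any", 3389, "tcp", "0.0.0.0/0", "allow"),        # flagged
    Rule("allow-rdp-mgmt", 3389, "tcp", "10.10.0.0/24", "allow"),    # ok: management subnet
    Rule("allow-smb-corp", 445, "tcp", "192.168.1.0/24", "allow"),   # ok: corporate subnet
    Rule("allow-smb-partner", 445, "tcp", "203.0.113.0/24", "allow"),  # flagged: external range
    Rule("allow-https", 443, "tcp", "0.0.0.0/0", "allow"),           # not a port of interest
    Rule("deny-rdp-any", 3389, "tcp", "0.0.0.0/0", "deny"),          # deny rules are not findings
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print("FINDING:", line)
```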
Cybersecurity software forms another vital layer of defence. Deploy robust anti-virus programs to detect and prevent malware infections and utilise intrusion detection systems (IDS) to monitor network traffic for suspicious activities. Content filters can also play a crucial role by blocking access to malicious websites and downloads.
Regular scanning, updating, and patching are essential for maintaining a robust defence against ransomware. Pay special attention to critical security updates and patches and prioritise their installation. This proactive approach helps close potential entry points for ransomware and other malicious software.
Organisations can transform their workforce into a vigilant first line of defence by fostering a security-conscious culture. Regular training sessions equip users with the skills to spot phishing attempts, avoid suspicious downloads, and create strong passwords. Simulated attacks reinforce these lessons, while encouraging prompt reporting of potential threats keeps everyone engaged in the ongoing battle against cybercrime.
Implementing a robust backup strategy that includes off-site storage and frequent updates, and regularly testing these backups to ensure data integrity, provides a safety net in case of a successful attack. It also strengthens an organisation’s overall resilience, reducing the temptation to pay ransoms and enabling quicker restoration of normal operations.
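The integrity test above can be automated with a hash manifest recorded when the backup is taken and re-checked before the backup is relied on. This is an added example, not Ensign’s own procedure; it builds the manifest over a constructed temporary backup directory, then tampers with the copy to show how encrypted, deleted and renamed files surface in the report. The manifest itself should be stored separately (off-site or on read-only media) so an intruder who reaches the backup cannot rewrite it.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backup archives fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict[str, str]:
    """Map every file (relative POSIX path) under backup_dir to its SHA-256 digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the backup on disk against the manifest taken when it was written."""
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed backup set: record manifest, tamper with the copy, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db.sql").write_bytes(b"constructed database dump")
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_bytes(b"constructed quarterly report")
        manifest = build_manifest(root)       # would be stored off-site in practice
        # Simulated tampering: one file overwritten, one replaced by a renamed copy.
        (root / "db.sql").write_bytes(b"\x00\x11 not the original bytes")
        (root / "docs" / "report.txt").unlink()
        (root / "docs" / "report.txt.locked").write_bytes(b"\x22\x33")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```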
A comprehensive incident response plan can provide a clear guideline to help organisations identify, contain and eradicate threats fast. Organisations should also test and update the IR plan through tabletop exercises and simulations to identify gaps or areas for improvement. Having a good IR plan will strengthen the organisational cyber infrastructure and preparedness for a ransomware attack. Check out Ensign’s Incident Response Retainer Packages.
While antivirus software and vulnerability scans can help prevent ransomware attacks, external cybersecurity expertise can significantly bolster an organisation’s efforts in ransomware prevention and response. These specialists bring a wealth of experience and knowledge, and can offer critical guidance and support, especially during crises. They serve as a point of contact every step of the journey, from threat detection to forming a comprehensive incident response plan to prevent the next attack.
Ransomware attacks can cripple businesses, leaving them with the agonising choice of paying a ransom or facing devastating downtime and data loss. Even the most prepared organisations can struggle to navigate the technical complexities and high-pressure decision-making of a ransomware incident.
Ensign’s ransomware response expertise goes beyond decryption. We offer comprehensive guidance, including threat analysis, negotiation tactics, and post-incident remediation to help organisations recover swiftly and minimise damage.