Gaining access to ransomware and attacking a business is a lot easier than most people realize. In fact, it can be as simple as buying prepackaged software online and following the instructions.
Now more than ever your company must be ready for ransomware. That means knowing what threats to watch out for, having appropriate defenses in place, and writing a plan of action for the event that an attack gets through.
Ransomware is a type of malware (computer virus) designed to lock access to files, devices and even entire networks. If the victim wants to regain their access, they must pay a ransom - hence the name.
Usually the ransom must be paid within a strict time limit, or else the attacker may never give back the victim's data - they might even go on to sell it on the black market, or release it publicly. In fact, on average, companies can only restore 65% of their lost data per attack (Sophos).
Figures differ depending on the source. However, a report by Coveware found the median ransomware payment for Q1 2022 had dropped to US$36,360 (€20,883). Some reports indicate the average is much higher, though most use a mean average rather than a median - so outliers pull the figure up.
Coveware's relatively small median represents a change in trend: where once attackers used to attack big brands for seven-figure payouts, they have been shifting to lower-profile, mid-market victims in order to escape media headlines and, thus, scrutiny by law enforcement.
That said, the total cost of a data breach can be much higher
While ransoms may not be what they once were, the total cost of a data breach - when taking into account people or outsourced firms, technology fixes, reputational harm and even fines - is much higher.
In 2022, the average cost of a data breach was $9.44 million (€9.5 million) (IBM).
The three most popular are:
Three other ransomware types are also relatively common:
Ransomware as a piece of malware can be quite simple - all it needs to do is encrypt data or replace access to a device with a lock screen. Additionally, it may enable communication between attacker and victim.
However, ransomware is more than just malware. It requires an entire, multi-stage attack strategy in order to succeed - meaning there are a lot of steps involved leading up to the deployment itself. Some of these steps will leave a trace in the victim's system, meaning cyber security professionals defending against ransomware can often block an attack long before it occurs (more on that below).
Choice of target is an important part of a ransomware attack. Cyber criminals must find not only a company that they believe will be willing and able to pay up, but also one that has enough weak points in its security that the attack will actually succeed.
As mentioned above, cyber attackers are starting to shift away from previous big-ticket attack targets. In the past, cyber crime almost exclusively struck significant brands and ransom payments could be in the millions. But, these days anyone can be a target - it's often safer for cyber criminals to hit smaller, mid-market enterprises with lower ransom demands, as they stand a better chance of evading the attention of law enforcement.
Wide-net phishing attacks
We're seeing a lot more targeting in modern cyber crime, but 'wide-net' attacks are still fairly common. This is where attackers let victims essentially choose themselves. They send out phishing scams to as many people as possible, in the hopes that just a few who are easy to dupe will respond and grant them access to a system, or download their malware.
Attacks from within
Because of the accessibility of ransomware thanks to RaaS, a ransomware attack may also originate from within a company - just about anybody can pick up a ransomware package and utilize it, it's that easy.
Current or ex-employees have been known as potential attack vectors. Sometimes these individuals grow disgruntled with their employer and attack it out of retribution, other times they may have been radicalized by others and used as a weapon.
This is known as a 'malicious insider', 'turncoat' or 'insider threat' attack.
At this point, our attacker knows who they want to target. This might be a company as a whole, or one or two specific employees at that company (yes - reconnaissance can get that detailed).
The next step is all about getting the right malware into the network undetected.
'Hacking' is often viewed as a feat of brute force, where someone sits behind a computer, types a lot, and 'breaks into' a system. But while brute force is a possible technique, it's far more common that attackers will use subtlety, trickery and time to sneak in.
So how are attackers getting in?
Loading ransomware into a system may require a few steps, depending on the chosen attack vector.
For example, the first step is often to steal login credentials. Then the attacker can install a backdoor allowing them to come and go as they please. Once inside they can adjust firewall and other security settings, or turn them off entirely. From here they will load their malware.
Alternatively, an attacker may trick victims into downloading a 'dropper', which is a piece of code that disguises itself as something else (software, an app or a document). Once downloaded onto the system, it is free to install other malware behind the firewall. This type of trick file is also known as a 'trojan'
Common infection and distribution methods include:
Ransomware can come from any of the above, in any combination. However, each of the attack techniques we've described are preventable. Even very basic best practice cyber security and training can make a huge difference - keep reading this article to learn more about how to prevent ransomware attacks.
At this point our attacker has found their victim and broken into the system one way or another. Now they are free to utilize their ransomware to prevent access to their chosen file or system.
How does a ransomware attacker choose what to encrypt/lock?
If they've had reasonably free access to the company network, they may have been able to view sensitive files and databases, allowing them to spot a target in advance. In this case, they will hone in on what they know to be business-critical and encrypt it.
Or, they may go more broad and encrypt large portions of the network so they catch both critical and non-critical files. Usually it's obvious which data is valuable, as most companies have similar file structures. Of course, lock screen attackers will just shut the whole thing down.
Ransomware can also act on its own
Ransomware can be designed to seek out certain file types (i.e. spreadsheets, PDFs or databases), encrypting all of them. Then, if programmed to do so, it'll spread into other areas of the network and keep looking for more files to encrypt.
Depending on how the network is set up, it may spill into other devices, or perhaps piggy-back into another company's system (if they're integrated sufficiently). Ransomware is also often programmed to look for backups, encrypting or deleting them so the victim cannot restore their system and circumvent the ransom demand.
Without the encryption key - held by the attacker - it is next to impossible to decrypt the locked data.
Finally comes the ransom part of ransomware.
The ransom note itself will usually come in the form of a lock screen, or a text file added to the system. This note is where the attacker demands their money, offers basic instructions on how to pay, and sets a time limit. If using double extortion, they will also add their second threat.
Cryptocurrency is the most common form of ransom payment type thanks to its perceived anonymity. The payment window is usually very short (even as little as 24 hours), to put maximum pressure on the victim and prevent their ability to negotiate.
When the payment is made, theoretically the attacker will hand back access. But, as noted earlier, not always.
It sounds crazy, but there are even victim hotlines
Some RaaS comes with more than just malware - it also comes with a victim hotline. In these cases, a phone number or other contact information is displayed alongside the ransom note encouraging victims to call. Then, a member of the criminal group will walk them through how to purchase cryptocurrency and send it to the attacker.
Negotiating with ransomers
Depending on the situation, victims may be able to negotiate for a reduced ransom. Many companies have in the past successfully bargained with cyber criminals - either by themselves or with the help of professional hostage negotiators - to reduce their ransoms. For example, JBS Foods managed to get their 2021 ransom down from US$22.5 million to $11 million.
We've mentioned a couple of times how many ransomware attackers don't just lock data, but steal it and sell it - that extra layer of threat requires an additional step, called data exfiltration.
Unfortunately, this is growing increasingly popular. As awareness of ransomware grows among the global business world and cyber security experts get better at dealing with it, ransomers need a new way to put pressure on their victims and double extortion is the way to do that.
Double extortion also prevents a company from restoring from backups as a means to get around paying the ransom - they might regain access by themselves, but their data has still been stolen.
Oh yes, exceedingly so. More than people tend to realize.
Two thirds of organizations (measured across 31 countries by Sophos) were hit by a ransomware attack or an attempted attack in the 12 months leading to February 2022. A huge figure! However, not all of those attacks were successful - 65% had their data encrypted, leaving 35% whose data remained safe. But, that 65% is an increase from 54% the year prior (Sophos).
Remote working as a result of the COVID-19 pandemic has exposed a great number of companies to new cyber security vulnerabilities, leading to a marked increase in the scale of attacks worldwide. The sudden uptick in the use of SaaS has had a profound impact in particular - notably, Verizon found that 62% of network intrusions came through an organization's partners.
Download now: Is your business secure? A cyber maturity checklist
If you think a lot of companies are being struck now, it used to be worse. The total number of cyber attacks has actually come down in recent years, as cyber attackers get more targeted and significantly more sophisticated in their techniques.
From 2015 to 2018, the number of worldwide malware (not just ransomware) attacks per year rose from 8.2 billion to 10.5 billion at its peak, coming down to 2.8 billion in the first half of 2022 (Statista).
Social engineering, specifically email phishing, was observed by Coveware to account for not only about a third of all ransomware infections at time of writing, but to have proportionally risen since 2018. In addition, Verizon analysis found the 'human factor' (such as human error or falling victim to scams) was involved in 82% of breaches in 2021.
As mentioned, trickery is at the heart of social engineering. It is about pretending to be someone or something legitimate so that you can lure a victim into handing over login credentials, downloading malware, or giving you remote access to their device.
Examples of social engineering tactics include:
RDP is Windows' Remote Desktop Protocol - a piece of software that enables remote workers to access and manage their work computer via their home computer. Thanks to the rise in remote working, RDP use saw a spike of activity in 2020 - leading to a similar spike in RDP attacks.
Brute force attacks (cracking someone's login credentials through repeated trial and error) in particular saw a surge starting in around March 2020 and skyrocketing in a matter of days. Kaspersky found that, to use Spain as an example, the number of brute force RDP attacks rose from less than 200,000 to over 1.2 million (Kaspersky).
Compromising external remote services like RDP remains a popular access method for ransomware. Indeed, Kroll noted its use in about 67% of cases in Q2 2022 - rising 700% since Q4 2021.
CVEs and zero-day exploits
CVE, or Common Vulnerabilities and Exposures, refers to a list of publicly known security vulnerabilities in the world's software. It's a list that's curated by MITRE, which also operates the popular threat intelligence database MITRE ATT&CK.
A zero-day exploit or zero-day attack is where cyber criminals attack a software vulnerability that they have discovered before the developers, or before the developers have had a chance to fix it. Hence the name 'zero-day', referring to the number of days the developer has left to patch the issue before it becomes a problem.
CVE and zero-day exploitation was noted in about 19% of ransomware attacks, found Knoll. This further highlights the risks of third-party vendor relationships from a security standpoint, and the need for security teams to be involved in those partnership negotiations.
Essentially all organizations from across sectors have some degree of cyber security risk relating to ransomware. But, the world's attacks show us that some targets are more popular than others.
Does your company fit into this victim profile (data from Trellix)?
Most commonly targeted countries
Most commonly targeted sectors:
Ransomware vs. companies which can't afford downtime
Some companies say they can't afford downtime, but they can. If only for a while. But, some organizations genuinely can't - it puts people's lives at risk. Healthcare is perhaps the biggest example here, and unfortunately ransomware attacks on the healthcare sector are also on the rise.
Sophos surveyed over 300 healthcare organizations and found that the number who had been hit by ransomware in the year leading to 2022 effectively doubled from the year prior (34% to 66%). Of those attack attempts, 61% resulted in data encryption.
No, not really. Ransomware is best prevented, not removed. It's a lot easier to mitigate the risk than it is to decrypt files, as encryption technology is by design almost impossible to crack.
So what steps can a business follow if it's hit by ransomware?
We'll cover this more extensively below so if you need this information now, keep scrolling.
In short, you're going to need to have an incident response team ready to go, who will review what's happened and respond accordingly. Because each attack is so different, it's hard to predict how best to act (although, again, we've offered some generalized tips below).
Some of the steps they may follow include:
There do exist some ransomware decryptor tools. These purport to be able to decrypt files, but they tend to be specific to independent ransomware strains - if you are infected by the right malware, you may be able to try them out. If not, they might not work at all.
We recommend consulting a security expert before giving these decryptors a go. If your data has been locked by ransomware, trying to break the encryption could escalate rather than de-escalate the situation.
Ensure that your entire system - or your critical data, if you can't afford to backup the entire thing - is backed up to a separate, secure location on a regular basis. This backup should not be connected to the main network in any way that stray ransomware could find and get into.
Test your backups to ensure that they are actually restorable.
ZeroTrust sounds harsh, but it's important. It's a security principle that says 'trust no one'. With a ZeroTrust model, access to the network is never assumed - it's always granted on a limited basis, to ensure that employees have the access they need and never the access they don't.
With ZeroTrust, if any one of your employees is compromised, their login credentials either have no access at all, or have only limited access to do damage.
PC versions, mobile device OS, app versions - all software and hardware used for business purposes should be kept up to date with the latest version. While zero-day attackers may still be able to exploit the software, it will ensure that any vulnerabilities on MITRE's CVE list have been patched over, and you aren't left exposed to any security flaws present in older technology that has, quite simply, gotten out of date.
From the highest-level board member right down to entry-level interns, everyone at your company (whether in-office or remote) should receive a base level of cyber security awareness training, and then regular updates from there on.
Base level training will give your people the skills they need to spot common attack techniques, and the confidence to speak up if they see anything suspicious. Then, regular reviews (monthly, or at least quarterly) will give you a place to update everyone on the evolving cyber warfare landscape and how it may impact your business.
Third-party risk, vendor risk and supply chain risk are all terms for the same thing - managing the cyber security risk of your partnerships.
Adopting a staunch third-party security policy does not need to negatively impact your relationship with a vendor or your employees' productivity using their software. It's just a way to assess risk, plan for it, and reduce the likelihood that your business can be compromised through its integrations.
Some quick tips:
Learn more: Managing third-party risks
Antivirus software isn't just for personal devices, it's also an important line of defense for all work devices too.
Go through all of your company devices and ensure that each has proper, up-to-date antivirus. Additionally, you'll want to write a policy (or update an existing security policy) that specifies who owns the process of checking and updating antivirus at your business, so this process is repeated regularly.
Your remote workers could be some of your most vulnerable. Many aspects of remote work can create weak points in a company's security perimeter, which cyber attackers have been increasingly seeking to exploit since the COVID-19 pandemic. Such weak points include unsecured personal devices used for work purposes, use of RDP or other exploitable software, a lack of cyber awareness relating to remote security, non-private Wi-Fi security, and more.
So how do you keep your remote workers safe from ransomware attacks? You'll need:
As you try to protect your employees from unsafe apps or website domains, you may be tempted into creating a blacklist - that is, a list of blocked apps/domains which you know to be risky. However, a blacklist isn't sufficient for the modern world. There are too many apps and domains you'd need to block.
Instead, look to create a whitelist. This is a list of allowed apps/domains - everything else gets blocked. Create this whitelist in conjunction with your people to ensure it has on it everything they need to be able to do their work effectively, as well as a degree of non-work activity (many employees desire access to social media at work, for example).
You'll also need to create a communications policy that allows people to request new apps or domains be added to the whitelist, and this whitelist should be reviewed regularly for effectiveness.
While you can't create a blacklist of apps or domains, you can create a blacklist of restricted file types and functions. The functions we've listed below have all been exploited by ransomware attackers in the past, so restricting them could help prevent certain attack vectors entirely.
Steps to take include:
Every process we've mentioned in this list needs an owner. This person (or rather, this role, as the person may change regularly as people come and go from the business) will be the owner of the process, and is accountable for overseeing that it takes place. Ownership of the process(es) must be written into their job description to ensure it doesn't get sidelined.
Owners should review their policies at least annually to ensure they remain fit for purpose as the business, and technology landscape, evolves. This will also allow them to perform updates or optimizations as necessary, and gives other employees a clear point of contact to talk to if there's a problem.
Like everything in security (and business generally!) it's good to have a policy in place to standardize your approach. This will allow you to train the people you'll need for dealing with a ransomware breach, practice the steps, and optimize.
The six components of a good ransomware incident response policy are:
Your incident response team are The Avengers of your cyber security response. When trouble comes calling, they'll get together and tackle the issue head-on.
A good incident response team should bring together not just IT expertise, but a broad range of disciplines to ensure the team has access to the skills it needs for each step of the plan.
Your team should include experts from:
This can help you cut some of your costs. In fact, IBM found in 2022 that such a team (with a tested plan) can reduce the cost of a breach by an average of $2.66 million (€2.4 million).
Set your incident response team to the task of containing the breach. They must figure out which systems have been compromised (it may be more than you think!), how the attacker got in, and whether or not anything was stolen.
With the ransomware contained, your IR team can start to slow down and think more carefully about the attack vector and its fallout.
If you're still not sure how they got in or to what extent they have infiltrated the system, this must be identified now. Can you determine what their objective was? That might help.
You'll also need to figure out the root cause of the breach. Not just the specific place they broke in, but all of the steps that led up to that point. As we've seen in this article, chances are it was either human error or a software exploit.
Everything must be documented. Because your company has been breached, a lot of other parties are going to want to see what has happened, and what you're doing about it. That includes key business stakeholders, shareholders, customers, some business partners and regulators.
The extent of the breach will determine who you need to notify. The legal and cyber security experts on your team will help the group advise which parties must be notified.
At minimum you are going to need to tell business leaders and local regulators. Regulators in particular are going to want to see all of the documentation you've collected, and they will likely scrutinize your cyber security top to bottom.
Customers and other stakeholders may need to be informed if their data has been compromised.
The next steps are hard to estimate as it'll depend on the extent of the ransomware attack. If you can't restore from backup or your company is being double-extorted, you're probably going to need to negotiate with the attackers and, potentially, pay up.
You will also need to feed any learnings from this process back into your business to ensure it can learn from the issue and close the gaps, while improving its defenses against future attacks.
Learn more: How to respond to a cyber breach
Cyber security is not 100% effective, and anyone who says that their solution is fool-proof is probably lying. The reality is that you can only ever mitigate, never entirely prevent, cyber attacks. Technology and techniques always advance, making it easy to slip behind in the cold war of cyber warfare. Plus, human error can mean even the best defense fails.
This means that at some point, you may suffer a ransomware attack and that will put you in a position where you must make a hugely difficult decision: To pay or not to pay.
Should you pay the ransom?
It's likely that, unless you live in a country where paying such a ransom is illegal, you will need to pay up. But, that doesn't mean you must pay the entire thing.
With the help of a professional police negotiator or private hostage negotiator, you may be able to bring the costs down. This could make your company a more frustrating target, which itself is a type of defense against future attack.
Here's the link again to our downloadable guide on whether or not to pay a ransomware ransom. It goes into more detail on this topic, and offers more tips for protecting against ransomware.
Should you report a ransomware attack to the police?
They may not have the resources to track down your attacker and bring them to justice, but they may be able to lend you a veteran negotiator to help you reduce the price of the ransom and make yourself a harder target.
Additionally, you'll be adding to their data which will help the police make strategic decisions moving forwards about how best to tackle the ransomware problem in your particular country. Police usually need data in order to change strategy.
What happens if you don't pay?
Unless you can decrypt your own data, which is unlikely, or restore from backups, you will probably lose your data forever.
Depending on the ransomware and the threats made, your attack may go on to sell your data on the black market or release it publicly in order to damage your reputation.
Will you get your data back if you do pay?
In most cases, yes. But, perhaps not all of it as we've mentioned earlier in this article. Most companies receive data back after paying, but it may not be wholly intact.
Additionally, even if you do get your data back, you may face punitive measures from your regulatory body. Regulators understand that breaches do occur, but tend to come down heavily on companies which could have done more to prevent the breach from occurring. Heavy fines and even jail time could apply.
Ransomware is a major threat affecting nearly all businesses around the world. Attacks are growing increasingly targeted and sophisticated, and even smaller companies aren't necessarily safe - as attacking smaller targets draws less attention from law enforcement agencies.
In order to protect yourself against ransomware, your business must:
If you're worried about any of the above, or lack the in-house experience to implement best practice ransomware protection measures, we can help. Contact us today for a free maturity consultation and we'll talk to you about your unique needs.