By DeVry University
December 08, 2021
Imagine instantly losing access to all of your most sensitive information, including financial account logins, personally identifiable data and your complete medical history. Now imagine that the only way to restore access to that information is by paying a faceless cybercriminal a large amount of money without a guarantee that your data will be restored.
These scenarios represent a growing attack vector that cybercriminals use to coerce individuals and companies worldwide to meet their demands: ransomware.
This type of malware encrypts the victim’s data and demands payment to provide the decryption key. These attacks are not new, but they have increased in recent years due to the rise in operational risks associated with more employees working from home, as well as the increase in “big game hunting” of high-profile company targets.
Read on to learn more about what ransomware is, how it works and how you can protect yourself and your organization from these types of dangerous cyberattacks.
What is Ransomware?
Ransomware is a type of malware (malicious software) that cybercriminals use to exploit weaknesses in cyber security, penetrate computer systems and lock up the victim’s data by encrypting it, then demand a ransom payment in exchange for restoring access to the encrypted files. This costly cybercrime has seen a significant uptick in recent years, particularly with the increased use of cryptocurrencies and the massive migration of employees from offices to work-from-home environments.
- The U.S. Cybersecurity & Infrastructure Security Agency (CISA) reported that ransomware attacks in January through July 2021 had increased by 62% from the previous year.
- The FBI’s 2020 Internet Crime Report states that it received nearly 2,474 complaints identified as ransomware attacks in 2020 alone, resulting in $29.1 million in losses.
Ransomware has existed since 1989, and combined with the Big Game Hunting (BGH) of high-profile targets by cybercriminals, it has become a growing concern for businesses and organizations of all sizes. According to CrowdStrike’s 2021 Global Threat Report, ransomware attackers are expanding their campaigns to include blackmail and other extortion techniques.
How Does Ransomware Work?
This kind of cyberattack is particularly devastating because while it takes only a short while for a cybercriminal to access a system, it often takes much longer for a company or organization to realize they’ve been breached.
Ransomware typically arrives as an attachment to a spam email, often a zipped folder, that exploits known vulnerabilities on the computer and then encrypts the data stored on it. The victim then receives a message demanding a ransom payment in exchange for removing the encryption and restoring access to their data. Some ransomware types use a countdown timer, giving the victim a short period of time to pay the ransom before the price increases or the files are permanently encrypted or leaked. In some cases, ransomware is installed manually by exploiting security holes in programs downloaded from cybercrime websites.
Based on information from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), Cisco and antivirus software maker Norton, some common ways cybercriminals can breach networks and deploy ransomware infections include:
- Social engineering, where cybercriminals use phishing and the exploitation of trust to trick users into downloading malware under false pretenses.
- Drive-by downloads, where malicious websites automatically exploit vulnerabilities in web browsers or plug-ins to install ransomware onto systems without user knowledge.
- Malicious email attachments, which often masquerade as innocuous files or links from legitimate sources.
- Hacker forums and marketplaces, which house downloadable software packages called “exploit kits,” a common source of ready-made exploits that attackers can use to target a victim’s machine remotely.
Extortion is a tried-and-true tactic, and cybercriminals are rarely caught, which makes ransomware attacks devastatingly effective. Their reliance on cryptocurrencies like bitcoin for ransom payouts avoids traditional financial tracing, allowing a clean escape after the damage is done. Unfortunately, the dynamic battle between ransomware targets and attackers is an ongoing cat-and-mouse game. There is no perfect solution, only continued improvements to cyber security protocols.
Primary Targets of Ransomware Attacks
Most ransomware operations are opportunistic in nature, meaning cybercriminals cast a wide net, knowing only a small percentage of the campaign will bring a payout. However, sometimes cybercriminals target certain types of businesses. Hospitals and school systems have become rich targets of opportunity because they:
- Do not regularly update their servers or software systems.
- Cannot shut down their systems to update or repair servers or networks due to the nature of their work (hospitals and manufacturers).
- Would suffer the most from disruptions to their operations.
- Have sensitive or prized data stored within their network systems.
Governments, organizations and average users are all potential targets for ransomware attacks. The health, education and manufacturing sectors are frequent targets because of the volume of data they hold and the likelihood that they’ll have to pay up.
How Big of a Threat is Ransomware Today?
Ransomware is a harmful form of malware that encrypts data on the target’s machine or network with strong cryptography, rendering it inaccessible without the decryption key that only the attackers hold. Once the criminals are inside your system, there’s not much you can do.
Common targets for this type of attack are small to medium-sized businesses (SMBs) with 500 or fewer employees. According to Norton, small businesses are not likely to have the same anti-malware protection or IT staffing capabilities as their larger counterparts and may also be more likely to pay the ransom because they lack the time or resources to invest in costly IT security measures or tolerate the downtime in production.
In a March 2021 news conference, Department of Homeland Security secretary Alejandro Mayorkas said small businesses comprise one-half to three-quarters of the victims of ransomware, and that ransomware attacks had increased by 300% in the past year. In its mid-year summary of small business cyber security statistics for 2022, Firewall Times reported small businesses are more frequently targeted by cyberattacks, with 43% of all data breaches targeting SMBs in 2019.
There are no guarantees that victimized companies will get their files back after paying the ransom or that authorities will catch the criminal. It creates a lose-lose scenario for the victims, forcing them to comply if they want to regain access to their data, systems and networks.
Ransomware is a threat to businesses everywhere, regardless of size. World cybersecurity leaders at a recent International Counter-Ransomware Initiative event held at the White House have called ransomware, “...an escalating global security threat with serious economic and security consequences.”
Recent Ransomware Attacks
Ransomware attacks carried out on a global scale have inflicted widespread damages and interrupted critical operations at dozens of public and private institutions. Here are a few examples:
The WannaCry ransomware attack of 2017 infected computers in at least 150 countries, with economic losses reaching up to $4 billion. European countries, including Russia, were the worst affected in what the European police agency Europol called an unprecedented cyberattack. The attack had a particularly damaging effect on healthcare organizations, such as the U.K.’s National Health Service. This was attributed to that system’s use of outdated and unpatched software on Windows devices.
In August 2018, a new variant of WannaCry forced Taiwan Semiconductor Manufacturing Company to temporarily shut down several of its chip manufacturing facilities after the malware spread to 10,000 of its machines.
Another noteworthy ransomware attack that occurred in 2017 was named Bad Rabbit. According to BBC News, this attack was reported by computer users in Russia and Ukraine and followed a similar pattern to the WannaCry and Petya cyberattacks, affecting the news agency Interfax, Russian media websites, Ukraine’s Odesa International Airport and an underground railway in its capital city, Kiev. Similar attacks were confirmed in Turkey and Germany.
Experts believed the ransomware used in this attack was related to the Petya malware, which was first discovered in March 2016 in Ukraine, due to similarities in the appearance of the ransom notes and their shared method of propagation across computer networks.
REvil, shorthand for Ransomware Evil, was a Russia-based private ransomware-as-a-service (RaaS) operation. REvil carried out a high-profile May 2021 ransomware attack on the meat packing company JBS, which temporarily shut down or disrupted operations at the company’s plants in the United States. It was later learned that JBS paid $11 million in ransom in Bitcoin to REvil.
In July 2021, REvil websites and other infrastructure disappeared from the internet. Politico reported that U.S. government officials were unclear as to why this happened, but it’s also reported that the disappearance of the group occurred shortly after a phone call in which U.S. President Joe Biden told Russian President Vladimir Putin that he expected him to take action toward putting cyberthreats that originated on Russian soil to an end, whether or not they were working independently of the state. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several members after being provided information by the United States.
Ryuk, a nasty form of ransomware with a global reach, first appeared in 2018 and is known for targeting large, public-entity Microsoft Windows systems. It is believed to be used by criminal groups that target organizations rather than individuals. The CISA website provides detailed information on how Ryuk infiltrates computer networks.
According to the FBI, more than $61 million in ransom was paid due to Ryuk attacks in 2018-2019.
In 2017, a new variant of ransomware called NotPetya (named for its resemblance to an earlier ransom malware called Petya), was used in a global cyberattack that forced its way onto users’ computers, permanently encrypting data as it went.
It affected businesses across the globe, including Merck, FedEx subsidiary TNT Express and food producer Mondelēz, among others.
How to Protect Yourself and Your Organization From Ransomware Attacks
When it comes to ransomware protection, it's about proactivity, early detection, prompt response and resilient recovery. You can learn how to defend yourself or your organization from ransomware attacks by implementing basic cyber security techniques recommended by the CISA, including:
- Understanding what ransomware does and how it works
- Backing up your data to external hard drives or trusted cloud providers
- Installing antivirus software on all machines and computers in your organization
- Keeping your software systems and networks up-to-date
- Installing only trusted programs
- Being wary of suspicious emails, attachments or links
- Ensuring that you have backups of essential files regularly updated at all times
- Monitoring your network traffic for any signs of an intrusion
Businesses and larger organizations can protect their data from targeted ransomware attacks by strengthening their defensive protocols and preparing for a ransom attack. CISA’s Ransomware Prevention Guide explains how to accomplish this goal with tips such as:
- Creating multiple layers of systems to deter criminals
- Taking advantage of data farm backups and cloud storage duplication
- Creating a detailed, proactive cybersecurity plan
- Using multiple authentication layers on every platform
- Training your employees to recognize and avoid ransomware phishing
- Considering cyber insurance, especially if you're in a more commonly targeted sector
If you have up-to-date antivirus software, the program will often detect most ransomware before it has a chance to do any harm. If you are not sure whether your system has been infected, there are some signs you can look for. Many ransomware variants create a text file containing the ransom note and leave it on the victim’s desktop or in one of their folders. The malware may also change your wallpaper to a message demanding payment for the decryption key.
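As an added example (not from this article, CISA or any antivirus vendor), the following Python script checks a directory for the two on-disk signs described above: ransom-note text files, and a cluster of files with unfamiliar extensions whose contents look encrypted. The keyword list, the set of "known" extensions, the entropy and ratio thresholds and the sample directory it builds are constructed assumptions for the demo and should be tuned for a real environment.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Phrases commonly found in ransom notes (constructed list; tune it for your environment).
NOTE_KEYWORDS = ("decrypt", "bitcoin", "ransom", "your files", "private key")
# Extensions expected on a workstation; other extensions holding random-looking bytes get flagged.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv", ".html"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data scores near 8.0, plain text around 4 to 5."""
    n = len(data) or 1  # an empty file yields 0.0 rather than a division by zero
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_ransom_note(path: Path) -> bool:
    """A small text-like file that mentions at least two typical ransom-note phrases."""
    if path.suffix.lower() not in {".txt", ".html", ".hta"} or path.stat().st_size > 65536:
        return False
    text = path.read_text(errors="ignore").lower()
    return sum(key in text for key in NOTE_KEYWORDS) >= 2

def scan_for_ransomware_signs(root, entropy_threshold=7.5, ratio_threshold=0.3):
    """Return ransom notes found, files that look encrypted, and an overall alert flag."""
    notes, encrypted, total = [], [], 0
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        total += 1
        if looks_like_ransom_note(path):
            notes.append(path.name)
        elif path.suffix.lower() not in KNOWN_EXTENSIONS:
            with path.open("rb") as fh:  # the first 4 KiB is enough to judge entropy
                if shannon_entropy(fh.read(4096)) >= entropy_threshold:
                    encrypted.append(path.name)
    ratio = len(encrypted) / total if total else 0.0
    return {"ransom_notes": sorted(notes), "encrypted_files": sorted(encrypted),
            "encrypted_ratio": ratio, "alert": bool(notes) or ratio >= ratio_threshold}

def run_demo():
    """Constructed sample tree: three untouched documents, three 'encrypted' ones, one note."""
    with tempfile.TemporaryDirectory() as tmp:
        for i in range(3):
            Path(tmp, f"report{i}.docx").write_text("Quarterly figures " * 200)
            Path(tmp, f"invoice{i}.xlsx.locked").write_bytes(os.urandom(4096))
        Path(tmp, "README_DECRYPT.txt").write_text(
            "Your files are encrypted. Send bitcoin to receive the private key and decrypt them.")
        return scan_for_ransomware_signs(tmp)

if __name__ == "__main__":
    print(run_demo())
```

Point scan_for_ransomware_signs at a user's home directory or a file share to run the same check on real data; a high encrypted ratio without a note is still worth investigating, since some variants drop the note only after encryption finishes.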
Some people mistakenly think that they need to submit the payment immediately to speed up the process of restoring their system. According to the FBI, this is unwise. When ransomware victims quickly pay the ransom, cybercriminals see that their campaigns work, which encourages them to plan more attacks. Additionally, there’s no guarantee that cybercriminals won’t attack again in the future or publish stolen data even after they’ve received the ransom payment.
Instead, if you suspect that you have been a victim of a ransomware attack, a better course of action is to bring the incident to your company (if you are an employee) or cybersecurity provider (if you are a business owner) first. Together, you can work to resolve the issue, and then contact the appropriate government agencies to report the cybercrime and receive guidance.
Responding to a Ransomware Attack
CISA recommends that you follow these steps in response to a ransomware attack:
- Determine which systems have been impacted by the ransomware and isolate them immediately. This may involve taking your network offline or unplugging affected devices from the network to stop the infection from spreading.
- If it’s not possible to disconnect devices from the network, power them down to avoid further spread.
- Identify critical systems and prioritize them for restoration and recovery based on a pre-defined critical asset list that includes all the systems that house critical information about health and safety, revenue generation or other important services.
- Meet with your incident response team to gain an understanding of what has occurred based on your initial analysis, and supply documentation of the situation.
- Talk to your internal and external teams and stakeholders, such as your IT department, managed security service providers, cyber insurance carrier, shareholders and investors, and see how they can help you mitigate and recover from the event. Keep management and senior leaders informed via regular updates as the situation develops as well.
CISA recommends following these steps if no initial mitigation actions appear possible:
- Take a system image or memory capture of a sample of affected devices, and pull together records of any samples or logs that include any precursor malware binaries or signs of compromise.
- If needed, confer with federal law enforcement regarding the availability of decryption methods that could break the ransomware’s encryption algorithms.
Ransomware Prevention Starts with You
You don't have to be a cybersecurity officer to follow standard cybersecurity protocols, prevent ransomware attacks and keep your data safe. These tips will help you protect your data and prevent it from being ransomed:
- Always keep your network systems and software up-to-date to decrease vulnerabilities
- Never click a link or install software unless you know exactly what it does and that it’s coming from a safe source
- Use an antivirus software program to help you detect ransomware before it’s too late
- Frequently back up your data to reduce damage in case you are attacked by ransomware
Pursue a Cyber Security Programming Career
Remember that "cat and mouse" game we mentioned above? If you find the challenge of outwitting cybercriminals by staying one step ahead intriguing, then pursuing a career in the field of cybersecurity may be the right fit for you.
Whether you’re an active information technology professional or looking to get involved in this dynamic field, we have a range of programs that can help you prepare to pursue your goals, such as our Undergraduate Certificate Program in Cyber Security, Bachelor’s Degree in Information Technology and Networking with a Specialization in Cyber Security or our Bachelor’s in Computer Information Systems with a Specialization in Cyber Security Programming.