What is Ransomware?—How to Prevent, Remove, and Respond to Attacks
The success of a modern business is heavily reliant on the network on which its computers and employees operate. With many risks looming online, a secured operating system and network are critical for most businesses to perform to their full ability.
One of the most prolific threats to modern business is ransomware. With global ransomware damage costs predicted to reach $20 billion by 2021, organizations need to ensure their security posture is sufficiently mature to protect against this pervasive malware.
In this article, we’ll dive into the history of ransomware, and then provide solutions on how to prevent, remove, and respond to ransomware attacks.
What is Ransomware?
IBM defines ransomware as a “form of malware that threatens to destroy or withhold the victim’s data or files unless a ransom is paid.” This is not too unlike ransom cases that we see in war and crime, where criminals hold people as hostages in return for large sums of money. But instead of people, cyber-criminals withhold valuable data and files in hopes of a big cash return.
Ransomware, just like other forms of malware, is software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. There are two primary types of ransomware: locker and crypto.
Research from the Beazley Breach Response (BBR) Services found that ransomware attacks increased by 131% between 2018 and 2019 alone. Cybersecurity Ventures predicts businesses will experience a ransomware incident every 11 seconds in 2021, up considerably from every 40 seconds in 2016.
“The ransomware landscape has been rapidly evolving. Back then, instances of ransomware typically involved the target’s data being encrypted, but not accessed or exfiltrated. Today, however, not only has the frequency of ransomware attacks increased substantially, but the added threat of a data breach makes them potentially much more damaging.”
2020 Breach Briefing, Beazley Breach Response (BBR) Services
Locker Ransomware
This type of malware blocks basic computer functions. For example, a user of an infected computer may not be able to access the desktop files or properly use the mouse and keyboard. By locking users from their computers and preventing them from using certain programs, cyber-criminals aim to have victims pay a ransom to regain control of their machines.
Crypto Ransomware
Crypto ransomware is malware that has been designed to encrypt the important data that is stored on a computer hard drive or network. Common targets include secured documents, files, photos, and other forms of personal information. Attackers demand a ransom from their victims, promising to hand over the decryption key that unlocks the data once payment is made.
Why is Ransomware So Popular?
There are two major forces driving the adoption of ransomware: Ransomware-as-a-Service businesses lowering the barrier to entry, and the sheer profitability for threat actors.
Ransomware-as-a-Service allows malware developers to rent out their malicious software in exchange for a cryptocurrency (such as Bitcoin or Monero) or a share of what the victims pay. This allows threat actors without programming skills to spread ransomware without spending their time on development.
Why is ransomware so profitable? Simply put, victims are willing to pay, even against FBI recommendations. Cybercriminals prioritize their targets based on the perceived odds of receiving a ransom payment from their victim. Researchers from IBM Security’s X-Force surveyed executives at 600 businesses and found that 70% of those that were hit with ransomware had paid the ransom.
How Do Ransomware Attacks Work?
Ransomware can be deployed in several ways, but it is most commonly spread through phishing emails, malicious websites, torrents, and shared networks.
Phishing
Often disguised as a promotional offer or free product, fraudulent emails containing malware are sent to users to retrieve personal information from infected devices.
Malicious Websites
Some websites attempt to install malware onto the computer of unsuspecting visitors, usually through popups or malicious web links.
Torrents
Online file sharing and downloading is a particularly dangerous realm of the internet as ransomware can be downloaded through a file without the user knowing.
Shared Networks
Computers connected through a shared network are at a high risk of being attacked if there has been a security breach and the system has been infected. Malware is capable of spreading from one computer to another on a shared network, making the need to prevent ransomware even more of a priority for organizations that rely on a broad network of shared devices with many users.
The History of Ransomware
The Early Years
It is reported that the first-ever successfully deployed ransomware virus was created in 1989 by a Harvard student. 20,000 infected floppy disks were distributed to attendees of the World Health Organization’s AIDS conference. Disguised as technology that could analyze a person’s risk of getting AIDS, the floppy disks were used to infect the computers, hiding directories and encrypting the names of all files on the C drive. Victims were greeted with a cryptic message asking for a payment to recover their files.
Despite the elementary technique of the 1989 ransomware attack, the software used and the relative success paved the way for a long road of cyber-crime.
Throughout the ’90s and into the 2000s, ransomware technology developed alongside the increasingly powerful computers that became more and more mainstream in society. As businesses and civilians began purchasing computers and using them regularly, the ideation of widespread ransomware infections began to circulate throughout the criminal underworld.
Ransomware Goes Viral
In 2006, Archiveus Trojan and GPcode ransomware were developed by cyber-criminals to deploy wide-scale attacks. The ransomware was mainly distributed to victims through email and would aim to withhold information such as social security numbers and bank account information from the attacked computers.
With the technology capable of attacking a mass volume of computers, ransomware was becoming a highly lucrative business.
By the mid-2010s, ransomware had become a multi-billion dollar industry for cyber-criminals. Connecting through online forums and chat groups, hackers developed and shared open-source malware code that made it simpler to create successful ransomware attacks. And since 2016, over 4,000 ransomware attacks have occurred daily within the US.
No Signs of Slowing Down
Cybersecurity threats have become widespread in our personal lives and within the business world. Every day people are falling victim to ransomware and large corporations are investing millions to increase the efficiency of their digital security systems.
And these threats aren’t superficial in any regard. ThreatPost.com reports that the volume of ransomware incidents around the world increased 151% for the first six months of 2021 as compared with the first half of 2020. Europe, specifically, saw the highest jump in volume, spiking +234%.
The biggest reason for the continued increase in ransomware incidents is, quite simply, the profit. Steve Morgan, a cyber-security expert, believes that the rise in ransomware incidents is largely due to companies that opt to pay a ransom. “It’s the proverbial get rich scheme,” says Morgan. Paying the ransom provides hackers with more incentive to continue creating the malware and tools necessary to generate even more money from their cyber-criminal schemes.
With only 25% of business executives willing to pay between $20,000 and $50,000 to regain access to encrypted data, generating profit from their schemes is a numbers game for hackers. Given the variance and low likelihood of a payout, hackers will continue to increase the frequency of their attacks to maximize their profit.
As the internet continues to make it easier for users to learn new skills and connect with like-minded people, the prevalence of ransomware will become more and more substantial in society and business. Crime, greed, and technology can be a dangerous combination.
How Much Does a Ransomware Attack Cost?
The overall costs of ransomware can be tough to calculate as the effects of an attack are complicated. And unfortunately, paying the ransom does not always guarantee that the hackers will be cooperative in the recovery process.
According to Sophos’ The State of Ransomware 2021 report, the average cost of a ransomware attack was $1.85 million in 2021. This estimate takes into consideration a large number of factors, including hours of labor, reputational damage, and the ransoms paid.
Hours of Labor
When an attack occurs, companies will need to allocate resources, such as an IT team, to help restore backups and operating systems in an attempt to recover stolen and encrypted data. For most small to medium-sized businesses, outsourcing a team of cyber-security IT experts will often be necessary.
Other areas of business, such as marketing and human resources, can also be affected. A marketing team may have to focus energy towards maintaining positive public sentiment, while an HR team may be bombarded with questions and concerns from their staff.
Reputational Damage
The protection of customer and patient information is paramount for businesses in today’s world. However, as most ransomware is designed to retrieve personal information such as a home address and medical records, a company affected by ransomware will incur major reputational damage. Current and potential customers and patients will be skeptical of doing business with a company that has been hit with a network breach, fearing poor security systems and negligent staff members.
Ransoms Paid
Despite the FBI’s recommendation not to pay hackers their ransom, many businesses do end up paying the high costs as a means of recovering their stolen data and minimizing the impact of the incident. In 2021, the average ransomware payment was $570,000, an amount that would financially cripple most companies.
Biggest Ransomware Attacks of 2021
Hackers do not discriminate much when it comes to the targeting of their attacks, though certain industries are particularly appetizing for cybercriminals. These industries include the education sector, information technology, health care, and retail. With a desire for hackers to steal personal information from customers and patients, these industries are at a particularly high risk of ransomware attacks.
Buffalo Public Schools
The information of thousands of students, including their gender and race, was the target of a March 12th ransomware attack on the Buffalo Public Schools. Upon detection, the schools involved were forced to shut down as the school board hired a security team and requested support from the FBI to investigate and respond to the incident. Although the school board refused to pay the ransom, the response to and recovery from the incident has cost nearly $10 million.
Colonial Pipeline
In May of 2021, a group of hackers deployed the DarkSide ransomware strain that was responsible for the disruption of the Colonial Pipeline, America’s largest pipeline of refined products. The impact of the ransomware attack was felt immediately as gas prices soared above $3 for the first time in seven years. The pipeline operator immediately paid the hackers their $5 million ransom to minimize the impact and resume their operations.
DarkSide is a new ransomware variant, associated with the DarkSide hacker group, that operates as ransomware-as-a-service (RaaS).
Ireland’s Health Service Executive
The Health Service Executive, which is the publicly funded healthcare system in Ireland, was attacked in May by a variant of Conti ransomware. The incident forced the HSE to shut down all of its IT systems, causing a great disturbance for the country and those relying on the HSE for health services.
The attackers have demanded a whopping $20 million in Bitcoin as ransom, a sum that the HSE and Ireland have thus far refused to pay.
Dairy Farm
A Pan-Asian retail giant, Dairy Farm, was the victim of a sophisticated ransomware attack carried out by the cyber-criminal group REvil. Dairy Farm, which operates a wide range of retail outlets including grocery and convenience stores, had its network compromised and its devices encrypted in the attack, which occurred in January of 2021.
The REvil group has demanded $30 million as a ransom for decrypting the stolen data and not leaking business information on the dark web.
How to Prevent and Remove Ransomware
There are many challenges and variables involved in the recovery process of each ransomware situation, making each case uniquely difficult to manage. Fortunately for companies, there are proven systems and solutions to help stop ransomware from happening in the first place.
Staff Training
Any worker who uses a computer and the internet is susceptible to the threat of ransomware and could put their company at risk. And as we know, ransomware may come in many different forms, so training employees on what to look out for when on their computers will be an important first step to prevention.
Considering that phishing is one of the most commonly used methods to deliver malware, employees should be able to identify potentially harmful emails. Understanding what a phishing scam email looks like will be important for employees to help prevent the success of cyberattacks.
Web Filtering
90% of IT departments surveyed by Spiceworks restrict web access to protect against malware/ransomware infections.
Preventing employees from accessing any of the millions upon millions of malicious websites that are infected with malware is a critical component of protection from ransomware.
Web filtering helps fight against ransomware attacks by proactively blocking websites that are used to execute ‘drive-by downloads’ that infect a user’s machine with the ransomware software without their knowledge.
Web filtering software allows employers to create dynamic lists of specific websites and website categories to be allowed or blocked from employee access. To apply tighter restrictions, a company can create a list of the websites that workers are allowed to access while blocking all other websites. A well-curated block list will prevent access to websites that contain ransomware.
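The two policy modes described above (a category block list with everything else allowed, versus a strict allow list with everything else blocked) as a small decision function. This is an added example, not code from the article or from any web-filtering product; the domains, categories and lists are constructed sample data.

```python
"""Web-filter policy decision: category block list vs. strict allow list.

Added example; the category map, block list and allow list below are
constructed sample data, not real threat intelligence.
"""
from urllib.parse import urlsplit

# Constructed sample data: known site -> category
CATEGORY_OF = {
    "example-news.test": "news",
    "free-gift-offers.test": "malware",      # stands in for a drive-by download site
    "torrent-hub.test": "file-sharing",
}
# Categories the policy refuses in the default (block-list) mode
BLOCKED_CATEGORIES = {"malware", "file-sharing"}
# Sites permitted in strict mode; everything else is blocked there
ALLOWED_SITES = {"intranet.example.test", "example-news.test"}


def _host(url):
    """Extract a lowercase hostname; tolerate URLs typed without a scheme."""
    parsed = urlsplit(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").rstrip(".")


def _matches(host, domain):
    """True for the domain itself and any subdomain, never for look-alikes
    such as 'notexample-news.test' matching 'example-news.test'."""
    return host == domain or host.endswith("." + domain)


def _lookup(table, host):
    """Return the list entry that covers this host, or None."""
    for domain in table:
        if _matches(host, domain):
            return domain
    return None


def decide(url, strict=False):
    """Return ('allow' | 'block', reason) for a requested URL."""
    host = _host(url)
    if not host:
        return "block", "unparseable url"
    if strict:
        # Tighter mode: only the curated allow list passes
        if _lookup(ALLOWED_SITES, host):
            return "allow", "allowlisted"
        return "block", "not on allowlist"
    # Default mode: block by category, allow unknown and harmless sites
    category = CATEGORY_OF.get(_lookup(CATEGORY_OF, host), "uncategorized")
    if category in BLOCKED_CATEGORIES:
        return "block", f"category {category}"
    return "allow", f"category {category}"
```

Note that in default mode an uncategorized site is allowed, which is exactly the gap the strict allow-list mode closes.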
Antivirus and Anti-Ransomware Software
Many different vendors offer software designed to prevent and remove ransomware. Depending on the organization’s size and threat profile, customized antivirus solutions are available to help protect the business from an attacker.
Maintain Backups
To minimize the impact of a successful security breach and ransomware infection, companies should prioritize maintaining secured backups of company data. Companies that maintain backups will not have to worry about paying the ransom to recover their data and can instead focus on identifying and improving the internal security flaws that failed the system.
A proper backup recovery from a ransomware attack can be as simple as reverting to a restore point, discovering the inciting incident, and remediating the vulnerabilities that made it possible.
Maintaining backups is easier said than done; if the only available backups are reachable from the network, they can be encrypted along with everything else.
How to Respond to a Ransomware Incident
How an organization responds to a ransomware infection will determine the impact of an incident and how long it will take to recover.
While regaining access to encrypted files is seldom possible without the decryption key, there are important steps to take in response to a ransomware attack to help reduce its effects and limit the spread of the malware.
Should Companies Pay the Ransom?
The FBI and other law enforcement or government bodies recommend never paying the ransom. Doing so often further encourages the attackers, supporting their operation with more money to fund more attacks.
Although the attackers may be motivated to maintain a reputation that they will honor their end of the deal, there is no guarantee that data can be recovered after payment. HelpNetSecurity.com writes that, in 2020, 56% of companies impacted by ransomware paid the attacker, but only 66% of those were able to recover their files.
In addition, organizations that pay ransomware demands prove that they are willing to pay, increasing risks for future attacks on their systems.
Isolate Affected Systems
To minimize the spread of malware infection throughout the network, isolating and disconnecting the machines that have been infected is very important. This should be the top priority to prevent ransomware from having a devastating effect.
Identify Patient Zero
Knowing which system on the network was the source of the ransomware infection is important in understanding how attackers gained access. Doing so will not only help to resolve the situation, but it will also help organizations to address vulnerabilities and reduce future risks.
Report to Authorities
No matter its scale, any victim of a ransomware incident should consider reporting their incident to authorities. The FBI asks all victims of ransomware to report their experience to their local FBI field office, stressing that it is important for law enforcement and local authorities to be aware of cyber-criminal activity. Affected businesses can contact the FBI’s Internet Crime Complaint Center (IC3).
In Canada, the National Cybercrime Coordination Unit (NC3) and the Canadian Anti-Fraud Centre are working on implementing a new cybercrime and fraud reporting system for Canadians and businesses.
Conclusion
Hacking will continue to be a real-world problem for businesses in 2022 and beyond. As hackers and cyber-criminal organizations profit more and more from their sophisticated schemes, the frequency at which they choose to attack will continue to rise.
For businesses, knowing how to prevent, remove, and respond to ransomware will be important for remaining resilient in this ever-evolving world of technology and the threats it brings with it.