Ransomware has become one of cybercriminals’ most muscular business models, threatening organizations of all sizes. Cybercriminals demand a ransom to regain access to stolen or encrypted data.
Cybercriminals typically launch a ransomware attack using phishing emails with malicious file attachments. However, the malware can spread through chat messages, USB drives, and compromised websites.
What is Ransomware?
Cybercriminals can deploy multiple extortion techniques to encourage victims to pay, including copying and exfiltrating data, shaming the victim on social media, or threatening additional attacks like DDoS.
So, what is ransomware? Ransomware is malware that encrypts data and extorts the victim to pay for a decryption key.
Ransomware typically gains access to a system by exploiting vulnerabilities in an application or website. Some variants are spread through phishing emails, which include malicious attachments or links to websites that host the malware. In contrast, other ransomware is spread through drive-by downloading (when a user unknowingly visits a compromised site and it downloads and executes malware).
Once ransomware has gained access to a device, it starts encrypting files. It may also delete backup and shadow copies of files, making it impossible to recover them without paying the ransom. Some ransomware variants will also display a message to the victim urging them to pay a ransom in digital currency.
More sophisticated ransomware will even use scare tactics to coerce victims into paying. For example, ransomware combines file encryption with data theft, collecting sensitive information from the victim and storing it on external drives before encrypting it. The threat is that the stolen data will be publicly exposed or sold on the dark web if the victim doesn’t pay up.
How Does Ransomware Work?
Ransomware attacks are some of the most disruptive malware businesses, and governmental organizations face. This attack type encrypts critical files and applications to deny access until the victim pays a ransom to unlock the data. Ransomware uses modern encryption algorithms that can be virtually impossible to crack.
Like most types of malware, ransomware exploits a gap in an organization’s security defenses or takes advantage of software vulnerabilities. These weaknesses can be found in the minor elements of a network, such as computers, printers, smartphones, wearables, and even point-of-sale (POS) systems.
Once an attacker gains unauthorized access to the system, ransomware will begin searching for and infecting files it can modify. Threat actors are careful only to target files that users have access to. However, more is needed to prevent a ransomware attack from affecting the entire organization.
After the malware encrypts the data, it will replace the originals with encrypted versions that can only be decrypted with a key controlled by the attacker. Many variants of this malware also take steps to erase backup or shadow copies, making a recovery more difficult for victims.
Depending on the type of ransomware, criminals may threaten to publish or publicly disclose the victim’s information or block access to specific devices in their homes or workplace. Others might demand payment of money in digital currencies.
What Can You Do to Prevent a Ransomware Attack?
The good news is that preventing a ransomware attack requires a holistic, all-hands-on-deck approach. The best practices include the following:
Ensure all devices are patched and updated, mainly operating systems and third-party applications. Cybercriminals constantly develop new malware variants that seek out unpatched vulnerabilities, so updates are essential.
Train employees to identify suspicious emails, messages, and calls requesting personal information. These are often used in phishing attacks.
If a device becomes infected, isolate it from the network, internet, and other devices as soon as possible. This will minimize the impact of a ransomware infection and reduce the chance that other devices will also be infected.
Secure all networks and devices with a firewall that monitors incoming and outgoing data based on pre-set rules and threat intelligence. Firewalls are considered the first software-based line of defense against many attacks, including ransomware.
Continuously back up all data, even to external devices, and ensure that backups are regularly tested. This will allow a business to recover from an attack without paying the demanded ransom.
Immediately report the attack to local and international authorities, such as your country’s FBI office.. This will help law enforcement to track down the culprits and bring them to justice.
What Can You Do to Recover from a Ransomware Attack?
There are many things an organization can do to recover from a ransomware attack, including using continuous data backups. This can ensure that if the attack does occur, there are valid copies of the encrypted files available for restoration.
This option can save an organization from the financial burden and stress of paying a ransom to criminals. However, it does not guarantee that the attackers will decrypt the affected files. Criminals are in the business of making money, not providing a service. They commonly deliver a decryptor that only works enough for the victim to say they followed their promise.
Isolate the infected system(s) as soon as possible and disconnect them from the network (turn off WiFi, flip the “Airplane Mode” switch on laptops). Run a full scan of all systems and external storage devices to identify and isolate compromised files. Report the attack to law enforcement and the FBI’s Internet Crime Complaint Center.
Use a continuous, defense-in-depth security solution that includes antimalware, firewalls, endpoint protection, and granular reporting and analysis. These solutions can block most ransomware attacks. It’s also a good idea to practice good cybersecurity hygiene by installing updates regularly and avoiding shady websites, and downloading apps that may appear to be legitimate but are not.