Security.com

What is ransomware? How it works and how to remove it

By Sharon Shea

Ransomware is a type of malware that locks and encrypts a victim's data, files, devices or systems, rendering them inaccessible and unusable until the attacker receives a ransom payment.

The first iterations of ransomware used only encryption to prevent victims from accessing their files and systems. Victims with regular backups, however, could simply restore their data, negating the need to pay a ransom. In turn, malicious actors began to incorporate cyber extortion tactics, using additional threats to blackmail victims into making ransom payments. Attackers also started increasingly targeting victims' backups to prevent organizations from restoring their data. Veeam's "2023 Ransomware Trends Report" found more than 93% of ransomware attacks the previous year specifically targeted backup data.

Malware is the umbrella term for any malicious software that enables unauthorized access to a user's systems. Ransomware is a subset of malware that demands payment to unlock and decrypt the data, enabling the victim to regain access.

Ransomware can be devastating to individuals, organizations and even entire municipalities or countries. Because they continue to be successful, these financially motivated attacks are becoming increasingly common. Verizon's "2023 Data Breach Investigations Report" found ransomware was involved in 24% of all breaches, and Sophos' "The State of Ransomware 2023" reported 66% of organizations experienced a ransomware attack in the past year, with 76% of those attacks resulting in data encryption.


How does ransomware work?

The ransomware lifecycle has six general stages: malware distribution and infection; command and control; discovery and lateral movement; malicious theft and file encryption; extortion; and resolution.

Stage 1: Malware distribution and infection

Before attackers can demand a ransom, they must infiltrate their victims' systems and infect them with malware. The most common ransomware attack vectors are phishing, Remote Desktop Protocol (RDP) and credential abuse, and exploitable software vulnerabilities:

Stage 2: Command and control

A command-and-control (C&C) server set up and operated by the ransomware attackers sends encryption keys to the target system, installs additional malware and facilitates other stages of the ransomware lifecycle.

Stage 3: Discovery and lateral movement

This two-step stage involves attackers first gathering information about the victim network to help them better understand how to launch a successful attack, and then spreading the infection to other devices and elevating their access privileges to seek out valuable data.

Stage 4: Malicious theft and file encryption

In this stage, attackers exfiltrate data to the C&C server to use in extortion attacks down the line. Attackers then encrypt the data and systems using the keys sent from their C&C server.

Stage 5: Extortion

The attackers demand a ransom payment. The organization now knows it is a victim of a ransomware attack.

Stage 6: Resolution

The victim organization must go into action to address and recover from the attack. This could involve restoring backups, implementing a ransomware recovery plan, paying the ransom, negotiating with attackers or rebuilding systems from the ground up.

What are the different types of ransomware?

Ransomware is defined and categorized by how it is delivered and what it impacts. Delivery includes ransomware as a service (RaaS), automated delivery (not as a service) and human-operated delivery. The impact could be data unavailability, data destruction, data deletion, and data exfiltration and extortion.

The following terms further describe the different types of ransomware:

What are the effects of ransomware on businesses?

Depending on the attack's sophistication, the attacker's motivation and the victim's defenses, the consequences of ransomware can range from minor inconvenience to expensive and painful recovery to complete devastation.

When people hear, "We've been hit with ransomware," their minds usually turn to the amount of the ransom demand. The Sophos survey found the average ransomware payment in 2023 was $1.54 million, up from $812,380 the previous year.

Should an organization pay the ransom?

Cybersecurity experts and government authorities discourage individuals and organizations from paying ransoms. Some businesses choose to pay, however, often in hope of recovering and regaining access to their sensitive data faster. Experts argue that paying ransoms encourages attackers, puts targets on victims' backs for future attacks and can cause future legal issues. Plus, paying a ransom is never a guarantee that attackers will return the victim's data -- or that they won't use it in extortion attacks in the future.


For victims that choose to pay, ransomware negotiation services can sometimes help reduce the ransom amount. These specialized third-party brokers act as intermediaries between attackers and victims. They are better equipped to handle negotiations because they are well versed in ransomware groups and their demands.


The total cost of a ransomware attack, however, far exceeds the ransom price tag. IBM's "Cost of a Data Breach Report 2023" found the average dollar amount attached to a ransomware attack was $5.13 million, an increase of 13% over the previous year -- and that doesn't even include the cost of the ransom payment.

The difference can be attributed to multiple factors, including the following:

Ransomware can also have the following effects:

Cyber insurance could help lessen the financial burden of a ransomware attack. Cyber insurance services generally offer pre-breach services -- such as training, vulnerability scanning and tabletop exercises -- as well as post-breach services, including data recovery efforts and breach investigation assistance. Some cyber insurance services will also work with negotiation services to try to lower ransom payment amounts.

Finding cyber insurance coverage isn't always easy, however. The onslaught of ransomware attacks over the past five years has led to huge losses for cyber insurers, resulting in premium hikes or even denial of coverage for customers.


Research has shown that reporting a breach to law enforcement could lessen the cost of a ransomware incident. IBM's survey found the average cost of a ransomware breach was $5.11 million when law enforcement was not involved, as opposed to $4.64 million when law enforcement was involved.

Decision-makers should discuss whether to report a breach to law enforcement. Security experts and law enforcement recommend any organization affected by ransomware notify the authorities -- such as CISA, the Internet Crime Complaint Center or the organization's local FBI field office. Some organizations are legally required to report ransomware attacks. Public organizations, for example, must report cyber attacks within four business days, per new regulations announced by the Securities and Exchange Commission. In some cases, cyber insurers might not issue payments to victims if they have not notified a federal agency.

Along with deciding whether to report a breach, decision-makers must discuss whether to disclose the attack to the public. No national ransomware attack notification law exists for private companies, but if attacks involve personally identifiable information, organizations must notify the individuals affected.


Common ransomware targets

While certain industries, such as critical infrastructure, education and healthcare, tend to make the headlines when they become ransomware victims, it is important to note that no organization -- regardless of size or industry -- is immune to ransomware attacks.

That said, the Sophos report listed the following as the top 13 ransomware targets by sector:

  1. Education.
  2. Construction and property.
  3. Central and federal government.
  4. Media, entertainment and leisure.
  5. Local and state government.
  6. Retail.
  7. Energy and utilities infrastructure.
  8. Distribution and transport.
  9. Financial services.
  10. Business, professional and legal services.
  11. Healthcare.
  12. Manufacturing and production.
  13. IT, technology and telecom.


History of ransomware and famous ransomware attacks

Ransomware has bedeviled organizations and individuals for more than three decades, with the first known ransomware campaign reaching its victims via snail mail in 1989. Harvard-educated biologist Joseph L. Popp, now regarded as the "father of ransomware," sent infected floppy disks to 20,000 people who had recently attended a World Health Organization AIDS conference.

Popp's malware became known as the AIDS Trojan. Upon insertion into a victim's computer, the disk -- which appeared to contain a medical research questionnaire but actually harbored malicious code -- encrypted the system and instructed the victim to mail $189 to a P.O. box in Panama. IT experts soon found a decryption key, but the incident marked the beginning of a new cybercriminal era.

Despite Popp's early efforts, ransomware wouldn't come to mainstream prominence until the 2000s, when internet use soared. Early variants, such as GPCode and Archievus, eventually gave way to more sophisticated strains. Several new types of ransomware and ransomware delivery models emerged in the early 2010s, including locker ransomware, such as WinLock in 2011; RaaS, such as Reveton in 2012; and crypto ransomware, such as CryptoLocker in 2013.

The birth of cryptocurrency in 2009 marked another pivotal moment in the history of ransomware, as it gave threat actors an easy and anonymous way to collect payments. In 2012, Reveton became one of the first ransomware campaigns in which the attackers demanded victims pay ransoms in bitcoin.

WannaCry ups the ante

In 2017, hundreds of thousands of computers running Microsoft Windows fell victim to a new ransomware variant, the notorious WannaCry cryptoworm, in one of the biggest ransomware attacks of all time. The threat actors targeted organizations across 150 countries, including major banks, law enforcement agencies, healthcare organizations and telecommunications firms. WannaCry arguably marked the beginning of a new chapter in ransomware, in which attacks became larger, more lucrative, more destructive and more widespread.

As a worm, WannaCry is able to self-replicate, moving laterally to automatically infect other devices on a network without human assistance. The malware uses the EternalBlue exploit, originally developed by the National Security Agency and leaked by Shadow Brokers hackers, which takes advantage of a vulnerability in Microsoft's implementation of the SMB protocol. Although Microsoft released a software update fixing the vulnerability before the attacks, unpatched systems continue to fall prey to WannaCry infections to this day.

Shortly after the WannaCry attacks began, NotPetya -- a variant of Petya ransomware, which had emerged a year earlier -- started making headlines. Like WannaCry, NotPetya takes advantage of the EternalBlue exploit. As wiperware, however, it destroys victims' files after encrypting them -- even if victims meet the ransom demands.

NotPetya caused an estimated $10 billion in losses worldwide. One of the highest-profile targets, Danish shipping and logistics giant A.P. Moller-Maersk, lost around $300 million in the incident. The CIA has attributed the ransomware attack to a Russian military espionage agency, and according to cybersecurity vendor ESET, around 80% of NotPetya's targets were in Ukraine.

In 2018, another notorious ransomware variant, Ryuk, became one of the first to encrypt network drives and resources and disable Windows System Restore. Ryuk made it virtually impossible for victims to recover their data if they didn't have rollback tools or offline backups already in place, unless they paid the ransoms.

Recent ransomware trends

So-called big game hunting, in which ransomware operators target large organizations with deep pockets, has exploded in recent years. High-profile ransomware victims and high-impact ransomware attacks have included Colonial Pipeline, JBS USA, the government of Costa Rica, Ireland's national health service, Travelex, CNA Financial and many more.

The late 2010s also saw the rise of new forms of ransomware, including double extortion and triple extortion ransomware. RaaS also continues to grow in popularity and sophistication, making it possible for threat actors with limited technical abilities and resources to become ransomware operators. In 2021, for example, ransomware attributed to the REvil gang's RaaS operation hit managed service provider Kaseya, in one of the largest ransomware episodes ever. More than 1 million devices became infected.

How to prevent ransomware attacks

Ransomware prevention is a huge challenge for organizations of all types and sizes, with no magic-bullet remedy. Experts say enterprises need a multi-pronged ransomware prevention strategy that includes the following:

How to detect attacks

Even organizations that follow ransomware prevention best practices will inevitably fall victim to attacks. In fact, many experts say companies should consider it not a question of if but when.

If security teams can detect a ransomware attack in its early stages, however, they might be able to isolate and remove malicious actors before they have time to find, encrypt and exfiltrate sensitive data.

An important first line of defense is antimalware tools that can recognize known ransomware variants based on their digital signatures. Some offerings, such as XDR and SIEM platforms, also scan for behavioral anomalies to catch novel and otherwise unrecognizable ransomware strains. Possible indicators of compromise include abnormal file executions, network traffic and API calls -- any of which could point to an active ransomware attack.

Some organizations use deception-based detection to flush out adversaries, baiting them with fake IT assets that act as tripwires to alert security teams to their presence. While cyber decoys require considerable resources to deploy and maintain, they have exceptionally low false-positive rates, making them valuable weapons in the fight against ransomware.
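As an added illustration of the behavioral and deception-based detection described above (example code written for this page, not code from the article or from any vendor product), the following toy detector runs two rules over constructed file-activity events: a mass-rename burst by one process, and any modification under a decoy directory that acts as a tripwire. The decoy path, process names, thresholds and the event line format are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime
# Constructed decoy (canary) directories: no legitimate user or job modifies
# these, so any write/rename/delete under them is a tripwire hit.
DECOY_PREFIXES = ("C:/Users/alice/Documents/_old_invoices/",)
BURST_THRESHOLD = 5    # distinct files renamed by one process ...
BURST_WINDOW_SEC = 60  # ... within this many seconds raises an alert
# Constructed sample events, one per line: timestamp process action path
SAMPLE_EVENTS = """\
2023-10-04T09:00:01 winword.exe write C:/Users/alice/Documents/report.docx
2023-10-04T09:00:05 explorer.exe read C:/Users/alice/Documents/_old_invoices/inv_2019.pdf
2023-10-04T09:15:00 updater.exe rename C:/Users/alice/Documents/report.docx
2023-10-04T09:15:01 updater.exe rename C:/Users/alice/Documents/budget.xlsx
2023-10-04T09:15:02 updater.exe rename C:/Users/alice/Documents/plan.pptx
2023-10-04T09:15:02 updater.exe rename C:/Users/alice/Pictures/holiday.jpg
2023-10-04T09:15:03 updater.exe rename C:/Users/alice/Pictures/family.jpg
2023-10-04T09:15:04 updater.exe write C:/Users/alice/Documents/_old_invoices/inv_2019.pdf
"""

def parse_events(text):
    """Parse 'timestamp process action path' lines into (datetime, proc, action, path)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, proc, action, path = line.split(maxsplit=3)
            events.append((datetime.fromisoformat(ts), proc, action, path))
    return events

def detect(events):
    """Return (rule, process, detail) alerts; each rule fires at most once per process."""
    alerts, flagged = [], set()
    renames = defaultdict(deque)  # process -> (time, path) renames inside the window
    for ts, proc, action, path in events:
        # Rule 1: decoy tripwire; reads are ignored (backup/indexing tools read everything).
        if action != "read" and path.startswith(DECOY_PREFIXES):
            if ("decoy_touched", proc) not in flagged:
                flagged.add(("decoy_touched", proc))
                alerts.append(("decoy_touched", proc, path))
        # Rule 2: many distinct files renamed by one process in a short window.
        if action == "rename":
            window = renames[proc]
            window.append((ts, path))
            while (ts - window[0][0]).total_seconds() > BURST_WINDOW_SEC:
                window.popleft()
            distinct = len({p for _, p in window})
            if distinct >= BURST_THRESHOLD and ("rename_burst", proc) not in flagged:
                flagged.add(("rename_burst", proc))
                alerts.append(("rename_burst", proc, f"{distinct} files in {BURST_WINDOW_SEC}s"))
    return alerts
```

On the sample data, the renaming process trips the burst rule on its fifth file and the decoy rule on its write to the canary directory, while the ordinary read of the decoy file by explorer.exe raises nothing.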

How to remove ransomware

Any credible suggestion that a ransomware intrusion is underway should automatically trigger the first step of a ransomware incident response plan: validation of the attack. If the security team confirms the incident is indeed a ransomware attack, it can then proceed to the following steps:


04 Oct 2023
