
What is ransomware? Understanding and defending against attacks

As a growing concern, ransomware continues to evolve in complexity, finding new ways to damage individuals, reputations and the bottom line. To safeguard your organisation against ransomware attacks, it’s crucial to adopt a multi-faceted approach that combines proactive measures, robust defences and effective incident response strategies. 
In this blog, we take you through what ransomware is – including types of attacks and examples – and how you can defend against them.   

What is ransomware? 

Ransomware is a type of malware (malicious software) that encrypts an organisation’s data and/or devices, demanding a payment in order to restore access to those assets. 

Typically, the threat actor demands a ransom in exchange for a decryption key, theoretically unlocking access to information and systems once the extortion payment has been received. This form of cybercrime can cause severe disruptions, leading to loss of critical data, operational downtime, and significant financial costs. 

How does ransomware work? 

Ransomware works by infiltrating a victim’s system, often through phishing emails, malicious attachments or compromised websites, or by logging in to exposed remote-access services such as RDP and VPN gateways with stolen, weak or reused credentials. Once inside, the ransomware encrypts the victim’s files, rendering them inaccessible. The attacker then demands a ransom, usually in cryptocurrency, in exchange for a decryption key that can unlock the files. 

The process typically involves several stages: 

Initial infection 

The ransomware is delivered via email, an infected website or a malicious link, or the attacker gains a foothold through an exposed service or a stolen credential. Unsuspecting users click on these links or open attachments, allowing the malware to infiltrate the system. In human-operated attacks there is usually a gap of days or weeks between the initial foothold and the encryption, during which the attacker escalates privileges, spreads across the network and exfiltrates data. 

Execution and encryption 

Once executed, the ransomware begins encrypting files on the system. It may also seek out network shares and other connected devices to maximise its impact, and many strains delete volume shadow copies and any reachable backups first so that recovery without the key is harder. Modern ransomware typically encrypts each file with a fresh symmetric key and wraps that key with the attacker’s public key, so the files cannot be recovered without the private key held by the attacker. 

Ransom demand 

The attacker then displays a ransom note on the victim’s screen, detailing the amount demanded and the payment method, typically involving cryptocurrencies like Bitcoin because payments are hard to trace back to a person (Bitcoin is pseudonymous rather than truly anonymous, but that is enough for the attacker’s purposes). The note often includes threats to delete or publish sensitive data if the ransom is not paid within a specified timeframe. 

Decryption key 

Upon receiving the ransom payment, the attacker may, or may not, provide a decryption key that can unlock the encrypted files. There have been instances where victims paid the ransom but did not receive the promised key. 

Most groups now practise ‘double extortion’: they exfiltrate data before encrypting it, so that even a victim who can restore from backup still faces the threat that the data will be published on a leak site on the open web or sold to other criminals if the ransom is not paid. Some go further, threatening to expand their foothold in the victim’s IT infrastructure, launching denial-of-service attacks, or contacting the victim’s customers and partners directly. 

Types of ransomware attacks and techniques 

There are many different ways in which ransomware can find its way onto systems, coupled with coercion and extortion techniques that contribute to its high profitability. 

  • Phishing/social engineering: Attackers use deceptive emails, messages or websites to trick users into clicking on malicious links or downloading infected attachments. Social engineering techniques manipulate individuals into revealing sensitive information or executing actions that facilitate ransomware installation. 
  • Web drive-by/malicious ads: Cyber criminals compromise legitimate websites or place malicious adverts that redirect visitors to an exploit kit. A drive-by attack exploits vulnerabilities in the browser or its plugins, so the malware can be delivered without any user interaction beyond visiting the page. 
  • Trojanised business or open-source software: Attackers bundle ransomware, or the loader that later fetches it, with legitimate software packages, exploiting the trust users place in well-known applications. Trojanised software, often distributed through unofficial download sites or poisoned search results, can lead to the inadvertent installation of ransomware on systems. 
  • Infrastructure vulnerabilities (n-days and zero days): Unpatched flaws in internet-facing systems such as VPN appliances, remote-access gateways and file-transfer servers are among the most common entry points. Most are ‘n-day’ vulnerabilities for which a fix already existed but was not applied in time; a true zero day, a flaw exploited before any patch is available, is rarer and tends to be used by the better-resourced groups. 

Ransomware attack examples 

Several high-profile ransomware attacks have made headlines in recent years, including: 

  • WannaCry: In 2017, this self-propagating ransomware targeted Windows systems, causing widespread disruption across various sectors, including healthcare (notably the NHS in the UK), transportation and telecommunications. It spread as a worm using the EternalBlue exploit for a flaw in SMBv1 that Microsoft had patched two months earlier (MS17-010), encrypting files and demanding payment in Bitcoin. Its reach was as much a patch-management failure as a malware success. 
  • NotPetya: Also in 2017, this attack was seeded through a compromised update of the Ukrainian accounting package M.E.Doc and then spread inside networks using the same SMB exploit as WannaCry together with credentials harvested from memory. Unlike typical ransomware, NotPetya aimed to cause maximum disruption rather than to extort: its encryption could not be reversed even after payment, making it effectively a wiper. It caused significant financial and operational damage to major corporations and infrastructure across the globe. 
  • Conti: A ransomware-as-a-service group, active from 2020 until 2022, known for human-operated attacks and a sophisticated double-extortion strategy. Conti targeted large organisations, using hands-on-keyboard techniques to infiltrate networks and maximise the impact of its attacks. Its operations affected various sectors, including healthcare, education and critical infrastructure. 

Why businesses should care about ransomware 

Ransomware poses a significant threat to your business due to its potential to cause financial loss, operational disruption, reputational damage, and legal complications. 

The increasing sophistication of ransomware attacks necessitates robust security measures to protect sensitive data and maintain business continuity. You should prioritise ransomware prevention and response strategies to mitigate the risks and ensure resilience against such threats. 

How to prevent ransomware 

Preventing ransomware requires a multi-faceted approach combining proactive measures, robust defences and effective incident response strategies: 

Backup and recovery 

Regularly back up critical data and systems. Keep at least one copy offline or on immutable storage that cannot be altered with the credentials an attacker would gain by compromising your domain, isolate backups from the production network, and regularly test restores rather than only the backup jobs. 

Implement versioning in backups to allow the restoration of unencrypted files from different points in time. 

Create a detailed recovery plan that includes steps for data restoration and system recovery. 
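The versioning and restore-testing points above, as an added example that is not Advania’s own tooling: a small append-only backup store that keeps every generation of a file with a SHA-256 digest, then walks through the scenario the page describes (a file is overwritten the way an encryptor would, the damaged copy is backed up too, and the earlier clean generation is restored and verified). The store layout, the generation numbering and the sample file content are assumptions made for the demonstration.

```python
"""Versioned backup with integrity-checked point-in-time restore.

Added example, not Advania's own tooling. Every backup run keeps a new copy
of each file plus a SHA-256 digest, so a version taken before an encryption
event can be restored and verified. Paths, generation numbers and the sample
file content are constructed for this demonstration.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


class VersionedBackup:
    """Append-only store: a backed-up file is never overwritten, each run adds a generation."""

    def __init__(self, store: Path):
        self.store = store
        self.store.mkdir(parents=True, exist_ok=True)
        self.index_path = self.store / "index.json"
        self.index = json.loads(self.index_path.read_text()) if self.index_path.exists() else {}

    def backup(self, src: Path, generation: int) -> str:
        """Copy src into the store under a new generation and record its digest."""
        digest = sha256_of(src)
        dest = self.store / f"{src.name}.g{generation}"
        shutil.copy2(src, dest)
        self.index.setdefault(src.name, []).append(
            {"generation": generation, "path": str(dest), "sha256": digest}
        )
        self.index_path.write_text(json.dumps(self.index))
        return digest

    def generations(self, name: str) -> list[int]:
        return [v["generation"] for v in self.index.get(name, [])]

    def restore(self, name: str, generation: int, dest: Path) -> bool:
        """Restore one generation; refuse (return False) if the stored copy fails its digest check."""
        for v in self.index.get(name, []):
            if v["generation"] == generation:
                stored = Path(v["path"])
                if sha256_of(stored) != v["sha256"]:
                    return False  # stored copy corrupted or tampered with: do not trust it
                shutil.copy2(stored, dest)
                return True
        raise KeyError(f"no generation {generation} recorded for {name}")


def demo() -> dict:
    """Back up a file, overwrite it the way an encryptor would, then roll back and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        doc = root / "ledger.csv"
        doc.write_text("account,balance\nops,1200\n")  # constructed sample content
        bk = VersionedBackup(root / "store")
        clean_digest = bk.backup(doc, generation=1)

        doc.write_bytes(os.urandom(64))   # stand-in for the file after encryption
        bk.backup(doc, generation=2)      # the bad version is kept alongside, not merged over the good one

        restored = bk.restore("ledger.csv", 1, doc)
        result = {
            "generations": bk.generations("ledger.csv"),
            "restored": restored,
            "digest_matches": sha256_of(doc) == clean_digest,
            "content": doc.read_text(),
        }

        # Integrity check: if the stored copy itself is altered, restore must refuse it.
        Path(bk.index["ledger.csv"][0]["path"]).write_bytes(b"altered")
        result["tamper_refused"] = not bk.restore("ledger.csv", 1, doc)
        return result


if __name__ == "__main__":
    print(demo())
```

The digest check is what makes the restore test meaningful: a backup that has been silently corrupted, or that the attacker reached and modified, is refused rather than restored over the last good copy.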

Patch management 

Keep software, operating systems, and applications up to date with the latest security patches. Many ransomware attacks exploit known vulnerabilities that could have been patched. 

Prioritise vulnerabilities that are actively being exploited in the wild by threat actors as part of your overall approach to vulnerability management. Public sources such as CISA’s Known Exploited Vulnerabilities catalogue list these, and an exploited flaw on an internet-facing system should outrank a higher CVSS score on an internal one. 
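The prioritisation rule above, as an added example rather than Advania’s own process: findings are tiered so that a flaw known to be exploited in the wild on an exposed host is fixed first, regardless of its CVSS score, and each tier carries a remediation SLA. The findings, the identifiers (deliberately not CVE-style, they are placeholders) and the SLA values are constructed assumptions; in practice the exploited set would be loaded from a feed such as the CISA catalogue.

```python
"""Patch prioritisation that puts actively exploited flaws first.

Added example, not Advania's process. The findings and the set of exploited
identifiers are constructed placeholders (not real CVEs); in practice the
exploited set would be loaded from a feed such as CISA's Known Exploited
Vulnerabilities catalogue, and the SLA values are assumptions to be tuned.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed remediation SLAs in days, keyed by tier.
SLA_DAYS = {"P1": 2, "P2": 14, "P3": 30, "P4": 90}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    cvss: float
    internet_facing: bool
    patch_available: bool


def tier(f: Finding, exploited: set[str]) -> str:
    """Exploited-in-the-wild on an exposed host outranks raw CVSS every time."""
    if f.vuln_id in exploited:
        return "P1" if f.internet_facing else "P2"
    if f.internet_facing and f.cvss >= 7.0:
        return "P2"
    if f.cvss >= 7.0:
        return "P3"
    return "P4"


def plan(findings: list[Finding], exploited: set[str]) -> list[dict]:
    """Return findings ordered by tier, then CVSS, each with its SLA and the action to take."""
    order = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}
    ranked = sorted(findings, key=lambda f: (order[tier(f, exploited)], -f.cvss))
    out = []
    for f in ranked:
        t = tier(f, exploited)
        # No vendor fix yet: the runbook answer is to mitigate (isolate or disable), not to wait.
        action = "patch" if f.patch_available else "mitigate (isolate/disable) until a patch exists"
        out.append({"host": f.host, "vuln": f.vuln_id, "tier": t,
                    "sla_days": SLA_DAYS[t], "action": action})
    return out


# Constructed inventory for the demonstration.
FINDINGS = [
    Finding("vpn-gw-01", "VULN-A", 9.8, internet_facing=True, patch_available=True),
    Finding("vpn-gw-01", "VULN-B", 6.5, internet_facing=True, patch_available=True),
    Finding("file-srv-07", "VULN-C", 8.8, internet_facing=False, patch_available=True),
    Finding("hr-laptop-22", "VULN-D", 7.5, internet_facing=False, patch_available=False),
    Finding("db-03", "VULN-E", 9.1, internet_facing=False, patch_available=True),
]
# Constructed: the entries that appear in the exploited-in-the-wild feed.
EXPLOITED = {"VULN-B", "VULN-D"}


if __name__ == "__main__":
    for item in plan(FINDINGS, EXPLOITED):
        print(item)
```

Note how the medium-severity VULN-B on the VPN gateway lands at the top of the list ahead of the 9.8-rated VULN-A on the same box: a CVSS-only queue would have ordered them the other way round, which is exactly the gap the paragraph warns about.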

User training and awareness 

Frequently educate employees about the risks of phishing emails and other social engineering tactics that ransomware attackers often use. 

Encourage users to exercise caution when clicking on links or downloading email attachments. 

Email security 

Implement robust email security solutions that can detect and quarantine phishing emails and malicious attachments. 

Use advanced email filtering to reduce the chances of users encountering malicious links or attachments. 

Ensure you have appropriate incident runbooks in place in the event sophisticated phishing emails do get through and are acted on by end users. 

Network segmentation 

Segment your network to limit lateral movement for attackers in case of a breach. Isolating critical systems can prevent the spread of ransomware. 

Where possible, adopt a zero-trust approach to network security, not trusting any network location or segment by design until verified on each interaction. 

Endpoint security 

Deploy advanced endpoint security solutions that can detect and block ransomware before it can execute on endpoints. 

Regularly update and configure endpoint security software to maximise its effectiveness. 

Ensure you have appropriate incident runbooks in place for the case where novel or sophisticated ransomware techniques bypass the automated blocking in your endpoint security solution. 

Augment or replace signature-based anti-malware with endpoint detection and response (EDR), which records process, file and network activity so that behaviour such as mass file renaming or shadow-copy deletion can be detected and investigated even when no signature matched. 

Access control 

Limit user privileges and access to only what is necessary to perform their job, and protect every remote-access and administrative login with multi-factor authentication, since stolen credentials are a common first step in ransomware intrusions. 

Implement the principle of least privilege to minimise the attack surface. 

Review privileges regularly to ensure they remain minimised over time. 

Incident response plan 

Develop a well-defined incident response plan that includes ransomware-specific procedures. 

Ensure all relevant stakeholders understand their roles and responsibilities during a ransomware incident. 

Ransom payment policy 

Create a clear policy regarding the payment of ransoms before an incident, not during one. Avoid paying ransoms whenever possible: there is no guarantee of receiving a working decryption key, and where the group is subject to sanctions, paying may itself be unlawful. 

Threat intelligence 

Stay informed about the latest ransomware threats and attack techniques through threat intelligence feeds. 

Use this information to fine-tune your defences and incident response procedures. 

Security audits and penetration testing 

Regularly audit your security posture and conduct penetration testing to identify vulnerabilities that could be exploited by ransomware. 

Data encryption 

Encrypt sensitive data both at rest and in transit. This limits the value of data stolen for double extortion, but note that it does not stop an attacker who has gained access from encrypting it again or deleting it. 

Collaboration with law enforcement 

Establish relationships with law enforcement agencies to report ransomware incidents and potentially receive assistance in tracking and apprehending attackers. 

Regular tabletop exercises 

Conduct ransomware-specific tabletop exercises to simulate real-world scenarios and test the effectiveness of your incident response plan. 

Ransomware attack: should you pay? 

What if the worst happens, and your organisation falls victim to a ransomware cyber attack? It may seem worth the financial loss to pay whatever it costs to get your data back. Should you? 

International law enforcement agencies – along with cyber security specialists such as our teams at Advania – do not encourage, endorse or condone the payment of ransom demands. Doing so only encourages attackers to continue with their threats against other organisations and funds the next round of attacks. 

There are many reasons why you shouldn’t cave into the attacker’s demands. If you pay an attacker’s ransom, then: 

  • there is no guarantee that you will get access to your data 
  • your systems will still be compromised, as paying does nothing to remove the attacker’s access 
  • you’re paying money to criminal groups 
  • you’re more likely to be targeted in the future 

If you don’t pay, the attackers will keep up the pressure. You should counter this by making sure you have the measures in place to minimise the impact of a data loss, such as maintaining recent offline backups of your most important files and data. 

What to do in case of a ransomware attack 

It’s essential to respond swiftly and effectively if a ransomware attack occurs in your organisation. Here are a few steps we recommend you should follow. 

  • Isolate affected systems: As soon as the attack is detected, isolate affected systems to prevent further spread. 
  • Notify relevant stakeholders: Alert your incident response team, executive leadership, and legal counsel. 
  • Assess the extent of damage: Determine the extent of the damage and whether data has been exfiltrated. 
  • Contact law enforcement: If required, contact law enforcement to report the incident and seek their guidance. 
  • Invoke your incident response plan: Follow your well-defined incident response plan to contain the attack, recover data, and restore operations. 
  • Communicate transparently: Keep stakeholders, including employees and customers, informed about the situation and the steps being taken to resolve it. 
  • Forensic analysis: After the incident is resolved, conduct a forensic analysis to understand how the attack occurred and prevent future occurrences. 

What does the law say about ransomware? 

Ransomware attacks can lead to legal and compliance problems, potentially resulting in fines and legal action. Under the UK GDPR, a personal data breach must be reported to the Information Commissioner’s Office within 72 hours of becoming aware of it, and the ICO can impose significant financial penalties where a breach results from a failure to implement appropriate security measures. Understanding the legal landscape and adhering to regulations is essential for minimising legal risks and ensuring compliance. 

Is there insurance against ransomware attacks? 

Cyber insurance can help cover some of the costs associated with ransomware attacks, providing you meet the requirements of the underwriter.  

Insurers can also connect you to expertise such as public relations firms to manage fallout. However, cyber insurance policies vary, and it’s crucial to review coverage details and ensure that the policy addresses ransomware-specific risks. 

How does AI change ransomware? 

AI lowers the cost of the attacker’s groundwork: it can draft convincing, well-targeted phishing lures at scale, help automate the discovery of vulnerable systems and tune extortion strategies to each victim. Conversely, AI also aids defence, enabling advanced detection and response capabilities. AI-assisted security solutions can analyse large volumes of telemetry, identify anomalous patterns such as a sudden burst of file modifications, and respond in near real time, improving overall cyber security resilience. 

At Advania, we have a depth of expertise in helping organisations take the right action to plan their strategies for mitigating the risks of cyber attacks.

Get in touch with our cyber security experts to find out what you can do when defending against ransomware threats.  

What happens if you get ransomware?

If you get ransomware, your files will be encrypted, and you will be unable to access them. The attacker will demand a ransom in exchange for a decryption key. It is crucial to follow incident response procedures and avoid paying the ransom, focusing on recovery efforts and engaging with authorities.

Can ransomware be removed?

Yes, ransomware can be removed, but removing it does not guarantee the retrieval of encrypted files. It is crucial to have backups in place. Specialised tools and professional assistance can help eliminate ransomware and restore systems, but prevention and preparedness are key to minimising impact.

What are the symptoms of ransomware?

The most indicative symptom of ransomware is the sudden inability to access files, accompanied by a ransom note demanding payment. Other signs may include unusual system behaviour, files renamed with unfamiliar extensions, file contents that have turned to random-looking data, and blocked access to applications.
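The symptoms listed here, and the encryption stage described earlier in the post, as an added example that is not Advania’s tooling: a scanner that walks a directory tree and combines three on-disk signals (content whose Shannon entropy is close to the 8 bits per byte of encrypted data, a suspicious appended extension, and a ransom-note-style filename). The extension list, the note-name hints, the entropy threshold and the sample files are all constructed assumptions for the demonstration; a real deployment would take the lists from threat intelligence and tune the threshold against its own file types.

```python
"""Scan a directory tree for the on-disk symptoms of a ransomware run.

Added example, not Advania's tooling. Three signals are combined: content that
is near-random (Shannon entropy approaching 8 bits per byte, as encrypted data
is), a suspicious appended extension, and a ransom-note-style filename. The
extension list, note-name hints, threshold and sample files are constructed
for this demonstration and would be tuned from threat intelligence.
"""
from __future__ import annotations

import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}                  # assumed list
NOTE_HINTS = ("decrypt", "restore_files", "how_to_recover", "readme_to")       # assumed list
NOTE_TYPES = {".txt", ".html", ".hta"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; prose is ~4-5, encrypted or compressed data ~8
SAMPLE_BYTES = 65536      # only the head of each file is scored, to keep the scan cheap


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> list[str]:
    """Return the signals that fire for one file (empty list = nothing suspicious)."""
    reasons = []
    name = path.name.lower()
    if path.suffix.lower() in SUSPICIOUS_EXTENSIONS:
        reasons.append("suspicious extension")
    if path.suffix.lower() in NOTE_TYPES and any(h in name for h in NOTE_HINTS):
        reasons.append("ransom-note-like name")
    try:
        head = path.read_bytes()[:SAMPLE_BYTES]
    except OSError:
        return reasons
    # Tiny files give unreliable entropy estimates, so only score a meaningful sample.
    if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        reasons.append("high entropy content")
    return reasons


def scan(root: Path) -> dict[str, list[str]]:
    hits: dict[str, list[str]] = {}
    for p in root.rglob("*"):
        if p.is_file():
            reasons = classify(p)
            if reasons:
                hits[str(p.relative_to(root))] = reasons
    return hits


def verdict(hits: dict[str, list[str]]) -> bool:
    """High entropy alone is weak evidence (compressed media has it too); require corroboration."""
    note_present = any("ransom-note-like name" in r for r in hits.values())
    corroborated = any(len(r) >= 2 for r in hits.values())
    return note_present or corroborated


def demo() -> tuple[dict[str, list[str]], bool]:
    """Build a constructed sample tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(b"Quarterly figures, unchanged. " * 40)  # benign text
        (root / "report.docx.locked").write_bytes(os.urandom(4096))               # stand-in for an encrypted file
        (root / "HOW_TO_RECOVER_FILES.txt").write_text("Your files are encrypted. Pay to decrypt.")
        (root / "photo.png").write_bytes(b"\x89PNG" + os.urandom(4096))            # compressed media: entropy alone fires
        hits = scan(root)
        return hits, verdict(hits)


if __name__ == "__main__":
    found, likely = demo()
    for name, reasons in found.items():
        print(name, reasons)
    print("likely ransomware activity:", likely)
```

The photo.png entry in the sample tree is there on purpose: compressed images, archives and already-encrypted documents all score near 8 bits per byte, so an entropy check on its own is a noisy alert. The verdict function treats entropy as corroborating evidence only, which is the same reason a production EDR correlates file entropy with rename rate and process lineage rather than alerting on any one signal.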

Can a VPN stop ransomware?

While a virtual private network (VPN) can enhance security by encrypting internet traffic, it cannot stop ransomware. Comprehensive security measures are necessary to protect against ransomware. VPNs provide privacy and protection for data in transit, but endpoint security, user training and proactive defences are essential for preventing ransomware infections, and an unpatched or poorly authenticated VPN gateway is itself a common way in for ransomware groups.
