Blog

Ransomware rising: what it is and how it works

PRESENTED BY PaperCut

What is ransomware?

Ransomware is a type of malware that, once cyber criminals have a foothold on your network, blocks access to systems or encrypts the data on devices and network shares, then demands a ransom before access is restored. 

What is malware? It’s any software intentionally designed to disrupt, damage, or gain unauthorized access to a computer system. 

In a ransomware attack, data or system access is held hostage until a ransom is paid, usually by a stated deadline. If the demand is not met, the data stays encrypted. Increasingly the attackers also steal a copy of the data before encrypting it and threaten to leak or sell it on the dark web if you don’t pay (so-called double extortion). Ransomware attacks target both individual devices and entire networks, whether a company’s or a household’s.   

Essentially, ransomware attacks are when hackers kidnap your data and hold it hostage with the threat of deletion or extortion if the ransom amount is unpaid or the deadline is not met. 

How does ransomware work?

Ransomware attackers trick users in various ways into downloading and opening a file that launches the ransomware on their device. Once it runs, the program encrypts your files and locks you out of them. 

Some ransomware attacks don’t require a human to download a file or click a link.

These are known as “drive-by” attacks: your system is infected through seemingly innocuous internet activity like visiting a web page, because the page exploits an unpatched vulnerability in the browser or a plugin to run code without any further click from you. 

Once ransomware is running on a device it may scan for and exploit vulnerabilities or weak credentials on the network to spread to and infect other devices and systems.

Ransomware attacks prey on human error, but not only that. The most frequent entry points are exposed Remote Desktop Protocol (RDP) services with weak or reused passwords and no multi-factor authentication, phishing emails, and unpatched software vulnerabilities.


What is phishing? 

Phishing is how cybercriminals trick users into handing over personal information or login credentials, by sending fraudulent communications such as an email or text message. 

Phishing emails are a common way cybercriminals get in. Stolen online banking details or other personal information can be used for identity theft, and stolen credentials or a malicious attachment can give them a foothold on your network from which to launch a ransomware attack on more unsuspecting targets. 

Attackers falsely present themselves as a trusted authority such as a government agency, a bank, or your employer. Their message contains a link or a downloadable attachment. If a user clicks the link or opens the attachment, the ransomware (or a small downloader that fetches it) runs and begins seizing control of the system.

Spear-phishing is when the communication is personalized and targeted. Attackers research the target first, using public sources like social media profiles, company websites, and previously breached data, so they can impersonate organizations or colleagues you recently or frequently interact with. Your guard is lowered and you are more likely to provide the information they seek. 
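As an added example (not part of the original post and not PaperCut’s own tooling), here is a Python script that applies the warning signs described above to a raw email: a display name that claims a brand while the address comes from another domain, a Reply-To that points somewhere else again, link text that shows one site while the href goes to another (or to a bare IP address), and executable attachments. The brand-to-domain table and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Assumed: brands you care about and the domain they legitimately mail from.
TRUSTED_BRANDS = {"acme bank": "acmebank.example"}
RISKY_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".iso")

# Constructed sample: classic credential-phish with a malicious attachment.
PHISH_EMAIL = """\
From: "Acme Bank Security" <alerts@acme-secure-login.example>
Reply-To: verify@mail-relay.example
Subject: Urgent: verify your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Unusual activity detected. Verify now:
<a href="http://203.0.113.9/verify">https://www.acmebank.example/verify</a></p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample: a legitimate message from the same brand.
CLEAN_EMAIL = """\
From: "Acme Bank" <alerts@acmebank.example>
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<p>Ready: <a href="https://www.acmebank.example/statements">https://www.acmebank.example/statements</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _domain_of(header_value):
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(raw_message):
    """Return human-readable indicators found in a raw RFC 5322 message (empty = nothing odd)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain_of(msg.get("From", ""))
    for brand, real_dom in TRUSTED_BRANDS.items():
        if brand in display_name.lower() and from_dom != real_dom and not from_dom.endswith("." + real_dom):
            findings.append(f"display name claims '{brand}' but sender domain is {from_dom}")

    if msg.get("Reply-To") and _domain_of(msg["Reply-To"]) != from_dom:
        findings.append(f"Reply-To domain {_domain_of(msg['Reply-To'])} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = _host(href)
            if _is_ip(href_host):
                findings.append(f"link points at a raw IP address: {href}")
            if text.startswith(("http://", "https://")) and _host(text) != href_host:
                findings.append(f"link text shows {_host(text)} but href goes to {href_host}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_SUFFIXES):
            findings.append(f"executable attachment: {name}")
    return findings
```

These are heuristics, not proof: a legitimate newsletter sent through a mailing provider can trip the Reply-To check, and a phish that copies the real domain into a lookalike (acmebank-secure.example) passes the brand check unless you also compare against a list of domains you actually expect. They are still the same questions a trained user should ask before clicking.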

Types of ransomware

There are many names for different ransomware strains, but they commonly come in two forms.

Locker ransomware - Malware that blocks basic computer functions and makes the machine essentially inoperable: you are denied access to your desktop and can only interact with the pop-up window demanding the ransom. Locker ransomware just locks you out; it doesn’t usually encrypt or destroy the files on disk.

Crypto ransomware - This malware encrypts your data so you can’t open documents, pictures, or videos, while basic computer functions are left alone. You can see your files but not use them. The penalty for missing the deadline is usually that the decryption key is destroyed, so the data is permanently lost, and increasingly that stolen copies are leaked.


Who are ransomware hackers?

The term “hacker” conjures a hooded figure in a neon-lit dark room stooped before a labyrinth of Matrix-like computer screens while high-energy EDM blasts from their headphones. 

The inconvenient but nuanced definition of “who is a hacker” is simply: humans. They can be operating alone or they can be working for an organization. Hackers and cybercriminals vary from criminal gangs to underworld cartels, to state-sponsored groups, to otherwise seemingly normal folk. 

The one thing we know for certain about cybercriminals is they frequently operate on the dark web. 

What is the dark web?

The public-facing internet you’re on every day is known as the surface or open web. It’s out in the open and easily accessible. 

The dark web is a hidden group of internet sites that are not indexed by search engines and cannot be reached through the open internet. They are accessed through specialized software such as the Tor Browser. Its purpose is to let people use the internet anonymously and privately. It’s not exclusively a realm for illegal operations, but it is used for nefarious and criminal activity, including the forums and leak sites where ransomware gangs sell access, recruit affiliates, and publish stolen data. 

If you don’t know where the dark web is, or even where to begin to look to find it, good news, you’re not a cybercriminal. 

How do ransomware attackers choose their targets?

Most ransomware targets Windows computers, although strains for Linux servers and virtualization hosts exist too. Ransomware attackers go after weak devices wherever they find them, so they target individuals, homes, SMBs, and enterprises alike. Large organizations have more mouthwatering data and more users to exploit, but the methods of infection are largely the same. 

Organizations that hold irreplaceable, sensitive data and cannot tolerate downtime, such as hospitals and local governments, are among the most lucrative targets, because the pressure to restore service increases the likelihood of the ransom being paid. Essentially, if you run an exploitable device or network holding valuable data, and you’re likely to pay, you’re an ideal target.

How much does ransomware cost a business?

The ransom amounts vary from a couple of hundred dollars to hundreds of thousands, even millions, depending on who and what has been targeted.

However, a ransomware attack can cost far more than the ransom. There’s the loss of data if the ransom goes unpaid or the attacker never provides a working decryption key. There’s the downtime and lost productivity while the infection is contained and cleaned up. 

After either the ransom is paid or the ransomware has been eradicated, there are still costly recovery efforts: rebuilding systems, restoring from backups, forensic investigation, and notifying affected customers or regulators where data was stolen. Plus there’s the potential of future attacks if your business remains unprotected.


Why are ransomware attacks rising? 

The COVID-19 pandemic saw a surge in ransomware attacks. Organizations pivoting to remote work meant employees were accessing data from remote and unsecured networks, like household internet connections, and even public Wi-Fi networks in libraries, coworking spaces, hotels, airports, and cafes. 

The attack surface widened, and cybercriminals exploited it. Employees were no longer behind the corporate network’s defences, nor did they necessarily have antivirus software on their home devices. They were using personal devices on unsecured home networks both to reach work systems and for personal browsing, which multiplied the entry points available to would-be attackers.

In the modern world, where individuals may have a smartphone, a tablet, a laptop, and a desktop at home, the potential entry points for cybercriminals have multiplied per person. Now that we live in a hybrid working world, cybercriminals have more targets and more isolated targets.

Ransomware-as-a-Service (RaaS)

Another factor behind the rise in ransomware attacks is you don’t need to be a hacker or coder to be a cybercriminal. 

There is now a marketplace for ransomware, known as “Ransomware-as-a-Service.” Would-be attackers (affiliates) obtain the malware and its supporting infrastructure, such as payment portals and leak sites, from a developer in exchange for a split of the ransom from successful attacks. 

Essentially, it’s not just coders and hackers launching ransomware attacks. The developers of the code package up their services for sale, expanding the pool of “bad actors” to opportunistic criminals with no technical expertise.  

Ransomware attacks usually demand that the ransom be paid to a Bitcoin address. As cryptocurrencies boomed in prevalence, so did ransomware attacks.

Cryptocurrencies like Bitcoin make it easier for attackers to receive payments without a bank or payment processor that could freeze the funds or identify the recipient. They are not untraceable, though: every Bitcoin transaction is recorded on a public ledger, and law enforcement and blockchain-analysis firms have followed and seized ransom payments, which is why some gangs demand privacy-focused coins such as Monero instead. Wallet addresses are pseudonymous rather than anonymous, and that is still enough cover for most cybercriminals to profit from their attacks.  

What to do when attacked with ransomware?

To best defend against a ransomware attack, you need a game plan: a ransomware incident response plan that individuals and the company as a whole can follow, written before anything happens. Roughly in the order you should take them:

1. Stop the spread by disconnecting infected devices from the network (unplug the cable, disable Wi-Fi) and shutting down wireless connectivity. Prefer isolating a machine over powering it off where you can: memory and running processes can hold forensic evidence that is lost when the machine is switched off.

2. Share awareness by telling all unaffected users there has been an attack, what the ransom note and the renamed files look like, and to report anything similar on their device immediately rather than trying to fix it themselves.

3. Identify the source and the strain. Look at the ransom note and the extension added to encrypted files, check antivirus, firewall and remote-access logs, and work out how it got in (a phishing email, an exposed RDP login, an unpatched server). Free identification services such as No More Ransom can tell you whether a decryptor already exists for that strain.

4. Check your backups. Confirm that the encrypted data had been backed up, that the backup copies themselves were not encrypted or deleted, and that you still have access to the backup servers and drives. Restore only onto cleaned machines.

5. Report the incident to the relevant law enforcement authority and, where personal data was involved, to your data protection regulator.

6. Wipe and rebuild affected devices. Don’t rely on an antivirus clean of a compromised machine; reimage it from a known-good image, patch it, reset every credential that was used on it, and close the entry point you found in step 3 before reconnecting it.    
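The identification step above is something you can partly automate. The following Python script is an added example, not code from the original post or from PaperCut: it walks a directory and reports the traces a crypto-ransomware run typically leaves behind, namely ransom-note file names, a foreign extension appended to documents, documents whose leading bytes no longer match their type (a .pdf that doesn’t start with %PDF), and plain-text files whose content is now near-random (Shannon entropy close to 8 bits per byte). The magic-byte table and note-name pattern are heuristics I chose for the example, and the sample tree is constructed in a temporary directory.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Expected leading bytes for common document types (assumed list, extend as needed).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}
TEXT_TYPES = {".txt", ".csv", ".md", ".log", ".json", ".xml"}
DOC_TYPES = set(MAGIC) | TEXT_TYPES
# Ransom-note naming pattern shared by many families (heuristic, assumed here).
NOTE_RE = re.compile(r"(decrypt|restore|recover|readme|how_to|unlock).*\.(txt|hta|html)$", re.I)
ENTROPY_THRESHOLD = 7.5  # bits per byte; prose sits around 4-5, ciphertext near 8


def entropy(data):
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path):
    """Return indicator strings for one file; an empty list means it looks normal."""
    p = Path(path)
    findings = []
    if NOTE_RE.search(p.name):
        findings.append("ransom-note name")
    suffixes = [s.lower() for s in p.suffixes]
    if len(suffixes) >= 2 and suffixes[-2] in DOC_TYPES and suffixes[-1] not in DOC_TYPES:
        findings.append(f"appended extension {suffixes[-1]} on {suffixes[-2]} file")
    ext = suffixes[-1] if suffixes else ""
    with open(p, "rb") as fh:
        head = fh.read(4096)
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        findings.append(f"{ext} file without {MAGIC[ext]!r} header")
    if ext in TEXT_TYPES and entropy(head) > ENTROPY_THRESHOLD:
        findings.append(f"high entropy ({entropy(head):.2f} bits/byte) in text file")
    return findings


def scan_tree(root):
    """Map relative path -> indicators for every flagged file under root."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = inspect_file(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def build_sample_tree():
    """Constructed sample: two untouched files and four traces a crypto-ransomware run leaves."""
    root = tempfile.mkdtemp(prefix="rw-triage-")
    files = {
        "notes.txt": b"Quarterly planning notes. " * 40,      # untouched text
        "scan.pdf": b"%PDF-1.7\n" + b"stream data " * 100,   # untouched PDF
        "clients.txt": os.urandom(2048),                      # encrypted in place
        "budget.pdf": os.urandom(2048),                       # encrypted in place
        "report.docx.locked": os.urandom(2048),               # encrypted and renamed
        "HOW_TO_DECRYPT.txt": b"Your files are encrypted. Pay 2 BTC to get them back.",
    }
    for name, data in files.items():
        Path(root, name).write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, "->", "; ".join(hits))
```

Run it read-only from a clean machine against the affected share (or a disk image), never from the infected host. The extension and note name it reports are what you feed into an identification service, and the list of flagged files is your first scope estimate for the backup check that follows.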

How to stop ransomware attacks

1. Education - While companies are the targets, employees are the most exploitable link, and cybercriminals rely on human error for their attacks to work. Users need to be educated about the prevalence of ransomware, how to identify common vectors like phishing emails, and safe practices like not indiscriminately clicking links or opening attachments, plus a no-blame way to report a click they regret.    

2. Backup - Back up your files to a secure local server or a cloud service, so that your data isn’t tied to one device. Keep at least one copy offline or in immutable storage that a compromised account cannot alter, and test restoring from it regularly: a backup that is permanently mounted as a network drive will simply be encrypted along with everything else. This is good practice in general in the modern working world and is one reason so much of modern enterprise can be found in the cloud.

3. Security software - Run endpoint protection that scans for malware, blocks known malicious sites and attachments, filters phishing emails, and provides safe web browsing; a VPN for remote staff keeps work traffic off untrusted Wi-Fi. 

4. Update OS and application software - Keeping your operating system and applications (browsers, office suites, VPN and remote-access tools) up to date closes the vulnerabilities that drive-by and worm-style ransomware exploit. Software updates contain vital security patches, and a patch you haven’t installed protects nobody. 
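The backup advice above has a part people skip: proving the copy is still intact before you need it. As an added example (my code, not PaperCut’s), the Python below records a SHA-256 manifest when a backup is taken and later verifies the copy against it, so a file encrypted in place shows up as modified, a renamed one as missing, and a dropped ransom note as unexpected. The assumption that matters is where the manifest lives: store it on media the backup host cannot write to, because a manifest kept next to the backup can be encrypted right along with it. The demo scenario and file contents are constructed.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def _sha256(path):
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_root, manifest_path):
    """Record relative path -> SHA-256 for every file under backup_root.
    manifest_path should be on offline or write-once media (assumption, see lead-in)."""
    entries = {}
    for dirpath, _, files in os.walk(backup_root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, backup_root)] = _sha256(full)
    Path(manifest_path).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_backup(backup_root, manifest_path):
    """Compare the backup tree with the manifest; returns ok / modified / missing / unexpected lists."""
    expected = json.loads(Path(manifest_path).read_text())
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    present = set()
    for dirpath, _, files in os.walk(backup_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, backup_root)
            present.add(rel)
            if rel not in expected:
                result["unexpected"].append(rel)
            elif _sha256(full) == expected[rel]:
                result["ok"].append(rel)
            else:
                result["modified"].append(rel)
    result["missing"] = sorted(set(expected) - present)
    return result


def demo():
    """Constructed scenario: take a backup, then simulate ransomware reaching the share."""
    backup = tempfile.mkdtemp(prefix="backup-")
    manifest = os.path.join(tempfile.mkdtemp(prefix="offline-"), "manifest.json")
    Path(backup, "payroll.xlsx").write_bytes(b"PK\x03\x04 payroll contents")
    Path(backup, "contracts.pdf").write_bytes(b"%PDF-1.4 contract text")
    write_manifest(backup, manifest)
    # The "ransomware": encrypt one file in place, rename another, drop a note.
    Path(backup, "payroll.xlsx").write_bytes(os.urandom(64))
    os.rename(Path(backup, "contracts.pdf"), Path(backup, "contracts.pdf.locked"))
    Path(backup, "README_DECRYPT.txt").write_bytes(b"pay up")
    return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A clean verification run before every restore drill, and an alert on anything other than an empty modified/missing list, turns the backup from a hope into a checked control.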

Should I just pay the ransom?

No, paying is generally not recommended, and law enforcement agencies warn against it for good reason. It’s not an easy fix and it comes with elevated risk. Some victims report that paying was the quickest and simplest way to get running again. But a payment funds further criminal activity, and in some jurisdictions paying a group that is under government sanctions can itself be unlawful, so take legal advice before it is even considered. 

The risk of paying the ransom is inviting repeat business. Your attacker could hit you again or tell other cybercriminals that your organization pays, which could bring an influx of attacks, more targeted attacks, more ransom demands, and more sophisticated attempts. 

Another thing to consider is that paying the ransom isn’t a guaranteed solution. Your attackers could demand more, might never provide the decryption key, or might hand over a slow and buggy decryptor that doesn’t recover everything.