What Is Ransomware?

Did you know that in 2023 alone, 66% of organizations were hit by ransomware attacks?¹ Meanwhile, another report has detected over 130 different ransomware strains since 2020.² 

So, what is ransomware, and why should it be on your radar? Here’s why it’s such a serious threat and how it could affect your business.

What Is the Difference Between Malware & Ransomware? 

Malware and ransomware are both types of harmful software, but they work in different ways. Here’s the difference between the two:

Malware

Malware is a broad term that refers to any software designed to harm your computer, steal your data, or cause trouble. The word “malware” comes from “malicious software.”

There are many types of malware, including viruses, worms, spyware, adware, and more. Each type does different things, like stealing your information, spying on you, or making your computer slow.

The main goal of malware is to disrupt, damage, or gain unauthorized access to your computer or data.

Ransomware

Ransomware is a specific type of malware. It’s designed to lock you out of your computer or encrypt your files, so you can’t access them.

After locking you out, the cybercriminals demand money (a ransom) to unlock your computer or give you access to your files again. They usually ask for payment in cryptocurrency because it’s hard to trace.

The primary goal of ransomware is to make money by forcing you to pay to regain control of your computer or data. Even if you pay the ransom, there’s no guarantee that the criminals will unlock your computer or return your files. They might take the money and disappear.

Ransomware is like a digital hostage situation; threat actors even use services for this type of attack, known as Ransomware-as-a-Service (RaaS).

What Is Ransomware-as-a-Service (RaaS)?

RaaS is a business model used by cybercriminals, where they offer ready-made ransomware tools and services to other attackers. 

As-a-Service: This means that instead of building the ransomware themselves, criminals can “rent” or buy it from others who have already created it. It’s similar to subscribing to a service, where they get access to off-the-shelf ransomware tools.

How it works: The creators of the ransomware provide everything needed to launch an attack, including the software, instructions, and sometimes even customer support. The people using the service don’t need to be tech experts; they just pay for access to the ransomware and launch attacks.

Payment and profit: When the victim pays the ransom, the money is often split between the person who rented or bought the service and the person who created the ransomware.

So, RaaS makes it easier for more people to get involved in cybercrime, which increases the number of ransomware attacks.

What Are Some Of The Ways Ransomware Is Spread? 

Ransomware spreads in various ways, and cybercriminals are constantly finding new methods to attack. Here are some common and emerging ways ransomware is spread:

Phishing Emails

You receive an email that looks legitimate, but it contains a malicious link or attachment. If you click on it, ransomware can get into your computer.

Phishing emails remain a popular method because it preys on human error. Cybercriminals often make these emails look like they’re from trusted sources.

Malicious Websites & Ads

Visiting a compromised website or clicking on a malicious ad can automatically download ransomware to your computer without you realizing it.

Attackers increasingly use these methods because they require less interaction from the victim and can spread widely.

Supply Chain Attacks

Attackers target the software or services you use, infecting them with ransomware before they reach your computer. When you download or update the software, the ransomware comes with it.

Supply chain attacks are growing because they allow attackers to reach many victims by compromising a single supplier or service.

Unpatched Systems

Attacking unpatched systems is common because many people and businesses don’t always keep their software up to date, leaving them vulnerable.

Ransomware can exploit vulnerabilities in your software or operating system if they’re not updated or “patched.” If your system is out of date, attackers can use these security holes to infect your computer.

Triple Extortion

In addition to locking your files and demanding a ransom, attackers also threaten to expose your data or attack your customers or business partners if you don’t pay.

Triple extortion is a newer tactic that puts extra pressure on victims by involving more people and potential damage.

Where Do Most Ransomware Attacks Come From? 

Most ransomware attacks come from well-organized cybercriminal groups and can originate from various parts of the world. 

For instance, Phobos ransomware is structured as a RaaS model and a variant of the Crysis/Dharma ransomware. It encrypts files and demands a ransom for the decryption key. Phobos is often spread through phishing emails or by exploiting vulnerabilities in systems.

One of 2Secure’s clients is a jewelry store in Georgia, which was hit by Eight, a variant of the Phobos ransomware. It took 16 hours to detect the ransomware and 71 days to fully remediate the issue. The store had to pay $25,000 to the hackers to get the decryption key and regain access to their files. Yigal’s team took two months to rebuild everything from scratch, which resulted in an additional $25,000 in out-of-pocket expenses for this client.

U.S. cybersecurity and intelligence agencies warned about Phobos ransomware attacks targeting government and critical infrastructure entities. The alert was issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Another ransomware example, which became notorious during the pandemic, was the Conti Ransomware Group. Conti is known for its highly organized and aggressive attacks. This group has targeted a wide range of industries and is infamous for demanding large ransoms and using multiple methods to ensure their attacks are successful.

There’s also REvil Ransomware—also known as Sodinokibi—which is tagged as the “Crown Prince of Ransomware”. REvil has been involved in high-profile attacks and often uses sophisticated techniques to spread their ransomware.

The attacks can be severe, as shown by the case of the jewelry store ransomware case study, where considerable time, money, and resources were required to resolve the issue.

What Is The First Thing To Do In A Ransomware Attack?

If you or your business is facing a ransomware attack, the first thing to do is stay calm and act quickly. Here’s how you can approach a ransomware attack:

1. Inform your IT department or cybersecurity team immediately. They have the expertise to handle the situation and can start taking necessary actions to deal with the attack.
2. Identify which files or systems are affected and determine the type of ransomware if possible. Knowing what you’re dealing with helps you decide the next steps.
3. Consult with cybersecurity experts or your Managed Service Provider (MSP) before deciding to pay the ransom. Paying does not guarantee that you’ll regain access to your files, and it encourages more attacks.
4. If you have up-to-date backups, restore your files from them. This is often the quickest way to get your data back without paying the ransom.
5. After dealing with the attack, review what happened and improve your defenses. 2Secure always recommends The Onion Layer approach, a strategy that uses layers of security measures to protect your systems and data. Each “layer” acts like a protective barrier, and if one layer is breached, the others still provide defense.

Readiness & Simulation

Being prepared means having a plan in place for dealing with ransomware attacks, including regular backups and a recovery strategy.

Also, businesses can conduct ransomware attack simulations to practice how they would respond to a ransomware attack. This helps in training your staff and improving your overall response plan.

FAQ

How Does Ransomware Get On Your Device?

Ransomware can get on your device through phishing emails with malicious links or attachments, unsafe websites, infected software downloads, or unpatched system vulnerabilities. It may also spread via removable drives or fake updates. Always be cautious with emails, websites, and downloads to protect yourself.

What Does Ransomware Do To Your Computer?

Ransomware locks or encrypts your files, making them inaccessible. It demands a ransom payment to unlock them. If you don’t pay, you might not retrieve access to your data. It can also spread to other devices on your network.

What Happens In A Ransomware Attack? 

In a ransomware attack, malicious software locks or encrypts your files and demands a ransom to decrypt them. The attackers may threaten to delete your files or expose sensitive information if you don’t pay up. The attack can disrupt your work and cause major financial stress.

Can You Recover From Ransomware? 

Yes, you can recover from ransomware. First, contact your IT team as they will know what to do. If you have backups, restore your files from them. If not, consult experts like the 2Secure team, who can help with recovery, decryption, and improving your security to prevent future attacks.

Source:

1. Sophos. (2023). The State of Ransomware 2023 Findings from an independent, vendor-agnostic survey of 3,000 leaders responsible for IT/cybersecurity across 14 countries. https://assets.sophos.com/X24WTUEQ/at/c949g7693gsnjh9rb9gr8/sophos-state-of-ransomware-2023-wp.pdf
2. ‌VIRUSTOTAL RANSOMWARE ACTIVITY REPORT. (2021). https://storage.googleapis.com/vtpublic/vt-ransomware-report-2021.pdf