What is ransomware?
The definition of ransomware is rather straightforward: it is a type of malware that prevents a user or an organization from accessing the files on their computer. Hackers use ransomware to lock or encrypt files on infected devices and demand a ransom payment for the decryption key.
Usually, the motivation for a ransomware attack is financial gain, but sometimes the main goal is to disrupt business operations to cause downtime and reputational harm.
According to the Threat Landscape 2022 report by the European Union Agency for Cybersecurity (ENISA), ransomware was the leading cyberthreat in 2021 and 2022. The worldwide statistics backs up these findings — in 2022, about 68% of cyberattacks reported worldwide were ransomware (with 155 million instances reported). It continues to be one of the main cyberthreats for companies and individuals.
How does a ransomware attack work?
Hundreds of ransomware examples exist, each more sophisticated than the last. But an attack typically follows a specific sequence of steps to gain access to the victim’s files, encrypt them, and demand a ransom payment in exchange for the decryption key.
Ransomware typically uses asymmetric encryption, a cryptography technique that relies on a pair of keys for the encryption and decryption of files. A cybercriminal generates a pair of keys for the victim — a public and a private key. The private key needed to decrypt the files is stored on the attacker’s server. Ransomware developers use strong encryption algorithms that are nearly impossible for the victim to break without the decryption key.
Here’s how a ransomware attack typically works:
- Research. The attacker gathers information about a potential target and identifies software vulnerabilities.
- Infection. The criminal delivers ransomware to the victim’s system by tricking the unsuspecting individual into downloading a malicious file or clicking a link. Criminals achieve this through phishing attacks (phishing emails with infected attachments and links or spear phishing) or by exploiting software vulnerabilities. Attackers may also use social engineering techniques, such as disguising ransomware as software updates and luring individuals and organizations into downloading them.
- Encryption. Once malicious software gains access to the victim’s computer or network, it starts encrypting files. Encrypted files become unreadable without a decryption key.
- Expansion. Having entered the victim’s system, the attacker might explore the network to find other systems to compromise and spread the malicious software.
- Ransom note. Once the ransomware has encrypted the files, it displays a ransom note on the infected computer screen. This note informs the victim that their files are locked and provides instructions on how to pay the ransom to receive the decryption key.
- Ransom demand. The ransom note usually includes a demand for payment, often in cryptocurrency because it’s more difficult to trace. The criminals also set a deadline for the payment. The note might also include a threat to tamper with or destroy the encrypted data or the decryption key if the ransom payment is not delivered in time.
- Ransom payment (not recommended). Some ransomware victims might pay the hackers in the hope of recovering their files. However, there is no guarantee that the criminals will restore access to the files.
But what does ransomware do to the endpoint device? It encrypts valuable files on the device, making them inaccessible, and disrupts the device’s normal operation. If not detected in time, an active ransomware infection may spread to connected devices or networks.
Victims of ransomware attacks
Ransomware victims range from individuals to organizations and businesses. According to Statista’s global data on ransomware attacks, cybercriminals mostly target institutions and organizations that are mission critical, such as healthcare, finance, manufacturing, and government organizations. These entities typically have more valuable data, greater financial resources, and a higher likelihood of paying a significant ransom.
Businesses
Ransomware attackers target companies and corporations of various sizes knowing that these entities possess valuable data, customer information, and intellectual property that they will want to regain.
In 2020, the wearables and GPS navigation company Garmin suffered a crippling ransomware attack and was held to a $10 million ransom. In 2023, 72% of businesses worldwide were affected by ransomware attacks. This is the highest figure reported in the last five years, indicating a growing trend in ransomware attacks on businesses.
Healthcare organizations and critical infrastructure
In the eyes of cybercriminals, healthcare organizations are lucrative targets because they store highly sensitive and life-critical patient information, which makes attacks on hospitals potentially lethal. In the case of critical infrastructure, such as power grids and transportation systems, attacks can cause widespread disruption.
As per the 2021 Internet Crime Report by the US Federal Bureau of Investigation, healthcare was the industry most targeted by ransomware in the US in 2021. The same year, the US Department of Health and Human Services reported that the average ransom demand against hospitals was around $131,000.
Individuals and home users
Cybercriminals attack individuals as well because they too have sensitive personal information they need to recover, like financial information, family photos, or personal documents. Statistics on ransomware attacks on individuals are less definite because individuals are less likely to inform law enforcement.
Cost of ransomware attacks
Ransomware attacks cause companies financial, reputational, and legal damage. Even if the targeted organization does not pay a ransom, the expenses it incurs due to downtime and reputational damage can be significant.
Financial costs
Ransomware victims might suffer a severe financial impact if they decide to fulfill ransom demands. ENISA shares distressing data about the EU: the highest ransomware demand grew from €13 million in 2019 to €62 million in 2021 and the average ransom paid doubled from €71,000 in 2019 to €150,000 in 2020. According to Statista, in the second quarter of 2023, globally the average amount of ransom paid exceeded $740,000.
Even if the company does not pay a ransom, a ransomware infection usually causes costly downtime. J.P. Morgan quotes the Q3 2020 Claims Analysis Report from the US insurance company AIG, which states that the typical outage length for US companies that suffered a ransomware attack in 2020 ranged from 7 to 10 days.
Aside from downtime, the recovery process might also be lengthy and expensive. The company must investigate the breach, improve its cybersecurity defenses, and restore its systems and data. J.P. Morgan also shares IBM’s 2020 Annual Cost of a Data Breach Study, which notes that the average cost of rectifying a ransomware attack, across all industries, was $1.27 million.
Reputational damage
Reputational damage is another critical consequence of ransomware attacks because these attacks erode public trust. Customers may lose confidence in the organization’s ability to protect their sensitive data, leading to a loss of business and potential long-term damage to the brand’s good name.
For example, in 2021, ransomware attackers robbed CNA Financial of a trove of data, including customer data, disrupting its business operations and damaging the company’s reputation. Even if hackers do not steal any sensitive data, the public disclosure of a ransomware attack can raise concerns among customers and partners about the organization’s cybersecurity resilience.
Legal and regulatory consequences
Ransomware infections may cause severe legal and regulatory consequences, such as fines and penalties for failing to protect sensitive data. Organizations must comply with data protection laws, such as the General Data Protection Regulation (GDPR) in Europe or the California Consumer Privacy Act (CCPA) in the United States.
Failure to report data breaches promptly and take appropriate security measures can lead to fines and lawsuits. For example, in 2018, British Airways suffered a data breach that affected approximately 500,000 customers. The company faced regulatory investigations and received a fine from the UK Information Commissioner’s Office (ICO) under GDPR regulations.
How to prevent ransomware attacks
A successful ransomware prevention model involves proactive measures. These measures include:
- Regular data backups. The ransomware attack will not be effective if the victim maintains access to their data after the breach. This is why it’s important to have a secure data backup solution, such as software as a service (SaaS)-based system recovery tools, so that the data lost to a ransomware attack is minimal or non-existent. It’s crucial that the backup data can’t be encrypted by the criminals. Make sure to store it in a read-only format, which cannot be affected by ransomware. Keep the backup data offline or in a secure cloud environment, enable versioning to retain multiple copies of files, and periodically test backups to confirm their integrity.
- Employee training and cybersecurity awareness. Regular cybersecurity awareness training helps to diminish your company’s vulnerability to ransomware. Instruct your employees to do the following:
- Never click on suspicious links.
- Never open suspicious or unexpected attachments.
- Never reveal personal or sensitive data to unverified individuals.
- Verify software legitimacy before downloading it.
- Never use unknown USB drives.
- Use a VPN when connecting to a public or unsecure Wi-Fi network.
- User authentication and access control. Implement secure user authentication methods, such as multi-factor authentication (MFA), and strong access controls. Enforce the principle of least privilege to limit user access to the minimum necessary for their job role, and restrict administrative access to authorized personnel only.
- Security software and patch management. Antivirus and antimalware software, endpoint detection and response solutions, email security gateways, and browser security extensions help prevent ransomware attacks. Timely software updates and patches fix software vulnerabilities that cybercriminals might exploit. Updates keep your security tools and operating system equipped with the latest threat intelligence, enhancing their ability to detect and block existing and new ransomware variants.
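The backup advice above (read-only copies, versioning, periodic integrity tests) is easy to state and easy to skip. The script below is an added example, not NordVPN’s code: it hashes every file in a backup tree into a manifest, marks the copies read-only, and later re-verifies the tree, reporting files that changed (what an encryption pass looks like), went missing, or appeared out of nowhere (such as a dropped ransom note). All paths and file contents are constructed for the demo.

```python
"""Backup integrity check: build a SHA-256 manifest of a backup tree,
mark the copies read-only, and re-verify them later.

Added example (not NordVPN's code). The demo paths and file contents are
constructed; point build_manifest() at your real backup root."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record hash and size of every file under backup_root and mark each copy read-only.

    Read-only mode is a speed bump, not a guarantee: malware running with the
    owner's rights can chmod the file back. Keep the manifest (and ideally the
    backup itself) on offline or write-once storage."""
    manifest = {}
    for path in sorted(p for p in backup_root.rglob("*") if p.is_file()):
        rel = path.relative_to(backup_root).as_posix()
        manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
        path.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # 0o444
    return manifest


def verify_manifest(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup tree to its manifest and return the discrepancies.

    'modified': same name, different content (the signature of an encryption pass)
    'missing':  deleted or renamed files
    'unexpected': files the manifest never saw, e.g. a dropped ransom note"""
    report = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for path in backup_root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(backup_root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["unexpected"].append(rel)
        elif sha256_file(path) != expected["sha256"]:
            report["modified"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def save_manifest(manifest: dict, dest: Path) -> None:
    """Persist the manifest as JSON; store this copy somewhere the backup host cannot write."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: a clean backup passes, then a tampered copy is caught."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_text("quarterly figures")
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 fake jpeg header")

    manifest = build_manifest(root)
    clean = verify_manifest(root, manifest)

    # Simulate tampering with the backup: overwrite one file's content and drop a note.
    victim = root / "docs" / "report.txt"
    victim.chmod(stat.S_IRUSR | stat.S_IWUSR)
    victim.write_bytes(b"\x9a\x1f\x77 garbage in place of the original")
    (root / "README_DECRYPT.txt").write_text("constructed ransom-note stand-in")
    tampered = verify_manifest(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from a host other than the one that writes the backups, against a manifest copy the backup host cannot modify; a check that reads its expected hashes from the same writable share it is checking proves nothing once that share is encrypted.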
Recognizing ransomware symptoms
There are six main ransomware infection signs that should immediately draw your attention and prompt you to take action:
- Inexplicable slowdown of computers and network activities. It’s one of the earliest signs of a ransomware attack. Ransomware begins its nasty work by scanning devices for file storage locations, which causes the slowdown. You might think the device slowed down because of many users depleting bandwidth, but take a closer look to determine the real reason.
- Suspicious changes to files, their names and locations. If files or entire folders are changed, unknown or unaccounted for files appear, or some files are without an extension, it may indicate a cyberattack.
- Unauthorized extraction of data. If files go missing, treat it as a sign of a potential breach and inspect it.
- Unrecognized and unwanted file encryption. If you notice encrypted files on your network that no one has knowledge of or accountability for, this should set off an alarm to act.
- A locked desktop. Some ransomware variants lock your entire desktop, preventing you from accessing your computer or files until you pay a ransom.
- A message flashing on the screen and informing about an attack. The most obvious indicator of a ransomware attack is the message on your computer screen informing you about the ransomware infection.
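Three of the symptoms above (suspicious renames, files losing their extension, and content that suddenly looks encrypted) can be spotted automatically from file-activity telemetry. The detector below is an added example, not NordVPN’s code or any product’s detection logic: it runs three heuristics over a stream of file events, using Shannon entropy to flag writes whose content looks encrypted and a sliding window to catch a burst of extension-changing renames by one account. The event format, the thresholds and the sample events are all assumptions constructed for the demo; in practice the input would come from an EDR or a file-audit log and the thresholds would be tuned to the environment.

```python
"""Toy detector for file-level ransomware symptoms: a burst of extension-changing
renames, files losing their extension, and writes whose content has near-maximal
entropy (i.e. looks encrypted).

Added example, not NordVPN's code. Event format, thresholds and sample events are
constructed assumptions for the demo."""
import math
from collections import Counter, defaultdict
from pathlib import PurePosixPath

RENAME_BURST = 5          # extension-changing renames by one user inside the window
WINDOW_SECONDS = 60       # sliding window for the burst rule
ENTROPY_THRESHOLD = 7.5   # bits/byte: text is ~4-5, compressed or encrypted data ~7.9+
DOC_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte; 8.0 is the ceiling (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def lost_extension(old: str, new: str) -> bool:
    """True when a file with a known document extension is renamed to have none."""
    return PurePosixPath(old).suffix in DOC_EXTENSIONS and PurePosixPath(new).suffix == ""


def scan_events(events: list) -> list:
    """Run the three heuristics over file events and return the alerts raised.

    Each event is a dict: ts (seconds), user, op ('write' | 'rename'), path, and
    either data (bytes, for writes) or new_path (for renames)."""
    alerts = []
    recent_renames = defaultdict(list)  # user -> timestamps of extension-changing renames

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] == "rename":
            old, new = ev["path"], ev["new_path"]
            if lost_extension(old, new):
                alerts.append({"rule": "extension_stripped", "user": ev["user"], "path": new})
            if PurePosixPath(old).suffix != PurePosixPath(new).suffix:
                window = [t for t in recent_renames[ev["user"]] if ev["ts"] - t <= WINDOW_SECONDS]
                window.append(ev["ts"])
                recent_renames[ev["user"]] = window
                if len(window) == RENAME_BURST:  # fire once when the threshold is crossed
                    alerts.append({"rule": "rename_burst", "user": ev["user"], "count": RENAME_BURST})
        elif ev["op"] == "write" and PurePosixPath(ev["path"]).suffix in DOC_EXTENSIONS:
            ent = shannon_entropy(ev["data"])
            if ent >= ENTROPY_THRESHOLD:
                alerts.append({"rule": "high_entropy_write", "user": ev["user"],
                               "path": ev["path"], "entropy": round(ent, 2)})
    return alerts


# Constructed sample telemetry (not real logs): normal activity, then one service
# account rewriting and renaming documents within a few seconds.
SAMPLE_EVENTS = [
    {"ts": 0, "user": "alice", "op": "write", "path": "/home/alice/notes.txt",
     "data": b"Meeting moved to Thursday, bring the Q3 figures."},
    {"ts": 5, "user": "bob", "op": "rename", "path": "/srv/share/old.docx",
     "new_path": "/srv/share/old_v2.docx"},
    {"ts": 100, "user": "svc-backup", "op": "write", "path": "/srv/share/budget.xlsx",
     "data": bytes(range(256)) * 4},
    {"ts": 101, "user": "svc-backup", "op": "rename", "path": "/srv/share/budget.xlsx",
     "new_path": "/srv/share/budget.xlsx.locked"},
    {"ts": 102, "user": "svc-backup", "op": "rename", "path": "/srv/share/a.pdf",
     "new_path": "/srv/share/a.pdf.locked"},
    {"ts": 103, "user": "svc-backup", "op": "rename", "path": "/srv/share/b.pdf",
     "new_path": "/srv/share/b.pdf.locked"},
    {"ts": 104, "user": "svc-backup", "op": "rename", "path": "/srv/share/c.jpg",
     "new_path": "/srv/share/c.jpg.locked"},
    {"ts": 105, "user": "svc-backup", "op": "rename", "path": "/srv/share/d.txt",
     "new_path": "/srv/share/d"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

On the sample above the detector raises three alerts: the high-entropy rewrite of budget.xlsx, the stripped extension on d.txt, and the rename burst by svc-backup. Bob’s single rename keeps its extension and is ignored, and Alice’s plain-text note sits far below the entropy threshold. The entropy rule on its own is noisy (legitimately compressed files such as ZIP archives or JPEGs also score high), which is why it is combined with the rename heuristics rather than used alone.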
Most common ransomware variants
There are numerous ransomware families, each with its own set of ransomware variants. Here’s a list of the most infamous ransomware variants that have caused the most damage in recent years:
- WannaCry (or WanaCrypt0r). In 2017, the WannaCry ransomware variant rapidly spread like a computer virus across networks, exploiting a Microsoft Windows vulnerability known as EternalBlue. It infected hundreds of thousands of computers worldwide and hit the National Health Service (NHS) in the UK, causing damages of over £90 million.
- Petya/NotPetya. While Petya was an older variant, NotPetya emerged in 2017 and was particularly destructive. It hit Windows computers in Europe and the US. Instead of just encrypting files, it would overwrite the master boot record to cause more systemic damage and permanently delete files.
- CryptoWall. CryptoWall is one of the more persistent types of ransomware. It encrypts a user’s data, making it impossible to access, and then demands payment in cryptocurrency as ransom to restore it.
- Ryuk. Believed to be linked to the Lazarus Group in North Korea, Ryuk targets large businesses, hospitals, and law enforcement agencies for high-ransom payouts, mostly in Bitcoin. It has been responsible for multiple high-profile attacks, especially in the US.
- GandCrab. Active between 2018 and 2019, GandCrab was one of the most prolific “ransomware as a service” (RaaS) strains. RaaS is a criminal business model in which ransomware groups create ransomware and allow other individuals, even those with little technical expertise, to carry out attacks using it for a percentage of the ransom payment.
- REvil (or Sodinokibi). Another example of the “ransomware as a service” model, REvil has been responsible for several high-profile attacks, including the one on Kaseya in 2021. It’s an example of a double extortion model, in which criminals not only encrypt the victim’s data but also release it publicly if the victim does not pay up.
- Dharma (or CrySiS). This ransomware targets Windows systems and has multiple variants. CrySiS usually infiltrates systems through exposed Remote Desktop Protocol (RDP) ports. It’s known for its frequent updates and its ability to evade detection.
- Locky. Having emerged in 2016, Locky is one of the most widespread ransomware types, with variants and tactics still popping up to this day. Locky was distributed via malicious attachments. Typically, an attached Word document would trick users into enabling macros, which would in turn let loose a trojan that would encrypt the victim’s files.
- Cerber. This ransomware stood out for using text-to-speech to “read” its ransom note to victims. Its creators sold Cerber as software as a service (SaaS) to other cybercriminals for a percentage of their revenue.
- Maze. Active throughout 2019 and 2020, Maze was the pioneer of the double extortion tactic. It spread through email phishing and spear phishing attacks.
- NetWalker. NetWalker is another example of double extortion ransomware. It spread during the COVID-19 pandemic, mostly targeting organizations involved in pandemic response.
- DarkSide. One more example of “ransomware as a service,” DarkSide spread with hackers exploiting weaknesses in remote desktop protocols (RDP). This group claimed responsibility for the high-profile attack on Colonial Pipeline in May 2021, which resulted in significant fuel shortages in parts of the US.
- GoodWill ransomware. First identified in 2022, GoodWill is modern ransomware that stands out for its goal — instead of a payment, the ransomware group demands that its victims perform an act of kindness for the poor.
How to respond to a ransomware attack
If, despite all of your efforts, you or your company are hit by a ransomware attack, you can take the following steps to handle the incident. Also, make sure it’s not simply scareware or other malware you are dealing with.
- Isolate the infected system. Immediately disconnect the infected device from the network to prevent the ransomware from spreading.
- Do not pay the ransom. There is no guarantee you will receive the decryption key from the hackers, and paying them will only fuel their criminal activity.
- Report the incident. Notify your organization’s IT or security team and your local law enforcement agencies to initiate an investigation. Inform relevant stakeholders, including employees, customers, and partners, about the incident and recovery efforts.
- Assess the impact. Evaluate the scope of the attack and identify which systems and data have been affected.
- Ensure compliance with data breach notification laws and regulations.
- Try to recover the data. Restore the affected files from backups unaffected by ransomware, if available.
- Remove the ransomware from the system, patch up all vulnerabilities, and strengthen security measures.
How to remove ransomware
Here are the steps both individuals and organizations can take to remove ransomware from their systems:
- Isolate the infected device(s). Disconnect the affected device(s) from any wired or wireless connections, including the internet, networks, mobile devices, flash drives, external hard drives, and cloud storage accounts, to prevent the ransomware from spreading. Check that connected devices have not been infected.
- Determine the type of ransomware. Knowing which ransomware strain affected your device can help to remove it. You might need to show your device to a cybersecurity professional or use a specific software tool for diagnosis.
- Remove the ransomware. Check if the ransomware is still on your device, because sometimes it deletes itself after a successful infection. If it’s still there, use anti-malware or anti-ransomware software to quarantine or remove the malware. We advise you to get a security professional to help you locate and uninstall the ransomware files manually because it is a complicated task.
- Restore from backup. If you have clean and up-to-date backups, use them to restore your system to a state before the ransomware infection hit. Ensure that your backups are free from malware.
Is it possible to recover files after a ransomware attack?
It is possible to recover files after a ransomware attack if you have secure and up-to-date backups that were unaffected by the ransomware. You may also be able to recover files that were encrypted by a ransomware strain for which a decryption tool exists. To get such a tool, you will need to carry out an online search, contact law enforcement agencies, or contact cybersecurity companies that provide ransomware removal services.
Conclusion
Ransomware attacks target individuals and organizations alike. Some ransomware strains might penetrate even the toughest cybersecurity defense — all it takes is one absent-minded click on a malicious attachment. So your best call is to educate yourself on safe online practices and react as soon as you notice the first signs of a potential attack.