What is Ransomware?

Ransomware is a type of malware that attackers use to hold data hostage unless a ransom is paid. If not prevented, or caught shortly after infection, ransomware attacks can cripple organizations by stealing it to sell on the Dark Web, making sensitive information public, or destroying data entirely. Customer information, financial data, intellectual property, and employee details are frequently targeted during attacks, and may still be stolen, even when attackers are paid off.

Ransomware has been the most pervasive cyber threat since 2005. According to the 2020 Malware Report by Cybersecurity Insiders, 43% of cybersecurity professionals surveyed experienced an attack and 80% of respondents felt it was at least moderately likely they would experience another attack within the next 12 months. Additionally, 82% of those surveyed were most concerned about ransomware out of any type of malware.

Read more>

ransomware attacker

How Does Ransomware Work?

How does ransomware work

Ransomware can be deployed in several ways. According to the 2020 Malware Report, 83% of security professionals consider phishing emails to be the most dangerous attack vector. In fact, according to the Verizon Data Breach Investigations Report, 94% of malware deliveries are completed through a phishing email of some type. Other potential entry points are email attachments, users visiting malicious or compromised websites, and exploit kits.

Though there are various strains of malware, every type shares a few common characteristics. First, ransomware blocks access to a victim’s files. Next, targets receive a note with demanding a certain amount of money to restore access to their files. Though the cost varies, the payment typically must be made through some form of cryptocurrency, like Bitcoin or Monero. Unlike marked bills or money wiring, cryptocurrency is nearly impossible to trace, so cybercriminals can be confident that they won’t be tracked through their payment.

There are two types of ransomware. Encrypting ransomware (crypto-ransomware) converts files into ciphertext, rendering them unreadable . Attackers will deliver a decryption key upon payment, and threaten to delete the encryption key if the ransom goes unpaid, which effectively destroys the data by making it unusable.

Non-encrypting ransomware uses lock screens that take up the entire screen and display a ransom note in some form. These strains are often less successful, since once the lock screen is removed, which is possible to achieve without paying the threat actors, the files remain unaltered.

What is the Purpose of Ransomware?


Of course, ransomware’s primary purpose is typically financial gain. No matter what a victim chooses to do, once they receive the ransom note, the attacker has the opportunity to make money in some way. If the ransom is paid, they get money without having to do any more work. If they aren’t paid, most strains of ransomware enable attackers to steal the data they are holding hostage. From there, they can sell the data, and make their money that way.

However, another big threat of ransomware is its power to be used as a decoy. In fact, the power of ransomware as a tool for distraction dates back to 2015. By the end of 2016, a large number of targeted attack groups began adopting these methods of using ransomware as a tool to get IT and security teams chasing potential infections, allowing them to infiltrate the network and get what they are truly seeking.

This approach causes considerable damage, as it causes so much confusion among victims and often delays effective responses. While attackers are entering the system in another area, IT response teams are preoccupied trying to recover from the initial ransomware attack—performing backup activities, shutting down offending systems, identifying internal ransomware procedures, and determining if they should pay the ransom.

Read more>

What is Ransomware-as-a-Service (RaaS)?


Savvy threat actors, inspired by the legitimate software-as-a-service (SaaS) model, have created their own version to sell on the Dark Web. RaaS is an increasingly common practice in which cybercriminals create ransomware, and either sell it to others or rent it and take a portion of any bounty collected when it is used in a successful attack. This model has helped proliferate ransomware, as it opens up an entirely new clientele to cyber attacks. People who don’t know how to code or create ransomware can now easily become attackers.

For example, Satan RaaS provides quite a few features for users to easily tailor this malware without needing any expertise. They can set the extortion amount, customize their notes, translate the malware into different languages, track transactions, and even obtain new releases of Satan. Additionally, they get detailed instructions on how to test and deploy their malware. In exchange, the developers of Satan get a 30% of whatever income attackers using the ransomware receive.

ransomware computers

What Are Some Examples of Ransomware?


First appearing in 2017, BadRabbit is crypto-ransomware strain that has infected targets mainly through hacked websites and drive-by spreads. It is able to move quickly, using an SMB component that allows it to move across an infected network and propagate without user interaction.

An epidemic of BadRabbit began in October 2017, attacking over 200 organizations across the globe. For example, media outlets in Russia were targeted, as well as the Odessa airport in Ukraine.

What Do You Do After a Ransomware Attack?

Part of what makes ransomware so dangerous is that once you receive the ransom note, attackers have successfully breached your network. Once you have been infected, there are usually only two options: pay the ransom or rebuild from backups/scratch.

Experts almost universally advise not to pay the ransom. The fact is, you simply cannot trust that attackers will return your data once you’ve paid. Once you’ve paid, they have what they want, and face zero consequences for not holding up their end of the bargain. For example, XBash malware poses as ransomware, but is programmed merely to destroy Linux databases, and contains no restoration mechanism.  

Despite this, according to a survey by CyberEdge Group, 38.7% of organizations paid the ransom, and only half of these victims recovered their data. Of the 61.3% that did not pay the ransom, 53.3% were able to recover some of their data. It’s far better to invest the ransom payment into recovering the data through other means. Ultimately, paying ransom is bad for everyone. You’re unlikely to get your data back and giving into demands only encourages either a repeat attack, or further attacks on other organizations.

Read more>

Regardless of what path an organization chooses, it is still strongly recommended to contact authorities. For example, U.S. companies can contact the FBI, either through their local office, or with an IC3 complaint form. Reporting ransomware attacks allows as much knowledge as possible be collected in order to learn and improve prevention methods. Additionally, such agencies are often the most capable of widely disseminating information, putting other organizations on high alert.

Core impact Banner

How Do You Prevent and Manage Ransomware Attacks?


There are five key ways to reduce the risk of ransomware attacks:

1. Prepare.

In order to ensure that there won’t be any disruption to operations in the event of an attack, it’s best to create backups of all of your critical information. However, it’s important to segregate your backups. Many strains of ransomware have begun to seek out and encrypt backups that are on the same network. Backups should be stored on different networks to avoid being affected in an attack.

2. Educate.  

Unfortunately, users present an unavoidable risk to ransomware. However, pen testing and pen testing solutions can help prepare users to better recognize ransomware infection methods. For example, phishing emails trick users into clicking a link in an email designed to look as though it came from a trusted source. Social engineering pen testing can uncover who is susceptible to these attacks by launching phishing simulation campaigns. From there, additional training should be provided to teach your employees how to be more vigilant before clicking another suspicious email.  

3. Deter.

Penetration testing can also help deter attacks by uncovering and exploiting security weaknesses, demonstrating the feasibility of systems or end-user compromise and the potential related consequences such incidents may have on the involved resources or operations. Pen tests not only help expose these weaknesses, they also prioritize them based on their level of risk. Organizations can structure their remediation plans based on these priorities.

Additionally, becoming an easy target can be avoided by keeping systems and devices up to date. If a patch is available for any devices or third-party software, patch them. These patches fix known vulnerabilities that attackers can easily take advantage of to gain access and deploy ransomware. Make sure that these patches are properly installed—many require a restart in order to take effect.

Finally, Identity Governance and Administration (IGA) solutions mitigate risk by limiting access, reducing the exposure of sensitive data. IGA solutions enable a robust approach to managing and governing access by focusing on the principle of least privilege, eliminating excess privileges, and granting access to only those who absolutely need it in order to do their jobs.

4. Detect.

Ransomware typically lurks for some time, finding sensitive files to steal or encrypt. The ransom only occurs at the end of the attack cycle, so as long as you can detect the ransomware before then, it significantly reduces the risk of long term or permanent damage.  

Threat detection tools like network traffic analysis (NTA) work to monitor your network for malicious activity, alerting your security team the moment a risk is uncovered. These solutions help prioritize risk, providing vital information to enable a rapid response so that security analysts can both eliminate the threat and minimize damage, enabling rapid recovery and remediation. Instead of monitoring the network, NTA solutions monitor the traffic, looking for and confirming malicious activity, ensuring that immediate action can be taken.

5. Validate.

An organization’s security posture shouldn’t be assessed just once. IT environments, and the methods used to attack them, are constantly evolving, so it is to be expected that new weaknesses will emerge. Evaluating and testing processes on a regular basis will continuously strengthen and improve them.


Ransomware Solutions from Core Security


Left Column

Core Impact

Simple enough for your first test, powerful enough for the rest.


Learn More >
Middle Column

Network Insight

Immediately detect critical threats other solutions miss.

Learn More >
Right Column

Powertech Antivirus

Native virus protection software for IBM systems (Linux, AIX, and IBM i).

Learn More >