Ransomware is a type of malicious software or malware that virtually holds your data hostage, locking up your computer and threatening to keep it locked until you pay the attacker’s ransom. The International Business Machines Corporation (IBM) reports that in 2021, ransomware attacks accounted for 21% of all cyberattacks and resulted in a staggering USD 20 billion loss.
What is Ransomware?
In the past, ransomware attacks were aimed solely at locking a person’s data or device until they paid money to unlock it.
Nowadays, however, cybercriminals are taking matters to a whole new level. The 2022 X-Force Threat Intelligence Index revealed that virtually all ransomware attacks have now adopted the ‘double extortion’ strategy, which not only encrypts data but also demands a ransom payment to keep the stolen data from being published. In addition, these cybercriminals are adding a further threat to their repertoire, triple extortion campaigns that include Distributed Denial of Service (DDoS) attacks, and such campaigns are becoming increasingly common.
Ransomware and Malware
To better understand ransomware, we must first examine what malware (malicious software) is and what it implies.
Malware is a term that prompts more questions than answers. Is the software itself malicious, or is it simply being used for nefarious purposes? As with many aspects of cybersecurity, there is no single answer to this question; instead, it is an intricate and complex area in which we must consider multiple factors. The software can be malevolent in its own right; however, the human who operates that software is ultimately responsible for determining whether, and how, it will be used maliciously.
Cyber threats are broad, from destructive viruses to crafty Trojans. But there’s a unique strain even more dangerous than these – ransomware. Uncover the mystery behind this malicious software, and learn how to protect yourself from it!
How does ransomware work?
Ransomware is designed to block access to all content on the target computer or network until the attacker receives payment. More sophisticated attacks may perform disk-level encryption so thorough that, without paying the ransom, it would be impossible to decrypt any files. From 2013 to 2020, the FBI’s Internet Crime Complaint Center recorded a dramatic 243% surge in reported ransomware incidents.
Unlike other forms of cybercrime, ransomware requires its victims to cooperate with the criminal for the attack to succeed.
As stated on its website, the FBI warns against paying a ransom if an individual or company is attacked with ransomware. Paying the ransom gives no guarantee that an organization or victim will regain access to their data, making it a risky and unreliable solution. Sadly, in some cases where victims paid the ransom demanded by attackers, they never received a working decryption key to unlock their data. Even when they did, not all files were necessarily recoverable. By paying the ransom, you are not only giving criminals an incentive to keep executing ransomware attacks on organizations and individuals alike, but also making the business more attractive to other potential cybercriminals.
Popular ransomware variations
With numerous ransomware varieties existing, it is no wonder that some are more successful than others. In fact, there are a select few who have risen above the rest in terms of effectiveness and popularity – making them stand out from their counterparts.
Ryuk is a type of ransomware that targets a specific type of user. It is usually delivered through a phishing email or with stolen login credentials to get into a system. Once the system is infected, Ryuk encrypts some files and then demands payment to restore them.
Ryuk is notorious for being one of the costliest ransomware varieties, with average ransom demands exceeding $1 million. Because of this, Ryuk-related cybercriminals regularly target businesses with access to ample financial resources to meet these exorbitant payments.
REvil (also known as Sodinokibi) is a malicious ransomware strain that predominantly plagues large-scale firms.
The infamous REvil ransomware, operated by a Russian-speaking group since 2019, is one of the most notorious cyber threats on the internet today. The group has been held responsible for significant breaches such as those at Kaseya and JBS, making it a serious threat to businesses across numerous industries.
Over the last few years, REvil has gone head-to-head with Ryuk for the title of most costly ransomware. Reports have surfaced that this malicious software requested ransom payments of up to $800,000.
Initially, REvil was just another traditional ransomware variant, but it has since evolved. Its operators now use the double extortion technique, not only encrypting files but also stealing data from businesses. This means that apart from demanding a ransom to decrypt the data, the attackers threaten to publicly expose the stolen information if an additional payment is not made.
The Maze ransomware has gained notoriety for its innovative approach to extortion. It not only encrypts files but also steals sensitive data from the victim’s computer and threatens to make it public or sell it if a ransom is not paid. This menacing strategy puts targets in an even more difficult situation – either pay up or face much higher costs due to an expensive data breach.
Although the Maze ransomware group has disbanded, this does not mean the threat is over. Several former Maze affiliates have shifted to using Egregor ransomware instead, and it is widely speculated that Maze, Egregor and a third variant, Sekhmet, share a common origin.
In March 2021, Microsoft released critical updates for four vulnerabilities in its Exchange servers, but before everyone could apply the fixes, DearCry appeared: a new ransomware variant specifically designed to exploit these weaknesses.
DearCry ransomware can lock down many files, leaving users with a ransom note on their computers that instructs them to contact its operators to learn how to restore access.
The South American ransomware gang, Lapsus$, has been linked to cyberattacks on noteworthy targets worldwide. With intimidation and the potential for sensitive data exposure, the cyber gang has established a name for itself by extorting its victims unless their demands are met. They have bragged about penetrating Nvidia, Samsung, and Ubisoft, amongst other global organizations. This group utilises pilfered source code to make malicious files appear as legitimate software.
LockBit is ransomware that encrypts data to block access to it. It has been around since September 2019 and has recently been offered as Ransomware-as-a-Service (RaaS), meaning that affiliates pay to use it against victims of their own choosing.
Ransomware’s costly consequences
Organizations dealing with ransomware are often reluctant to disclose how much ransom they have paid. As outlined in the report Definitive Guide to Ransomware 2022, ransom demands have increased drastically; what used to comprise only single-digit payments has now expanded into seven- and eight-digit figures. In the most extreme instances, companies may need to pay a ransom of USD 40-80 million to get their data back. Yet these payments are not the only cost associated with ransomware attacks; other direct and indirect costs can compound an organization’s financial burden. As reported in IBM’s Cost of a Data Breach 2021 study, the average cost of a ransomware attack, excluding the ransom payment itself, was a staggering USD 4.62 million.
The DCH Hospitals case
The DCH is a regional medical centre in Tuscaloosa, Alabama, operating since 1923.
On October 1st, 2019, DCH Hospitals was hit by a ransomware attack. Every electronic system was down; the hospitals could not admit new patients and had to fall back on paper for everything.
A representative from DCH revealed that the system was compromised when somebody opened and interacted with a corrupted email attachment. Fortunately, no patient information was jeopardized.
The DCH Hospital System boasts three major hospitals — DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center — that serve a large portion of West Alabama. These three medical facilities offer over 850 beds and welcome more than 32,000 patients annually.
On Saturday, October 5th, in order to swiftly regain access to their systems, DCH Hospitals opted to pay the ransom and obtain a decryption key from the attackers. However, they have decided not to disclose how much they paid. As healthcare systems are critical and sensitive, they make easy targets for ransomware attacks. Often, these organizations find paying the ransom more beneficial than confronting potential data loss or disruptions. The confidential information stored in their systems is too valuable to lose. The malicious ransomware utilized to breach the security of DCH Hospital was unknowingly facilitated by an employee who opened a phishing email containing a contaminated attachment. This enabled the malware to gain access and subsequently infect their computer network.
5 Steps to prevent becoming a ransomware victim
1. Train your employees about cybersecurity threats.
To protect ourselves from cyberattacks and to be able to identify their occurrence in the workplace, we must acknowledge our individual accountability for cybersecurity. Every employee should receive specialized training on identifying and preventing cyberspace threats. But it is ultimately up to each individual to take the information they have received to assess potential risks within their daily lives accurately. The incident at DCH Hospitals is an important example of how valuable it can be to possess a personal understanding of cyber security.
The company must inform employees of the risks of opening email attachments from unknown senders, particularly in a work environment. When in doubt, it is always best to consult someone with experience before opening any message, link or attachment. Many businesses have an in-house IT department that will investigate a reported phishing attempt and confirm to the employee whether the message is legitimate. If a message appears to come from a trusted source, such as your bank or an acquaintance you know personally, contact them directly and confirm that they sent the message and its contents before clicking any link it contains. This way, you can protect yourself from potential cyberattacks.
2. Back up your files.
If you’re ever targeted by ransomware or have some data lost in an attack and don’t want to pay the ransom, having a secure backup of your most valuable information is essential.
To minimize the consequences of a malicious attack, DCH Hospitals should have taken preventative measures and backed up their essential files before the incident. A backup would have enabled them to stay open and continue operations without interruption due to ransomware.
3. Keep your software updated.
Cybercriminals frequently exploit known weaknesses to introduce malicious software into a device or system. Unpatched security flaws, including zero-days, are hazardous because they are either unknown to the security industry or known but not yet addressed. Certain ransomware groups have been observed purchasing intelligence on zero-day vulnerabilities from other cybercriminals for use in their operations. Attackers are also known to exploit flaws for which a patch exists but has not yet been applied, in order to enter systems and launch attacks.
It is essential to apply patches regularly to protect against ransomware attacks that target software and operating system vulnerabilities.
4. Install and update cybersecurity tools
It is essential to keep cybersecurity tools up to date: anti-malware and antivirus software, firewalls, secure web gateways, and enterprise solutions such as endpoint detection and response (EDR) and extended detection and response (XDR), which help security teams detect malicious activity in real time.
5. Implement access control policies
Organizations should deploy multi-factor authentication, a zero-trust architecture, network segmentation, and related safeguards to protect sensitive data and stop self-propagating ransomware (crypto-worms) from spreading to other machines on the network.
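As an added example (not code from the original article), a toy version of the kind of heuristic an EDR agent uses to spot encryption ransomware in real time: it flags a process that rewrites many distinct files with high-entropy, encrypted-looking content within a short window. The event format, process ids and file paths are constructed for the example.

```python
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class WriteEvent:
    ts: float    # timestamp in seconds (constructed file-monitor feed)
    pid: int     # hypothetical id of the writing process
    path: str
    data: bytes  # content written

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed bytes, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_suspicious_pids(events, window=10.0, min_files=5, min_entropy=7.0):
    """Return the set of pids that wrote high-entropy data to at least
    `min_files` distinct paths within any `window` seconds (sliding window)."""
    per_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.data) >= min_entropy:
            per_pid[ev.pid].append(ev)
    flagged = set()
    for pid, evs in per_pid.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if len({e.path for e in evs[start:end + 1]}) >= min_files:
                flagged.add(pid)
                break
    return flagged

def sample_events():
    """Constructed feed: pid 4242 overwrites six documents with cipher-like bytes
    in three seconds; pid 1001 (a text editor) saves one plain-text note."""
    cipher_like = b"".join(hashlib.sha256(b"blob%d" % i).digest() for i in range(64))
    plain = b"Quarterly report: revenue up 4%. Next: hire two engineers.\n" * 40
    evs = [WriteEvent(100.0 + i * 0.5, 4242, f"/home/alice/docs/report{i}.docx", cipher_like)
           for i in range(6)]
    evs.append(WriteEvent(101.0, 1001, "/home/alice/notes.txt", plain))
    return evs
```

A real agent would feed kernel file-write events into `find_suspicious_pids` and suspend or kill a flagged process; the thresholds here are illustrative and need tuning against normal workloads such as backup or compression jobs.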
Ransomware targets individuals as well.
Generally, ransomware stories focus on the aftermath of corporate or healthcare system hacks; however, it is essential to recognize that individuals are not immune from these attacks. In fact, they occur more often than you may think. Individuals must be aware of ransomware’s genuine danger when using the internet, as it could risk their safety and security.
Cybercriminals use two main methods when deploying ransomware: encryption and lock screen.
With encryption ransomware, cybercriminals mainly target specific files saved locally on devices. To pick out these documents, the attacker uses phishing tricks or other forms of malicious software to reconnoitre the target. Once the files are encrypted, the attacker demands a ransom from the victim in exchange for the decryption key required to access the data. Attackers typically use this strategy against confidential or sensitive information that companies work hard to protect. This approach has become popular among malicious parties, making businesses and organizations a common target.
Lock screen ransomware
Conversely, rather than encrypting specific files, lock screen ransomware renders a user’s device completely inoperable. It locks up the device and displays a full-screen message that cannot be moved or minimized. You will be asked to pay a ransom to unlock the system or to recover lost data or files.
These programs often employ fear tactics to pressure you into making payments, such as a ticking clock that warns it will delete all your files if time runs out. Cyber attackers often attempt to intimidate individuals by fabricating stories about their devices being linked with illegal activities or inappropriate material and threatening to report them to the authorities if the victim doesn’t pay. To further coerce victims into paying the ransom, some ransomware developers leverage pornographic imagery and threaten that the victim cannot remove it without payment.
Implement effective cybersecurity measures, such as regularly updating your software and security tools, enforcing access control policies, and staying aware of the tactics these malicious programs use, to protect your business against ransomware attacks. Individuals should likewise take proactive steps to protect their devices from ransomware, including exercising caution when opening emails or clicking links from unknown sources. With awareness and prudent practices, we can all help reduce the threat of ransomware in our digital world.