Ransomware: A Comprehensive Guide to One of Cybersecurity’s Biggest Threats
Ransomware is a type of malware that locks a victim's sensitive data or device and demands a ransom to restore access. The attacker may threaten to keep the data locked, leak it, or destroy it unless the ransom is paid.
Early ransomware simply encrypted data and demanded a ransom for the decryption key. Regular, isolated backups could often blunt the impact, letting victims restore their data without paying. Ransomware has since evolved to double-extortion and triple-extortion tactics that work even when backups exist. In double extortion, attackers also steal the data before encrypting it and threaten to leak it online; in triple extortion, they add a further lever, such as pressuring the victim's customers or business partners with the stolen data.
Why Ransomware is a Major Cyber Threat
Ransomware is one of the most prevalent forms of malware and a major source of financial damage to organizations. According to the IBM® X-Force® Threat Intelligence Index, 20% of all recorded cyberattacks in 2023 involved ransomware. These attacks are also fast: X-Force observed attackers deploying ransomware within four days of gaining network access, leaving defenders little time to detect the intrusion before encryption begins.
Ransom demands can reach seven or eight figures, and the ransom itself is only part of the total cost. The IBM Cost of a Data Breach report puts the average cost of a ransomware breach at USD 5.13 million, not including the ransom payment. On the positive side, improved threat detection and prevention contributed to an 11.5% decline in ransomware incidents from 2022 to 2023.
Types of Ransomware
Ransomware generally falls into two categories:
- Encrypting Ransomware (Crypto Ransomware): Encrypts the victim’s data, requiring a ransom for the decryption key.
- Non-encrypting Ransomware (Screen-locking Ransomware): Locks the victim’s device, blocking access to the operating system and demanding a ransom for unlocking.
Subcategories include:
- Leakware or Doxware: Steals and threatens to publish sensitive data.
- Mobile Ransomware: Targets mobile devices, often using screen-lockers.
- Wipers: Destroy data outright rather than holding it for ransom; some disguise themselves as ransomware, so paying yields nothing because the data is already unrecoverable.
- Scareware: Uses scare tactics to coerce payment, sometimes posing as law enforcement or antivirus alerts.
Infection Vectors
Ransomware can infect systems through various methods, including:
- Phishing and Social Engineering: Trick victims into downloading ransomware through malicious attachments or links.
- Operating System and Software Vulnerabilities: Exploit unpatched vulnerabilities.
- Credential Theft: Use stolen or cracked credentials to access systems.
- Other Malware: Use existing malware to deliver ransomware.
- Drive-by Downloads: Compromise legitimate websites, often through web application vulnerabilities, so that merely visiting a page delivers the payload through browser or plug-in exploits without the user knowingly downloading anything.
- Ransomware as a Service (RaaS): Less a technical vector than a business model. Developers lease their ransomware to affiliates, who carry out the intrusions using any of the methods above and share the proceeds, which lets attackers with little development skill run campaigns.
Stages of a Ransomware Attack
A typical ransomware attack progresses through several stages:
- Initial Access: Phishing, exploiting an exposed vulnerability, or logging in to remote access services such as VPN or RDP with stolen credentials.
- Post-exploitation: Establishing a foothold and persistence with intermediary tools such as remote access trojans, malware loaders, or legitimate remote administration software.
- Understand and Expand: Mapping the network, escalating privileges, and moving laterally to other systems, with domain controllers and backup servers as priority targets because controlling them maximizes leverage.
- Data Collection and Exfiltration: Identifying and stealing valuable data, which later supports double extortion.
- Deployment and Sending the Note: Disabling security tools and deleting reachable backups and shadow copies, then encrypting files or locking devices and leaving a ransom note with payment instructions.
Notable Ransomware Variants
Significant ransomware strains include:
- CryptoLocker: Initiated the modern era of ransomware in 2013.
- WannaCry: A self-propagating worm that used the EternalBlue SMB exploit to spread to 200,000 computers in 150 countries in 2017.
- Petya and NotPetya: Overwrote the master boot record to render systems unbootable; NotPetya, which appeared in 2017, behaved as a wiper and was used in a large-scale attack on Ukraine that spilled over to organizations worldwide.
- Ryuk: Known for targeting high-value victims with large ransom demands.
- DarkSide: Responsible for the Colonial Pipeline attack in 2021.
- Locky: Spread through email attachments with malicious macros.
- REvil: Used in high-profile attacks like those on JBS USA and Kaseya Limited.
- Conti: Operated a RaaS scheme and used double extortion tactics.
- LockBit: A long-running RaaS operation that reportedly acquired the source code of other strains to expand its capabilities.
Ransom Payments
Ransom demands typically range from high six figures to low seven figures. The share of victims who pay has declined, however, from 70% in 2020 to 37% in 2023, likely because of better preparedness, including backups that can actually be restored, and stronger cybercrime prevention measures.
Law Enforcement Guidance
US federal agencies advise against paying ransoms: payment funds further criminal activity, encourages repeat attacks, and does not guarantee that working decryption keys are delivered or that stolen data is deleted. Victims should report ransomware attacks to authorities such as the FBI's Internet Crime Complaint Center (IC3). In some cases paying a ransom can itself be illegal, in particular when the recipient is a sanctioned entity or located in a sanctioned jurisdiction, which exposes the payer to sanctions liability.
Ransomware Protection and Response
Organizations can protect against ransomware by:
- Maintaining Backups: Regularly back up data and system images, keep at least one copy offline or immutable where compromised credentials cannot reach it, and test restores. Modern ransomware deliberately seeks out and encrypts or deletes any backups it can access.
- Applying Patches: Regularly update software and systems, prioritizing internet-facing services and known exploited vulnerabilities.
- Using Cybersecurity Tools: Employ antimalware, network monitoring, and endpoint detection tools, and alert on ransomware behaviours such as mass file renames or encryption and the deletion of shadow copies.
- Employee Training: Educate staff on recognizing and reporting phishing and other social engineering attempts.
- Implementing Access Controls: Use multifactor authentication (especially on remote access and administrative accounts), network segmentation, least-privilege identity and access management (IAM), and restrict exposed remote access services.
- Formal Incident Response Plans: Develop and rehearse plans that cover containment, evidence preservation, restoration from backups, and who decides on external reporting and any ransom negotiation.
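The encryption stage described under Stages of a Ransomware Attack and the behavioural alerting mentioned in the protection list above can be illustrated in code. The following Python script is an added example, not code from the original article or from IBM: it runs a mass-rename heuristic and a ransom-note check over a constructed file-event log, and uses Shannon entropy to tell ciphertext from plaintext. The log format, the process names (svchosts.exe, photos.app), the thresholds, and the NOTE_MARKERS list are assumptions made for the example.

```python
"""Behavioural detection of the encryption stage of a ransomware attack.
Signals: one process renaming many files in a short window with the new names
converging on one unfamiliar extension (often beside a fresh ransom note), and
written content whose Shannon entropy nears 8 bits/byte (ciphertext, not text).
Log format, process names and thresholds are assumptions for this demo."""
import math
import os
from collections import Counter, defaultdict, namedtuple

# Constructed file-event log (not real telemetry). Fields:
# "<ts_seconds> <pid> <process> <op> <path> [<new_path>]"
SAMPLE_LOG = """\
100 4242 WINWORD.EXE write /home/alice/docs/q3-report.docx
300 5150 svchosts.exe rename /home/alice/docs/q3-report.docx /home/alice/docs/q3-report.docx.locked
301 5150 svchosts.exe rename /home/alice/docs/budget.xlsx /home/alice/docs/budget.xlsx.locked
301 5150 svchosts.exe rename /home/alice/photos/img001.jpg /home/alice/photos/img001.jpg.locked
302 5150 svchosts.exe rename /home/alice/photos/img002.jpg /home/alice/photos/img002.jpg.locked
303 5150 svchosts.exe rename /home/alice/src/main.py /home/alice/src/main.py.locked
304 5150 svchosts.exe rename /home/alice/src/notes.md /home/alice/src/notes.md.locked
305 5150 svchosts.exe write /home/alice/docs/README_RESTORE_FILES.txt
900 7000 photos.app rename /home/alice/photos/IMG_9.HEIC /home/alice/photos/trip-9.jpg
"""

# Substrings common in ransom-note filenames. Noisy on its own, so it is only
# applied to processes that already triggered a mass-rename alert.
NOTE_MARKERS = ("readme", "decrypt", "restore", "recover", "how_to")

Event = namedtuple("Event", "ts pid process op path new_path")


def parse_events(log_text: str) -> list:
    """Parse the whitespace-separated constructed log format above."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed line
        new_path = parts[5] if len(parts) > 5 else None
        events.append(Event(int(parts[0]), int(parts[1]), parts[2], parts[3], parts[4], new_path))
    return events


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text and office documents sit well below 8, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_mass_rename(events, window=60, min_files=5, min_ext_share=0.8):
    """Flag processes that rename >= min_files files within `window` seconds where
    at least min_ext_share of the new names share one extension.
    Returns {pid: (process, dominant_extension, files_in_largest_window)}."""
    by_pid = defaultdict(list)
    for e in events:
        if e.op == "rename" and e.new_path:
            by_pid[e.pid].append(e)
    alerts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):  # sliding time window over the sorted renames
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            if len(span) < min_files:
                continue
            ext, count = Counter(os.path.splitext(e.new_path)[1].lower() for e in span).most_common(1)[0]
            if count / len(span) >= min_ext_share and (pid not in alerts or len(span) > alerts[pid][2]):
                alerts[pid] = (span[0].process, ext, len(span))
    return alerts


def ransom_notes(events, suspect_pids):
    """Files written by suspect processes whose names look like ransom notes."""
    return sorted(e.path for e in events
                  if e.op == "write" and e.pid in suspect_pids
                  and any(m in os.path.basename(e.path).lower() for m in NOTE_MARKERS))


def analyze(log_text: str) -> list:
    """Run the rename heuristic over a log and attach any ransom notes to each alert."""
    events = parse_events(log_text)
    return [{"pid": pid, "process": proc, "extension": ext, "files": n,
             "notes": ransom_notes(events, {pid})}
            for pid, (proc, ext, n) in sorted(detect_mass_rename(events).items())]


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"ALERT pid={a['pid']} {a['process']} renamed {a['files']} files to "
              f"{a['extension']}; ransom notes: {a['notes']}")
    print("entropy of repeated text:", round(shannon_entropy(b"quarterly revenue report " * 100), 2))
    print("entropy of random bytes :", round(shannon_entropy(os.urandom(65536)), 2))
```

Run as a script, it raises one alert for the constructed log (six files renamed to .locked by svchosts.exe, with a README_RESTORE_FILES.txt note) and none for the single legitimate rename by the photo manager. In production the same logic would consume file events from EDR telemetry, and the entropy check would be applied to a sample of bytes from files the suspect process writes. The thresholds (5 files in 60 seconds, 80% sharing one extension) must be tuned against normal activity, since backup jobs, compilers and photo managers also legitimately rename many files at once.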
For more detailed guidance, refer to the IBM Security Definitive Guide to Ransomware and the National Institute of Standards and Technology (NIST) incident response lifecycle.