Ransomware is a type of malicious software (malware) that encrypts a victim’s files and demands a payment (ransom) to restore access. If the ransom is not paid, the attacker may publish any stolen data on the dark web or leave the files inaccessible permanently.
Ransomware remains one of the most profitable tactics for cybercriminals, and ransom demands keep rising, now often ranging from $1 million to $10 million USD.
- Ransomware Examples
- Types of Ransomware
- History of Ransomware
- What is Ransomware-as-a-Service?
- How to Prevent Ransomware?
Ransomware in the News
In 2020, CrowdStrike predicted that ransomware would only worsen, and the news since then has borne this out. Hardly a day passes without another company, hospital, school district or municipal government being temporarily brought to a halt by ransomware. Attacks reported since the start of May 2021 alone include:
- DarkSide ransomware being used to disrupt a major U.S. pipeline that transports almost half of all fuel consumed on the East Coast of the United States
- The claimed theft of 3 terabytes of sensitive data from part of the Asian operations of a global insurance subsidiary in attacks using Avaddon ransomware
- The shutting down of the IT systems of Ireland’s Health Service Executive — another victim of a DarkSide attack — disrupting patient care throughout the country
- The U.S. Federal Bureau of Investigation (FBI) warning of a spate of Conti ransomware attacks targeting American healthcare organizations and first responder agencies
- The world’s largest meatpacking company finding its North America and Australia operations disrupted by a REvil ransomware attack thought to have originated in Russia
How Do Ransomware Attacks Work?
Several social engineering methods are used to infect a computer or network with ransomware. One of the most common is email phishing: messages that carry either a malicious attachment or a link to a compromised website. Once an unsuspecting user opens the attachment or clicks the link, the ransomware can infect that computer and, from there, spread across the network.
Depending on the variant, the infection either locks the user out of the system entirely (a "locker") or encrypts some or all of the files on the machine. You may be able to remove the malware and restore the system to a previous state, but the files remain encrypted: when the cryptography is implemented correctly, decrypting them without the attacker’s key is computationally infeasible. Flawed implementations are the exception; researchers have occasionally recovered keys from such variants and released free decryptors, but no organization should plan on that.
The ransom itself is set at a level that’s low enough to be payable, but high enough to make it worthwhile for the attacker, prompting companies to do a cost-benefit analysis of how much they’re willing to pay to unlock their systems and resume daily operations. Cyber criminals may also target certain organizations or industries to exploit their specific vulnerabilities and maximize the chances of a ransom being paid.
Below are just a few examples of some infamous ransomware detected over the last few years:
CryptoLocker: Screen lockers virtually disappeared after the introduction of a ransomware family known as CryptoLocker in 2013. CryptoLocker was developed by the so-called BusinessClub, which distributed it through the massive Gameover Zeus botnet of over a million infected machines.
DarkSide: DarkSide is a RaaS operation associated with an eCrime group tracked by CrowdStrike as CARBON SPIDER. DarkSide operators traditionally focused on Windows machines and have recently expanded to Linux, targeting enterprise environments running unpatched VMware ESXi hypervisors or stealing vCenter credentials. On May 10, 2021, the FBI publicly confirmed that the Colonial Pipeline incident involved DarkSide ransomware. It was later reported that approximately 100GB of data had been stolen from the Colonial Pipeline network, and the organization allegedly paid almost $5 million USD to a DarkSide affiliate.
Maze: Maze ransomware is a malware targeting organizations worldwide across many industries. It is believed that Maze operates via an affiliated network where Maze developers share their proceeds with various groups that deploy Maze in organizational networks. Maze operators also have a reputation for taking advantage of assets in one network to move laterally to other networks.
WannaCry: Also referred to as WCry, WanaCrypt, or Wanna, WannaCry was identified in May 2017 during a mass campaign affecting organizations across the globe. WannaCry hit healthcare organizations and utility companies particularly hard. It spread using EternalBlue, an exploit for a vulnerability in Microsoft’s SMBv1 file-sharing protocol (patched in MS17-010 two months earlier), which let the worm move from one unpatched Windows machine to the next without any user interaction.
Who Does Ransomware Target?
Organizations of all sizes can be the target of ransomware. Although big game hunting is on the rise, ransomware is frequently aimed at small and medium-sized organizations, including state and local governments, which are often more vulnerable to attacks.
Small businesses are targeted for a number of reasons, from money and intellectual property (IP) to customer data and access. In fact, access may be a primary driver because an SMB can be used as a vector to attack a larger parent organization or the supply chain of a larger target.
The success of ransomware attacks on small businesses can be attributed to the unique challenges associated with smaller size and also the more ubiquitous challenges faced by organizations of any size: the human element. While a work-issued computer is common and even expected in larger organizations, smaller organizations do not always provide work computers and instead can rely on employees using their personal devices.
These devices are used both for work-related purposes, including accessing and storing privileged documents and information, along with personal activities such as browsing and searching. These dual-purpose machines contain high volumes of both business and personal information, including credit card information, email accounts, social media platforms, and personal photos and content.
Universities, for example, often have smaller security teams and a large user base that engages in a lot of file sharing, so defenses are more easily penetrated. Medical organizations may also be targeted because they often need immediate access to their data and lives may be at stake, leading them to pay right away. And financial institutions and law firms may be more likely to pay the ransom because of the sensitivity of their data—and to pay it quietly to avoid negative publicity.
Targeted Industries During COVID-19
The global pandemic has led ransomware actors to prey on certain industries, and healthcare organizations are among their main targets. Data from the 2021 CrowdStrike Global Threat Report shows that over 100 healthcare organizations have already been targeted by Big Game Hunters during COVID-19.
This comes after Big Game Hunters such as TWISTED SPIDER claimed they would refrain from infecting medical organizations until the pandemic has stabilized. As it turns out, TWISTED SPIDER was responsible for at least 26 successful healthcare ransomware infections with their Maze and Egregor families.
Another notable trend is the increasing number of attacks that use data extortion tactics, summarized in CrowdStrike’s Ransomware During 2020 Infographic. According to the 2021 CrowdStrike Global Threat Report, CrowdStrike Intelligence detected 1,430 attacks that used data extortion in 2020. These attacks are broken down by industry below:
Industrials & engineering was the most attacked industry by data extortion tactics in 2020 (229 incidents). This was closely followed by manufacturing (228 incidents), technology (145 incidents), retail (142 incidents), and healthcare (97 incidents).
Targeted Countries During COVID-19
Survey Data from the 2020 CrowdStrike Global Security Attitude Survey reveals that the following countries have been the most impacted by all types of ransomware attacks during 2020:
India has the most respondents reporting at least one ransomware attack in 2020 (74%). This is closely followed by Australia (67%), France (60%), Germany (59%), and the U.S. (58%).
In terms of data extortion, it’s clear there is a bias towards North America. According to CrowdStrike Intelligence & the 2021 CrowdStrike Global Threat Report, there were 947 incidents identified here, 117% higher than second place Europe (342 incidents).
Similar trends are expected in 2021; in fact, 72% of the cybersecurity professionals surveyed for the 2020 CrowdStrike Global Security Attitude Survey said they are more worried about ransomware attacks as a result of COVID-19.
Should You Pay the Ransom?
The FBI does not support paying a ransom in response to a ransomware attack. It argues that paying not only funds the business model but may also put money in the pockets of terror organizations, money launderers and rogue nation-states. Moreover, while few organizations publicly admit to paying, adversaries publicize that information on the dark web, making the organization a known payer for other adversaries looking for a new target.
Paying the ransom guarantees neither a faster recovery nor a complete one. There may be multiple decryption keys, the decryption utility may be buggy or incompatible with the victim’s operating system, the data may have been encrypted twice so that the key only unlocks one layer, and some files may come back corrupted. Fewer than half of ransomware victims are able to fully restore their systems.
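Because a decryptor (or a hurried restore from backup) can silently return truncated or corrupted files, recovery should be verified rather than assumed. The following is an added example, not CrowdStrike’s code: it assumes a SHA-256 manifest (one `<digest>  <relative path>` entry per file) was recorded when the backup was taken, and checks a restored directory tree against it, reporting intact, corrupted, missing and unexpected files. The sample files and the "faulty decryptor" scenario are constructed in a temporary directory.

```python
"""Verify a restored/decrypted file tree against a pre-incident hash manifest.

Added illustration, not CrowdStrike's code. Assumes a manifest mapping each
relative path to its SHA-256 digest, generated from the known-good backup.
All sample files are constructed in a temporary directory."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a '/'-separated relative path) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the restored tree against the manifest.

    'unexpected' catches files that were not in the backup at all, such as
    ransom notes or leftover encrypted copies the decryptor did not clean up."""
    present = build_manifest(root)
    report: dict[str, list[str]] = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        actual = present.get(rel)
        if actual is None:
            report["missing"].append(rel)
        elif actual != expected:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(present) - set(manifest))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three files were backed up. After 'decryption' one is
    intact, one was truncated by a faulty decryptor, one never came back, and a
    ransom note was left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        before, after = Path(tmp) / "before", Path(tmp) / "after"
        for d in (before, after):
            (d / "finance").mkdir(parents=True)
        (before / "finance" / "ledger.csv").write_bytes(b"acct,amount\n1,100\n2,250\n")
        (before / "finance" / "payroll.xlsx").write_bytes(b"PK\x03\x04" + b"x" * 64)
        (before / "readme.txt").write_bytes(b"hello\n")
        manifest = build_manifest(before)  # recorded at backup time

        (after / "finance" / "ledger.csv").write_bytes(b"acct,amount\n1,100\n")  # truncated
        (after / "readme.txt").write_bytes(b"hello\n")                        # intact
        (after / "RESTORE_FILES.txt").write_bytes(b"pay us\n")                 # ransom note
        return verify_restore(after, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:>10}: {files}")
```

In practice the manifest is generated by the backup job and stored with the offline copy, so it cannot itself be tampered with by the intruder; anything in `corrupted` or `missing` after a paid-for decryption is data the ransom did not buy back.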
How to Protect Against Ransomware
Once ransomware encryption has taken place, it’s often too late to recover that data. That’s why the best ransomware protection relies on proactive prevention. Robust backup is, of course, a foundational best practice to prepare in case of an attack, but newer malware variants also delete or damage backups they can reach (deleting Windows volume shadow copies before encrypting is routine), so at least one copy must be kept offline or immutable and restores must be tested.
Ransomware is constantly evolving, making protection a challenge for many organizations. Follow these best practices to help keep your operations secure:
1. Train all employees on cybersecurity best practices:
Your employees are on the front line of your security. Make sure they follow good hygiene practices on all of their devices, such as using strong, unique passwords, connecting only to trusted Wi-Fi networks and staying alert for phishing.
2. Keep your operating system and other software patched and up to date:
Cybercriminals are constantly scanning for unpatched vulnerabilities to exploit. By updating your systems promptly, you minimize your exposure to known vulnerabilities.
3. Use software that can prevent unknown threats:
While traditional antivirus solutions may block known ransomware, they often miss new or modified variants. The CrowdStrike Falcon® platform provides next-gen antivirus (NGAV) against known and unknown malware using AI-powered machine learning. Rather than attempting to match known malware samples, Falcon looks for indicators of attack (IOAs) to stop ransomware before it can execute and inflict damage.
4. Continuously monitor your environment for malicious activity and IOAs:
CrowdStrike® Falcon Insight™ endpoint detection and response (EDR) acts like a surveillance camera across all endpoints, capturing raw events for automatic detection of malicious activity not identified by prevention methods and providing visibility for proactive threat hunting.
For stealthy, hidden attacks that may not immediately trigger automated alerts, CrowdStrike offers Falcon OverWatch™ managed threat hunting, which comprises an elite team of experienced hunters who proactively search for threats on your behalf 24/7.
5. Integrate threat intelligence into your security strategy:
Monitor your systems in real time and keep up with the latest threat intelligence to detect an attack quickly, understand how best to respond, and prevent it from spreading. CrowdStrike Falcon X automates threat analysis and incident investigation to examine all threats and proactively deploy countermeasures within minutes.
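Two of the points above, that modern variants destroy backups before encrypting and that monitoring should key on indicators of attack rather than known samples, can be illustrated with a small detector. The following is an added example, not CrowdStrike’s or Falcon’s logic: it runs behavioral rules over constructed process-creation events (a simplified JSON shape with `host`, `parent`, `image` and `cmdline` fields; real Sysmon Event ID 1 or EDR telemetry carries more) and flags both the well-known recovery-destruction commands (`vssadmin delete shadows`, `wmic shadowcopy delete`, `bcdedit ... recoveryenabled no`, `wbadmin delete catalog`) and an Office application spawning a script host, the phishing-attachment pattern described earlier. The log lines and hostnames are constructed.

```python
"""Flag process-creation events that match ransomware indicators of attack (IOAs).

Added example, not CrowdStrike's code or Falcon detection logic. Events are a
constructed, simplified JSON shape; the command lines matched are the recovery-
destruction steps commonly run by ransomware before encryption begins."""
import json
import re
from typing import Dict, List

# (IOA name, case-insensitive regex over the command line)
BACKUP_DESTRUCTION = [
    ("vssadmin shadow deletion", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("vssadmin shadow storage resize", r"vssadmin(\.exe)?\s+resize\s+shadowstorage"),
    ("wmic shadow deletion", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("bcdedit recovery disabled", r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
    ("bcdedit boot failures ignored", r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
    ("wbadmin catalog deletion", r"wbadmin(\.exe)?\s+delete\s+catalog"),
    ("powershell shadow removal", r"win32_shadowcopy.*remove-wmiobject"),
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one alert per IOA the event matches; an empty list means no match."""
    alerts: List[Dict[str, str]] = []
    cmd = event.get("cmdline", "")
    for name, pattern in BACKUP_DESTRUCTION:
        if re.search(pattern, cmd, re.IGNORECASE):
            alerts.append({"host": event["host"], "ioa": name, "severity": "high", "cmdline": cmd})
    parent, image = _basename(event.get("parent", "")), _basename(event.get("image", ""))
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        alerts.append({"host": event["host"], "ioa": f"{parent} spawned {image}",
                       "severity": "medium", "cmdline": cmd})
    return alerts


def detect(log_lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over newline-delimited JSON events, skipping blank lines."""
    alerts: List[Dict[str, str]] = []
    for line in log_lines:
        if line.strip():
            alerts.extend(classify(json.loads(line)))
    return alerts


def summarize(alerts: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Per-host count of alerts by severity, the view an analyst triages first."""
    summary: Dict[str, Dict[str, int]] = {}
    for a in alerts:
        per_host = summary.setdefault(a["host"], {"high": 0, "medium": 0})
        per_host[a["severity"]] += 1
    return summary


# Constructed sample: a macro document on FIN-WS01 launches cmd/powershell, then
# wipes shadow copies and disables recovery. BACKUP01 merely lists shadows.
SAMPLE_LOG = r"""
{"host": "FIN-WS01", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n invoice_0521.docm"}
{"host": "FIN-WS01", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c powershell -w hidden -enc SQBFAFgA"}
{"host": "FIN-WS01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}
{"host": "FIN-WS01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"}
{"host": "BACKUP01", "parent": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe List Shadows"}
{"host": "HR-WS07", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"}
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(f'{a["host"]} [{a["severity"]}] {a["ioa"]}: {a["cmdline"]}')
    print(summarize(found))
```

The rules match behaviour, not file hashes, so a freshly compiled variant that runs the same `vssadmin` command is caught just like a known one; the benign `vssadmin List Shadows` on the backup server is deliberately left alone to keep the rule from paging on normal administration.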