What is Ransomware?

Kurt Baker - December 29, 2021

Ransomware Definition

Ransomware is a type of malware attack that encrypts a victim’s data until a payment is made to the attacker. If the ransom payment is not made, the malicious actor publishes the data on data leak sites (DLS) or blocks access to the files in perpetuity.

Ransomware remains one of the most profitable tactics for cybercriminals. According to Cybersecurity Ventures, the global cost of ransomware in 2020 was an estimated $20 billion, and the average ransom payment now totals $1.79 million.

Ransomware Statistics

Below are some 2021 ransomware statistics from CrowdStrike’s annual Global Security Attitude Survey:

  • the average ransom payment increased by 63% in 2021 to $1.79 million (USD), compared to $1.10 million (USD) in 2020
  • the average ransom demand from attackers is $6 million
  • 96% of those who paid the initial ransom also had to pay extortion fees
  • 66% of respondents’ organizations suffered at least one ransomware attack this year 
  • 57% of those hit by ransomware didn’t have a comprehensive strategy in place to coordinate their response


How Ransomware Works

Today, ransomware is usually distributed through highly targeted phishing emails, social engineering schemes, watering hole attacks or malvertising networks. In most cases, the victim ends up clicking a malicious link or opening a malicious attachment, which installs the ransomware on their device.

After a device or system has been infected, the ransomware gets to work immediately to identify and encrypt the victim’s files. Once the data has been encrypted, it cannot be recovered without the decryption key (or from an unaffected backup). To get the decryption key, the victim must follow the instructions in a ransom note that explains how to pay the attacker, usually in Bitcoin.

Threat actors count on individuals and enterprise users becoming so frantic about regaining timely access to data that they’ll be willing to shell out a hefty ransom for the decryption key necessary to unlock the data.


Ransom letter demanding payment in bitcoin

Types of Ransomware

Encrypting Ransomware: The ransomware systematically encrypts files on the system’s drives; without the attacker’s decryption key, the files cannot practically be decrypted. Payment is demanded in Bitcoin or via MoneyPak, PaySafeCard, Ukash or a prepaid (debit) card.

Screen Lockers: Lockers completely lock you out of your computer or system, so your files and applications are inaccessible. A lock screen displays the ransom demand, possibly with a countdown clock to increase urgency and drive victims to act.
Scareware: Scareware uses pop-ups to convince victims that their machine is infected and directs them to download fake software to fix the issue.

Malvertising: Malvertising (malicious advertising) injects malicious code into digital ads. It is a delivery technique rather than a ransomware family in its own right, but it is a common way for encrypting ransomware and lockers to reach victims.

Example Ransomware Variants

CryptoLocker: CryptoLocker ransomware was revolutionary in both the number of systems it impacted and its use of strong cryptographic algorithms. The group behind it primarily used its botnet for banking-related fraud.

NotPetya: NotPetya combines ransomware with the ability to propagate itself across a network. It spreads to Microsoft Windows machines using several propagation methods, including the EternalBlue exploit for the CVE-2017-0144 vulnerability in the SMB service.

Ryuk: WIZARD SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return.

REvil (Sodinokibi): Sodinokibi/REvil ransomware is commonly associated with the threat actor PINCHY SPIDER and its affiliates operating under a ransomware-as-a-service (RaaS) model.

WannaCry: WannaCry has targeted healthcare organizations and utility companies. It spreads using EternalBlue, an exploit for the CVE-2017-0144 vulnerability in the Windows SMB file-sharing service, so it could move from one unpatched machine to the next without any user interaction.

Who Does Ransomware Target?

Organizations of all sizes can be the target of ransomware. Although big game hunting is on the rise, ransomware is frequently aimed at small and medium-sized organizations, including state and local governments, which are often more vulnerable to attacks.

Small businesses are targeted for a number of reasons, from money and intellectual property (IP) to customer data and access. In fact, access may be a primary driver because an SMB can be used as a vector to attack a larger parent organization or the supply chain of a larger target.

The success of ransomware attacks on small businesses can be attributed to the unique challenges associated with smaller size and also the more ubiquitous challenges faced by organizations of any size: the human element. While a work-issued computer is common and even expected in larger organizations, smaller organizations do not always provide work computers and instead can rely on employees using their personal devices.

These devices are used both for work-related purposes, including accessing and storing privileged documents and information, along with personal activities such as browsing and searching. These dual-purpose machines contain high volumes of both business and personal information, including credit card information, email accounts, social media platforms, and personal photos and content.

Universities, for example, often have smaller security teams and a large user base that engages in a lot of file sharing, so defenses are more easily penetrated. Medical organizations may also be targeted because they often need immediate access to their data and lives may be at stake, leading them to pay right away. And financial institutions and law firms may be more likely to pay the ransom because of the sensitivity of their data—and to pay it quietly to avoid negative publicity.

Should You Pay the Ransom?

The FBI does not support paying a ransom in response to a ransomware attack. They argue paying a ransom not only encourages the business model, but it also may go into the pockets of terror organizations, money launderers, and rogue nation-states. Moreover, while few organizations publicly admit to paying ransoms, adversaries will publicize that info on the dark web – making it common knowledge for other adversaries looking for a new target.

Paying the ransom does not guarantee a faster or a complete recovery. The attackers may hold multiple decryption keys, supply a buggy decryption utility, ship a decryptor that does not run on the victim’s operating system, or have encrypted the data twice so that one key only unlocks one layer; and some data may be corrupted beyond repair. Less than half of ransomware victims are able to successfully restore their systems.

Ransomware Defense

Once ransomware encryption has taken place, it’s often too late to recover that data. That’s why the best ransomware defense relies on proactive prevention.

Ransomware is constantly evolving, making protection a challenge for many organizations. Follow these best practices to help keep your operations secure:

1. Train all employees on cybersecurity best practices:

Your employees are on the front line of your security. Make sure they follow good hygiene practices — such as using strong password protection, connecting only to secure Wi-Fi and never clicking on links from unsolicited emails.

2. Keep your operating system and other software patched and up to date:

Cybercriminals are constantly looking for holes and backdoors to exploit. By vigilantly updating your systems, you’ll minimize your exposure to known vulnerabilities.

3. Implement and Enhance Email Security

CrowdStrike recommends implementing an email security solution that conducts URL filtering and also attachment sandboxing. To streamline these efforts, an automated response capability can be used to allow for retroactive quarantining of delivered emails before the user interacts with them.

4. Continuously monitor your environment for malicious activity and IOAs:

CrowdStrike® Falcon Insight™ endpoint detection and response (EDR) acts like a surveillance camera across all endpoints, capturing raw events for automatic detection of malicious activity not identified by prevention methods and providing visibility for proactive threat hunting.

For stealthy, hidden attacks that may not immediately trigger automated alerts, CrowdStrike offers Falcon OverWatch™ managed threat hunting, which comprises an elite team of experienced hunters who proactively search for threats on your behalf 24/7.

5. Integrate threat intelligence into your security strategy:

Monitor your systems in real time and keep up with the latest threat intelligence to detect an attack quickly, understand how best to respond, and prevent it from spreading. CrowdStrike Falcon X automates threat analysis and incident investigation to examine all threats and proactively deploy countermeasures within minutes.

6. Develop Ransomware-Proof Offline Backups

When developing a ransomware-proof backup infrastructure, the most important idea to consider is that threat actors have targeted online backups before deploying ransomware to the environment.

For this reason, the only reliable way to salvage data after a ransomware attack is from backups the attacker could not reach. Maintaining offline backups of your data, kept separate from the production network and its credentials, allows for a much quicker recovery in an emergency.
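As an added example (not CrowdStrike’s code or part of the original article), the following Python script shows one way to make a backup set verifiable before it is restored: every file is catalogued at backup time, the catalogue is signed with an HMAC key that is assumed to live with the offline media rather than on any networked host, and the same check is rerun before restore. The directory layout, file contents, key and the ransomware-style tampering in demo() are all constructed for illustration.

```python
"""Verify an offline backup set against a keyed manifest before restoring it.

Added example, not CrowdStrike's code. Assumes the HMAC key is stored with
the offline media (or in a vault), never on the hosts being backed up.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _sign(entries, key):
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Catalogue every file under root (relative path, size, SHA-256) and sign the catalogue."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {"entries": entries, "hmac": _sign(entries, key)}


def verify_backup(root, manifest, key):
    """Re-check the manifest signature and every file; safe_to_restore is True only if all agree."""
    entries = manifest["entries"]
    manifest_ok = hmac.compare_digest(_sign(entries, key), manifest["hmac"])
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    modified = sorted(r for r in entries if r in on_disk
                      and sha256_file(root / r) != entries[r]["sha256"])
    missing = sorted(r for r in entries if r not in on_disk)
    unexpected = sorted(on_disk - set(entries))   # new files, e.g. renamed ciphertext or ransom notes
    return {
        "manifest_ok": manifest_ok,
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "safe_to_restore": manifest_ok and not (modified or missing or unexpected),
    }


def demo():
    """Constructed scenario: a clean backup, then the same set after ransomware reached it."""
    key = b"kept-with-the-offline-media"   # assumption: never present on production hosts
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "q3.xlsx").write_bytes(b"quarterly numbers")
        (root / "notes.txt").write_text("meeting notes")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Ransomware on the backup share: one file encrypted in place, one encrypted
        # and renamed, and a ransom note dropped in the tree.
        (root / "notes.txt").write_bytes(os.urandom(32))
        (root / "finance" / "q3.xlsx").write_bytes(os.urandom(64))
        (root / "finance" / "q3.xlsx").rename(root / "finance" / "q3.xlsx.locked")
        (root / "README_TO_DECRYPT.txt").write_text("pay us")
        tampered = verify_backup(root, manifest, key)

        # The attacker also regenerates the catalogue to match the damaged tree,
        # but without the key the HMAC does not verify.
        forged = verify_backup(root, build_manifest(root, b"wrong-key"), key)
    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running demo() shows the three outcomes: a clean set, a set where files were encrypted, renamed or added, and a set where the attacker rewrote the catalogue to match but could not produce a valid HMAC. The manifest does not replace keeping the backup itself offline; it only makes silent damage visible before anything is copied back into production.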

7. Implement a Robust Identity Protection Program

Organizations can improve their security posture by implementing a robust identity protection program to understand on-premises and cloud identity store hygiene (for example, Active Directory, Azure AD). Ascertain gaps, and analyze behavior and deviations for every workforce account (human users, privileged accounts, service accounts), detect lateral movement, and implement risk-based conditional access to detect and stop ransomware threats.
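One concrete form of the behavioral analysis described above, as an added example that is not CrowdStrike’s code or part of the original article: a Python detector that learns which hosts each account normally authenticates to from a baseline window, then flags two deviations often seen before ransomware is deployed, a service account logging on interactively (console or RDP) and any account fanning out to several never-before-seen hosts within a few minutes. The event format, the 5-minute window, the threshold of three hosts, the svc-backup naming convention and every event line are assumptions constructed for the example.

```python
"""Flag identity deviations that often precede ransomware deployment.

Added example, not CrowdStrike's code. Event lines are a constructed
key=value form; logon_type follows the Windows event 4624 convention
(2 = console, 3 = network, 10 = RDP).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
FANOUT_THRESHOLD = 3                 # distinct never-before-seen hosts within one window
SERVICE_ACCOUNTS = {"svc-backup"}    # assumption: service accounts follow a known naming convention
INTERACTIVE_TYPES = {"2", "10"}      # console and RDP logons; service accounts should use neither

# Constructed baseline: what each account normally touches.
BASELINE = """\
ts=2021-12-01T08:01:00 user=svc-backup src=BK01 dst=FS01 logon_type=3
ts=2021-12-01T08:01:05 user=svc-backup src=BK01 dst=FS02 logon_type=3
ts=2021-12-01T09:12:00 user=jdoe src=WS-042 dst=FS01 logon_type=3
ts=2021-12-01T09:15:00 user=jdoe src=WS-042 dst=MAIL01 logon_type=3
"""

# Constructed live feed: a stolen service account used over RDP from a workstation,
# then a user account sweeping across hosts it has never authenticated to.
LIVE = """\
ts=2021-12-29T02:10:00 user=svc-backup src=WS-042 dst=WS-HR-07 logon_type=10
ts=2021-12-29T02:11:00 user=jdoe src=WS-042 dst=FS01 logon_type=3
ts=2021-12-29T02:11:20 user=jdoe src=WS-042 dst=DC01 logon_type=3
ts=2021-12-29T02:11:45 user=jdoe src=WS-042 dst=SQL02 logon_type=3
ts=2021-12-29T02:12:10 user=jdoe src=WS-042 dst=WS-099 logon_type=3
ts=2021-12-29T02:12:30 user=jdoe src=WS-042 dst=WS-100 logon_type=3
ts=2021-12-29T02:30:00 user=asmith src=WS-017 dst=FS01 logon_type=3
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = dict(FIELD.findall(line))
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def baseline_hosts(events):
    """Map each account to the set of hosts it authenticated to during the baseline."""
    known = defaultdict(set)
    for ev in events:
        known[ev["user"]].add(ev["dst"])
    return known


def detect(baseline_text, live_text):
    known = baseline_hosts(parse(baseline_text))
    recent = defaultdict(deque)   # user -> (ts, dst) for logons to hosts outside its baseline
    alerted = set()
    alerts = []
    for ev in parse(live_text):
        user, dst, ts = ev["user"], ev["dst"], ev["ts"]
        if user in SERVICE_ACCOUNTS and ev["logon_type"] in INTERACTIVE_TYPES:
            alerts.append({"rule": "service_account_interactive", "user": user,
                           "ts": ts.isoformat(), "hosts": [dst]})
        if dst in known[user]:
            continue                   # a host this account normally uses
        q = recent[user]
        q.append((ts, dst))
        while ts - q[0][0] > WINDOW:   # slide the window forward
            q.popleft()
        new_hosts = sorted({d for _, d in q})
        if len(new_hosts) >= FANOUT_THRESHOLD and user not in alerted:
            alerted.add(user)          # one alert per account per run; tune for production
            alerts.append({"rule": "new_host_fanout", "user": user,
                           "ts": ts.isoformat(), "hosts": new_hosts})
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE, LIVE):
        print(a)
```

Thresholds that fit an environment come from its own baseline: a help-desk account that legitimately touches dozens of workstations needs a far higher fan-out threshold, or an allow-list, than a finance user does.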

What To Do If You Get Hit By Ransomware

Once ransomware penetrates a device on your network, it can wreak havoc – causing disruption that grinds business operations to a halt. With company and client data, financial wellbeing and brand reputation at stake, knowing what to do if you get ransomware is critical.

If you do encounter ransomware, it’s important to:

1. Find the infected device(s): if ransomware penetrates your network, it’s important to identify and isolate any infected devices immediately – before the breach spreads to the rest of the network.

Firstly, look for any suspicious activity on the network, such as file renaming or file extensions changing. It’s likely that the system was breached by human error – for example, an employee clicking a suspicious link on a phishing email – so, employees can be a useful source of information. Ask if anyone has received or spotted any suspicious activity that may help pinpoint infected devices.

2. Stop ransomware in its tracks: the difference between a business-sinking infection and a minor network interruption can come down to reaction time. Businesses must swiftly cut or restrict network access to stop the spread from infected devices.

If possible, every device connected to the network – both on and off-site – should be disconnected. If necessary, disable any wireless connectivity, too – including Wi-Fi and Bluetooth – as this helps stop ransomware from traversing the network, seizing, and encrypting crucial data.

3. Review the extent of the problem: it’s important to understand the extent of the damage caused by the breach to prepare an appropriate response.

Examine all devices connected to the network. Initial symptoms of ransomware encryption include file name changes and employees struggling to access files. Any devices displaying these signs should be noted – and immediately disconnected from the network – and may lead you to the gateway device where the infection first gained access to the network.

Build a list of infected devices and data centers. The remediation process should include cleaning or reimaging every compromised device, so the encryption process cannot restart when systems are reconnected and work resumes.

4. Look to your backups: in a day and age where cybersecurity risks lurk around every corner, having backups of all your digital data – separated from the centralized network – is crucial to getting things up and running again quickly, and minimizing downtime, in the event of a breach.

Once all devices have been cleaned or reimaged and protected with up-to-date endpoint security software, it’s time to turn to your backup data to restore any compromised files.

However, before you do, check the backup files themselves. Modern ransomware increasingly seeks out backups, so they may also have been encrypted or corrupted, and rolling that data out to the network would simply put you back at step one.

5. Report the attack: while the immediate priority post-breach is to stop the spread and start the recovery phase, consideration must also be given to the wider consequences of the attack. Compromised data not only impacts the business but also its employees and clients.

As ransomware typically involves the threat of data leaks, any attack should be reported to the relevant authorities as soon as possible.

There is no single federal data-breach law in the United States. Instead, a patchwork of state laws and sector-specific federal regulations impose notification duties and strict fines on organizations that fall short. In California, for example, a breach affecting residents must be notified under state law, and the California Consumer Privacy Act (CCPA) allows civil penalties of up to $7,500 per intentional violation.

Ransomware and other forms of malware should also be reported to law enforcement authorities, who can help identify those responsible and prevent future attacks.
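The triage in steps 1 to 3 above (spot file renames and ransom notes, decide which devices to cut off, and work back to the device where the infection started), as an added example in Python that is not CrowdStrike’s code or part of the original article. It assumes a feed of file-system events from endpoints in the form `<timestamp> <host> <op> <path> [<new path>]`; the feed, the 60-second window, the threshold of five renames and the ransom-note filename pattern are all constructed for illustration.

```python
"""Triage file-system events to list infected hosts and the likely first victim.

Added example, not CrowdStrike's code. The event feed below is constructed;
a real one would come from EDR or file-audit telemetry.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 5   # extension-changing renames on one host within WINDOW
# Ransom notes are typically text/HTML/HTA files named around "decrypt", "restore" or "recover".
NOTE_RE = re.compile(r"(decrypt|restore|recover)[^\\/]*\.(txt|html|hta)$", re.I)

# Constructed feed: <timestamp> <host> <op> <path> [<new path>]   (paths contain no spaces)
EVENTS = r"""
2021-12-29T03:00:01 WS-042 rename C:\Users\jdoe\Documents\budget.xlsx C:\Users\jdoe\Documents\budget.xlsx.lockd
2021-12-29T03:00:03 WS-042 rename C:\Users\jdoe\Documents\plan.docx C:\Users\jdoe\Documents\plan.docx.lockd
2021-12-29T03:00:06 WS-042 rename C:\Users\jdoe\Pictures\team.jpg C:\Users\jdoe\Pictures\team.jpg.lockd
2021-12-29T03:00:09 WS-042 rename C:\Users\jdoe\Desktop\notes.txt C:\Users\jdoe\Desktop\notes.txt.lockd
2021-12-29T03:00:14 WS-042 rename C:\Users\jdoe\Desktop\todo.txt C:\Users\jdoe\Desktop\todo.txt.lockd
2021-12-29T03:00:25 WS-042 create C:\Users\jdoe\Desktop\README_TO_DECRYPT.txt
2021-12-29T03:02:10 WS-017 rename C:\Users\asmith\Documents\report.docx C:\Users\asmith\Documents\report.pdf
2021-12-29T03:02:40 WS-017 create C:\Users\asmith\src\README.md
2021-12-29T03:04:02 FS01 rename D:\Shares\Finance\q3.xlsx D:\Shares\Finance\q3.xlsx.lockd
2021-12-29T03:04:03 FS01 rename D:\Shares\Finance\q4.xlsx D:\Shares\Finance\q4.xlsx.lockd
2021-12-29T03:04:05 FS01 rename D:\Shares\HR\payroll.csv D:\Shares\HR\payroll.csv.lockd
2021-12-29T03:04:06 FS01 rename D:\Shares\HR\handbook.pdf D:\Shares\HR\handbook.pdf.lockd
2021-12-29T03:04:08 FS01 rename D:\Shares\Legal\nda.docx D:\Shares\Legal\nda.docx.lockd
2021-12-29T03:04:30 FS01 create D:\Shares\HOW_TO_RESTORE_FILES.hta
"""


def filename(path):
    return path.rsplit("\\", 1)[-1]


def extension(path):
    name = filename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(events_text):
    """Return infected hosts with first symptom time, an isolation order, and the likely first victim."""
    renames = defaultdict(lambda: defaultdict(deque))   # host -> new extension -> rename timestamps
    infected = {}
    for line in events_text.strip().splitlines():
        parts = line.split()
        ts, host, op = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if op == "rename":
            old, new = parts[3], parts[4]
            new_ext = extension(new)
            if new_ext == extension(old):
                continue   # same extension: an ordinary save, not encryption
            q = renames[host][new_ext]
            q.append(ts)
            while ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= RENAME_THRESHOLD:
                entry = infected.setdefault(host, {"first_seen": q[0].isoformat(), "symptoms": []})
                symptom = f"mass rename to .{new_ext}"
                if symptom not in entry["symptoms"]:
                    entry["symptoms"].append(symptom)
        elif op == "create" and NOTE_RE.search(filename(parts[3])):
            entry = infected.setdefault(host, {"first_seen": ts.isoformat(), "symptoms": []})
            entry["symptoms"].append(f"ransom note {filename(parts[3])}")
    # Cut off the earliest-hit host first; it is also the best candidate for the entry point.
    order = sorted(infected, key=lambda h: infected[h]["first_seen"])
    return {"infected": infected, "isolate_order": order, "likely_first": order[0] if order else None}


if __name__ == "__main__":
    print(triage(EVENTS))
```

A real feed would come from EDR or file-audit telemetry rather than a string, and the extension and note patterns would be taken from threat intelligence on the family involved; the part that carries over is counting extension-changing renames per host in a short window and ordering hosts by their first symptom. Note that WS-017, which exported one document to PDF and created an ordinary README.md, is not flagged.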

Ransomware removal

If the worst happens and individual company devices or even your entire network is compromised by ransomware, there are a few recovery options available.

Common strategies for ransomware removal include:

  • Attempting to remove ransomware using software
  • Paying the ransom
  • Resetting infected devices to factory mode

It’s not recommended you pay the ransom. Cybercriminals cannot be trusted to decrypt and return access to the data, even after you’ve paid. And at worst, you may even be listed as a target for future malware attacks, if malicious actors know you’re likely to give in to their demands.

Plus, successful ransomware attacks only encourage more criminals to enter a potentially lucrative space, worsening the problem for everyone.

Instead, restrict network access to any compromised devices – and those displaying suspicious behavior – and aim to stop the further spread of the ransomware.

Tips for ransomware removal include:

  • Reboot to safe mode – depending on the type of ransomware, rebooting the device and restarting it in safe mode can halt the spread. Although some ransomware families, such as REvil and Snatch, can run during a safe-mode boot, this isn’t true of all ransomware, and safe mode can buy you valuable time to install anti-malware software. However, it’s important to note that any encrypted files will remain encrypted even in safe mode and will need to be restored from backup.
  • Install anti-ransomware software – once the infected device(s) have been identified and disconnected from the network, the ransomware needs to be removed using anti-malware software. If you attempt business as usual before the devices are fully cleaned, you risk a resurgence of undetected malware, resulting in further spread and more compromised files.
  • Scan for ransomware programs – when you believe your devices are clear of any ransomware or other worms, make sure you scan the system, both by manually searching for suspicious behaviour such as file extension changes and by running an up-to-date anti-malware or endpoint detection and response (EDR) scan. A thorough scan should reveal any hidden trojans that could wreak havoc again once you restore your computer.
  • Restore the computer – businesses should always keep backups of their files, isolated away from the network. This way, any encrypted files can be quickly restored from a safe source once the ransomware is removed, minimising downtime and disruption.
  • Report the attack to the police – ransomware attackers are cybercriminals. Any attack needs to be documented and reported; it shouldn’t be something companies simply let slide once they’ve managed to restore their devices. Log screenshots or take pictures of any ransom notes, gather all available evidence (such as emails or websites that could be the source of the malware), and report the breach as soon as possible.


Get to Know the Author

Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.