ProtectCyber Menu ProtectCyber

Cybersecurity 101: Discovering the Ins and Outs of Ransomware and How to Avoid It

By: ProtectCyber

Posted on: 06/09/2021, updated on: 14/06/2024 19:06

The digital era has optimised the way people communicate and work. Today, members of an organisation can conveniently share and access files and data from anywhere in the world. However, this also puts vital data at more risk of being accessed by unsavoury characters and being infected with malicious software. One such malicious software is ransomware.

what is ransomware

What Is Ransomware?

Cybercriminals use malware or malicious software to hijack or damage computers. True to its name, ransomware is used by cybercriminals to take control of an organisation’s data in exchange for a hefty amount of money.

Computers or networks that have been infected with ransomware have their data encrypted, and their owners are unable to access their files. There are many strains of ransomware in the digital space, and they can attack both companies and individuals.

When a ransomware attack happens, victims usually choose from three courses of action:

  • Pay the cybercriminals’ ransom
  • Remove the ransomware from their device
  • Restart the digital device

This article will tackle the origins of ransomware, how it works, how to mitigate ransomware attacks, and how to prevent them from happening.

A Brief History of Ransomware

Ransomware has become more prominent over the past few years, but the act of holding data and information hostage in exchange for cash dates back to decades ago. Cybercriminals began the practice in the late 1980s. They would withhold and encrypt important files, which could be bought back by the owner. Back then, the owner would have to send the ransom money via post.

One of the first documented ransomware attacks was called the AIDS trojan. This was distributed using floppy disks in 1989, targeting random computer users. To regain access to their data, victims had to send $189 to a P.O. box addressed in Panama.

Ransomware gained traction in the early 2000s. Because payments sent via mail were easily traceable, it wasn’t appealing for many cybercriminals. This changed with the emergence of alternative digital payment methods like cryptocurrencies, which prioritise anonymity and data privacy. When the technology for digital payment methods became more established, ransomware also proliferated.

How Does Ransomware Work?

Ransomware targets victims who mistakenly download the malware through malicious links or attachments. Hackers use these links to gain access to your device. However, it’s important to note that while attackers may demand a ransom, it doesn’t mean that they would give you back your files if you do pay the ransom. They may never provide you with the decryption key, which makes ransomware cases difficult to handle.

Ransomware as a Service

Ransomware is fairly easy to distribute and develop, which has paved the way for Ransomware as a Service (RaaS). Through RaaS, even hackers with low technical capabilities can conduct ransomware attacks. Entities that purchase RaaS make the venture more profitable for the developers.

The Types of Ransomware Attacks

As mentioned, ransomware can target both individuals and companies. The malware is often disguised as innocent attachments, which makes them easier to spread. The most common ways for devices and networks to get infected with ransomware are through phishing emails, exploit kits from untrusted websites, remote desktop protocol (RDP) and malicious links. These are also known as attack vectors.

In general, there are two main types of ransomware. Each has its own way of attacking devices and networks. The course of action you can take depends on the type of ransomware you are facing.

1.     Locker ransomware

Locker ransomware prevents users from doing basic computer functions. When a device is hijacked with locker ransomware, you could be prevented from fully using your keyboard or accessing your desktop. The ransom demand may pop up in a window, where the cybercriminal will try to convince you to make a payment.

The good news for victims of locker ransomware is that, typically, this kind of ransomware doesn’t damage or target critical files. It mainly prevents you from accessing your device, so you don’t have to worry about your data getting obliterated.

2.     Crypto ransomware

Unlike locker ransomware, crypto ransomware doesn’t lock you out of your own device. Instead, it encrypts important information like media files and documents, preventing you from accessing your files.

Cybercriminals can program their ransomware to destroy your files after a certain period has passed. They often attach a countdown to their ransom demands, which is particularly distressing for victims who don’t have backups for their data and files. Victims who are hit with crypto ransomware attacks often pay the ransom just to regain access to their files.

Most Common Ransomware Strains

There are hundreds of ransomware strains floating around the digital space. Listed below are the 10 most commonly used ones. These strains have attacked major companies and individual devices alike.

1.     Sodinokibi

According to cybersecurity firm Coveware, the ransomware variant responsible for 14.2% of the most recent ransomware attacks is Sodinokibi. Also known as Sodin and REvil, this ransomware was designed to substantially damage IT systems and pressure victims into paying high ransoms. Most of the time, Sodinokibi is spread through server exploits and brute force attacks, but it can also be spread using phishing and malicious links.

2.     Cryptolocker

This was perhaps the most popular strain of ransomware in the 2010s. This strain became dominant in 2013, and it was able to extort a whopping $3 million from its victims. Since its emergence, cybercriminals have been able to replicate its approach, but none are directly linked to the original copy of the ransomware.

3.     GoldenEye

Human resources departments are the most prone to GoldenEye ransomware attacks. The malware is disguised in a file and once downloaded, it launches a macro that encrypts all files on the recipient’s device. A random string of eight characters is attached to each encrypted file, and the victim’s hard drive is also modified using a custom boot loader.

4.     Jigsaw

Jigsaw got its name from the horror franchise Saw after its ransom notes displayed a character from those films. The ransomware deletes files over time until the victim pays the ransom. It starts with one file after one hour has passed, and it progressively deletes more over a 72-hour period. If the victim hasn’t paid after 72 hours, the rest of the files on their device are deleted.

5.     Locky

Locky disguises itself as an email attachment, usually in the form of an invoice. Once the victim opens the invoice, the characters are scrambled and a prompt requesting the enabling of macros pops up. When the victim enables the macros, the ransomware gets to work on encrypting the files on the device with AES encryption.

6.     Maze

This strain emerged in 2019, and unlike most ransomware, it releases private information to the public. Its victims were mostly in the healthcare sector. However, it has also hit major companies like the Xerox Corporation. The cybercriminals behind the attack were able to steal over 100GB worth of files from the company.

7.     NotPetya

Initially, this strain was recognised as another ransomware strain known as Petya. It has since been discovered that NotPetya is actually a wiper that was designed purely to obliterate data. The ransom isn’t even required from victims at times.

8.     Petya

Petya hijacks entire computer systems. This type of ransomware first came up in 2016, and it prevents victims from rebooting their devices. Petya accomplishes its task by overwriting the device’s master boot record so that the entire operating system becomes unbootable.

9.     Ryuk

This ransomware was most prevalent in 2020 and was responsible for over a third of all ransomware attacks in that year. It was used for attacking major companies, government agencies and hospitals. Ryuk ransomware hijacks files that are crucial to business operations, and the ransom that its attackers demand is usually valued at millions.

10.  WannaCry

This strain has hit more than 125,000 organisations and is present in more than 150 countries. It primarily affects Windows devices, and it’s spread through an exploit called EternalBlue.

Who Is at Risk for a Ransomware Attack?

Ransoms for ransomware attacks range from hundreds of dollars to millions of dollars, depending on the targeted organisation or individual. Usually, attackers request to be paid in Bitcoin because it is virtually untraceable and difficult to hack. Because of ransomware’s accessibility, beginner and seasoned cybercriminals alike can use it to target their victims. As such, everyone is at risk of being attacked with ransomware. In fact, nearly 70% of businesses have been subject to a ransomware attack in 2021.

However, there are some organisations that are more at risk than others. Hackers are likely to attack organisations or individuals that store banking information, credit card details, social security numbers and the like. Additionally, those who don’t back up their data and don’t use heightened security for their computer networks are more vulnerable to ransomware attacks. Here are the industries and sectors that are most likely to be hit with ransomware attacks:

  • Architecture
  • Engineering
  • Construction
  • Healthcare
  • Education
  • Local government organisations
  • Banking and finance
  • Energy providers

In particular, Cloud security firm Egnyte has said that businesses in the first three industries mentioned are twice as likely to be faced with a ransomware attack. Additionally, businesses in North America are more prone to getting attacked with malware. Meanwhile, because of the pandemic, education and healthcare sectors have also become more vulnerable to ransomware attacks.

Ransomware Attacks Facts and Statistics

To know how devastating the effects of ransomware could be and how prevalent attacks are across the globe, here are 10 key statistics on ransomware attacks.

  1. For the year 2021, ransomware attacks are expected to cost businesses and individuals across the globe $20 billion. This is projected to grow to $265 billion in 10 years’ time.
  2. In 2021 alone, businesses have had to shell out an average of $1.85 million to recoup and recover from a ransomware attack. This amount is significantly greater than last year’s ($760K).
  3. Of the 32% of ransomware victims who pay the ransom, only 65% get back their files and data from the attackers.
  4. 37% of all businesses were attacked with ransomware in 2021.
  5. The average ransom demand in 2021 amounts to $220,298, which is over 40% higher than the ransom demanded in 2020.
  6. Meanwhile, the median ransom payment for 2021 is $78,398. Compared to 2020, this number has increased by nearly 60%.
  7. Ransomware attacks are expected to occur every 11 seconds in 2021.
  8. Companies experience an average of 21 days of downtime when facing ransomware attacks, and this period could extend depending on the severity of the attack.
  9. Over 60% of surveyed organisations say that they experienced a significant loss of revenue due to a ransomware attack. Meanwhile, more than 50% say that their brand reputation was damaged as a result of the attack.
  10. The fastest ransomware can hijack a system in 45 minutes or less, and 96.88% of ransomware attacks are carried out in four hours.

These numbers indicate that ransomware attacks are bound to become more complex and more difficult to tackle in the coming years. They may also increase in number and may target more industries. Because of this, businesses and individuals alike must take the necessary steps to beef up their security measures and protect their data.

Major Ransomware Attacks (2020-2021)

1.     Toll Group Attack

Toll Group, Australia’s leading transportation and logistics company, was attacked with ransomware twice in 2020. As a result of the attacks, the company had to shut down major operations across the globe, and customers were unable to track their packages for days. Over 1,000 of the company servers were affected by the attack, and the Toll Group took months to recover from the damage.

2.     Garmin Attack

Wearable tech and GPS navigation company Garmin faced a ransomware attack in July 2020, which rendered the whole company powerless. It had to shut down its services across the globe and had to put a halt to its production lines in Asia. Those with Garmin devices were unable to sync their data. They were also unable to access Garmin’s official domain. Even worse, FlyGarmin, a navigation system for pilots, was disabled. This prevented pilots from getting accurate weather information and other important reports.

3.     UCSF Attack

The University of California San Francisco was attacked with ransomware in June 2020. The malware encrypted its School of Medicine’s servers, which negatively affected its medicine students. The demanded ransom was a whopping $3 million, but the cybercriminals settled for $1.14 million instead.

4.     ACER Attack

Tech company Acer was slapped with a $50 million ransom in the form of Monero cryptocurrency after it faced a ransomware attack back in March. The attack hijacked the company’s financial records. It’s unknown if Acer paid the ransom to regain control of their data.

How to Prevent Ransomware Attacks

It’s fairly easy to have your system infected with a ransomware attack, but there are some steps you can take to avoid getting exposed to ransomware. Here are some strategies you and your organisation must follow to protect your data.

1.     Don’t open suspicious attachments on emails

As mentioned, this is one of the most common ways ransomware is spread. To make sure attachments are safe to open, check the sender and the email address. As a general rule of thumb, don’t open attachments that demand you run macros to view them.

2.     Don’t disclose sensitive or private information

Cybercriminals may try to extract your information via a phone call, text message or email. If the request comes from an unknown number or untrusted source, do not reply to them. Your information may be used to conduct a phishing attack, which will put your organisation’s data at risk.

3.     Don’t click on unsecure links

Unsecure links could lead to an automatic download, which will leave your device vulnerable to ransomware attacks. Avoid clicking on links from suspicious emails or unsecure websites.

4.     Make sure your apps, programs and OS are up to date

Outdated apps, programs and operating systems are more prone to ransomware attacks because they’re less likely to have updated security measures. Additionally, older versions have more vulnerabilities that can be exploited by cybercriminals.

5.     Teach your teams about the importance of data privacy

Your team is only as strong as its weakest link, so it’s important to teach each member of your organisation about the importance of taking care of data and being vigilant. The pandemic has led to many teams working remotely, which has heightened the risk for data breaches. The members of your organisation must know how to spot suspicious attachments and links, and they must take the necessary steps to protect their data.

6.     Don’t use public Wi-Fi networks when working

Public Wi-Fi networks can make your data more easily accessible to other users. Use private network connections when handling sensitive data and information.

7.     Consider using a VPN

VPNs provide a better and more secure connection. VPNs allow organisation members to keep their data strictly within the organisation. By using a VPN, businesses of all sizes can boost overall their cybersecurity efforts.

How to Deal with Ransomware Attacks

Prevention is always better than cure. However, there are some unfortunate cases where ransomware is already able to infiltrate your system before you even realise it is happening. Here’s what you should do when you’re faced with a ransomware attack:

1.     Isolate the infected devices

While ransomware acts fast, it does need some time to infect all the devices it was intended to infect. Immediately after experiencing or being notified of a security breach, disable all network connectivity capabilities for your devices. This halts the spread of the ransomware and keeps it isolated to a number of devices.

2.     Inform your organisation’s IT security team

Bigger companies tend to have a more advanced and tech-savvy IT team that is equipped to handle security breaches. The IT team could work on regaining control of the computer systems that have been breached, or they can get to work on protecting the systems that haven’t been infected by the ransomware.

3.     Take a photo of the ransom note

The ransom note serves as evidence. You must show this to authorities, and it will help your case should the perpetrators be caught and brought to court. This could also help you when applying for cyber insurance.

4.     Identify the type of ransomware in your system

This is key in determining how to respond and combat the ransomware. The type of ransomware you are facing will give you an idea of how it spreads and what type of files are most likely to be affected by the attack. If the attack involves locker ransomware, your organisation’s files are likely to stay intact. However, crypto ransomware can obliterate your data, so it’s important to be prepared for the worst case scenario.

5.     Inform your organisation’s members

Security breaches could cause mass panic, so your organisation members must be informed in a calm, orderly and organised manner. Reassure them that the IT team and authorities are doing the best that they can to stay on top of the situation, and offer support where it’s needed. When dealing with ransomware attacks, transparency with involved parties is crucial.

6.     Notify the authorities

Authorities can help you negotiate with cybercriminals, and they can help you launch a full investigation into the matter. Additionally, some organisations are required to report security breaches, and failure to do so results in a fine.

7.     As much as possible, do not pay the ransom

Authorities claim that paying ransoms emboldens cybercriminals to conduct ransomware attacks. The practice is particularly lucrative, and it could put your organisation at a higher risk of future ransomware attacks. Additionally, there are no guarantees that you will be able to retrieve all of your data.

As mentioned, ransomware can infiltrate anything. It’s important to be aware of how it spreads, how to deal with it and how to prevent it from entering your systems to protect your devices and safeguard critical data.

About the author

ProtectCyber is a leading Australian cyber security firm dedicated to safeguarding businesses and individuals from digital threats. Our expert team, with decades of combined experience in the field, provides insights and practical advice on staying secure in an increasingly connected world. Learn more about our mission and team on our
About Us page.