What is ransomware?

Ransomware is a category of malicious software that blocks access to a victim's data or threatens to publish sensitive information unless the attackers' demands are met. Ransomware operates by encrypting computer files; users are forced to either pay the requested ransom or risk facing the consequences.

Things to know about ransomware

  • What is the history of ransomware?
  • Why is ransomware so dangerous?
  • How does ransomware work?
  • Types of ransomware
  • What are popular ransomware variants?
  • Why is ransomware spreading?
  • How can businesses defend against ransomware?
  • What are the steps to responding to a ransomware attack?
  • What future trends in ransomware should businesses be prepared for?
  • ServiceNow for ransomware protection and response

As our interactions with and dependence on digital systems grow, so too does the value of our sensitive data. And while some cybercriminals are more interested in quietly stealing your data to sell or use for themselves, others are content to hold it hostage. When an outside threat actor takes control of your systems, data, applications, etc. and then attempts to blackmail you into paying to regain control, that is known as a ransomware attack.

Unfortunately, this kind of cybercrime is all too common; in 2020 alone, the FBI's Internet Crime Complaint Center received nearly 2,500 reports of ransomware attacks, with adjusted losses amounting to more than $29.1 million. And the risk is only growing, with global ransomware reports having increased by over 700% from 2019–2020. In fact, in response to this mounting danger to American citizens, businesses and governmental departments, President Biden issued an Executive Order in May of 2021 (Improving the Nation's Cybersecurity), providing details, federal policies and best practices designed to offer increased protection from the dangers of ransomware.


What is the history of ransomware?

Although ransomware is recognised as one of the greatest cybersecurity threats of the internet age, its origins actually predate the release of the public-facing web. Ransomware has a complex history and has continued to evolve alongside information technology.

Key events that have contributed to the development of ransomware as a significant danger include:

  • 1989: AIDS trojan
    The AIDS Trojan, also known as the PC Cyborg virus, is one of the earliest instances of ransomware. It was distributed via floppy disks and demanded a ransom be sent to a PO box in Panama to unlock the infected computer.
  • 2005: Gpcode
    The Gpcode ransomware marked a resurgence in ransomware attacks. It used strong encryption algorithms and demanded a ransom in exchange for a decryption key. This version demonstrated the potential for ransomware to become a serious problem.
  • 2013: CryptoLocker
    CryptoLocker was a game-changer in the history of ransomware. It introduced the use of strong asymmetric encryption, making file recovery nearly impossible without paying the ransom. Cybercriminals demanded payments in Bitcoin, making it harder to trace.
  • 2016: Locky and Cerber
    Ransomware campaigns like Locky and Cerber used sophisticated distribution methods, such as malicious email attachments and exploit kits, to infect a large number of devices worldwide. They highlighted the financial motivation behind ransomware attacks.
  • 2017: WannaCry
    The WannaCry ransomware outbreak affected hundreds of thousands of computers in over 150 countries. It exploited a Microsoft Windows vulnerability, demonstrating the potential for large-scale, global ransomware attacks.
  • 2018: Ryuk
    Ryuk ransomware emerged as a major threat to organisations. It was often deployed after an initial compromise by other malware like TrickBot. Ryuk demonstrated the involvement of organised cybercrime groups in ransomware attacks.
  • 2019: Maze and ransomware-as-a-service (RaaS)
    Maze ransomware popularised the "double extortion" tactic, where cybercriminals not only encrypted data but also threatened to release it publicly if the ransom was not paid. RaaS models made it easier for less skilled attackers to launch ransomware campaigns by hiring the services of skilled operators.
  • 2021: Colonial Pipeline and JBS
    High-profile ransomware attacks on critical infrastructure, like the Colonial Pipeline and JBS meat processing, showcased the potential for severe economic and societal disruptions caused by ransomware incidents.
  • 2022 and onward: modern ransomware
    Today's ransomware is more sophisticated in terms of encryption and much more targeted to specific industries. Perhaps most worrying of all, modern ransomware is beginning to see the incorporation of AI technology, creating intelligent, machine learning (ML) enhanced attacks capable of identifying the highest value targets and creating customised attacks designed to counter established defences.
Why is ransomware so dangerous?

Unfortunately, protecting your organisation from the mounting threat of ransomware is not always simple. Ransomware attacks are becoming increasingly sophisticated and go beyond targeting surface-level data. Instead, new ransomware is designed to capture and hold backup data and even take control of top-level administration functions. These attacks are often deployed as a single component in a larger strategy, with the goal of fully compromising critical systems.

Likewise, the threat actors themselves are becoming more sophisticated; instead of being limited to individual cybercriminals operating with their own limited resources, today's threats include organised and well-funded groups, corporate-backed industrial espionage teams and even hostile foreign government agencies.

Given the ubiquity and diversity of these cyber-attacks, businesses around the world are in critical danger of falling prey to this digital-age extortion racket.

How does ransomware work?

As with any malicious software, ransomware can enter your network in a number of different ways, such as through a spam email attachment, using stolen credentials, via an unsecured internet link, through a compromised website or even hidden as part of a downloadable software bundle. Some forms of ransomware use built-in social engineering tools to try to trick you into granting them administrative access, while others attempt to circumvent permissions entirely by exploiting existing security weaknesses.

Once inside your network, the software deploys, executing a series of commands behind the scenes. This often involves subverting critical administrative accounts that control systems such as backup, Active Directory (AD), Domain Name System (DNS) and storage admin consoles. The malware then attacks the backup administration console, allowing the attacker to turn off or modify backup jobs, change retention policies and more easily locate sensitive data that might be worth taking hostage.

Most commonly at this point, the malware begins encrypting some or all of your files. Once those files have been secured against access, the malware reveals itself by informing you that your data is being held for ransom and what demands will need to be met for you to regain access. In other kinds of malware (often called leakware), the attacker may threaten to publicly expose certain kinds of sensitive data if the ransom is not paid. In many cases, the data isn't only encrypted; it's also copied and stolen to be used in future criminal activities.

Types of ransomware

Ransomware comes in various forms, each with its own unique methodologies and objectives. Understanding the diverse types of ransomware is crucial for establishing an effective cybersecurity ecosystem. Here are some common types:

Encrypting ransomware

Encrypting ransomware is the most commonly encountered type of ransomware today. It takes its name from its ability to encrypt the victim's files, or even block access to their entire system. Victims are then prompted to pay a ransom to receive the decryption key. What makes this form of ransomware so effective is that many organisations will choose to comply with the attackers, seeing it as the most direct and uncomplicated solution. That said, once a victim has given in to the demands, the attacker may simply choose not to provide the decryption key, instead demanding more money. Examples of encrypting ransomware include CryptoLocker and Ryuk.

Scareware

Less dangerous than encrypting ransomware but potentially just as unnerving, scareware does not encrypt files but instead uses fear tactics to trick its victims. This form of ransomware displays fake warnings or pop-up messages on infected systems, often claiming that the victim's computer is infected with malware or that illegal content has been found. Users are urged to pay for a fake security solution or to take other unsafe actions.
Examples may include fake advertisements, pop-ups or unauthorised changes within the victim's browser.

Screen lockers

Screen lockers are a type of ransomware that locks users out of their devices or operating systems, displaying a ransom note on the screen. Victims are unable to access their desktop or files until the ransom is paid. These attacks are more common on mobile devices. Rather than encrypting the victim's data, screen lockers override the operating system to prevent authorised users from accessing their data.
Examples of screen lockers include the police-themed or FBI-themed ransomware that impersonates law enforcement agencies and accuses victims of illegal activities, prompting them to pay a fine to have their systems unlocked.

What are popular ransomware variants?

While ransomware attacks generally fall into categories mentioned above, within these categories are a range of specific ransomware variants, each with its own unique characteristics and modus operandi. These variants continually evolve, making it critical for individuals and organisations to stay informed about the latest threats.

Among the most notable variants are:

Ryuk

Ryuk is known for targeting high-value targets, including corporations, healthcare organisations and government entities. It often follows an initial compromise by other malware (such as TrickBot). Ryuk encrypts files and demands hefty ransoms, usually in cryptocurrency.

Maze

As previously stated, Maze was among the first types of ransomware to employ double extortion—locking out users and promising to release sensitive data if the attackers did not receive payment. This variant gained notoriety for its sophistication and in how effective it was at compromising the files and systems of large enterprise businesses.

REvil

REvil, also known as Sodinokibi, is famous for its Ransomware-as-a-Service (RaaS) model. This allows other cybercriminals to use this ransomware in exchange for a share of the profits. It often targets organisations and conducts extensive data theft before encryption.

Lockbit

Lockbit is another ransomware variant that uses the RaaS model and that encrypts files and demands a ransom for decryption. What makes this variant noteworthy is its ability to rapidly encrypt substantial amounts of data across entire organisations, often accomplishing its mission before it can be detected. Lockbit is often spread through phishing emails and vulnerable Remote Desktop Protocol (RDP) connections.

DearCry

DearCry is a relatively newer ransomware variant that gained attention in 2021. It primarily targets Microsoft Exchange servers and Windows systems, encrypting files and demanding a ransom before access is returned to authorised users.

Why is ransomware spreading?

As previously mentioned, the use of ransomware in cyberattacks is on the rise. This explosive escalation can be attributed to several distinct factors:

Increased availability

Long gone are the days when cybercriminals had to have the technical understanding to build their own malware programs. Today, online ransomware marketplaces deal in malware kits, programs and strains, allowing any prospective criminal to easily access the resources they may need to get started.

Cross-platform accessibility

Ransomware authors were once limited in terms of which platform they were trying to target, with specific ransomware versions needing to be built for every additional platform. Now, generic interpreters (programs capable of quickly translating code from one programming language into another) make it possible for ransomware to be reliable across essentially any number of different platforms.

Improving techniques

New techniques are not only making it easier for threat actors to sneak malware into your systems, they're also allowing them to do more damage once inside. For example, modern ransomware programs may be able to encrypt your entire disk, rather than just individual files, effectively locking you out of your system completely.

How can businesses defend against ransomware?

Unfortunately, there is no single approach to network security that will completely protect your organisation from every kind of ransomware attack. Instead, effective anti-ransomware strategies involve taking full account of existing IT infrastructure and any inherent weaknesses, establishing sound backup and authentication procedures and promoting a cultural shift within your organisation towards increased security awareness.

To get started, consider the following steps:

Use effective data-backup methods

Eliminate simple network-sharing protocols when backing up data and implement viable security features to protect backup data and administration consoles from attack. This will help ensure that uncorrupted data copies are available when you need them.

Employ up-to-date security software

As new malware is identified, security software providers and other vendors update their products and systems to counter these new threats. Unfortunately, organisations sometimes neglect to keep up with the latest security patches, leaving themselves vulnerable to known threats. Regularly check for new updates and install them as soon as they are available.

Practise safe surfing

Create and distribute internet policies throughout your organisation detailing best practices and safety measures employees should follow when online. For example, never allow employees to conduct company business or access sensitive systems while on public Wi-Fi. Train all relevant personnel in these policies and establish response plans that they can follow in the event of exposure to malicious software.

Install multifactor authentication

Protect administrative accounts from unauthorised access and control by employing two-factor (or more) authentication. Configure accounts so that they only provide the minimum necessary system privileges by default.

Create an isolated recovery environment

Build ransomware recovery into your overall disaster-recovery strategy. Establish an isolated recovery environment (IRE)—a separate, closed off datacentre in which data copies may be kept secure from outside access. Include the IRE in all disaster-recovery tests.

Stay informed

Knowledge and awareness are some of the most effective weapons in your anti-ransomware arsenal; keep them at the ready by following security professionals and experts on social media, regularly checking risk-advisory feeds and advisory sites, and keeping up to date on relevant news.

Have a plan

Develop a comprehensive ransomware response plan that outlines the steps to take in the event of an attack. This plan should include procedures for identifying and isolating infected systems, contacting law enforcement, notifying affected parties and initiating recovery processes. Having a well-defined plan in place can significantly reduce the chaos and downtime associated with ransomware incidents.

Backup the data

Regularly back up all critical data and systems. Ensure that backups are stored securely and offline to prevent ransomware from encrypting or deleting them. Test the integrity of backups regularly to guarantee their reliability in case of data loss. A solid backup strategy can provide a means to recover data without paying a ransom.

Educate your employees on data safety

Conduct thorough cybersecurity training for all employees, emphasising the importance of data safety. Teach them to recognise phishing attempts, suspicious links and email attachments. Encourage the practice of strong password management and the use of multifactor authentication. Employees should understand their role in preventing ransomware attacks and know how to report any suspicious activity promptly. Ongoing employee education is a critical component of a powerful anti-ransomware defence.

What are the steps to responding to a ransomware attack?

In the event that you are targeted by a ransomware attack, do not give in to the criminals' demands. Doing so only identifies you and your organisation as willing victims and encourages the criminals to continue to target you. In most cases, businesses that pay to have their data or files returned to them never actually receive a working decryption key. Instead, the attackers simply continue to increase their demands until the targeted business stops paying. Additionally, by paying the ransomers, you would be funding their criminal activity and opening up other organisations or individuals to the same risk.

If you find that you have been targeted by ransomware, act quickly by following these steps:

Isolate the infected devices or systems

Ransomware gets into a network by infecting a single device or system, but that does not necessarily mean that it remains in that one spot. Ransomware can easily spread through your network. As such, the first thing you need to do when you discover ransomware is to disconnect the infected system and isolate it from contact with the rest of the network. If you are able to do so quickly enough, there's a small chance that you'll be able to contain the malware to a single location, making the rest of your job that much easier.

Remove suspicious devices or systems from the network

Much like how firefighters will remove brush and trees from the path of a raging wildfire, you should next take steps to stop any possible ransomware spread by disconnecting and isolating any other systems that might have been exposed. This should include any devices that appear to be behaving abnormally, including those that might not be operating on-premises. Further hinder the spread by shutting down any wireless connectivity options.

Perform damage assessment

With suspicious files isolated away from the network, you now need to assess the extent of the damage. Determine which systems have actually been affected by looking for recently encrypted files (often with strange extension names). Take a close look at the encrypted shares in each device; if one has more shares than the others, it may be the original point of entry for the ransomware into your network. Turn off these systems and devices and create a complete list of everything that may have been affected (including external hard drives, network storage devices, cloud-based systems, desktops, laptops, mobile devices and anything else capable of running or passing along the ransomware).

Locate the source

As mentioned in the previous point, checking the affected devices for high numbers of encrypted shares can help you locate 'patient zero'. Other methods of locating the source of the ransomware include checking for any antivirus alerts that directly precede the infection and reviewing any suspicious user actions (such as clicking on an unknown link or opening a spam email). Once you have discovered the source, remediation becomes much easier.
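The damage-assessment and 'patient zero' heuristics above (recently modified files with unexpected extensions, and the device holding the most encrypted material) can be scripted for triage. The following is an added example, not code from the original page or from ServiceNow; it assumes hypothetical share labels, an allow-list of document types and file-header bytes chosen for the example, and builds its own constructed sample shares in a temporary directory.

```python
import math
import os
import tempfile
import time
from collections import Counter, defaultdict
from pathlib import Path

# Allow-list of document types expected on the shares, with the header bytes
# each format normally begins with (assumed for this example; extend it for
# your own estate). Office formats are zip containers, hence "PK".
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
}
TEXT_EXTENSIONS = {".txt", ".csv", ".log"}
KNOWN_GOOD = set(MAGIC) | TEXT_EXTENSIONS
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext sits near 8, prose near 4-5


def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path):
    """Return a reason if the file looks ransomware-touched, else None.
    Three signals: a renamed extension, a known extension whose header no
    longer matches its format (contents overwritten in place), or a text
    file whose bytes have ciphertext-like entropy."""
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        head = fh.read(4096)
    if ext not in KNOWN_GOOD:
        return "unknown extension"
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return "header does not match extension"
    if ext in TEXT_EXTENSIONS and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "ciphertext-like entropy"
    return None


def triage(share_roots, window_seconds, now=None):
    """share_roots maps a host/share label to a directory. Returns
    {label: {path: reason}} for suspicious files modified inside the window."""
    now = time.time() if now is None else now
    findings = defaultdict(dict)
    for label, root in share_roots.items():
        for path in Path(root).rglob("*"):
            if not path.is_file() or now - path.stat().st_mtime > window_seconds:
                continue
            reason = classify(path)
            if reason:
                findings[label][str(path)] = reason
    return dict(findings)


def rank_hosts(findings):
    """Hosts ordered by count of suspicious files; the first entry is the
    page's 'patient zero' heuristic (the device with the most encrypted shares)."""
    return sorted(findings, key=lambda h: len(findings[h]), reverse=True)


def build_sample():
    """Constructed sample data: two hypothetical shares, one hit hard, one lightly."""
    base = Path(tempfile.mkdtemp())
    shares = {"FILESRV01": base / "srv01", "LAPTOP-07": base / "laptop07"}
    for d in shares.values():
        d.mkdir()
    # Healthy documents that must not be flagged.
    (shares["FILESRV01"] / "memo.txt").write_bytes(b"quarterly memo " * 50)
    (shares["FILESRV01"] / "plan.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
    # Renamed ciphertext, an overwritten PDF, an encrypted text file.
    (shares["LAPTOP-07"] / "budget.xlsx.locked").write_bytes(os.urandom(4096))
    (shares["LAPTOP-07"] / "notes.txt").write_bytes(os.urandom(4096))
    (shares["LAPTOP-07"] / "report.pdf").write_bytes(os.urandom(4096))
    (shares["FILESRV01"] / "old.locked").write_bytes(os.urandom(4096))
    # A file touched a week ago falls outside the window and is ignored.
    stale = shares["FILESRV01"] / "stale.locked"
    stale.write_bytes(os.urandom(4096))
    week_ago = time.time() - 7 * 86400
    os.utime(stale, (week_ago, week_ago))
    return shares


if __name__ == "__main__":
    found = triage(build_sample(), window_seconds=3600)
    for host in rank_hosts(found):
        print(host, len(found[host]), found[host])
```

The header check matters because compressed formats such as .docx or .png have high entropy by design, so entropy alone would flag healthy documents.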

Identify the ransomware

Effectively countering a ransomware attack often depends on your ability to identify exactly what variety of ransomware you're dealing with. There are a few different ways to identify the ransomware. The note included in the attack (the one telling you where to send money to unlock your files) may identify the ransomware directly. You may also be able to search the email address associated with the note to discover what ransomware this threat actor is using and what next steps other organisations have taken after being infected. Finally, there are sites and tools available online designed to help identify ransomware types—just be sure that you fully research your options before you commit to any; you do not want to download an untrustworthy tool only to drop more malware into your already-hobbled system.

Contact law enforcement

Once you've contained the ransomware, it is now your responsibility to contact law enforcement. In many cases, this goes beyond simple protocol; under the terms of certain data privacy laws, you may be required to file a report within a predetermined amount of time for any data breach your businesses experiences, with failure to do so potentially resulting in fines or other penalties. But even if you don't have a legal obligation to contact law enforcement, doing so should be a top priority. For one thing, cybercrime agencies will likely have access to better authority, resources and experience in resolving these kinds of issues and can help your business more quickly return to normalcy.

Examine backup data

With the fire effectively put out, now is the time to start repairing your systems. Ideally, if you have uncorrupted backup data, you should be able to restore your systems without too much trouble. Double check to make sure that all of your devices are free of ransomware and other forms of malware and then restore your data. Just be aware that modern ransomware attacks often target data backups, so you'll need to be sure that your data is sound before restoring it.

Search for decryption options

If you do not have data backup available or if the data itself has also been corrupted, then your next-best option is to try to find a decryption solution. As mentioned before, with some research you may actually be able to find a decryption key online to help you restore access and control.

Notify your customers

After a ransomware attack, it is your responsibility to communicate with your customers and clients about the incident. Transparency is key in maintaining trust and if you neglect to keep your customers in the loop, that trust will quickly erode. Reach out to the people who support your businesses—inform them of the situation, the actions you are taking to resolve it and any potential impact on their data or services. Providing timely and accurate information can help mitigate the reputational damage that often accompanies such incidents.

Keep your business running

While dealing with a ransomware attack can be disruptive, it is essential to make efforts to keep your business operational during the recovery process. Implement business continuity plans to ensure that critical functions can continue. This might involve rerouting tasks to unaffected areas or temporarily shifting operations to minimise downtime. Maintaining business continuity can reduce the financial losses associated with ransomware incidents and demonstrate resilience to customers and stakeholders.

Rebuild

Whether you restore your devices, find a decryption solution or just accept that your sensitive data is gone for good, your final step will always be the same: Rebuild and move on. In even the best-case scenarios, getting back to pre-attack levels of productivity can be an expensive and time-consuming process. Just make sure that you come away from the experience having gained a better understanding of the threats that face your organisation and a clearer idea of how to defend yourself against them.

What future trends in ransomware should businesses be prepared for?

As cybercriminals adapt to new technologies and security measures, ransomware likewise continues to evolve. Understanding future trends in ransomware is essential for staying ahead of emerging threats. Here are some key trends to watch:

Targeting cloud endpoints

As organisations increasingly migrate their data and services to the cloud, cybercriminals are expected to target cloud-based endpoints much more frequently. Cloud services are attractive targets because they store vast amounts of data, making them potentially more likely to pay off for ransomware operators. It's important for organisations to secure their cloud environments and implement strong access controls to mitigate these threats.

Expanding to less traditional platforms

Ransomware has historically targeted widely used platforms like Windows and iOS, but future trends may see an expansion to less common operating systems and platforms. Cybercriminals seek to exploit vulnerabilities where security measures might be less mature. Organisations should ensure comprehensive security measures across all their systems, including those considered less mainstream.

Shifting increasingly towards data extortion

Ransomware operators are shifting from solely encrypting data to also exfiltrating sensitive information before encryption. They then threaten to release this stolen data if the ransom is not paid, making data extortion a powerful tactic. While data extortion is not new, advancing capabilities are making it easier for attackers to share stolen data, thus giving threat actors an additional tool for blackmailing their victims. This trend emphasises the importance of protecting not only data availability but also data confidentiality.

Selling stolen data

An unfortunate side effect of data exfiltration is that attackers can now more easily diversify their revenue streams by selling stolen data on the dark web, even if victims agree to pay the ransom. This practice exposes organisations to additional risks beyond the immediate impact of a ransomware attack.

Optimising attacks through AI and ML

Ransomware operators are already beginning to leverage AI and ML to enhance their attacks. AI can automate tasks such as identifying vulnerable targets and tailoring phishing emails, while ML can be used to evade detection by security systems (to name only a few use cases). This trend underscores the importance of incorporating AI and ML into cybersecurity defences to detect and respond to evolving threats effectively—even those threats that rely on intelligent technologies.

ServiceNow for ransomware protection and response

When defending against and responding to ransomware attacks, time may be your most valuable resource. ServiceNow, the leader in IT management and workflow automation gives you the time you need, with clear, centralised control and monitoring capabilities. Eliminate security weaknesses before they can be exploited, identify suspicious network activity and respond to breaches at a moment's notice and more quickly recover from ransomware and other attacks with automated security response solutions. ServiceNow makes it all possible.

Protect your organisation against ransomware and other attack elements with continuous monitoring and an automated response. Learn more about ransomware and see how ServiceNow can help your business handle anything the world may throw your way.
