What is ransomware? 

Ransomware is a type of malware designed to give cybercriminals leverage over victims by holding their data hostage. Most forms of ransomware do this by encrypting sensitive or mission-critical data. This renders the data unusable until the victim obtains a decryptor tool from the cybercriminal group responsible. 

In a typical ransomware attack scenario, cybercriminals take control of the victim’s systems and force them to display a message. The message is a ransom note instructing the victim to pay money directly to the criminal group, usually through anonymous cryptocurrency accounts. Once payment is confirmed, the group will release the decryptor and allow the victim to continue normal operations. 

However, there is no guarantee the cybercriminals responsible will keep their word. There is also nothing to prevent them from launching repeat attacks. In fact, cybercriminals know that victims who pay once are likely to pay again. That’s why the FBI recommends not paying the ransom, even if it’s the most expedient option. 

Types of ransomware 

Although all ransomware variants work along similar lines, there is a great deal of depth and variation between individual types of ransomware. The ransomware industry is supported by a surprisingly mature market, with complex organizations and innovative specialists working together to launch increasingly sophisticated attacks. 

 Established ransomware syndicates now develop and sell full-service kits that allow inexperienced hackers to launch complex attacks. The development of the “ransomware-as-a-service” business model has led to a worldwide surge in the frequency and sophistication of ransomware attacks. 

Some types of common ransomware attacks include: 

• Encryptors. These are among the most well-known types of ransomware attacks. Cybercriminals encrypt critical systems or data and then demand money for a decryption key. Some encryption tools are stronger than others though, and threat intelligence operatives sometimes find and publish decryption tools online. 
• Lockers. Lockers do not focus on encrypting specific files. Instead, they lock users out of important systems and applications. They usually do this by modifying user permissions or compromising the device’s master boot record. 
• Leakware. This type of attack revolves around the threat of leaking sensitive information. If cybercriminals find damaging or sensitive data, they may not need to encrypt it or impact system usability at all.  
• Double extortion. This is when an attacker combines multiple threats into a single demand. For example, hackers might charge money to decrypt sensitive data and then threaten to leak the data publicly if additional demands are not met. 
• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. Attackers can use these attacks to disrupt operations and take down their victim’s web applications. When they try to extort victims for money in return for restoring normal operations, they’re conducting a type of ransomware attack. 

Six stages of a typical ransomware attack 

No two ransomware attacks are exactly alike, but many follow a similar pattern. Here’s an example of how a typical ransomware scenario might look like: 

• Initial access. First, attackers need to gain access to the network. This might happen through phishing, social engineering, or in cooperation with a malicious insider. 
• Deployment. Depending on the specific ransomware deployed, the attacker may inject it into a running process or execute it as a standalone application. Some malware variants carry ransomware as a malicious payload. 
• Exploitation. The ransomware is now active. It will begin searching for sensitive files to encrypt while concealing itself and disabling processes that may stop it — like the device’s antivirus software. 
• Lateral movement. Encrypting a single device isn’t enough. The ransomware attack must spread across as many devices and subnetworks as possible before launching. The more assets and applications infected, the more credible the attack will be. 
• Data collection. Once attackers spread ransomware throughout the victim’s network, they are ready to collect the data and analyze it. Any data the organization needs to function on a daily basis will be prioritized. 
• Exfiltration. Attackers will copy the data to an offsite location and replace it with an encrypted placeholder that displays a ransom message. The attack is now complete. 

Ransomware prevention, detection, and response 

Secure organizations address ransomware on three levels. First, they craft policies that make it difficult for attackers to launch ransomware attacks in the first place. Then they deploy solutions for detecting successful attacks and mitigating risk with well-established response strategies. 

Secure backups are key to ransomware prevention 

Preventative measures that reduce the organization’s attack surface are effective against ransomware. However, secure backups are the single most important asset an organization can leverage against most ransomware attacks. 

Without secure backups, organizations have no leverage against cybercriminals who encrypt their data. Catastrophic damage is virtually guaranteed whether you pay the ransom or not. 

With secure backups and a segmented network built along Zero Trust principles, you may be able to simply ignore ransomware demands entirely. The organization can run off its backup infrastructure while the security team addresses the threat and eliminates any potential spread. 

Ransomware detection depends on behavioral analytics 

Early ransomware variants were easy to detect because they processed large volumes of information very quickly. In a modern security operations center, any attempt to encrypt large volumes of data would immediately trigger critical alerts. 

However, more recent ransomware variants work more slowly. They may take weeks or months to encrypt sensitive data, making the attack much harder to detect.  

In this case, security teams need deeper visibility into how authorized users and assets behave normally. They can then use that activity as a baseline model and compare observed network activity to that baseline. This is the fundamental premise of User Entity and Behavioral Analytics (UEBA).  

Ransomware response is delicate and time-sensitive 

Security teams that detect ransomware on their network need to act quickly and decisively. Even if the organization has secure backups, threat actors may still attempt to extort the organization by publishing sensitive data or intellectual properties online. 

To protect the organization’s users and assets effectively, incident response teams must first investigate the attack carefully. Ideally, the investigation is conducted quietly, without letting threat actors know their activities have been detected. 

Once the security team knows the full extent of the attack, they can begin isolating compromised devices and blocking malicious executions. Threat actors are unlikely to immediately give up their attack after this kind of setback, so the team will need to remain in a state of heightened vigilance afterwards as well. 

Examples of well-known ransomware attacks 

• Colonial Pipeline (DarkSide RaaS): This attack made headlines across the world and introduced ransomware to the public. It led to an extensive FBI investigation, a Presidential Executive Order to improve US cybersecurity, and the eventual disbanding of the group responsible for the attack. 
• JBS USA (REvil RaaS): Another headline-making attack in 2021 impacted the operations of one of the world’s largest beef manufacturers. As with Colonial Pipeline, the group responsible was dismantled shortly afterwards. 
• Maersk (NotPetya): The Danish shipping conglomerate suffered $300 million in losses as a result of a global ransomware crisis in 2017. NotPetya was an unusual ransomware variant because it actually wiped victims’ files entirely so that they could not be recovered, even through decryption. 
• Swissport (BlackCat RaaS): In February 2022, Swissport announced it suffered a ransomware attack. Since the company had secure backups, the initial attack had a minimal impact. However, cybercriminals still tried to sell 1.6 TB of stolen data on the Dark Web afterwards — a classic example of double extortion. 

Mitigate ransomware risks by preparing ahead of time 

Ransomware attacks can be highly disruptive, paralyzing organizations and doing irreparable harm to their users and customers. Alarmingly, ransomware payout amounts surged to $1.5 million on average in 2023, reflecting the fact that most organizations remain unprepared for addressing this threat. 

Secure backups offer organizations an effective, low-cost way to mitigate ransomware risks. Despite this fact, many large, high-revenue enterprises neglect to proactively deploy ransomware-resistant backup solutions. This is especially concerning since ransomware threat actors tend to target these types of organizations the most. 

Overworked security teams may not have enough time and resources available to proactively develop ransomware-resistant backup solutions. Managed detection and response vendors like Lumifi allow organizations to protect themselves from ransomware threats without compromising on their day-to-day security needs. Discover how we use automation and behavioral analytics to mitigate information security risks like ransomware for our customers.