Online criminals are often motivated by collecting currency. Ransomware is a tool malicious hackers use to extort valuable assets from people or organizations.
Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.
Malicious hackers commonly use ransomware to lock valuable systems and data that organizations need to operate their systems and business. After these scammers gain control of an organization’s valuable assets, they demand a ransom be paid to unlock the hostage files.
Ransomware demands are growing in value.
While the overall number of detected ransomware threats went down in 2021 H1 compared to 2020 H1, the demands against large enterprises are rising to multiple millions of dollars, including a payout from a large U.S. insurance company for $40 million in March 2021. These changes signify that ransomware scammers are becoming more targeted with their attacks.
Ransomware is a powerful tool for malicious hackers, but they’re only in control of the situation after they have encrypted your files. Maintain control of your files and systems to defend them against ransomware threats.
To protect your organization from ransomware attacks, you need to understand how the scam works, assess the amount of risk it poses to your organization, and take steps to proactively address it in your security plan.
Understand the ransomware extortion scam.
Malicious hackers use ransomware to execute a type of scam known as a cryptoviral extortion scam. Ransomware helps malicious hackers exploit attack surface weaknesses to gain control of systems as leverage. With those systems held hostage, the malicious hackers then extort the organization into giving them currency.
The ransomware extortion scam can be dressed up into many forms, but its skeleton follows a common pattern:
- Install ransomware software on a valuable system.
- Execute the ransomware to encrypt or exfiltrate an organization’s valuable files.
- Demand and collect a ransom payment from the organization in exchange for decrypting or releasing their valuable files.
Stage 1: Gain access to a valuable system
Malicious hackers must execute the ransomware code on your system to gain leverage for their demands. They use their knowledge of common attack surface weaknesses to find opportunities to install ransomware on valuable systems.
Just as the skill levels of malicious hackers vary, so does the sophistication of their attempts to successfully gain access to a device to run their ransomware. Some attempts are easy to spot with practice, while others are harder to spot.
Ransomware often locks the device it is installed on immediately, but some more sophisticated ransomware scams run quietly in the background collecting additional valuable data for a while before they make themselves known by making their demands.
Malicious hackers can infiltrate your organization with their ransomware in different ways including:
- An infected email attachment
- A malicious link
- Systems with out-of-date patching or other critical system vulnerabilities
- A website embedded with malware
- Brute-force attack on weak passwords
- Trojan horse applications
After ransomware infects one device, it can be spread to other devices through the use of botnets. A botnet is a network of computers created by malware and controlled remotely, without the knowledge of the users of those computers.
Stage 2: Take the organization’s files hostage and make demands
When the ransomware executes, it begins to scan the device and encrypt any files it can find, locking access to them from anyone without a decryption key. Malicious hackers are hoping the ransomware will find and encrypt valuable files that an organization is willing to pay a ransom fee to get back.
After encrypting all of the files on the device, the ransomware displays a screen with a ransom note. The note outlines what is happening to the device and its files, how to unlock the encrypted files, and how to pay the ransom.
Sometimes the note includes a threat to permanently delete the files or increase the ransom amount after a timer completes. This gives the organization a sense of urgency to complete the ransom payment quickly.
Stage 3: Collect payoff
Collecting currency is the motivation for most malicious hackers to run a ransomware scam. Ransoms are almost always demanded and paid in anonymous or hard-to-trace currencies to cover the scammer’s trail.
Cryptocurrency like Bitcoin is the most popular type of currency to demand, due to its perceived anonymity and online format. Gift cards are also used to collect ransom fees.
After they get the reward, the scammers may or may not unlock your systems. They still maintain control over your organization until they give you the decryption key and hopefully move on from targeting you.
Some scammers don’t stop at demanding payment for unlocking the files. In addition to paying to regain access to your organization’s files, scammers sometimes also ask for additional payment coupled with new threats. Examples of threats include releasing your confidential information on the internet, selling it to other cybercriminals, and even communicating with customers and stakeholders.
Are you at risk for a ransomware attack?
If the thought of being involved in a ransomware attack stresses you out, you’re not alone. In 2020, the U.S. Small Business Administration reported that 88% of small business owners felt their businesses were vulnerable to a cyber-attack.
While dealing with an active attack is difficult, proactively preventing a ransomware attack from starting in the first place is attainable for organizations of all sizes.
Scammers want the biggest payoff with the least amount of work.
While every business has some risk of becoming a target for a ransomware attack, there are attributes that may make you more attractive to malicious hackers.
Here are some qualities of an organization that may appeal to scammers:
- Easy to attack: It’s simple for the scammer to gain control of your organization’s systems.
- Good leverage: You have valuable assets that your organization would be willing to pay to get back.
- Ability to pay: You have enough resources to meet or increase their ransom demands.
Find your weakest points, then prioritize adding protection where your organization needs it most.
Learn all the parts of your systems to better understand how they work together, then identify which are most valuable to your organization. Next, evaluate your system’s attack surface to determine how malicious hackers may be able to gain access to your organization’s devices. These points of entry are your attack risk.
Evaluate and rank each ransomware attack risk. Prioritize your resources to mitigate the risks that are most likely to happen and would cause the biggest impact to your organization. Defining and prioritizing these weaknesses helps create a security program that reinforces protection against ransomware where your organization needs it most.
Learn more about how to confidently protect your organization’s data and assets with a risk-based approach to information security in ZeroWall’s whitepaper, Think Like a Hacker. Defend Like a CISO.
A proactive approach is the strongest ransomware defense.
Scammers don’t have leverage over your organization until they take control of your valuable assets. Build layers of protection around your organization’s weaknesses to keep scammers from being able to break through your attack surface.
Paying the ransom is not the answer.
Government agencies recommend zero-tolerance for payment, stating that paying ransom encourages attackers to continue the behavior and can also be seen as funding terrorism.
That advice is easier said than done if your organization’s livelihood is suddenly being held hostage. While there are strategies for handling active ransomware attacks that help teams forced to make hard decisions, the best protection is a preventative security strategy and a solid backup plan that keep you in control of your systems and other valuable assets, despite the efforts of scammers.
Secure your attack surface.
Use your understanding of your attack surface areas to identify how malicious hackers could infiltrate your system with their ransomware code, then take action to add protection where your organization needs it most.
Consider these examples of actions you can take to secure your attack surface against ransomware attacks:
- Train employees to recognize and report suspicious communications.
- Patch software and address critical system vulnerabilities.
- Regularly review and optimize your security program for the current environment. Review your approach to information security with a vendor like ZeroWall to identify additional methods of defense against ransomware.
- Foster an informed security culture at your organization.
Back up your data offline in a different area.
In addition to defending your valuable assets, you should also have a backup of them. A backup is a copy of your data that is stored on another computer system. It can be used to restore the original data in the event you experience data loss on your active system, including data taken hostage in a ransomware attack.
The quality of your backup strategy matters. In addition to having a backup copy of your valuable data, it is critical to practice restoring your backup to understand if it works and how long it takes. A backup that can’t be restored is not valuable. A quality backup strategy ensures that you won’t be starting from scratch even if your active files and systems are compromised.
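One way to practice the restore described above, as an added example that is not ZeroWall's code: record SHA-256 hashes when the backup is taken, restore the archive into a scratch directory, and report missing or altered files along with how long the restore took. The tar.gz format, the sample file names and the functions `build_manifest`, `restore_drill` and `demo` are assumptions chosen for illustration.

```python
import hashlib, shutil, tarfile, tempfile, time
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root (a pathlib.Path)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def restore_drill(archive, manifest):
    """Restore into scratch (regular files only, no path escape), verify, time."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(archive) as tar:
        scratch = Path(tmp).resolve()
        for member in tar.getmembers():
            dest = (scratch / member.name).resolve()
            if not member.isfile() or scratch not in dest.parents:
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(dest, "wb") as out:
                shutil.copyfileobj(src, out)
        restored = build_manifest(scratch)
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(k for k in restored if k in manifest and restored[k] != manifest[k])
    return {"ok": not (missing or corrupt), "missing": missing,
            "corrupt": corrupt, "seconds": time.monotonic() - start}

def demo():
    """Constructed sample data (assumed tar.gz backups): one good, one damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "customers.db").write_bytes(bytes(range(256)) * 16)
        manifest = build_manifest(live)  # recorded when the backup is taken
        good, bad = Path(tmp, "good.tar.gz"), Path(tmp, "bad.tar.gz")
        with tarfile.open(good, "w:gz") as tar:
            for rel in manifest:
                tar.add(live / rel, arcname=rel)
        # Damaged backup: one file truncated, one file never captured.
        (live / "customers.db").write_bytes(b"\x00" * 10)
        with tarfile.open(bad, "w:gz") as tar:
            tar.add(live / "customers.db", arcname="customers.db")
        return restore_drill(good, manifest), restore_drill(bad, manifest)
```

Calling `demo()` returns one passing and one failing drill result. Against a real backup, keep the manifest with the offline copy and compare `seconds` from each drill with how long your organization can afford to be down.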
Ransomware is ominous but preventable.
Losing valuable data, time, and revenue to anonymous cybercriminals has a huge impact on an organization, so it’s smart to pay attention to the risk of a ransomware attack. Scammers don’t have leverage on you until they can install their ransomware code. Focus your efforts on securing your attack surface and backup data to keep control of your valuable assets and your organization.
Find out if your systems are at high risk for a ransomware attack.
Understand your information security risk profile with ZeroWall’s tools and insights.
Taking the ZeroWall Assessment™ is the fastest way to get an expert evaluation of your security profile and risks, including ransomware.
ZeroWall’s Threat Model Engine™ works its magic on your answers and delivers you an Insights Report that outlines:
- The gaps in your security program
- How your current investments are addressing risks
- How you compare to similarly-sized organizations in your industry
- Right-sized recommendations catered to your unique organization
Get the information you need to build your organization’s right-sized program.