What is Ransomware?


In 2020, 51% of surveyed businesses were hit by ransomware, and it is expected that in 2021 a company will be hit by a ransomware attack every 11 seconds. Since the start of the COVID-19 pandemic, cybercriminals have begun attacking new kinds of targets, including schools, healthcare providers and researchers, and government institutions.

Regardless of your company’s size or industry, your organization is not immune to a ransomware attack, which makes it essential that your organization implement data protection and cybersecurity software.   

What is a ransomware attack?  


Ransomware is a form of malware that infects your systems and encrypts your files. The user cannot access their data until a ransom is paid in exchange for a decryption key. Even after paying, the user can only hope that the attacker actually provides the key and that access to the files is restored. The ransom must be paid to the attacker in Bitcoin and typically ranges from a few hundred to thousands of dollars.

An early form of ransomware, the AIDS Trojan, was created in 1989 by Joseph L. Popp, an evolutionary biologist with a PhD from Harvard who is now known as the “father of ransomware.” Also known as the PC Cyborg virus, the ransomware was released on 20,000 floppy disks distributed to AIDS researchers in over 90 countries. The disks contained a program that assessed an individual’s risk of acquiring AIDS via a questionnaire, but they also carried a malware program that remained dormant until the computer had been powered on 90 times.

The AIDS Trojan’s encryption was weak and easily reversed with decryption software, so Popp did not receive much of a payout. However, it did cause damage: some research and medical organizations lost a year of work. It also set the stage for using malware to force users and organizations to pay money, and it established the pattern that later ransomware attacks would follow.

Since then, the use of ransomware has exploded:

  • Over 50% of all businesses were hit by ransomware in 2020.
  • In 2019, cybercriminals reaped over $11.5 billion in ransom payments.
  • In 2020, the average ransom demand was over $178,000.
  • The average ransom for a small business is $5,900.

How does ransomware work?

Phishing emails and phishing campaigns are among the most popular techniques used to spread ransomware. These emails are sent to the victim and contain an attachment. Believing the email is from a trustworthy source, the victim opens the attachment, and the malware is downloaded and installed without the user’s knowledge.

Ransomware can also be spread through drive-by downloads, watering hole attacks, malvertising, and social media attacks.

  • Drive-by downloading happens when a user innocently visits an infected website where malware is downloaded and installed without the user’s knowledge.
  • Watering hole attacks occur when a user visits a legitimate website, one frequently used by the organization, into which a cybercriminal has injected malicious software in order to gain access to the user’s computer.
  • Malvertising occurs when an attacker injects a malicious online advertisement into a legitimate advertising network or webpage.
  • Social media attacks use Facebook Messenger and LinkedIn to direct people to malicious websites containing malware. More recent social media attacks send images through Facebook Messenger that look like JPEG files but carry a double extension; they are actually HTA or JS files.
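As an added illustration of the double-extension trick described above (this is example code written for this page, not Acronis code), the following check flags attachment names whose final extension is one Windows will execute while an earlier extension makes the file look like a picture or document. The extension lists and the sample attachment names are constructed for the example.

```python
import os
from typing import List, Optional, Tuple

# Extensions that make a file look like a harmless picture or document.
DECOY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt"}
# Extensions Windows runs directly or hands to a script host (HTA, JS, ...).
EXECUTABLE_EXTENSIONS = {"hta", "js", "jse", "vbs", "wsf", "exe", "scr", "bat", "cmd", "ps1"}


def deceptive_double_extension(filename: str) -> Optional[str]:
    """Return the real (executable) extension if `filename` is disguised with a
    decoy extension such as photo.jpg.hta; return None otherwise."""
    base = os.path.basename(filename.strip())
    parts = base.lower().split(".")
    # Need at least name + decoy extension + real extension, e.g. ["photo", "jpg", "hta"].
    if len(parts) < 3:
        return None
    real_ext = parts[-1].strip()
    decoy_ext = parts[-2].strip()
    if real_ext in EXECUTABLE_EXTENSIONS and decoy_ext in DECOY_EXTENSIONS:
        return real_ext
    return None


def flag_attachments(names: List[str]) -> List[Tuple[str, str]]:
    """Return (filename, real extension) for every disguised attachment."""
    flagged = []
    for name in names:
        real_ext = deceptive_double_extension(name)
        if real_ext:
            flagged.append((name, real_ext))
    return flagged


# Constructed sample attachment names, not real malware samples.
SAMPLE_ATTACHMENTS = [
    "holiday_photo.jpg.hta",   # looks like a JPEG, is an HTML application
    "me_and_friends.JPEG.js",  # case differences must not hide the trick
    "invoice.pdf",             # single, benign extension
    "setup.exe",               # executable, but not disguised
    "picture.jpg",
    "report.docx.exe",
]

if __name__ == "__main__":
    for name, real_ext in flag_attachments(SAMPLE_ATTACHMENTS):
        print(f"BLOCK {name}: executes as .{real_ext}")
```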

Once the malware infects the computer, all the user’s files are encrypted and cannot be decrypted without the decryption key, which is held by the attacker. The user sees a message like this:

[Image: ransom note displayed after a ransomware attack]

In most cases, the attacker demands payment in the form of cryptocurrency, such as Bitcoin, to provide the key so the user can decrypt their files. In other cases, the attacker steals confidential or sensitive information before encrypting the files, and then threatens to publicly release that information if the ransom is not paid – an attack known as doxware or leakware.

Ransomware as a service (RaaS) offers a new revenue model for ransomware developers. With RaaS, a developer can sell or lease their ransomware variants to affiliates who then use them to attack businesses and consumers. Now, non-technical people can use ransomware, which has generated a sharp increase in the number of ransomware attackers and attacks.  

What are the most common ransomware targets? 

No individual or organization is immune to a ransomware attack. Attackers employ several methods and are introducing new attack methods every day. Here are some examples:

  • Attackers look for easy opportunities, such as individuals, small and medium-sized businesses (SMBs), or schools and universities that do not have security experts on staff. Attackers assume – rightly – that these organizations have system vulnerabilities, especially when it comes to modern threats.
  • Alternatively, attackers will specifically target an organization because of the sensitive nature of the files (e.g., healthcare organizations and government agencies), and the fact that the organization needs access to those files to operate. For that reason, the attacker assumes that the organization will be more willing to pay the ransom rather than lose the files or have the files leaked to the public.
  • Attackers will also exploit new technologies. For example, when banks and retailers started offering online mobile services to consumers, attackers knew that consumers tend to struggle with new technology and apps, making them a ripe opportunity for a ransomware attack.

Examples of big ransomware attacks

The estimated global damage from ransomware attacks increased from an estimated $1 billion in 2016 to $20 billion in 2020. Here is a listing of the major ransomware attacks from 2016 through 2019.

2016: A strain of HDDCryptor infected San Francisco’s public transport systems and demanded 100 bitcoins, or about $70,000, in ransom.

2017: An updated version of WannaCry infected the U.K.’s National Health Service, Telefonica, and other targets by exploiting EternalBlue, an exploit for a Windows SMB vulnerability that Microsoft patched in 2017. In total, WannaCry demanded $300 in bitcoin from more than 300,000 organizations worldwide.

2017: NotPetya first attacked power distributors in Ukraine and the Netherlands, and later attacked Ukraine’s government and the offices of multinationals in Spain.

2017: A BadRabbit outbreak attacked Ukrainian and Russian organizations via drive-by downloads. A ransom of 0.5 Bitcoin was demanded from hundreds of victims.

2018: A SamSam ransomware variant attacked the Colorado Department of Transportation’s (CDOT) computers, which were running Windows and McAfee antivirus software. Working with the FBI, CDOT recovered its systems from backups but was infected by another SamSam variant just one month later.

2018: The City of Atlanta had several customer-facing systems infected by what was believed to be another SamSam attack. The city planned to pay a $51,000 ransom, but the payment was not approved by then-mayor Keisha Lance Bottoms. Instead, the city spent millions to rebuild its systems.

2018: The Port of San Diego suffered a ransomware attack caused by another SamSam variant, bringing down the IT systems used by the Port.

2019: Two Florida municipal governments, Riviera Beach and Lake City, were both attacked and paid hundreds of thousands of dollars to recover their data. Lake City suffered a three-stage attack in which the Emotet malware downloaded Trickbot, which in turn delivered the Ryuk ransomware.

2019: Twenty local Texas government agencies were hit by a coordinated REvil (also known as Sodinokibi) ransomware attack.

Here is a listing of some of the critical ransomware cyberattacks that occurred in 2020 and the variant used: 

  • Australian-based Toll Group was hit twice by two different variants: NetWalker and Nefilim
  • New York-based Grubman Shire Meiselas & Sacks: REvil
  • University of California, San Francisco: NetWalker
  • U.S. defense subcontractor, Westech International: Maze
  • Multinational firm, Garmin: WastedLocker
  • University Hospital of Dusseldorf: Unpublished ransomware variant
  • LG Electronics and Xerox: Maze
  • Argentinian borders: NetWalker

The ransomware attack on the University Hospital of Dusseldorf resulted in the first fatality caused by ransomware.

How to prevent a ransomware attack?

Ransomware prevention requires your organization to address security issues from three perspectives, focusing on people, process, and technology. 

People. Your organization’s employees must be trained on how to prevent ransomware attacks, so they follow email best practices, avoid infected sites, and exercise good judgement before opening text and instant messages. Training should be rigorous and ongoing.

Process. Your IT organization must have a well-thought-out data protection and security policy in place and follow its procedures. For example, it is critical that your systems and data are backed up on a schedule that lets you meet your Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). It is also imperative that you keep all software – both operating systems and applications – up to date.

Technology. Your organization needs a solution that protects your data with full-image backups, identifies and stops ransomware attacks, and helps you recover your data in the event a ransomware attack succeeds. In this era of remote work, you also want to be sure that the solution protects remote desktops.

Removing Ransomware

By the time the user notices ransomware on their computer, it is usually too late to save the data on that machine, but there are four ransomware removal options that can help a user get back up and running.

  • You can restore the infected system from a cloud or off-line full-image backup. Unfortunately, any on-site backups may also be encrypted or deleted by the attacker, so they may be of no use. This is where the 3-2-1 backup rule (three copies of your data, on two different media, with one copy off-site) can save the day.
  • There are ransomware decryption tools – some of which are available at no charge – and ransomware recovery experts who specialize in ransomware decryption. A decryption tool may work if the ransomware is an older variant and/or not frequently updated. Ransomware removal specialists can be expensive and, again, there is no guarantee that they can recover your files. It is almost impossible to decrypt the files without the decryption key.
  • If you do not have a protected full-image backup, you can choose to format the infected computer’s hard drive and re-install the operating system and applications. Unfortunately, with this option, all data will be lost.
  • You can choose to pay the ransom and hope that the attacker will provide the decryption key but there are no guarantees. Unfortunately, nearly 40% of the victims who pay the ransom never get their data back and 73% of those that pay are targeted again later.
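The backup requirements from the Process section (meeting an RPO) and the 3-2-1 rule from the first recovery option above can be checked mechanically against a backup inventory. The following is an added example written for this page, not Acronis code; the BackupCopy record, the sample inventory, and the timestamps are constructed, and "offsite" is used to mean a cloud or off-line copy that a ransomware attack on the site cannot reach.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class BackupCopy:
    label: str           # human-readable description of the copy
    medium: str          # "disk", "tape", "cloud", ...
    offsite: bool        # cloud or off-line copy beyond the attacker's reach
    taken_at: datetime   # when this copy was completed


def check_3_2_1(copies: List[BackupCopy]) -> Dict[str, bool]:
    """3-2-1 rule: at least 3 copies, on at least 2 media, at least 1 off-site."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def newest_copy_age(copies: List[BackupCopy], now: datetime,
                    offsite_only: bool) -> Optional[timedelta]:
    """Age of the most recent copy; with offsite_only, on-site copies are
    ignored because ransomware may have encrypted or deleted them."""
    eligible = [c for c in copies if c.offsite or not offsite_only]
    if not eligible:
        return None
    return now - max(c.taken_at for c in eligible)


def rpo_met(copies: List[BackupCopy], rpo: timedelta, now: datetime,
            offsite_only: bool = True) -> bool:
    """The RPO is met when the newest usable copy is no older than the RPO."""
    age = newest_copy_age(copies, now, offsite_only)
    return age is not None and age <= rpo


# Constructed inventory: the NAS copy is fresh but on-site, the cloud replica
# is 30 hours old, the tape is in a vault. Evaluated at a fixed "now".
NOW = datetime(2021, 3, 1, 9, 0)
SAMPLE_INVENTORY = [
    BackupCopy("nightly full image on NAS", "disk", False, datetime(2021, 3, 1, 2, 0)),
    BackupCopy("cloud replica", "cloud", True, datetime(2021, 2, 28, 3, 0)),
    BackupCopy("weekly tape in vault", "tape", True, datetime(2021, 2, 25, 20, 0)),
]

if __name__ == "__main__":
    print(check_3_2_1(SAMPLE_INVENTORY))
    print("RPO met counting on-site:", rpo_met(SAMPLE_INVENTORY, timedelta(hours=24), NOW, False))
    print("RPO met after ransomware:", rpo_met(SAMPLE_INVENTORY, timedelta(hours=24), NOW))
```

The inventory passes 3-2-1 and meets a 24-hour RPO on paper, but once the on-site copy is discounted the newest reachable copy is 30 hours old, which is the gap the first recovery option warns about.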

Acronis Cyber Protect stops ransomware attacks

Acronis Cyber Protect unifies all the necessary technology – full-image backups, hybrid cloud storage, artificial intelligence (AI), encryption, and blockchain – into a single solution that detects ransomware attacks, stops encryption, restores affected files, and ensures the safety, accessibility, privacy, authenticity, and security (SAPAS) of all of your workloads and systems. 

The unique integration of cybersecurity, data protection, and endpoint protection management enables Acronis Cyber Protect to provide proactive, active, and reactive protection, ensuring the best ransomware security and protection of your organization’s endpoints, systems, and data.  
