Ransomware is arguably the most high-profile security threat of the moment. Cybercriminals across the world are demanding money from victims by holding their devices and data hostage. This type of attack, in which data is encrypted or claimed to be and victims are prompted to pay for the key to restore access, has been growing rapidly since 2013 and is now one of the most common types of malware.
TechRepublic’s cheat sheet about ransomware is an overview of this malware threat. This guide will be updated periodically as new exploits and defenses are developed.
What is ransomware? Ransomware is a type of malware attack characterized by holding device control — and, therefore, locally stored data — for a ransom, which victims typically pay in bitcoin or with other virtual currencies. Sophisticated ransomware attacks employ disk or file-level encryption, making it impossible to recover files without paying the ransom demanded by the hackers.
Historically, ransomware has invoked the image of law enforcement organizations in order to coerce victims into paying. These messages often displayed warnings with the FBI logo and a message indicating that illegal file sharing was detected on the system, prompting users to pay a fine or risk criminal prosecution. As ransomware attacks have grown into the public consciousness, attackers have taken to crafting payloads that clearly indicate that a device has simply been hacked and that victims must pay the hackers to return access.
Other attacks, such as the WhiteRose ransomware, display mystifying and scarcely grammatical messages to unsuspecting victims about nothing in particular, describing such idyllic settings such as a hacker “sitting on a wooden chair next to a bush tree” with “a readable book” by William Faulkner in a garden in a remote location. Such a bizarre story can work to further distress a victim or even humanize the attacker, making them more likely to comply with demands. It can also amplify its media coverage or buy the attackers some time as victims try to make sense of it.
SEE: Identity theft protection policy (TechRepublic Premium)
Ransomware attacks are often propagated through file-sharing networks and have also been distributed as part of a malvertising campaign on the Zedo ad network, as well as through phishing emails that disguise the payload as maliciously crafted images or as executables attached to emails. WannaCry, one of the most well-known single ransomware attacks, uses a flaw in Microsoft’s SMB protocol, leaving any unpatched, internet-connected computer vulnerable to infection. Other attacks leverage unsecured Remote Desktop services, scanning the internet for vulnerable systems.
The number of ransomware cases reported worldwide rose by more than 27% between 2023 and 2024, according to Thales. Another study from Chainalysis estimated that payouts hit $1 billion in 2023 for the first time. The U.K.’s National Cyber Security Centre claimed the number of ransomware attacks is unlikely to slow down thanks to the new accessibility of generative AI. The technology could provide “capability uplift” and lower the barrier to entry for attackers. Indeed, as companies have started backing up their data to reduce the risk of a successful ransomware attack, attackers are increasingly also targeting the backups.
SEE: Ransomware’s Impact Could Include Heart Attacks, Strokes & PTSD
Why does ransomware matter? For cybercriminals, the use of ransomware provides a very straight line from development to profit. As such, the growth of ransomware can be attributed to the ease of deployment made easier by ransomware-as-a-service offerings and AI uplift and a high rate of return relative to the amount of effort put forth. Modern ransomware attacks double down on the profit factor, including allowing cryptocurrency miners to utilize the processing power of infected systems as they are left otherwise idle, waiting for victims to pay the ransom.
Typically, ransomware attacks leverage known vulnerabilities, so original research is not required of cybercriminals seeking to make fast money. The WannaCry attack was a special case — it leveraged two exploits named EternalBlue and DoublePulsar. These exploits were discovered and used by the NSA and the existence of these vulnerabilities was disclosed by The Shadow Brokers, a group attempting to sell access to a cache of vulnerabilities and hacking tools developed by the U.S. government.
Ransomware attacks are generally quite successful for cybercriminals, as victims often pay the ransom despite expert advice. A report from cybersecurity company Sophos noted that, for the first time, more than half of the organizations that had fallen to ransomware admitted they paid the ransom to recover their data in 2023. Specifically targeted attacks may result in increasingly higher ransom demands, as malicious attackers become more brazen in their attempts to extort money from victims.
“False” ransomware attacks, in which attackers demand a ransom, though files are deleted whether users pay or not, have also become widespread. Perhaps the most brazen though unsuccessful of these attacks is a KillDisk variant that demands a $247,000 ransom; however, the encryption key is not stored locally or remotely, making it impossible for files to be decrypted if anyone were to pay the ransom.
What are the primary targets of ransomware attacks? While home users were traditionally the targets of ransomware, business networks have been increasingly targeted by criminals. Additionally, servers, healthcare and utilities (e.g., the Colonial Pipeline attack) have become high-profile targets for malicious ransomware attackers.
Enterprises are particularly appealing targets for these malware attacks because larger organizations have deeper pockets to pick from; however, those larger businesses are also more likely to have robust IT operations with recent backups to mitigate any damage and avoid ransom payment.
In 2023, central and federal governments were targeted more than any other industry, with 68% of organizations hit by ransomware, according to a report by cybersecurity company Sophos. Other top targeted sectors include healthcare, utilities, higher education, financial services and manufacturing. Downtime in these organizations would significantly impact a large number of individuals, giving the cyber criminals more leverage for their demands.
SEE: How to protect your organization from ransomware-as-a-service attacks
What are some of the most well-known ransomware attacks? CryptoLocker While the first rudimentary ransomware attack dates back to 1989, the first widespread encrypting ransomware attack, CryptoLocker, was deployed in September 2013. Originally, victims of CryptoLocker were held to a strict deadline to recover their files, though the authors later created a web service that can decrypt systems for which the deadline has passed at the hefty price of 10 BTC (as of May 2024, the USD equivalent of 10 Bitcoin, or BTC, is approximately $672,300).
While the original CryptoLocker authors are thought to have made about $3 million USD, imitators using the CryptoLocker name did appear in the following couple of years. The FBI’s Internet Crime Complaint Center estimates that between April 2014 and June 2015, victims of ransomware paid more than $18 million USD to decrypt files on their devices.
Locky Locky, another early ransomware attack, has a peculiar tendency to disappear and reappear at seemingly random intervals. It first appeared in February 2016 and stopped propagating in December 2016, only to reappear briefly in January and April of 2017. With each disappearance, the creators of Locky appear to refine the attack. The Necurs botnet, which distributes the Locky attack, seems to have shifted to distributing the related Jaff ransomware. Both Locky and Jaff automatically delete themselves from systems with Russian selected as the default system language.
SEE: Ransomware attackers are now using triple extortion tactics (TechRepublic)
WannaCry The WannaCry attack, which started on May 12, 2017, stopped three days later when a security researcher identified and registered a domain name used for command and control of the payload. The National Cyber Security Centre, a division of GCHQ, identified North Korea as the origin of the WannaCry attack. Estimates indicate that the WannaCry attack cost the U.K.’s NHS £92 million due to disruptions in patient care.
Petya Petya, also known as GoldenEye, was first distributed via infected email attachments in March 2016; like other ransomware attacks, it demanded a ransom to be paid via Bitcoin. A modified version of Petya was discovered in May 2016; it uses a secondary payload if the malware is unable to obtain administrator access.
NotPeyta In 2017, a false ransomware attack called NotPetya was discovered. NotPetya was propagated through the software update mechanism of the accounting software MeDoc, which is used by about 400,000 firms in Ukraine. While Petya encrypts the MBR of an affected disk, NotPetya also encrypts individual files as well as overwrites files, making decryption impossible.
Like WannaCry, NotPetya used the NSA-developed EternalBlue vulnerability to propagate through local networks. Compared to Petya, the cheaper ransom that NotPetya demanded, combined with the single Bitcoin wallet victims are instructed to use, suggested that the aim of that attack was to inflict damage rather than generate profits. Given that the affected organizations were almost entirely Ukrainian, NotPetya can be inferred to be a cyberwarfare attack.
SEE: Hiring Kit: Cybersecurity Engineer (TechRepublic Premium)
SamSam In March 2018, the computer network of the City of Atlanta was hit by the SamSam ransomware, for which the city projected costs of $2.6 million to recover from. Although the city did not pay a ransom, the attackers behind the SamSam malware netted nearly $6 million since the attack began in late 2015, according to a report by Sophos. That report also indicates that the attackers continue to gain an estimated $300,000 per month as of August 2018.
In November 2018, the U.S. Department of Justice charged two hackers working out of Iran with creating SamSam and, shortly afterwards, it appeared to cease as an active form of ransomware.
DarkSide On May 6, 2021, the Colonial Pipeline Company — which is responsible for 45% of the East Coast’s fuel, including gas, heating oil and other forms of petroleum — discovered it was hit by a ransomware attack. The company was forced to shut down some of its systems, stopping all pipeline operations temporarily.
The FBI identified the DarkSide ransomware gang as the culprits for the attack. DarkSide, a “professional” and “organized” hacking group that saw profits in the millions (ransom demands range from $200,000 to $2 million), typically targeted English-speaking countries and avoided Soviet Bloc nations, according to Lior Div, CEO of security firm Cybereason. Div also noted that DarkSide historically targeted domain controllers, which threatened entire networks.
It was reported on May 13, 2021 that Colonial Pipeline paid a ransom demand of close to $5 million in return for a decryption key. Shortly afterwards, a Russian-language statement was obtained by numerous cybersecurity firms stating DarkSide was shutting down its operations. Some experts report that the ransomware group BlackCat, that only shut down in March 2024, was a possible rebranding of DarkSide.
SEE: How to prevent another Colonial Pipeline ransomware attack (TechRepublic)
BlackCat The ransomware family BlackCat, also known as ALPHV, was first identified by cyber researchers in late 2021. BlackCat is unique in that it is written in Rust, it is often used with extortion tactics, and because victims’ data is often posted on a public leak site and not the Dark Web. Some experts believe that the group behind the ransomware is a successor of DarkSide and REVil, which both dismantled in 2021.
Infiltrating its victims by exploiting known security flaws or vulnerable account credentials, ALPHV pressures organizations to pay the ransom by launching distributed denial-of-service attacks against them. The group also likes to expose stolen files publicly through a search engine for the data leaks of its victims.
BlackCat was involved in numerous high-profile ransomware attacks between 2021 and its closure in 2024. During the third quarter of 2022, this ransomware variant hit 30 organizations, impacting real estate businesses, professional services and consulting firms, consumer and industrial product makers, and technology companies.
In February 2022, aviation services firm Swissport had its files encrypted, leading to minor delays in a small number of flights before the situation was resolved. However, a few days later, BlackCat posted samples of an apparent 1.6 TB of data it had stolen from Swissport and was poised to sell it to the highest bidder. The following September, ALPHV took credit for attacking fuel pipeline operators, gas stations, oil refineries and other critical infrastructure providers.
SEE: Black Basta Ransomware Struck More Than 500 Organizations Worldwide
LockBit According to CISA, LockBit was the most common type of ransomware deployed globally in 2023. LockBit ransomware could be deployed through compromised website links, phishing, credential theft or other methods. LockBit targeted more than 2,000 victims since its first appearance in January 2020, for more than $120 million total in ransomware payments.
The gang ran ransomware-as-a-service websites like a legitimate business, offering a data leak blog, a bug bounty program to find vulnerabilities in the ransomware, and regular updates. Attackers known as “affiliates” would be provided ransomware from the LockBit sites.
LockBit ransomware has been deployed against organizations across various industries, in particular manufacturing, semiconductor fabrication and healthcare. In addition, attackers using LockBit have turned the ransomware on municipal targets, including the U.K.’s Royal Mail.
In February 2024, the U.K. National Crime Agency’s Cyber Division, the FBI and international partners successfully cut off access to LockBit’s website, which had been used as a large ransomware-as-a-service storefront. A few days later, the group resumed operations at a different Dark Web address, and continues to claim responsibility for global ransomware attacks.
SEE: All of TechRepublic’s cheat sheets
How can businesses protect themselves from a ransomware attack? Threat intelligence provider Check Point Research provides the following advice to protect organizations and assets from ransomware.
Back up all company data regularly to mitigate the potential impacts of a ransomware attack. If something goes wrong, you should be able to quickly and easily revert to a recent backup. Keep software updated with the latest security patches to prevent attackers exploiting known vulnerabilities to gain access to the company system. Legacy devices running unsupported operating systems should be removed from the network. Leverage an automated threat detection system to identify the early warning signs of a ransomware attack and give the company time to respond. Install anti-ransomware solutions that monitor programs running on a computer for suspicious behaviours commonly exhibited by ransomware. If these behaviours are detected, the program can stop any encryption before further damage is done. Implement multifactor authentication as it prevents criminals who discover an employee’s log-in credentials from accessing the organization’s system. Phishing-resistant MFA techniques, like smartcards and FIDO security keys, are even better as mobile devices can also be compromised. Use the principle of least privilege, which means employees should only have access to the data and systems essential for their role. This limits the access of cybercriminals should an employee’s account become compromised, minimizing the damage they could do. Scan and monitor emails and files on an ongoing basis, and consider deploying an automated email security solution to block malicious emails from reaching users that could lead to ransomware or data theft. Train employees on good cyber hygiene to help minimize the risks of the inevitable human attack vector. Cyber training equips the team with the ability to recognize phishing attempts, preventing attackers from ever being able to deploy ransomware. Do not pay the ransom if a business does fall victim to ransomware. Cyber authorities advise this because there is no guarantee the attacker will be true to their word, and the remuneration will encourage future attacks. Additionally, businesses can refer to the No More Ransom project. This is a collaboration between Europol, the Dutch National Police, Kaspersky Lab and McAfee that provides victims of a ransomware infection with decryption tools to remove ransomware for more than 80 variants of widespread ransomware types, including GandCrab, Popcorn Time, LambdaLocker, Jaff, CoinVault and many others.
Be First to Comment