What is Ransomware? An Easy To Understand Guide

By: Kris Lahiri, Chief Security Officer


If you’re reading this, you’re probably wondering, what exactly is ransomware? Ransomware is a dangerous form of malware that locks users out of their files or their device, then demands an anonymous online ransom payment to restore access.

If you think your business isn’t susceptible to an attack, take this quote into consideration. “There are only two kinds of companies. Those that have been hacked, and those that will be hacked.” This oft-repeated saying originated at the RSA Cyber Security Conference in 2012 in a talk by FBI Director Robert S. Mueller.

The ways organizations get hacked vary, but analysts, press, and vendors agree—ransomware leads the pack of security threats. Studies consistently show that the scale and cost of ransomware continue to grow.

In this guide, we’ll address the basics of ransomware in terms of what, why, who, and how this type of malware can affect your business. We’ll then explain how a data-centric security and prevention system like Egnyte can help keep attacks from taking down your network.

What Size Organizations Are Most Susceptible to Ransomware?

At the highest level, this answer is simple: ‘everyone!’ From small businesses to medium-sized companies, all the way up to enterprises and organizations, nobody is in the clear when it comes to ransomware.

However, when you dig into the details, the answer can become much more complicated. Depending on the perception of value a criminal hacker may have regarding your data, you may be more or less susceptible to an attack.

Other factors include how critical it is that you respond quickly to a ransom demand, how weak your security posture is, and how consistently you keep employees trained about phishing emails and other ransomware tactics.

Why Large Organizations Must Understand How Ransomware Protection Works

Large enterprises tend to attract “big-game hunters.” These cybercriminals target the organizations that have the funds or insurance to pay a ransom. Sophisticated attacks and patience are the hallmarks of big-game hunters. They usually operate as a group and can spend months inside an organization preparing for a ransomware assault. The Cyber Front Lines Report says, “average dwell time grew 10 days to 95 in 2019, up from 85 in 2018.” Their efforts have been lucrative, with an average payment of $41,198, as of Q3 2020, and larger enterprises facing demands over $1 million.

The US was hit by a barrage of ransomware attacks in 2019 that impacted at least 948 government agencies, educational establishments and health-care providers at a potential cost in excess of $7.5 billion.

Multinational manufacturers and US city and county governments spent more than $176 million responding to the biggest ransomware attacks of 2019, spending on everything from rebuilding networks and restoring backups to paying the hackers ransom.

Michael Novinson, CRN

Small and Mid-Size Businesses Must Also Learn How To Prevent Ransomware

Small and midsize enterprises (SMEs)—from mom-and-pop businesses and small municipal agencies to multi-location companies and larger government organizations with hundreds of employees—are attractive targets to cybercriminals. This is due to the number of SMEs and their predictable cybersecurity weaknesses.

The World Bank says, “They represent about 90 percent of businesses and more than 50 percent of employment worldwide.” Despite admirable achievements, SMEs generally do not dedicate IT resources to cybersecurity and inevitably have technical vulnerabilities. And, human nature is a vexing vulnerability.

SMEs become targets not only to harvest their content, but also to gain access to partners’ and clients’ content and systems. In May 2020, a ransomware attack on M.J. Brunner, a technical services vendor, leapfrogged to its client SEI Investments Co. Once the ransomware had moved from M.J. Brunner to SEI, it attacked SEI’s clients—among them Pacific Investment Management Co. (Pimco), Fortress Investment Group LLC, and Centerbridge Partners. Although compliance agreements between clients and vendors abound, SMEs’ vulnerabilities often make them the first rung on the ladder for ransomware.

  • 61% of companies experienced ransomware attacks
  • 70% of companies paid ransom
  • 72% of respondents said that attackers had evaded intrusion detection systems
  • 82% of respondents said that attackers had evaded anti-virus solutions
  • 79% of respondents said that ransomware attacks were from phishing/social engineering

The State of Cybersecurity in Small & Medium Size Businesses
Ponemon Institute

How Recent Ransomware Attacks Have Succeeded

Ransomware attacks succeed despite the numerous security tools that most organizations have in place. Cybercriminals circumvent security systems and take advantage of the inherent weaknesses of people. Attackers favor humans as the entry point because criminals of all stripes successfully exploit their vulnerabilities. Despite training, common sense, and perpetual warnings, people remain susceptible to ransomware.

Attackers use social engineering to trick people into engaging. The top four methods that have worked for recent ransomware attacks are: lack of attention to detail, trust without verification, curiosity, and fear.

  1. Lack of attention to detail

    At a glance, the message seems to be offering a person something that they had asked for or were interested in exploring.

  2. Trust without verification

    The message appears to come from a trusted source with a call to action that seems reasonable.

  3. Curiosity

    An enticing offer presented when someone is busy overrides second thoughts about the legitimacy of the message.

  4. Fear

    A threat, commonly related to a late payment or a law enforcement agency message, scares someone into falling for the attack.

Also, security systems require near-constant attention and maintenance to sustain an effective security posture. Even with dedicated security teams, this remains a tall order for most organizations. These weaknesses in security and IT systems are exploited to perpetrate ransomware attacks.

3 Ransomware Attack Methods Used By Cybercriminals

1. Malicious Email

The social engineering ploys noted above lure people into clicking and unwittingly unleashing ransomware via email. An unsolicited message delivers ransomware through infected attachments or links to malicious websites.

Ransomware email screenshot

2. Malicious Pop-Ups

More insidious are malicious advertising and pop-ups delivered while a person browses a website—even legitimate ones. Again targeting people’s inherent vulnerabilities, these ads can trick even the most vigilant. Malicious ads are often disguised as legitimate ads or, ironically, a security notification. Triggers to start the ransomware download can also be sneaky, such as clicking the “x” to close the pop-up or even rolling over the ad.

In 2017, a ransomware named Bad Rabbit infected websites and asked visitors to click to install Adobe Flash. Kaspersky Labs describes the attack. “While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure.”

3. Infected USB Memory Sticks

Perpetrators also use infected USB memory sticks to deliver ransomware to a device. A busy person grabs a USB flash drive that carries the ransomware, and the spread starts—from the first system to any subsequent ones and to systems connected to the network.

Try2Cry, launched in July 2020, initially looked for connected removable drives and inserted itself into the root folder of the USB flash drives. Malware Guide calls this crypto ransomware, which compromises all kinds of content, “a dangerous and lethal file-encrypting virus that has been created to intimidate and receive ransom money from victimized users.”

Sprawling Ransomware Attack Surface

Ransomware targets any vulnerable device, but it focuses on those connected to networks. This increases the reach of the ransomware and the potential size of the demand.

People get hit on their commonly used connected devices, primarily desktops, laptops, phones, and tablets. The recent spike in the number of connected devices, often used on unsecured home networks, creates an enticing attack surface for ransomware as organizations struggle to provide adequate security. And organizations know that behind this porous perimeter lies the content they depend on for day-to-day use, compliance, and backup.

Seventy-six percent of IT executives are concerned about unstructured data sprawl, and more than half say remote work is the main culprit.

Away from the office, nearly a third of employees are accessing corporate files through unsecured WiFi networks and on personal devices with no password requirements. This is a big problem because a large portion of these files contain sensitive information.

Fall 2020 Data Governance Trends Report

5 Dangerous Types of Ransomware

Content and systems mostly fall prey to two types of ransomware—locker ransomware and crypto ransomware. Others include scareware and doxware.

#1 Locker Ransomware

Locker ransomware takes over an operating system then locks the device’s user interface to prevent access to computing resources—except for a communication channel with the attacker. WannaCry, a locker ransomware that spread across 150 countries in 2017, was estimated to have caused $4 billion in financial losses.

#2 Locky Ransomware

Locky ransomware was released in 2016. It was delivered by email with an attached Microsoft Word document containing malicious macros (in the form of an invoice requiring payment). When the user opens the document, it appears to be full of gibberish and includes the phrase “Enable macro if data encoding is incorrect,” a social engineering technique.

If the user does enable macros, the macros save and run a binary file that downloads the actual encryption Trojan, which encrypts all files that match particular extensions. Filenames are converted to a unique 16-character combination of letters and numbers. Initially, only the .locky file extension was used for these encrypted files.

Subsequently, other file extensions have been used, including .zepto, .odin, .aesir, .thor, and .zzzzz. After encryption, a message (displayed on the user’s desktop) instructs them to download the Tor browser and visit a specific criminal-operated Web site for further information.

The Web site contains instructions that demand a payment of between 0.5 and 1 bitcoin (as of November 2017, one bitcoin varies in value between $9,000 and $10,000 via a bitcoin exchange).

Since the criminals possess the private key, and they control the remote servers, the victims are motivated to pay to decrypt their files.

#3 Crypto Ransomware

With crypto ransomware, the impacted device can be accessed, but the files are encrypted. The attacker threatens that all content in the files and folders will remain encrypted until they receive the ransom payment. UCSF networks within the School of Medicine IT environment were attacked in June 2020, and data described as “important to some of the academic work we pursue as a university serving the public good” was encrypted. The university paid $1.4 million to recover the data.

Reach of Ransomware Continues to Grow
Ransomware cases doubled in the first quarter of 2020.

Out of 121.2 million recorded ransomware attacks, 79.9 million were recorded in the US and 5.9 million in the UK.

Channel Pro

#4 Doxware

Also referred to as extortionware, doxware encrypts personal content (e.g., contacts, photos, messages, files) then threatens to make it public unless the attacker receives the ransom payment. In July 2020, the University of Utah paid $457,000 ransom to prevent the release of student and employee information.

#5 Scareware

Scareware commonly appears as a warning from security software that payment must be made to fix or remove a problem. Unlike locker ransomware or crypto ransomware, scareware only presents annoying pop-up messages. Below is an example of scareware from “SpySheriff.”

Ransomware scareware screenshot

Ransomware-as-a-Service (RaaS)

Based on the SaaS model, RaaS offers criminals the use of ransomware tools for a fee. Cybercriminals create ransomware then provide access to it along with tools and instructions to launch attacks. Depending on the RaaS provider, criminals pay for the use of the ransomware and share a portion of the ransom—service fees can be high. The RaaS crypto ransomware, Satan, takes 30% of the ransom collected.

RaaS makes ransomware easily accessible to criminals with novice hacker resources. Would-be cybercriminals find RaaS options, such as Satan, on the Dark Web and sign up to join the platform just as they would with legitimate SaaS solutions. Once their subscription is set up, they gain access to the malicious code as well as instructions on how to execute their ransomware attack. With the ready availability of RaaS offerings, there is little to no barrier to entry—any organization’s content and systems can be targeted.

Ripple Effect of a Ransomware Attack

In Simi Valley, California, Wood Ranch Medical (WRM) was delivered a death blow by a ransomware attack in August 2019. A month later, with her patients’ health records encrypted and no way to restore them, Dr. Shayla Kasel (founder and owner of WRM) announced that she would permanently close WRM’s doors on December 17. (Happy holidays to the patients and employees of WRM—NOT.)

Victim of ransomware

Dr. Kasel, along with her staff, lost their jobs, and patients found themselves without a healthcare provider for their families. And while it is believed that no personally identifiable information (PII) was taken, almost 6,000 patients had to interrupt their holiday season to find a new doctor and set up monitoring services to protect themselves. Another blow was that patients lost their health records.

3 Ways To Protect Yourself From Ransomware Attacks

Deploy an effective defense against this type of malware with:

  1. Prevention

    Have systems in place that protect the essential assets—content. Prevention goes beyond firewalls and anti-virus solutions. It includes data protection, regardless of where it resides (e.g., file storage, applications, devices), and data governance to maintain data stores’ health and safety.

  2. Remediation

    Be prepared to act as soon as an issue is detected. Neutralize the attack and restore systems and data without additional disruption—surgical restoration rather than a blanket rollback.

  3. Monitoring and Maintenance

    Early detection can stop an attacker before damage is done or minimize the impact of an attack. Monitoring should leverage machine learning to analyze user behavior, and it should include signature-based detection. Maintenance should encompass both systems and content. Only content in-use should be accessible. Once it has served its purpose, content should be permanently deleted or encrypted and archived.
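As an added illustration (not code from this page or from Egnyte), the following Python script combines the two detection ideas this guide mentions: a signature check for the Locky naming convention described earlier (16-character letter/number names with the listed extensions) and a simple behavioral check for a burst of renames by one user, run over a few constructed file-audit log lines. The log format, the burst threshold, and the user names are assumptions.

```python
import re
from collections import defaultdict

# Extensions the guide lists for Locky-encrypted files; Locky renames each file
# to a 16-character letter/number name plus one of these, which the regex encodes.
LOCKY_EXTENSIONS = ("locky", "zepto", "odin", "aesir", "thor", "zzzzz")
LOCKY_NAME = re.compile(r"^[A-Za-z0-9]{16}\.(" + "|".join(LOCKY_EXTENSIONS) + r")$")
# Behavioural threshold (assumption, tune per environment): this many renames by
# one user inside a single 60-second window is treated as a burst.
BURST_THRESHOLD = 5

# Constructed file-audit log lines, not real data. Assumed format:
# "<epoch> <user> <action> <old path> -> <new path>".
SAMPLE_LOG = [
    "1605500000 alice RENAME /share/q3.xlsx -> /share/A1B2C3D4E5F6A7B8.locky",
    "1605500005 alice RENAME /share/notes.docx -> /share/Z9Y8X7W6V5U4T3S2.zepto",
    "1605500010 alice RENAME /share/plan.pdf -> /share/0F1E2D3C4B5A6978.thor",
    "1605500015 alice RENAME /share/budget.xlsx -> /share/ABCDEF0123456789.odin",
    "1605500025 alice RENAME /share/img.png -> /share/FEDCBA9876543210.zzzzz",
    "1605500030 alice CREATE - -> /share/_HELP_instructions.txt",
    "1605500100 bob RENAME /share/draft.docx -> /share/final.docx",
]

def is_locky_name(filename: str) -> bool:
    """Signature check: does the basename follow the Locky naming convention?"""
    return LOCKY_NAME.match(filename) is not None

def parse_event(line: str):
    """Split one log line into (timestamp, user, action, old_path, new_path)."""
    ts, user, action, rest = line.split(" ", 3)
    old, new = rest.split(" -> ", 1)
    return int(ts), user, action, old, new

def analyze(log_lines):
    """Per user: count signature hits and flag rename bursts (behavioural check)."""
    renames = defaultdict(lambda: defaultdict(int))  # user -> 60 s window -> count
    hits = defaultdict(int)
    for line in log_lines:
        ts, user, action, _old, new = parse_event(line)
        if action != "RENAME":
            continue  # only renames feed either check
        renames[user][ts // 60] += 1
        if is_locky_name(new.rsplit("/", 1)[-1]):
            hits[user] += 1
    return {
        user: {"signature_hits": hits[user],
               "rename_burst": max(windows.values()) >= BURST_THRESHOLD}
        for user, windows in renames.items()
    }
```

On the sample log, alice is flagged on both checks while bob’s single ordinary rename is not; in practice the behavioral check catches a new family whose extensions have not yet been added to the signature list.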

Be proactive and assess the state of your security profile to identify the gaps. Find a solution that addresses deficiencies in a way that does not overburden your IT staff or require workflow changes from other team members.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of users worldwide.

Get started with Egnyte.


Last Updated: 16th November, 2020
