Understanding What is Ransomware Attack: A Brief Guide

The number of ransomware attacks has been growing steadily for the past years. So have the ransom payments. Experts predict this trend to continue. In this article, we explain what a ransomware attack is and how to protect your data.

Ransomware Basics

Ransomware is a type of malware that encrypts files in a system. It is impossible to retrieve data from them without a decryption key which hackers can provide for the victim in exchange for a hefty sum of money. Recently we’ve seen many new tactics that basically hold the data “hostage” to ensure the ransom is paid.

The first ransomware attack was carried out with AIDS Trojan Horse by evolutionary biologist Dr. Joseph Popp in 1989. He demanded as little as $189 in exchange for the decryption key. Today ransomware payments average in millions of dollars.

Decrypting the files is possible, however, it is a very long and expensive process. The companies that fell victim to ransomware cannot afford to wait for such a long period for their mission-critical data to be recovered. That’s why they usually choose to pay.

Several initiatives to battle this type of malware have been collecting the decryption keys and have made them publicly available for free. Unfortunately, dozens of new ransomware strains emerge every year because it’s very easy to develop.

Ransomware Types

Since its first introduction 30 years ago, ransomware has evolved into one of the most efficient cybercrime tools. Today many ransomware types differ in their impact on the system, their attack type, and extortion techniques.

The most popular ransomware types include:

Cloud (encrypts cloud applications)

Cloud ransomware targets your cloud applications and the data stored in cloud environments. Once an attacker has gained access, they typically encrypt your cloud applications, making the data within inaccessible.

The ransomware strain “Nefilim” is a common and recent example of this kind of attack.

Crypto (encrypts files in the system)

Once they have access to your cloud environment, bad actors can also begin encrypting files individually, instead of mass encryption which can be easier to detect. The attackers then demand a ransom in exchange for a decryption key.

The WannaCry attack in 2017 is one of the most infamous examples. It spread rapidly across the globe, encrypting files on Windows computers and demanding ransom in Bitcoin. The attack affected hundreds of thousands of computers, including systems in healthcare, finance, and other critical sectors.

Full encryption (encrypts all the data)

Full encryption ransomware goes beyond targeting specific files and instead can encrypt all the data on the victim’s system, rendering the entire system unusable until a ransom is paid.

The Petya ransomware discovered in 2016 is a common example, initially appearing as a crypto attack before turning into a full disk encryption. It overwrote the master boot record of infected computers, preventing operating systems from loading, and demanded a ransom for restoring access to the system.

Leakware (steals data before encrypting)

Also known as doxware, leakware steals data from the victim’ system before encrypting it. Attackers will then threaten to relase the stolen data publically or sell it on the dark web if the ransom is not paid. This began the dual-extortion trend, as victims are pressured to pay to prevent sensitive data from being leaked.

In 2020, the REvil ransom group targeted Grubman Shire Meiselas & Sacks, a major entertainment law firm. The attackers were able to exfiltrate and then encrypt sensitive client data, including the personal information of celebrities and other high-profile clients. The group threatened to release this data unless a ransom was paid.

Ransomware-as-a-Service (hackers buy subscriptions to ransomware apps).

Ransomware-as-a-Service, or RaaS, involves hackers providing the ransomware tools and infrastructure to other cybercriminals on a subscription basis. These “clients” pay to use the ransomware to carry out attacks, often sharing a percentage of the ransoms with the service providers.

DarkSide ransomware group operates under a Raas model. In May 2021, they famously targeted the Colonial Pipeline, the largest fuel pipeline in the United States. The attack led to significant fuel supply disruption across the East Coast. The attackers demanded a ransom, which was partially paid by the company to restore operations.

How Ransomware Works

Ransomware can infiltrate the secured IT system via different entry points and attack vectors. Once it has gained access to your network it begins the file encrypting process. Often it happens outside business hours to ensure that the malware has time to affect as many files in the system as possible before anyone notices and takes any actions.

The types of entry points can vary that have generally the same lifecycle, ending with your business locked out of your cloud applications and data until a ransom is paid. Below we cover the common different types of attack vectors, some stand-out statistics and attacks, as well as the stages of the ransomware attack so you educate yourself on what to look out for.

Ransomware attack vectors

Ransomware gets into a victim’s cloud or on-prem system via different “entry points.” There are 4 most popular ransomware attack vectors:

1. Social engineering

This attack vector is probably the most popular one. Social engineering is an attack on the weakest point in any system’s security – the human. In a nutshell, a hacker manipulates people into doing something they do not want to do. Examples include downloading malicious software from email or providing their credentials in a fake app that imitates a legitimate application.

The most widespread social engineering attacks are:

Phishing emails (and their different subtypes, like CEO fraud) with a downloadable file or a link to a malicious
Infected USB flash drives (planted in the office).

This type of attack is carried out in the cloud and on-prem systems.

2. Botnets

Some computers become infected with trojans or other malware due to the lack of antivirus software and visiting risky websites. As a result, they can become a part of a large botnet. At some point, the owner of the botnet might choose to infect the computer with ransomware if they decide that a victim can pay.

3. Account hijack

In certain cases, hackers can steal the credentials of one or multiple accounts in the system to get access to it. There are different ways in which a hacker can “guess” these credentials. It includes getting the right email address. This is easy as many email addresses are either provided online by the company itself or can be purchased from firms that sell outreach lists to sales organizations or marketers.

The password might be trickier to guess. However, the lists of the most popular passwords are available online. According to one such list, there are 4.5M people who use “123456” and another 4M using “admin.”

The two most popular techniques are credential stuffing, keyloggers, and password spraying.

4. Zero-day attacks

A zero-day attack occurs when hackers find a vulnerability in a legitimate SaaS application and exploit it to get access to its user data and IT system to infect it with ransomware. Zero-day attacks gained momentum after most businesses had shifted to the cloud.

Ransomware Trends, Statistics, and Attack Examples

The battle against ransomware is likened to an arms race. As cybersecurity experts come up with new strategies and tools to battle ransomware, hackers invent new ways to make sure their victims pay.

The most recent ransomware trends include:

Multiple extortion;
Intermittent encryption;
Crime reporting.

Multiple extortion
Multiple extortion includes data theft with the subsequent data exposure to the public or on the dark web. In double extortion, criminals only blackmail the victim of the attack. In triple extortion, they also threaten people whose data they have stolen from the victim of the attack. In quadruple extortion, they also threaten to unleash a DDoS attack on the public-facing servers of the victim.
Intermittent encryption
Intermittent encryption is the type of encryption that only targets some of the files in the system (e.g., containing certain keywords or having a certain size). It ensures a faster attack.
Targeting Larger Entities and Critical Infrastructure
Ransomware groups are increasingly targeting larger organizations, including corporations, critical infrastructure, and governmental bodies, due to the potential for larger ransom payouts. These attacks are meticulously planned to disrupt critical operations and exploit the financial capacity of these high-value targets. This trend includes exploiting weaknesses in supply chains and leveraging advanced bots to enhance the sophistication of their attacks
Advanced Programming Languages
Ransomware developers are modernizing their code by using more secure and harder-to-reverse-engineer programming languages like Rust.
Crime reporting.
Crime reporting is when a ransomware gang reports to the authorities about their successful attack. In many countries, companies are mandated by the law to inform a certain government agency about cyber incidents (e.g., SEC in the US).

Some companies try to swipe the ugly truth under the carpet in the hope of avoiding reputational losses and legal implications. Cybercriminals can now threaten to report the crime as leverage in their negotiations with the victim. The disclosure of the attack can also pressure victims to pay ransom.

This tactic is a new thing that emerged in November 2023. It is not yet clear whether it will become a new trend or not. However, in our opinion, it will as there is a great potential to manipulate it in one way or another.

Examples of impactful ransomware attacks in 2023 include:

MOVEit vulnerability exploit
MOVEit is a commonly used file transfer software, and in 2023 a critical vulnerability was discovered that cybercriminals were able to exploit. This zero-day vulnerability allowed hacker group Clop to gain unauthorized access to all the data being transferred across the platform, putting countless businesses at risk of a security leak.
US Marshals Service
Attacks managed to acces sensitive law enforcement data, including personal information about employees and investigativve details. The attack impacted the Technical Operations Group, which tracks fugitives. The hacker group and extent of the date stolen remains unknown
Port of Nagoya, Japan
Japan’s largest port by cargo throughput was targeted by a ransomware attack in 2023, causing significant disruptions to port operations, affecting logistics and supply chains. The port plays a crucial role in Japan’s economy and the ransomware incident had widespread repercussions, highlighting the vulnerablities of critical infarstucture to cyber attacks
Chinese bank ICBC
The ICBC, one of the largest banks in the world, was attacked by ransomware group in 2023, disrupting banking services and compromising sensitive financial information. The incident demonstrated the increasing boldness of ransomware groups in targeting major financial institutions, and hoping for substantial ransom payouts

And here are what we believe to be significant ransomware statistics from 2023 and 2024:

Ransomware attacks increased by 73% from 2022 to 2023, with a total of 4,611 cases reported in 2023.
The average ransom demand in 2023 was $1.54 million, nearly double the 2022 figure of $812,380.
In 2023, 97% of organizations whose data had been encrypted managed to recover it.
Ransomware attacks have risen by 13% in the last five years, with an average cost of $1.85 million per incident.
Organizations in the U.S. are the most likely to be affected by ransomware, accounting for 47% of attacks.
In 2023, 72.7% of all organizations globally fell victim to a ransomware attack.
The average cost of recovering from a ransomware attack in 2023 was $1.82 million, excluding the ransom payment.
Ransomware is identified as the number one concern of the C-suite in 62% of surveyed organizations, up 44% from 2022.
Nearly half (47%) of companies now have a policy to pay ransoms associated with cybersecurity threats, a 13% increase from the previous year.

These statistics highlight the growing threat of ransomware attacks, their increasing financial impact, and the challenges organizations face in dealing with this cybersecurity issue

Check out ransomware examples from the previous years.

Download a full list of ransomware attacks reported on the media.

Stages of a Ransomware Attack

Staying educated on the types of ransomware attacks can help you better prepare your business against them, but understanding the common steps of an attack is equally as important. Below are some common, generalized steps attacks will take when launching an attack and holding your data ransom:

Reconnaissance

Attackers will research potential targets, gather intelligence on their systems and employees, and look for vulnerabilities to exploit.

Initial Access

They then gain entry to the target network, typically through phishing emails, found vulnerabilities, or using stolen credentials.

Command and Control

Attackers then launch their malware and establish a connection with attackers’ servers

Privilege Escalation

Now spreading malware through the victim’s network, attackers work to gain higher-level permissions to gain access to sensitive data.

Encryption

The ransomware then encrypts files across the network and locks users out of their systems

Extortion

Attackers then deploy a ransom note, demanding payment in exchange for the decryption keys while also threatening to leak the stolen data.

Staying informed and understanding the steps attackers take can significantly enhance your protection against these threats, with the combination of implementing effective and robust security measures. Remaining vigilant of unusual behavior, educating your team, and ensuring your security protocols are some of the most effective steps in safeguarding your business data.

Ransomware Prevention Tips for Your Organization

In this section, we discuss the best practices for safeguarding your business systems against ransomware. Get our full guide on ransomware prevention.

Employee training and awareness

As mentioned above, your users will be your weakest link in the security system. People make errors if they’re under stress, have their attention elsewhere, or simply lack knowledge. Empower them with information about ransomware, how it works, and proliferates.

Employee awareness is the first layer of defense against ransomware.

Regular data backup

Data backup is essential when you’re dealing with malware that can cause a massive data loss in your system. You can always recover data once you eliminated the attack source. Keep in mind though, that data recovery will take weeks in the cloud environments.

Strong access control

Imposing multifactor authentication, and strong passwords, and making users change them regularly can minimize the risk of account hijacking. However, access control doesn’t end here.

The zero-trust approach should be your next step. This approach stipulates that every user in your system should have minimal access to the data, just enough to do their job, not more. It will minimize the risk of data extortion in case your hacker uses an account hijack.

Third-party apps control

The control over the applications that have OAuth access to your data can prevent SaaS ransomware from accessing your system. It can also eliminate the risky applications that don’t have good security and don’t patch regularly (and thus are more susceptible to vulnerability exploits).

Third-party ransomware prevention tools

Third-party ransomware prevention tools will become your last layer of defense in case all the previous defenses fail. We suggest using AI-based solutions that analyze data behavior in the system. These tools have the least number of false positives and can detect an attack minutes after it begins.

Learn how to choose the ransomware prevention tool for your organization.

SpinOne - the best tool for terminationg Ransomware attack — SpinOne Ransomware Protection

SpinOne – the Ultimate Ransomware Protection Solution

SpinOne SaaS Ransomware Detection and Response is the ultimate solution to battle cloud ransomware that infects Microsoft 365 and Google Workspace.

SpinOne utilizes AI that monitors your data behavior 24/7 and detects a ransomware attack within minutes after it has begun. The tool immediately alerts your IT security team. Next, it identifies the source of the attack and revokes the ransomware’s access to your system.

After the attack has been successfully terminated, SpinOne recovers the data from an in-built backup solution protected from ransomware intrusion. All these steps are done automatically without any human intervention. Usually, by the time your IT security team has logged in to the system, the attack is over and the data is recovered.

Try SpinOne

FAQ

What are some popular ransomware variants?

Some of the most infamous ransomware variants so far include:

WannaCry. Notorious for its global impact in 2017, exploiting Windows vulnerability and spreading rapidly.

Locky. Known for encrypting files with the .locky extension and distributing through malicious email attachments.

CryptoLocker. Originating in 2013, it stands as one of the initial and notable ransomware variations that required payments in Bitcoin.

Ryuk. Targets large organizations and demands high ransom payments. Often associated with advanced persistent threat (APT) actors.

Conti. A variant of Ryuk, Conti is known for its association with high-profile attacks on healthcare organizations.

NotPetya (ExPetr). Initially thought to be a variant of Petya, NotPetya turned out to be a destructive wiper disguised as ransomware.

How can I protect against ransomware?

To protect your organization from ransomware, do the following:

Defend against prevalent ransomware attack vectors by deploying endpoint protection featuring anti-exploit capabilities. Utilize zero-trust network access (ZTNA) to thwart the misuse of compromised credentials. Establish robust user access protocols and authentication policies to reduce the risk of unauthorized data infiltration.

Do regular backups. While backups cannot thwart a ransomware attack, they can mitigate the impact if one occurs. Therefore, consistently create multiple copies of your data using diverse storage mediums, and ensure that at least one of these copies is stored off-site to provide protection against potential physical damage to your on-site systems.

Use technologies that ensure ransomware detection and response. Consider using an automated AI-driven system such as SpinOne Ransomware Protection. SpinOne incorporates AI-based cybersecurity measures that back up and recover files that might have been exposed to ransomware.

Maintain good security hygiene. Ensure timely patching of your applications and regularly review security tool configurations.

How can I reduce the attack surface against ransomware?

Reducing the attack surface is one of the best ways to protect against ransomware. Consider implementing the following best practices to reduce the attack surface against ransomware:

Assume zero trust. Access to your resources should only be granted once a user has successfully verified their identity and ensured the security of their device.
Create strong user access protocols and authentication policies. Implement advanced measures like Single Sign-On (SSO) and multi-factor authentication (MFA) to guarantee that only authorized accounts gain access to applications.
Monitor network activity. Conduct regular scanning of your active domains, IP addresses, endpoints, and usage patterns that may not be readily visible.
Segment your networks. Perform the network segmentation based on the business role or sensitivity of data to be able to isolate attacks and thereby prevent their spread.
Update your systems regularly. This would prevent ransomware variants such as WannaCry and REvil from exploiting unpatched software and OS vulnerabilities.
Encrypt your data. Strong encryption policies will protect data at rest, in storage, and in use from being exposed if attackers get their hands on it.
Protect your backups. Use strict protection protocols to keep these backups safe from those who might harm you.
Train your workforce about how to spot phishing, social engineering, and other types of malicious activity.

Can you provide some examples of ransomware attacks?

Some of the most infamous examples of the ransomware attacks of recent years include the following:

Ransomware attack on US Marshals Service, February 2023. The breach affected a computer system containing sensitive law enforcement data. Stolen data comprised employees’ personally identifiable information, returns from legal processes, administrative details, and personally identifiable information related to subjects of USMS investigations and third parties.
DarkSide ransomware attack on the Colonial Pipeline (May 2021, $ 4,4, million lost). The company, which operates a major fuel pipeline in the United States, fell victim to the DarkSide ransomware. The attack disrupted the pipeline’s operations, leading to temporary shutdowns and causing significant disruptions in fuel supply along the U.S. East Coast. The attackers demanded a ransom payment in Bitcoin. The incident highlighted the vulnerabilities of critical infrastructure to cyber threats and prompted discussions on cybersecurity measures and incident response strategies for such crucial systems.
NotPetya ransomware attack on Ukraine (2017, $10 billion lost globally). While over 60 nations experienced the impact, the attack mainly targeted France, Germany, and Ukraine. Ukraine bore the brunt of these attacks, sustaining about 80% of the attacks. The cyber incident affected the country’s computer systems, along with networks managed by private firms and electric utilities.

What should I do if I’m a victim of a ransomware attack?

Refer to CISA best practices below to effectively mitigate the risk associated with ransomware and facilitate a well-coordinated and streamlined response to a ransomware incident within your organization:

Determine which systems were impacted, and immediately isolate them.
If you cannot disconnect devices from the network, shut them down to prevent the ransomware infection from spreading further.
Report the incident to law enforcement agencies, such as local police and cybercrime units.
Do not pay the ransom. Paying does not guarantee the recovery of files, and it may encourage further criminal activities.
Assess the damage by determining which systems and data are affected. This assessment is crucial for recovery planning.
Follow notification requirements according to your cyber incident response plan to involve internal and external teams and stakeholders. Ensure they comprehend their roles in aiding the mitigation, response, and recovery efforts following the incident.
Take a system image and memory capture of a sample of affected devices (e.g., workstations, servers, virtual servers, and cloud servers).
Apply mitigation steps including restoring data from backups, applying security updates, changing passwords, etc.

Was this helpful?

Thanks for your feedback!