What is Ransomware? Definition & Examples

Ransomware is malware that encrypts or steals an organization’s data with the goal of demanding a ransom. The logic behind this attack is that companies may be willing to pay a ransom to get the decryption key needed to restore their data or to prevent an attacker from releasing stolen, sensitive data.

Ransomware has quickly emerged as one of the most significant cybersecurity threats that companies face. In 2023, 66% of surveyed companies reported being hit by ransomware, and the average ransom demand was $1.54 million. Major incidents that year included an attack on the U.S. division of the Industrial and Commercial Bank of China (ICBC), which disrupted the trading of U.S. Treasury securities, and an attack on the U.K.'s Royal Mail, which halted its international deliveries.

How Does Ransomware Work?

At its core, the goal of ransomware is to make money for an attacker by threatening an organization’s data. A ransomware attack can be broken up into three main stages: the initial infection, data encryption or exfiltration, and the final ransom demand.

Infection

Ransomware can gain access to a computer in various ways. Some of the most common ransomware infection vectors include:

  • Phishing emails: Phishing emails can deliver ransomware via infected attachments or links to malicious websites. Alternatively, they can be used to collect login credentials used to access target systems and plant ransomware.
  • Compromised accounts: The rise of remote work has resulted in companies making their IT environments remotely accessible. If an attacker gains access to a user account via compromised credentials, they can plant and execute their malware themselves.
  • Trojan horses: Trojan horses are malware that are designed to look like legitimate and desirable files. Trojan ransomware can be hosted on a phishing website and trick users into downloading and running the malware while believing that it is a legitimate file.
  • Vulnerability exploitation: Some ransomware spreads itself by exploiting software vulnerabilities. For example, WannaCry used the EternalBlue exploit against a Windows SMBv1 vulnerability (patched by MS17-010) to spread from system to system with no user interaction at all.

Regardless of the attack vector used, the goal is to install and execute the malware on a corporate device. The ransomware may then try to access other systems to spread out its effects or to gain access to high-value systems and data.

Encryption and Exfiltration

While ransomware has evolved, the goal has always been to make money for the attacker. Initially, this was accomplished solely through data encryption. Once running on an infected computer, the ransomware identifies and encrypts the user's files. Modern families do this with hybrid cryptography: each file (or each victim) gets a fresh symmetric key, and that key is in turn encrypted with a public key embedded in the malware. Only the attacker holds the matching private key, so the symmetric keys cannot be recovered from the infected machine, and victims are forced to pay to regain access to their files.

Over time, many ransomware groups have shifted focus from data encryption to data theft. These attackers will exfiltrate data from an infected organization’s systems and demand a ransom payment to not leak the stolen data publicly or sell it on the Dark Web.
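The visible effect of the encryption stage is a burst of files that have been rewritten as high-entropy data and renamed with an unfamiliar suffix. The script below is an added example (not Cato code) of how a defender can detect that effect on disk: it measures the Shannon entropy of the start of each file and combines it with an extension check, so that legitimately random-looking files such as archives and images are not flagged. The entropy threshold, the extension lists and the sample directory are assumptions constructed for the demo.

```python
"""Flag files that look like ransomware output: high byte entropy plus an
extension a workstation should not be producing in bulk.
Added example, not Cato code; thresholds and sample files are assumptions."""
import math
import os
import secrets
import tempfile
from collections import Counter

# 8 bits/byte is the maximum; compressed and encrypted data sit close to it,
# so entropy alone is not enough and the extension check cuts the noise.
ENTROPY_THRESHOLD = 7.5
# Suffixes seen on files after a ransomware run (assumed list for the demo).
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc", ".ryk", ".lockbit"}
# Containers that are legitimately high-entropy and should not be flagged.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for uniform content, 8.0 for uniform noise."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_suspicious(path: str, sample_size: int = 65536) -> bool:
    """High entropy on the first sample_size bytes AND an extension that is
    either a known ransomware suffix or not a known high-entropy container."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if len(head) < 256:  # too little data for the entropy estimate to mean anything
        return False
    if shannon_entropy(head) < ENTROPY_THRESHOLD:
        return False
    return ext in SUSPECT_EXTENSIONS or ext not in HIGH_ENTROPY_OK


def scan_tree(root: str):
    """Return (sorted suspicious paths, Counter of their extensions)."""
    hits = []
    by_ext = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_suspicious(path):
                hits.append(path)
                by_ext[os.path.splitext(name)[1].lower()] += 1
    return sorted(hits), by_ext


def build_sample_tree() -> str:
    """Constructed sample: two plain documents, one archive that is
    legitimately random, and two files a ransomware run would have left."""
    root = tempfile.mkdtemp(prefix="rw-demo-")
    with open(os.path.join(root, "budget.txt"), "w") as fh:
        fh.write("quarterly budget figures\n" * 200)
    with open(os.path.join(root, "notes.md"), "w") as fh:
        fh.write("meeting notes, action items, follow-ups\n" * 100)
    with open(os.path.join(root, "archive.zip"), "wb") as fh:
        fh.write(secrets.token_bytes(4096))           # random stand-in for zip data
    with open(os.path.join(root, "budget.xlsx.locked"), "wb") as fh:
        fh.write(secrets.token_bytes(4096))           # "encrypted" spreadsheet
    with open(os.path.join(root, "notes.docx.ryk"), "wb") as fh:
        fh.write(secrets.token_bytes(4096))           # "encrypted" document
    return root


if __name__ == "__main__":
    hits, by_ext = scan_tree(build_sample_tree())
    for hit in hits:
        print("suspicious:", hit)
    print("suspect extensions:", dict(by_ext))
```

The extension tally is useful beyond detection: the suffix the malware appends is one of the quickest indicators for identifying the family during response. A production version would run on file-close events from an EDR or file server rather than a full walk, and would treat a sudden spike in hits from one user account as the trigger to isolate that host.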

Ransom Demand

After the attacker has encrypted or stolen the victim’s data, they move on to a ransom demand. Typically, this requires payment via cryptocurrency, which is more difficult to trace than wire transfers or other traditional financial transfers.

After negotiations are complete, the organization may decide to pay the final ransom demand. If they do so, the ransomware gang should provide the decryption key or delete the stolen data. However, there is no guarantee that the cybercriminals will follow through on their promises. Many ransomware victims have paid and not received a working decryption key in response. Also, even if an organization pays, attacker-supplied decryptors are often slow or buggy, so it may not be able to fully restore all encrypted data.

Types of Ransomware Attacks

At a high level, the various ransomware groups have the same goal: encrypting or exfiltrating data to force the victim to pay a ransom. However, many different ransomware groups are in operation, each with its own malware and techniques. Some of the most significant ransomware groups include:

Ryuk

Ryuk is a high-profile ransomware variant that targets large enterprises. Its operators typically gain access via phishing, often through an earlier Emotet or TrickBot infection, or by exploiting exposed services, and then deploy Ryuk manually once they control the domain.

Maze

Maze was one of the first ransomware groups to add data exfiltration and a public leak site to its technique, the tactic now called double extortion. This increased the threat to victims since they are also at risk of a data breach even if they can restore from backups.

REvil/Sodinokibi

REvil is known for operating under a Ransomware as a Service (RaaS) model. Under this model, affiliates deploy the malware to target organizations and split ransom payments with the ransomware group.

Lockbit

Like REvil, Lockbit operates under a RaaS model, using affiliates to increase the number of organizations infected by the malware. Additionally, Lockbit's ransomware is known for its rapid data encryption, achieved in part by encrypting only a portion of each file so that the run completes before defenders can react.

DearCry

DearCry ransomware appeared in March 2021 and was deployed by exploiting the ProxyLogon vulnerabilities in on-premises Microsoft Exchange Server.

Lapsus$

Lapsus$ is an extortion group rather than a ransomware operator in the strict sense: it focuses on data exfiltration and rarely deploys an encryptor at all. The group has an international membership and has performed many high-profile attacks, typically gaining access through social engineering of employees and help desks.

BlackCat/ALPHV

Like many other ransomware groups, BlackCat performs double extortion, including data exfiltration as well as data encryption. BlackCat was one of the first major ransomware families written in Rust, which lets a single codebase target Windows as well as Linux and VMware ESXi hosts.

Clop

The Clop ransomware group performs "triple extortion" attacks, going beyond data encryption and exfiltration. In these attacks, the ransomware group also contacts or goes after the victim's contractors, partners, etc. to increase the pressure to pay the ransom. Clop is also known for mass-exploitation campaigns against file-transfer products (Accellion FTA, GoAnywhere MFT, MOVEit Transfer) in which data was stolen from hundreds of organizations without any encryption at all.

Preventing Ransomware Attacks

A successful ransomware infection can be an expensive and damaging security incident for an organization. However, there are numerous steps that organizations can take to reduce their risk of a ransomware infection.

Regular data backups

Traditionally, ransomware attacks have focused on data encryption. By encrypting a victim’s data, the cybercriminal denies them access to it and forces them to pay a ransom to regain access. Backups provide an alternative method for an organization to restore its data without paying the ransoms. 

Backups should be performed regularly, and at least one copy should be kept offline or on immutable storage (write-once media, or object storage with object lock and versioning) that cannot be reached with the credentials on an infected host. The backup system should use separate credentials so that a compromised domain administrator cannot delete or encrypt it, and restores should be tested on a schedule, since a backup that has never been restored is unverified.
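The practical question during an incident is whether a backup set can still be trusted. The script below is an added example, not Cato code, of one way to answer it: build a manifest of SHA-256 digests when the backup is taken, protect the manifest with an HMAC whose key is kept off the backup host, and verify the set against that manifest before restoring. The key constant, the directory layout and the tampering scenario are assumptions constructed for the demo.

```python
"""Manifest-based integrity check for a backup set.
Added example, not Cato code. MANIFEST_KEY is a placeholder: in practice
the key lives off the backup host (vault, HSM, or the immutable-storage side)."""
import hashlib
import hmac
import json
import os
import tempfile

MANIFEST_KEY = b"assumed-secret-kept-off-the-backup-host"


def _file_sha256(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _relpaths(root: str):
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(root: str) -> dict:
    """Map relative path -> sha256, plus an HMAC over the map so that whoever
    rewrites the files cannot simply rewrite the manifest to match."""
    files = {rel: _file_sha256(full) for rel, full in _relpaths(root)}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(MANIFEST_KEY, body, "sha256").hexdigest()}


def verify_backup(root: str, manifest: dict) -> list:
    """Return a sorted list of problems; an empty list means the set is intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: manifest was altered or key is wrong"]
    problems = []
    for rel, digest in manifest["files"].items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            problems.append(f"missing: {rel}")
        elif _file_sha256(full) != digest:
            problems.append(f"modified: {rel}")
    for rel, _full in _relpaths(root):
        if rel not in manifest["files"]:
            problems.append(f"unexpected: {rel}")   # e.g. a dropped ransom note
    return sorted(problems)


def demo():
    """Constructed scenario: take a backup, verify it, then simulate ransomware
    reaching the backup share (one file encrypted, one deleted, a note dropped)."""
    root = tempfile.mkdtemp(prefix="bk-demo-")
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "finance", "ledger.csv"), "w") as fh:
        fh.write("date,amount\n2024-01-01,100\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("backup set\n")
    manifest = build_manifest(root)
    clean = verify_backup(root, manifest)

    with open(os.path.join(root, "finance", "ledger.csv"), "wb") as fh:
        fh.write(os.urandom(64))                      # "encrypted" in place
    os.remove(os.path.join(root, "readme.txt"))       # deleted
    with open(os.path.join(root, "READ_ME_TO_RECOVER.txt"), "w") as fh:
        fh.write("your files are encrypted\n")        # ransom note
    tampered = verify_backup(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("before tampering:", clean or "OK")
    print("after tampering:", tampered)
```

Storing the manifest next to the data is fine only because the HMAC key is not there; an attacker who can rewrite both the files and the manifest still cannot produce a valid MAC. Immutable storage adds the complementary guarantee that the original objects cannot be rewritten at all.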

Email scanning

Phishing emails are one of the most common methods for delivering ransomware. The malware can be attached to the email or delivered via a malicious website indicated by the email. Alternatively, phishing emails can be used to steal employee credentials that provide attackers with the required access. 

Email scanning solutions can help to identify and block phishing emails from reaching an employee’s inbox. These can detect ransomware attached to an email, inspect the targets of embedded links, or use natural language processing (NLP) to identify likely phishing content in the text of an email.

Keeping software and systems up-to-date

Ransomware can also spread itself independently by exploiting unpatched vulnerabilities. The WannaCry ransomware cryptoworm is famous for this, taking advantage of a vulnerability in Windows SMB to spread around the world in May 2017, two months after Microsoft had released the MS17-010 patch for it. Often, ransomware like WannaCry uses known vulnerabilities for which a patch is readily available.

Promptly applying these updates when they are published can help to close the window during which a ransomware attacker can use them to infect a computer.

Vulnerability scanning

Patch management is an important part of ransomware prevention. However, it is only effective if the organization knows that a vulnerability and a related patch exist. 

Regular vulnerability scans — along with periodic penetration tests — can help an organization identify unpatched vulnerabilities and other potential security gaps in its network. This information can be used to develop a remediation plan geared toward minimizing the risk of ransomware and other cyber threats.

Access management

Ransomware can also gain access to an organization's devices via compromised credentials. This risk has increased with the rise of remote work, which requires remote access to networks, systems, or applications. If a user has a weak password or one compromised via phishing or similar means, then a ransomware group can hijack their credentials and use remote access to connect to and plant ransomware on an organization's systems.

Organizations can manage the risk of compromised accounts by implementing access control best practices. For example, the use of multi-factor authentication (MFA), ideally a phishing-resistant form such as FIDO2 security keys, or passwordless authentication can increase the difficulty for an attacker to steal and abuse an employee's authentication credentials. Remote access paths such as VPN and RDP should never be exposed with password-only authentication.

User privilege management

Along with abusing access to an employee's account, ransomware groups commonly take advantage of excessive permissions to carry out their attacks. For example, an attacker may exploit the fact that the compromised user has access to high-value systems or databases, or holds administrative rights that allow the ransomware to be pushed to every machine in the domain.

Users’ access and privileges should be managed based on the principle of least privilege, which states that a user, device, or application should only have the minimum set of permissions required to do its job. By implementing least privilege, an organization reduces the damage that can be done using a compromised account and a ransomware group’s ability to use it to achieve its goals.

Employee education

Many common methods of distributing ransomware target the employee. For example, phishing attacks can be used to trick a user into installing ransomware, or an attacker may attempt to guess or steal credentials to log into a user’s account.

Employee education can be an invaluable tool for reducing an organization’s exposure to ransomware. Employees should be trained on the common techniques used to deliver ransomware, how to identify potential malware, and best practices for responding to a suspected ransomware infection, such as promptly reporting it to the corporate security team.

Network segmentation

Ransomware is designed to maximize the potential profit for an attacker. Often, this involves seeking out systems that contain high-value data to encrypt or steal. Maximizing the impact of a ransomware infection may require the malware to move laterally through a corporate network from an initial infection point – likely an employee workstation – to one of these high-value targets. 

Network segmentation can make this lateral movement more difficult by dividing the network based on purpose and trust level. If an attacker or malware needs to cross one or more internal trust boundaries to reach its goal, it has a much higher probability of detection.

Anti-malware solutions

Ransomware is one of the most significant malware threats that companies face. A successful ransomware infection can result in data loss, financial losses, and other potential harm and damages to an organization’s reputation and operations.

Anti-malware and endpoint detection and response (EDR) solutions are designed to identify and remediate ransomware infections on a computer, including by recognizing the behaviour of an encryptor (mass file rewrites, shadow copy deletion) rather than only known file signatures. Deploying these solutions on endpoints, especially those with increased exposure to ransomware like remote devices, can help to identify and mitigate a ransomware infection before it causes significant damage to the organization.

Security policies

Ransomware infections commonly take advantage of some weakness in an organization’s cybersecurity posture. This could be unpatched vulnerabilities, excessive permissions, exposure to phishing attacks, or other threats.

In addition to implementing technical solutions and security controls to manage ransomware risk, companies should also put security policies in place that guide these implementations and help to close non-technical security gaps. For example, policies on secure remote work or the use of personal devices under a bring-your-own-device (BYOD) policy may reduce the risk that ransomware can access corporate systems via an infected remote device.

Network traffic analysis

Most ransomware infections occur over the network, exploiting vulnerabilities, compromised credentials, or phishing attacks. If the ransomware performs exfiltration of sensitive data – which is increasingly common in modern attacks – then this will occur over the network as well.

Network traffic analysis can be an invaluable tool for identifying, preventing, and triaging ransomware attacks. Some ransomware effects that can be identified via network traffic analysis include the following:

  • Infection attempts: Some ransomware variants are spread using drive-by-downloads or malicious sites indicated by phishing emails. Connection attempts to these sites could be identified and blocked before malware is delivered.
  • Lateral movement: Ransomware may attempt to move laterally through an organization’s network from the initial infection point to higher-value systems. Network traffic analysis can help to identify anomalous network traffic, including scanning and attempting to connect to other corporate systems.
  • Vulnerability exploitation: Some ransomware – such as WannaCry – spreads itself by exploiting vulnerabilities in other systems. Network traffic analysis can help to identify scans for and attempted exploitation of vulnerable systems.
  • Data exfiltration: Ransomware increasingly steals corporate data and demands a ransom not to leak it. Large flows of data outside the corporate network can be a warning sign of a ransomware infection.
  • Infected systems: Once a ransomware infection has been identified, network traffic analysis can be used to help identify other infected systems. For example, traffic analysis can be used to identify other instances where a vulnerability is exploited or the systems are accessed by a compromised user account.
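Three of the signals listed above can be pulled directly out of flow records. The script below is an added example, not Cato code, that scans a constructed set of flows for contact with a blocklisted host (delivery or command-and-control), one internal host fanning out to many peers on SMB/RDP/WinRM ports within a short window (lateral movement or worm-style exploitation), and an unusually large outbound transfer to a single external peer (exfiltration). The flow format, thresholds, blocklist entry and sample flows are all assumptions; the external addresses are from the documentation ranges.

```python
"""Ransomware signals from flow logs: blocklisted destinations, lateral
fan-out on admin ports, and bulk egress to one external peer.
Added example, not Cato code; format, thresholds and flows are assumptions."""
import ipaddress
from collections import defaultdict

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]
LATERAL_PORTS = {135, 445, 3389, 5985}   # RPC, SMB, RDP, WinRM
FANOUT_THRESHOLD = 5                     # distinct internal peers on those ports...
FANOUT_WINDOW = 300                      # ...within this many seconds
EXFIL_BYTES = 500 * 1024 * 1024          # outbound bytes, one host to one external peer
BLOCKLIST = {"203.0.113.77"}             # assumed threat-intel entry (TEST-NET-3)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flows(text: str):
    """One flow per line: '<unix ts> <src> <dst> <dport> <bytes_out>'."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def max_fanout(events, window: int) -> int:
    """Largest number of distinct peers touched inside any sliding time window.
    events is a list of (ts, dst); small inputs, so the O(n^2) scan is fine."""
    events = sorted(events)
    best = 0
    for i, (t0, _) in enumerate(events):
        peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
        best = max(best, len(peers))
    return best


def analyze(flows):
    lateral = defaultdict(list)   # src -> [(ts, dst)] on lateral ports
    egress = defaultdict(int)     # (src, external dst) -> bytes out
    alerts = []
    for f in flows:
        src_in, dst_in = is_internal(f["src"]), is_internal(f["dst"])
        if f["dst"] in BLOCKLIST:
            alerts.append(("blocklist", f["src"], f["dst"]))
        if src_in and dst_in and f["dport"] in LATERAL_PORTS:
            lateral[f["src"]].append((f["ts"], f["dst"]))
        if src_in and not dst_in:
            egress[(f["src"], f["dst"])] += f["bytes"]
    for src, events in lateral.items():
        n = max_fanout(events, FANOUT_WINDOW)
        if n >= FANOUT_THRESHOLD:
            alerts.append(("lateral_fanout", src, n))
    for (src, dst), total in egress.items():
        if total >= EXFIL_BYTES:
            alerts.append(("exfil", src, total))
    return sorted(alerts, key=lambda a: (a[0], a[1], str(a[2])))


# Constructed sample: 10.0.5.30 is a normal user; 10.0.5.21 fetches a payload
# from a blocklisted host, sweeps six neighbours on SMB/RDP, then pushes 600 MB
# out to one external address.
SAMPLE_FLOWS = """
1700000000 10.0.5.30 10.0.5.1 445 4096
1700000001 10.0.5.30 198.51.100.10 443 51200
1700000010 10.0.5.21 203.0.113.77 443 1200
1700000020 10.0.5.21 10.0.5.22 445 900
1700000021 10.0.5.21 10.0.5.23 445 900
1700000022 10.0.5.21 10.0.5.24 445 900
1700000023 10.0.5.21 10.0.5.25 3389 900
1700000024 10.0.5.21 10.0.5.26 445 900
1700000025 10.0.5.21 10.0.5.27 445 900
1700000100 10.0.5.21 198.51.100.10 443 209715200
1700000400 10.0.5.21 198.51.100.10 443 209715200
1700000700 10.0.5.21 198.51.100.10 443 209715200
"""

if __name__ == "__main__":
    for alert in analyze(parse_flows(SAMPLE_FLOWS)):
        print(*alert)
```

The fan-out rule is the one that needs tuning per environment: vulnerability scanners, backup servers and patch management systems legitimately touch many hosts on these ports and should be on an allow-list, while a single workstation doing so within minutes almost never is.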

How to Respond to a Ransomware Attack

If an organization is the victim of a ransomware attack, a rapid, correct response is essential to minimizing the impact of the incident and the cost to the organization. It is crucial to draw up a ransomware remediation plan in advance that should include the following steps.

Contain the infection

Many ransomware variants are designed to move laterally through a corporate network after gaining an initial foothold. This enables the malware to expand its influence or to access more critical systems that could be used to demand a higher ransom payment.

After a ransomware infection has been identified, an important first step is to quarantine affected systems. This can be accomplished by physically disconnecting them from the network, using an EDR host-isolation feature, or implementing access controls that block attempted communication with other systems. Isolate rather than power off where possible: the memory of a running system may still hold encryption keys or other evidence that a forensic capture can preserve, and a reboot destroys it.

Identify the ransomware variant and scope

Numerous ransomware variants exist, and each uses different tools and techniques to achieve its goals. Determining which ransomware variant was used to perform an attack can help with assessing the potential impact and removing the malware from infected systems. The ransom note, the extension appended to encrypted files, and any markers written into file headers are the usual starting points, and free decryptors exist for some older families (the No More Ransom project maintains a collection).

During this step, the incident response team (IRT) can also investigate the scope of the incident. For example, the company may be facing a single infected system or malware that has gained access to multiple corporate computers.

Report the incident

A successful ransomware attack is a major cybersecurity incident. After one occurs, the security team and the company may need to report it to various parties, including the C-Suite, law enforcement, regulators, insurance providers, and affected customers.

Each of these stakeholders may have different reporting requirements and timelines, and some notification windows (for regulators or insurers in particular) are short. These requirements should be determined in advance and incorporated into incident response policies and plans before a security incident occurs.

Attempt data recovery

Ransomware attacks target an organization’s data, and the goal may be to encrypt or steal the data.

If the malware encrypts corporate data, the organization may try to recover the data before attempting to remediate the infection. If an organization has backups, this involves confirming that the backups are intact and were not reached by the attacker, and preparing to restore from them. If the company lacks backups or the malware is focused on data exfiltration, then the organization may consider whether to pay the demanded ransom. However, while this provides the potential for data recovery, it is not guaranteed, and paying may be unlawful where the group is a sanctioned entity (under OFAC sanctions in the U.S., for example).

In any case, it’s wise to make a copy of the encrypted data before attempting to restore systems. This can enable recovery in the future in the event that a decryptor or decryption keys are released for the ransomware variant in question.

Remediate the malware infection

After the organization has made any desired efforts to recover encrypted data, the next step is to remediate the security incident by eradicating the malware infection. The organization can accomplish this in a few ways, including:

  • Targeted Remediation: The security team attempts to track the malware’s attack trail and removes any traces of the ransomware from infected systems.
  • Restore from Backups: If the organization has clean backups of affected systems, restoring from these backups removes the malware while limiting data loss.
  • Rebuild: In the absence of backups, the organization can wipe affected systems, rebuild them from known-good images, and reapply the desired configuration.

Restore normal operations

After eradicating the malware infection, the security teams should perform testing to verify that all traces of the malware are removed. If there are no signs of an ongoing infection, the organization can begin restoring normal operations.

After a system has been sanitized, quarantine can be relaxed. However, it’s best to perform increased monitoring for some time afterward to ensure that the ransomware infection has been completely removed and the device hasn’t been reinfected.

Cato is the Key Ally vs. Ransomware Attacks

Ransomware poses a major threat to an organization’s data, profitability, and reputation, and managing this threat is a crucial component of a modern cybersecurity strategy. While ransomware targets an organization’s data and endpoints, a network-based defense enables an organization to block these attacks and protect all of its IT resources.

Cato’s network-based ransomware mitigation strategy addresses the ransomware threat at multiple stages of the MITRE ATT&CK framework. Machine learning helps to identify malware traveling over the network and common communication patterns associated with ransomware attacks. Additionally, Cato’s Firewall-as-a-Service can detect and block exploits targeting vulnerabilities commonly targeted by ransomware. Cato’s Secure Access Service Edge (SASE) offers robust protection against ransomware and other major cyber threats. Learn more about Cato’s approach to using SASE for ransomware protection.