Ransomware Attacks: What Are They and How to Stop Them Exploiting Your Organization

Where does ransomware come from, and how can it affect your organization? A guide to what ransomware is, how cybercriminals infect organizations with it, and how to prevent it from damaging your company.
Ransomware hit the news headlines in 2017 when the infamous WannaCry ransomware crypto worm rapidly spread worldwide. Hospitals were forced to turn patients away, and manufacturing plants stopped production. In all, 200,000 computers across 150 countries were infected. Eight years later, ransomware is as prevalent and harmful as ever, taking new pathways, thanks to AI. But what is ransomware, and how can this most insidious form of cybersecurity threat be stopped?
A Brief History of Ransomware
Ransomware may have made recent headlines, but the history of ransomware goes back decades. Here's a timeline of some ransomware highlights:
Facts About Ransomware Attacks
Sophos, in their "State of Ransomware 2024" report, highlighted that 59% of organizations were affected by ransomware in the previous year. These attacks come with a heavy burden as ransom amounts have increased five-fold in that time.
The sectors impacted by ransomware are broad. Some of the most at risk include energy and utilities, healthcare, tech, and finance. However, no company, whatever size, is safe from the threat of ransomware attacks:
Source: Information is Beautiful
The price paid by organizations worldwide is staggering. Ransom payments exceeded $1 billion in 2023, with 73% of companies paying the ransom to regain their data. The average ransom is around $2 million.
But ransoms are not the only cost incurred from a ransomware attack.
The Cost of a Ransomware Attack
Ransom aside, a ransomware attack incurs heavy costs. Estimates for the overall costs of a ransomware attack are around seven times higher than the cost of the average ransom. Costs included in this figure are:
Operational Downtime
The cost of downtime is roughly $25,620 for SMBs and $540,000 for enterprises per hour.
Recovery Costs
These vary across sectors and business size, but estimates for the education sector come in at $2.73m.
Reputational Damage
Estimates for the cost of reputational damage after a ransomware attack come in at around 20% of the overall cost.
Is Cyber Extortion the Same as Ransomware?
Cyber extortion is a broad term for digital extortion; ransomware is a subset of cyber extortion. Where ransomware is a malware-assisted extortion, cyber extortion also includes non-malware methods. Examples of cyber extortion include romance scams, sextortion, doxing (using embarrassing information on an individual or company), and Distributed Denial of Service (DDoS) attacks.
Five Examples of Ransomware Attacks
2300+ organizations infected, 2018, NotPetya
NotPetya ransomware infected over 2,300 organizations in more than 100 countries. The combined losses have been estimated at more than $10 billion.
Colonial Pipeline, 2021, critical infrastructure utility firm
The ransomware attack on Colonial Pipeline cost the company 4.4 million. The attack shut down operations and an emergency was declared in 17 states.
Costa Rica Government, 2022
The ransomware attack on the Costa Rican government was declared an act of war by the pro-Russian Conti hacking group. The government closed down during the attack, and it is believed to have cost the government $30 million per day of closure.
Change Healthcare, 2024, healthcare technology
Data breach affected 100 million customers. The company paid the Alphv/BlackCat ransomware group $22 million.
Blue Yonder, 2024, supply chain management
Affected downstream customers including Starbucks, Sainsbury's and Morrisons Supermarkets. Morrisons was forced to rebuild a new warehouse management system; others suffered service disruptions.
What Happens When an Organization is Infected with Ransomware?

The impact of ransomware has come a long way since the early days. Back then, an infected organization would be forced to pay a ransom to receive a decryption key that would (hopefully) decrypt any encrypted files. Today, modern ransomware exerts even more pressure on an organization. Once infected, a chain of events begins that prevents work, creates chaos, and leaves a company vulnerable to nefarious entities. This is what you should expect if your organization is infected with ransomware:
Double- and Triple-extortion Ransomware Attacks
For a brief period, organizations pushed back on ransomware attacks, refusing to pay the ransom, often being protected by secure backups. However, the cybercriminals behind the attacks adjusted their techniques to include double and triple extortion tactics. If you are infected with ransomware today, there is a high likelihood that the encrypted data will have been stolen too. These data are used as a bargaining tool; threats include selling the data to cybercriminals unless the ransom is paid.
Other tactics used to enforce ransom payments include going after business partners and even customers and clients; attackers threaten to release sensitive data on those targets unless they too pay a ransom.
Multiple Attacks in One
Encrypting files and stealing data is bad enough, but modern ransomware attackers fuel the flames using integrated attacks. Attackers are now using a mix of DDoS and ransomware to incapacitate an organization, forcing them to pay a ransom.
Reputational Damage
Damage to reputation is an ongoing issue for companies impacted by ransomware. Data theft added to the attack can lead to a loss of customer trust. Add to this the impact of downtime, and an organization's reputation can be massively damaged.
Regulatory Fines and Compliance Costs
Stolen data can lead to non-compliance fines. For example, in the UK, a firm of solicitors was fined £98,000 ($123,000) for security breaches after a ransomware attack.
Loss of Business
Many of the headlines covering ransomware attacks focus on major billion-dollar companies. However, ransomware attackers also target smaller companies. Some of the most infamous ransomware gangs are focusing on small companies. Ransomware like LockBit, Cl0p, and BlackCat are used to target small and medium businesses (SMBs) specifically. An SMB may not have the extensive cyber protection of its larger counterparts, so it is viewed as an easy target. Ransomware inevitably leads to productivity losses. This loss may be challenging to overcome for a smaller company and could lead to a business closing its doors.
Source: ransomware.org
Exploits Used by Ransomware Attackers
By understanding how ransomware is delivered, a company can begin to prepare itself to prevent a cyber-attack. Below are some of the most popular methods used to infect organizations worldwide with ransomware.
Phishing
Cybercriminals love phishing, using emails, text messages, and social media to manipulate individuals. Phishing is a favorite vector for initiating a ransomware attack. Email phishing and, in particular, spear phishing are the commonest methods. The UK Cyber Security Breach Survey 2024 found that 84% of businesses were victims of phishing. Phishing often results in stolen login credentials that allow the attacker to access a network. Alternatively, ransomware is contained in an infected email attachment. The net result is a network-wide ransomware infection.
Social Engineering
Human-centered cyber-attacks involve manipulating human behavior to perform a task that benefits an attacker. In the case of ransomware, attackers use many social engineering methods to ensure a successful payout. Tactics include having a countdown clock on the ransom note to put pressure on a business.
Misconfiguration and Vulnerabilities
Cybercriminals exploit any chance to execute a cyberattack. This includes a simple misconfiguration of an app or network vulnerabilities. Common errors are involved in 80% of ransomware infections. The CISA recently listed some of the most prevalent exploits used by ransomware attackers. The list includes unauthorized access to Remote Desktop Protocol (RDP) because of weak or stolen credentials and exploitation of weak or default passwords in the File Transfer Protocol (FTP).
Zero-Day Exploits
Zero-day exploits target software or hardware vulnerabilities that remain unknown and unfixed by vendors. Zero-days can provide an open door to ransomware attackers. Cl0p is an example of ransomware that exploits a zero-day vulnerability (CVE-2024-50623).
Next-Gen Ransomware: How AI Assists Ransomware Attacks
AI has entered the world of ransomware and is being used by attackers to automate and promote ransomware threat chains. Funksec has emerged as a serious threat in the AI-assisted ransomware stakes. The hacking group uses AI to develop and refine ransomware malware. The areas in which AI assists in developing and distributing ransomware include the following:
Automation and Modification
AI automates the scanning of network vulnerabilities to find weaknesses. It can also be used to change ransomware files to help evade detection.
Deep Fakes and Generative AI
Phishing attacks increased by 4,151%; the increase is believed to be due to the use of ChatGPT to generate believable phishing email content. Deepfakes are being used to socially engineer individuals into releasing login credentials and other useful information to help initiate cyber-attacks.
Personalization and Intelligence Gathering
Generative AI is used to search for information about a target. This intelligence is then used to create spear phishing emails and social engineering scams.
Technique and Tactic Improvements
AI is being used to develop improved malware, malware modification tactics, and evasion methods.
Target Identification
Generative AI is used to search for specific, often vulnerable targets. This is used alongside general intelligence gathering to develop highly targeted and successful social engineering and spear phishing scams.
What is Ransomware-as-a-Service (RaaS)?

The Funksec group is part of a trend toward ensuring the mass distribution of ransomware using a Ransomware-as-a-Service model. RaaS is a business model in which ransomware developers supply ready-made ransomware to affiliates, who launch the attacks, in return for a subscription fee or a percentage of ransom income.
RaaS has become popular because it allows cybercriminals without coding skills to create ransomware attacks. The RaaS kits come with all of the tools needed to initiate a ransomware infection. RaaS kits are easy to find on the dark web. RaaS has made ransomware campaigns affordable and accessible. As such, Ransomware-as-a-Service has contributed in large part to the increase in these types of cyberattack in recent years. The use of AI assistance in formulating RaaS kits is also helping to make this type of cybercrime model popular.
How Can Your Organization Prevent Ransomware Attacks?
No one measure can stop a ransomware infection. Instead, an organization must take a layered approach to preventing ransomware infection. The following measures should be used in combination to help detect, prevent, and in worst-case scenarios, recover from ransomware:
Policies that include ransomware mitigation and response
Policies must reflect the current state of play with regard to all cyberattacks, including ransomware. Because the threat landscape is continuously adapting to new methodologies and technologies, these policies must be routinely updated.
Security awareness training
Many of the methods used by ransomware attackers involve behavior manipulation and phishing. Security awareness training involves educating employees and the wider user base about tactics and techniques used by cybercriminals. Also, many security awareness training packages include simulated phishing exercises. These fake phishing emails are automatically generated and sent to employees to see how they fare when presented with a phishing scam. The simulation software optimizes the training for each individual.
Secure backup
A robust, anti-ransomware backup system helps an organization recover quickly from an attack.
Endpoint Detection and Response (EDR) solutions
EDR tools are used to identify ransomware attacks. Advanced EDR uses AI and machine learning to identify zero-day assisted attacks.
Multi-Factor Authentication (MFA)
The theft of login credentials is often behind the first phase of a ransomware attack. Enforcing the use of another factor after entering a password, e.g., a mobile phone code, helps prevent unauthorized access to networks.
Regular and timely patching
Ransomware attacks often exploit vulnerabilities. Regular patching of software and hardware flaws is essential in the fight against cyberattacks.
Next-gen antivirus and next-gen firewalls
AI enables antivirus and firewalls to identify automated cyberattacks.
Email security
Advanced email security solutions use AI and machine learning to identify phishing attacks and stop them before they enter an employee's inbox.
Robust access controls and least privilege enforcement
The Principle of Least Privilege (PoLP) is used to allow access to IT resources on a need-to-know basis. Identity management systems must be configured to enforce least privilege access. This helps to reduce unauthorized access.
Ransomware Focused Incident Response
If the worst-case scenario happens, and a ransomware infection takes hold, an organization must be ready to deal with the aftermath. An incident response plan should set out the steps to mitigate a ransomware infection's impact. These steps should include:
Containment
Capture the evidence, including screen images and relevant system files on infected devices. This intelligence gathering exercise is essential to help prevent future infections.
Eradication
Remove the ransomware infection. The steps to eradication depend on the ransomware variant.
Recover and Restore
Using secure backups, check for any signs of infection and, if safe, restore files and documents. Continue to monitor the situation and use the ransomware intelligence gathered to close any security gaps and design security awareness training.
Communicate
The details of the ransomware infection may need to be communicated to the relevant regulatory bodies, partners, and customers.
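The "check for any signs of infection" part of the Recover and Restore step can be partly automated before anything is copied back. The following is an added example, not part of the original article: it assumes a SHA-256 manifest was recorded at backup time, and the extension list, the entropy threshold, and all sample file names are assumptions constructed for illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter

# Assumptions: extensions that normally hold low-entropy plain text, and a
# threshold in bits per byte above which such a file looks encrypted.
TEXT_EXTS = {".txt", ".csv", ".log", ".json", ".xml", ".sql"}
ENTROPY_LIMIT = 7.0

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def check_backup(root: str, manifest: dict) -> dict:
    """Compare a backup tree with its manifest {relative_path: sha256_hex}.
    Returns {relative_path: [reasons]} for files needing review before restore."""
    findings, seen = {}, set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            seen.add(rel)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            if rel not in manifest:
                reasons.append("not in manifest")
            elif hashlib.sha256(data).hexdigest() != manifest[rel]:
                reasons.append("hash mismatch")
            ext = os.path.splitext(name)[1].lower()
            if ext in TEXT_EXTS and shannon_entropy(data) > ENTROPY_LIMIT:
                reasons.append("high entropy for text file")
            if reasons:
                findings[rel] = reasons
    for rel in sorted(manifest.keys() - seen):
        findings[rel] = ["missing from backup"]
    return findings

def demo() -> dict:
    """Constructed sample: one clean file, one overwritten, one extra, one missing."""
    clean = b"id,amount\n1,100\n2,250\n" * 50
    manifest = {"ledger.csv": hashlib.sha256(clean).hexdigest(),
                "notes.txt": hashlib.sha256(b"quarterly notes\n" * 50).hexdigest(),
                "hr.csv": hashlib.sha256(b"constructed").hexdigest()}
    files = {"ledger.csv": clean, "notes.txt": os.urandom(4096),
             "README_RESTORE.txt": b"constructed unexpected file\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return check_backup(root, manifest)
if __name__ == "__main__":
    print(demo())
```

A clean result does not prove the backup is safe; it only narrows down which files need manual review before restoration.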
Staying Ahead of Ransomware

Ransomware is a threat that should not be underestimated in terms of its impact on an organization. SMBs are particularly vulnerable to this form of cyberattack. However, with an awareness of cybercriminals' tactics, companies can plan ahead to prevent becoming victims of this insidious cybercrime.
Sentinex provides a core capability in the fight against ransomware by monitoring your vital business information such as your main domain name, emails, bank account numbers, passwords, tax IDs, DBAs, and other information. Sentinex keeps your business notified of any data breaches at your organization. We also detect any trading of your data on the dark web so you can take preemptive measures, and contain and minimize both the financial and reputational impact of ransomware and other forms of cyberattacks.