Ransomware

Learn what ransomware is, how ransomware spreads on a network, how to prevent ransomware and what ransomware as a service (RaaS) is.

This article is from The Defender's Handbook: a knowledge base for cybersecurity enthusiasts to level up their cyber knowledge—one article at a time.

Introduction

A perfect storm has enabled cybercriminals to launch an unprecedented number of ransomware attacks in recent years.

First, the move to remote work made it easier than ever for threat actors to access the sensitive data of businesses when home networks were unsecured. As more cybercriminals held companies’ data hostage, many companies paid up to get their data restored as soon as possible—providing positive reinforcement to those attackers watching from the sidelines. 

And before we knew it, ransomware became the go-to attack tactic for hackers looking to make a quick buck.

Read on to learn:

  • What ransomware is and how it works
  • How hackers infiltrate environments through ransomware attacks
  • How ransomware as a service (RaaS) works
  • How to prevent ransomware attacks
  • How ransomware spreads on a network

Common Questions

What is ransomware?

Ransomware is a type of malware that encrypts data—often critical business data—thereby preventing access. Victims are then forced to pay attackers for a decryption key to regain access to their files.

How does ransomware work?

Ransomware scans the file storage disk for files to encrypt and then encrypts them with a key that only the attackers hold, so the victim can no longer open the files.

How does ransomware spread on a network?

Typically, ransomware spreads on a network in one of three ways: remote monitoring and management, self-propagation and removable media.

How can I detect ransomware?

The best way to detect ransomware is to leverage the tools in your security stack. Many tools include features specifically designed to detect ransomware infections.

How can I prevent ransomware?

Keeping your computer updated and patched, verifying before trusting, checking that your site connections are secure and increasing your cyber knowledge are all ways you can work to prevent ransomware.

How does Ransomware as a Service work?

Similar to the Software as a Service (SaaS) business model, Ransomware as a Service (RaaS) is a business model that enables threat actors to pay for, obtain and use others’ malicious code to conduct their own ransomware attacks.

How do I respond to a ransomware attack?

If you discover a ransomware attack in progress, disconnect your computer from the networks you’re connected to as well as from external devices. This will help you isolate the spread and halt the attack in its tracks.

Does antivirus stop ransomware?

While antivirus may detect ransomware, it often falls short when a new type of ransomware is created. Antivirus only identifies malicious code it’s been trained to know.

Should I pay the ransom for ransomware?

The FBI’s official advice is not to pay a ransom. You may consider reaching out to a ransomware negotiation service to figure out the best move in your unique situation.

What Is Ransomware?

Ransomware is a type of malware that encrypts data on a computer or network into an unreadable format until a sum of money, or ransom, is paid. During a ransomware attack, threat actors hold the readable data hostage until the ransom is paid. Then, the threat actor promises to give the victim the means to decrypt the data into a readable format.

Key Terms

Data exfiltration: The unauthorized transfer of data from a system or device to another location, typically one the attacker controls.

Decryption: The process of converting data from an unreadable format into a readable format.

Decryption key: A code that enables victims of ransomware attacks to decrypt their data into a readable format.

Double extortion: During a ransomware attack, double extortion occurs when attackers threaten to publicly release data unless a ransom amount is paid.

Dwell time: The time that an attacker is present in a victim’s environment before they’re detected.

Encryption: The process of converting data from a readable format into an unreadable format.

Foothold: The virtual spot an attacker secures in an environment through persistence, allowing the attacker to maintain access through system disruptions.

Malware: Software designed to disrupt, damage or help an unauthorized user gain access to a computer or network.

Persistence: A stealthy attack tactic that threat actors use to gain and keep unauthorized access to a virtual environment.

Phishing: A type of (usually email-based) cyberattack that occurs when threat actors disguise themselves as legitimate entities to attempt to trick users into revealing personally identifiable or sensitive information.

Ransomware: A type of malware that encrypts a user’s data and requires some type of payment to the attacker for decryption to occur.

Ransomware as a Service (RaaS): A business model that enables threat actors to obtain (for a fee) malicious code to conduct their own ransomware attacks.

Ransomware group: Organized groups of threat actors that work to organize and execute sophisticated ransomware-based cyberattacks.

Ransom note: A message delivered to the victim of a ransomware attack that identifies the threat actor’s demands that must be met for decryption to occur.

How Does Ransomware Work?

Ransomware is just one of the many attack tactics in a threat actor’s toolkit. When run, the ransomware program will scan the file storage disk for files to encrypt, typically documents, spreadsheets, etc. The files are encrypted with a key that only the attackers know, thus preventing access to the files.

How Do Hackers Infiltrate an Environment?

Hackers can infiltrate an environment in many different ways. Let’s dive into a few of the most popular ways that hackers gain their access.

1. Phishing: Phishing is still one of the most prevalent ways that threat actors gain access to an environment. Phishing emails commonly attempt to trick the user into downloading and opening an attachment or entering their credentials into a fake login page. When the user runs the attachment, a second-stage backdoor is often downloaded. This could be a full-featured backdoor, giving the threat actor complete access to the host, or even the initial deployment of the ransomware.

Should the user enter their credentials into the fake login portal, the attacker may attempt to use those credentials to log in to Office 365. This allows the threat actor to send additional phishing emails from a legitimate email address. Other users are more likely to fall victim to the phishing email if it is coming from a trusted source.

Phishing occurs when a threat actor attempts to trick an unsuspecting victim into handing over their sensitive information, such as their credit card information or Social Security number. Alternatively, threat actors may attach a file with malicious code to a legitimate-looking email, encouraging the recipient to open it and unknowingly give threat actors the ability to access and encrypt their data.

2. Public-Facing Vulnerabilities: Threat actors scan the internet looking for systems with known vulnerabilities. Often, there is a gap between when a new vulnerability is publicly released and when the general public has patched their systems. Threat actors exploit these vulnerabilities to gain initial access into the environment. Once in, they typically escalate privileges and begin to deploy their malware to additional systems.

3. Drive-by downloads: A drive-by download occurs when someone navigates to a malicious webpage and unknowingly downloads malicious code to their computer just by visiting the webpage. The malicious code may run immediately or sit dormant for a period of time before encrypting the user’s data.

4. Purchased access: There’s a marketplace for everything these days, and cyberattacks are no exception. Threat actors often compromise networks at scale and then resell that access to other ransomware operators, who then deploy the ransomware.

What Is Ransomware as a Service (RaaS)?

You may have heard of Software as a Service, or SaaS, which is a business model where customers pay a fee to be able to access a vendor’s product—in this case, the product is software. For example, many businesses pay Google a fee to give employees the ability to access the paid versions of Google Workspace (Gmail, Google Calendar, Google Docs, etc.). 

In the same vein, Ransomware as a Service, or RaaS, is a business model that enables threat actors to pay for, obtain and use malicious code to conduct their own ransomware attacks. In turn, this enables threat actors who may not have strong coding knowledge to still be able to conduct sophisticated ransomware attacks.

Ransomware as a Service has become more popular in recent years with the growing number of ransomware attacks targeting critical infrastructures as well as small- to medium-sized businesses (SMBs). 

For example, DarkSide (one form of Ransomware as a Service) powered the Colonial Pipeline ransomware attack that occurred in May 2021. This attack caused panic among the public and an increase in gas prices along the East Coast of the United States. 

Another example is REvil’s Ransomware as a Service supply chain attack on the Kaseya VSA, which occurred in July 2021 and wreaked havoc on SMBs. Because both the creators and the deployers (known as affiliates) of the ransomware get a cut of any profits, it’s easy to see why Ransomware as a Service has become a lucrative business. 

What Are Some Examples of Ransomware Attacks?

These days, you can find examples of ransomware attacks simply by turning on the news. A few ransomware attacks really demonstrate why these attacks are so devastating.

1. Colonial Pipeline

In May 2021, cybercriminal group DarkSide unleashed a ransomware attack against Colonial Pipeline, a major pipeline that stretches 5,500 miles and transports gas, diesel and jet fuel from the Gulf Coast to the East Coast in the United States. 

DarkSide discovered a single password and was able to infiltrate Colonial Pipeline’s legacy Virtual Private Network (VPN) because the VPN had no multifactor authentication (MFA) in place. In other words, once DarkSide had the password to access the VPN, they were able to simply log in. MFA would have added a secondary barrier to gaining access (e.g. needing access to a specific cellphone number to receive a texted code). Unfortunately, because this legacy VPN lacked MFA, the attack merely required one set of credentials. 

As a result of this ransomware attack, Colonial Pipeline shut down its operations for a weekend, gas prices rose and the public panicked. The hackers demanded a $4.4 million payment in Bitcoin, which Colonial Pipeline paid. Ultimately, and with the help of the Department of Justice, Colonial Pipeline was able to get back $2.3 million.

This attack was pivotal for a number of reasons. First, it was a direct attack on critical US infrastructure. Had the pipeline needed to be shut down for longer than it was, it’s likely that the East Coast would have been crippled without the ability to transport goods. This attack served as a wake-up call in terms of what today’s threat actors are capable of doing.

2. Kaseya VSA

In July 2021, cybercriminal group REvil (Sodinokibi) deployed ransomware to victimize Kaseya, an IT management software provider for MSPs and IT teams, via the company’s on-premises Virtual System Administrator (VSA). As a result of this supply chain attack, between 50 and 60 MSPs and upwards of 2,000 of their customers were believed to have been impacted. In this scenario, “impacted” ultimately means that many of these businesses experienced several weeks of downtime before finally getting hold of a decryption key.

Not only was this ransomware attack particularly sophisticated; it was one of the most complex and successful ransomware attacks in recent history. This attack was significant not only because of its immediate impact on its victims but also because of the light it shined on what today’s threat actors can do. This type of attack could happen to any vendor, demonstrating why a focus on cybersecurity is critical both for business leaders and the general public.

3. Hospitals, lawyers’ offices and other small businesses

Leaders who operate small shops, such as city hospitals and lawyers’ offices, may assume that today’s threat actors have larger and more well-known businesses to target. They may mistakenly believe that they are all but immune to cyberattacks. Unfortunately, this isn’t the case.

Smaller shops are just as prone to cyberattacks as larger shops. Why? Because threat actors know that smaller businesses can’t defend themselves as larger businesses can. Why waste time and effort breaking into one larger business that’s hard to hack when they can get better returns with a series of smaller businesses?

Can Ransomware Infections Be Prevented?

Ransomware infections can be prevented through a combination of preventive measures and cybersecurity education. The Cybersecurity and Infrastructure Security Agency (CISA) recommends doing the following:

1. Keep your computer updated and patched.

One of the primary ways that threat actors gain access to launch a ransomware attack is by exploiting a vulnerability that exists in an application or operating system. Keeping your computer updated and patched helps to protect against these vulnerabilities.

2. Verify, then trust.

Make absolutely sure that email attachments and links are legitimate before opening them or clicking them. Verify that you know the sender of the email (check their name and email address!) before opening attachments.

Make sure that links are legitimate before clicking them. Threat actors are known to include slight variations in URLs, such as swapping a .com domain with a .net domain, to trick users.

3. When submitting personal information, make sure the site’s connection is secure.

The easiest way to check if your connection is secure is by verifying that the URL you’ve visited starts with https. The s stands for secure, meaning that the site presents a TLS certificate and the connection encrypts any data submitted. Many modern web browsers also show a padlock in the URL bar to signify that the connection is secure. Note that https only protects the data in transit: a phishing site can present a valid certificate too, so the domain in the URL still needs to be checked.

4. Make a conscious effort to stay up-to-date on cybersecurity education.

The threat landscape changes as threat actors get better at what they do. Stay alert with current threats and vulnerabilities, and be sure to follow the advice of cybersecurity experts when it comes to staying safe online.

(Note: If you’re an IT professional looking for advice on how to prevent ransomware infections, check out this comprehensive guide.)
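The link checks in steps 2 and 3 (a swapped top-level domain, a non-https connection) can be automated before a user clicks. The following is an added example, not code from the article or from Huntress; the trusted-domain list is a constructed sample and the domain splitting is deliberately simplified.

```python
"""Pre-click link check for the "verify, then trust" step.

Flags two things the article calls out: links that are not https, and
domains that match a trusted name except for the top-level domain
(e.g. huntress.com vs. huntress.net). Added example; TRUSTED_DOMAINS is a
constructed sample, not a real allow list.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample of domains the organisation actually uses.
TRUSTED_DOMAINS = {"huntress.com", "microsoft.com", "office.com"}


def registered_domain(host: str) -> tuple[str, str]:
    """Split 'login.example.com' into ('example', 'com').

    Simplified on purpose: the last label is treated as the TLD, so
    multi-part suffixes such as .co.uk are not handled (an assumption
    made for this illustration).
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return labels[-2], labels[-1]


def check_link(url: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Return a list of warnings for url; an empty list means nothing obvious."""
    warnings: list[str] = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    # Step 3: the connection itself should be https. This only says the
    # transport is encrypted; it says nothing about who runs the site.
    if parts.scheme != "https":
        warnings.append("connection is not https")

    name, tld = registered_domain(host)
    domain = f"{name}.{tld}" if tld else name
    if domain in trusted:
        return warnings

    # Step 2: same second-level name as a trusted domain but a different
    # TLD is the .com/.net swap the article describes.
    lookalikes = sorted(t for t in trusted if registered_domain(t)[0] == name)
    if lookalikes:
        warnings.append(
            f"{domain} differs from trusted {lookalikes[0]} only in its TLD"
        )
    else:
        warnings.append(f"{domain} is not a trusted domain")
    return warnings


if __name__ == "__main__":
    for link in ("https://login.microsoft.com/", "http://huntress.net/"):
        print(link, "->", check_link(link) or "ok")
```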

Should You Pay the Ransom for a Ransomware Attack?

The FBI’s official advice is not to pay a ransom. They say that paying a ransom does nothing more than reward bad behavior, giving other hackers a shining example of why ransomware attacks are worth executing. Instead, the FBI recommends contacting your local FBI field office or submitting a tip online and then filing a report with the FBI’s Internet Crime Complaint Center (IC3).

All of this advice is sound logic—until it’s your business or your data in the crosshairs of a threat actor. Once that happens, decisions don’t feel so black and white.

You may want to consider a ransomware negotiation service. Every business leader must make the right decision for their business. If you are thinking of paying the ransom, it may be helpful to get the guidance of a professional negotiation service that has experience lowering the total cost of the ransom payment.

How Ransomware Spreads on a Network

Ransomware tends to be spread on a network in one of three ways.

Remote Monitoring and Management: Threat actors love to abuse central management platforms such as Remote Monitoring and Management (RMM) software. Once they have gained access to the network, they will attempt to escalate privileges to an account that has access to the RMM. From here, they can push out their ransomware just like an IT administrator would deploy a new application to all computers in the environment.

Self-propagation: Some ransomware has built-in self-propagation techniques. Once the ransomware is on a computer, it attempts to connect to other computers and file shares on the network. It may use stolen credentials or even publicly known vulnerabilities to gain unauthorized access to other systems. It then copies itself and runs on every system it can connect to. 

Removable media: Similar to other malware, ransomware may use removable media such as USB flash drives or external hard drives to spread from machine to machine.  

A History of Ransomware

Not only are ransomware attacks becoming more widespread; they’re growing more sophisticated. Let’s dive into what ransomware attacks used to look like—and how they’ve evolved into what they are today.

The First Known Ransomware Attack

The first known ransomware attack is believed to be PC Cyborg, an AIDS Trojan developed by evolutionary biologist Joseph Popp in 1989. He sent 20,000 infected floppy disks titled “AIDS Information — Introductory Diskettes.” Once a user inserted this floppy disk and rebooted 90 times, the Trojan became active by hiding directories and encrypting files. The ransom note demanded that $189 be sent to PC Cyborg Corp. to regain access to the data.

Today’s Ransomware Attacks

Not so long ago, ransomware attacks were fairly straightforward. Threat actors would find their way into an environment, wreak havoc on a network by encrypting the data and then demand to be paid a ransom for the data’s decryption.

Then, defenders got smarter and leveled up their practices. They began isolating their backups to make it impossible to infect them. In turn, this made it more difficult for threat actors to completely cripple an organization because victims of ransomware attacks could still rely on their offline backups.

Necessity warranted threat actors’ leveling up to continue making their money. Now, before they encrypt data on a network, they steal it. As a result, they have a copy of the victim’s data to use as blackmail—if they don’t get their money, they’ll threaten to release the data in a move called double extortion. 

This is particularly devastating for businesses that find their customers’ personally identifiable information in the crosshairs of a ransomware actor. Preventing that data from being leaked could be the only hope that business has of surviving a ransomware attack of this sophistication.

Ransomware Detection

As anyone in cybersecurity knows, prevention is only part of the puzzle. Some attacks, such as zero days, are virtually impossible to prevent. Fast detection and response times help combat tomorrow’s threats that are currently undetectable.

How to Detect Ransomware

The most efficient way to detect ransomware is to leverage the tools in your security stack. For example, Huntress deploys Ransomware Canaries—small, lightweight files placed on protected endpoints that will trigger an alert if a change is made to them (as is often the case during a ransomware attack). Check with the vendors who developed and maintain the components of your security stack to see if they have tips on how to detect ransomware using their products.
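The canary idea above can be shown in a few dozen lines: plant decoy files with a known hash, then alert when any of them is modified or disappears (renamed with a new extension, for example). This is an added illustration, not Huntress code; the canary file names and payload are constructed.

```python
"""Minimal file-canary monitor illustrating the Ransomware Canary idea.

Added example, not the vendor's implementation. Decoy names and contents
are constructed; a real deployment would place canaries on every protected
endpoint and page a responder from canary_alert().
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Names sort early and look like ordinary documents so that bulk
# encryption tends to reach them quickly. (Assumed names.)
CANARY_NAMES = ["!canary_budget.xlsx", "!canary_contract.docx", "!canary_notes.txt"]
CANARY_PAYLOAD = b"canary file - do not edit\n"


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root) -> dict[str, str]:
    """Write the decoy files under root and return a {path: sha256} baseline."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    baseline: dict[str, str] = {}
    for name in CANARY_NAMES:
        p = root / name
        p.write_bytes(CANARY_PAYLOAD)
        baseline[str(p)] = _sha256(p)
    return baseline


def check_canaries(baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Return (path, status) for every canary that no longer matches.

    status is 'missing' when the file is gone (deleted or renamed, e.g.
    given a new extension) and 'modified' when its content changed
    (e.g. encrypted in place). An empty list means all canaries are intact.
    """
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append((path, "missing"))
        elif _sha256(p) != digest:
            alerts.append((path, "modified"))
    return alerts


def canary_alert(baseline: dict[str, str]) -> bool:
    """True if any canary was touched; this is the condition to alert on."""
    return bool(check_canaries(baseline))


def demo():
    """Plant canaries in a temp folder, simulate tampering, return both checks."""
    root = Path(tempfile.mkdtemp(prefix="canary_demo_"))
    baseline = plant_canaries(root)
    before = check_canaries(baseline)
    # Simulated tampering (constructed): overwrite one canary, rename another.
    (root / CANARY_NAMES[0]).write_bytes(b"\x00\x11\x22 not the original")
    (root / CANARY_NAMES[1]).rename(root / (CANARY_NAMES[1] + ".locked"))
    after = check_canaries(baseline)
    return before, after


if __name__ == "__main__":
    print(demo())
```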

Does Antivirus Detect Ransomware?

Potentially, antivirus can detect ransomware; however, its ability to do so depends entirely on its developers. Antivirus works by scanning files and comparing their code to known malware code. In other words, antivirus looks for similarities in code—but it has to be “trained” on what malicious code looks like in order to call it out. Therefore, if new malware code surfaces but the antivirus developers haven’t added it as a known threat, the antivirus will fail to flag anything suspicious.

Another factor that makes it hard for antivirus to detect ransomware is that there’s just so much ransomware to go around. It would be virtually impossible to update antivirus software with new batches of malicious code to look for as they’re discovered. As a result, antivirus may not be the best approach to detecting ransomware attacks.

Threat actors constantly test their new malware variants to ensure they can sneak past common antivirus products. New techniques for evading antivirus are developed all the time, and it’s not uncommon for a new variant to go undetected for days before antivirus successfully detects it.

What to Do if You Discover a Ransomware Attack in Progress

If you discover a ransomware attack in progress, it’s critical to disconnect your computer from any networks you’re connected to as well as external devices as soon as possible. If you catch the ransomware attack quickly enough, you can isolate the spread and halt the attack in its tracks.

If you have a backup solution, make sure to have a quick way to completely isolate it from the infected host(s). Ransomware will often try to encrypt backups as well. 

Activate an incident response plan if you have one. Begin communicating with the proper people in your organization to make them aware of the situation. Consider moving to an out-of-band communication solution to ensure you can continue communicating if systems begin going offline.
