Ransomware is a form of malicious software that seizes control over a victim’s data or device and presents them with a dire ultimatum: either pay a ransom or face the consequences. Whether this is a prolonged lockdown or a widespread data leak, the threat is almost always high enough to pressure victims into paying up.

The IBM Security X-Force Threat Intelligence Index of 2023 reveals that last year, ransomware attacks constituted almost a quarter of all cyberattacks. Ransomware’s popularity is a result of wide-reaching global socioeconomic factors, which combine to create an ever-present threat to your organization.

The Stages of a Ransomware Attack

From hyper-complex attacks to an exploitation of simple oversights, almost every ransomware attack unfolds over four to five crucial stages. 

Stage 1: Exploiting a Vulnerability

Whether a vulnerability in a piece of your tech stack – or a single oversight by a staff member – the primary stage of every ransomware attack is an access vector of some sort. Oftentimes, the weak link can be your own colleagues (or even yourself!). Phishing is one of the most common ways in which otherwise secure organizations can be broken into; it’s what allowed attackers to unleash a ransomware attack on UK-based newspaper the Guardian at the beginning of 2023.

Other infiltration attempts take advantage of malicious websites or attack software vulnerabilities directly. 

Stage 2: Unleash the RAT

Remote access is most commonly seen in the context of tech support – with this enabled, your IT team is able to help colleagues with their day-to-day computing tasks. Remote support enables other users to assume complete administrative privileges, giving them full control over every process on your PC. A remote access trojan (RAT) warps this by being installed onto a computer without the user’s knowledge.

It’s common for attackers to use RATs as a way round established security measures – whereas anti-virus solutions can identify ransomware via simple file signature detection, a remote access trojan is harder to detect pre-implantation. Piggybacking on legitimate-looking files such as software packages and video games, the RAT offers a variety of pathways to any scheming attacker, paving the way to the following stage of the attack.

Stage 3: Reconnaissance 

With a foothold on the victim’s system, it then becomes possible for the attacker to begin snooping around. A primary focus is placed on understanding the local systems, along with the domain they currently have access to. From there, they are free to begin moving laterally. This is where the major weakness with perimeter-style security lies; if reliant on just a single line of defense, lateral movement is made far easier – and the eventual attack more wide-reaching. At this point, however, the attacker is actively expanding its hold over the system and compromising increasingly privileged accounts while remaining as stealthy as possible. 

Stage 4: Exfiltration

The attacker has, at this stage, lodged its reach into as many areas of the organization as possible. Only now, however, is there any action taken that directly benefits the attacking group. The focus switches to identifying and exfiltrating data – the more sensitive, the better. The rise of conjoined extortion and ransomware attacks is thanks to the context of today’s threat management landscape. Data breaches come with hefty fines and a blast of bad PR; from the attacker’s perspective, this data can also be sold to other areas of the cybercrime machine. By this point, the attackers have claimed another victim. Regardless of the ensuing final stage, they’re likely able to make the money they’re after. 

Stage 5: Encryption

Finally, after stealthily siphoning off TBs of company data – across login credentials, customers’ personal information and intellectual property – the cybercriminals are able to land one final blow. Cryptographic ransomware works its way through every file it can access via impacted networks, encrypting as it goes. Advanced forms of some ransomware strains go even further, disabling features that would allow for a last-ditch system restore, and deleting any backups on the infected network. Not all ransomware encrypts, however: some will lock the device’s screen or even flood the user with a never-ending barrage of pop-ups.

Finally, once the device and its associated files are inaccessible, the victim is informed of their ill fate via a ransom note. This often materializes as a .txt file deposited on the computer’s desktop, and contains instructions on how to pay the ransom. 
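The Stage 5 behaviour described above leaves a recognisable trail: one process rewriting many files with near-random content in a short time, followed by a .txt file appearing on the desktop. The following is an added example, not code from this article or from any product, showing one way a defender might score file-activity events for that pattern; the event fields, process names, paths and thresholds are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted output sits close to 8.0, plain text far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_desktop_txt(path: str) -> bool:
    p = PureWindowsPath(path)
    return p.suffix.lower() == ".txt" and p.parent.name.lower() == "desktop"

def find_encryption_bursts(events, window_s=60, min_files=5, min_entropy=7.5):
    """Flag processes that rewrite many files with high-entropy data in a short window."""
    writes, notes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] == "write" and shannon_entropy(e["sample"]) >= min_entropy:
            writes[e["proc"]].append((e["ts"], e["path"]))
        elif e["op"] == "create" and is_desktop_txt(e["path"]):
            notes[e["proc"]].append((e["ts"], e["path"]))
    alerts = {}
    for proc, ws in writes.items():
        # Largest number of distinct files rewritten inside any window_s span.
        best = max(len({p for t, p in ws[i:] if t - t0 <= window_s})
                   for i, (t0, _) in enumerate(ws))
        # Archives and media are high-entropy too, so a single write is not enough.
        if best >= min_files:
            # A .txt dropped on a Desktop by the same process corroborates the burst.
            note = next((p for t, p in notes[proc] if t >= ws[0][0]), None)
            alerts[proc] = {"files": best, "ransom_note": note}
    return alerts

def _ciphertext_like(seed: str) -> bytes:
    # Constructed stand-in for encrypted content (deterministic pseudo-random bytes).
    return hashlib.shake_256(seed.encode()).digest(4096)

# Constructed file-activity events; process names and paths are hypothetical.
SAMPLE_EVENTS = (
    [{"ts": 100 + i, "proc": "invoice_viewer.exe", "op": "write",
      "path": rf"C:\Users\alice\Documents\doc{i}.docx",
      "sample": _ciphertext_like(f"doc{i}")} for i in range(8)]
    + [{"ts": 110, "proc": "invoice_viewer.exe", "op": "create",
        "path": r"C:\Users\alice\Desktop\HOW_TO_RESTORE.txt", "sample": b""}]
    + [{"ts": 50 + i, "proc": "editor.exe", "op": "write",
        "path": rf"C:\Users\alice\Documents\notes{i}.txt",
        "sample": b"meeting notes " * 200} for i in range(8)]
    + [{"ts": 300, "proc": "backup.exe", "op": "write",
        "path": r"D:\backup\nightly.zip", "sample": _ciphertext_like("zip")}]
)

if __name__ == "__main__":
    for proc, info in find_encryption_bursts(SAMPLE_EVENTS).items():
        print(proc, info)
```

On the constructed events, only the process that rewrote eight documents and then dropped a desktop note is flagged; the text editor and the single backup archive are not.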

Who Is a Target for Ransomware?

With every successful attack, the ransomware attacker grows bolder, targeting industries in ways that cause the most pain possible. In recent years, one area has been targeted with particular ruthlessness: critical infrastructure. 

An attack on an energy provider can result in grid failure or inconsistent energy output to homes, commercial buildings, or other critical service providers. Power plants, water treatment facilities, transportation systems, and communication networks have all been areas of particular focus over the last few years. This is largely a result of major flaws hidden deep within industrial control systems, which are used to monitor and control these critical infrastructure components.

Schneider Electric and Siemens are two industrial control vendors whose solutions have already offered attackers multi-chain attack paths. One recent example is a flaw affecting Schneider Electric’s ION and PowerLogic power meters. These provide energy monitoring to organizations across the manufacturing, energy and water sectors; tracked as CVE-2022-46680, this vulnerability has been assigned a severe CVSS score of 8.8 out of 10, and allows threat actors to access credentials that would help them change configuration settings and modify firmware.

Why Are Ransomware Attacks Spreading?

The number of ransomware attacks continues to skyrocket – in part due to a shifting global economy. As ransomware is an attack that’s often heavily financially motivated, socioeconomic issues such as poverty and wealth inequality play a major role in its popularity. This has accelerated within the last few years, too – partly because ransomware is now the most accessible it’s ever been. Aspiring cybercriminals no longer require an in-depth understanding of network security. Instead, certain ransomware developers opt to share their malware code through ransomware-as-a-service (RaaS) arrangements. In this setup, the cybercriminal acts as an affiliate, leveraging pre-written code and sharing a portion of the victim’s ransom payment with the original developer. This symbiotic relationship proves mutually advantageous: affiliates can reap the benefits of extortion without the need to develop their own malware, while developers can enhance their profits without placing themselves on the front lines.

The final reason for an increase in ransomware cases is geopolitical tension. It’s the driving force behind such massive campaigns against infrastructural heavyweights. The idea of a state-backed hacker used to be limited to threat actors that were directly funded by malicious states. Now, times have changed. With Russia’s invasion of Ukraine – and the increasing accessibility of ransomware – unaffiliated threat actors have gotten involved with fervent enthusiasm. Critical infrastructure such as railways has been proudly halted, as in Cyber Partisans’ hack of Belarusian railways, which was orchestrated in an attempt to prevent the movement of Russian soldiers.

History of Ransomware Attacks

Starting with an experimental floppy disk, ransomware has taken a long time to evolve into the hyper-aggressive attacks facing organizations today.

1989: Low-Tech Beginnings. The very first documented ransomware was the AIDS Trojan. Distributed via floppy disks, the birth of ransomware has astonishingly low-tech roots. File directories on the victim’s computer were hidden, before the ransomware popup demanded $189 to reveal them. However, since it encrypted the file names rather than the actual files, users were eventually able to reverse the damage themselves.

2005: New Encryption Styles Emerge. Following a relatively small number of ransomware attacks in the early 2000s, a surge in infections began, mainly concentrated in Russia and Eastern Europe. The first variations that utilized asymmetric encryption emerged. As newer ransomware offered more effective methods for extorting money, an increasing number of cybercriminals started spreading ransomware worldwide.

2009: Untraceable Payments Join the Fray. The advent of cryptocurrency, particularly Bitcoin, provided cybercriminals with an avenue to receive untraceable ransom payments, resulting in the next wave of ransomware activity.

2013: CryptoLocker Proves Itself. The modern era of ransomware commences with the introduction of CryptoLocker, marking the onset of encryption-based ransomware scripts that, once deployed, demand that the victim pay in cryptocurrency.

2015: RaaS is Born. The Tox ransomware variant pioneers the ransomware-as-a-service (RaaS) model, allowing other cybercriminals to easily access and deploy ransomware for their own malicious purposes.

2017: WannaCry hits the NHS. WannaCry emerges as the first widely used self-replicating cryptoworm, enabling rapid propagation of the ransomware across networks and systems.

2018: Ryuk targets the Wall Street Journal and LA Times. Ryuk gains popularity and establishes the concept of big game hunting in ransomware attacks, targeting high-value organizations for larger ransom payouts.

2019: Double Extortion Becomes the Norm. Double ransomware attacks begin to surge. The majority of ransomware incidents handled by the IBM Security Incident Response team now involve both the encryption of data, and a threat to expose it if the ransom goes unpaid.

2023: Thread Hijacking Is Now Popular. Thread hijacking emerges as a prominent vector for ransomware, wherein cybercriminals insert themselves into online conversations of their targets to facilitate the spread of ransomware and increase their chances of successful extortion.

Why You Shouldn’t Just Pay the Ransom

In 2019, most ransomware victims ended up paying their attackers. However, in the first quarter of 2022, that had decreased. This is partly thanks to the overwhelming number of reasons stacked against making that crucial ransom payout.

You May Not Get a Decryption Key

On average, in 2021, organizations that paid the ransom retrieved only 61% of their data. The number of organizations that paid and subsequently received all of their data was a tiny 4%. Once hackers have received the ransom, your data is still worth money to them – selling and leaking it offers them an even greater return on investment.

You Might Get Ransom Demands Repeatedly

An overwhelming majority of victims who pay up are hit with more ransom attacks further down the line. A leading report from 2022 analyzed what happens after an organization simply pays its attackers, and discovered hideously high rates of reoffending. Of all victims that admitted to paying the ransom, 80% of them were later hit a second time – 68% of which saw attacks the very same month with a higher ransom demand. One reason for this is the fact that those choosing to pay up are seen as vulnerable targets. 9% paid a third time.

You Could Soon Be Breaking the Law

The US Department of Treasury has already released an advisory warning of future legal trouble. Being involved in ransomware payments — whether as the victim, a cyber insurance firm or financial institution — could potentially violate laws regarding international security. This is largely thanks to the final point that emphasizes ransomware’s economic realities.

You Fund Criminal Activity

With every victim that pays, hacking groups are able to develop even more advanced methods of using malware to infiltrate more vulnerable businesses. Paying the ransom doesn’t only make the ransomware itself worse – it also directly funds the aggressive nation states that often fund such public and disruptive attacks.

On the flip side, the more obstacles hackers face in their criminal activities, the lower their chances of continuing to hurt other companies.

The Different Types of Ransomware 

Ransomware often takes a variety of different forms, and whilst encryption-based ransomware is one of the more common types, encrypting sensitive data isn’t the only way in which organizations’ data can be held at knifepoint. 


Scareware is ransomware’s low-tech cousin. Often, a malicious payload displays a message that claims to come from law enforcement, or that poses as a legitimate virus-infection warning. It may point the user toward fake antivirus software – making victims pay for the privilege of downloading their own ransomware.


Screen-locking ransomware blocks user access not with encryption, but by simply preventing the user from interacting with any of their files in the first place. Locking up the victim’s entire device is usually achieved by blocking off access to the operating system. Instead of booting up as usual, the device simply displays the ransom demand.


While encryption-based ransomware often lures victims into paying with the promise of everything returning to normal, wipers take a more aggressive approach. The ransom note will threaten to destroy all data if left unpaid. Even in cases where victims pony up, the data is often deleted regardless. The sheer destructive potential of wipers makes them a particularly well-utilized tool for nation-state actors and hacktivists.

Popular Ransomware Variants

In the muddy, ever-evolving realm of ransomware, variants can be here one moment and gone the next. Four major players have entered the scene in the last decade, each of which has played a unique role in pushing the illicit industry into new terrain.


WannaCry was the first prominent example of a cryptoworm – the type of ransomware that’s able to spread to other devices within a network. It targeted over 200,000 computers across 150 countries, exploiting the EternalBlue vulnerability in Microsoft Windows that administrators had failed to patch. In addition to encrypting valuable data, WannaCry ransomware also posed a threat to wipe files if payment was not received within a seven-day period.

The WannaCry attack stands as one of the largest ransomware incidents recorded to date, with estimated costs reaching as high as USD 4 billion. Its wide-scale impact and rapid propagation highlighted the significant consequences that unpatched vulnerabilities and the negligence of system administrators can have in the face of such cyber threats.


REvil, also referred to as Sodin or Sodinokibi, played a significant role in popularizing the Ransomware-as-a-Service (RaaS) model for distributing ransomware. This approach allows other cybercriminals to access and utilize the REvil ransomware for their own malicious activities. REvil gained notoriety for its involvement in big-game hunting attacks and double-extortion tactics.

In 2021, REvil was responsible for notable attacks on JBS USA and Kaseya Limited. JBS, a prominent beef processing operation in the United States, experienced a disruption that led to the payment of a USD 11 million ransom. The attack impacted JBS’ beef processing operations across the entirety of the US. Kaseya Limited, a software provider, saw over a thousand customers affected thanks to the significant downtime caused by the attack.

In early 2022, the Russian Federal Security Service stated that they’d dismantled REvil and had begun charging several of its members for their past crimes.


First observed in 2018, Ryuk ransomware spearheaded the “big-game ransomware” attacks that specifically target high-value entities; their ransom demands regularly exceeded one million dollars. Ryuk is equipped to target such successful organizations thanks to its aggressive ability to identify and disable backup files and system restore functionalities. In 2021, a new strain of Ryuk with cryptoworm capabilities was identified, further enhancing its capacity for rapid and extensive infection.


DarkSide is a ransomware variant that is believed to be operated by a group suspected to be based in Russia. On May 7, 2021, DarkSide carried out a significant cyberattack on the U.S. Colonial Pipeline, which is considered the most severe cyberattack on critical infrastructure in the United States thus far. As a consequence of the attack, the pipeline, responsible for supplying approximately 45 percent of the fuel to the U.S. East Coast, was temporarily shut down.

The DarkSide group not only conducts direct ransomware attacks but also licenses its ransomware to other cybercriminal affiliates, allowing the group to expand its reach and profits.

How To Protect Against Ransomware

It is crucial to thoroughly investigate the source of a ransomware attack and take appropriate measures to address the issue. If the attack originated from an employee clicking on a risky link, it is important to enhance employee training in identifying phishing attacks and emphasize the importance of maintaining secure, unique passwords, such as passphrases. Implementing two-factor authentication software for all devices and employees can provide an extra layer of protection.

Regularly updating software and hardware is essential to mitigate potential vulnerabilities. Strengthening your cybersecurity infrastructure is necessary to keep up with the ever-evolving tactics employed by attackers. Regularly configuring your network can help intercept malicious traffic and make it more challenging for criminals to target your organization.

Identifying any security gaps and promptly addressing them is vital. Each security incident should be viewed as an opportunity to gain insights into infrastructure vulnerabilities and enhance the overall security posture. Security is an ongoing process that requires constant testing and improvement to stay ahead of potential threats.

How LayerX Protects from Ransomware

As ransomware tactics have grown from strength to strength, the vulnerabilities that pave the way for attackers have shifted. At the same time, the browser has become a core component of the modern workspace, as have applications that span from managed to wholly unsanctioned apps. Sitting between the safe environment of a protected endpoint and the world wide web is the unique intersection of these applications – and the weak point of many organizations. 

LayerX protects the assets that are beyond the control of the enterprise’s security team by introducing deep granularity. This singles out any activities that may introduce the risk of ransomware or RAT download. A focus on on-the-ground protection allows LayerX to deploy with a rapid-installation browser extension at the level of user profile. User-first visibility is combined with industry-leading analysis at the forefront of LayerX’s threat intel cloud. Upon the proactive identification of high-risk elements, LayerX’s enforcer elements act decisively – neutralizing any threat of widespread encryption without the threat of user disruption. With LayerX, organizations can deploy full protection to anywhere users access the web.