
What Are Ransomware Attacks?

Ransomware attacks are malware attacks in which threat actors encrypt files, exfiltrate (steal) data and threaten to publish it, or both, to coerce the victim into paying a ransom, usually in cryptocurrency. Attackers generally promise to provide decryption keys and/or delete the stolen data once paid, but nothing forces them to keep that promise. Ransomware has become a highly popular means of extortion as remote and hybrid work have multiplied the endpoints and remote-access services exposed to attackers.

How Do Ransomware Attacks Work?

A typical ransomware attack sequence looks like this:

Initial Compromise

Many ransomware attacks begin with phishing emails, often masquerading as messages from trusted retailers, banks, or other entities about delivery delays, fraudulent purchases, low balances, and so on. Such emails carry malicious attachments or links that, when opened, drop malware onto the victim’s computer or mobile device and give the attacker a foothold.

Lateral Movement

Once malware infects a device, the attack spreads. If the infected device is on a corporate network, the malware (or an operator working through it) will try to steal credentials, escalate privileges, and ultimately compromise a domain controller, so that it can move laterally across the network and push the ransomware to other devices.

Execution

The ransomware executes once the attacker has sufficient access, encrypting and/or exfiltrating the victim’s data. Finally, the victim receives a ransom demand, typically with a deadline after which the data will be sold, leaked, or rendered unrecoverable. If the victim pays, they are supposed to receive a decryption key that lets them retrieve their data, but they don’t always get one, and even when they do, it doesn’t always work.
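The execution stage described above has a recognizable footprint on the endpoint: a single user session rewrites many files with a new extension in a short burst and then drops a ransom note. The following is an added example, not code from the original article or from Zscaler, that runs that detection over a constructed file-activity log. It assumes a hypothetical log format ("timestamp user host ACTION path", with RENAME lines carrying "old -> new"); the users, hosts, paths, the ".lockd" extension and the note name are constructed sample data, not real indicators.

```python
"""Added example (not from the original article): flag a ransomware-style
encryption burst in file-activity logs.

Assumption (not from the page): an endpoint agent or file-server audit log
emits one line per event as "timestamp user host ACTION path", and RENAME
events carry "old -> new". Users, hosts, paths, the ".lockd" extension and
the note name below are constructed sample data, not real indicators.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import posixpath
import re

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (CREATE|WRITE|RENAME|DELETE) (.+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Hypothetical ransom-note naming pattern; real families use their own names.
NOTE_RE = re.compile(r"(readme|how_to|restore|decrypt).*\.(txt|html|hta)$", re.I)

RENAME_THRESHOLD = 5            # distinct files given a new extension ...
WINDOW = timedelta(seconds=60)  # ... by one user on one host within this window


def parse_line(line):
    """Parse one log line into a dict, or return None if it doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, host, action, rest = m.groups()
    src, _, dst = rest.partition(" -> ")
    return {"ts": datetime.strptime(ts, TS_FMT), "user": user, "host": host,
            "action": action, "src": src, "dst": dst or None}


def extension(path):
    return posixpath.splitext(path)[1].lower()


def detect(lines):
    """Return alerts: ("encryption_burst", (user, host), new_ext, count) when
    one actor re-extensions RENAME_THRESHOLD distinct files inside WINDOW, and
    ("ransom_note", (user, host), path) when a note-like file is created."""
    alerts = []
    recent = defaultdict(deque)   # (user, host) -> (ts, old_path, new_ext)
    flagged = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["host"])
        if ev["action"] == "CREATE" and NOTE_RE.search(posixpath.basename(ev["src"])):
            alerts.append(("ransom_note", key, ev["src"]))
        if ev["action"] == "RENAME" and ev["dst"] and extension(ev["dst"]) != extension(ev["src"]):
            q = recent[key]
            q.append((ev["ts"], ev["src"], extension(ev["dst"])))
            while q and ev["ts"] - q[0][0] > WINDOW:   # slide the window
                q.popleft()
            by_ext = defaultdict(set)
            for _, path, ext in q:
                by_ext[ext].add(path)
            for ext, paths in by_ext.items():
                if len(paths) >= RENAME_THRESHOLD and (key, ext) not in flagged:
                    flagged.add((key, ext))          # alert once per actor/extension
                    alerts.append(("encryption_burst", key, ext, len(paths)))
    return alerts


def sample_log():
    """Constructed sample: bob works normally (one legitimate extension change);
    alice's session re-extensions eight documents in 20 seconds, then drops a note."""
    base = datetime(2024, 5, 1, 9, 0, 0)

    def t(sec):
        return (base + timedelta(seconds=sec)).strftime(TS_FMT)

    lines = [f"{t(0)} bob ws22 WRITE /home/bob/notes.md",
             f"{t(5)} bob ws22 RENAME /home/bob/draft.txt -> /home/bob/draft.md"]
    for i in range(8):
        lines.append(f"{t(30 + 2 * i)} alice ws17 RENAME /srv/docs/report-{i}.docx"
                     f" -> /srv/docs/report-{i}.docx.lockd")
    lines.append(f"{t(50)} alice ws17 CREATE /srv/docs/HOW_TO_RESTORE_FILES.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Bob's single rename never reaches the threshold, so only alice's session fires: one burst alert at the fifth re-extensioned file and one note alert. In production the thresholds would be tuned per file server, and legitimate bulk operations (archiving scripts, migrations) would need an allow-list.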

Consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network.

- Cybersecurity and Infrastructure Security Agency

How Have Ransomware Attacks Evolved?

Ransomware dates to 1989, when attendees of a World Health Organization AIDS conference received “AIDS Information” floppy disks carrying a trojan. After roughly 90 reboots of an infected system, the trojan hid directories and encrypted the names of files on the hard drive, then displayed a notice from "PC Cyborg Corporation" demanding a $189 payment to a post office box in Panama to restore access.

The next wave of ransomware-style cyberattacks came in the early 1990s with “scareware,” so called for its fear-based social engineering. Infected computers would display a fake error or infection warning, followed by an offer to buy and download software to fix the problem. Of course, the “fix” was more malware, often designed to steal data.

The rise of file sharing popularized a category of ransomware called police lockers, screen lockers, or simply lockers. Often hidden on sites hosting peer-to-peer downloads or adult content, lockers displayed a message claiming that the system had been locked (frequently in the name of a law enforcement or government agency such as the FBI, citing suspected illegal activity) until the user paid a fine. Many lockers merely blocked mouse and keyboard input or covered the screen, and a restart could restore normal function, but fear led many victims to pay.

The Link Between Ransomware and Cryptocurrency

Early on, ransom demands from individual users typically peaked at a few hundred dollars. Moreover, ransoms were usually paid with ordinary payment cards or wire transfers, making the transactions far easier to track and the threat actors easier to catch.

Today, cryptocurrency has helped ransomware explode in popularity. Bitcoin and similar digital currencies let attackers collect payment pseudonymously, without a bank or card network that could refuse, reverse, or freeze the transaction. Payments are not untraceable, though: transactions sit on a public ledger, and blockchain analysis has let law enforcement trace and in some cases seize ransom payments, as the US Department of Justice did with part of the Colonial Pipeline ransom in 2021.

Ransomware as a Service (RaaS)

RaaS is a byproduct of that success. Operators lease their ransomware and infrastructure to affiliates on subscription or revenue-share terms, much like legitimate SaaS offerings, and the kits are inexpensive and readily available on the dark web. They enable even people without programming skills to launch attacks and earn a portion of the proceeds.

Double Extortion Ransomware

Eventually, better backup and recovery practices began to move the needle in victims’ favor. In response, in late 2019, the Maze group (tracked by Proofpoint as TA2101) perpetrated the first high-profile double extortion ransomware attack, both encrypting and exfiltrating the victim’s data before threatening to leak it unless paid US$2.3 million in bitcoin. This way, even if the victim restored from backups, they would still suffer a public data breach unless they paid.

Encryption-less Ransomware

In 2022 and 2023, an insidious trend emerged that redefined ransomware at its core. Both an evolution and a regression of sorts, encryption-less ransomware attacks skip encryption entirely: attackers focus only on exfiltrating sensitive data as leverage for extortion.

Victims of these attacks tend to be in industries that handle highly sensitive PII, such as the legal and healthcare sectors. Because their key concern is preventing leaks of that data, many will pay regardless of whether anything was encrypted. And because nothing is encrypted, the victim’s operations aren’t disrupted and there is nothing to recover, which attracts less attention and often translates to faster ransom payouts.

Learn more about encryption-less ransomware and other trends in the Zscaler ThreatLabz 2023 Ransomware Report.

Types/Examples of Ransomware Attacks

Among the myriad types of ransomware and ransomware groups, some of the most common and well-known are:

  • CryptoLocker: Distributed through the Gameover ZeuS botnet and notable for its use of strong public-key encryption, this ransomware was so successful in 2013 and 2014 that it continues to inspire copycats.
  • Dridex: A prominent banking trojan spread via phishing emails and known for stealing banking credentials, it is associated with ransomware families such as WastedLocker, BitPaymer, and DoppelPaymer.
  • WannaCry: A cryptoworm targeting Microsoft Windows that spread on its own using the EternalBlue SMB exploit, it has impacted more than 300,000 systems worldwide since its May 2017 outbreak.
  • NotPetya: Surfacing soon after WannaCry, NotPetya first appeared to be ransomware but was actually destructive wiper malware disguised as ransomware, attributed to the Russian GRU unit known as Sandworm.
  • Ryuk: This ransomware strain has been tied to a number of groups that have hit the healthcare industry, the public sector, and education, particularly US school systems.
  • REvil: Notorious for breaches in the legal, entertainment, and public sectors, REvil launched a barrage of attacks between May 2020 and October 2021, including the Kaseya VSA supply chain attack.
  • DarkSide: The RaaS operation behind the 2021 Colonial Pipeline attack, DarkSide is one of the most famous examples of double extortion ransomware.
  • GandCrab: VirusTotal’s 2021 Ransomware in a Global Context report cited GandCrab as the most prevalent ransomware family, accounting for 78.5% of the samples analyzed for the report.

Are you safe from ransomware attacks? Run a free Internet Threat Exposure Analysis to find out.

What Are the 7 Main Ransomware Attack Vectors?

Ransomware attackers are always looking for new ways in, but several strategies stand out as the most popular (and effective) means of infiltrating systems. These are the most common ransomware attack vectors:

  • Phishing: Deceptive emails or similar messages, usually carrying malicious links or attachments, trick users into letting ransomware onto their system.
  • Drive-by downloads: Attackers exploit software, OS, or browser vulnerabilities to silently download ransomware when victims visit compromised websites or follow malicious links.
  • Software vulnerabilities: Attackers exploit unpatched weaknesses in internet-facing applications or systems (VPN gateways, firewalls, file transfer servers) to gain an entry point into a network, where they can deploy ransomware directly.
  • Malicious websites: Attackers create fake or copycat sites that users mistake for legitimate ones, then entice visitors into downloading ransomware under false pretenses.
  • Watering hole attacks: Attackers compromise legitimate websites frequented by their intended victims, then use social engineering to trick visitors into downloading ransomware.
  • Remote Desktop Protocol (RDP) attacks: Attackers gain illicit access to exposed RDP services, generally by brute-forcing, buying, or stealing login credentials, and use that access to deploy ransomware directly onto the target network.
  • Malvertising (malicious advertising): Attackers place malicious ads on otherwise legitimate websites, which infect systems with ransomware when victims interact with the ad.
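RDP attacks, the sixth vector above, usually leave a distinctive trail in Windows Security logs: a run of failed logons from one source address, followed by a success. The following is an added example, not code from the original article or from Zscaler, that flags that pattern over constructed event records. It assumes the standard Windows event semantics (EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) and a hypothetical export in which each event is a dict with those fields plus a parsed time; the IPs, hosts and account names are constructed sample data.

```python
"""Added example (not from the original article): spot an RDP credential
brute-force that ends in a successful logon, using Windows Security events.

Assumptions (not from the page): events have been exported as dicts with the
standard fields EventID (4625 = failed logon, 4624 = successful logon),
LogonType (10 = RemoteInteractive, i.e. RDP), IpAddress, TargetUserName and a
parsed "time". IPs and account names below are constructed sample data
(203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10             # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)   # ... within this window before a success


def rdp_bruteforce_then_success(events):
    """Return (source_ip, account, failures) for every successful RDP logon
    preceded by >= FAIL_THRESHOLD RDP failures from the same source inside
    WINDOW. Non-RDP logon types (network, service, batch) are ignored."""
    failures = defaultdict(list)  # source ip -> timestamps of recent 4625s
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("LogonType") != 10:
            continue
        ip, ts = ev["IpAddress"], ev["time"]
        failures[ip] = [t for t in failures[ip] if ts - t <= WINDOW]
        if ev["EventID"] == 4625:
            failures[ip].append(ts)
        elif ev["EventID"] == 4624 and len(failures[ip]) >= FAIL_THRESHOLD:
            hits.append((ip, ev["TargetUserName"], len(failures[ip])))
            failures[ip].clear()  # report each brute-force once
    return hits


def sample_events():
    """Constructed sample: one password spray that succeeds, one user who
    mistypes once, and a noisy non-RDP service account that must be ignored."""
    base = datetime(2024, 5, 1, 2, 0, 0)

    def ev(sec, event_id, ip, user, logon_type=10):
        return {"time": base + timedelta(seconds=sec), "EventID": event_id,
                "LogonType": logon_type, "IpAddress": ip, "TargetUserName": user}

    events = []
    # Attacker sprays twelve guesses over two minutes, then lands on svc_backup.
    for i, user in enumerate(["administrator", "admin", "backup", "svc_backup"] * 3):
        events.append(ev(10 * i, 4625, "203.0.113.45", user))
    events.append(ev(130, 4624, "203.0.113.45", "svc_backup"))
    # Legitimate user mistypes once, then logs in.
    events.append(ev(300, 4625, "198.51.100.7", "jsmith"))
    events.append(ev(315, 4624, "198.51.100.7", "jsmith"))
    # Misconfigured service hammering SMB (logon type 3): not RDP, so ignored.
    for i in range(15):
        events.append(ev(400 + i, 4625, "198.51.100.9", "svc_scan", logon_type=3))
    events.append(ev(420, 4624, "198.51.100.9", "svc_scan", logon_type=3))
    return events


if __name__ == "__main__":
    for ip, account, n in rdp_bruteforce_then_success(sample_events()):
        print(f"RDP brute-force success: {account} from {ip} after {n} failures")
```

The filter on LogonType 10 is what keeps this rule quiet: failed network logons (type 3) from misconfigured services are common and would otherwise drown the signal. A successful hit is the point at which the attacker has a foothold on the network, so it should page someone rather than land in a daily report.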

Should You Pay the Ransom?

Many a ransomware victim’s most difficult question: “To pay, or not to pay?”

Many organizations are willing to pay to protect their data, but is that the right decision? Multiple industry surveys since 2021 have found that some 80% of organizations that pay are hit again. Beyond that, as Zscaler CISO Brad Moldenhauer put it, “There is a real argument to be made that paying digital ransoms could aid and abet terrorism and certainly does so for cybercrime.”

There are other angles to consider, as well:

  • There’s no guarantee you’ll recover all your data, assuming recovery was ever the attacker’s intent (read about NotPetya).
  • In some circumstances and jurisdictions, paying a ransom is illegal or violates sanctions law.
  • In the case of double extortion, even if your remediation efforts recover your data, not paying means accepting that the threat actors may publish it, and paying doesn’t guarantee they will delete it.

Often, the choice comes down to your organization’s unique circumstances, including how your operations, users, and customers are affected by a breach and the possibility that you won’t recover your data.

What Are the Effects of Ransomware on Businesses?

Ransomware is impacting organizations of all kinds worldwide, with more attacks each year, and it can have ill effects on revenue, public opinion, and more.

Lost Capital and/or Data

Making the choice between losing data and losing money is a dangerous dilemma, particularly in industries that handle sensitive data. If you ignore ransom demands, you risk a data leak. And even if you pay, there’s no guarantee you’ll get your data back.

Reputational Damage

Whether you pay or not, in most jurisdictions and regulated industries you're obligated to report the breach to regulators, affected individuals, or both, which can lead to media coverage. When attacks hit the news, victim organizations risk losing business, customer trust, or both, even if they are arguably not at fault.

Legal Repercussions

A few US states (North Carolina and Florida, for example) prohibit state and local government entities from paying ransoms, and other jurisdictions are weighing similar rules. Anywhere in the US, paying a group or wallet on the OFAC sanctions list can itself violate sanctions law. In addition, a breach can bring regulatory scrutiny and breach-notification duties, which may lead to fines and other legal costs.

Steps to Take to Remove Ransomware

Ransomware can be overcome, but you have to take it a step at a time:

Step 1: Isolate infected devices by disconnecting them from wired and wireless networks (or disabling their network interfaces) to contain the spread. Power them off only if you cannot isolate them any other way: shutting down destroys volatile memory that forensic analysis, and in some cases key recovery, depends on. If you discover ransomware before it executes, you may be able to remove it before the attacker can make a demand.

Step 2: Identify the strain (the ransom note, the extension added to encrypted files, and a sample encrypted file are usually enough) and check whether a free decryptor exists, for example through the No More Ransom project. Don’t count on one: decryptors exist only for families whose keys have leaked or whose cryptography was flawed, and no decryptor helps with exfiltrated data in a double extortion case.

Step 3: Restore lost data from backups. Offline or immutable backups that you regularly test by actually restoring them are the only way to be confident you can recover everything once it’s encrypted; ransomware operators routinely look for online backups and encrypt or delete them first. If for any reason you cannot recover your data, carefully consider the legal and financial consequences before complying with any ransom demand.

Step 4: Remove the ransomware, ideally with the help of an incident response professional, who should conduct a thorough root cause investigation to determine the initial access vector and the credentials, tools, and persistence mechanisms the attacker used. Rebuild affected systems from known-good images rather than trusting a cleaned host.

Step 5: Evaluate the cause of the infection and shore up your defenses wherever they failed, whether that’s an unpatched internet-facing service, a gap in email filtering, exposed RDP, a lack of user training, or something else. Repeat attacks can and do happen, and you can be better prepared for the next one.

Ransomware Prevention Is Key

The reality is that once your data is encrypted or exfiltrated, one way or another, you lose. That’s why prevention is the real key to ransomware defense.

Stopping every ransomware attempt that comes your way is likely impossible, but with due diligence, cybersecurity awareness training, and the right technology, you can minimize your risk. You need an effective anti-ransomware strategy, including principles and tools that:

  • Use an AI-driven sandbox to quarantine and inspect suspicious content
  • Inspect all TLS/SSL-encrypted traffic
  • Implement always-on protection by following off-network connections

Pairing modern solutions with a proactive defensive approach is widely regarded as the most effective ransomware protection model in today's cybersecurity playbook.

How Zscaler Can Help

Zscaler offers cloud native ransomware protection to secure organizations against ransomware through the Zscaler Zero Trust Exchange™, a platform that:

Uses AI-Driven Sandbox Quarantine

Zscaler can quarantine and fully analyze suspicious or never-before-seen files before delivery, virtually eliminating the risk of patient zero infections. In contrast to legacy passthrough approaches, such files won’t reach your environment unless first deemed safe.

A cloud native, AI-driven solution like Zscaler Sandbox (part of the Zero Trust Exchange) delivers benefits beyond those of legacy antivirus/anti-malware solutions, including:

  • Complete control over quarantine actions, with granular policy defined by groups, users, and content type
  • Real-time security verdicts on unknown files powered by machine learning
  • Fast, secure file downloads, with any files identified as malicious marked for quarantine

Inspects All Encrypted Traffic

Zscaler operates a cloud native proxy architecture that lets you perform full TLS/SSL inspection at scale without worrying about the performance limitations of costly appliances. 

Using a global cloud distributed across more than 150 data centers on six continents, the Zscaler cloud thoroughly inspects TLS/SSL traffic for hidden ransomware threats with no dips in performance—even if user bandwidth dramatically increases.

Follows Off-Network Connections

The Zero Trust Exchange delivers AI-driven sandboxing and TLS/SSL inspection to users anywhere, on any device. Every connection over any network gets identical protection to uncover and thwart both known and unknown cyberthreats, keeping your organization free from patient zero ransomware infections.

This approach to preventing ransomware starts with securing user connections. Off-network users simply add Zscaler Client Connector, our lightweight endpoint agent, to their laptops or mobile devices (with support for Android, iOS, macOS, and Windows) to get the same tools, policy enforcement, and access controls they would get at headquarters.

Effective ransomware attack prevention starts with the Zero Trust Exchange.

Suggested Resources

Zscaler ThreatLabz 2023 Ransomware Report
Get the report
Nokoyawa Ransomware: Rust or Bust
Read the blog
Three Secrets to Stopping Ransomware Cold
Watch the webinar
What Is Ransomware?
Read the article
The World’s Most Effective Ransomware Protection
Learn more
How to Protect Your Data from Ransomware and Double-Extortion
Read the blog