What Are Ransomware Attacks?

Ransomware is a type of malware (malicious software) that “locks” a system or encrypts files until the victim pays a ransom, usually in cryptocurrency. Once the ransom payment is made, the victim is supposed to receive a decryption key to regain access to files and systems. Ransomware is a highly popular method of extortion by cybercriminals. As remote and hybrid work models expose endpoints to new vulnerabilities, hackers are leveraging this method of cybercrime to target sensitive data.

How Do Ransomware Attacks Work?

A typical ransomware attack happens in four phases.

 

1. Delivery

The first phase, delivery, is usually carried out by a phishing email designed to entice a user to open it. The email often appears to be from a trusted source, such as a well-known brand. Shipping companies, banks, and large retailers are commonly “spoofed” in phishing emails with messages about a delay in delivery, fraudulent purchases, low balances, and so on.

These emails are designed to look like they’re from familiar senders, but they include malicious files such as PDFs or Google Drive links. These files contain malware loaders that, once the file is opened, drop the malicious content onto the victim’s system and set up the attack.

 

2. Exploitation

In the next phase, exploitation, the attack spreads once the malware has been successfully loaded. This phase typically begins after the recipient opens an email attachment that transmits malware to a device.

If the infected device is on a network, the malware identifies the domain controller with which the device is communicating. Once identified, it steals credentials, allowing it to move throughout the network and infect other devices.

 

3. Callback

The next phase is the callback, wherein the malware payload attempts to communicate with its command-and-control (C2) servers where the stolen data is sent.

 

4. Detonation

The C2 servers then send the payload instructions on how to carry out the final phase: detonation. During this phase, the malware steals data and installs the ransomware, encrypting and locking the system or data so an individual or company can’t access it. The victim typically has a limited amount of time to pay the ransom before the data is lost forever, and sometimes, the ransom demands increase in the hours before the payment is due.

If the ransom is paid, victims are supposed to get a decryption key that allows them to get their data back, but they don’t always get the key—and even when they do, it doesn’t always work.

In recent attacks, some criminals have begun stealing the data before encrypting it, and then threatening to expose it. This way, even if victims have good backups, they're more likely to pay the ransom.
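
Defenders can often spot the callback phase by its timing: automated check-ins to a C2 server recur at near-constant intervals, unlike human browsing. The following is an added example, not part of the original page or any vendor product; the log format, hostnames, and thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (timestamp, client, destination); not real traffic.
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 c2.example.test
2024-01-10T09:00:05 10.0.0.7 www.example.org
2024-01-10T09:00:09 10.0.0.7 www.example.org
2024-01-10T09:01:00 10.0.0.5 c2.example.test
2024-01-10T09:02:01 10.0.0.5 c2.example.test
2024-01-10T09:02:30 10.0.0.5 mail.example.org
2024-01-10T09:03:00 10.0.0.5 c2.example.test
2024-01-10T09:03:40 10.0.0.7 www.example.org
2024-01-10T09:04:00 10.0.0.5 c2.example.test
2024-01-10T09:04:02 10.0.0.7 www.example.org
2024-01-10T09:05:01 10.0.0.5 c2.example.test
2024-01-10T09:11:30 10.0.0.7 www.example.org
2024-01-10T09:11:31 10.0.0.7 www.example.org
"""

def find_beacons(log_text, min_events=5, max_cv=0.1):
    """Return (client, destination, mean_interval_s) for pairs whose
    request timing is regular enough to look automated."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, client, dest = parts
        seen[(client, dest)].append(datetime.fromisoformat(ts))
    hits = []
    for (client, dest), times in sorted(seen.items()):
        if len(times) < min_events:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        # Coefficient of variation: a low value means a near-constant interval.
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((client, dest, round(mean, 1)))
    return hits

if __name__ == "__main__":
    for client, dest, interval in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest} every ~{interval}s")
```

Legitimate software such as update checkers also polls on a schedule, so a hit is a lead to investigate against known-good destinations, not a verdict.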

Consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network.

Cybersecurity and Infrastructure Security Agency

How Have Ransomware Attacks Evolved?

Ransomware may be the tool of choice among today’s cybercriminals, but it’s not new. In fact, it’s been around in various forms for decades.

The first known ransomware was introduced in 1989 by Dr. Joseph Popp. He mailed floppy disks titled "AIDS Information Introductory Diskette" to World Health Organization AIDS conference attendees in Stockholm. These disks contained malicious code that installed itself onto MS-DOS systems and began counting the number of times users started up their machines.

On the 90th time, Dr. Popp’s trojan hid all the directories and encrypted all the files on the drive, making them unusable. Victims then saw a note claiming to be from PC Cyborg Corporation stating that the owner’s software lease had expired and that they had to send $189 to an address in Panama to regain access.

The next wave of ransomware-style cyberattacks was dubbed "scareware." Users would receive a warning about a catastrophic error on their computer, followed by a command to pay for and download software to clean or fix their device. Of course, the software was merely more malware designed to steal information from the computer.

As file sharing became more popular, another common form of ransomware developed, dubbed the Police Locker attack. Often hidden on peer-to-peer download sites or websites hosting pirated or adult material, this attack would change the user's desktop to display a note claiming that law enforcement had locked the computer due to suspected illegal activity. Fear led many victims to pay a few hundred dollars to have their computers unlocked. However, in many of these attacks, the locker could have been removed by simply restarting the system.

Types/Examples of Ransomware Attacks

Among the myriad types of ransomware and ransomware groups, some of the most common and well-known are:

  • GandCrab: According to VirusTotal’s Ransomware in Global Context report, this family has been the most prevalent in ransomware attacks since 2020, with 78.5% of the samples taken for the report coming from this family.
  • REvil: This group is notorious for stealing large quantities of information in the legal and entertainment industries as well as the public sector. They first made headlines in May 2020, but carried out successive attacks each month from March to October 2021, including the Kaseya VSA attack.
  • WannaCry: A ransomware cryptoworm that targets the Microsoft Windows operating system, it has impacted more than 300,000 systems (and counting) worldwide since its release in 2017.
  • Ryuk: This strain of ransomware has been tied to a number of groups that have impacted industries such as healthcare, the public sector, and education, particularly US school systems.
  • DarkSide: Associated with the DarkSide ransomware group, this variant was responsible for the Colonial Pipeline attack in 2021 and is one of the most noteworthy examples of double extortion ransomware. This variant is typically used as a service.
  • Evil Corp: This group is responsible for Dridex, a type of malware deployed through phishing emails that’s known for stealing banking credentials. It has since been associated with other types of ransomware such as WastedLocker, BitPaymer, and DoppelPaymer.
  • Maze: This variant was first found in May 2019 and used in a ransomware attack on Cognizant, which caused service disruptions for some of its clients.

In some recent cases of ransomware attacks, the victim organizations have paid huge amounts to the attackers, which can be one of the reasons these attacks are getting more popular.

Paul Webber, Senior Director Analyst, Gartner

The Link Between Ransomware and Cryptocurrency

In the beginning, ransom demands were typically a few hundred dollars because the targets were still mostly home users. Victims of ransomware would pay with standard currency, meaning the criminals responsible had a much greater chance of being identified.

The rise of cryptocurrencies—digital currencies based on anonymity and encryption—has seen a reversal of fortune for these attackers. Cryptocurrencies such as bitcoin make transactions nearly impossible to trace, allowing bad actors to cover their tracks.

Ransomware as a Service (RaaS)

Ransomware as a service is a byproduct of ransomware's popularity and success. Like many legal SaaS offerings, RaaS tools are usually subscription-based. They're often inexpensive and readily available on the dark web, providing a platform for anyone—even those without programming skills—to launch an attack. If a RaaS attack is successful, the ransom money is divided between the service provider, the coder, and the subscriber.

Should You Pay the Ransom?

This is the age-old question when it comes to ransomware. To pay, or not to pay?

Of course, many organizations are willing to pay given the risk of their data being exposed, but is that the right way to handle the situation? Gartner data says that “80% of (organizations who pay) suffer another ransomware attack.” Perhaps it’s not a best practice to pay, but what’s the alternative—letting the bad actors expose your data to the world?

Unfortunately, there’s no definite correct answer. Gartner analyst Paul Proctor effectively asserts that it’s up to you: “It comes down to when business outcomes are impacted by the lack of the stolen data. The organization must weigh if the business loss is worth rolling the dice on making a payment.”

What Are the Effects of Ransomware on Businesses?

You only need to check the news every other day to understand how ransomware is impacting businesses across all industries. But, in case you’ve been living under a rock, here are some of the ways in which ransomware can hurt your bottom line:

You Will Lose Money and/or Data

The most obvious complication brought on by ransomware lies in the fact that those who deploy it are seeking to hold your data hostage (hence “ransom”) until you pay them a sum of money for its return. This factor alone plays into a dangerous catch-22 for your business, particularly if you work in healthcare, the public sector, finance, or other industries housing boatloads of sensitive data.

If you ignore a bad actor’s demands, you risk exposing your data to the public, or worse, to other threat groups who will pay large sums for it. But, even if you pay the ransom, odds are you will not get your data back. This is why ransomware prevention is key.

Your Reputation Will Suffer

Whether you choose to pay the ransom or not, you're obligated to report the crime, and eventually, your organization will end up on a headline. Many have experienced this already, and the list will continue to grow as long as ransomware keeps evolving and companies keep failing to prepare for it.

Often, businesses that fall victim to ransomware lose business due to a loss of trust from their customers. While the company may not be 100% to blame, it’s likely that’s where customers and potential consumers will pin it.

You May Face Legal Repercussions

Yes, paying the ransom on a ransomware attack is illegal. In a 2020 ruling, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) declared it illegal to pay a ransom in most cases.

As if the loss of data and capital and the harm to public image weren’t bad enough, legal fees may also cost you as a result of ransomware.

So, What’s the Outlook?

Gartner has named “new ransomware models” as the top risk organizations face. According to the firm's Emerging Risks Monitor Report, concerns about ransomware have become even greater than those about the pandemic.

If it wasn’t clear before, it’s clear now—you need to know not only how to prepare for a ransomware attack, but how to prevent one altogether.

Stopping every ransomware attack that comes your way is impossible, but through rigorous due diligence, awareness training, and with the right technology, you can minimize the threat these attacks pose to your business.

 

Steps to Take to Remove Ransomware

Ransomware can be ousted, but it must be done carefully and cautiously by following a step-by-step process.

Step 1. Isolate the Infected Device

This means disconnecting said device from any wired or wireless connections to quarantine the ransomware and prevent it from spreading. Be sure to immediately remove the malware from the system if the ransom hasn’t been demanded yet.

Step 2. Find Out What Kind of Ransomware You’re Dealing With

With the help of a security professional or tool, learn which strain of ransomware needs to be removed. This knowledge will give you a better understanding of how to mitigate the ransomware that’s made its way into your system.

Step 3. Remove the Ransomware

Remove the infection from your hard drive with a ransomware removal tool, the help of an IT security professional, or your own manual process. Then, use a ransomware decryptor or decryption tool to retrieve the encrypted data being held hostage.

Step 4. Restore the System with a Backup

Use a system restore or recover files from the compromised OS. As a part of this process, it’s important to ensure that you’ve backed your data up, as this will be the only way to access it once ransomware has encrypted it. This is a best practice for ransomware and data breaches alike.
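
Before restoring in Step 4, it helps to know which files were actually encrypted. This added example (not from the original page) flags files whose bytes are near-random and whose expected file header is missing; the file names, sample contents, header table, and the 7.5 bits-per-byte threshold are assumptions chosen for illustration.

```python
import math
import os
import random
from collections import Counter

# Leading bytes that well-formed files of these types start with.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    high = shannon_entropy(data) >= threshold
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    if magic is not None:
        # Compressed formats are high-entropy by design, so for known
        # types also require that the expected header has been destroyed.
        return high and not data.startswith(magic)
    return high

def triage(files: dict) -> list:
    """Return the sorted names of files that should be restored from backup."""
    return sorted(n for n, d in files.items() if looks_encrypted(n, d))

# Constructed sample data; the fixed seed keeps it reproducible.
_rng = random.Random(1)
_noise = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_FILES = {
    "report.txt": b"Quarterly revenue summary, draft 3.\n" * 100,  # plain text
    "logo.png": b"\x89PNG\r\n\x1a\n" + _noise,  # compressed, header intact
    "invoice.pdf": _noise,                      # PDF header overwritten
    "db_export.dat": _noise[::-1],              # unknown type, random bytes
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES))
```

A file that keeps its header but is partly overwritten will not be flagged, so treat the result as a first pass and confirm against backup checksums.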

Ransomware Protection

To keep up with the ever-evolving and ever-looming threat of ransomware, you need an effective anti-ransomware strategy, including principles and tools that:

  • Use an AI-driven sandbox to quarantine and inspect suspicious content
  • Inspect all TLS/SSL-encrypted traffic
  • Implement always-on protection by following off-network connections

Pairing modern solutions with a proactive defensive approach is widely regarded as the most effective ransomware protection model in today's cybersecurity playbook.

How Zscaler Can Help

Zscaler offers cloud native ransomware protection to secure organizations against ransomware through the Zscaler Zero Trust Exchange™, a platform that:

1. Uses AI-Driven Sandbox Quarantine

With an AI-driven sandbox quarantine built on a cloud native proxy architecture, files can be quarantined and fully analyzed before delivery, virtually eliminating the risk of patient zero infections. In contrast to legacy passthrough approaches, suspicious or never-before-seen files are guaranteed to be held for analysis and will not reach your environment.

A cloud native, AI-driven solution like Zscaler Cloud Sandbox (part of the Zero Trust Exchange) delivers benefits beyond those of legacy anti-malware solutions, including:

  • Complete control over quarantine actions with a granular policy defined by groups, users, and content type
  • Real-time security verdicts on unknown files powered by machine learning
  • Fast, secure file downloads, with any files identified as malicious marked for quarantine

2. Inspects All Encrypted Traffic

Zscaler operates a cloud native proxy architecture that lets you perform complete SSL inspection at scale without worrying about performance or expanding the processing power of costly appliances. 

Using a global cloud distributed across more than 150 data centers on six continents, SSL traffic can be thoroughly inspected for hidden ransomware threats with no dips in performance—even if user bandwidth dramatically increases.

3. Follows Off-Network Connections

The Zero Trust Exchange can deliver the two aforementioned strategies—AI-driven sandbox quarantine and complete SSL inspection—to users regardless of their location or device. Every connection over any network gets identical protection to uncover and thwart both known and unknown threats, keeping your organization free from patient zero ransomware infections.

This approach to preventing ransomware starts with user connections being secured. Off-network users simply add Zscaler Client Connector, our lightweight endpoint agent, to their laptops or mobile devices (with support for Android, iOS, macOS, and Windows) to enjoy the protection of the same security tools, policy enforcement, and access controls they would get in your headquarters.

Any way you slice it, ransomware attack prevention starts with zero trust and the Zero Trust Exchange.

 
