
What Are Ransomware Attacks?

Ransomware is a type of malware (malicious software) that “locks” a system or encrypts files, making the data inaccessible until a victim pays a specified amount of money, usually in cryptocurrency. Once the ransom payment is made, the victim is supposed to receive a decryption key to regain access to files and systems.

These attacks have quickly become a preferred method of extortion for cybercriminals. As organizations hold larger amounts of sensitive data—and as remote and hybrid work models expose endpoints to new vulnerabilities—attackers are taking advantage of this effective cybercrime method.

Ransomware attacks have become so pervasive that the FBI is stepping in to give guidance on how to prevent them. The problem is that ransomware and the groups who use it are constantly evolving to become more adept at avoiding typical detection methods such as anti-malware and antivirus.

What Happens During a Ransomware Attack?

A typical ransomware attack happens in four phases.

The first phase, delivery, is usually carried out by a phishing email designed to entice a user to open it. The email often appears to be from a trusted source, such as a well-known brand. Shipping companies, banks, and large retailers are commonly “spoofed” in phishing emails with messages about a delay in delivery, fraudulent purchases, low balance, and so on.

These emails are designed to look like they’re from familiar senders, but they include malicious files such as PDFs or Google Drive links. These files contain malware loaders that, once the file is opened, drop the malicious content onto the victim’s system and set up the attack.

In the next phase, exploitation, the attack spreads once the malware has been successfully loaded. This phase typically begins when the recipient opens the email attachment, which delivers the malware to the device.

If the infected device is on a network, the malware identifies the domain controller with which the device is communicating. Once identified, it steals credentials, allowing it to move throughout the network and infect other devices.

The next phase is the callback, in which the malware payload attempts to communicate with its command-and-control (C&C) servers, the same infrastructure to which stolen data is later sent.

The C&C servers then send the payload instructions on how to carry out the final phase: detonation. During this phase, the malware steals data and installs the ransomware, encrypting and locking the system or data so an individual or company can’t access it. The victim typically has a limited amount of time to pay the ransom before the data is lost forever, and sometimes, the ransom demands increase in the hours before the payment is due.

If the ransom is paid, victims are supposed to get a decryption key that allows them to retrieve their data, but they don't always get the key—and even when they do, it doesn't always work.

In recent attacks, some criminals have begun stealing the data before encrypting it, and then threatening to expose it. This way, even if victims have good backups, they're more likely to pay the ransom.
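The detonation phase described above has a recognizable footprint on an endpoint: many files are rewritten in a short burst with near-random (encrypted) content, often renamed to an unfamiliar extension. The following is an added example, not code from this page or from Zscaler, showing how a defender might flag that burst. It replays a constructed stream of file-write events (a quiet period of ordinary document saves, then a mass-encryption burst) through a sliding-window detector. The event format, the entropy and count thresholds, and the extension allow-list are all assumptions chosen for illustration.

```python
"""Toy detector for the mass-encryption (detonation) phase of a ransomware attack.

Added example; the event model and thresholds below are assumptions, not a
product's real telemetry schema.
"""
import math
import os
import random
from collections import deque
from dataclasses import dataclass
from typing import Iterable, Optional

ENTROPY_THRESHOLD = 7.5   # bits per byte; plain documents sit near 4-5, ciphertext near 8 (assumed cut-off)
WINDOW_SECONDS = 60.0     # sliding window length (assumed)
ALERT_COUNT = 20          # suspicious writes inside one window before alerting (assumed)
# Extensions we expect to see written during normal work; a rename to anything
# else on the same write is treated as a strong encryption signal (assumed list).
EXPECTED_EXTS = {".txt", ".csv", ".docx", ".xlsx", ".pdf", ".jpg"}


@dataclass
class FileEvent:
    """One file write as a hypothetical endpoint sensor might report it."""
    ts: float                         # seconds since monitoring started
    path: str                         # file that was written
    content: bytes                    # bytes written (sensor sample)
    renamed_to: Optional[str] = None  # new name if the write included a rename


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-symbol input, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious(ev: FileEvent) -> bool:
    """High-entropy content alone is a weak signal (zip, jpg and already-encrypted
    files look the same), so require it together with a rename to an unexpected
    extension, which ordinary applications rarely do."""
    high_entropy = shannon_entropy(ev.content) >= ENTROPY_THRESHOLD
    renamed = (ev.renamed_to is not None
               and os.path.splitext(ev.renamed_to)[1].lower() not in EXPECTED_EXTS)
    return high_entropy and renamed


class DetonationDetector:
    """Counts suspicious writes in a sliding time window."""

    def __init__(self) -> None:
        self.window: deque[float] = deque()

    def observe(self, ev: FileEvent) -> bool:
        """Return True at the event that pushes the window over ALERT_COUNT."""
        if not is_suspicious(ev):
            return False
        self.window.append(ev.ts)
        while self.window and ev.ts - self.window[0] > WINDOW_SECONDS:
            self.window.popleft()
        return len(self.window) >= ALERT_COUNT


def first_alert(events: Iterable[FileEvent]) -> Optional[float]:
    """Replay events in order; return the timestamp of the first alert, or None."""
    detector = DetonationDetector()
    for ev in events:
        if detector.observe(ev):
            return ev.ts
    return None


def constructed_events() -> list[FileEvent]:
    """Constructed sample stream: 30 ordinary text saves over five minutes,
    then 25 documents rewritten with random bytes and renamed to .locked
    within about twelve seconds (this mimics the detonation phase)."""
    rng = random.Random(1)  # seeded so the sample is reproducible
    events = [
        FileEvent(ts=i * 10.0, path=f"/home/user/notes{i}.txt",
                  content=b"quarterly report draft " * 40)
        for i in range(30)
    ]
    events += [
        FileEvent(ts=300.0 + i * 0.5, path=f"/home/user/doc{i}.docx",
                  content=rng.randbytes(4096),
                  renamed_to=f"/home/user/doc{i}.docx.locked")
        for i in range(25)
    ]
    return events


if __name__ == "__main__":
    print("first alert at t =", first_alert(constructed_events()))  # 309.5
```

The quiet period never trips the detector because plain text has low entropy and nothing is renamed; the burst trips it at the 20th encrypted-and-renamed write, roughly ten seconds in, which is the window in which an automated response (isolating the host, killing the writing process) still limits how much data is lost. Production sensors would key the window by process and user rather than globally, and would treat canary files or volume-shadow-copy deletion as further signals.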


How Have Ransomware Attacks Evolved?

Ransomware may be the tool of choice among today’s cybercriminals, but it’s not new. In fact, it’s been around in various forms for decades.

The first known ransomware was introduced in 1989 by Dr. Joseph Popp. He mailed floppy disks titled "AIDS Information Introductory Diskette" to World Health Organization AIDS conference attendees in Stockholm. These disks contained malicious code that installed itself onto MS-DOS systems and began counting the number of times users started up their machines.

On the 90th time, Dr. Popp’s trojan hid all the directories and encrypted all the files on the drive, making them unusable. Victims then saw a note claiming to be from PC Cyborg Corporation stating that the owner’s software lease had expired and that they had to send $189 to an address in Panama to regain access.

The next wave of ransomware-style cyberattacks was dubbed "scareware." Users would receive a warning about a catastrophic error on their computer, followed by a command to pay for and download software to clean or fix their device. Of course, the software was merely more malware designed to steal information from the computer.

As file sharing became more popular, another common form of ransomware developed, dubbed the Police Locker attack. Often hidden on peer-to-peer download sites or websites hosting pirated or adult material, this attack would change the user's desktop to display a note claiming that law enforcement had locked the computer due to suspected illegal activity.

Fear led many victims to pay a few hundred dollars to have their computers unlocked. However, in many of these attacks, the locker could have been removed by simply restarting the system.

Consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network.

Cybersecurity and Infrastructure Security Agency

Types/Examples of Ransomware Attacks

Among the myriad types of ransomware and ransomware groups, some of the most common and well-known are:

  • GandCrab: According to VirusTotal’s Ransomware in Global Context report, this family has been the most prevalent in ransomware attacks since 2020, with 78.5% of the samples taken for the report coming from this family.
  • REvil: This group is notorious for stealing large quantities of information in the legal and entertainment industries as well as the public sector. They first made headlines in May 2020, but carried out successive attacks each month from March to October 2021, including the Kaseya VSA attack.
  • WannaCry: A ransomware cryptoworm that targets the Microsoft Windows operating system, it has impacted more than 300,000 systems (and counting) worldwide since its release in 2017.
  • Ryuk: This strain of ransomware has been tied to a number of groups that have impacted industries such as healthcare, the public sector, and education, particularly US school systems.
  • DarkSide: Associated with the DarkSide ransomware group, this variant was responsible for the Colonial Pipeline attack in 2021 and is one of the most noteworthy examples of double extortion ransomware. This variant is typically offered as ransomware as a service.
  • Evil Corp: This group is responsible for Dridex, a type of malware deployed through phishing emails that’s known for stealing banking credentials. It has since been associated with other types of ransomware such as WastedLocker, BitPaymer, and DoppelPaymer.
  • Maze: This variant was first found in May 2019 and used in a ransomware attack on Cognizant, which caused service disruptions for some of its clients.


The Link Between Ransomware and Cryptocurrency

In the beginning, ransom demands were typically a few hundred dollars because the targets were still mostly home users. Victims of ransomware would pay with standard currency, meaning the criminals responsible had a much greater chance of being identified.

The rise of cryptocurrencies—digital currencies based on anonymity and encryption—has seen a reversal of fortune for these attackers. Cryptocurrencies such as bitcoin make transactions nearly impossible to trace, allowing bad actors to cover their tracks.

In some recent cases of ransomware attacks, the victim organizations have paid huge amounts to the attackers, which can be one of the reasons these attacks are getting more popular.

Paul Webber, Senior Director Analyst, Gartner

Paying ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised.

Cybersecurity and Infrastructure Security Agency

Ransomware as a Service (RaaS)

Ransomware as a service is a byproduct of ransomware's popularity and success. Like many legal SaaS offerings, RaaS tools are usually subscription-based. They're often inexpensive and readily available on the dark web, providing a platform for anyone—even those without programming skills—to launch an attack. If a RaaS attack is successful, the ransom money is divided between the service provider, the coder, and the subscriber.


Should You Pay the Ransom?

This is the age-old question when it comes to ransomware. To pay, or not to pay?

Of course, many organizations are willing to pay given the risk of their data being exposed, but is that the right way to handle the situation? Gartner data says that “80% of (organizations who pay) suffer another ransomware attack.” Perhaps it’s not a best practice to pay, but what’s the alternative—letting the bad actors expose your data to the world?

Unfortunately, there’s no definite correct answer. Gartner analyst Paul Proctor effectively asserts that it’s up to you: “It comes down to when business outcomes are impacted by the lack of the stolen data. The organization must weigh if the business loss is worth rolling the dice on making a payment.”


So, What’s the Outlook?

Gartner has named “new ransomware models” as the top risk organizations face. According to the firm's Emerging Risks Monitor Report, concerns about ransomware have become even greater than those about the pandemic.

If it wasn’t clear before, it’s clear now—you need to know not only how to prepare for a ransomware attack, but how to prevent one altogether.

Stopping every ransomware attack that comes your way is impossible, but through rigorous due diligence, awareness training, and with the right technology, you can minimize the threat these attacks pose to your business.


Ransomware Protection

To keep up with the ever-evolving and ever-looming threat of ransomware, you need an effective anti-ransomware strategy, including principles and tools that:

  • Use an AI-driven sandbox to quarantine and inspect suspicious content
  • Inspect all TLS/SSL-encrypted traffic
  • Implement always-on protection by following off-network connections

Pairing modern solutions with a proactive defensive approach is widely regarded as the most effective ransomware protection model in today's cybersecurity playbook.


How Zscaler Can Help

Zscaler offers cloud native ransomware protection to secure organizations against ransomware through the Zscaler Zero Trust Exchange™, a platform that:

1. Uses AI-driven sandbox quarantine

With an AI-driven sandbox quarantine built on a cloud native proxy architecture, files can be quarantined and fully analyzed before delivery, virtually eliminating the risk of patient zero infections. In contrast to legacy passthrough approaches, suspicious or never-before-seen files are guaranteed to be held for analysis and will not reach your environment.

A cloud native, AI-driven solution like Zscaler Cloud Sandbox (part of the Zero Trust Exchange) delivers benefits beyond those of legacy anti-malware solutions, including:

  • Complete control over quarantine actions with a granular policy defined by groups, users, and content type
  • Real-time security verdicts on unknown files powered by machine learning
  • Fast, secure file downloads, with any files identified as malicious marked for quarantine

2. Inspects all encrypted traffic

Zscaler operates a cloud native proxy architecture that lets you perform complete SSL inspection at scale without worrying about performance or expanding the processing power of costly appliances.

Using a global cloud distributed across more than 150 data centers on six continents, SSL traffic can be thoroughly inspected for hidden ransomware threats with no dips in performance—even if user bandwidth dramatically increases.

3. Follows off-network connections

The Zero Trust Exchange can deliver the two aforementioned strategies—AI-driven sandbox quarantine and complete SSL inspection—to users regardless of their location or device. Every connection over any network gets identical protection to uncover and thwart both known and unknown threats, keeping your organization free from patient zero ransomware infections.

This approach to preventing ransomware starts with securing user connections. Off-network users simply add Zscaler Client Connector, our lightweight endpoint agent, to their laptops or mobile devices (with support for Android, iOS, macOS, and Windows) to get the same security tools, policy enforcement, and access controls they would get at your headquarters.

Any way you slice it, ransomware attack prevention starts with zero trust and the Zero Trust Exchange.