
What Is Ransomware?

Ransomware is a form of malware (malicious software) that encrypts a victim's data (sometimes also stealing it) and holds it for ransom, usually demanded in cryptocurrency such as bitcoin. Ransomware attacks most often encrypt files, denying victims access to their data unless the victims pay by a deadline—after which they can lose access to the encrypted data permanently. Payment demanded for a decryption key can range from hundreds to millions of dollars.

The History of Ransomware and an Increase in Attacks

Though cybercriminals have been using ransomware attacks for more than 30 years, there has been a significant uptick in recent years. According to the FBI, ransomware attacks started picking up in 2012, and show no sign of slowing.

In the past, ransomware attacks that locked down a user’s files or computer could be easily reversed by a trained professional. But in recent years, these attacks have become more sophisticated and, in many cases, have left the victims with little choice but to pay the ransom demands or lose their data forever.

A recent and notable change in many ransomware family variants is the addition of a data exfiltration feature. This new feature allows cybercriminals to exfiltrate sensitive data from victim organizations before encrypting the data. This exfiltrated data is like an insurance policy for attackers: even if the victims have good data backups, they’ll make the ransom payment to avoid having their data exposed.

Due to the capacity limitations of legacy security technologies such as next-generation firewalls, most organizations do not have the ability to inspect all encrypted traffic traveling to and from endpoints. Attackers know this, so they are increasingly using encryption to hide their malicious code inside links and attachments.

The best way to avoid being exposed to ransomware—or any type of malware—is to be a cautious and conscientious computer user. Malware distributors have gotten increasingly savvy, and you need to be careful about what you download and click on.

US Federal Bureau of Investigation (FBI)

How Ransomware Works

A ransomware infection is most commonly spread by phishing emails and ads with infected links or a planted website embedded with malware. These scams often appear as though they have been sent from a legitimate organization or someone known to the victim (in targeted attacks), tricking the user into clicking on a malicious link or opening a malicious attachment which deploys the ransomware payload onto the machine.

In ransomware attacks on an individual, documents, photos, and financial information are most commonly locked and held hostage. While individuals might be an easier target, corporations—especially larger organizations—are far more attractive. If hackers can get just one employee to download the malware, it can then spread from that victim’s computer or mobile device onto the network, where the stakes are much higher. Not only can an attack disrupt business, but the threat of data loss or exposure could be devastating and costly in dollars and in company reputation.

The economic and reputational impacts of ransomware incidents, throughout the initial disruption and, at times, extended recovery, have also proven challenging for organizations large and small.

US Cybersecurity & Infrastructure Security Agency

Types/Examples of Ransomware Attacks

Among the myriad types of ransomware and ransomware groups, some of the most common and well-known are:

  • CryptoLocker: In 2014, CryptoLocker malware was largely neutralized by an international collaboration of security companies and law enforcement. However, as a result of its success, a slew of CryptoLocker copycats has since appeared.
  • GandCrab: According to VirusTotal’s Ransomware in Global Context report, this family has been the most prevalent in ransomware attacks since 2020, with 78.5% of the samples taken for the report coming from this family.
  • REvil/Sodinokibi: This group is notorious for stealing large quantities of information in the legal and entertainment industries as well as the public sector. They first made headlines in May 2020, but carried out successive attacks each month from March to October 2021, including the Kaseya VSA attack.
  • WannaCry: A ransomware cryptoworm that targets the Microsoft Windows operating system, it has impacted more than 300,000 systems (and counting) worldwide since its release in 2017.
  • Ryuk: This strain of ransomware has been tied to a number of groups that have impacted industries such as healthcare, the public sector, and education, particularly US school systems.
  • Evil Corp: This group is responsible for Dridex, a type of malware deployed through phishing emails that’s known for stealing banking credentials. It has since been associated with other types of ransomware such as WastedLocker, BitPaymer, and DoppelPaymer.

These are but a few of the most noteworthy examples of ransomware; new ransomware variants are born every day, each one designed to exploit a variety of attack vectors. So, how safe are you against ransomware attacks? Run a free Internet Threat Exposure Analysis to find out.

Ransomware is less about technological sophistication and more about exploitation of the human element. Simply, it is a digital spin on a centuries-old criminal tactic.

Institute for Critical Infrastructure Technology

Ransomware as a Service (RaaS)

Ransomware as a service is a byproduct of ransomware's popularity and success. Like many legal SaaS offerings, RaaS tools are usually subscription-based. They're often inexpensive and readily available on the dark web, providing a platform for anyone—even those without programming skills—to launch an attack. If a RaaS attack is successful, the ransom money is divided between the service provider, the coder, and the subscriber.

Ransomware Prevention Best Practices

While some organizations are investing in cybersecurity insurance to help cover costs in the event of a cyberattack or data breach, the best course of action when it comes to ransomware is prevention. To protect your organization from ransomware, CISA (the Cybersecurity & Infrastructure Security Agency) and the FBI recommend the following:

  • Back up computers, so you can restore your system to its previous state using your backups.
  • Store backups separately, such as on an external hard drive or in the cloud, so they cannot be accessed from a network.
  • Update and patch computers to negate vulnerabilities in applications and operating systems.
  • Train employees with ongoing, mandatory cybersecurity awareness sessions to ensure they are aware of current cyberthreats and security best practices. Be sure they are cautious with email—even from senders they know, verifying the sender’s legitimacy before opening any email attachments or clicking links.
  • Create a continuity plan for remediation in the event your organization becomes the victim of a ransomware attack.
  • Use anti-malware and/or antivirus software to assist users in stopping threats before they can wreak havoc.
  • Implement strong authentication measures using zero trust to prevent hackers from breaching your network, applications, and data.

The Best Technological Defenses

Modern ransomware defense technology is not only highly effective but also easy to deploy. Sufficient ransomware protection begins with adopting a security posture that’s natively built in the cloud to protect users, applications, and sensitive data from these attacks, regardless of where users connect or what devices they’re using.

To keep up with today’s most common ransomware threats, a prevention strategy must incorporate the following principles and tools to prevent these attacks from exposing your data, disrupting your business, or costing your organization time and money:

  • Use an AI-driven sandbox quarantine to hold and inspect suspicious content before allowing it to pass through to the recipient
  • Inspect all SSL/TLS-encrypted traffic to ensure there are no hidden threats
  • Implement always-on protection for users on and off the network

No company, large or small, is safe from ransomware without a dedicated security defense. Avoid becoming the next victim of ransomware, or the next organization in the news as a result of an attack.

Strengthen Your Ransomware Protection Strategy Today

As research and headlines show, ransomware isn’t going anywhere. Zscaler has already helped thousands of customers prevent ransomware and countless other cyberattacks from reaching their networks with unparalleled scalability and superb user experiences.

Ready to protect your organization from advanced ransomware? Learn more about Zscaler Ransomware Protection.

FAQs

How Do Ransomware Attacks Work?

A typical ransomware attack happens in four phases. Delivery—a phishing email is sent to entice a user to open it, launching an attack. Exploitation—the attack spreads once the malware has been successfully loaded. Callback—the malware payload attempts to communicate with its command-and-control (C2) servers where the stolen data is sent. Detonation—the malware steals data and installs the ransomware, encrypting and locking the system or data so an individual or company can’t access it.

Should You Pay the Ransom?

Unfortunately, there’s no definite correct answer. Gartner analyst Paul Proctor effectively asserts that it’s up to you: “It comes down to when business outcomes are impacted by the lack of the stolen data. The organization must weigh if the business loss is worth rolling the dice on making a payment.”

What Are the Effects of Ransomware on Businesses?

You only need to check the news every other day to understand how ransomware is impacting businesses across all industries. But, in case you’ve been living under a rock, here are some of the ways in which ransomware can hurt your bottom line: you can (and will) lose money and/or data, your business’ reputation will suffer, and you may even face legal repercussions.