What is ransomware?

Learn more about ransomware, how it works, and how you can protect yourself and your business from this type of cyberattack.

Ransomware defined

Ransomware is a type of malicious software, or malware, that threatens a victim by destroying or blocking access to critical data or systems until a ransom is paid. Historically, most ransomware targeted individuals, but more recently, human-operated ransomware, which targets organizations, has become the larger and more difficult threat to prevent and reverse. With human-operated ransomware, a group of attackers uses their collective intelligence to gain access to an organization’s enterprise network. Some attacks of this kind are so sophisticated that the attackers use internal financial documents they’ve uncovered to set the ransom price.

Recent ransomware attacks

Unfortunately, mentions of ransomware threats in the news have become a common occurrence. In 2021 alone, ransomware attacks shot up by 935 percent. As you might imagine, the effects can be devastating. Here’s a look at some recent ransomware attacks and how they’ve affected organizations.

Kronos

Human resources (HR) giant Kronos was hit by a ransomware attack in December 2021, which affected the payroll and time-off system for clients using Kronos Private Cloud. Because so many organizations rely on Kronos for HR services, including New York City’s Metropolitan Transportation Authority, the George Washington University, and the Oregon Department of Transportation, the breach of personal data and employee information was no small matter.

Colonial Pipeline

In May 2021, U.S. fuel pipeline Colonial Pipeline shut down its services to prevent further breaches after a ransomware attack compromised thousands of its employees’ personal information. The effects were catastrophic and sent gas prices soaring throughout the East Coast, which relies heavily on Colonial Pipeline. Ultimately, the company paid a cryptocurrency ransom of $4.4 million to the criminal hacking group DarkSide; the FBI later seized about $2.3 million back.

Brenntag

German chemical distribution company Brenntag, like Colonial Pipeline, suffered a ransomware attack by DarkSide. In this attack, occurring in April 2021, DarkSide says that it was able to breach Brenntag’s network through stolen credentials purchased from an unnamed seller. The attack stole more than 6,000 individuals’ birth dates, Social Security numbers, and driver’s license numbers, as well as some medical data. After negotiating the original ransom down to $4.4 million, Brenntag paid.

JBS

The largest meat supplier in the world, JBS, became the target of a ransomware attack in May 2021 that affected its North American and Australian operations. After temporarily taking its website offline and halting production, JBS felt pressure to act to prevent the food supply chain from being interrupted and to avoid increasing food prices. JBS ended up paying an $11 million ransom in Bitcoin to cybercriminal group REvil.

How does ransomware work?

Ransomware attacks rely on seizing control of an individual’s or organization’s data or device(s) as a means of demanding money. In years past, social-engineered attacks were the most prevalent, but recently, human-operated ransomware has become popular with criminals because of the potential for a huge payout.

Social-engineered ransomware


These attacks use phishing—a form of deception in which an attacker poses as a legitimate company or website—to trick a victim into clicking a link or opening an email attachment that will install ransomware on their device. The attacks often feature alarmist messages that prompt a victim to act out of fear. For example, a cybercriminal might pose as a well-known bank and send an email alerting someone that their account has been frozen because of suspicious activity, urging them to click a link in the email to address the issue. Once they click the link, ransomware is installed.

Human-operated ransomware


Human-operated ransomware often begins through stolen account credentials. Once the attackers have gained access to an organization’s network in this way, they use the stolen account to determine the credentials of accounts with wider scopes of access and look for data and business-critical systems with the potential for high financial payoff. They then install ransomware on these sensitive data or business-critical systems, for example, by encrypting sensitive files so that the organization can’t access them until it pays a ransom. Cybercriminals tend to ask for payment in a cryptocurrency because of its anonymity.

These attackers target large organizations that can pay a higher ransom than the average individual, sometimes asking for millions of dollars. Because of the high stakes involved with a breach of this scale, many organizations opt to pay the ransom rather than have their sensitive data leaked or risk further attacks from the cybercriminals, even though payment does not guarantee the prevention of either outcome.

As human-operated ransomware attacks have grown, the criminals behind the attacks have become more organized. In fact, many ransomware operations now use a Ransomware as a Service model, meaning that a set of criminal developers create the ransomware itself and then hire other cybercriminal affiliates to hack an organization’s network and install the ransomware, splitting the profits between the two groups at an agreed-on rate.

Different types of ransomware attacks

Ransomware comes in two main forms: crypto ransomware and locker ransomware.

Crypto ransomware


When an individual or organization is the victim of a crypto ransomware attack, the attacker encrypts the victim’s sensitive data or files so that they can’t access them unless they pay the requested ransom. In theory, once the victim pays, they receive a decryption key to regain access to the files or data. Even if a victim pays the ransom, however, there’s no guarantee that the cybercriminal will send the decryption key or relinquish control. Doxware is a form of crypto ransomware that encrypts a victim’s personal information and threatens to reveal it publicly, usually with the goal of humiliating or shaming them into paying the ransom.

Locker ransomware


In a locker ransomware attack, a victim is locked out of their device and unable to log in. The victim will be presented with an on-screen ransom note explaining that they’ve been locked out and including instructions for how to pay a ransom to regain access. This form of ransomware typically doesn’t involve encryption, so once the victim regains access to their device, any sensitive files and data are preserved.

Responding to a ransomware attack

If you find yourself the victim of a ransomware attack, you do have options for recourse and removal.

Be cautious about paying the ransom


Although it might be tempting to pay the ransom in the hopes of making the problem just go away, there’s no guarantee that the cybercriminals will keep their word and grant you access to your data. Security experts and law enforcement agencies recommend that victims of ransomware attacks don’t pay the requested ransoms, because doing so could leave victims open to future threats and would actively support a criminal industry. If you’ve already paid, immediately contact your bank—it may be able to stop payment if you paid with a credit card.

Isolate the infected data


As soon as you’re able, isolate the compromised data to help prevent the ransomware from spreading to other areas of your network.

Run an antimalware program


Many ransomware attacks can be dealt with by installing an antimalware program to remove the ransomware. Once you’ve chosen a reputable antimalware solution, such as Windows Defender, be sure to keep it up to date and always running so you have protection against the latest attacks.

Report the attack


Contact your local or federal law enforcement agencies to report the attack. In the United States, these are your FBI local field office, the IC3, or the Secret Service. Although this step likely won’t solve any of your immediate concerns, it’s important because these authorities actively track and monitor different attacks. Providing them with details about your experience could be a useful piece of information in the bigger picture of finding and prosecuting a cybercriminal or a cybercriminal group.

Ransomware protection

With ransomware attacks higher than ever before and so much of people’s personal information contained digitally, the potential fallout from an attack is daunting. Thankfully, there are many ways to keep your digital life just that—your digital life, not someone else’s. Here’s how to gain peace of mind with proactive ransomware protection.

Install an antimalware program


The best form of protection is prevention. Many ransomware attacks can be detected and blocked with a trusted antimalware service, such as Microsoft Sentinel, Microsoft 365 Defender, or Microsoft Defender for Cloud. When you use an antimalware program, your device first scans any files or links that you attempt to open to help ensure they’re safe. If a file or website is malicious, the antimalware program will alert you and suggest that you not open it. These programs can also remove ransomware from a device that’s already infected.

Hold regular trainings


Keep employees informed about how to spot the signs of phishing and other ransomware attacks with regular training sessions. This will teach them not only safer practices for work but also how to be safer when using their personal devices.

Move to the cloud


When you move your data to a cloud-based service, like Azure Cloud Backup Service, Azure Block Blob Storage Backup, or Office 365 Backup and Recovery Services, you’ll be able to easily back up data for safer keeping. If your data is ever compromised by ransomware, these services help ensure that recovery is both immediate and comprehensive.

Adopt a Zero Trust model


A Zero Trust model evaluates all devices and users for risk before permitting them to access applications, files, databases, and other devices, decreasing the likelihood that a malicious identity or device could access resources and install ransomware. As an example, implementing multifactor authentication, one component of a Zero Trust model, has been shown to reduce the effectiveness of identity attacks by more than 99%. To evaluate your organization’s Zero Trust maturity stage, take our Zero Trust Maturity Assessment.

Join an information-sharing group


Information-sharing groups, frequently organized by industry or geographic location, encourage similarly structured organizations to work together toward cybersecurity solutions. The groups also offer organizations different benefits, such as incident response and digital forensics services, news about the latest threats, and monitoring of public IP ranges and domains.

Maintain offline backups


Because some ransomware will try to seek out and delete any online backups you may have, it’s a good idea to keep an updated offline backup of sensitive data that you regularly test to make sure it’s restorable if you’re ever hit by a ransomware attack. Unfortunately, maintaining an offline backup won’t fix the issue if you’ve been hit with a crypto ransomware attack, but it can be an effective tool to use in a locker ransomware attack.
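The paragraph above says an offline backup should be tested regularly to make sure it is restorable. The following Python script is an added example, not part of the original article and not a Microsoft tool: it records a SHA-256 manifest when the backup is taken, then runs a restore test that compares the restored files against that manifest and reports anything missing, altered, or unexpected. The sample files, directory names, and the tampering step are all constructed for the demonstration.

```python
"""Backup manifest creation and restore-test verification (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's relative POSIX path under root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, dest: Path) -> Path:
    """Copy the source tree into dest/data and store manifest.json beside it.

    The manifest is what every later restore test is checked against, so it
    should travel with the backup to the offline medium.
    """
    shutil.copytree(source, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(build_manifest(source), indent=2))
    return dest


def verify_restore(backup: Path, restored: Path) -> dict:
    """Restore test: compare a restored tree with the manifest saved at backup time."""
    expected = json.loads((backup / "manifest.json").read_text())
    actual = build_manifest(restored)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    extra = sorted(set(actual) - set(expected))
    return {
        "ok": not (missing or corrupted or extra),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
    }


def demo() -> tuple:
    """Constructed scenario: back up, restore, verify; then damage the restore and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "q1.csv").write_text("revenue,1000\n")  # constructed sample data
        (source / "notes.txt").write_text("constructed sample data\n")

        backup = make_backup(source, root / "backup")

        # A clean restore from the backup medium should match the manifest exactly.
        restored = root / "restored"
        shutil.copytree(backup / "data", restored)
        clean = verify_restore(backup, restored)

        # Simulate a bad restore: one file overwritten with unreadable bytes, one gone.
        (restored / "finance" / "q1.csv").write_bytes(b"\x00unreadable")
        (restored / "notes.txt").unlink()
        tampered = verify_restore(backup, restored)
        return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean restore:", clean_result)
    print("damaged restore:", tampered_result)
```

Run the restore test against a copy pulled from the offline medium, not against the live data: the point is to prove that the medium itself still yields every file with the same hash it had when the backup was taken. A non-empty `missing` or `corrupted` list means the backup cannot be relied on for recovery and should be regenerated.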

Keep software up to date


In addition to keeping any antimalware solutions updated (consider choosing automatic updates), be sure to download and install any other system updates and software patches as soon as they’re available. This helps minimize any security vulnerabilities that a cybercriminal might exploit to gain access to your network or devices.

Create an incident response plan


Just as having an emergency plan for how to exit your home if there’s a fire keeps you safer and more prepared, creating an incident response plan for what to do if you’ve been hit with a ransomware attack gives you actionable steps to take in different attack scenarios, so that you can get back to running normally and safely as soon as possible.

Frequently asked questions

Unfortunately, nearly anyone with an online presence can become the victim of a ransomware attack. Personal devices and enterprise networks are both frequent targets of cybercriminals.

Investing in proactive solutions, however, like threat-protection services, is a viable way to prevent ransomware from ever infecting your network or devices. Therefore, individuals and organizations with antimalware programs and other security protocols in place, such as a Zero Trust model, before an attack occurs are the least likely to become victims of a ransomware attack.

Traditional ransomware attacks occur when an individual is tricked into engaging with malicious content, such as opening an infected email or visiting a harmful website, which installs ransomware on their device.

In a human-operated ransomware attack, a group of attackers target and breach an organization’s sensitive data, usually through stolen credentials.

Typically, for both social-engineered ransomware and human-operated ransomware, a victim or organization will be presented with a ransom note that details the data that was stolen and the cost of having it returned. Paying the ransom, however, does not guarantee that the data will actually be returned or that future breaches will be prevented.

The effects of a ransomware attack can be devastating. At both the individual and organizational levels, victims could feel forced to pay high ransoms with no guarantee that their data will be returned to them or that further attacks won’t occur. If a cybercriminal leaks an organization’s sensitive information, its reputation could be tarnished and the organization seen as untrustworthy. And, depending on the type of information leaked and the size of the organization, thousands of individuals could be at risk of becoming victims of identity theft or other cybercrimes.

Cybercriminals who infect victims’ devices with ransomware want money. They tend to set ransoms in cryptocurrencies because of their anonymous and untraceable nature. In a social-engineered ransomware attack targeting an individual, the ransom may be hundreds or thousands of dollars. In a human-operated ransomware attack targeting an organization, the ransom could be millions of dollars. These more sophisticated attacks against organizations may use confidential financial information that the cybercriminals found when breaching the network as grounds for setting a ransom that they believe the organization can afford.

Victims should report ransomware attacks to their local or federal law enforcement agencies. In the United States, these are your FBI local field office, the IC3, or the Secret Service. Security experts and law enforcement officials recommend that victims do not pay ransoms—if you’ve already paid, immediately contact your bank and local authorities. Your bank may be able to block the payment if you paid with a credit card.