Ransomware Cheat Sheet: Comprehensive Information For 2024

Ransomware is undeniably one of the most notorious security risks currently prevailing. Malefactors worldwide are requesting funds from victims by seizing control of their devices and data. This form of attack, where data is either encrypted or stated to be encrypted, and victims are urged to pay for the key to restore access, has been rapidly increasing since 2013 and is now one of the most prevalent kinds of malware.

The ransomware cheat sheet from TechRepublic is a summary of this malware menace. This manual will be periodically updated as new vulnerabilities and defenses emerge.

Understanding Ransomware

Ransomware is a form of malware assault distinguished by demanding control over devices – and consequently, locally saved data – in exchange for ransom, which victims normally pay in bitcoin or with alternative digital currencies. Advanced ransomware attacks utilize disk or file-level encryption, rendering file recovery impossible without adhering to the hackers’ ransom demands.

Traditionally, ransomware has utilized the façade of law enforcement entities to coerce victims into paying. These notifications frequently exhibited alerts bearing the FBI emblem and a notice claiming illicit file sharing had been identified on the system, inducing individuals to disburse a fine or face legal prosecution. As ransomware attacks have grown more prominent, assailants have begun producing payloads that unequivocally state that a device has been compromised, and that victims are required to remit funds to regain accessibility.

On the other hand, some attacks like the WhiteRose ransomware exhibit perplexing and scarcely coherent messages to unsuspecting victims regarding inconsequential matters, narrating idyllic scenes like a hacker “seated on a wooden chair near a bushy tree” with “a legible book” by William Faulkner in a garden in a remote location. Such an eccentric narrative may intensify a victim’s distress or even humanize the attacker, potentially heightening the likelihood of compliance with demands. It might also amplify media coverage or buy the attackers some time while victims attempt to comprehend the situation.

SEE: Identity theft protection policy (TechRepublic Premium)

Ransomware incursions are frequently disseminated through file-sharing networks and have also been circulated as part of a malvertising initiative on the Zedo advertising network, as well as through phishing emails camouflaging the payload as malevolently crafted images or as executable attachments in emails. WannaCry, one of the most renowned single ransomware attacks, exploits a flaw in Microsoft’s SMB protocol, rendering any unpatched, internet-connected computer susceptible to infection. Other assaults exploit unsecured Remote Desktop services by scanning the internet for susceptible systems.

The reported global cases of ransomware surged by over 27% between 2023 and 2024, as indicated by Thales. Another study from Chainalysis estimated that ransom payments exceeded $1 billion in 2023 for the first time. The U.K.’s National Cyber Security Centre contended that the number of ransomware attacks is not expected to dwindle due to the increased accessibility of generative AI. This technology could offer “capability lift” and lower the entry obstacle for assailants. Indeed, as businesses have commenced backing up their data to diminish the likelihood of a successful ransomware assault, attackers are progressively targeting the backups.

SEE: Ransomware’s Impact Could Encompass Heart Attacks, Strokes & PTSD

Significance of Ransomware

For cybercriminals, employing ransomware offers a straightforward route from development to monetary gain. Consequently, the proliferation of ransomware can be attributed to the simplified deployment facilitated by ransomware-as-a-service propositions and AI enhancement, along with a substantial return on investment relative to the effort exerted. Modern ransomware assaults emphasize the financial aspect, allowing cryptocurrency miners to leverage the processing capabilities of infected systems as they remain idle, awaiting ransom payment from victims.

Generally, ransomware assaults exploit well-known vulnerabilities, obviating the necessity for groundbreaking research by cybercriminals striving for swift earnings. The WannaCry attack provided a unique scenario – leveraging two exploits named EternalBlue and DoublePulsar. These exploits were uncovered and utilized by the NSA, with the revelation of these vulnerabilities being disclosed by The Shadow Brokers, a group attempting to vend access to a cache of vulnerabilities and hacking tools created by the U.S. government.

Ransomware assaults are typically highly lucrative for cybercriminals, as victims often pay the ransom irrespective of expert counsel. A report from cybersecurity company Sophos highlighted that, for the first time, over half of the organizations that succumbed to ransomware confessed to paying the ransom to retrieve their data in 2023. Targeted attacks may entail progressively escalating ransom requests, as malicious actors grow bolder in their endeavors to extort funds from victims.

“False” ransomware assaults, where attackers demand a ransom despite deleting files whether payment is made or not, have also become widespread. Among these, perhaps the most audacious yet futile attacks involve a KillDisk variant demanding a $247,000 ransom; however, the encryption key is neither stored locally nor remotely, rendering file decryption impossible even if the ransom were paid.

Principal Targets of Ransomware Attacks

While home users were traditionally the focus of ransomware assaults, business networks have become increasingly alluring to malefactors. Moreover, servers, healthcare facilities, and utilities (e.g., the Colonial Pipeline attack) have emerged as prominent targets for malign ransomware perpetrators.

Enterprises represent particularly enticing targets for these malware assaults due to their ample financial resources; nonetheless, these larger organizations are also more likely to possess resilient IT frameworks with recent backups to mitigate any harm and evade ransom payment.

In 2023, central and federal governments were targeted more frequently than any other industry, with 68% of organizations falling victim to ransomware, according to a report from the cybersecurity company Sophos. The same report shows the impact of ransomware attacks on sectors such as healthcare, utilities, higher education, financial services, and manufacturing. These attacks can lead to significant downtime in organizations, affecting a large number of individuals and providing cybercriminals with more leverage for their demands.

For strategies on protecting against ransomware-as-a-service attacks, visit this informative guide.

Famous ransomware attacks

CryptoLocker

Although ransomware attacks have been around since 1989, the widespread encrypting ransomware attack, CryptoLocker, emerged in September 2013. Victims initially faced a strict deadline to recover their files, with a later option to decrypt their systems for a high price of 10 BTC (equivalent to approximately $672,300 USD as of May 2024).

The original CryptoLocker creators are estimated to have made around $3 million USD, while imitators under the same name surfaced in the following years. The FBI reports that victims paid over $18 million USD between April 2014 and June 2015 to decrypt their files.

Locky

Locky, another early ransomware attack, exhibited an unusual pattern of disappearing and resurfacing at random intervals. Initially appearing in February 2016 and ceasing in December 2016, Locky briefly reappeared in January and April 2017, each iteration demonstrating refined capabilities. The distribution of Locky through the Necurs botnet shifted to the related Jaff ransomware, both of which erase themselves on systems using Russian language settings.

Learn more about ransomware attackers employing triple extortion tactics in this in-depth coverage from TechRepublic.

WannaCry

WannaCry, initiated on May 12, 2017, halted just three days later when a security researcher identified and registered the domain responsible for the payload’s command and control. The National Cyber Security Centre attributed the WannaCry attack to North Korea and estimated that it cost the U.K.’s NHS £92 million due to service disruptions.

a secret code. Immediately after that, a declaration in Russian was acquired by various cybersecurity companies indicating DarkSide decided to cease their operations. Several specialists mentioned that the ransomware gang BlackCat, which had previously ceased in March 2024, could be a potential rebranding of DarkSide.

SEE: Steps to avoid another Colonial Pipeline ransomware attack (TechRepublic)

BlackCat

The ransomware strain BlackCat, alternatively named ALPHV, was initially recognized by cybersecurity researchers towards the end of 2021. BlackCat stands out because it is coded in Rust, it often involves extortion tactics, and it chooses to expose victims’ data on a public leak site instead of the Dark Web. Some experts suspect that the group responsible for the ransomware is an offshoot of DarkSide and REvil, both of which disbanded in 2021.

By exploiting known security weaknesses or vulnerable account passwords, ALPHV infiltrates its targets and pressures organizations to pay the ransom by launching distributed denial-of-service attacks against them. The group also enjoys publicizing stolen files through a data leak search engine.

BlackCat was implicated in several prominent ransomware incidents between 2021 and its closure in 2024. In the third quarter of 2022, this ransomware variant hit 30 organizations, affecting real estate enterprises, consulting and professional services firms, consumer goods and industrial manufacturers, as well as tech companies.

In February 2022, the aviation services firm Swissport experienced file encryption, resulting in minor flight delays before the issue was resolved. However, shortly after, BlackCat shared samples of an alleged 1.6 TB of data stolen from Swissport and was prepared to sell it to the highest bidder. Subsequently in September, ALPHV claimed responsibility for targeting fuel pipeline operators, gas stations, oil refineries, and other providers of critical infrastructure.

SEE: Black Basta Ransomware Affected Over 500 Organizations Worldwide

LockBit

As per CISA, LockBit was the most widespread form of ransomware deployed globally in 2023. The distribution of LockBit ransomware could occur through compromised website links, phishing, credential theft, or other techniques. LockBit targeted over 2,000 victims since its emergence in January 2020, amassing over $120 million in total ransom payments.

The gang operated ransomware-as-a-service portals like a legitimate business, offering a data leak blog, a bug bounty program for identifying ransomware vulnerabilities, and routine updates. “Affiliates” who carried out attacks were supplied ransomware through the LockBit portals.

LockBit ransomware has been unleashed on organizations across diverse sectors, especially targeting manufacturing, semiconductor production, and healthcare. Furthermore, perpetrators utilizing LockBit have directed the ransomware at local entities, including the Royal Mail in the U.K.

In February 2024, the Cyber Division of the U.K. National Crime Agency, the FBI, and global associates successfully blocked access to LockBit’s website, which was functioning as a vast ransomware-as-a-service marketplace. A few days later, the group resumed operations at an alternate Dark Web address, and continues to take credit for worldwide ransomware attacks.

SEE: All of TechRepublic’s reference guides

How can enterprises safeguard themselves from a ransomware assault?

The threat intelligence provider Check Point Research offers the following recommendations to shield organizations and assets from ransomware.

  • Regularly back up all corporate data to mitigate the potential repercussions of a ransomware assault. In case of an incident, the ability to swiftly revert to a recent backup is crucial.
  • Ensure software is kept up to date with the latest security fixes to prevent attackers from exploiting known vulnerabilities to access the company’s system. Devices running outdated operating systems should be disconnected from the network.
  • Employ an automated threat detection system to pinpoint early indications of a ransomware attack, enabling timely response from the organization.
  • Deploy anti-ransomware tools that monitor software activities on a device for suspect behaviors often exhibited by ransomware. Upon detecting such activities, the tool can prevent further encryption and minimize damage.
  • Implement multi-factor authentication as a safeguard against unauthorized access to the organization’s system by individuals who have stolen an employee’s login information. Phishing-resistant MFA methods, such as smartcards and FIDO security keys, offer added security as mobile devices may also be compromised.
  • Adopt the principle of least privilege, ensuring that employees only have access to essential data and systems required for their roles. This restricted access would limit cybercriminals’ reach in case an employee’s account gets compromised, reducing potential harm.
  • Regularly inspect and oversee emails and files, and consider setting up an automated email security solution to block malicious emails that could lead to ransomware or data breaches from reaching end users.
  • Educate employees about proper cybersecurity practices to reduce risks stemming from the human attack vector. Being informed about cybersecurity helps the team in recognizing phishing attempts, thereby preventing ransomware attacks from being executed.
  • Refrain from paying the ransom if a business falls victim to ransomware. Cyber authorities discourage this action as there is no assurance that the attacker will honor their word, and paying the ransom may encourage subsequent attacks.
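The third and fourth recommendations above (automated threat detection and behaviour-based anti-ransomware tooling) rest on the observation that ransomware rewrites many files with encrypted, high-entropy content and renames them to an unfamiliar extension in a short burst. The following script, an added example that is not part of the TechRepublic guide or Check Point's recommendations, shows the core of such a detector: it scores file-activity events per process in a sliding time window and raises an alert when one process accumulates enough suspicious writes or renames. The event format, the process names (`winword.exe`, `enc.exe`), the file paths, the thresholds and the payload bytes are all constructed for the example; a real deployment would feed it from an EDR or file-system audit log.

```python
"""Toy behaviour-based ransomware detector over constructed file-activity events.

Added example, not code from the article or from any vendor. Event fields,
process names, paths and thresholds are assumptions chosen for illustration.
"""
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0     # sliding window per process (assumed value)
BURST_THRESHOLD = 5       # suspicious operations in the window before alerting
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted data sits close to 8.0

# Extensions the detector treats as ordinary document formats (assumed list).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "png", "tmp", "bak"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def _extension(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """One event looks ransomware-like if it writes high-entropy content
    or renames a file to an extension outside KNOWN_EXTENSIONS."""
    if event["action"] == "write":
        return shannon_entropy(event["data"]) >= ENTROPY_THRESHOLD
    if event["action"] == "rename":
        old_ext, new_ext = _extension(event["path"]), _extension(event["new_path"])
        return old_ext != new_ext and new_ext not in KNOWN_EXTENSIONS
    return False


def detect_bursts(events):
    """Return [(process, timestamp)] for each process whose suspicious events
    reach BURST_THRESHOLD within WINDOW_SECONDS; one alert per process."""
    windows = defaultdict(deque)   # process -> timestamps of suspicious events
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_suspicious(ev):
            continue
        q = windows[ev["process"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW_SECONDS:   # drop events outside the window
            q.popleft()
        if len(q) >= BURST_THRESHOLD and ev["process"] not in alerted:
            alerted.add(ev["process"])
            alerts.append((ev["process"], ev["ts"]))
    return alerts


# Constructed payloads: ordinary text versus bytes whose value distribution is
# uniform (every byte value appears equally often), which mimics ciphertext.
LOW_ENTROPY = b"Quarterly report draft: revenue up, costs flat.\n" * 20
HIGH_ENTROPY = bytes((i * 37 + 11) % 256 for i in range(1024))

# Constructed sample event log: a benign editor, then a process (name assumed)
# that rewrites and renames documents in quick succession.
SAMPLE_EVENTS = [
    {"ts": 1.0, "process": "winword.exe", "action": "write",
     "path": "C:/docs/report.docx", "data": LOW_ENTROPY},
    {"ts": 2.0, "process": "winword.exe", "action": "rename",
     "path": "C:/docs/report.docx.tmp", "new_path": "C:/docs/report.docx"},
    {"ts": 100.0, "process": "enc.exe", "action": "write",
     "path": "C:/docs/a.docx", "data": HIGH_ENTROPY},
    {"ts": 100.1, "process": "enc.exe", "action": "rename",
     "path": "C:/docs/a.docx", "new_path": "C:/docs/a.docx.locked"},
    {"ts": 100.2, "process": "enc.exe", "action": "write",
     "path": "C:/docs/b.xlsx", "data": HIGH_ENTROPY},
    {"ts": 100.3, "process": "enc.exe", "action": "rename",
     "path": "C:/docs/b.xlsx", "new_path": "C:/docs/b.xlsx.locked"},
    {"ts": 100.4, "process": "enc.exe", "action": "write",
     "path": "C:/docs/c.pdf", "data": HIGH_ENTROPY},
    {"ts": 100.5, "process": "enc.exe", "action": "rename",
     "path": "C:/docs/c.pdf", "new_path": "C:/docs/c.pdf.locked"},
    {"ts": 100.6, "process": "enc.exe", "action": "write",
     "path": "C:/docs/README_DECRYPT.txt", "data": LOW_ENTROPY},
]


def run_sample():
    """Run the detector over the constructed log; returns the alert list."""
    return detect_bursts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for process, ts in run_sample():
        print(f"ALERT: {process} showed ransomware-like file activity at t={ts}")
```

The benign editor never trips the detector: its content is low-entropy text and its rename moves a temporary file to a known document extension. The burst from the second process crosses the threshold on its fifth suspicious operation, which is where a real tool would suspend the process and preserve the remaining files, the "prevent further encryption and minimize damage" step in the recommendation. Tuning matters: compression tools and backup agents also write high-entropy data, so production rules combine this signal with process reputation, the rate across many files, and ransom-note drops rather than relying on entropy alone.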

Moreover, businesses can turn to the No More Ransom project. This initiative, involving Europol, the Dutch National Police, Kaspersky Lab, and McAfee, offers victims of ransomware infections decryption tools to eliminate ransomware for over 80 variants of widespread ransomware strains, including GandCrab, Popcorn Time, LambdaLocker, Jaff, CoinVault, and many others.
