Ransomware attack: What is it and how does it work?

The definition of ransomware is rather straightforward — it is a type of malware that prevents a user or an organization from accessing files on their computer. Hackers use ransomware to lock or encrypt files on infected devices and to demand a ransom payment for the decryption key.

Usually, the motivation for a ransomware attack is financial gain, but sometimes, the main goal is to disrupt business operations to cause downtime and reputational harm.

According to the Threat Landscape 2022 report by the European Union Agency for Cybersecurity (ENISA), ransomware was the leading cyberthreat in 2021 and 2022. The worldwide statistics backs up these findings — in 2022, about 68% of cyberattacks reported worldwide were ransomware (with 155 million instances reported). It continues to be one of the main cyberthreats for companies and individuals.

A ransomware attack typically follows a specific sequence of steps to gain access to the victim’s files, encrypt them, and demand a ransom payment in exchange for the decryption key.

Ransomware typically uses asymmetric encryption, a cryptography technique that relies on a pair of keys for the encryption and decryption of files. A cybercriminal generates a pair of keys for the victim — a public and a private key. The private key for decrypting the files is stored on the attacker’s server. Ransomware developers use strong encryption algorithms that are nearly impossible for the victim to decrypt without the decryption key

Here’s how a ransomware attack typically works:

1. Research. The attacker gathers information about a potential target and identifies software vulnerabilities.
2. Infection. The criminal delivers ransomware to the victim’s system by tricking the unsuspecting individual into downloading a malicious file or clicking a link. Criminals achieve this through phishing attacks (phishing emails with infected attachments and links or spear phishing) or by exploiting software vulnerabilities. Attackers may also use social engineering techniques, such as disguising ransomware as software updates and luring individuals and organizations into downloading them.
3. Encryption. Once malicious software gains access to the victim’s computer or network, it starts encrypting files. Encrypted files become unreadable without a decryption key.
4. Expansion. Having entered the victim’s system, the attacker might explore the network to find other systems to compromise and spread the malicious software.
5. Ransom note. Once the ransomware has encrypted the files, it displays a ransom note on the infected computer screen. This note informs the victim that their files are locked and provides instructions on how to pay the ransom to receive the decryption key.
6. Ransom demand. The ransom note usually includes a demand for payment, often in cryptocurrency because it’s more difficult to trace. The criminals also set a deadline for the payment. The note might also include a threat to tamper with or destroy the encrypted data or the decryption key if the ransom payment is not delivered in time.
7. Payment (not recommended). Some ransomware victims might pay the hackers in hope to recover their files. However, there is no guarantee that the criminals will restore access to the files.

But what does ransomware do to the endpoint device? It encrypts valuable files on the device, making them inaccessible, and disrupts the device’s normal operation. If not detected in time, an active ransomware infection may spread to connected devices or networks.

Ransomware victims range from individuals to organizations and businesses. According to Statista’s global data on ransomware attacks, cybercriminals mostly target institutions and organizations that are mission critical, such as healthcare, finance, manufacturing, and government organizations. These entities typically have more valuable data, greater financial resources, and a higher likelihood of paying a significant ransom.

Businesses

Ransomware attackers target companies and corporations of various sizes knowing that these entities possess valuable data, customer information, and intellectual property that they will want to regain.

In 2020, the wearables and GPS navigation company Garmin suffered a crippling ransomware attack and were held to a $10 million ransom. In 2023, 72% of businesses worldwide were affected by ransomware attacks. This is the highest figure reported in the last five years, indicating a growth trend in ransomware attacks on businesses.

Healthcare organizations and critical infrastructure

In the eyes of cybercriminals, healthcare organizations store lucrative targets — highly sensitive and life-critical patient information, which makes attacks on hospitals lethal. In case of critical infrastructure, such as power grids and transportation systems, targeting them can cause widespread disruption.

As per the 2021 Internet Crime Report by the US federal Bureau of Investigation, health care was the most targeted industry by ransomware in 2021 in the US. Same year, the US Department of Health and Human Services reported that the average ransom demand against hospitals has been around $131,000.

Individuals and home users

Cybercriminals attack individuals as well because they too have sensitive personal information they need to recover, like financial information, family photos, or personal documents. Statistics on ransomware attacks on individuals is less definite as they are less likely to inform law enforcement.

Ransomware attacks cause companies financial, reputational, and legal damage. Even if the targeted organization does not pay a ransom, the expenses it incurs due to downtime and reputational damage can be significant.

Financial costs

Ransomware victims might suffer a severe financial impact if they decide to fulfill ransom demands. ENISA shares distressing data about the EU: the highest ransomware demand grew from €13 million in 2019 to €62 million in 2021 and the average ransom paid doubled from €71,000 in 2019 to €150,000 in 2020. According to Statista, in the second quarter of 2023, globally the average amount of ransom paid exceeded $740,000.

Even if the company does not pay a ransom, a ransomware infection usually causes costly downtime. J.P. Morgan quotes the Q3 2020 Claims Analysis Report from the US insurance company AIG which states that the typical outage length from US companies that suffered a ransomware attack in 2020 ranged from 7-10 days.

Aside from downtimes, the recovery process might also be lengthy and expensive. The company must investigate the breach, improve their cybersecurity defenses, and restore their systems and data. J.P.Morgan also shares IBM’s 2020 Annual Cost of a Data Breach Study which notes that the average cost of rectifying a ransomware attack, across all industries, was $1.27 million.

Reputational damage

Reputational damage is another critical consequence of ransomware attacks because these attacks erode public trust. Customers may lose confidence in the organization’s ability to protect their sensitive data, leading to a loss of business and potential long-term damage to the brand’s good name.

For example, in 2021, ransomware attackers robbed CNA Financial of a trove of data, including customer data, disrupting its business operations and damaging the company’s reputation. Even if hackers do not steal any sensitive data, the public disclosure of a ransomware attack can raise concerns among customers and partners about the organization’s cybersecurity resilience.

Legal and regulatory consequences

Ransomware infections may cause severe legal and regulatory consequences, such as fines and penalties for failing to protect sensitive data. Organizations must comply with data protection laws, such as the General Data Protection Regulation (GDPR) in Europe or the California Consumer Privacy Act (CCPA) in the United States.

Failure to report data breaches promptly and take appropriate security measures can lead to fines and lawsuits. For example, in 2018, British Airways suffered a data breach that affected approximately 500,000 customers. The company faced regulatory investigations and received a fine from the UK Information Commissioner’s Office (ICO) under GDPR regulations.

A successful ransomware prevention model involves proactive measures. These measures include:

• Regular data backups. The ransomware attack will not be effective if the victim maintains access to their data after the breach. This is why it’s important to have a secure data backup solution — so that the data lost to a ransomware attack is minimal or non-existent. It’s crucial that the backup data can’t be encrypted by the criminals. Make sure to store it in a read-only format, which can not be affected by ransomware. Keep the backup data offline or in a secure cloud environment, enabling versioning to retain multiple copies of files and periodically testing backups to confirm their integrity.
• Employee training and cybersecurity awareness. Regular cybersecurity awareness training helps to diminish your company’s vulnerability to ransomware. Instruct its employees to do the following:
  • Never click on suspicious links.
  • Never open suspicious or unexpected attachments.
  • Never reveal personal or sensitive data to unverified individuals.
  • Verify software legitimacy before downloading it.
  • Never use unknown USB drives.
  • Use a VPN when connecting to a public or unsecure Wi-Fi network.
• User authentication and access control. Implement secure user authentication methods, such as multi-factor authentication (MFA), and strong access controls. Enforce the principle of least privilege to limit user access to the minimum necessary for their job roles and restrict administrative access to only authorized personnel.
• Security software and patch management. Antivirus and antimalware software, endpoint detection and response solutions, email security gateways, and browser security extensions help prevent ransomware attacks. Timely software updates and patches fix software vulnerabilities that cybercriminals might exploit. Updates keep your security tools and operating system equipped with the latest threat intelligence, enhancing their ability to detect and block existing and new ransomware variants.

There are six main ransomware infection signs that should immediately draw your attention and encourage to take action:

• Inexplicable slowdown of computers and network activities. It’s one of the earliest signs of a ransomware attack. Ransomware begins its nasty work by scanning devices for file storage locations, which causes the slowdown. You might think the device slowed down because of many users depleting bandwidth, but take a closer look to determine the real reason.
• Suspicious changes to files, their names and locations. If files or entire folders are changed, unknown or unaccounted for files appear, or some files are without an extension, it may indicate a cyberattack.
• Unauthorized extraction of data. If files go missing, treat it as a sign of a potential breach and inspect it.
• Unrecognized and unwanted file encryption. If you notice encrypted files on your network that no one has knowledge of or accountability for, this should set off an alarm to act.
• A locked desktop. Some ransomware variants lock your entire desktop, preventing you from accessing your computer or files until you pay a ransom.
• A message flashing on the screen and informing about an attack. The most obvious indicator of a ransomware attack is the message on your computer screen informing you about the ransomware infection.

There are numerous ransomware families, each with its own set of ransomware variants. Here’s a list of most infamous ransomware variants that have caused the most damage in recent years:

1. WannaCry (or WanaCrypt0r). In 2017, the WannaCry ransomware variant rapidly spread like a computer virus across networks, exploiting a Microsoft Windows vulnerability known as EternalBlue. It infected hundreds of thousands of computers worldwide and hit the National Health Service (NHS) in the UK, causing damages of over £90 million.
2. Petya/NotPetya. While Petya was an older variant, NotPetya emerged in 2017 and was particularly destructive. It hit Windows computers in Europe and the US. Instead of just encrypting files, it would overwrite the master boot record to cause more systemic damage and permanently delete files.
3. Ryuk. Believed to be linked to the Lazarus Group in North Korea, Ryuk targets large businesses, hospitals, and law enforcement agencies for high-ransom payouts, mostly in Bitcoin. It has been responsible for multiple high-profile attacks, especially in the US.
4. GandCrab. Active between 2018 and 2019, GandCrab was one of the most prolific “ransomware as a service” (RaaS) strains. RaaS is a criminal business model where ransomware groups create ransomware and allow other individuals, even with little technical expertise, to carry out attacks using the ransomware for a percentage of the ransom payments.
5. REvil (or Sodinokibi). Another example of the “ransomware as a service” model, REvil has been responsible for several high-profile attacks, including the one on Kaseya in 2021. It’s an example of a double extortion model, in which criminals not only encrypt the victim’s data but also release it publicly if the victim does not pay up.
6. Dharma (or CrySiS). This ransomware targets Windows systems and has multiple variants. Crysis usually infiltrates systems through exposed remote desktop protocol (RDP) ports. It’s known for its frequent updates and the ability to evade detection.
7. Locky. Having emerged in 2016, Locky is one of the most widespread ransomware types, with variants and tactics still popping up to this day. Locky was distributed via malicious attachments. Typically, an attacked Word document would trick users into enabling macros, which would in turn let loose a trojan that would encrypt the victim’s files.
8. Cerber. This ransomware stood out for using text-to-speech to “read” its ransom note to victims. Its creators sold Cerber as software as a service (SaaS) to other cybercriminals for a percentage of their revenues.
9. Maze. Active throughout 2019 and 2020, Maze was the pioneer of the double extortion tactic. It spread through email phishing and spear phishing attacks.
10. NetWalker. NetWalker is another example of double extortion ransomware. It spread during the COVID-19 pandemic, mostly targeting organizations involved in pandemic response
11. DarkSide. One more example of “ransomware as a service,” DarkSide spread with hackers exploiting weaknesses in remote desktop protocols (RDP). This group claimed responsibility for the high-profile attack on Colonial Pipeline in May 2021, which resulted in significant fuel shortages in parts of the US.
12. GoodWill. First identified in 2022, GoodWill is modern ransomware that stands out for its goal — instead of a payment, the ransomware group demands its victims to perform an act of kindness for the poor.

If, despite all of your effort, you or your company are hit by a ransomware attack, you can take the following steps to handle the incident. Also, make sure it’s not simply scareware or other malware you are dealing with.

1. Isolate the infected system. Immediately disconnect the infected device from the network to prevent the ransomware from spreading.
2. Do not pay the ransom. There are no guarantees you receive the description key from the hackers, and paying them will only fuel their criminal activity.
3. Report the incident. Notify your organization’s IT or security team and your local law enforcement agencies to initiate an investigation. Inform relevant stakeholders, including employees, customers, and partners, about the incident and recovery efforts.
4. Assess the impact. Evaluate the scope of the attack, identifying which systems and data have been affected.
5. Ensure compliance with data breach notification laws and regulations.
6. Try to recover the data. Restore the affected files from backups unaffected by ransomware, if available.
7. Remove the ransomware from the system, patch up all vulnerabilities, and strengthen security measures.

Here are the steps both individuals and organizations can take to remove ransomware from their systems:

• Isolate the infected device(s). Disconnect the affected device(s) from any wired or wireless connections, including the internet, networks, mobile devices, flash drives, external hard drives, and cloud storage accounts to prevent the ransomware from spreading. Check if the connected devices have not been infected.
• Determine the type of ransomware. Knowing which ransomware strain affected your device can help to remove it. You might need to show your device to a cybersecurity professional or use a specific software tool for diagnosis.
• Remove the ransomware. Check if the ransomware is still on your device, because sometimes it deletes itself after a successful infection. If it’s still there, use an anti-malware or anti-ransomware software to quarantine or remove the malware. We advise you to get a security professional to help you locate and uninstall the ransomware file manually because it is a complicated task.
• Restore from backup. If you have clean and up-to-date backups, use them to restore your system to a state before the ransomware infection hit. Ensure that your backups are free from malware.

Is it possible to recover files after a ransomware attack?

It is possible to recover files after a ransomware attack if you have secure and up-to-date backups, unaffected by ransomware. You may also recover your files that have been encrypted by a ransomware strain for which a decryption tool exists. To get this tool, you will need to carry out an online search, contact law enforcement agencies, or contact cybersecurity companies providing ransomware removal services.

Ransomware attacks target individuals and organizations alike. Some ransomware strains might penetrate even the toughest cybersecurity defense — all it takes is one absent-minded click on a malicious attachment. So your best call is to educate yourself on safe online practices and react as soon as you notice the first signs of a potential attack.