What Is Ransomware?

Ransomware is a type of malware (i.e., malicious software) that locks a victim’s device or encrypts their data until they pay a ransom. To regain access or decrypt data, victims need a private decryption key, usually delivered with a decryptor tool, that is normally known only to the attacker.

Many modern ransomware variants can also exfiltrate data from victims at the same time as denying them access. This capability is known as “double extortion.” It allows cybercriminals to threaten victims with the release of sensitive stolen data unless they pay up. Some cybercrooks may go even further, contacting and blackmailing a victim’s clients or customers with data exposure (i.e., “triple extortion”).

In the past, ransomware posed a threat only to individual devices. Modern ransomware creates risks for entire companies. Commonly used ransomware strains can spread throughout victims’ networks to shared servers, connected devices, drives, and other accessible systems. 

Ransomware attacks have crippled health services, shut down local governments, and devastated thousands of companies in sectors ranging from finance to utilities to retail. When faced with a ransom, most businesses pay up. In 2021, 82% of UK business ransomware victims paid a ransom.

Every company that relies on IT systems to function or processes customer and client data is a potential target for a ransomware attack. Avoiding ransomware is virtually impossible, no matter how well protected you think you are.

Following best practices on how to avoid a ransomware infection is not enough to mitigate ransomware risk in 2022. Human-operated ransomware strains can persist in an infected device for weeks or even months. It can be impossible to detect and stop a ransomware threat without powerful telemetry-based tools like SenseOn’s automated detection and response platform in place.

How Does Ransomware Work?

The ransomware kill chain consists of five stages:

  1. Initial access. Attackers typically use one of four ways to gain access to a victim’s systems: phishing campaigns with malicious attachments, credential stuffing/reuse, vulnerability exploitation, or trojanised software (for example, a legitimate-looking app that contains malicious code).

  2. Reconnaissance & lateral movement. Once inside a connected device, attackers use compromised credentials to explore and map their victims’ networks. Their goal is to gain access to critical servers, deploy ransomware, and find sensitive data.

  3. Exfiltration. Attackers scan for sensitive files they can exfiltrate to blackmail their victims. Cybercriminals are especially interested in client and project data, finance documents, accounting information and personally identifiable information (PII) records.

  4. Deployment. Attackers encrypt/destroy backups and test ransomware on one or two systems before deploying it across the network.

  5. Extortion. Attackers attempt to extort their victims, creating a sense of urgency and entering into negotiations if needed.

What Is Ransomware-as-a-Service?

Ransomware-as-a-Service (RaaS) is a subscription-based business model where ransomware operators rent out already-developed ransomware tools to affiliates. Affiliates usually pay a one-time licensing fee, a flat monthly subscription fee, or share a percentage of their profits with RaaS operators. 

Described by the New York Times as a “tightly organised, highly compartmentalised business,” RaaS distributors generally give affiliates 24/7 customer support, feature updates, and access to communities. Some RaaS distributors even provide customers with detailed instructions on how to launch an attack. 

Examples of RaaS attacks include the Colonial Pipeline attack (attributed to the RaaS group DarkSide) and the Kaseya ransomware attack (attributed to the REvil RaaS operation).

What Is Targeted Ransomware?

Also known as human-operated ransomware or hands-on keyboard attacks, targeted ransomware does not spread automatically. Rather, these types of attacks are executed and controlled by skilled cybercriminals. 

In a hands-on keyboard attack, threat actors gain access to a business’s IT environment by exploiting network vulnerabilities and use compromised administrator accounts to disable security controls and deploy ransomware.

DoppelPaymer and Ryuk are two commonly encountered strains of human-operated ransomware.

Types of Ransomware

Popular types of ransomware include:

  • Encrypting ransomware or crypto-ransomware encrypts data on a victim’s computer (or other device types).

  • Screen lockers lock victims out of their devices so that they can’t access their files or data.

  • Leakware or extortionware steals data and threatens to publish the victim’s sensitive information if a ransom is not paid.

Brief History of Ransomware

Ransomware is not a new technology. The first-ever case of ransomware was documented in 1989. Back then, the biologist Joseph Popp spread the AIDS Trojan (also known as PC Cyborg) via 20,000 infected discs titled "AIDS Information Introductory Diskette."

The ransomware, sent to scientists and researchers in 90 countries, counted how many times a computer was booted, encrypting files in the C: directory when it hit 90. Victims were then told to make a payment to a PO box in Panama.

Up until the early 2010s, ransomware attackers focused on individual devices or users. However, as ransomware technology developed and digital currency made large, anonymous ransom payments possible, ransomware groups began to target corporate networks.

Why Has Ransomware Become So Widespread?

Ransomware’s rise is the result of several developments:

  • Cryptocurrencies. Although not necessarily untraceable, cryptocurrencies like Bitcoin provide criminals with a fast, efficient, and easily verifiable way of receiving payments. 

  • Digitisation. The COVID-19 pandemic led to more people and companies relying on digital services as many individuals shifted to working/learning remotely. In many cases, employees now work away from secure networks at least some of the time.

  • Ransomware-as-a-Service. In the past, criminals needed deep technical knowledge to develop and execute cyberattacks. Today, the rise of RaaS means that even low-skilled hackers can launch advanced attacks.

  • Ransomware pay-outs. In 2021, ransomware affected 80% of organisations worldwide. Of these, 60% paid a ransom. Many organisations see paying a ransom as the easiest way to resume operations. However, until businesses stop playing by the attackers’ rules, ransomware will remain a problem.

Who Is at Risk from Ransomware?

Today, every business, organisation, or public sector body is at risk from ransomware. Size and industry do not matter. That being said, although every organisation is vulnerable, some are still more vulnerable than others. 

Here is a shortlist of what makes an organisation most likely to be a target and victim of a ransomware attack:

  • Based either in the EU or US.

  • Making at least $100 million (around £80 million) in annual revenue.

  • Being an “SMB.”

  • Insured against cyber attacks.

  • Operating in the following industries: construction, manufacturing, finance, healthcare, education, technology & IT, logistics & transportation, automotive, municipal services, and legal.

  • Employing a remote/hybrid workforce.

  • Having some involvement in time-sensitive financial events, like IPOs or mergers and acquisitions.

  • Hosting unpatched vulnerabilities.

  • Wanting to avoid publicity.

  • Needing immediate access to files (for example, government agencies or healthcare institutions).

  • Having fallen victim to a ransomware attack previously.

The Business Impact of Ransomware

The consequences of a ransomware attack on a business can be devastating and may include:

Operational downtime. Business disruption from a ransomware attack can result in huge productivity losses, inability to operate critical services, and downstream impacts. After a ransomware attack, more than three-quarters of employees report losing access to networks and systems. A further 26% say they can’t do their job for at least a week. 

Damaged reputation. Many customers don’t trust organisations that experienced a data breach. In fact, nearly half of customers say they would stop using a service following a cyber attack. 

Financial burden. Between ransom payments, remediation, involuntary downtime, and reputation rebuilding costs, ransomware can have significant financial implications for affected organisations. 

Talent loss. Ransomware attacks are sometimes followed by staff layoffs. Almost one-third of organisations are forced to eliminate jobs after an attack. A similar number also lose C-level leadership after a ransomware attack, either due to resignation or dismissal. 

Regulatory sanctions. In some jurisdictions, a ransomware victim may also have to pay steep penalties for being hacked. This is one of the reasons why cybercriminals prefer to target companies in the EU. According to one ransomware attacker, organisations in the EU “pay quickly and quietly” to avoid fines under the GDPR.

Intellectual property and customer data loss. A ransomware attack creates a substantial risk that sensitive data, including customer information and intellectual property, will be leaked. Not only can exposure of this data damage the company, but it can also benefit its competitors, who can gain unauthorised access to confidential information, like product designs, strategic plans, and more. 

Business closure. Not all organisations hit with ransomware survive being attacked. Research shows that three-quarters of small to mid-sized businesses would have to close shop in the event of a ransomware attack. 

Popular Ransomware Groups and Variants

New ransomware families and variants emerge all the time. Here are some of the more notable ransomware variants used by threat actors today and in the past.

WannaCry

In May 2017, computers around the world fell victim to WannaCry ransomware. This ransomware exploited vulnerabilities within a retired Microsoft Windows operating system to infect over 230,000 computers worldwide.

WannaCry was spread through EternalBlue, an exploit allegedly developed by the US National Security Agency (NSA) and later disclosed by a hacker group called The Shadow Brokers.

Although Microsoft released a patch against the exploit before May 2017, WannaCry was able to compromise organisations that had not updated their operating systems. Today, updated versions of WannaCry are still a threat: attacks have increased by over 53% since 2021.

CryptoLocker

Released in 2013, CryptoLocker ransomware targeted business professionals and individuals using Windows computers.

It spread through phishing emails and the Gameover ZeuS botnet. CryptoLocker phishing emails were made to look like customer complaints against the victim’s organisation or a problem with clearing a cheque.

The botnet was taken down in 2014 by a consortium of law enforcement agencies, security software firms, and universities. 

Ryuk

First noted “in the wild” in 2018, Ryuk ransomware is one of today's best-known and most dangerous ransomware variants. 

Described by Microsoft as a human-operated ransomware campaign, the Ryuk group uses manual hacking techniques to gain entry and move across the network before encrypting files. The group goes exclusively after large organisations that have the means to pay steep ransoms.

With Ryuk, only critical files are encrypted, making detection more challenging. Ryuk ransomware is usually distributed through Trickbot or Emotet malware.

Locky

Currently out of use, the infamous Locky ransomware strain was released in 2016. It was delivered primarily through phishing emails masquerading as invoices that needed to be paid. Locky has been linked to the hacking group Dridex.

This ransomware variant favoured hospitals as its targets. For example, one of its earliest victims was the Hollywood Presbyterian Medical Center. The centre paid 40 Bitcoin (around £21,000 at the time) for its computer systems to be released.

REvil (Sodinokibi)

REvil, aka “Ransomware Evil,” or Sodinokibi, is a notorious RaaS operation. It is known for hacking the world’s largest beef producer JBS Foods as well as the IT service company Kaseya and threatening Apple with the release of stolen product blueprints. 

REvil encrypts files and steals data. If a victim refuses to pay a ransom, REvil publishes the stolen information on its leak site, “Happy Blog.”

In January 2022, Russian authorities said they dismantled REvil, arresting 14 of its members. However, Bleeping Computer has since reported that REvil’s leak site redirects to a new site that details new victims. 

Petya and NotPetya

Targeting Microsoft Windows-based systems, Petya is a family of related malware that can encrypt a victim’s entire hard drive, preventing the device from booting. Variants of Petya initially spread through malicious email attachments in 2016.

In 2017, a new variant known as NotPetya led to a global cyber attack. Ukrainian organisations, including newspapers, banks, and electricity firms, were among the first to be hacked but infections were also soon reported in the UK, US, France, Germany, Poland, and Italy. 

According to a White House assessment, the attack caused $10 billion (approximately £8 billion) in damages. 

Conti

Conti is one of the biggest and most prolific ransomware groups, also operating as RaaS. The group behind Ryuk ransomware, Wizard Spider, is also behind Conti. 

Like most modern ransomware groups, Conti steals data and encrypts it, threatening to publish the stolen information on its leak site if a ransom isn’t paid. It also sells access to some of the organisations it has penetrated.

Following Conti’s declaration of support for Russia in the Russia-Ukraine war, the group’s internal chat logs were leaked, giving security professionals an insight into how it operates. Despite the leak, the group is still active.

How to Protect Your Business Against Ransomware

Based on our experience in helping companies avoid cyber threats, the tips below can reduce your organisation’s exposure to the threat of ransomware.

Carry out regular anti-ransomware training

Phishing emails are among the most common ransomware infection vectors. Unfortunately, employee awareness of social engineering attacks seems to be decreasing. Many workers assume that their organisation automatically filters out all suspicious or dangerous emails. 

In response, companies need to train their employees to spot phishing campaigns and use phishing tests to imitate real-life threats.

Businesses should also teach employees how to recognise a ransomware attack in progress and establish a line of communication when an attack is happening. 

Apply the principle of “least privilege”

To restrict ransomware’s ability to spread through the network, companies should give users, accounts, and applications the least amount of network access permissions they need.

Create data backups

Secure, up-to-date backups are vital for mitigating ransomware risk.

According to a LockBit 2.0 ransomware representative, "the victims who are paying are the ones who do not make backups and poorly protect sensitive information, regardless of the industry." 

Because ransomware attackers will attempt to encrypt backups, too, organisations must keep backups isolated from normal network traffic.

Use strong user authentication

Cybercriminals use weak or stolen credentials to bypass security controls. Strong authentication can make it harder for attackers to take advantage of compromised passwords.

Perform regular patching

Most of the vulnerabilities exploited by cybercriminals have been around for years and have vendor patches available. But 71% of IT security professionals think that patching is too time-consuming and complex.

Businesses need to invest in patch management. It’s vital to patch systems as soon as patches become available to minimise potential vulnerabilities. Critical software, like antivirus software and other anti-malware solutions, should be updated regularly on all devices (this includes mobile devices).

Disable macros by default

According to security researcher Kevin Beaumont, around 25% of ransomware enters through macros. Organisations should therefore ensure staff can’t enable macros.

Invest in threat detection and response technologies

The longer it takes for organisations to notice suspicious behaviour, the more time malicious actors have to explore corporate networks, steal data, and launch ransomware. 

When multiple siloed security tools slow down threat investigation, it’s challenging, if not impossible, for security teams to detect ransomware fast enough.

Technologies like SenseOn that automate detection and response short-circuit delays in threat investigation and remediation. By allowing security professionals to prioritise genuine alerts quickly, SenseOn makes it possible to stop ransomware threats before deployment happens.

How to Detect a Ransomware Attack

Security teams that notice suspicious behaviour before ransomware is launched can minimise the effects of the attack — or even stop it altogether.

Automated threat detection and response tools like SenseOn can automatically identify unusual activity in an infected system, issue high-priority alerts in real-time, and even take containment measures against forms of malware like ransomware. SenseOn can do this without human input. 

How to Remove Ransomware

Ransomware victims should first check whether they can use free decryption tools from “No More Ransom,” a joint initiative between Europol and the cybercrime unit of the Dutch police.

Launched in 2016, the project claims to have since saved users about £855 million. It provides 100+ decryptor tools for 150+ ransomware variants.

Through the project’s website, organisations can upload ransom notes and encrypted files to understand the attack better and see if there is a decryptor.

Should You Pay a Ransom?

Law enforcement agencies like the Federal Bureau of Investigation (FBI) in the United States and the National Crime Agency (NCA) in the United Kingdom advise victims not to pay a ransom. Giving in to ransom demands encourages future criminal activity and provides cyber crooks with funds for additional attacks.

Nevertheless, many organisations choose to pay a ransom for fear that not doing so would threaten the business’s survival. To some companies, paying a ransom may also make more financial sense than restoring systems from scratch.

But paying a ransom doesn’t guarantee data recovery. Only a tiny fraction of companies that pay a ransom get all of their data back. Most organisations admit that some or all of the retrieved data is corrupted. 

Moreover, the vast majority of businesses that pay criminals to regain access to their systems are hacked later, often by the same attackers. This is because once an organisation pays a ransom, cybercriminals see them as a good investment and often leave backdoors into their systems for future use. 

Paying a ransom also doesn’t mean that attackers won’t publish stolen data. There have been numerous instances where a business paid a ransom to have their data deleted, only for it to be leaked anyway. In its 2021/2022 report, Group-IB reported a 935% rise in the number of organisations that had their data published on a leak site. 

Unlike a decryption key, which cannot be taken back once it has been shared with a company, stolen data can be used for blackmail indefinitely. Often, organisations do not see a second extortion attempt coming. The Conti gang shared fake files with victims to prove that they had deleted stolen data, but later published this data or re-extorted their victims.

How Can SenseOn Reflex Help

SenseOn Reflex offers around-the-clock ransomware protection for organisations ranging from SMBs to enterprises. 

Unique on the market, SenseOn integrates security tools like:

  • Endpoint detection and response (EDR).

  • Network detection and response (NDR).

  • User and entity behaviour analytics (UEBA).

  • Intrusion detection systems/intrusion prevention systems (IDS/IPS).

  • Security information and event management (SIEM).

  • Security orchestration, automation, and response (SOAR).

By combining security information from an organisation’s entire IT suite into a single platform, SenseOn gives security teams deep visibility into their entire digital estate.

Using a blend of detection methods (“Detections-in-Depth”) — including rules and signatures, supervised and unsupervised machine learning, user and entity behaviour analytics, and threat deception techniques — SenseOn detects and correlates suspicious behaviour, only issuing alerts when it spots a genuine threat. This dramatically reduces the burden of false positives.

A market leader in stopping ransomware attacks, SenseOn’s automated remediation means that ransomware can be stopped without security personnel’s input. SenseOn can immediately isolate affected devices to ensure that ransomware has no way of spreading across the network. 

With SenseOn in place, organisations don’t have to worry about missing signs of ransomware until it’s too late.
