What Is Ransomware?

What is ransomware?

Ransomware is a form of malware that, once installed on a computer, locks up access to your hard drive until you pay a ransom. Victims see an onscreen message alerting them the computer has been locked or the data encrypted. They are told to pay a specific ransom to regain access to their systems. Usually the payment is required in bitcoin, a popular cryptocurrency, which further complicates the situation. The cost to get your data back varies depending on the target. An individual may be required to pay $500, while a company might have to pay $500,000. This year alone, ransomware has wreaked havoc on supply chains, utilities and even schools.

Ransomware has grown in popularity over the years as cybercriminals have become more sophisticated. With victims willing to pay, cybercriminals have all the incentive they need to deploy ransomware aggressively.

“As with any industry, it is a supply and demand business,” said Daniel Clayton, vice president of global security operations and services for the cybersecurity firm Bitdefender. “If we continue to pay ransomware, we will continue to be attacked. It’s not unusual to see a company get hit once and then again, sometimes by the same group.”

How does ransomware work?

There are several ways hackers can pull off a ransomware attack. Cybercriminals obtain access to a business’s computer network via phishing emails that contain malicious links or attachments. These emails aim to trick users into visiting websites that download the malware behind the scenes. Then the malware gets ahold of employees’ credentials for a company network. Instant messaging apps on social media can also spread malware.

“The main ways they come in is through phishing emails or clicking on a link,” said Raj Samani, fellow and chief scientist at McAfee, the security company. “Some of the big game hunters and even lower operators are looking for a chink in the armor.”

That has been made easier thanks to the COVID-19 pandemic, which made remote work a much more common practice. Before the pandemic, McAfee conducted a scan of the internet and found about 1.5 million systems with Remote Desktop Protocols (RDP) exposed to the internet, which is a common vector for ransomware. Within months, that number had increased to 3.5 million.

In the past, hackers targeted specific companies with ransomware, but that, too, has changed. Now their strategy is volume. “The groups going after the big game are quite small in number as opposed to the volume attacks. There are millions of them, which impact everybody,” said Samani.

What are the types of ransomware?

Ransomware comes in many flavors, but the end goal is usually to make money. That’s been the case with previous high-profile attacks, including one on Colonial Pipeline, which operates the country’s largest gasoline pipeline. When hacker group DarkSide unleashed the attack this spring (without admitting guilt), it said the group intended to make money, not create chaos. Hackers use some of the following tactics to achieve success:

• Crypto ransomware: This is the most popular method, and the most costly for small business owners. Hackers break into your network and encrypt your files and data. You won’t be able to access any of it without a decryption key, which you have to purchase from the hacker via cryptocurrency.
• Locker malware: Instead of encrypting your files, this type of ransomware locks you out of your network. To regain access, you have to pay the ransom. This line of attack doesn’t target your essential files, it just aims to keep you out of your computer.
• Master boot record ransomware (MBR): With this type of attack, the hackers infiltrate the MBR, the part of the hard drive that enables the operating system to start. When you try to turn on your computer, the software will not boot up. Instead, a message demanding ransom will appear on your screen.
• Scareware: Users are tricked into visiting a website that downloads malicious code. A warning, which appears to be from an antivirus software company, pops up claiming files have been infected. Users are directed to purchase software to fix the problem. Instead of a fix, they receive malware aimed at stealing their credentials.
• Ransomware as a service (RaaS): Some professional hacker groups run the ransomware attack and collect payments for a cybercriminal in exchange for a cut of the ill-gotten gains.

Who is susceptible to ransomware attacks?

Ransomware attacks are big business for hackers, costing victims $29 million in 2020. While attacks like the one on Colonial Pipeline garner a lot of attention, ransomware impacts every industry. The areas most prone to attacks include the following:

• Small businesses
• Healthcare and medical services
• Educational institutions
• Governmental organizations
• Banking and financial services
• Energy and utility companies

“Ransomware is that category where they are targeting companies big and small,” Clayton said. “Unfortunately, it’s something everyone should be concerned about.”

What impacts can ransomware have on a business?

The impacts of ransomware vary depending on the cost associated with recovering your data or unlocking your network. The $29 million it cost the country last year doesn’t include lost business, time, wages, files, equipment and third-party remediation services. Here are a few of the many negative impacts of ransomware:

• Temporary or permanent loss of your business’s critical data.
• A shutdown of operations if you are locked out or can’t access the data needed to run the business.
• A hit to your company’s reputation.
• High expenses associated with restoring your network.
• The confidence of your IT staff is shaken.
• Your business is more susceptible to future attacks, particularly if you paid the ransom.

How can you prevent and manage ransomware attacks?

Ransomware isn’t completely avoidable, but there are steps you can take to reduce the likelihood you’ll be a victim. Here are four steps you can take to help prevent ransomware attacks:

Step 1: Assess your situation.

The longer it takes to recover your data, the longer your business isn’t operational. But if you already have a data recovery and continuity plan in place, you can better manage a ransomware attack. That is why a cybersecurity risk assessment goes a long way in prevention.

“Ask yourself if my systems were no longer accessible could my business continue to run,” Samani said. If the answer is no, it’s time to plan for the unthinkable.

Step 2: Give your employees cybersecurity chops.

Educating employees on how to stay safe online is extremely important, particularly with many workers still connecting remotely. Clicking on a phishing link in an email or visiting a questionable website are still common ways to infect a network, which is why employees need to know what to be on the lookout for. It’s also important to require strong passwords and multifactor authentication when logging in to the network. Miller-Osborn said periodically conducting phishing tests of your staff won’t break the bank and will help identify any areas where further training is necessary.

Step 3: Fortify your network.

Ransomware attackers treat their operations as a business, focusing on targets that are easy to infiltrate. As a result, Clayton said one of the best defenses is making your company too expensive for hackers to attack. That means keeping systems up to date and patched, ensuring antivirus and antimalware software are set to update and run scans automatically, and backing up your data regularly. It also means putting in place a business continuity plan if your data is held for ransom.

“You want the attackers to have to jump through as many hoops as possible,” Clayton said.

Step 4: Consider cyber liability insurance.

Many leading insurance companies offer what is known as small businesses cyber insurance. For under $2,000 per year, you can get protection from ransomware and other attacks. That is the case with many of the best insurance providers. Consider the providers below:

• AIG: This insurance provider offers cyber insurance as a standalone policy or as part of one of its financial, property, and casualty policies. Its CyberEdge policy covers the costs associated with a breach and any expenses associated with managing the attack, restoring data, and paying third-party providers. With its CyberEdge Plus plan, AIG covers the losses from business interruptions due to the attack, property damage, and physical injuries to third parties. 

• Chubb: When it comes to cyber security insurance, Chubb knows a thing or two. After all, it wrote its first cyber policy in 1998. A lot has changed since then, and so has its coverage. The policy covers a range of items, including comprehensive cyber liability (third-party) and expense (first-party) coverage, the cost of forensic and public relations experts to help with a breach, business interruptions, vandalism expenses, and privacy notification expenses. Our research into Chubb found that it offers several different policies depending on your needs.

• Thimble: We learned in Thimble’s cyber insurance policy gives you first-party coverage, which helps pay for the damages associated with a breach or cyber attack. That includes the cost to recover data, loss of income if you have to shut down operations, and expenses incurred notifying customers of the breach. Thimble will also cover any costs associated with protecting your reputation and any harm to third parties as a result of the attack. The policy can also help cover the ransom in a ransomware attack.

How do you remove ransomware?

Despite your best efforts, you may still fall victim to ransomware. While your first inclination may be to pay the ransom and get back to business, security experts say that is a big no-no. Not only does that embolden the bad guys, prompting more attacks, but you are more likely to get hit again. After all, they know how to get in and they know you will pay up to get your data back.

A better initial option is to check with No More Ransom, an initiative between the National High Tech Crime Unit of the Netherlands police, Europol’s European Cybercrime Centre, Kaspersky, and McAfee to help victims recover their data without paying a ransom to the cybercriminals. On the website, you can search for free decryption keys, which may regain access to your data. It’s also important to report the attack to the FBI by contacting your local field office. The more information the FBI collects on ransomware, the better equipped it is to thwart future attacks.

After an attack, focus on containing the malware in your network and preventing it from spreading. After all, you can’t get your business up and running until the threat is contained. Have your IT staff or outside support pinpoint, contain and clean up the malware. Only after that should you restore your data from backup. Don’t forget to alert your customers, investors and other critical constituents about the breach. They have a right to know, and you don’t want them to sue you for sitting on an attack. The more forthcoming and transparent you are, the more your clients will trust you.

Ransomware is scary and costly, but it doesn’t have to mean the end of your business. If you follow the above tips and back up your data on a regular basis, you should be able to survive a ransomware attack.