What Is Ransomware?
Ransomware is a type of malware that attackers use to encrypt a victim’s data. The attackers then demand a ransom in exchange for the decryption keys needed to restore system access, and they may threaten to publish or delete data if the ransom isn’t paid. Ransomware attackers employ various attack types to compromise systems.
Explore our cybersecurity solutions to enhance your organization’s defense against cyberthreats.
Ransomware Statistics
- During the first five weeks of 2025, the U.S. saw a 149% year-over-year increase in the number of ransomware victims.
- Globally, ransomware incidents were up 82% in January 2025, compared to the same month the previous year.
- In Q4 2024, the median quarter-over-quarter ransomware payment dropped 45% to $111,000, highlighting the large number of attacks being launched against small and midsized organizations.
Why Do Cybercriminals Use Ransomware?
Cybercriminals use ransomware because it is easy to deploy and highly profitable. Attackers know that business data is highly valuable and that leaders will often authorize large payments to ensure business continuity.
How Does Ransomware Work?
- Infection: Before cybercriminals can install ransomware, they must first breach the corporate network. Ransomware infection often results from phishing attacks, vulnerability exploits or forced malicious downloads.
- Propagation: Attackers propagate ransomware across systems by exploiting network vulnerabilities, using file-sharing protocols or leveraging compromised access credentials. Effective network segmentation can help limit ransomware propagation.
- Execution: Ransomware programs spread across the network and encrypt files. Attackers may spend weeks or months after breaching a network preparing for the execution of their attack — disabling security software and deleting backups to increase the likelihood of a ransom payment.
- Demand for Ransom: Once attackers have encrypted an organization’s data, they will demand a ransom payment in exchange for the decryption key. Ransom amounts vary, and attackers typically demand that ransoms be paid in untraceable cryptocurrencies. Ransom demands may include threats to publish stolen data if the money is not paid by a deadline.
- Decryption: Decryption involves restoring access to encrypted data after victims pay a ransom. However, some attackers never release data even after a ransom is paid. Others may continue to demand more money in exchange for not releasing the data publicly.
Ransomware Attack Types
Phishing and Social Engineering
Cybercriminals often use phishing and social engineering tactics to launch ransomware attacks, tricking users into clicking on malicious links or revealing their authentication credentials. Up to 70% of ransomware incidents stem from phishing and social engineering attacks.
OS and Software Vulnerabilities
Unpatched cybersecurity gaps in operating systems and other software are ripe for attack by ransomware criminals. These vulnerabilities allow attackers to access enterprise systems and then deploy ransomware across the network.
Credential Theft
Stolen login credentials give ransomware attackers the ability to access corporate networks and deploy ransomware. Some attackers purchase credentials from Initial Access Brokers (IABs), who gather stolen credentials and sell them to the highest bidder.
Drive-by Downloads
When users visit compromised websites, malicious code may automatically be downloaded onto their devices without any additional action on their part, resulting in a “drive-by download.” These attacks exploit vulnerabilities in browsers and operating systems, allowing ransomware to install without alerting users. A similar attack type, known as a “watering hole,” targets specific organizations by compromising websites that users are known to visit.
Types of Ransomware
Leakware or Doxware
If a ransom is not paid, cybercriminals may disclose or sell a company’s information, potentially including confidential customer data, intellectual property, payment information and medical records. This type of attack is known as “leakware” or “doxware.” Unlike traditional ransomware, data backups cannot overcome the threat of a leak.
Crypto Ransomware
In a crypto ransomware attack, attackers target individuals and organizations by encrypting important files and data, making them inaccessible without a decryption key. This is one of the most common and destructive forms of ransomware attacks, and it is what many people are referring to when they use the general term “ransomware.”
Locker Ransomware
Unlike crypto ransomware, locker ransomware does not encrypt files but rather locks users out of their devices until a ransom is paid. For example, Lockerpin is a form of PIN-locking mobile ransomware that targets Android devices.
Mobile Ransomware
Attackers who target users’ phones with mobile ransomware sometimes demand smaller ransom payments from a larger number of victims. For example, two young cybercriminals in Moscow launched a 2014 attack demanding $100 for Apple users in the UK and Australia to restore access to their iPhones.
Wipers
During a wiper attack, hackers look to permanently delete or corrupt data on targeted systems, rendering them inoperable. Unlike ransomware attacks, wipers are designed to inflict permanent, irreparable damage.
Scareware
In a scareware attack, hackers may not actually encrypt any files at all. Instead, after they infiltrate a network, they will bombard victims with alerts and threats, claiming they have the ability to delete or expose data. The scare tactics sometimes result in ransom payments, even though the attackers do not actually have the ability to carry out their threats.
Ransomware as a Service (RaaS)
Hackers can now outsource some ransomware activities to RaaS providers, who offer access to advanced malware in exchange for a fee. These agreements are mutually beneficial: Hackers do not need to develop their own ransomware, and malware developers can profit even without having to actually launch attacks themselves.
Well-Known Ransomware Variants
CryptoLocker: Spread via email attachments that often mimicked FedEx and UPS tracking notices, CryptoLocker emerged in 2013, encrypting files on shared network drives, USB drives, network file shares and even cloud storage drives.
WannaCry: The highly infectious ransomware WannaCry, which exploited a vulnerability in the Windows SMBv1 server, highlighted the importance of patching vulnerabilities to prevent successful attacks.
Petya and NotPetya: Petya is a ransomware variant that targets Windows systems. NotPetya, which emerged in 2017, initially appeared to be a variant of Petya, but it was later identified as a wiper disguised as ransomware. The malware’s encryption process was irreversible, meaning that victims could not recover their data even if they paid a ransom.
Ryuk: This targeted ransomware variant is known for attacks involving particularly high ransom demands, and it has been used in costly attacks on large enterprises.
DarkSide: DarkSide is a ransomware group known for highly targeted attacks, including the Colonial Pipeline hack. The group engages in “double extortion,” exfiltrating sensitive data and threatening to publish it unless a ransom is paid.
Locky: Often delivered via malicious fake email invoices, Locky tricks users by instructing them to download macros if the attached files cannot be read.
REvil: Also known as Sodinokibi, REvil is a RaaS operation that offers its malware to attackers for a price. The Russian Federal Security Service has said that it has dismantled REvil and charged several group members.
Conti: Conti is another RaaS operation. The group infects systems through phishing emails, software vulnerabilities and backdoor malware that disables security tools and encrypts files. Conti operators often delete data backups to increase the likelihood of a ransom payment.
LockBit: This ransomware uses lateral movement and post-exploitation tools to disable security measures before encrypting files. LockBit, the most deployed ransomware variant across the world in 2022, also exfiltrates data, with attackers employing a double extortion strategy to maximize ransom payments.
How Does Ransomware Spread?
Ransomware spreads through a number of threat vectors, including infected websites, phishing emails containing malicious attachments or links, exploit kits that take advantage of software vulnerabilities and social engineering attacks that trick users into installing malware. Once ransomware is inside a network, attackers can move laterally across systems by leveraging stolen credentials or network vulnerabilities.
What Are the Risks of Ransomware?
Financial Loss: Ransomware attacks can result in significant financial losses, including the cost of ransom payments, expenses related to data restoration, lost revenue due to downtime, legal fees and regulatory fines. These costs will typically be even higher for organizations that lack robust data backups and incident response plans.
Data Breaches: During ransomware attacks, cybercriminals often exfiltrate sensitive information before encrypting it. If this data is disseminated publicly, organizations may face additional legal expenses, compliance fines or costs related to fraud and identity theft.
Operational Disruptions: When an organization loses access to its business data due to a ransomware attack, employees are often left unable to do their jobs. This can halt business operations, delay project timelines and disrupt critical infrastructure, resulting in a significant hit to productivity. Additionally, businesses often have to devote considerable employee time to recovery efforts.
Reputational Damage: A successful ransomware attack can erode customer trust and confidence, especially if customer data is compromised. Negative publicity can exacerbate this reputational harm, and the damage often persists long after IT systems are restored.
Legal and Regulatory Implications
Ransomware can have significant legal and regulatory implications, making proactive steps to protect your organization’s IT environments even more important. At the same time, a number of regulatory and advisory bodies have developed guidelines to help organizations prevent ransomware attacks.
National Institute of Standards and Technology (NIST)
The NIST Cybersecurity Framework offers a structured approach to identifying, responding to and recovering from ransomware attacks. In particular, NIST IR 8374 provides best practices for ransomware prevention and mitigation.
General Data Protection Regulation (GDPR)
The European Union’s GDPR imposes strict data protection requirements on any organization that handles the personal data of EU residents. Ransomware attacks can lead to GDPR violations if sensitive data is compromised.
HIPAA
Healthcare organizations are required by HIPAA to aggressively safeguard protected patient information. The Department of Health and Human Services reports that HIPAA compliance can help healthcare organizations prevent the introduction of malware, including ransomware.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS mandates security controls for organizations handling payment card data. Ransomware events can cause violations that lead to potential fines and reputational damage.
Cybersecurity Maturity Model Certification (CMMC)
The CMMC is a framework aimed at enhancing the cybersecurity posture of defense contractors. Compliance with this framework is essential for contractors to secure and maintain government contracts.
Cyber Insurance
Cyber insurance policies can provide financial protection against ransomware attacks, but insurers typically require organizations to take aggressive steps to protect their networks before they will provide coverage.
State-Specific Legislation
Some states, including North Carolina and Florida, have passed laws specifically prohibiting agencies from paying ransoms to cybercriminals. These laws are meant to both encourage proactive cybersecurity measures and reduce the incentive for attackers to target government agencies.
Real-World Ransomware Examples and Case Studies
Sky Lakes Medical Center: This healthcare organization avoided paying a ransom after an attack thanks to a joint solution from CDW, Cohesity and Cisco. The organization used Cohesity’s immutable backup solution to quickly recover its Cisco HyperFlex environment, ensuring continuous patient care while also averting significant financial losses.
Coventry University: Coventry University in the UK worked with CDW to implement CrowdStrike, which significantly improved the school’s ability to detect and block ransomware attacks.
Eastern Carver County Schools (ECCS): CDW helped ECCS in Minnesota enhance its cybersecurity posture by implementing robust backup solutions and disaster recovery plans. This proactive approach has helped the district protect itself from a rise in ransomware infections, phishing scams and other cyberattacks on schools.
How to Prevent and Mitigate Ransomware
Security Software: Robust security software can provide multilayered protection from ransomware, detecting and remediating threats in real time. The best tools can block — and, in some cases, even reverse — the actions of disk-encrypting ransomware.
Data Backup: Many experts advise that organizations follow a 3-2-1 backup strategy. This means three copies of all essential data, stored on two different media types, with one backup stored offsite. Immutable storage solutions ensure that backups cannot be altered or deleted by ransomware.
Cybersecurity Training for Employees: Training helps employees recognize phishing emails and avoid clicking on malicious links that may introduce ransomware to the network. Educated employees can also serve as a first line of defense, identifying and reporting suspicious activities before any damage is done.
Network Segmentation: By isolating critical assets, network segmentation can limit the lateral movement of ransomware across enterprise networks. In addition to limiting the spread of ransomware, effective network segmentation can accelerate and simplify the recovery process.
Multifactor Authentication (MFA): Many cyberattacks are the result of stolen login credentials. MFA tools mitigate this risk by requiring additional verification steps beyond passwords, such as one-time access codes or biometric identifiers such as fingerprints.
Security Information and Event Management (SIEM) Systems and Anomaly Detection: A SIEM system monitors and analyzes security data, helping organizations identify and respond to cyberthreats. These systems, along with other anomaly detection tools, can prevent ransomware by identifying unusual patterns and enabling security teams to contain threats before they spread.
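As an added illustration of the kind of unusual pattern an anomaly detection tool looks for, here is a small detector (example code written for this page, not a CDW product or code from the original article) that flags a host when many files change extension within a short window, which is what bulk encryption looks like in file-activity logs. The log line format and the sample lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format (an assumption, not a real product schema):
#   <ISO timestamp> <host> <user> RENAME <old path> -> <new path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) RENAME (?P<old>\S+) -> (?P<new>\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def ext_of(path):
    """Extension of the final path component, lower-cased; '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect_mass_renames(lines, window_seconds=60, threshold=20):
    """Alert once per (host, user) that changes the extension of at least
    `threshold` files inside any sliding window of `window_seconds`."""
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ext_of(ev["old"]) != ext_of(ev["new"]):
            by_actor[(ev["host"], ev["user"])].append(ev)
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        window = deque()
        for ev in evs:
            window.append(ev)
            while ev["ts"] - window[0]["ts"] > timedelta(seconds=window_seconds):
                window.popleft()  # drop events that fell out of the window
            if len(window) >= threshold:
                new_ext, _ = Counter(ext_of(e["new"]) for e in window).most_common(1)[0]
                alerts.append({"host": host, "user": user, "count": len(window),
                               "new_ext": new_ext, "first": window[0]["ts"]})
                break  # one alert per actor is enough to trigger containment
    return alerts

def build_sample_log():
    """Constructed sample: one user converting a few files over ten minutes,
    and one host appending a single new extension to 40 files in 20 seconds."""
    base = datetime(2025, 2, 3, 9, 0, 0)
    lines = []
    for i in range(5):  # benign: bob converts five drafts, two minutes apart
        t = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{t} ws-04 bob RENAME /share/hr/draft{i}.docx -> /share/hr/draft{i}.pdf")
    for i in range(40):  # suspicious: ws-17 renames 40 spreadsheets to .locked
        t = (base + timedelta(seconds=i // 2)).isoformat()
        lines.append(f"{t} ws-17 svc-files RENAME /share/fin/r{i}.xlsx -> /share/fin/r{i}.xlsx.locked")
    return "\n".join(lines)
```

Running `detect_mass_renames(build_sample_log().splitlines())` yields one alert for ws-17 and none for the benign conversions; in practice the threshold and window would be tuned per file server, and an alert would feed isolation of the host as described in the response steps below.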
How to Respond to a Ransomware Attack
- Disconnect from Network: As soon as a ransomware attack is detected, systems should be disconnected from the network to prevent further spread. This can involve unplugging devices from network cables or even taking an entire network offline if multiple systems are infected.
- Do Not Immediately Pay the Ransom: Contrary to popular belief, paying a ransom does not guarantee data recovery, and it can even fund future attacks. Authorities typically advise against paying ransoms to attackers, instead instructing organizations to focus on recovery from backups and incident response strategies.
- Report the Attack: By reporting attacks to law enforcement, organizations can potentially limit further damage, facilitate threat intelligence sharing and meet their own compliance obligations. Collectively, law enforcement reports can lead to the eventual dismantling of cybercriminal networks.
- Restore from Backups: Restoring from securely stored immutable backups is a key step in recovering from a ransomware attack. Regular testing helps ensure that backup restoration processes can be executed quickly in the event of a crisis.
- Seek Expert Assistance: Most organizations have little internal experience in responding to ransomware attacks. Professionals from a third-party partner such as CDW can help contain threats, restore systems and strengthen defenses against future attacks.
Ransomware Myths
Myth: Ransomware attacks only target large organizations. Ransomware attacks target organizations of all sizes. Attackers know that small businesses and individuals are particularly vulnerable because they are less likely to have robust security measures in place.
Myth: Paying a ransom guarantees data recovery. Even after organizations make ransomware payments, attackers sometimes simply fail to hand over decryption keys.
Myth: Encryption is the only threat. Modern ransomware attacks often involve data exfiltration, in addition to encryption. Once attackers have copies of enterprise data, they will often threaten to distribute it unless a ransom is paid.
How CDW Can Help to Protect Against Ransomware
To overcome ransomware threats, your organization needs a proactive strategy that builds your capability to recover from an attack. You must assume that attackers will gain access to your environment and may spend months inside, undetected. Limit attackers’ ability to compromise the clean, reliable backups that will enable your organization to recover data, resume operations quickly and minimize the fiscal impact of an attack. It all starts with a strong security posture built around data protection strategies, incident response plans, threat detection and response, cyber resilience and data recovery.
FAQs
While ransomware programs can be removed from systems, restoring encrypted data is more complicated. In some cases, decryption tools may be an option, but these are not always effective. Organizations that do not have secure, updated, immutable backups face a real risk of never recovering their data.
Paying a ransom does not guarantee data recovery, and ransom payments can encourage further attacks by funding cybercriminal operations. Additionally, in some cases, ransom payments may violate legal or regulatory compliance standards.
Hackers primarily distribute ransomware through phishing emails with malicious attachments or links, remote desktop protocol (RDP) exploitation and vulnerabilities in software or networks. Other methods include drive-by downloads from compromised websites and infected USB drives.
Organizations of all sizes, across all sectors, have been targeted by ransomware attackers. Those most at risk are the ones with inadequate cybersecurity measures, complex data environments and large remote workforces.