Ransomware is a type of malware (malicious software) that threatens to either publish or block access to data on a computer or computer network. It does this by encrypting data on a device or network or by locking the victim out of their device altogether.
Ransomware attackers offer the decryption key or access to the victim's device in return for a fee or ransom. Usually, the offer comes with a deadline. If victims don't pay the ransom in time, attackers will threaten to delete encrypted data or publish the victim's data.
Ransomware is a problem that affects all industries including financial firms, government agencies, schools, hospitals and law firms, across the globe. It can hit local drives and spread to attached devices or take out entire networks and backup data at once. Though recovery without paying the ransom is sometimes possible, it can be costly and time-consuming if the victim is unprepared or in the case of a targeted attack. And, if an attacker chooses to publish sensitive data, a system backup won't be effective in stopping them.
The first ransomware attack was in 1989. A doctor handed out floppy disks that supposedly contained a questionnaire to evaluate patients during the AIDS crisis. Instead, the disk held what we now call the AIDS Trojan. It encrypted sensitive data on doctors' computers, forcing them to mail ransom payments to an address in Panama to receive a decryption key for the infected system.
Today's ransomware attacks are far more sophisticated and even more costly. Recently, on July 2, 2021, REvil, a Russian cybercriminal gang, infected over 1500 victims with ransomware. They did it by exploiting a vulnerability in Miami-based Kaseya Ltd.’s Vector Signal Analysis software. The hackers demanded a $70 million ransom to decrypt the blocked data.
The attack left multiple industries struggling to recover information, including a Swedish supermarket chain, several New Zealand schools, and a small town in Maryland.
If REvil sounds familiar, it's because this isn't their first attack. They're also responsible for extorting $11 million from JBS, the world's largest meat processing company, in late May 2021.
And REvil isn't alone. Ransomware attacks are a growing problem. The FBI received 2,500 complaints of ransomware attacks in 2020, a 20% increase over 2019, with total damages expected to reach $20 billion in 2021 (Cybersecurity Ventures).
Each attack can take weeks or months to recover from, if a company recovers at all. 71% of ransomware attack victims are unable to restore their data. And, if you choose to pay the ransom, you might still be in trouble. Fifty percent of ransomware victims who paid the ransom still lost at least some files; 13% lost nearly everything.
Understanding ransomware is the first step in protecting yourself. In general, there are two types to be aware of: crypto ransomware and locker ransomware.
Crypto ransomware encrypts valuable files, making them unusable until a victim pays the ransom. Usually, the attacker imposes a deadline of 24-48 hours.
Locker ransomware doesn't use encryption. Instead, it locks victims out of the device entirely, bringing the victim’s business to a halt.
There are several ransomware variants and each one uses a different technique to infect your files or device. Bad Rabbit, for example, spreads through a fake Adobe Flash update on compromised sites. Locky spreads as malicious attachments when victims open an email claiming to be an invoice.
Ransomware attackers are usually financially motivated. There may be a political component in some cases, but the individuals responsible for the attacks are looking to profit first and foremost.
That means they're looking for potential victims who have valuable data on their devices or network. Any device that contains banking information, social security numbers for customers or employees, or other sensitive data is a top target for cybercriminals to spread ransomware.
And though every industry is a potential victim when it comes to a ransomware virus, attackers are most likely to target infrastructure industries, healthcare companies, law enforcement, and the government.
Ransomware is terrifying to many business leaders, but there are things you can do to protect yourself from major ransomware attacks.
In the modern world, the most common method of storing and transferring information is through digital spaces. It’s no longer necessary to keep extensive binders and file folders in large cabinets in the office; now, we can access those files with the touch of a button. But with the loss of physical record-keeping, the business world has encountered a new problem.
What happens when the hardware on which you keep all of your clients’ sensitive, personal information is damaged, lost, or stolen? What if there is a software error that permanently erases significant portions of your business’s essential records?
In the event of a ransomware attack, there are actions you can take to mitigate the damage, but you'll need to act fast. At the first sign of an attack, you need to isolate the device to prevent the infected computer from spreading more malware. Take it off the network and remove any attached drives. Then, search your business's network for any other devices that are acting suspiciously. Isolate them as well to protect data backups.
Turning off the WiFi at this point is a good idea. You'll also want to shut off all other wireless connectivity, including Bluetooth, throughout the network. If possible, lock down your file shares as well, so the infected device can no longer write to them. Doing so will stop the encryption process in its tracks.
After you've blocked the ransomware from spreading, you'll want to assess the damage. Look for encrypted files that won't open or have strange names. Then, create a list of all the affected systems, including network storage devices, external hard drives, laptops, smartphones, and cloud storage.
Once that's complete, you can search for the source of the infection. It may be the device you first noticed acting suspiciously, but it also could be coming from somewhere else. Remember, ransomware works quickly, so finding patient zero can be tricky.
Start by checking for any alerts from your antivirus software. Then, ask your team about their internet activities. Did anyone open a strange email recently? Or click on a pop-up that didn't make sense? You can also look at the affected devices themselves. If one has more open files than usual, it's probably patient zero.
Once you know the source, you can identify the strain of ransomware using a site like No More Ransom. Just scan one of the encrypted files, and the site will help identify the variant. In some cases, it may even be able to provide a free decryption key.
Once you know the variant, you'll know exactly how this strain of ransomware behaves. You can then inform everyone left on the network what to look for, so they don't end up infected.
Finally, you'll want to report the attack to the local authorities. The FBI encourages victims not to pay the ransom. Instead, call and work with your local law enforcement to help bring the perpetrators to justice. In some cases, law enforcement and government agencies can even help you recover data by obtaining the decryption key from the attackers. Sophisticated attacks targeting enterprise corporations are on the rise, so it is important to keep law enforcement agencies informed to help stop the spread of ransomware.
After that, you can start the recovery process by using the latest clean backup or, if you're lucky, the decryption key to decrypt files. Unfortunately, some ransomware targets backups, making them unusable, so you may be out of luck entirely. If that's the case, you'll have to move on. The data, unfortunately, is gone.
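The damage-assessment step above asks you to look for encrypted files that won't open or have strange names and then build a list of affected systems. The Python script below is an added example, not Rubrik's code and not part of the original post, of how a responder can automate that inventory on one isolated host: it flags files with a second extension appended after a document extension, files whose header no longer matches what their extension implies, files whose first 4 KiB have near-random entropy, and small text files worded like a ransom note. The entropy threshold, the keyword list, the hostname and the sample files it builds are constructed assumptions; the magic numbers are the real ones for those formats.

```python
"""Ransomware triage: inventory files that look encrypted or renamed on one host.

Added example (not Rubrik's code). The heuristics are assumptions, not tied to any family:
  1. a second extension appended after a normal document extension (report.docx.locked)
  2. a file header that does not match the magic bytes its extension implies
  3. near-8-bits-per-byte Shannon entropy in the first 4 KiB (ciphertext, not plaintext)
  4. text files whose wording resembles a ransom note
"""
import json
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5  # assumed cut-off; English text ~4.5 bits/byte, ciphertext ~7.9+

# Real magic numbers for a few common document formats.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
# Formats that are compressed when healthy, so high entropy alone is not a signal for them.
COMPRESSED = {".docx", ".xlsx", ".pptx", ".zip", ".png", ".jpg"}
KNOWN_EXTS = set(MAGIC) | {".txt", ".csv", ".doc", ".xls", ".html"}
NOTE_KEYWORDS = ("decrypt", "bitcoin", "your files", "ransom")  # constructed list


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for empty or single-valued input, 8 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> list:
    """Return the reasons a file looks ransomware-affected (empty list if it looks clean)."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    try:
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError as exc:  # a locked or vanished file is itself worth recording
        return ["unreadable: " + type(exc).__name__]

    # 1. strange name: unknown extension tacked onto a normal document extension
    if len(suffixes) >= 2 and suffixes[-2] in KNOWN_EXTS and ext not in KNOWN_EXTS:
        reasons.append("appended extension " + ext)

    # 2. header no longer matches the claimed type (encrypted in place, name kept)
    expected = MAGIC.get(ext)
    magic_ok = expected is None or head.startswith(expected)
    if not magic_ok:
        reasons.append("header does not match " + ext)

    # 3. content looks like ciphertext; healthy compressed formats are exempt
    entropy = shannon_entropy(head)
    if len(head) >= 256 and entropy >= ENTROPY_THRESHOLD and not (ext in COMPRESSED and magic_ok):
        reasons.append("high entropy %.2f bits/byte" % entropy)

    # 4. ransom note left beside the encrypted files
    if ext in (".txt", ".html", ""):
        text = head.decode("utf-8", errors="ignore").lower()
        hits = [k for k in NOTE_KEYWORDS if k in text]
        if len(hits) >= 2:
            reasons.append("ransom-note wording: " + ", ".join(hits))
    return reasons


def scan(root: Path, hostname: str) -> dict:
    """Walk a directory tree and return this host's entry for the affected-systems list."""
    scanned, findings = 0, []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            scanned += 1
            reasons = classify(p)
            if reasons:
                findings.append({"path": p.relative_to(root).as_posix(), "reasons": reasons})
    findings.sort(key=lambda f: f["path"])
    return {"host": hostname, "scanned": scanned, "suspicious": findings}


def build_demo_tree(root: Path) -> None:
    """Write constructed sample files: three healthy, three that should be flagged."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    (root / "notes.txt").write_bytes(b"Quarterly planning notes for the sales team. " * 8)
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 10)
    (root / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + rng.randbytes(2048))  # healthy, compressed
    (root / "invoice.docx.locked").write_bytes(rng.randbytes(4096))  # encrypted and renamed
    (root / "budget.xlsx").write_bytes(rng.randbytes(4096))  # encrypted in place, name kept
    (root / "HOW_TO_DECRYPT.txt").write_text(
        "Your files have been encrypted. To decrypt them, pay in bitcoin to <placeholder address>.\n")


def demo() -> dict:
    """Scan a throwaway tree of constructed files and return the inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan(root, hostname="constructed-host")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once on each isolated host (for example `scan(Path("/srv/shares"), hostname)`) and merge the JSON outputs to get the affected-systems list the step calls for; the compressed-format exemption matters because healthy .docx, .zip and .png files already look random and would otherwise be false positives, while a .docx whose header has been overwritten is still caught by the magic-number check.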
Fortunately, there are programs available that can keep your backups safe and provide instant recovery from attacks.
Rubrik Instant Ransomware Recovery is one way to ensure your business can recover fast. It provides instant recovery in just a few clicks. And, thanks to immutable backups, Rubrik ensures an attack won't leave you without your data by keeping your backups 100% protected and resilient.
Rubrik also offers Radar which can quickly pinpoint files affected by ransomware. That makes recovery far faster and helps you analyze the attack's total impact quickly. Rubrik also offers Sonar which helps discover and track personally identifiable information (PII) on your network.
Rubrik can even protect data across multi-cloud environments. Rubrik's data protection services provide immutable snapshots, as well as encryption at-rest and in-transit. Together, these services make recovery faster, even if a ransomware attack occurs.
Ransomware is a common and growing problem that costs victims millions every year. There are things you can do to try and prevent it, but in truth, the problem isn't going anywhere. As cybercriminals become more sophisticated, there's no doubt that the attacks will too. That means you need ransomware protection at the point of data.
As a leader in data management and protection, Rubrik can help ensure your data stays protected. And in the event of an attack, we can ensure recovery happens fast.
Whatever you do, don't leave your business unprotected. Ransomware is costly, and it can be detrimental. Use the tips above to keep your data safe and if an attack occurs, be sure to reach out to law enforcement right away.