What Is Ransomware?

Ransomware is a type of malware (malicious software) that threatens to either publish or block access to data on a computer or computer network. It does this by encrypting data on a device or network or by locking the victim out of their device altogether. 

Ransomware attackers offer the decryption key or access to the victim's device in return for a fee or ransom. Usually, the offer comes with a deadline. If victims don't pay the ransom in time, attackers will threaten to delete or publish the victim's data. 

Ransomware is a problem that affects all industries across the globe. It can hit local drives and spread to attached devices or take out entire networks and backup data at once. Though recovery without paying the ransom is sometimes possible, it can be costly and time-consuming if the victim is unprepared. And, if an attacker chooses to publish sensitive data, a system backup won't be effective in stopping them. 

Ransomware: A Growing Problem

The first ransomware attack was in 1989. A doctor handed out floppy disks that supposedly contained a questionnaire to evaluate patients during the AIDS crisis. Instead, the disk held what we now call the AIDS Trojan. It encrypted sensitive data on doctors' computers, forcing them to mail ransom payments to an address in Panama to receive a decryption key. 

Today's ransomware attacks are far more sophisticated and even more costly. Recently, on July 2, 2021, REvil, a Russian cybercriminal gang, infected over 1500 victims with ransomware. They did it by exploiting a vulnerability in Miami-based Kaseya Ltd.’s Vector Signal Analysis software. The hackers demanded a $70 million ransom to decrypt the blocked data.

The attack left multiple industries struggling to recover information, including a Swedish supermarket chain, several New Zealand schools, and a small town in Maryland.  

If REvil sounds familiar, it's because this isn't their first attack. They're also responsible for extorting $11 million from JBS, the world's largest meat processing company, in late May 2021. 

And REvil isn't alone. Ransomware attacks are a growing problem. The FBI received 2,500 complaints of ransomware attacks in 2020, a 20% increase over 2019, with total damages expected to reach $20 billion in 2021 (Cybersecurity Ventures).

Each attack can take weeks or months to recover from, if a company recovers at all. 71% of ransomware attack victims are unable to restore their data. And, if you choose to pay the ransom, you might still be in trouble. Fifty percent of ransomware victims who paid the ransom still lost at least some files; 13% lost nearly everything.

Types of Ransomware

Understanding ransomware is the first step in protecting yourself. In general, there are two types to be aware of: crypto ransomware and locker ransomware. 

Crypto ransomware encrypts valuable files, making them unusable until a victim pays the ransom. Usually, the attacker imposes a deadline of 24-48 hours. 

Locker ransomware doesn't use encryption. Instead, it locks victims out of the device entirely, bringing the victim’s business to a halt. 

There are several variations of each of these types of ransomware, and each one uses a different technique to infect your files or device. Bad Rabbit, for example, spreads through a fake Adobe Flash update on compromised sites. Locky spreads when victims open an email claiming to be an invoice.  

Who's Behind Ransomware and What Are They Looking For? 

Ransomware attackers are usually financially motivated. There may be a political component in some cases, but the individuals responsible for the attacks are looking to profit first and foremost. 

That means they're looking for potential victims who have valuable data on their devices or network. Any device that contains banking information, social security numbers for customers or employees, or other sensitive data is a top target for cybercriminals. 

And though every industry is a potential victim when it comes to a ransomware virus, attackers are most likely to target infrastructure industries, healthcare companies, law enforcement, and the government. 

Avoiding a Ransomware Attack

Ransomware is terrifying to many business leaders, but there are things you can do to protect yourself. 

  1. Keep your operating systems and software up to date. An up-to-date corporate network is less vulnerable to attack.
  2. Install antivirus and whitelisting software. Whitelisting software will prevent unauthorized apps from executing, stopping ransomware before it has a chance to start.
  3. Train employees to never install unknown software and to practice safe internet browsing. Don't visit insecure sites, and don't give employees administrative access to install software.
  4. Train your team to surf safely and instruct them not to open unknown attachments or deceptive-looking emails. Remind them that ransomware may be present even if they know the email sender. Be wary of compressed files or messages that seem out of character.
  5. Keep current on the latest ransomware threats so you know what to look for, whether it's a fake Adobe Flash update, a phishing campaign or some other scam.
  6. Back up files and databases automatically with a near-zero RPO. Backups won't prevent an attack, but they can help you recover from one that much faster.

Detect, Protect, Recover: How Modern Backup Applications Can Protect You From Ransomware

Gartner shares how modern backup solutions can protect you from ransomware. Learn how to detect attacks, protect backup repositories, and accelerate recovery.

Gartner, Detect, Protect, Recover: How Modern Backup Applications Can Protect You From Ransomware, Nik Simpson, Ron Blair, 6 January 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

What to Do If It Happens

In the event of a ransomware attack, there are actions you can take to mitigate the damage, but you'll need to act fast. At the first sign of an attack, you need to isolate the device. Take it off the network and remove any attached drives. Then, search your business's network for any other devices that are acting suspiciously. Isolate them as well. 

Turning off the WiFi at this point is a good idea. You'll also want to shut off other wireless connectivity, such as Bluetooth, throughout the network. If possible, lock down file shares as well. Doing so will stop the encryption process in its tracks. 

After you've blocked the ransomware from spreading, you'll want to assess the damage. Look for encrypted files that won't open or have strange names. Then, create a list of all the affected systems, including network storage devices, external hard drives, laptops, smartphones, and cloud storage. 
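The damage assessment above can be partly automated. The following script is an added example (not Rubrik's code or a tool named on this page) that walks a directory and flags the two signs described here: a file whose name has an extra extension appended, and a file that keeps its name but whose contents no longer match its type (wrong header, or ciphertext-like entropy for a text file). The header table, extension lists and the sample files are constructed for the demonstration.

```python
import math
from pathlib import Path
from tempfile import mkdtemp

# Expected leading bytes for a few common types (constructed, illustrative subset).
KNOWN_HEADERS = {".pdf": b"%PDF", ".png": b"\x89PNG", ".docx": b"PK\x03\x04"}
TEXT_EXTS = {".txt", ".csv", ".log"}
ENTROPY_LIMIT = 7.0  # plain text sits well below this; ciphertext approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: ~8.0 for encrypted data, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def triage_file(path: Path, sample_bytes: int = 4096) -> list[str]:
    """Return the indicators found for one file; an empty list means it looks intact."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    known = KNOWN_HEADERS.keys() | TEXT_EXTS
    # Crypto ransomware often appends its own extension: budget.docx -> budget.docx.locked
    if len(suffixes) >= 2 and suffixes[-2] in known and suffixes[-1] not in known:
        reasons.append(f"unexpected extension {suffixes[-1]} appended")
    head = path.read_bytes()[:sample_bytes]
    ext = suffixes[-1] if suffixes else ""
    # Encrypted in place: the name is unchanged but the header or the entropy gives it away
    if ext in KNOWN_HEADERS and not head.startswith(KNOWN_HEADERS[ext]):
        reasons.append(f"header does not match {ext}")
    if ext in TEXT_EXTS and shannon_entropy(head) > ENTROPY_LIMIT:
        reasons.append(f"entropy {shannon_entropy(head):.2f} too high for text")
    return reasons


def triage_tree(root: Path) -> dict[str, list[str]]:
    """Walk a directory and return {relative path: reasons} for suspicious files only."""
    hits = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (reasons := triage_file(p)):
            hits[str(p.relative_to(root))] = reasons
    return hits


def demo() -> dict[str, list[str]]:
    """Build a constructed sample tree (two intact files, two 'encrypted' ones) and triage it."""
    root = Path(mkdtemp())
    fake_ciphertext = bytes(range(256)) * 16  # constructed stand-in for ciphertext: entropy 8.0
    (root / "invoice.pdf").write_bytes(b"%PDF-1.4\n" + b"clean content\n" * 50)
    (root / "minutes.txt").write_text("Plain English meeting notes.\n" * 50)
    (root / "budget.docx.locked").write_bytes(fake_ciphertext)  # renamed and encrypted
    (root / "customers.csv").write_bytes(fake_ciphertext)       # encrypted in place
    return triage_tree(root)
```

Run `triage_tree(Path("/path/to/share"))` against a suspect share to build the list of affected systems; files that are legitimately compressed or encrypted (archives, disk images) will also score high on entropy, so treat hits as leads to inspect, not proof.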

Once that's complete, you can search for the source of the infection. It may be the device you first noticed acting suspiciously, but it also could be coming from somewhere else. Remember, ransomware works quickly, so finding patient zero can be tricky. 

Start by checking for any alerts from your antivirus software. Then, ask your team about their internet activities. Did anyone open a strange email recently? Or click on a pop-up that didn't make sense? You can also look at the affected devices themselves. If one has more open files than usual, it's probably patient zero. 

Once you know the source, you can identify the strain of ransomware using a site like No More Ransom. Just scan one of the encrypted files, and the site will help identify the variant. In some cases, it may even be able to provide a free decryption key. 

Once you know the variant, you'll know exactly how this strain of ransomware behaves. You can then inform everyone left on the network what to look for, so they don't end up infected. 

Finally, you'll want to report the attack to the local authorities. The FBI encourages victims not to pay the ransom. Instead, call and work with your local law enforcement to help bring the perpetrators to justice. In some cases, law enforcement and government agencies can even help you recover data by obtaining the decryption key from the attackers. 

After that, you can start the recovery process by using the latest clean backup or, if you're lucky, the decryption key. Unfortunately, some ransomware targets backups, making them unusable, so you may be out of luck entirely. If that's the case, you'll have to move on. The data, unfortunately, is gone.

Recovering from Ransomware

Fortunately, there are programs available that can keep your backups safe and provide instant recovery from attacks. 

Rubrik Instant Ransomware Recovery is one way to ensure your business can recover fast. It provides instant recovery in just a few clicks. And, thanks to immutable backups, Rubrik ensures an attack won't leave you without your data by keeping your backups 100% protected and resilient.

Rubrik also offers Radar which can quickly pinpoint files affected by ransomware. That makes recovery far faster and helps you analyze the attack's total impact quickly. Rubrik also offers Sonar which helps discover and track personally identifiable information (PII) on your network.

Rubrik can even protect data across multi-cloud environments. Rubrik's data protection services provide immutable snapshots, as well as encryption at-rest and in-transit. Together, these services make recovery faster, even if a ransomware attack occurs.

Final Thoughts

Ransomware is a common and growing problem that costs victims millions every year. There are things you can do to try and prevent it, but in truth, the problem isn't going anywhere. As cybercriminals become more sophisticated, there's no doubt that the attacks will too. That means you need ransomware protection at the point of data. 

As a leader in data management and protection, Rubrik can help ensure your data stays protected. And in the event of an attack, we can ensure recovery happens fast. 

Whatever you do, don't leave your business unprotected. Ransomware is costly, and it can be detrimental. Use the tips above to keep your data safe and if an attack occurs, be sure to reach out to law enforcement right away.