Ransomware 101

definition

What is Ransomware?

Ransomware emerged in the late 1980s and has since become one of the biggest threats facing businesses worldwide.  
 
Ransomware has evolved from infected floppy disks into many variants, but in general it is malware designed to deny access to data or systems until a payment, the ransom, is made. Most modern ransomware encrypts files on the endpoint and threatens to destroy them if the ransom is not paid; one report puts the share of data that is never recovered after an attack at up to 43%. Some variants simply lock the screen or block access without encrypting anything. Many operators now also steal confidential company, customer, employee, or partner data before encrypting and threaten to publish it (so-called double extortion), which means that a clean restore from backup alone does not end the incident.
 
Consider a few of the statistics the industry cites: ransomware has forced some 25% of businesses to shut down, downtime costs approximately $11,600 per minute, and 70% of customers say they will no longer do business with a breached brand. Every company wants to avoid becoming a victim, but with attacks growing in number that cannot be guaranteed. The next best approach is a thorough, tested ransomware recovery plan that gets the business back online and its data secured.

how to mitigate the risk

Ransomware 101: Mitigating the Risk of Today’s Ransomware Reality

Ransomware is an unfortunate reality for modern digital businesses, but there are tools, technologies, and best practices to help security organizations avoid falling victim to bad actors – and to minimize damage when they do suffer an attack. 
 
What keeps security leaders up at night? The list could be infinite, but in 2024, ransomware likely tops the lineup of the most feared attacks on an enterprise organization.  
 
Ransomware not only restricts access to necessary systems; it also demands payment and, increasingly, leaks data. Security leaders must protect their environments against these attacks and, just as importantly, have a recovery strategy that restores the business to a known secure state.
 
Ransomware has been wreaking havoc on computer systems for some 35 years, and the criminals behind attacks on businesses, organizations, and individuals show no signs of slowing down as environments grow more complex and the world becomes more connected than ever.
 
According to a SANS Institute report using data from eCrime.ch, ransomware attacks increased by nearly 73% from 2022 to 2023, with 4,611 cases reported in 2023. Industry watchers estimate worldwide ransomware damage will reach $265 billion by 2031; 80% of organizations reported being struck by ransomware in 2021, and 60% of security decision makers say ransomware is as serious a threat as terrorism. The attacks can cripple or destroy a business financially or through brand damage, and can have life-threatening consequences when healthcare providers are targeted.

Prevention

How to Prevent an Attack

 
Keeping pace with rising and ever-evolving cyber threats is more than a full-time job; it is everyone's job in the organization. As attackers and their tooling become more sophisticated, so must security leaders, IT organizations, employees, and end users.
 
Preventing ransomware attacks begins with information and education. The best practices below should be communicated across the organization to reduce the risk of someone unintentionally letting ransomware run in the environment. Cross-functional teams should own that communication and train participants on what not to do.
 
Never click on unknown or unsafe links: A link in an email or on a website can trigger an automatic download that infects the computer and then spreads to the network it is connected to.
 
Do not disclose personal information: Sharing personal or organizational details with an untrusted third party by telephone, email, or text message can give an attacker enough material to craft a convincing phishing message that delivers ransomware.
 
Never open suspicious email attachments: An attachment from an untrusted or unknown source can launch ransomware directly. Be especially wary of documents that ask you to enable macros or content; that prompt is a common way attackers get their first code to run on a system.
 
Avoid unknown USB sticks: Plugging in storage media of unknown origin can infect the computer and, from there, the rest of the environment.
 
Inspect downloads from websites: Files downloaded from untrusted sites are a common ransomware delivery route. Note that HTTPS and the lock icon in the address bar only mean the connection to that domain is encrypted and the certificate matches the domain; they say nothing about whether the site or the file is trustworthy, and attackers routinely serve malware over HTTPS. Download software from the vendor's official site and, where the vendor publishes one, verify the file's checksum or signature before running it.
 
Use VPN services on public networks: Public Wi-Fi exposes traffic to anyone on the same network and to rogue access points. Use a trusted VPN on public Wi-Fi so that traffic is tunnelled back to a network you control.
 
Keep operating systems and applications updated: Unpatched software leaves known vulnerabilities in place, and attackers actively exploit them, especially on internet-facing systems. Apply operating system updates and security patches promptly, prioritizing systems reachable from the internet.
 
Harden endpoints: Configuring systems with security in mind limits the organization's attack surface and closes gaps left by default configurations.
 
Review port settings: Ask whether each open port is really needed, and restrict those that are to known, trusted source addresses. Review firewall and security-group rules for both on-premises and cloud environments, and do not expose Remote Desktop Protocol (RDP, TCP 3389) or similar remote-administration services to the internet; reach them through a VPN with multi-factor authentication instead, and disable them where they are unused.
 
Implement IDS: Deploy intrusion detection on the network and on endpoints that watches for malicious activity and alerts the organization to a potential attack as soon as it is seen, rather than after files are already encrypted.
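The "Review port settings" item above is easiest to act on with a rule audit. The following is an added example, not code from the original page: it walks a list of inbound firewall or security-group rules and reports every allow rule that lets any source address (0.0.0.0/0 or ::/0) reach a remote-administration service such as RDP, SMB, SSH or WinRM. The rule dictionaries, their field names and the sample rules are constructed for the illustration; a real run would feed it the parsed output of a cloud provider's security-group API or a firewall configuration export.

```python
"""Audit inbound firewall / security-group rules for world-reachable admin services.

Added example, not code from the original page. The rule dictionaries are a
constructed, vendor-neutral stand-in for a parsed AWS security group, Azure NSG
or on-premises firewall export; the field names are an assumption.
"""
from ipaddress import ip_network

# Services attackers commonly brute-force or exploit for initial access.
# The list is the reviewer's own policy, not an industry standard.
RISKY_INBOUND = {
    22: "SSH",
    445: "SMB",
    1433: "MSSQL",
    3389: "RDP",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
}


def is_world_reachable(cidr: str) -> bool:
    """True when the source range is the whole IPv4 or IPv6 Internet (/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def risky_ports_in(rule: dict) -> list:
    """Risky service ports that fall inside the rule's port range."""
    lo, hi = rule["from_port"], rule["to_port"]
    return [p for p in RISKY_INBOUND if lo <= p <= hi]


def audit_rules(rules: list) -> list:
    """Return (rule_id, port, service) for every inbound allow rule that lets
    any source address reach a risky TCP service."""
    findings = []
    for rule in rules:
        if rule["direction"] != "inbound" or rule["action"] != "allow":
            continue
        if rule["protocol"] not in ("tcp", "any"):
            continue
        if not is_world_reachable(rule["source"]):
            continue  # restricted to a known range: acceptable
        for port in risky_ports_in(rule):
            findings.append((rule["id"], port, RISKY_INBOUND[port]))
    return findings


# Constructed sample rule set: one legitimate public service, RDP open to the
# world, RDP restricted to the VPN range, an IPv6 "allow everything", and an
# explicit SMB deny that must not be reported.
SAMPLE_RULES = [
    {"id": "sg-web-443", "direction": "inbound", "action": "allow", "protocol": "tcp",
     "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"id": "sg-rdp-open", "direction": "inbound", "action": "allow", "protocol": "tcp",
     "from_port": 3389, "to_port": 3389, "source": "0.0.0.0/0"},
    {"id": "sg-rdp-vpn", "direction": "inbound", "action": "allow", "protocol": "tcp",
     "from_port": 3389, "to_port": 3389, "source": "10.20.0.0/16"},
    {"id": "sg-any-v6", "direction": "inbound", "action": "allow", "protocol": "any",
     "from_port": 0, "to_port": 65535, "source": "::/0"},
    {"id": "sg-smb-deny", "direction": "inbound", "action": "deny", "protocol": "tcp",
     "from_port": 445, "to_port": 445, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for rule_id, port, service in audit_rules(SAMPLE_RULES):
        print(f"{rule_id}: {service} (tcp/{port}) reachable from any address")
```

On the sample set the audit reports the open RDP rule and every risky port covered by the IPv6 allow-all rule, and stays silent on the VPN-restricted RDP rule and the explicit deny. The IPv6 case is the one people miss when they only search rule sets for 0.0.0.0/0.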
 
Security leaders and IT organizations should communicate to end users and business stakeholders the importance of applying these practices across a connected environment. Yet cybercriminals are persistent and will keep laying traps, which makes ransomware a fact of doing business in the modern digital world. The next best thing to avoidance is rapid recovery.
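The "Implement IDS" item above says to watch for malicious activity; what that looks like on an endpoint is a process renaming many files of many types to a new extension in a short window, then dropping a ransom note. The following is an added example, not code from the original page or any product: a small host-based detector run over a constructed JSON-lines feed of file-activity events. The field names (ts, host, pid, proc, op, path, new_path), the thresholds and the ransom-note name fragments are assumptions standing in for what a real EDR or file-audit source emits and for local tuning.

```python
"""Host-based detection of ransomware-style mass file renames.

Added example, not code from the original page. The input is a constructed
JSON-lines feed of file-activity events; the field names (ts, host, pid, proc,
op, path, new_path) and the thresholds are assumptions standing in for whatever
your EDR or file-audit source emits and for your own tuning.
"""
import json
import os
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60      # look-back window per (host, pid)
RENAME_THRESHOLD = 20    # extension-changing renames inside the window
MIN_FILE_TYPES = 3       # distinct original extensions touched inside the window
# Name fragments common in ransom notes (a policy choice, not an exhaustive list).
NOTE_MARKERS = ("readme", "recover", "decrypt", "restore", "how_to")


def parse_ts(value: str) -> float:
    return datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp()


def ext_of(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def looks_like_ransom_note(path: str) -> bool:
    name = os.path.basename(path).lower()
    return name.endswith((".txt", ".html", ".hta")) and any(m in name for m in NOTE_MARKERS)


class RansomwareDetector:
    def __init__(self):
        # (host, pid) -> deque of (timestamp, original extension)
        self.renames = defaultdict(deque)
        self.alerted = set()

    def feed(self, event: dict):
        """Consume one event; return an alert string or None."""
        ts = parse_ts(event["ts"])
        key = (event["host"], event["pid"])
        if event["op"] == "create" and looks_like_ransom_note(event["path"]):
            return f"{key}: ransom-note-like file created: {event['path']}"
        if event["op"] != "rename":
            return None
        src_ext, dst_ext = ext_of(event["path"]), ext_of(event["new_path"])
        if src_ext == dst_ext:
            return None  # same-type rename: normal application behaviour
        window = self.renames[key]
        window.append((ts, src_ext))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()  # drop events older than the window
        types = {e for _, e in window}
        if (len(window) >= RENAME_THRESHOLD and len(types) >= MIN_FILE_TYPES
                and key not in self.alerted):
            self.alerted.add(key)  # one alert per process, not one per file
            return (f"{key} ({event['proc']}): {len(window)} extension-changing renames "
                    f"across {len(types)} file types in {WINDOW_SECONDS}s; new extension {dst_ext}")
        return None


def run(lines):
    """Run the detector over JSON lines and return the alerts raised."""
    detector = RansomwareDetector()
    alerts = []
    for line in lines:
        alert = detector.feed(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


def build_sample():
    """Constructed feed: a backup agent doing benign same-type renames, then an
    encryptor renaming documents of several types and dropping a note."""
    lines = []
    for i in range(30):
        lines.append(json.dumps({"ts": f"2024-05-01T10:00:{i:02d}Z", "host": "ws01", "pid": 900,
                                 "proc": "backup.exe", "op": "rename",
                                 "path": f"D:\\bk\\{i}.tmp", "new_path": f"D:\\bk\\{i}_done.tmp"}))
    exts = [".docx", ".xlsx", ".pdf", ".jpg"]
    for i in range(25):
        lines.append(json.dumps({"ts": f"2024-05-01T10:01:{i:02d}Z", "host": "ws01", "pid": 4242,
                                 "proc": "update.exe", "op": "rename",
                                 "path": f"C:\\Users\\a\\Documents\\f{i}{exts[i % 4]}",
                                 "new_path": f"C:\\Users\\a\\Documents\\f{i}{exts[i % 4]}.locked"}))
    lines.append(json.dumps({"ts": "2024-05-01T10:01:30Z", "host": "ws01", "pid": 4242,
                             "proc": "update.exe", "op": "create",
                             "path": "C:\\Users\\a\\Documents\\HOW_TO_RECOVER.txt"}))
    return lines


if __name__ == "__main__":
    for alert in run(build_sample()):
        print(alert)
```

Two design points matter here. Counting only renames that change the extension, and requiring several original file types, keeps a backup agent or a compiler that rewrites thousands of same-type files from tripping the rule; and alerting once per process, at the twentieth rename rather than the thousandth, is what gives the responder a chance to isolate the host while most of the share is still intact.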

recover

How to Recover Quickly with Minimal Damage

 
A ransomware attack is meant to inflict pain on an organization and produce financial gain for the attacker. To recover more quickly from an attack, organizations should have an incident response plan in place before one happens.
 
An incident response plan helps an organization prepare for, respond to, and recover from a ransomware incident. Security leaders should set out the key activities and responsibilities so that total time to recovery, the point at which data is restored and systems are back in service, is as short as possible. Recovery from an attack can take anywhere from a few days to several months, with the average being about three weeks.
 
A few key steps of a ransomware recovery plan include: 
 
Secure the perimeter: At the first sign of an attack, contain it. One widely cited estimate puts the average time from initial compromise to lateral movement at about 84 minutes, so that is roughly how long you may have before data on other systems is encrypted, exfiltrated, or destroyed. Isolate affected hosts, disable compromised accounts and remote-access paths, and block the attacker's command-and-control traffic. This is only possible if the organization already knows what assets exist, what they can reach, and how to shut them down.
 
Assess the damage: Once the environment is contained, assess the damage. Identify which data was encrypted, exposed, or leaked, and determine the impact under industry, state, federal, and international regulations. Understand the disclosure obligations and communicate across teams on how best to meet them.
 
Determine the cause: It is critical to understand how the organization fell victim to the attack. Was the perimeter unsecured? Were the right controls in place to detect the attack quickly? Did the organization conduct enough security awareness training to blunt phishing attempts? Is there a data protection plan in place that secures customer information? Understanding how the ransomware got in goes a long way toward preventing the next breach.
 
Recover data: Restore the necessary data from a backup that predates the ransomware infection. Identify a pre-infection restoration point (attackers often sit in an environment for days or weeks before encrypting, so the most recent backup is not necessarily clean), restore first into an isolated sandbox environment, and verify the restored data there so that the ransomware is not reintroduced into production. Backups only help if copies are kept offline or immutable, where an attacker with administrative access cannot delete or encrypt them.
 
Communicate to stakeholders: Be transparent with critical stakeholders. The CEO and other C-suite leaders need to know as soon as possible and should in turn alert the board of directors. Most important are those directly affected by the breach, such as customers, partners, or employees, who must be notified as soon as possible.
 
Perform post-attack analysis: Conduct a security audit to spot weaknesses and review policies, endpoint protections, security controls, and configurations. Identify vulnerabilities and areas for improvement so the organization can respond more effectively next time and build resilience against future attacks.
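The "Recover data" step above has two decisions that are easy to get wrong under pressure: which snapshot is actually pre-infection, and whether the sandbox restore is clean enough to promote. The following is an added example, not code from the original page or any backup product, that makes both decisions explicit. The snapshot catalog, the first-indicator timestamp (taken from the first extension-changing rename seen by endpoint detection) and the sandbox file listings are constructed; the 24-hour safety margin, the "verified" flag meaning the copy is integrity-checked and immutable, and the .locked extension are assumptions for the illustration.

```python
"""Pick a pre-infection restore point and sanity-check a sandbox restore.

Added example, not code from the original page. The snapshot catalog, the
indicator timestamp and the file listings are constructed; the 24-hour safety
margin and the .locked extension are assumptions for the illustration.
"""
import os
from datetime import datetime, timedelta

# Name fragments common in ransom notes (a policy choice, not an exhaustive list).
NOTE_MARKERS = ("readme", "recover", "decrypt", "restore", "how_to")


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


# Constructed catalog of nightly snapshots. 'verified' means the integrity check
# passed and the copy is immutable/offline, so the attacker could not have
# tampered with it; snap-0430 failed that check.
CATALOG = [
    {"id": "snap-0425", "taken_at": ts("2024-04-25T02:00:00"), "verified": True},
    {"id": "snap-0426", "taken_at": ts("2024-04-26T02:00:00"), "verified": True},
    {"id": "snap-0427", "taken_at": ts("2024-04-27T02:00:00"), "verified": True},
    {"id": "snap-0428", "taken_at": ts("2024-04-28T02:00:00"), "verified": True},
    {"id": "snap-0429", "taken_at": ts("2024-04-29T02:00:00"), "verified": True},
    {"id": "snap-0430", "taken_at": ts("2024-04-30T02:00:00"), "verified": False},
    {"id": "snap-0501", "taken_at": ts("2024-05-01T02:00:00"), "verified": True},
]


def choose_restore_point(catalog, first_indicator, margin=timedelta(hours=24)):
    """Latest verified snapshot taken at least `margin` before the earliest
    sign of compromise. Returns None if nothing qualifies."""
    cutoff = first_indicator - margin
    candidates = [s for s in catalog if s["verified"] and s["taken_at"] <= cutoff]
    return max(candidates, key=lambda s: s["taken_at"]) if candidates else None


def suspicious_files(listing, encrypted_ext):
    """Paths in a sandbox-restored tree that carry the incident's encrypted
    extension or look like a ransom note. An empty list means safe to promote."""
    hits = []
    for path in listing:
        name = os.path.basename(path).lower()
        if name.endswith(encrypted_ext.lower()):
            hits.append(path)
        elif name.endswith((".txt", ".html", ".hta")) and any(m in name for m in NOTE_MARKERS):
            hits.append(path)
    return hits


def plan_restore(catalog, first_indicator, listings, encrypted_ext):
    """Choose a snapshot and check its sandbox listing before production use."""
    snap = choose_restore_point(catalog, first_indicator)
    if snap is None:
        return {"snapshot": None, "ok": False, "findings": []}
    findings = suspicious_files(listings[snap["id"]], encrypted_ext)
    return {"snapshot": snap["id"], "ok": not findings, "findings": findings}


# Constructed (abbreviated) sandbox listings for two of the snapshots.
LISTINGS = {
    "snap-0429": ["C:/Shares/finance/q1.xlsx", "C:/Shares/finance/notes.txt",
                  "C:/Shares/hr/roster.docx"],
    "snap-0501": ["C:/Shares/finance/q1.xlsx.locked",
                  "C:/Shares/finance/HOW_TO_RECOVER.txt"],
}

# First extension-changing rename reported by endpoint detection (constructed).
FIRST_INDICATOR = ts("2024-05-01T10:01:00")

if __name__ == "__main__":
    print(plan_restore(CATALOG, FIRST_INDICATOR, LISTINGS, ".locked"))
```

With the margin applied, the April 30 snapshot would be the natural pick, but it failed its integrity check, so the chooser falls back to April 29. The May 1 listing shows why the sandbox step matters: restoring the newest snapshot would have put encrypted files and a ransom note straight back into production.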
 
For many companies, ransomware is an inevitability. It is critical to create an incident response plan that protects the environment from attacks, educates employees and end users on how to avoid triggering one, and enables the organization to respond quickly to limit damage and recover data. Without proper ransomware readiness, companies are more likely than not to fall victim, suffering data loss, ongoing security threats, and expensive downtime in an era when users and businesses need their data accessible around the clock.
