Ransomware

What is ransomware?

Ransomware, by definition, is a type of malware that cyberattackers use for monetary gains by blocking access to data or systems until the owner of the data or systems pays the ransom fee demanded. Increasingly, cybercriminals also threaten to publish or otherwise expose sensitive data unless owners pay, which is commonly known as data exfiltration or the double-extortion ransomware scheme. There are several types of ransomware, but the most common—and disastrous—is when malware encrypts files using cryptoviral extortion. This means files can’t be decrypted without a mathematical key held by the attacker. Even a security expert would not be able to unlock the files. Victims are typically notified about the encryption and asked for a ransom fee to be paid in an untraceable currency such as Bitcoin. Ransomware prevention, detection and recovery strategies that boost an organization’s cyber resilience are growing in popularity as experts predict a ransomware attack on an organization every 2 seconds by 2031.

What are the different types of ransomware?

Individuals, groups, and even nation states create and launch ransomware that targets people and organizations worldwide. In addition to traditional ransomware attacks, cybercriminals are also launching double extortion ransomware schemes (the demand for two ransoms: payment to decrypt data and/or backups and payment not to leak the stolen or exfiltrated data) and triple extortion ransomware (the demand for not only the targeted organization to pay ransom twice, but also the demand for a ransom payment from clients of the victimized organization).

Some of the most common ransomware types get their names for how the malware operates, and include:

• Crypto — This type of ransomware encrypts data and files before the attacker demands a ransom payment from the victim in exchange for a key to decrypt the information. Well-known examples include WannaCry and Petya.
• Locker — This type of ransomware is designed to lock people out of systems and applications, making them unusable. A well-known example is Locky.
• Ransomware as a service (RaaS) — This type of ransomware is available from a professional or professional organization (typically on the dark web) in an on-demand model that provides not only the code but also the information needed to successfully extract a payment from a victim in exchange for a percentage of the ransom. A well-known example is REvil.

There are other types of malware attacks, for example scareware and leakware, that cybercriminals launch in conjunction with phishing emails to get a user or company to pay to avoid being overwhelmed by pop-ups or having sensitive data released online.

What are the dangers of ransomware?

Ransomware attacks have become increasingly popular, sophisticated, and costly to remediate. The target is data, which is both an organization’s most valuable asset and most vulnerable one, if cybercriminals set their sights on it. Attackers tend to choose organizations with troves of sensitive data that they need for daily operations—think financial firms, healthcare institutions, or government agencies, among others. Because more people than ever are working remotely, ransomware threats are rising and attackers are demanding higher fees to unlock data.

As the blast radius of ransomware has continued to expand, the dangers of ransomware have grown:

A successful ransomware attack is dangerous because it can be tremendously costly to organizations in terms of:

• Lost revenue: Ransomware attacks force their victims to pay a ransom.
• Lost productivity: A ransomware attack can block access to critical systems and data—leading to operational downtime and reduced efficiency.
• Loss of brand reputation: Attacks using ransomware can harm a company’s standing with stakeholders and consumers.
• Loss of customer and partner trust.

How does ransomware work?

Today’s business success depends on robust digital capabilities. Cybercriminals  exploit organizations’ dependency on data by launching ransomware attacks. This type of malware is often released into organizations by way of phishing attacks that get users to click on compromised links and through existing system software vulnerabilities. In each case, ransomware encrypts or locks up data and then attackers demand payment for the digital keys to decrypt or unlock it. The money organizations pay, often in the form of crypto-currency, is called ransom, giving the malware the name ransomware. Moreover, cybercriminals are inventive, continually creating new types of malware to penetrate and encrypt systems for financial gain. Because attackers seek big paydays, in addition to attacking the production system and data, cybercriminals target backup data and infrastructure, too.

When it comes to ransomware, here’s what organizations need to know:

• Cybercriminals are now aggressively targeting backup data to gain full control of data, or worse, destroy it and interrupt business operations. They understand what teams often consider to be an insurance policy—backups—can also be a liability.
• As legacy backup products collect and store more data across silos, data fragmentation creates an expanding attack surface that exposes more infrastructure to ransomware attacks.
• A legacy backup solution offers no immutability against ransomware attacks, and at times is the first to fall victim to cybercriminals.
• Early detection can help limit the damage caused by ransomware. Vigilance against external attackers includes using modern data security and data management with artificial intelligence and machine learning (AI/ML) to detect bad behaviors, spot anomalies in near-real time, and notify immediately using alerts.
• Should the worst case happen, teams will need to recover backups quickly but with assurances that restored data is clean. Before restoring, backups are typically decontaminated in clean room environments where malware, vulnerabilities and other threats are identified before the recovery of backup data. This ensures that threats can not immediately relaunch after restoration.
• Long backup and recovery cycles add to ransomware pain. If all data can not be recovered, missing data must be reentered/recreated and can significantly impact full return to operations.

No matter when or by whom, a successful ransomware attack is a no-win situation. Organizations will suffer some operational impact, and if it’s not taken care of early reputational damage, whether or not they pay the ransom—and expert advice is not to pay because in many cases organizations don’t get all of their data back anyway.

A good example of how ransomware works and how it was countered is the Sky Lakes Medical Center experience.

How does ransomware spread?

Like the famed Trojan horse enabling soldiers to penetrate the fortress, ransomware allows hackers to take over another computer, server, or device. Once ransomware is in an IT environment, like a virus, it can quickly spread laterally—with east-west traffic—to other systems.

Cybercriminals count on people to make mistakes. That’s why the primary way ransomware infects a system is through email phishing attacks. Emails that contain ransomware, a form of malware, typically contain malicious attachments or a link to a compromised website where infected software is downloaded and installed onto a person’s system or device without that user’s consent or even knowledge. Once into a network, the ransomware can spread through exploited systems, across networks, and even to other companies—an attack mode now referred to as “island hopping.” In this scenario, the organization already penetrated by ransomware unknowingly launches the malware from its internal systems into its customer or partner systems, effectively “hopping” to another organization. This approach brings cyber attackers a new victim—without launching a new attack.

Unfortunately, lightning-fast changes in how and where malware appears now make it impossible for enterprises to combat each potential new attack which is why they need a comprehensive, modern data security and data management solution to defend against ransomware.

How common is ransomware?

By most accounts, ransomware is the fastest growing type of cybercrime, growing exponentially year over year. Ransomware in healthcare and financial services is particularly prevalent because the data contained in the systems of those industries is sensitive, and thus, considered more valuable to nefarious actors considering selling it on the dark web or elsewhere.

According to Cybersecurity Ventures predictions, ransomware will attack a business, consumer, or device every 2 seconds by 2031. The estimated high cost—rising to $265B annually by 2031—of successful attacks includes downtime financial losses as well as productivity and reputational damage.

Can ransomware attacks be avoided or prevented?

Organizations can take proactive measures to avoid and prevent ransomware attacks from crippling operations.

More specifically, ransomware prevention strategies marry Zero Trust security principles and advanced threat intelligence and detection to safeguard data from cyberattackers. Ransomware prevention includes both protecting data and detecting cyber threats to avoid the need to rapidly recover data in the event of a successful attack.

Since it’s now widely recognized that it’s not if, but when, an organization experiences a ransomware attack, how long and impactful a ransomware incident is on the business can depend heavily on how its backups are architected.

Effective ransomware prevention strategies include the:

• Protection of backup data and systems — Organizations will want to invest in a modern backup and recovery solution that is designed to deliver global visibility into data. It should include Zero Trust security principles, for example least privilege and segregation of duties with immutable snapshots, data encryption, write once, read many (WORM), configuration auditing and scanning, and fault tolerance capabilities as well as flexible data isolation features to balance demanding recovery time objectives (RTOs) and recovery point objectives (RPOs) with security requirements to proactively prevent ransomware attacks.
• Reduction of unauthorized access — Organizations can cut data theft and loss by limiting access to data through modern data security and data management solutions with ransomware prevention capabilities. These features include multi-factor authentication (MFA), monitored modification or four-eyes on changes, granular and role-based access control (RBAC).
• Detection of attacks — Organizations with a modern backup and recovery solution can also take advantage of new, built-in ransomware prevention capabilities powered by artificial intelligence and machine learning (AI/ML). These emerging technologies for anomaly detection with threat intelligence and scanning can help teams quickly determine whether a ransomware attack is underway and then automatically alert teams. Additionally cyber vulnerability detection capabilities in modern data security and data management platforms help counter ransomware attacks.
• Security posture strengthening via APIs — Leading security vendors are teaming to stop ransomware by creating pre-built and customizable technology integrations. Moreover, a smaller footprint, yet extensible data security and data management platform can help reduce the attack surface.

Can ransomware be detected?

Ransomware detection is becoming an effective way to stop cybercriminals from enjoying large paydays. Organizations with a robust data security and data management solution can better detect a ransomware attack than those without one. Anomaly detection in near real time using AI/ML technology coupled with automated alerting empowers teams to detect a ransomware attack by quickly discovering abnormal data and system behaviors and patterns that are different from normal behavior and letting IT professionals know about them.

Early ransomware detection is important because it helps organizations:

• Avoid paying ransom
• Prevent data loss
• Limit downtime and data loss
• Meet SLAs

Can ransomware be removed?

Ransomware removal, or getting rid of malicious code written with the express goal of gaining a ransom payment, is possible for organizations that have undertaken ransomware prevention measures, including adopting modern backup and recovery infrastructure. It’s also possible to remove ransomware for those that agree to pay ransom—although surveyed organizations that were breached admit they did not successfully get all of their data back, even after paying ransom.

Ransomware removal processes typically include:

• Isolating the breached system or systems from internal and outside networks
• Scanning and forensics to investigate the severity
• Getting the decryption tool
• Recovering and restoring from backup
• Adopting robust backup and recovery that has built in ransomware recovery capabilities

Can ransomware be countered?

Yes. Organizations can pay the ransom to attackers, as many do, and get the “key” to unlock their data. But this is costly and does reputational harm. Alternatively, IT teams can choose to thwart attackers and not pay ransom if they have a modern data security and data management platform with ransomware protection, detection and recovery capabilities built in to safeguard their data from becoming an attack target.

A powerful ransomware recovery solution allows teams to successfully recover data as they stand up clean systems free of ransomware. It includes immutable, read-only state backup snapshots that keep data safe by ensuring backup data is never directly accessible—nor mounted for external applications. The best ones prevent ransomware from infecting the immutable snapshot. Write-once read-many (WORM) and other Zero Trust security capabilities for backup also allow certain roles to set unchangeable DataLock policies on selected jobs. Each has a time-bound setting, enforcing data protection that cannot be deleted.

How to recover from a ransomware attack?

Organizations looking to recover from a ransomware attack can use a modern data security and data management solution’s immutable, or unchangeable, snapshots or isolated data to restore large volumes of unstructured data, virtual machines (VMs), and databases at scale to any time and location.

Ransomware recovery is imperative to a cyber resilience strategy because it is the way in which an organization regains access quickly and flexibly to data that cyberattackers have encrypted and stolen for payment.

How much does ransomware cost?

Cybersecurity Ventures estimates the cost of ransomware will be $265B annually by 2031. These damage estimates include downtime financial losses such as e-commerce revenue as well as negative operational productivity and reputational harm. Because of the high costs of an attack, organizations are now preventing ransomware with next-gen data management solutions.

Ransomware attack examples

Ransomware attackers typically create malware with a specific signature that becomes known. Ransomware attack examples include: ​​REvil/Sodinokibi, Hades, DoppelPaymer, Ryuk, Egregor, BadRabbit, BitPaymer, Cerber, Cryptolocker, Dharma, GandCrab, Locky, Maze, MeduzaLocker, NetWalker, NotPetya, Petya, SamSam and WannaCry.

Cohesity’s modern approach to ransomware recovery

Cohesity data security and data management boosts cyber resilience and helps organizations avoid paying ransom.

Cybercriminals are increasingly targeting and exfiltrating data in backups. Cohesity has a modern, multilayered way to prevent backups and data from being victims of ransomware. Cohesity’s immutable architecture with Zero Trust principles ensures that backup data cannot be encrypted, modified, or prematurely deleted. Using AI/ML technologies, Cohesity provides visibility and continuously monitors for anomalies in data. If the worst case happens, Cohesity helps teams locate a clean copy of data across a global footprint—including multiclouds—to instantly recover access and minimize downtime.

Protect — The immutable backup snapshots, combined with DataLock (WORM), RBAC, virtual data isolation, fault tolerance, and multifactor authentication prevent backup data from becoming a target

Detect — AI-ML-driven intelligence establishes patterns and automatically detects and reports anomalies

Rapidly recover — Simple search and instant recovery at scale to any point in time gets teams back in business fast. Cohesity’s unique instant mass restore quickly recovers volumes of unstructured data, hundreds of virtual machines (VMs) and large databases to reduce downtime

Download the Ransomware Readiness Guide to learn more.