
Ransomware explained: What you need to know

by Egress
Published on 6th Aug 2021

Ransomware regularly appears in the news when it affects huge companies or large numbers of people. But is it a problem which ordinary businesses have to worry about?

What is ransomware?

Ransomware is a specific kind of malware, that is, malicious software that an attacker manages to get installed on a computer or server. Most malware is built to steal data, to give the attacker remote control of the system, or both. Ransomware may do either of these as well, but its defining function is something extra.

Specifically, ransomware finds the files a business depends on, such as documents, spreadsheets, databases and backups, and encrypts them so they can no longer be opened or read. Users lose access to the files they need to do their work, and any application or service that relied on the encrypted data stops working. The operating system itself is usually left intact, so the machine still boots and can display the ransom demand.

After a ransomware attack, you’ll most likely find a ransom note on your computer, either displayed on the screen or dropped as a text file in each folder of newly encrypted files. The note directs you to pay a ransom (anywhere from a few hundred to a few hundred thousand dollars, in cryptocurrency) to receive a decryption key and get your files back.

How does ransomware work?

Ransomware is most effective when it spreads widely, affecting not just a single computer but all the computers and servers connected to the same network.

With that said, a ransomware attack usually starts with just a single endpoint. Typically, a user receives a phishing email carrying a malicious attachment disguised as an innocuous PDF or Word document, or a link to one. When the user opens it, the attachment acts as a loader: it usually begins by downloading the ransomware module itself from a server the attacker controls.
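The disguised attachment described above leaves signs that an email filter can check before anyone opens it. The following is an added example, not code from Egress or any product: it parses a message with Python's standard email library and flags a Reply-To domain that differs from the sender, an attachment whose final extension is a loader type, a double extension such as ".pdf.exe", a file whose leading bytes do not match its claimed document type, and any attachment that is actually a Windows executable (starts with "MZ"). The two sample messages, their addresses and the extension lists are constructed for the example.

```python
import email
import email.policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Attachment types that typically carry a loader rather than a document (constructed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".lnk", ".iso",
                    ".img", ".bat", ".cmd", ".ps1", ".docm", ".xlsm", ".pptm"}
# Leading bytes a file with these document extensions should start with.
EXPECTED_MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
                  ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0"}
DOC_EXTENSIONS = set(EXPECTED_MAGIC)


def _domain(header) -> str:
    """Lower-cased domain of the first address in a header, or '' if none."""
    address = parseaddr("" if header is None else str(header))[1]
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse_message(raw: bytes) -> list:
    """Return 'CODE: detail' findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    sender, reply_to = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(f"REPLY_TO_MISMATCH: From {sender} but replies go to {reply_to}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        final = suffixes[-1] if suffixes else ""
        data = part.get_payload(decode=True) or b""
        if final in RISKY_EXTENSIONS:
            findings.append(f"RISKY_EXTENSION: {name} ends in {final}")
        if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTENSIONS:
            findings.append(f"DOUBLE_EXTENSION: {name} poses as a {suffixes[-2]} file")
        if final in EXPECTED_MAGIC and not data.startswith(EXPECTED_MAGIC[final]):
            findings.append(f"MAGIC_MISMATCH: {name} does not start like a {final} file")
        if data.startswith(b"MZ"):
            findings.append(f"EXECUTABLE_CONTENT: {name} is a Windows PE image")
    return findings


def build_sample_phish() -> bytes:
    """Constructed lure (not from a real campaign): a fake invoice whose attachment
    is a PE stub hiding behind a double extension."""
    m = EmailMessage()
    m["From"] = "Accounts Payable <ap@supplier-invoices.example>"
    m["Reply-To"] = "billing@mail-relay.example.net"
    m["To"] = "finance@victim.example"
    m["Subject"] = "Overdue invoice 4471"
    m.set_content("Please review the attached invoice and remit payment today.")
    pe_stub = b"MZ" + b"\x00" * 62 + b"constructed PE stub, not a real program"
    m.add_attachment(pe_stub, maintype="application", subtype="octet-stream",
                     filename="Invoice_4471.pdf.exe")
    return bytes(m)


def build_sample_clean() -> bytes:
    """Constructed benign message with a genuine-looking PDF attachment."""
    m = EmailMessage()
    m["From"] = "Accounts Payable <ap@supplier-invoices.example>"
    m["To"] = "finance@victim.example"
    m["Subject"] = "Invoice 4471"
    m.set_content("Invoice attached, thank you.")
    m.add_attachment(b"%PDF-1.7\n% constructed stub\n", maintype="application",
                     subtype="pdf", filename="Invoice_4471.pdf")
    return bytes(m)


if __name__ == "__main__":
    for label, builder in (("phish", build_sample_phish), ("clean", build_sample_clean)):
        print(label, analyse_message(builder()) or "no findings")
```

These are cheap heuristics, not a verdict: a macro-enabled document or an archive with a script inside passes the magic check, so real filtering pairs checks like these with detonation or sandboxing of the attachment.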

Once downloaded, the ransomware (or, in many modern attacks, the human operators behind it) moves laterally inside the target network’s perimeter. In other words, it uses the credentials and network access of the first foothold to scan other machines and file shares, identifying targets for encryption.

Finally, the ransomware encrypts its targets. Sometimes it copies itself to other systems and runs there, but it can also encrypt files on network shares directly from the initially infected endpoint. In that case the endpoint reads each file over the share, encrypts it, writes the encrypted version back to the original location (often under a new file extension) and deletes the unencrypted copy.

Why is ransomware such a threat?

Ransomware is lucrative. The average ransomware payment is now over $300,000—an increase of 171% from 2019. Victims have strong incentives to pay ransoms, and attackers have strong incentives to create more effective malware to ensure victims keep paying.

Ransomware groups continuously refine their malware to increase the odds of success. That includes faster and more robust encryption, stealthier malware that evades endpoint defences, and “ransomware as a service”: a ransomware group licenses its malware to affiliates who carry out the intrusions, and provides technical support and custom software engineering in exchange for a share of each ransom.

If ransomware hits your business, it usually shuts everything down until you can recover your files, whether by restoring from offline backups, by paying the ransom, or by finding a security professional who can help you. Until then you won’t be able to reach new customers, serve existing ones, access or edit your records, make or receive payments, or conduct any normal business operations.

In short: if a ransomware group targets you, the attackers have good odds of succeeding because of their technical prowess. If they do, you could suffer vast monetary and reputational damage, just like the other companies recently hit.

Recent ransomware examples

If you’ve been following the news, you’ll know ransomware has mushroomed over the last few months. Ransomware attacks on fuel pipeline operator Colonial Pipeline, meat supplier JBS and Kaseya, whose remote-management software is used by managed service providers, have caused massive problems for those companies and their downstream customers.

Each of these attacks is in its own way unique. The Colonial Pipeline attack was one of the largest ransomware attacks ever to involve physical infrastructure: the malware hit the company’s business IT systems, the company shut down the pipeline itself as a precaution, and the result was gasoline shortages up and down the East Coast. Meanwhile, the JBS attack involved one of the largest ransomware payments ever made, at roughly $11m.

Last, the Kaseya ransomware attack is particularly disturbing. It was a supply chain attack, in which attackers compromise a vendor’s product or update channel in order to reach that vendor’s customers. Here, the attackers exploited vulnerabilities in Kaseya’s VSA remote-management software, which managed service providers run to administer their customers’ systems, and used it to push ransomware out to those customers; an estimated 1,500 organisations were affected. The attacking group, REvil, went dark shortly after the attack, so many victims could not recover their files even by paying the ransom.

How to stop ransomware

It’s clear that ransomware affects many ordinary companies—ask any of the 1,500 victims in the Kaseya attack. Since it can be tough to recover after an attack occurs, your best bet is to mitigate ransomware before it takes root.

There are three places where you can stop ransomware that’s delivered via email: at the phishing email stage, during the scanning and reconnaissance phase, or during the encryption itself. Stopping it at the phishing stage is best. Phishing emails have telltale signs, such as mismatched or lookalike sender domains and loader attachments disguised as documents, that advanced email security software can detect before anyone clicks. It is much more difficult, and far more costly, to catch ransomware once it is scanning your network or actively encrypting your files, because by then the attacker already has a foothold and every minute of delay destroys more data.
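The encryption phase described under “How does ransomware work?” (read a file from the share, write the ciphertext back under a new name, delete the original, drop a note) has a shape that file-server telemetry can be checked against, even if it is the last and worst place to catch it. The following is an added example, not code from Egress or any product: it walks a time-ordered list of file-share events, treats a write as suspicious when the data has ciphertext-like entropy, counts suspicious writes and deletes per host in a sliding window, and alerts on a bulk encrypt-and-delete burst or on the creation of a ransom-note-like file. The event format, thresholds, host names, paths and the SHA-256 chain standing in for ciphertext are all constructed for the example; zip-based Office files, images and PDFs are skipped by their leading bytes because they are legitimately dense and would otherwise trip the entropy test.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

HIGH_ENTROPY = 7.0      # bits per byte; plaintext documents sit around 4 to 5 (assumed threshold)
WINDOW_SECONDS = 60     # sliding window per host (assumed)
MIN_BULK = 5            # suspicious writes and deletes per window before alerting (assumed)
# Legitimately dense formats recognised by their leading bytes and exempted from the entropy test.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"%PDF")
NOTE_WORDS = ("readme", "decrypt", "recover", "restore", "how_to")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, reached by uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    return not data.startswith(COMPRESSED_MAGIC) and shannon_entropy(data) >= HIGH_ENTROPY


def looks_like_ransom_note(path: str) -> bool:
    name = path.rsplit("/", 1)[-1].lower()
    return name.endswith((".txt", ".html", ".hta")) and any(w in name for w in NOTE_WORDS)


def detect(events) -> list:
    """Scan time-ordered file-share events and return a list of alert dicts.

    Each event is a dict with keys t (seconds), host, op (WRITE/DELETE/CREATE),
    path, and data (the bytes written) for WRITE events.
    """
    alerts = []
    recent = defaultdict(deque)   # host -> deque of (t, kind) inside the window
    bulk_alerted = set()
    for ev in events:
        host, op = ev["host"], ev["op"]
        if op == "CREATE" and looks_like_ransom_note(ev["path"]):
            alerts.append({"host": host, "t": ev["t"], "reason": "ransom note created",
                           "path": ev["path"]})
            continue
        if op == "WRITE" and looks_encrypted(ev.get("data", b"")):
            kind = "enc_write"
        elif op == "DELETE":
            kind = "delete"
        else:
            continue
        q = recent[host]
        q.append((ev["t"], kind))
        while q and ev["t"] - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        counts = Counter(k for _, k in q)
        if (host not in bulk_alerted
                and counts["enc_write"] >= MIN_BULK and counts["delete"] >= MIN_BULK):
            alerts.append({"host": host, "t": ev["t"], "reason": "bulk encrypt-and-delete",
                           "writes": counts["enc_write"], "deletes": counts["delete"]})
            bulk_alerted.add(host)   # one alert per host, then let the responder take over
    return alerts


def _ciphertext(seed: int) -> bytes:
    """Deterministic stand-in for encrypted output (a SHA-256 chain, about 7.9 bits/byte)."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(128))


def build_sample_events() -> list:
    """Constructed activity log, not real telemetry: one workstation editing documents
    normally, then a second one rewriting and deleting a whole folder."""
    text = b"Quarterly revenue figures for review.\n" * 50
    docx = b"PK\x03\x04" + _ciphertext(0)       # zip-based Office file: dense but legitimate
    events = [
        {"t": 10, "host": "ws-02", "op": "WRITE", "path": "/share/finance/notes.txt", "data": text},
        {"t": 25, "host": "ws-02", "op": "WRITE", "path": "/share/finance/plan.docx", "data": docx},
        {"t": 30, "host": "ws-02", "op": "DELETE", "path": "/share/finance/old_draft.txt"},
    ]
    for i in range(8):
        src = f"/share/finance/report_{i}.xlsx"
        events.append({"t": 200 + 2 * i, "host": "ws-17", "op": "WRITE",
                       "path": src + ".locked", "data": _ciphertext(i + 1)})
        events.append({"t": 201 + 2 * i, "host": "ws-17", "op": "DELETE", "path": src})
    events.append({"t": 220, "host": "ws-17", "op": "CREATE",
                   "path": "/share/finance/HOW_TO_RECOVER_FILES.txt"})
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

On the constructed log the first alert fires at the fifth encrypt-and-delete pair from ws-17, roughly ten seconds into the burst, which is the point: by the time this stage is visible, files are already gone, so the alert is only useful if it triggers an automatic response such as disabling the host’s share access, and even then recovery depends on backups the attacker could not reach.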

Egress Defend interrupts the ransomware kill chain, preventing it from infecting even a single endpoint. For more information about how to protect your business from this critical threat, schedule a demo today.
