According to Veeam’s 2022 Ransomware Trends Report, less than 69% of data stolen during ransomware attacks in 2021 was ever recovered. Ransomware is big business for bad actors. In 2021, the average ransom demand was $247,000, up 45% higher than the previous year. Considering that 76% of the victim organizations surveyed admitted to paying the ransom, it’s likely that the total cost of ransomware to businesses globally was in the billions.

What is ransomware?

Ransomware is malware that encrypts a victim’s files and then demands a ransom, usually in a cryptocurrency, to decrypt the files. Once the victim pays the ransom, the attacker provides a key that restores access to the files. If the victim doesn’t pay, the files may be permanently lost, or the attacker may threaten to release sensitive data publicly.

Ransomware attacks have been on the rise in recent years, partly due to the growth of cryptocurrency and the anonymous nature of the internet. In addition, ransomware attacks can be very lucrative for attackers, which motivates them to continue to evolve their methods.

There are many types of ransomware, but some of the most common include:

  • Crypto-ransomware. The most common type of ransomware. It encrypts files using robust encryption algorithms, making them inaccessible to the victim. The victim is then presented with a ransom demand to decrypt the files, usually for payment in cryptocurrency.
  • Locker ransomware. Less common but can be more devastating. It doesn’t encrypt certain files but instead totally blocks access by locking the screen or login page. The victim is then presented with a ransom demand to unlock their system.
  • Scareware. Bad actors attempt to frighten people into downloading malware or paying a ransom. It usually takes the form of a pop-up message or email that appears to be from a legitimate source, like a government agency or well-known company. The message may claim that the victim’s computer is infected with a virus or that their personal information has been compromised.
  • Leakware. Also known as doxware, is a type of ransomware that threatens to release sensitive information publicly if the victim doesn’t pay a ransom. The attacker may claim to have access to the victim’s files, like photos or emails, or sensitive business data.
  • Ransomware as a service (RaaS). RaaS providers give access to their ransomware software, for a price, to anyone who wants to use it, often providing support and customer service. Unfortunately, RaaS has made it easier for people with little to no technical skills (aka “Script Kiddies”) to launch ransomware attacks, which is credited with the rise in attacks in recent years.

How do ransomware attacks work?

Ransomware attacks usually start with a phishing email or a malicious website. The email may contain a malicious attachment or link that, when opened, downloads and installs the ransomware on the victim’s computer. Once the ransomware is installed, it will start encrypting files.

Sometimes, the victim’s computer will be locked, and a message will be displayed on the screen with instructions on how to pay the ransom and unlock the computer. In other cases, a dialog box pops up on the screen with a ransom demand and instructions on how to pay.

Your Guide to Selling Managed Network Services

Get templates for network assessment reports, presentations, pricing & more—designed just for MSPs.

Ebook cover - The Ultimate Guide to Selling Managed Network Services

Once the victim pays the ransom, the attacker will provide the key to decrypt the files. However, there is no guarantee that the attacker will provide the key, and there is a risk that the victim’s files will be lost forever.

According to the 2022 Ransomware Trends Report from Veeam, 24% of the organizations that paid the ransom were still unable to recover their data.

Keep in mind that ransomware attacks are not just limited to computers. Ransomware can also target mobile devices and servers. In some cases, attackers have even been able to hold entire networks hostage. That’s why having a robust network monitoring and management solution is critical to protecting your organization from ransomware attacks.

How does ransomware differ from phishing?

Now that you’ve learned the answer to the question “what is ransomware?”, let’s look at how it differs from phishing.

While phishing is often the conduit for delivering ransomware, the two terms are not interchangeable. Phishing is a broad term that describes any malicious email designed to trick the recipient into taking some action, such as clicking on a link or opening an attachment.

“Less than 69% of data stolen during ransomware attacks in 2021 was ever recovered.”

Veeam’s 2022 Ransomware Trends Report

Ransomware is malware that specifically encrypts files and demands a ransom for the decryption key. It is just one of many types of malware that can be delivered via phishing emails.

Unfortunately, phishing is one of the most common ways bad actors can gain access to company systems, according to 44% of the survey respondents in the Veeam report. It shows how insider risk should not be overlooked in any organization’s security strategy.

Essential layers of ransomware defense

No silver bullet exists that will protect your organization from all ransomware attacks, so it’s important to have multiple layers of defense. Some of the essential layers of protection against ransomware include:

  • Education and training. Your employees need to know what ransomware is, how it works, and what to look for in phishing emails. They also need to know what to do if they think they may have been the victim of a ransomware attack.
  • Effective asset management. You need to know what assets you have and what data is stored on each asset. This includes knowing what systems are connected to your network and each user’s permissions. Network monitoring and management tools, like Auvik, can help you automatically track your assets and monitor for suspicious activity.
  • Network security. A firewall is critical to your network security, but it’s not the only thing you need. You must also have intrusion detection and prevention systems (IDS/IPS) and effective network segmentation.
  • Email security. Email is one of the most common ways ransomware is delivered, so it’s essential to have a robust email security solution. This should include spam filtering, malware scanning, and phishing protection.
  • Endpoint security. A security solution that will protect your endpoint devices from ransomware and other threats is critical. This includes having anti-virus and anti-malware software installed on all endpoint devices.
  • Backup and recovery. Even with all the other defense layers in place, there is always a risk that ransomware will get past your defenses. That’s why it’s critical to have a robust backup and recovery solution. If you fall victim to a ransomware attack, you can quickly restore your data from the automated backup.
  • Disaster recovery. In the event of a significant ransomware attack, you need to have a disaster recovery plan in place. This should include having a backup site that can be used to restore critical systems and data. Also, consider making arrangements for alternate infrastructure options, such as cloud-based solutions, that can be used if your on-premises systems are unavailable.

By implementing these essential layers of defense, you can significantly reduce the risk of a successful ransomware attack and ensure that you can recover quickly if an attack does occur.

What to do if you are the victim of a ransomware attack

Even when you know what ransomware is, and have all the security in place, you can still become the victim of a ransomware attack. If this happens, you must stay calm and act quickly. Your first reaction might be to give in and pay.

However, the FBI and other law enforcement agencies worldwide have consistently advised against paying a ransom to ransomware attackers. This is because there is no guarantee that you will receive the decryption key even if you pay the ransom. In addition, paying a ransom only encourages this type of criminal activity.

So, what should you do?

  1. Disconnect from the network. If you are still connected to the network, disconnect immediately to prevent the spread of the ransomware and give you time to assess the situation.
  2. Assess the damage. You need to assess the damage and determine what systems and data have been affected. Once you have a list of what has been affected, you can start to plan your next steps.
  3. Report the incident. Once you have disconnected from the network, report the incident to the proper authorities in your country. For example, in the United States, the FBI recommends organizations contact their local FBI field websites.
  4. Inform your service provider. Your service provider is supposed to have security in place to protect your data. If you have been the victim of a ransomware attack, inform your service provider so they can take steps to improve their security and help prevent other customers from being affected.
  5. Contain the malicious code. Once you have taken steps to protect your data, it’s vital to contain the malicious code to prevent it from spreading (see point #1).
  6. Restore from backups. If you have a robust backup solution, you can use it to restore your data. This is the quickest way to get your systems up and running again.
  7. Record as much information as possible. Ensure you keep a record of all communication with the ransomware attackers, which might help law enforcement track them down. In addition, keep a record of all the steps you have taken to contain and clean up the attack. This will be helpful if you need to provide information to your insurance company or file a lawsuit.
  8. Inform customers, vendors, and investors. If the ransomware attack has affected your business operations, inform your customers, vendors, and investors. This will help them understand the situation and what steps you are taking to resolve it.
  9. Review your security procedures. Once the immediate crisis has passed, take some time to review your security procedures. Identify what went wrong and what you can do to improve your security in the future. This will help you reduce the risk of another attack.

Ransomware attacks are becoming more and more common. While there is no guaranteed way to prevent an attack, you can take steps to reduce your risk. And if you find yourself the victim of an attack, there are ways to recover.

Remember, it is crucial to consider the risks and implications if you are ever asked to pay a ransom. There is no guarantee that the attackers will honor their end of the bargain. And even if they do, paying a ransom only encourages them to target other businesses in the future.


Leave a Reply

Your email address will not be published. Required fields are marked *