Products +

Services +

Customers +

Partners +

Resources +

The Biggest Questions About Ransomware Answered

We go deep into what ransomware can and cannot do — jumping into misconceptions and myths about ransomware attacks and revealing the truth behind those notions.

Update: This blog has been updated with statistics on ransomware for 2021, including a new world record for ransom paid.

The number of ransomware attacks has seen a steady increase in 2021. Correspondingly, ransoms demanded by hackers have seen an upward trend. Ransomware attacks are also becoming more sophisticated, and there are now even services like Ransomware-as-a-Service (RaaS) which allow threat actors with minimal technical skills to launch a ransomware attack!

Threat actors are also exploiting the COVID-19 pandemic to target industries that have become more vulnerable, such as healthcare services providers, municipalities, and educational institutions. In addition, personal and mobile devices have become new attack surfaces with more employees working from home.

New Ransomware

Besides WannaCry and NotPetya, new ransomware that have been discovered include:

  • Netwalker allows hackers to rent access to malware code in exchange for a percentage of the funds they received.
  • Darkside is a ransomware group that launched their Ransomware-as-a-Service (RaaS) in August, 2020, and are today known for their professional operations and demanding large ransoms.
  • Conti utilizes a double-extortion technique to encrypt data on infected machines.
  • REvil, also known as Sodin and Sodinokibi, has gained a reputation for extorting larger ransom payments than their competitors and for promoting underground cybercrime forums.

Useful Statistics on Ransomware for 2021

  • Ransomware attacks are estimated to occur every 11 seconds in 2021
  • Phishing emails have increased by 600% due to the COVID-19 pandemic
  • The average ransom demanded has increased to US$200,000 in 2020 from US$5,000 in 2018.
  • A new world record for the amount of ransom paid was set in March 2021, when CNA Financial, one of the largest insurance companies in the U.S., paid US$40 million to regain control of its network after a ransomware attack.
  • The most common tactics used to carry out ransomware attacks are email phishing campaigns, RDP vulnerabilities, and software vulnerabilities.
  • Remote workers will be the main targets throughout 2021, and hackers now prefer to target WFH workers since personal devices are easier to hack than office hardware.

Knowing the common cyber threats and web vulnerabilities is the first step. Even with a basic understanding of how to protect your organization against ransomware, there may still be questions you have about the extent of this disruptive crippling attack. Below is a compilation of some of these questions and corresponding suggestions on what your organization can do to mitigate the damage from ransomware.

1. Can ransomware spread through a network?

Yes, like any other virus attacks, ransomware can proliferate through a computer network, infecting and locking unprotected endpoints — including network servers. To maximize the impact of an attack, ransomware is designed to actively seek connections to other computer systems. In order to resume business operations, the affected organization will then be cornered into paying the hacker.

Similar to how one would treat a viral attack, it is critical that organizations quickly isolate and quarantine the affected endpoints. This means prompt identification of an attack and disconnecting those systems from the network so that the attack is contained.

2. How did ransomware come into existence?

One of the earliest examples of ransomware was the AIDS Trojan written by Joseph Popp in 1989. This ransomware hid files on a hard drive and encrypted their names using symmetric cryptography. It then showed the victim a message claiming that a certain piece of the user’s software had an expired license. The victim was asked to pay US$189 to the entity known as PC Cyborg Corporation.

By 2006, ransomware experienced an explosive rate of propagation with trojans such as Archiveus, Cryzip, TROJ.RANSOM.A, and Gpcode. As ransomware’s prominence grew, the encryption behind them slowly increased in strength, as well.

3. Can ransomware be detected?

The impact of ransomware hinges heavily on the first mover advantage, thus it is not expected of typical anti-virus software to have prior knowledge of a new virus. But keeping your anti-virus software up to date is certainly a way to mitigate a significant amount of risk.

Early threat detection systems that leverage User and Entity Behavior Analytics (UEBA) may give organizations the ability to identify potential ransomware attacks, and email clients like Gmail are built with security controls that warn users whenever an attachment or sender appears to be illegitimate. Perhaps the hardest form of ransomware to detect is when it is the case of a business email compromise (BEC).

Because there is no foolproof way for detecting all types of ransomware attacks, organizations should instead be proactive about how they manage potential attacks, such as having security policies that can automatically isolate infected endpoints from the network. Employees must also be trained to be vigilant about the emails they receive. Simulated phishing attacks are one such way to raise organizational vigilance.

4. Can ransomware encrypt an encrypted drive?

Yes. Ransomware does not bother with the contents of your file or if your drive is already encrypted. It simply encrypts over your encrypted drive and demands a ransom from victims to decrypt their layer of encryption.

5. Can ransomware steal data?

Yes. How ransomware works is hackers make a copy of the stolen files, encrypt them and delete the original files. The stolen data are now files under the hackers’ control. If victims do not pay the ransom, hackers will delete the version of their files forever. Wannacry and NotPetya are two of the more prominent major attacks.

6. Can ransomware infect backups?

Yes. Ransomware programs such as WannaCry and the newer version of CryptoLocker delete the shadow copies created by the Windows operating system. Hackers are increasingly targeting backup copies to increase the likelihood of victims paying the ransom since they have no backup copy to restore. Keep your backups off your core network, whether in physical hard drives or in a separate cloud network, but nonetheless, ensure you take appropriate security measures.

7. Can ransomware be removed? If not, should I pay the ransom?

If you’ve managed to identify and isolate the infected computer systems, it is possible to do a factory reset on those systems to remove the ransomware.

While it can make sense cost-wise to pay the ransom, we at Horangi never recommend that you pay it. Paying the ransomware demand makes your organization a repeatable target, and communicates to other attackers in the know to attack you again.

Instead, opt to put together a comprehensive incident response plan that your organization can follow whenever a security incident such as a ransomware attack occurs. Such a plan can include protocols such as which security partner to call, the steps you take to isolate the attack, and to document the attack logs that will be critical in forensics.

Above all, we recommend that you have a robust backup management program, constantly assessing your risks so you know you have a backup of your business-critical data.

What else can you do?

With ransomware attacks becoming more sophisticated and easy access to RaaS services, the question every organization should be asking is no longer IF but WHEN they will experience a ransomware attack.

The good news is that solutions and services for ransomware defense are also getting more sophisticated. Horangi's Ransomware Defense Assessment helps you in assessing your organization's readiness against a ransomware attack. Find out more about our Ransomware Defense Framework and how it can contribute to your defense against and recovery from ransomware attacks.

Mark Anthony Fuentes

Mark Fuentes has over a decade of experience in the cyber security field highlighted by roles in organizations such as Verizon, The International Monetary Fund, and The United States Department of Homeland Security. Mark is an avid consumer of technology trends and threat intelligence and seeks out new applications of tech and research to combat cyber crime.

Subscribe to the Horangi Newsletter.

Be the first to hear about Horangi's upcoming webinars and events, up-and-coming cyber threats, new solutions, and the future of cybersecurity from our tech experts.