FAQ: Know Thy Enemy – The Anatomy of a Ransomware Attack

Security Magazine reports that in early 2023, businesses experienced a significant uptick in ransomware attacks. It seems we’re far from in the clear, particularly in the manufacturing industry, where an early 2023 attack surge put these companies at the top of the ransomware target list.

What’s going on? And how can companies protect themselves? How does ransomware work? The more you and your employees know about this malware threat, the better. Knowledge is power in cybersecurity circles, and this is particularly true here because just a few preventative steps can stop these attacks cold.

Here’s what you should know about ransomware, how it works, and how to stop these attacks.

Understanding Ransomware

How does ransomware work?

Ransomware is malicious software (malware) designed to encrypt a victim’s files or lock their computer system, holding it hostage until the company or individual pays a ransom.

What happens during a ransomware attack?

Ransomware typically begins with the initial compromise, where the malicious software enters the victim’s system, often through a phishing email.

Then, the ransomware executes its code, launching a payload that encrypts the victim’s files, rendering them inaccessible. A ransom note appears on the affected devices, demanding payment for the decryption key. If the victim agrees to pay, they follow the instructions provided; the ransom is usually paid in cryptocurrency.

Alternatively, data extortion may occur, where valuable information is stolen and held hostage. Recovering from an attack involves removing the malware, restoring files from backups, and addressing the breach’s aftermath.

What are the stages of a ransomware attack?

Businesses typically experience these ransomware attack stages:

  • Delivery: Ransomware can be delivered in various ways, including malicious email attachments, infected websites, software vulnerabilities or compromised IT networks.
  • Execution: When the ransomware gains access to a system, it executes its code, initiating the encryption. Some ransomware strains may also perform other actions, such as disabling security software or establishing a persistent, lingering presence on the infected system.
  • Encryption: The ransomware scans the victim’s files, encrypting and rendering them inaccessible without a decryption key.
  • Ransom note: The ransomware typically displays a ransom note on the victim’s screen. This note informs the victim about the encryption and provides instructions on how to pay the ransom.
  • Payment and decryption: If the organization pays the ransom, the attackers may provide a decryption key to restore the encrypted files. However, there is no guarantee that the attackers will uphold their end of the deal or that the decryption process will be successful.

How do hackers do ransomware attacks?

Hackers continually evolve their techniques for delivering ransomware malware. Some of the most typical delivery mechanisms today include:

  • Phishing emails: Hackers send deceptive emails disguised as legitimate messages. These emails contain a malware file or links to malware. When victims open these attachments or click the link, the ransomware downloads and runs on their computer. If the computer is connected to a network, the malware can spread.
  • Exploit kits: Attackers can take advantage of vulnerabilities in software, operating systems or web browsers to deliver ransomware. Automation tools called exploit kits scan across the web for weaknesses that allow them unauthorized access into the victim’s system.
  • Remote Desktop Protocol (RDP) attacks: RDP software gives hackers remote access to computers. Weak or compromised RDP credentials allow this access, and once inside, the cybercriminal unleashes the ransomware payload.
  • Malvertising: Malicious advertising occurs when hackers insert code into legitimate online ads. When end-users click the ads, they redirect to an infected website that delivers ransomware.
  • Remote File Inclusion (RFI) attacks: Cybercriminals can infect legitimate websites with malicious code that downloads and installs ransomware. These techniques are also called watering hole attacks or drive-by downloads.

How much ransom do companies typically pay?

It varies. According to a 2021 report, the average ransom demand was $750,000. A 2022 report puts that number much higher, at $4.7 million.

Why was my business targeted for ransomware?

Ransomware targets the vulnerable. Small businesses are the targets of 82% of ransomware incidents. Hackers may target specific industries with the potential for capturing a high ransom. Companies with valuable business data can also become targets.

A ransomware hacker looks for companies with fragile cybersecurity measures, such as outdated software, weak passwords, unpatched systems or a lack of regular employee training.

Who is behind ransomware attacks?

Ransomware attacks are orchestrated by various threat actors, from organized cybercriminal groups to state-sponsored actors seeking political gain. Some ransomware is launched by so-called “hacktivists” motivated by ideological causes. Individual hackers may be seeking income. Finally, insider threats, such as a disgruntled employee, can launch a ransomware attack. (Read more: Internal IT Threats: How to Protect Your Business)

How does ransomware usually get into your computer?

The perfect storm for a ransomware attack is a phishing email and a computer or IT system without the latest security updates. Ransomware is a malicious file. In most cases, an individual must click on a file or link to download the malware. Every employee in your organization therefore represents potential ransomware risk.

What to Do During a Ransomware Attack

After it’s downloaded, how does ransomware spread?

The behavior of ransomware varies depending on its design. Some ransomware may focus only on encrypting files without propagating itself further. Other ransomware may target specific file types, spread laterally across a network, or focus on shared drives to infect remote devices. Ultimately, ransomware spreads by exploiting our vulnerabilities.

How should companies handle ransomware?

The first step in handling a ransomware attack is to isolate and contain the affected systems so the virus will not spread further. Time is of the essence as you assess the scope and severity of the attack. Reporting the breach to stakeholders, including marketing and PR teams, is essential for controlling messaging around the security incident.

If you lack the security resources, reach out to cybersecurity experts who specialize in ransomware. Ransomware is a crime; you should also report the attack to law enforcement. Finally, mitigate the damage by recovering and restoring files. As part of this process, consider what the organization has learned from the attack to shore up defenses moving forward.

What is the first thing to do in a ransomware attack?

In a ransomware attack, the first thing to do is take immediate action to isolate and disconnect the affected system from the rest of your network. This step is critical to stopping the damage quickly before it spreads. It gives you time to focus on ransomware removal within a smaller, contained area of your IT infrastructure.

How should we remove ransomware?

Ransomware removal from an infected system is a complex process that requires cybersecurity expertise. Some of the general steps necessary to remove ransomware include:

  • Isolate (and stop) the spread of the infection.
  • Identify the ransomware variant (which helps identify potential decryption tools).
  • Scan the infected system with antivirus or antimalware software.
  • Update software so the latest security patches are applied.
  • Disconnect external devices to prevent reinfection.
  • Restore data from backup files.
  • Improve security measures, including training staff on how to avoid ransomware.

Should you pay the ransom?

Law enforcement agencies say you should not pay the ransom. The reality is that, even if you pay, there is only a small likelihood you’ll get your data back. Only 8% of companies get their data back, even after paying the ransom.

Related: Do you need cyber insurance?

Life After Ransomware

How long do ransomware attacks last?

The duration of a ransomware attack depends on its complexity, the type of malware and the effectiveness of your response. The time it takes to detect the ransomware attack is essential in how long it lasts and how far the damage spreads. Your ability to isolate infected systems and implement remediation can limit the attack’s duration.

After you remove the ransomware, the time for recovery depends on whether you have clean, recent backups to restore files or if you must rebuild data from scratch. Even your decision on whether to pay the ransom can affect the length of the process.

If your organization decides to negotiate and pay the ransom, the logistics of doing so will also affect your recovery time.

What happens after a ransomware attack?

It can take weeks for the dust to settle after a ransomware attack, even for a small business. If you pay the ransom, you will only recover about 65% of your data, on average. The data restoration process and the investigation and analysis of what went wrong take time, as do the steps for enhancing your organizational security processes.

Communication and reporting to internal and external stakeholders are also necessary to share your progress. While small companies may worry less about a public relations nightmare caused by a ransomware attack, larger organizations, such as hospitals or local government institutions, often face negative public scrutiny. Above all, organizations must clearly define how they will prevent similar ransomware incidents, even as they rebuild.

Preventing Ransomware

What are the best ways to stop ransomware?

The best way to stop ransomware is to prevent an attack from occurring in the first place. While no method can provide 100% protection, implementing security measures can significantly reduce your risk. For example:

  • Maintain regular backups of critical data and ensure they are stored offline or in a secure location. Regularly test the backup restoration process.
  • Keep operating systems, software and applications up-to-date with the latest security patches. Enable automatic updates whenever possible.
  • Train employees to recognize and avoid phishing emails, suspicious attachments and malicious links. Promote strong password hygiene and multi-factor authentication, and encourage reporting of suspicious activity.
  • Install reputable and up-to-date antivirus and anti-malware software on all systems. Perform comprehensive system scans to detect and remove potential threats.
  • Employ application whitelisting, which allows only authorized and trusted applications to run on systems.
  • If Remote Desktop Protocol is necessary, ensure it is securely configured with strong passwords, limited access rights and Network Level Authentication enabled. Regularly monitor RDP logs for suspicious activity.
  • Implement network segmentation to isolate critical systems and limit the lateral movement of ransomware within the network.
  • Conduct vulnerability assessments and penetration testing to identify and address security weaknesses. Promptly patch or mitigate vulnerabilities.
  • Develop and test an incident response plan that outlines the steps to take in the event of a ransomware attack. Establish a business continuity plan to ensure minimal disruption and swift recovery.
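One way to act on the “monitor RDP logs” item above, as an added example that is not from the original article: it runs a simple failed-logons-then-success detection over constructed log records modelled on Windows Security events 4625 (logon failed) and 4624 (logon succeeded) with logon type 10 (RemoteInteractive, i.e. RDP). The pipe-delimited field layout, the threshold and the time window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|event_id|logon_type|account|source_ip".
# Modelled on Windows Security events 4625 (logon failed) and 4624 (logon succeeded);
# logon type 10 is RemoteInteractive, the type an RDP session produces.
SAMPLE_LOG = """\
2023-03-01T02:00:01|4625|10|administrator|203.0.113.7
2023-03-01T02:00:04|4625|10|admin|203.0.113.7
2023-03-01T02:00:09|4625|10|backup|203.0.113.7
2023-03-01T02:00:15|4625|10|jsmith|203.0.113.7
2023-03-01T02:00:22|4625|10|jsmith|203.0.113.7
2023-03-01T02:01:40|4624|10|jsmith|203.0.113.7
2023-03-01T08:15:00|4625|10|mlee|198.51.100.20
2023-03-01T08:16:30|4624|10|mlee|198.51.100.20
2023-03-01T08:20:00|4625|2|mlee|-
"""

def parse_log(text):
    """Turn the pipe-delimited sample into (timestamp, event_id, logon_type, account, ip) tuples."""
    records = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, ip = line.split("|")
        records.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), account, ip))
    return sorted(records)

def detect_rdp_abuse(records, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` RDP logon failures inside `window`,
    and record the account if a successful RDP logon from that IP follows the burst
    (a sign that guessed or stolen credentials worked)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    findings = {}
    for ts, event_id, logon_type, account, ip in records:
        if logon_type != 10:        # only RemoteInteractive (RDP) logons matter here
            continue
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures that fell outside the sliding window
        if event_id == 4625:
            recent.append(ts)
            if len(recent) >= threshold:
                entry = findings.setdefault(ip, {"failures": 0, "success_after": None})
                entry["failures"] = max(entry["failures"], len(recent))
        elif event_id == 4624 and ip in findings:
            findings[ip]["success_after"] = account
    return findings

if __name__ == "__main__":
    for ip, finding in detect_rdp_abuse(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

In the sample, one source address fails five times in 21 seconds and then succeeds as jsmith, which is the pattern to investigate first; the single failure from the other address stays below the threshold.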

Related: 7 Cybersecurity Controls to Defend Against Emerging Cyberattacks in the New Threat Landscape

Worried about ransomware? The Sikich cybersecurity team is expert in mitigating the risk of ransomware and other threats to your business. Contact us to discuss your options.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
