What is Ransomware? How Do Ransomware Attacks Work?

Ransomware represents a form of malicious software (malware) that targets critical data belonging to organizations. Cybercriminals gain unauthorized access to the victim's data and covertly encrypt it, rendering it inaccessible to the organization. The cybercriminals then demand a ransom payment in exchange for the decryption key needed to restore access. Ransomware attacks can inflict severe damage on organizations, leading to complete loss of access to crucial databases, applications, files, and other essential resources necessary for efficient operation.

How does ransomware work?

Ransomware attacks begin when a bad actor gains access to the data through an employee or network vulnerability. They typically involve three main stages: initial data access, data encryption, and ransom demand. In the first stage, cybercriminals gain unauthorized access to the victim's data. Once inside, they proceed to encrypt the data, rendering it inaccessible to the affected user or organization. Finally, the attackers demand a ransom payment in exchange for providing the decryption key. Although specific ransomware attacks may exhibit variations, these three steps form the common framework behind such malicious incidents.

Gaining access to data

Cyber criminals use various types of vectors to gain access to critical information in a company. While there are numerous types of vectors, the most common vector used in ransomware attacks is phishing. Phishing is a malicious email spam campaign sent to employees with an attachment or download to click on. If the recipient falls for the phishing, the cyber criminal gains access to their computer.

Encrypting data

Once the cyber criminal gains access to the data they want, they move onto the encryption stage. At this point in the process, cyber criminals start blocking the data from the owner. They normally will select certain files, encrypt them, create a decryption key, and then delete the original files that are not encrypted or any backups the company may have.

Demanding ransom

Soon after the encryption process is complete, the attacker will often leave a note or message of some kind to the computer user demanding a ransom. Normally this message will be displayed on the computer’s screen where it is easily seen from the computer user. The ransom will demand an amount, usually using crypoccurrecy, to have sent to them within a certain time span. This time span is usually within 48 hours or less. If the ransom amount is not paid within the given time frame, the ransom amount may increase or the data being held will be deleted completely and the company may never be able to get it back.

Why are ransomware attacks spreading?

Statistics show that over two thirds of organizations with 500 employees or more dealt with ransomware attacks in the last 12 months. This percentage rises up to 80% with organizations that have 3,000-4,999 employees. There are multiple factors encouraging the spread of ransomware attacks, but one of the most prevalent is the increase of remote work. The outbreak of COVID-19 was a great thing for ransomware attackers. Companies were forced to shift all work to remote work as soon as possible. Because of the instant shift, there were many holes left in the cyber security of organizations. These holes left openings for attackers to insert their ransomware.

Ransomware-as-a-Service (RaaS)

Another cause for the ransomware attack surge is the ransomware marketplace, also known as Ransomware-as-a-Service (RaaS). Knowing technology is no longer necessary to hack into organizations' systems. The rise of Ransomware-as-a-Service (RaaS) means that ransomware is available to more people than ever. It is possible to purchase malware software and pay the developer a percentage of the ransomware earnings. Individuals who want to participate in ransomware now have access to malware strains created by malware developers. Since you no longer need to be a coder to launch a ransomware attack, this widens the pool of people with the capabilities to become bad actors.

Malware developers often distribute their ransomware tools freely, asking only for a percentage of the gains. Because of this system, the developers have little to no risk, making it enticing to produce malware. 

Examples of ransomware attacks

• WannaCry
  • WannaCry uses an exploit called EternalBlue to attack Microsoft Windows operating systems. There was a WannaCry outbreak back in 2017 attacking organizations and demanding Bitcoin as payment. There was a software update available to protect against WannaCry but unfortunately many companies did not update their security software and were therefore exposed to the attack.
• CryptoLocker
  • CryptoLocker is a Trojan horse that spreads a virus through unknown attachments in employee emails. This malware strand uses encryption to block users from accessing the data. Microsoft Windows users are at risk with CryptoLocker, Mac users are not targeted. A countdown timer will begin as soon as your files have been encrypted.
• Bad Rabbit
  • Bad Rabbit is a malware similar to WannaCry and Petya that began in 2017. The difference between the malwares is that Bad Rabbit can infect a computer through clicking on a website. If there is a compromised website, as soon as it’s clicked, the virus will block access to all files and demand a ransom, usually in Bitcoin.
• Ryuk
  • Ryuk is one of the most dangerous ransomwares out there. This is due to the amount the ransom requires. Some Ryuk attacks demand millions of dollars in order to get access back. Ryuk works like most malware, through phishing. Once it’s infected the system, it begins its work of shutting down processes on your computer.
• Maze
  • Maze is a tricky malware. While it does the same as all others, encrypting files and demanding a ransom, it takes it one step further. Once files have been encrypted and random is demanded, this form of ransomware makes copies of all data to sell on the Dark Web, and creates backdoors so hackers can continue to harass the establishment.
• REvil (Sodinokibi)
  • REvil, also known as Sodinokibi, is a ransomware-as-a-service (RaaS) malware that targets businesses. REvil is one of the most widespread ransomware attackers out there in recent years. REvil has had so much success that even Presidents Joe Biden and Vladimir Putin have talked about it.
• Lockbit
  • Lockbit, also known as the ABCD virus, began attacking government organizations and businesses in September 2019. Lockbit is a global ransomware that functions as a ransomware-as-a-service (RaaS). This ransomware is unique in its ability to self spread. Unlike other malware, this strand has the ability to spread without manual assistance, making the attack and infection quicker.
• DearCry
  • DearCry is a ransomware that attacks Microsoft Exchange servers that have not used patches to update their network. While DearCry seems to be created by an inexperienced hacker, it can still be dangerous to an organization.
• NotPetya
  • NotPetya is considered to be the most devastating attack yet. In 2017, NotPetya leveraged EternalBlue, the same vulnerability from WannaCry, to spread quickly throughout Ukraine government offices, businesses, and banks. While NotPetya posed as ransomware, it technically is a wiper and not ransomware. This is because no way to decrypt the data was built into the system.
• Double Extortion
  • Many ransomware attacks now feature double or even triple extortion. In double extortion, a bad actor exports the sensitive data in addition to encrypting it. Then they threaten to release that information.  In triple extortion, attackers take this information and contact the individual customers or third parties for ransomware payments in exchange for keeping their personal information secret. Venafi has found that 83% of successful ransomware attacks feature double or triple extortion.

How to prevent ransomware attacks

Employee education and trainings

The best thing an organization can do to defend against ransomware attacks is organization training on prevention. Employees are the key targets for the attacks, so it’s important they understand what to look out for. Since phishing is the top way malware is used, make sure each employee knows what those emails and attachments look like, so they can report it to the company and authorities.

Segment your network: zero trust

As cloud usage increases, network segmentation becomes increasingly crucial, particularly in multi-cloud and hybrid cloud systems. Criminals typically use compromised credentials to escalate privileges and traverse systems and networks laterally.

To eliminate implicit trust, network segmentation is a crucial element of a Zero Trust strategy. Organizations segment their networks based on the criticality of their systems and data and allow access based on the status of the verified identity - human or machine. Each request for network access is evaluated and inspected based on the requestor's current trust status. This is highly useful for preventing the lateral migration of threats within the network if attackers manage to penetrate it.

Backup your data

Backing up your files is a crucial step to take in order to mitigate damage. If the attacker steals your information but you still have access to it all, they have no hold on you. But, be sure to secure those backups, because the attacker will know to look for backups to erase. A recommendation is to put your backup into the cloud or a hard drive so it is harder to access.

Invest in security software

Defending your organization requires the necessary security software made to prevent ransomware attacks. Get software that protects from phishing emails and provides safe web browsing.

Secure your digital certificates

Digital Certificates are like a computer identity, and are a way for a company network to communicate safely without being compromised. These digital certificates are used as a way to authorize devices in a system to safely send messages and other vital information. There are two keys with each digital certificate, the public and private key. The public key is what encrypts the data, and you can only gain access by using the private key.

Require all macros to be code signed

Code signing has been used for several decades to guarantee that the code of a macro, program, or software download has not been corrupted or tampered with after it was signed by the sender. When someone needs to send their work, they use a public/private key pair to keep it secure. This is a way to verify the authenticity of the certificate, proving the software was not affected during the send. If the original key given matches the one received, it’s safe.

Keep security software up to date

One important thing to keep in mind is to always have your security software up to date. Each software update includes patches to the previous version. Patching is crucial to keep attackers at bay.

Develop policies and plans

Unfortunately, sometimes even the best precautions cannot stop a determined adversary prepared to commit the time and effort required to disrupt a business. 

Create an incident response plan so that your IT security staff is prepared. The strategy should specify the roles and communications that will be shared during an assault. Having at least one person who will oversee the incident handling process will aid in the coordination of incident response operations. You should also include a list of contacts, including any partners or vendors who must be contacted. Due to the numerous moving pieces involved in an incident, communication is crucial.

Having recovery procedures in place enables businesses to quickly resume full operations, minimizing downtime, financial loss, and brand damage. Enterprises should conduct routine, spontaneous drills on the incident response plan to provide the best possible outcomes in the event of a genuine incident.

Logging is also essential for a business to effectively respond to an incident. Establishing a process is the first step in log management. In the event that an enterprise is breached, logs will be required for incident response in order to pinpoint the origin of an attack and offer evidence for legal proceedings.

Enforce code signing policies

Code signing is the procedure for digitally validating software. This verifies the identity of the individual or organization who created the code. This procedure guarantees that the code or program has not been altered after the developer signed it.

Attackers might potentially steal code signing certificates from legitimate developers, granting them the opportunity to release code under a trusted creator's name and enabling them to distribute malware to a greater number of victims.

Abuse of code signing can occur in a variety of different ways.

• Key Theft: When digital certificates or keys are improperly managed and kept, threat actors have the opportunity to steal the private keys of trusted users. Using these keys, they are able to sign code under the guise of another identity, obtain certificates in the name of a trusted identity, and then misuse that certificate inside the network.
• Coding Mistakes: It is also possible for code signing to be abused if the signed software contains flaws. Even though the code is signed, attackers can exploit these weaknesses to spread ransomware on target devices.
• System Compromise: If a system is infiltrated and software is being signed on that compromised system, the code can be altered prior to the actual signing. This permits malware payloads to be concealed without the developer's knowledge. Code signing was misused in this way in the recent SolarWinds attack.
• Use of Revoked or Expired Certificates: If a Certificate Authority (CA) does not check the validity of a compromised key or expired certificate, the certificate might be used to sign malicious software code.

There are a number of different code signing best practices that can be followed to ensure your code signing process is secured. The National Institute of Science and Technology (NIST) has released several recommendations on certificate and code signing best practices for users to implement. These include:

• Secure associated private keys on  HSMs  (Hardware Security Modules)
• Control the code signing process
• Validate code at every stage of the DevOps pipeline
• Use dedicated systems for code signing
• Check the validity of the code signing certificates
• Establish a strong certificate lifecycle management plan

Venafi CodeSign Protect encrypts code signing secret keys, automates approval workflows, and tracks code signing activity. 

• Keep private keys safe by storing them on the secure Venafi platform or in HSMs and restrict access to approved users and use cases. 
• Automate certificate issuance and revocation to enforce code signing policies across development teams. Software managers can define code-signing roles and approvers. 
• Integrate smoothly into build workflows to provide local, quick code signing without modifying build scripts by offering code signing as a DevOps service. 
• Keeps track of all code signing certificates and signed software by creating an inventory of development environments and visualizing all code signing projects in the enterprise.

How to prevent ransomware attacks

Employee education and trainings

The best thing an organization can do to defend against ransomware attacks is organization training on prevention. Employees are the key targets for the attacks, so it’s important they understand what to look out for. Since phishing is the top way malware is used, make sure each employee knows what those emails and attachments look like, so they can report it to the company and authorities.

Backup your data

Backing up your files is a crucial step to take in order to mitigate damage. If the attacker steals your information but you still have access to it all, they have no hold on you. But, be sure to secure those backups, because the attacker will know to look for backups to erase. A recommendation is to put your backup into the cloud or a hard drive so it is harder to access.

Invest in security software

Defending your organization requires the necessary security software made to prevent ransomware attacks. Get software that protects from phishing emails and provides safe web browsing.

Secure your digital certificates

Digital Certificates are like a computer identity, and are a way for a company network to communicate safely without being compromised. These digital certificates are used as a way to authorize devices in a system to safely send messages and other vital information. There are two keys with each digital certificate, the public and private key. The public key is what encrypts the data, and you can only gain access by using the private key.

Require all macros to be code signed

Code signing has been used for several decades to guarantee that the code of a macro, program, or software download has not been corrupted or tampered with after it was signed by the sender. When someone needs to send their work, they use a public/private key pair to keep it secure. This is a way to verify the authenticity of the certificate, proving the software was not affected during the send. If the original key given matches the one received, it’s safe.

Keep security software up to date

One important thing to keep in mind is to always have your security software up to date. Each software update includes patches to the previous version. Patching is crucial to keep attackers at bay.

How to respond to a ransomware attack

Swift action is key when a ransomware attack is discovered. Make sure your organization has a ransomware response policy in place before an attack occurs. If your organization is the victim of a ransomware attack, be sure to involve the authorities and report the incident.

Slow the spread

If you suspect a device has been infected with malware, disconnect it from the network and other devices as quickly as possible. This will stop the ransomware from spreading further throughout your network. Since ransomware moves so quickly, it is likely that other devices will have already been infected. Disconnect all suspicious devices from the network and shut down wireless connectivity.

Identify the source

Check for alerts in your antivirus or Endpoint Detection & Response (EDR) software. Also ask your employees if they have received any suspicious emails. Also see if you can discover what type of ransomware you are working with. Then alert all unaffected employees as soon as possible with the signs they should look for to see if they have been infected.

Assess your backups

See if the information that has been encrypted is backed up and if you still have access to that backup. Then deploy an antivirus solution to wipe the devices clean of malware. If you don’t have backups,  No More Ransom is a great source to find free decryptors and applications that could possibly help. While there is no guarantee, it is possible that you will find a decryption key that will work to restore your files.

Should I pay the ransom?

Never pay the ransom to get your files back. A 2020 ruling by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) declares that most cases of paying a ransom are illegal.

There is no guarantee that the attackers will actually share the description key and you will be funding criminal activities. The same attackers may attack you again in the future since they know you will pay.

Never pay the ransom to get your files back. There is no guarantee that they’ll actually give you the decryption key, and you’ll be funding criminal activities. Paying will also make you a recurring target. Now that the ransomware criminals know they can get money from you, they’ll continue infecting your devices in the future.

The business impact of ransomware

Ransomware has a devastating impact on the productivity and reputation of a business. Your business may need to partially shut down while attempts are made to recover business-crucial data. In the case of the Colonial Pipeline attack, the company shut down its operations leading to gas shortages.

If confidential customer information is leaked as part of the attack, your reputation could plummet. You also may be subject to regulatory fines in the case of a data breach.

How Venafi can help

Venafi can help protect against malicious software through automated detection and remediation of risks. With proper machine identity management, you can get a comprehensive view of all machine identities, maintain active control over machine identities, maximize threat detection in encrypted traffic, and centralize your machine identity governance.

Secure your digital certificates with Venafi’s Control Plane and protect the identity of each machine from compromise. Having visibility into your digital certificates not only protects against ransomware and cyberattacks but also eliminates certificate-based outages. To secure your code signing private keys, automate approval workflows, and maintain an irrefutable record of all code signing activities, check out CodeSign Protect.

Interested how InfoSec leaders are responding to the ransomware crisis? Download our Global Security Report to learn what security controls you need to stop the ransomware kill chain and prevent attacks on your organization.

(This post has been updated. It was originally published on Sep 9, 2022.)

Related posts

• Understanding How Code Signing Impacts Your Organization
• What Is the Difference Between a Public Key and a Private Key?
• Ransomware Group Steals Nvidia Code Signing Certificates: How to Protect Yourself