What is ransomware?

Ransomware is a type of malware that cybercriminals use to infect a device or network with malicious software, which then encrypts files and converts valuable data to unreadable code. This data is then held at ransom by these cybercriminals, who will only decrypt it once they are paid a fee.

Many people ask, is ransomware a virus? The answer is no. Ransomware and viruses are both forms of malware that have different methods of attack – a virus infects files, whereas ransomware encrypts them.

Organizations can fall victim to a ransomware attack through phishing emails, where an email will be sent with ‘bait’ that lures in victims, or drive-by downloading, where a user visits an infected website and inadvertently downloads the malware.

What is corporate ransomware?

Corporate ransomware is defined as a ransomware attack on a business or organization. Most ransomware attacks are on enterprise corporations, as they promise the greatest reward for cybercriminals, but the specifics vary from target to target.

There is a reason why cybercriminals tend to attack companies and not individuals – this has a lot to do with how ransomware spreads and the potential value of the crime. So, how does it spread? The malware is downloaded to a device when someone opens an email and/or clicks on a questionable URL - generally, a larger organization with more staff members (hence, more people clicking) presents more opportunities for ransomware to take hold. However, larger corporations may have stronger security operations in place, due to this higher attack risk, and since they also often have a bigger budget.

Bigger companies are also more at risk of a ransomware attack due to the value of their data. They are likely to have larger quantities of more sensitive data, so any disruption comes with greater operational costs. With this in mind, these corporations could be more likely to pay the ransom fee and pay a larger demand. For example, a ransomware attack on a hospital would likely garner a bigger ransom payment for a cyberthief than if they attacked a local florist.

Ransomware history

By most accounts, the history of ransomware begins in 1989 with a virus known as the ‘AIDS Trojan.’ In an attack orchestrated by biologist Joseph Popp, 20,000 disks containing a trojan virus were distributed at a World Health Organization’s AIDS conference. Once a machine was compromised, a ransom note demanding $189 to be sent to a PO box in Panama would appear on the screen.

Since the 80s, technology has advanced and cybercriminals no longer need to use a PO box to receive their fees. Ransoms are now requested in Bitcoin, and the malware is being adapted to become more dangerous and disruptive – including gaining worm-like qualities and innovating their infection techniques. Ransomware protections are also adapting to better defend networks against these increasingly sophisticated attacks.

Types of ransomware

There are several types of ransomware – with attacks targeting small and medium-sized businesses to large-scale corporations and government-run healthcare providers. The size of the ransom can vary as well, from hundreds of dollars to millions.

Cryptolocker ransomware

Cryptolocker has been around since 2013 and is thought to be the first example of ransomware following the original 1989 attack. With the introduction of cryptocurrencies in the 2010s, cybercriminals were able to demand ransoms via an untraceable payment method. Cryptolocker was the first ransomware attack that used advanced encryption and included a ransom note with directions to pay with Bitcoin.

The malware sustained an attack from September until the following May, in which it infected 250,000 devices, and the criminals collected at least $3 million. Cryptolocker is detectable by the ransom note that appears on the screen.

Ryuk ransomware

Ryuk ransomware originated in 2018 and was based on an existing Trojan horse program, Hermes, that was first knowingly used in 2017. While Hermes was used in an attack by a North Korean state-sponsored cybercrime group, it is now widely believed that the malware was developed in Russia.

In 2021, a new “worm-like” variant of Ryuk, one that can automatically travel across multiple devices as the program spreads copies of unique versions of itself, was detected.

WannaCry ransomware

Knowing your device has been infected by WannaCry ransomware is easy – you’ll see the line “Oops, your important files are encrypted.” The attack was first used in 2017, when more than 230,000 computers were infected in a day.

In each attack, cybercriminals charge $300 in bitcoin for the decryption of their files, with the ransom doubling if demands are not paid in time. WannaCry is also a worm-based malware that can automatically travel across networks.

Sodinokibi ransomware

Sodinokibi is a family of ransomware that targets Windows devices. When infected by Sodinokibi ransomware, also known as REvil, you will see a ransom note appear on the screen, demanding bitcoin to decrypt all your files. This malware targets everything on a device except what is listed in its configuration file. The malware was first used in 2019.

Dharma and Phobos ransomware

Also known as CrySiS, Dharma ransomware is known for attacking small to medium-sized businesses and demanding smaller ransoms to increase the likelihood of victims paying

The ransomware usually attacks via Remote Desktop Protocol and was first detected in 2016. The malware was the basis for the creation of Phobos ransomware, which works similarly.

Petya ransomware

Petya ransomware has to encrypt files to function, and while other malware may encrypt specific critical data, Petya can target your entire hard drive and prevent your device from turning on. The ransomware was first used in 2016 but made a name for itself in 2017 with a new variant known as GoldenEye.

Cerber ransomware

Cerber is an example of ransomware-as-a-service (RaaS), based on the software-as-a-service model. The malware creators license Cerber to other cybercriminals and in exchange, get a cut of the ransom payment. Once infected, a device will show the Cerber ransom note with the demands on the screen. The malware can also encrypt files on any unmapped network shares.

Locky ransomware

First detected in 2016, Locky ransomware spreads via emails. It is known for targeting an LA-based hospital and demanding $17,000. This was followed by attacks on numerous other healthcare organizations. However, there have been no high-profile attacks using Locky since that initial wave.

Ransomware case studies

Ransomware has had a huge impact on the digital world, having extracted billions of dollars from victims throughout the years. Let’s take a look at some of the biggest examples of the most disruptive and expensive ransomware attacks:

• September 2013, Cryptolocker: The Cryptolocker malware was released as the first ransomware to be called as such, following the AIDS Trojan in 1989. To stop this ransomware, the FBI and Interpol got involved.
• May 2017, NHS: During a global WannaCry attack, the UK’s National Health Service became victim to one of the most disruptive ransomware examples in the country. With the systems down, appointments were canceled and staff resorted to pen and paper. In total, the WannaCry attack infected 200,000 computers across 150 countries, costing $4 billion – £92 million ($120 million) for the NHS.
• March 2018, the city of Atlanta: This Georgian city’s government came under attack from SamSam ransomware in 2018. The government spent more money responding to the attack ($2.6 million) than the actual cost of the ransom (around $50,000).
• May 2019, the city of Baltimore: Hackers targeted the city of Baltimore in 2019 with a ransomware named RobbinHood, which attacked most of the city government’s computers. The criminals asked for 13 bitcoin ($76,280), saying the price would increase if not paid in four days, or all data would be permanently deleted after 10 days. Systems were eventually restored without the city paying the ransom.
• June 2020, the University of California San Francisco: The college paid $1.14 million after a month-long struggle with Netwalker ransomware. The initial ransom was $4 million, but the university negotiated the price down.
• September 2020, DUC: The Ryuk attack on Germany’s healthcare provider, Düsseldorf University Clinic, led to the death of a patient who was unable to access their required care.
• April 2021, Quanta: The recent ransomware attack using Sodinokobi saw the Macbook manufacturer Quanta face a ransom fee of $50 million. The company refused to pay the demand and the cybercriminals released Macbook information to the public.

The costs of a ransomware attack

Falling victim to a ransomware attack is bad news for your business’s finances - not just from the ransom itself, but you could also face fines from data privacy regulators or lose business due to the negative impact on customer trust.

According to Cybersecurity Ventures, the cost of global ransomware attacks alone is estimated at $20 billion in 2021, and a business is thought to be attacked by malware every 11 seconds. On top of that, European businesses are facing additional GDPR fines for poor security operations. In 2020, British Airways was faced with a £20 million ($26 million) fine from the regulator – however, the initial fine was £183 million ($239 million).

If loss of money isn’t enough, many businesses struggle with recovery – especially the smaller ones. Around 60% of small businesses close after falling victim to a data breach. In 2020, The Heritage Company, an Arkansas-based telemarketing firm closed following its 2019 ransomware data breach. Whether it’s the cost of managing the attack, the recovery operations, or the loss of clients, ransomware recovery can take its toll on a business.

How does a business get ransomware?

When a business lacks effective security measures, it becomes vulnerable to cyberattacks.

Lack of staff training is a key vulnerability for businesses. If employees don’t know how to spot a suspicious email, detect ransomware, and report an issue, they run the risk of infecting devices and the entire network. Staff may not be aware that their devices are susceptible to attacks, or the risks of ransomware for Macs or Linux ransomware. While these two operators may have reputations for stronger built-in security than Windows, they are still at risk of a cyberthreat.

Third-party apps can also be an entry point from which cybercriminals can penetrate your network. They may find it easier to access an app than your system, and use this opening to infect your devices with malware.

While staff may create vulnerabilities, a secure business will have a functioning antivirus tool in place that can protect against potential malicious software when accidentally downloaded. Software needs to be regularly updated (or ‘patched’) to fix bugs and address vulnerabilities – unpatched software could lead to cracks in your defenses.

How to prevent a ransomware attack

There are many effective ways to protect your business against a ransomware attack, and avoid becoming a target. As with many cyberattacks, criminals gain access to a network due to bad IT practices. These include:

• Insufficient staff training
• Weak credentials
• Granting too much access to third-party apps
• A lack of effective firewalls
• Not using an antivirus
• Not updating or patching software

This is why operational security is vital. Training staff and thorough credentials go hand-in-hand. Staff must be trained on how best to access the network, especially when working remotely, as well as how to spot phishing emails, report suspicious activity, and create strong passwords. All this should be outlined in a business continuity plan – and while prevention is better than cure, it also helps to have plans for IT disaster recovery and business continuity in place. Other key measures to prevent a ransomware attack include:

Signs your business has been hit by ransomware

There are many tell-tale signs that a computer has been compromised by ransomware – the most obvious one being the ransom note. Here are some other common indicators:

• Receiving spear-phishing and spoofing emails are a sign you’re being targeted by cybercriminals
  • Being victim to small-scale test cyberattacks that may not seem concerning could be cybercriminals finding vulnerabilities in your system before a large-scale attack is executed
• Your antivirus alerts you to suspicious activity
• You are notified of suspicious login attempts that you don’t recognize
• Noticing the appearance of new software on your network
  • Software removal programs, such as GMER, PC Hunter, and Process Hacker, are often used by cybercriminals to remove, for example, your Windows 10 ransomware protection
  • Applications such as Microsoft Process Explorer and MimiKatz can be used to steal credentials.

What to do if you are attacked

If you’ve been subject to a ransomware attack, here are the key steps to take:

1. Report the attack.Ensure that staff know how to recognize and alert the team to a cyberattack
2. Understand the situation at hand and detect the malware. Try to detect the malware that has infected your system so you best know how to protect yourself and/or act to remove it
3. Shut down the source of the infection. Source the device that was the initial point of attack and disconnect it from the network to reduce the risk of the malware spreading
4. Contain the attack. Disconnect any other devices on the network that could be vulnerable to the attack to stop the ransomware from spreading further
5. Attempt to decrypt the data and remove the ransomware. This should only be attempted by a confident security team or you could run the risk of making the situation worse
6. Use a third-party. A third-party specialist may be able to help recover your files so you don’t have to pay the ransom