Ransomware has been one of the scariest topics in cybersecurity for years – and for good reason.
Living up to its name, ransomware is a type of malware where a bad actor blocks access to data or applications until payment is received. In other words, it turns hackers into kidnappers of your information. And much like a kidnapping, there is no guarantee that paying the ransom will result in a happy ending.
It may sound like paranoia or something out of an episode of Black Mirror – and yes, they have done a ransomware episode.
But the truth is, these attacks have cost billions of dollars for organizations around the world. They often target organizations with sensitive data, such as governments, hospitals, and law firms. Any organization with an online presence should be aware of how ransomware works.
How do hackers use ransomware?
The first documented example of ransomware was the PC Cyborg trojan in 1989. It was an elaborate scheme involving a ludicrous amount of floppy disks, denying access to machines, and mailing cash to a PO Box in Panama. It may not have been the most efficient plan, but does show extortion has been on the mind of hackers for decades.
Modern ransomware uses the same kind of infection strategies as standard malware, including phishing, social engineering, and application security flaws. Another common installation technique is using malspam or malvertising. With malspam, the payload is disguised as an email. Malvertising has the bad actor injecting malicious code into advertisements on legitimate websites.
Once ransomware is installed, the bad actor can begin to reap their payoff. The exact strategy of ransomware varies, but it usually falls in one of these categories:
- Crypto Malware – The bad actor will encrypt files, folders, and drives. The victim will not be able to access their files until paying the ransom.
- Lockers: Hackers will block access to a device or application for ransom.
- Doxware: In this case, the bad actor has copied files and is threatening to share them. The victim may still have access to their files, but does not want sensitive content revealed.
Ransomware as a Service (RaaS)
Ransomware attacks may be a collaboration between a bad actor and a hacker working for a cut of the bounty. We call this Ransomware as a Service (RaaS).
In this case, the bad actor may have already gained access to an environment, but needs a third party to execute the malware campaign. They may not know how to pull off the ransomware attack on their own, or they need a tailored attack. Regardless, these collaborations often occur within threat actor groups.
Getting rid of ransomware
A ransomware attack is tricky. A victim is likely to face the difficult decision of paying off hackers to get their data back.
Even then, there is no guarantee the hacker will follow through on their word. Like any extortion attempt, there is no easy solution. The point of the attack is to put the victim in a difficult position that only a payoff can solve.
If your website was defaced by a ransomware campaign, the first you should do is try to apply backups. In the best case scenario, you’ll have off-site backups of your database and website going back at least one week. If the backups are good, make sure to change all your credentials after restoration. Then, consider working with a malware prevention company.
But if backups are not an option, you’re unfortunately not in a great position. You could pay, but as noted, there is no guarantee the bad actors will comply. You’ll need to consider the type of affected data. Depending on the sensitivity, you may want to contact a professional or law enforcement for help.
Preventing ransomware infection
Because ransomware can be difficult to remove, ongoing prevention is the best protection. Following general best practices for security can help prevent ransomware infection. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency recommends these precautions:
- Keep any applications and operating systems up to date.
- Never click on links or open attachments in unsolicited emails.
- Make regular off-site backups of data.
- Follow safe browsing practices on the internet – including using secure passwords.
On top of that, it is also good to look into any administrator privileges. Follow the practice of “least principle.” Remove admin privileges from any users who do not need them. This can help prevent malware attacks, including ransomware.
For more tips on protecting your website, check out our Website Security Guide.
While it is not recommended to pay the ransom, it is what happens in most large scale attacks. As ProPublica reported in 2019, insurers often prefer to pay the ransom, and cyber insurance is an estimated $7 billion- to $8 billion-a-year market in the U.S. alone. Despite claims that payouts make ransomware more enticing, the insurance business is booming.
As long as they are profitable, ransomware attacks are likely to continue. In the first quarter of 2019, the SamSam ransomware collected an estimated $1 million – and that’s just one type.
Hardening security helps to prevent ransomware attacks from succeeding. But depending on the sensitivity of the data on your website, you may want to consider further protection such as a Web Application Firewall (WAF).