In early December 2022, the André-Mignot teaching hospital (Centre Hospitalier de Versailles) in France was hit by a ransomware attack that forced it to overhaul its routines overnight. Critical patients were transferred to other hospitals, walk-in admissions were suspended and some surgeries were cancelled, leaving patients to ask their primary care physicians where to go and what to do.
Ransomware is extortion: the cyberspace equivalent of kidnapping, except that what is held hostage is data and systems rather than a person.
It works by "freezing" or forcibly withholding an asset, which can range from money to data, and demanding a ransom in exchange for its release.
The first known ransomware attack did not come from the IT industry and was not written by an IT expert. In 1989, Joseph Popp, an evolutionary biologist and AIDS researcher with a Harvard PhD, mailed more than 15,000 floppy disks to colleagues and conference attendees in some 90 countries.
The disks were labelled as an AIDS information program that estimated an individual's risk of contracting the disease. In fact they installed a trojan that lay dormant until the PC had been booted about 90 times.
At that point the payload activated, hid directories and scrambled file names on the C: drive, and displayed a demand for $189 for a one-year software "lease" or $378 for a lifetime one, payable to a post office box in Panama. Because the scrambling used a simple symmetric scheme, tools to undo it appeared quickly.
Since then, ransomware has become one of the most common cybercrimes worldwide. Statista counted about 236 million ransomware attacks in the first half of 2022 alone, and more than 75 new families were identified during the year.
At its core, a ransomware attack involves three steps:
- Seizing control of data, software, a system, or a network
- Demanding a ransom payment, or another concession, in exchange for the hostage assets
- Providing a key, code, or decryption tool so the victim can access the assets again, if the attacker honours the deal
That is the gist. Max M. North and Ronny Richardson of Kennesaw State University describe at least two types of ransomware:
1. Locker Ransomware
The concept is simple: lock the victim out of the device, typically by replacing the screen with a ransom note, until someone pays up. In the early days of ransomware this was the preferred method. It was quick to build, and most victims did not know how to recover without paying the perpetrators.
However, as defenders learned more about ransomware, they found that the lock was shallow. Locker ransomware leaves the files themselves untouched, so a company could remove the hard drive, attach it to a clean PC and copy the data off, or boot from rescue media and delete the malware.
For this reason, locker ransomware became less effective, and criminals looked for a more foolproof way of extracting money. This brings us to the second type.
2. Crypto Ransomware
Crypto ransomware infects the system, encrypts the victim's files (usually with a per-file symmetric key that is itself encrypted with the attacker's public key) and then displays the ransom demand. Unlike locker ransomware, where the data remains untouched, the files stay unreadable even after the malware is removed: only the decryption key held by the attacker, or a restore from backup, brings them back, and paying is no guarantee of receiving a working decryptor. The one small mercy is that most variants deliberately skip operating system files so the machine still boots and can display the ransom note.
How does ransomware end up on someone's computer? There are several scenarios:
- The attack may be an inside job. For instance, a disgruntled employee uses legitimate access to the company network to plant the ransomware.
- Phishing emails carry malicious links or attachments that install the malware when someone opens them.
- Criminals exploit known vulnerabilities in internet-facing software, especially at organizations that do not apply security patches promptly, or simply log in with stolen or weak remote-access credentials (VPN, RDP).
Most notorious ransomware attacks used the last two entry points. Take CryptoLocker, for example.
The campaign, which ran from September 2013 to May 2014, delivered a trojan to Windows PCs via email attachments and the Gameover ZeuS botnet (a network of computers already infected with malicious software).
The 2017 WannaCry worm, which spread to some 150 countries and disrupted the NHS for days, instead exploited an operating system flaw: the SMBv1 vulnerability known as EternalBlue, which Microsoft had patched two months earlier (MS17-010). Many NHS trusts were still running unpatched or out-of-support Windows versions, including Windows XP, for which Microsoft had ended support in 2014.
During the early days of ransomware, the attackers were individuals. Joseph Popp is the archetype.
Eventually, organized groups of skilled cybercriminals took over the landscape. This gave rise to ransomware-as-a-service (RaaS).
In short, RaaS is a business model that pairs the developers of ransomware and its supporting tooling with affiliates who deploy it.
Cybercriminal groups develop the malware, its variants and the other materials needed for an attack. They also operate the payment infrastructure, typically cryptocurrency wallets, where ransoms are collected.
They then recruit affiliates who can spread the ransomware over a wide geographical area and hit more victims in less time. The operators pay affiliates a commission on each successful ransom.
RaaS attacks have become more prevalent due to the ease with which individuals can obtain and use ransomware. In the past, creating a ransomware program required a certain level of technical expertise. However, with the advent of RaaS, even individuals with little to no technical knowledge can purchase and use a ransomware program to carry out attacks.
One reason RaaS appeals to cybercriminals is the profit on both sides. In a typical arrangement, the operator who wrote the ransomware takes a cut of each ransom, often 20 to 30 percent, while the affiliate who carried out the attack keeps the rest. Both parties profit from every successful attack.
In the early years of ransomware, the payment methods were rudimentary. The attacker might send a note by text or display an on-screen message with instructions to wire the ransom through Western Union or mail it to a post office box.
Those channels left a money trail that investigators could follow, so they are no longer the standard.
Instead, perpetrators now demand cryptocurrency, chiefly Bitcoin and increasingly Monero, giving another meaning to "crypto" ransomware.
How does it work?
The attacker presents the victim with a ransom note containing payment instructions, usually a Bitcoin address and the amount due in BTC, and often a Tor site for negotiation and "support".
If the victim pays, the attacker is supposed to hand over a decryption key or tool that restores access to the data. Nothing compels them to: some victims receive nothing, or a decryptor that is slow, buggy or incomplete. The decryptor also does not clean the machine; the malware, and whatever foothold delivered it, still has to be removed.
Cryptocurrency works to the perpetrators' advantage in several ways, though not quite in the way folklore has it:
- It is decentralized, so no bank or payment processor can freeze, reverse or refuse the transfer.
- Transactions are pseudonymous rather than anonymous. Bitcoin's ledger is public, so chain-analysis firms and law enforcement can follow the funds; the US Department of Justice recovered most of the Colonial Pipeline ransom that way. Attackers rely on mixers, chain hopping and lax exchanges to break the trail.
- The currency can be converted into cash quickly and across borders, letting the criminals move money out of reach before the trail is followed.
With nearly 35 years elapsed since the first recorded ransomware attack, it is no surprise that there have been some major incidents. These include:
CryptoLocker was first detected in September 2013. Its operators are estimated to have extorted about $3 million in total.
CryptoLocker was particularly effective because it combined strong public-key encryption (RSA-2048) with social engineering and a countdown deadline that pressured victims to pay. Many victims, fearing the loss of their important files, chose to pay to regain access to their data.
Despite its effectiveness, CryptoLocker was eventually shut down by law enforcement. In June 2014, the United States Department of Justice announced that an international operation had seized control of the Gameover ZeuS servers that distributed it.
However, the mastermind, Evgeniy Mikhailovich Bogachev, remains at large with an FBI reward of, interestingly, $3 million.
The May 2021 Colonial Pipeline attack hit the largest refined-products pipeline in the US. The attackers, DarkSide affiliates believed to operate from Russia, got in not through a software vulnerability but with the leaked password of a legacy VPN account that had no multi-factor authentication.
The ransomware hit the company's IT network, including its billing systems. Colonial nonetheless shut down pipeline operations, because it could not immediately rule out the attack spreading to the operational technology that controls the pipeline, and could not bill for fuel it delivered.
The shutdown was devastating because it cut fuel supply to much of the US East Coast. Panic buying emptied gas stations and frustrated motorists trying to fill up, and some airlines had to adjust flights around fuel shortages.
Colonial paid about $4.4 million in Bitcoin (75 BTC) for the decryption tool, which proved so slow that the company relied largely on its own backups. The US Department of Justice later seized 63.7 BTC of the ransom.
The June 2020 attack on the University of California, San Francisco (UCSF) was significant for two reasons. First, it came at the height of the COVID-19 pandemic. Second, it was one of a string of attacks that year on healthcare and research institutions, particularly those attached to universities.
In this instance, the Netwalker gang penetrated part of the UCSF School of Medicine's IT environment. The criminals did not reach patient records, but they encrypted servers holding academic research, and the university eventually paid a ransom of about $1.14 million to get the data back.
As more devices become interconnected, the risk of becoming a ransomware victim increases. Organizations and individuals can take proactive steps to minimize their exposure:
One of the best ways to prevent ransomware infections is to keep your operating system and all the software you use up to date with the latest security patches. Enable automatic updates where possible so none are missed, and prioritize internet-facing systems such as VPN gateways, remote desktop and mail servers.
Along with this, write a patch management plan. This document covers:
- People or roles authorized to update the applications
- Schedules to perform the updates
- Monitoring and verification of the patch installation process
- The current patch status of every asset, which presupposes an up-to-date asset inventory
Firewalls act as a barrier between your network and the internet, blocking connections you have not explicitly allowed. Configure yours correctly (deny by default, and never expose RDP or SMB directly to the internet), segment internal networks so that one infected machine cannot reach everything, and install firmware updates as soon as they are released.
Your employees should be aware of the dangers posed by ransomware and understand their role in protecting the business from infection. Provide regular cyber security awareness training to all staff, with emphasis on recognizing phishing emails, malicious links and suspicious websites.
Develop bring-your-own-device (BYOD) and IT security policies that employees learn during onboarding, and refresh the training whenever new threats or guidance appear.
Back up your data regularly and keep at least one copy offline or otherwise immutable, as modern ransomware deliberately seeks out and encrypts or deletes any backups it can reach, including shadow copies. Test restores periodically: a backup you have never restored from is not a backup. Verified backups also mean you are not pressured into paying a ransom if your systems are infected.
Multi-factor authentication (MFA) requires users to present two or more independent credentials to gain access. It adds a layer that a stolen password alone cannot pass, which matters because stolen credentials are a common entry point.
Examples include a one-time code from an authenticator app or sent by SMS, a USB security key, or a fingerprint. Phishing-resistant methods such as FIDO2 security keys are the strongest; SMS codes are the weakest, but still far better than a password alone.
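The one-time codes mentioned above are usually TOTP (RFC 6238): an HMAC over the current 30-second time step, truncated to six or eight digits. The following is an added example, not code from the original article, showing both the code generation and the server-side check that a practitioner actually has to get right: tolerating one step of clock drift while refusing to accept the same code twice. The shared secret is the RFC 6238 test-vector secret, so the printed values can be checked against the standard; everything else (class and function names, the drift policy) is this example's own choice.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """Server-side check that tolerates one step of clock drift and refuses replays.

    A code is accepted for the current step or the steps immediately before and after
    it, but never for a step at or below the last step that was successfully used, so a
    phished or shoulder-surfed code cannot be submitted a second time.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_counter = -1                      # highest step already consumed

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for offset in range(-self.drift, self.drift + 1):
            candidate = counter + offset
            if candidate <= self.last_counter:      # already used, or older than a used one
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = candidate
                return True
        return False


# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
# A real deployment generates a random secret per user and enrols it via a QR code.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(RFC_SECRET, digits=8)
    code = totp(RFC_SECRET, 59, digits=8)           # "94287082" per RFC 6238
    print("code:", code)
    print("first use accepted:", verifier.verify(code, now=59))
    print("replay rejected:", verifier.verify(code, now=75))
```

The replay guard is the part most home-grown implementations omit: without it, a code intercepted by a phishing proxy remains valid for up to 90 seconds, which is exactly the window such proxies exploit. Note also that `last_counter` has to live in shared server state (a database row per user), not in memory on one node.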
Monitoring network and authentication activity helps you detect a ransomware intrusion early, ideally during the hours or days attackers spend inside the network before they encrypt anything. Use a SIEM (Security Information and Event Management) system to collect and correlate logs in near real time. It can surface suspicious activity such as brute-force login attempts, a successful login right after a burst of failures, traffic to known malicious IP addresses, or unusual lateral movement.
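To make the two SIEM detections named above concrete, here is an added example (not code from the original article, and not any vendor's rule syntax) that runs three correlation rules over a handful of constructed syslog-style lines: a threat-intelligence blocklist match, a brute-force burst from one source, and the higher-severity case of a success following that burst. The log format, the blocklist and the thresholds are assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-style, RFC 5737 documentation addresses), not real data.
SAMPLE_LOGS = """\
2023-03-01T08:00:01Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51234 ssh2
2023-03-01T08:00:03Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51236 ssh2
2023-03-01T08:00:04Z sshd[1201]: Failed password for root from 203.0.113.7 port 51240 ssh2
2023-03-01T08:00:06Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51241 ssh2
2023-03-01T08:00:07Z sshd[1201]: Failed password for backup from 203.0.113.7 port 51244 ssh2
2023-03-01T08:00:09Z sshd[1201]: Accepted password for admin from 203.0.113.7 port 51250 ssh2
2023-03-01T08:05:00Z sshd[1202]: Failed password for alice from 192.0.2.10 port 40000 ssh2
2023-03-01T08:30:00Z sshd[1203]: Accepted publickey for alice from 192.0.2.10 port 40010 ssh2
2023-03-01T09:00:00Z firewall: OUT tcp 10.0.0.5:51000 -> 198.51.100.23:443 allowed
"""

# Hypothetical threat-intelligence blocklist; a SIEM would load this from a feed.
KNOWN_BAD_IPS = {"198.51.100.23"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(line: str):
    """Split a log line into timestamp, source process and message; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "proc": m["proc"], "msg": m["msg"]}


def detect(lines, threshold=5, window=timedelta(minutes=1), bad_ips=KNOWN_BAD_IPS):
    """Return (rule, subject, timestamp) alerts for brute force and known-bad traffic.

    Rule 1: any line mentioning an IP on the blocklist.
    Rule 2: `threshold` failed logins from one IP inside `window` (reported once per IP).
    Rule 3: a successful login from an IP that just failed `threshold` times; this is the
            signal that matters most, because it means the password was found.
    """
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    reported = set()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for ip in IP_RE.findall(ev["msg"]):
            if ip in bad_ips:
                alerts.append(("known_bad_ip", ip, ev["ts"]))

        auth = AUTH_RE.search(ev["msg"])
        if auth is None:
            continue
        ip, recent = auth["ip"], failures[auth["ip"]]
        while recent and ev["ts"] - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if auth["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ip not in reported:
                reported.add(ip)
                alerts.append(("brute_force", ip, ev["ts"]))
        elif len(recent) >= threshold:
            alerts.append(("brute_force_success", f"{auth['user']}@{ip}", ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, ts in detect(SAMPLE_LOGS.splitlines()):
        print(f"{ts:%H:%M:%S}  {rule:<20} {subject}")
```

Run against the sample, the script raises one alert per rule: the burst from 203.0.113.7, the admin login that follows it, and the outbound connection to the blocklisted address. The sliding window is what keeps a single mistyped password (alice) from paging anyone; in production the thresholds would be tuned per source and the success-after-failures rule would trigger an automatic account lock.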
Ransomware protection software is designed to detect, block and ideally roll back ransomware activity. It combines signature-based detection of known samples with behavior-based techniques that recognize hostile activity such as malware downloads, deletion of shadow copies, or a process rapidly rewriting many files with high-entropy (encrypted-looking) content and renaming them to an unfamiliar extension. Deploying it reduces the risk considerably, though it is not a substitute for patching and backups.
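What "behavior-based" means in practice is easier to see in code. The following added example (this is illustrative code, not the original article's, and not any product's engine) scores each process on three signals from a stream of constructed file-system events: a burst of writes whose Shannon entropy is near 8 bits per byte, a burst of renames to an extension outside an allow-list, and the appearance of a ransom-note file. The event format, the extension list, the ransom-note heuristic and the thresholds are all assumptions chosen for the demonstration; the ciphertext stand-in is deterministic SHA-256 output so the run is reproducible.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict

# Extensions a normal user process might legitimately write; a rename *to* anything else
# counts as suspicious. A real product would use a much larger list (hypothetical here).
KNOWN_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".zip", ".bak", ".tmp"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8, English text near 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: str) -> bool:
    """Heuristic: text/HTML file whose name promises to decrypt, recover or restore."""
    name = os.path.basename(path).upper()
    return name.endswith((".TXT", ".HTML", ".HTA")) and any(
        word in name for word in ("DECRYPT", "RECOVER", "RESTORE"))


def max_events_in_window(times, window_s: float) -> int:
    """Largest number of timestamps that fall inside any window_s-second span."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(events, window_s: float = 60.0, min_hits: int = 5, entropy_cutoff: float = 7.5):
    """Score each process on behaviours typical of encryption in progress."""
    per_pid = defaultdict(lambda: {"hi": [], "ren": [], "note": False})
    for ev in events:
        s = per_pid[ev["pid"]]
        if ev["op"] == "write":
            if shannon_entropy(ev["data"]) > entropy_cutoff:
                s["hi"].append(ev["ts"])
            if looks_like_ransom_note(ev["path"]):
                s["note"] = True
        elif ev["op"] == "rename":
            old_ext = os.path.splitext(ev["path"])[1].lower()
            new_ext = os.path.splitext(ev["new_path"])[1].lower()
            if new_ext != old_ext and new_ext not in KNOWN_EXTS:
                s["ren"].append(ev["ts"])

    verdicts = {}
    for pid, s in per_pid.items():
        hi = max_events_in_window(s["hi"], window_s)
        ren = max_events_in_window(s["ren"], window_s)
        burst = hi >= min_hits and ren >= min_hits     # both signals together: encrypt + rename
        verdicts[pid] = {
            "high_entropy_writes": hi,
            "extension_changes": ren,
            "ransom_note": s["note"],
            "suspicious": bool(burst or (s["note"] and (hi or ren))),
        }
    return verdicts


def pseudo_random(n: int, seed: str) -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output, entropy ~7.95 bits/byte."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:n]


def sample_events():
    """Constructed file-system events: pid 4242 behaves like ransomware, pid 1001 is benign."""
    text = b"Minutes of the March planning meeting. Action items follow.\n" * 60
    events = [
        {"pid": 1001, "op": "write", "ts": 10.0, "path": "/home/u/docs/notes.txt", "data": text},
        {"pid": 1001, "op": "write", "ts": 20.0, "path": "/home/u/docs/backup.zip",
         "data": pseudo_random(2048, "zip")},                # compressed: high entropy, no rename
        {"pid": 1001, "op": "rename", "ts": 21.0, "path": "/home/u/docs/draft.tmp",
         "new_path": "/home/u/docs/draft.docx"},             # rename to a known extension
    ]
    for i in range(8):
        path = f"/home/u/docs/report{i}.docx"
        events.append({"pid": 4242, "op": "write", "ts": 100.0 + i, "path": path,
                       "data": pseudo_random(4096, path)})
        events.append({"pid": 4242, "op": "rename", "ts": 100.5 + i, "path": path,
                       "new_path": path + ".locked"})
    events.append({"pid": 4242, "op": "write", "ts": 109.0,
                   "path": "/home/u/docs/HOW_TO_RECOVER_FILES.txt", "data": text})
    return events


if __name__ == "__main__":
    for pid, verdict in analyze(sample_events()).items():
        print(pid, verdict)
```

The benign process shows why a single signal is not enough: writing a ZIP file is a high-entropy write too, so the rule requires the entropy burst and the rename burst together (or a ransom note alongside either). A real agent would additionally watch for shadow-copy deletion and would suspend the offending process on the first verdict rather than report after the fact.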
Email is one of the most common ransomware vectors, so be careful with attachments. Treat an unexpected attachment, especially one from an unknown sender or with a suspicious or doubled file extension (invoice.pdf.exe), as hostile: do not open it, and report it to your security team rather than simply deleting it, so they can check whether other mailboxes received the same message.
Attackers also disguise payloads as images or pack them into archives and disk images (ZIP, ISO), which can slip past spam filters. In those cases, scan the file with up-to-date antivirus before opening it, and never unpack a password-protected archive whose password arrived in the same email.
The zero-trust approach to security is based on the principle "never trust, always verify": no user, device or service is trusted because of where it sits on the network. Every request must be authenticated and authorized, and access is limited to what that identity needs. Implemented well, this limits ransomware by making it hard for an intruder on one machine to reach file shares, backups and domain controllers across the network.
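The attachment checks above can be automated at the mail gateway or in a triage script. The following added example (illustrative code, not from the original article or any mail product) parses a raw message with Python's standard `email` package, and for each attachment flags executable, macro-enabled and archive extensions, double extensions, and a mismatch between the declared Content-Type and the file's magic bytes, which is how a "picture" that is really a Windows executable is caught. The extension lists, the magic table and the sample message are constructed for the demonstration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension classes (hypothetical, trimmed lists; a mail gateway would carry far more).
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".msi", ".js", ".jse", ".vbs", ".wsf", ".hta",
                   ".bat", ".cmd", ".ps1", ".lnk", ".jar", ".iso", ".img", ".vhd", ".vhdx"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".gz", ".tar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Magic bytes used to sniff the real type regardless of name or declared Content-Type.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "pe": b"MZ",          # Windows executable (.exe, .scr, .dll)
}


def sniff(data: bytes) -> str:
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def check_attachment(filename: str, content_type: str, data: bytes) -> list:
    """Return human-readable reasons an attachment deserves suspicion (empty list = clean)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable/script/disk-image extension {ext}")
    if ext in MACRO_EXTS:
        reasons.append("macro-enabled Office document")
    if ext in ARCHIVE_EXTS:
        reasons.append("archive: unpack and inspect; password-protected archives defeat scanners")
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension disguises the real file type")
    kind = sniff(data)
    if kind == "pe":
        reasons.append("payload starts with an MZ header (Windows executable)")
    # A mismatch between declared type and real bytes is a strong tell. The small magic
    # table above means rarer image formats (BMP, WebP) would also land here: tune for your mail.
    if content_type.startswith("image/") and kind not in ("png", "jpeg", "gif"):
        reasons.append(f"declared {content_type} but content sniffs as {kind}")
    if content_type == "application/pdf" and kind != "pdf":
        reasons.append(f"declared {content_type} but content sniffs as {kind}")
    return reasons


def inspect_attachments(raw_message: bytes) -> dict:
    """Parse a raw RFC 5322 message and check every attachment; {filename: [reasons]}."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings[name] = check_attachment(name, part.get_content_type(),
                                          part.get_payload(decode=True) or b"")
    return findings


def build_sample_email() -> bytes:
    """Constructed test message with one clean and three hostile-looking attachments."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60          # PE header stub, not a real executable
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "accounts@example.com", "user@example.net", "Invoice"
    msg.set_content("Please find the documents attached.")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(fake_pe, maintype="image", subtype="png", filename="photo.png")
    msg.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application", subtype="zip",
                       filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in inspect_attachments(build_sample_email()).items():
        print(name, "->", reasons or ["clean"])
```

Checking magic bytes rather than trusting the filename or Content-Type is the important habit: both of those are attacker-controlled, the first few bytes of the payload are not. Note that Office documents are ZIP containers, so `sniff` reports `.docm` as `zip`; the macro check is by extension because the real test (parsing `vbaProject.bin` out of the container) is beyond this example.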
Having a well-defined incident response plan is one of the most important steps you can take to protect your business against ransomware. The plan should cover detecting, containing (isolating infected hosts, disabling compromised accounts, cutting off backups from the network), eradicating and recovering from an attack, and it should be rehearsed in tabletop exercises. Establish clear roles and responsibilities for each team member, including who decides whether a ransom is ever paid.
If your business is hit, involve the authorities, such as the FBI in the US or the NCSC in the UK. They can provide timely support and advice on responding, recovering and limiting the damage, and may already hold a decryptor for the strain involved. Also notify customers and other individuals whose data may have been affected, as data-protection laws in many jurisdictions require.
Ransomware is a serious threat that can devastate organizations of any size. The strategies outlined in this article will not make an attack impossible, but they make one far less likely and far less damaging. Implementing them now is much cheaper than recovering from an incident later.