Ransomware is a type of malicious software (malware) that threatens to publish or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker. In many cases, the ransom demand comes with a deadline. If the victim doesn’t pay in time, the data is gone forever or the ransom increases.
Ransomware attacks have become all too common. Major companies in North America and Europe alike have fallen victim to it. Cybercriminals attack any consumer or business in any industry.
Several government agencies, including the FBI, advise against paying the ransom to keep from encouraging the ransomware cycle, as does the No More Ransom Project. Furthermore, half of the victims who pay the ransom will likely suffer from repeat ransomware attacks, especially if it’s not cleaned from the system.
History of Ransomware Attacks
Ransomware can be traced back to 1989, when the “AIDS virus” was used to extort funds from the people who received it. Payments for that attack were mailed to Panama, after which a decryption key was sent back to the victim.
In 1996, Columbia University's Moti Yung and Adam Young introduced the form of ransomware known as “cryptoviral extortion.” This idea, born in academia, illustrated how the strength of modern cryptographic tools could be turned against the very users they were meant to protect. Young and Yung presented the first cryptovirology attack at the 1996 IEEE Security and Privacy Conference. Their virus carried the attacker’s public key and encrypted the victim’s files. The malware then prompted the victim to send the resulting asymmetric ciphertext to the attacker, who could decipher it with the matching private key and return the decryption key, for a fee.
Attackers have grown creative over the years by requiring payments that are nearly impossible to trace, which helps cybercriminals remain anonymous. For example, the notorious mobile ransomware Fusob requires victims to pay using Apple iTunes gift cards instead of standard currencies, like dollars.
Ransomware attacks began to soar in popularity with the growth of cryptocurrencies, such as Bitcoin. Cryptocurrency is a digital currency that uses encryption techniques to verify and secure transactions and control the creation of new units. Beyond Bitcoin, there are other popular cryptocurrencies that attackers prompt victims to use, such as Ethereum, Litecoin, and Ripple.
Ransomware has attacked organizations in nearly every vertical, one of the most widely reported incidents being the attack on Presbyterian Memorial Hospital. That attack disrupted labs, pharmacies and emergency rooms, highlighting the potential damage and risks of ransomware.
Social engineering tactics have also grown more inventive over time. The Guardian reported on a campaign in which new ransomware victims were told to get two other users to install the malware through the link and pay a ransom in order to have their own files decrypted.
Types of Ransomware
The growing prevalence of ransomware has brought about increasingly complex ransomware attacks.
- Scareware: This common type of ransomware deceives users by displaying a fake warning message claiming malware has been detected on the victim's computer. These attacks are often disguised as an antivirus solution demanding payment to remove the nonexistent malware.
- Screen lockers: These programs are designed to lock the victim out of their computer, preventing them from accessing any files or data. A message is typically displayed that demands payment to unlock it.
- Encrypting ransomware: Also called “crypto-ransomware,” this common ransomware encrypts the victim's files and demands payment in exchange for a decryption key.
- DDoS extortion: A Distributed Denial of Service extortion threatens to launch a DDoS attack against the victim's website or network unless a ransom payment is fulfilled.
- Mobile ransomware: As the name suggests, mobile ransomware targets devices like smartphones and tablets and demands payment to unlock the device or decrypt the data.
- Doxware: While less common, this sophisticated type of ransomware threatens to publish sensitive, explicit, or confidential information from the victim's computer unless a ransom is paid.
- Ransomware-as-a-Service (RaaS): Cybercriminals offer ransomware programs to other hackers or cyber-attackers, who use those programs to target victims.
These are just some of the most common types of ransomware. As cybercriminals adapt to cybersecurity strategies, they pivot to new and innovative ways to exploit vulnerabilities and breach computer systems.
Examples of Ransomware
By studying the major ransomware attacks below, organizations gain a solid understanding of attackers’ tactics, exploits, and characteristics. While ransomware code, targets, and functions continue to vary, innovation in attacks is typically incremental.
- WannaCry: An exploit against a powerful Microsoft vulnerability was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a kill switch was tripped to stop its spread. Proofpoint was involved in identifying the sample used to find the kill switch and in deconstructing the ransomware.
- CryptoLocker: An early current-generation ransomware that required cryptocurrency (Bitcoin) for payment and encrypted a user’s hard drive and attached network drives. CryptoLocker spread via emails with attachments posing as FedEx and UPS tracking notifications. A decryption tool was released in 2014, but various reports suggest that upwards of $27 million had been extorted by CryptoLocker by then.
- NotPetya: Considered one of the most damaging ransomware attacks, NotPetya borrowed tactics from its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows-based system. NotPetya exploited the same vulnerability as WannaCry to spread rapidly and demanded payment in Bitcoin to undo its changes. Some have classified it as a wiper, since NotPetya cannot actually undo its changes to the master boot record and renders the target system unrecoverable.
- Bad Rabbit: Considered a cousin of NotPetya, using similar code and exploits to spread, Bad Rabbit was a highly visible ransomware that appeared to target Russian and Ukrainian media companies. Unlike NotPetya, Bad Rabbit did allow decryption if the ransom was paid. Most cases indicated that it spread via a fake Flash Player update delivered through a drive-by attack.
- REvil: REvil is authored by a group of financially motivated attackers. It exfiltrates data before encryption so that victims who refuse to pay for decryption can be blackmailed with the threat of publication. In the Kaseya incident, attackers compromised IT management software used to patch Windows and Mac infrastructure and used it to push the REvil ransomware onto corporate systems.
- Ryuk: Ryuk is a manually distributed ransomware mainly delivered through spear-phishing. Targets are carefully chosen using reconnaissance, email messages are sent to the chosen victims, and all files hosted on the infected system are then encrypted.
- According to Sophos’s The State of Ransomware 2022 report, ransomware attacks affected 66% of organizations in 2021, a dramatic year-over-year increase of 78% compared to 2020.
- Proofpoint’s 2023 State of the Phish report found that 64% of organizations surveyed said they were affected by ransomware in 2022, and more than two-thirds of this group reported multiple incidents. Experts also speculate that the actual number of incidents and associated losses in that year were much higher than reported.
- The healthcare industry continues to be the most targeted by ransomware, with a ransom payment rate of 85%. However, educational institutions have experienced the greatest increase (28% in 2021) in ransomware attacks, according to BlackFog’s 2022 Ransomware Report.
- Windows systems represented the vast majority of systems affected, accounting for 95% of ransomware attacks, according to Google's VirusTotal service.
- According to Cybersecurity Ventures, ransomware attacks are expected to cost victims over $265 billion in annual damages by 2031.
Aligned with the latest statistics, ransomware trends continue to evolve. Some of the most compelling trends worth noting include:
- Increased globalized threats
- More targeted and sophisticated attacks
- Growth in multistage extortion techniques
- Higher frequency of ransomware breaches
- Ransom prices plateau as security postures strengthen
Government intervention is another major trend that could shift how ransomware attacks are handled. Gartner predicts 30% of global governments will likely enact ransomware payment legislation by 2025.
The average discount on ransomware payments appears to be increasing as well. Based on the latest ransomware trends, victims can expect a discount of between 20% and 25% on ransom payments, with some seeing discounts of up to 60%.
How Ransomware Works
Ransomware is a type of malware designed to extort money from its victims, who are blocked or prevented from accessing data on their systems. The two most prevalent types of ransomware are “encryptors” and “screen lockers.” Encryptors, as the name implies, encrypt data on a system, making the content useless without the decryption key. Screen lockers, on the other hand, simply block access to the system with a “lock” screen, asserting that the system is encrypted.
Figure 1: How Ransomware tries to trick a victim into installing it
Victims are often notified on a lock screen (common to both encryptors and screen lockers) to purchase a cryptocurrency, like Bitcoin, to pay the ransom fee. Once the ransom is paid, victims receive the decryption key and may attempt to decrypt their files. Decryption is not guaranteed, as multiple sources report varying degrees of success with decryption after paying ransoms. Sometimes victims never receive the keys. Some attackers install additional malware on the computer system even after the ransom is paid and the data is released.
While initially focused on personal computers, encrypting ransomware has increasingly targeted business users, as businesses often pay more than individuals to unlock critical systems and resume daily operations.
Enterprise ransomware infections or viruses typically start with a malicious email. An unsuspecting user opens an attachment or clicks on a malicious or compromised URL.
At that point, a ransomware agent is installed and encrypts critical files on the victim’s PC and any attached file shares. After encrypting the data, the ransomware displays a message on the infected device explaining what happened and how to pay the attackers. If the victims pay, the ransomware promises they’ll get a code to unlock their data.
Who Is at Risk?
Any device connected to the internet risks becoming the next ransomware victim. Ransomware scans a local device and any network-connected storage, which means a vulnerable device makes the local network a potential victim. If the local network is a business, the ransomware could encrypt important documents and system files that could halt services and productivity.
If a device connects to the internet, it should be updated with the latest software security patches, and it should have anti-malware installed that detects and stops ransomware. Outdated operating systems such as Windows XP that are no longer maintained are at a much higher risk.
Ransomware’s Impact on Business
A business that falls victim to ransomware can lose thousands of dollars in productivity and data loss. Attackers with access to data blackmail victims into paying the ransom by threatening to release data and expose the data breach. Organizations that do not pay fast enough could experience additional side effects such as brand damage and litigation.
Since ransomware stops productivity, the first step is containment. After containment, the organization can either restore from backups or pay the ransom. Law enforcement gets involved in investigations, but tracking ransomware authors requires research time that delays recovery. Root-cause analysis identifies the vulnerability, but any delays in recovery impact productivity and business revenue.
Why Is Ransomware Spreading?
With more people working from home, threat actors have increased their use of phishing. Phishing is a primary starting point for ransomware infection. The phishing email targets employees, both low- and high-privileged users. Email is inexpensive and easy to use, making it convenient for attackers to spread ransomware.
Documents are routinely exchanged by email, so users think nothing of opening a file attached to a message. When that attachment carries a malicious macro, the macro runs, downloads the ransomware to the local device and then delivers its payload. This ease of spreading by email is why ransomware is such a common malware attack.
The availability of malware kits has also contributed to widespread ransomware attacks. These exploit kits scan devices for software vulnerabilities and deploy additional malware to further infect a device, producing new malware samples on demand. Malware-as-a-service trends have fueled the popularity of these kits.
Who Are the Malicious Actors?
Sophisticated attacks may use ransomware written by authors who build their own versions. Variants reuse the codebase of an existing ransomware family and alter just enough of its functions to change the payload and method of attack. Ransomware authors can customize their malware to perform any action and to use a preferred encryption cipher.
Attackers are not always authors. Some ransomware authors sell their software to others or lease it for use. Ransomware can be leased as malware-as-a-service (MaaS), where customers authenticate into a dashboard and launch their own campaign. Therefore, attackers are not always coders and malware experts. They are also individuals who pay authors to lease their ransomware.
Why You Shouldn’t Pay Ransomware
After ransomware encrypts files, it displays a screen to the user announcing files are encrypted and the ransom amount. Usually, the victim is given a specific period of time to pay or the ransom increases. Attackers also threaten to expose businesses and publicly announce that they were victims of ransomware.
The biggest risk of paying the ransom is never receiving the keys needed to decrypt the data. Most experts advise against paying the ransom, so as not to perpetuate the monetary benefit to attackers, but many organizations have no choice. Ransomware authors require cryptocurrency payments so that the money transfer cannot be reversed.
- Determine which systems are impacted. You must isolate systems so that they cannot affect the rest of the environment. This step is part of containment to minimize damage to the environment.
- Disconnect systems and power them down if necessary. Ransomware spreads rapidly on the network, so affected systems must be disconnected by disabling network access or powering them down.
- Prioritize the restoration of systems. This ensures that the most critical ones are returned to normal first. Typically, priority is based on productivity and revenue impact.
- Eradicate the threat from the network. Attackers might use backdoors, so eradication must be done by a trusted expert. The expert needs access to logs to perform a root-cause analysis that identifies the vulnerability and all impacted systems.
- Have a professional review the environment for potential security upgrades. It’s common for a ransomware victim to be a target for a second attack. Undetected vulnerabilities can be exploited again.
A primary cause for the increase of threats using ransomware is remote work. The pandemic introduced a new way of working globally. An at-home workforce is much more vulnerable to threats. Home users do not have the enterprise-level cybersecurity necessary to protect against sophisticated attacks, and many of these users commingle their personal devices with work devices. Since ransomware scans the network for vulnerable devices, personal computers infected with malware can also infect network-connected business machines.
Ransomware Prevention and Detection
Prevention of ransomware attacks typically involves setting up and testing backups as well as applying ransomware protection in security tools. Security tools such as email protection gateways are the first line of defense, while endpoints are a secondary defense. Intrusion Detection Systems (IDSs) can detect ransomware command-and-control traffic and alert when an infected system calls out to a control server. While user training is critical, it is just one of several layers of defense against ransomware, and it typically comes into play only after the ransomware has been delivered via email phishing.
In case other ransomware preventive defenses fail, a fallback measure is to stockpile Bitcoin. This is more prevalent where immediate harm could impact customers or users at the affected organization. Hospitals and the hospitality industry are at particular risk of ransomware, as patients’ lives could be affected or people could be locked in or out of facilities.
How to Prevent Ransomware Attacks
- Defend your email against Ransomware: Email phishing and spam are the primary ways ransomware attacks are distributed. Secure Email Gateways with targeted attack protection are crucial for detecting and blocking malicious emails that deliver ransomware. These solutions protect against malicious attachments, malicious documents, and URLs in emails delivered to user computers.
- Defend your mobile devices against Ransomware: When used with mobile device management (MDM) tools, mobile attack protection products can analyze applications on user devices and immediately alert users and IT to any applications that might compromise the environment.
- Defend your web surfing against Ransomware: Secure web gateways can scan users’ web surfing traffic to identify malicious web ads that might lead them to ransomware.
- Monitor your server and network and back up key systems: Monitoring tools can detect unusual file access activities, viruses, network C&C traffic and CPU loads in time to block ransomware from activating. Keeping a full image copy of crucial systems can reduce the risk of a crashed or encrypted machine causing a critical operational bottleneck.
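The monitoring point above, that tools can spot unusual file access activity in time to act, comes down to a few concrete signals on a file share. The script below is an added example written for this page (it is not Proofpoint's code or any product's logic): it runs two heuristics over a constructed file-server audit log in an assumed one-line format, flagging a burst of renames that append the same new extension within a short window, and the same file name (a ransom note) written into several directories. The thresholds, the log format and the user and path names are all assumptions made for the example.

```python
"""Heuristic detection of ransomware-like activity in a file-server audit log.

Added example; the audit-line format and the thresholds are constructed for
illustration. Two signals a monitoring tool can watch for on a file share:
  1. Mass renames appending the same new extension within a short window.
  2. The same file name (a ransom note) written into many directories.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not from any real system). "alice" is a normal
# user; "bob" shows the burst pattern an encryptor leaves on a share.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z user=alice op=WRITE path=/share/finance/budget.xlsx
2024-03-04T09:00:05Z user=alice op=READ path=/share/finance/q1.xlsx
2024-03-04T09:00:09Z user=alice op=RENAME path=/share/finance/draft.docx -> /share/finance/draft_v2.docx
2024-03-04T09:12:00Z user=bob op=WRITE path=/share/hr/README_DECRYPT.txt
2024-03-04T09:12:01Z user=bob op=RENAME path=/share/hr/policy.docx -> /share/hr/policy.docx.locked
2024-03-04T09:12:01Z user=bob op=RENAME path=/share/hr/handbook.pdf -> /share/hr/handbook.pdf.locked
2024-03-04T09:12:02Z user=bob op=RENAME path=/share/hr/salaries.xlsx -> /share/hr/salaries.xlsx.locked
2024-03-04T09:12:02Z user=bob op=WRITE path=/share/finance/README_DECRYPT.txt
2024-03-04T09:12:03Z user=bob op=RENAME path=/share/finance/budget.xlsx -> /share/finance/budget.xlsx.locked
2024-03-04T09:12:03Z user=bob op=RENAME path=/share/finance/q1.xlsx -> /share/finance/q1.xlsx.locked
2024-03-04T09:12:04Z user=bob op=RENAME path=/share/finance/q2.xlsx -> /share/finance/q2.xlsx.locked
2024-03-04T09:12:04Z user=bob op=RENAME path=/share/finance/q3.xlsx -> /share/finance/q3.xlsx.locked
2024-03-04T09:12:05Z user=bob op=WRITE path=/share/legal/README_DECRYPT.txt
2024-03-04T09:12:05Z user=bob op=RENAME path=/share/legal/nda.docx -> /share/legal/nda.docx.locked
2024-03-04T09:12:06Z user=bob op=RENAME path=/share/legal/msa.docx -> /share/legal/msa.docx.locked
2024-03-04T09:12:06Z user=bob op=RENAME path=/share/legal/contract.pdf -> /share/legal/contract.pdf.locked
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+)"
    r"(?: -> (?P<dest>\S+))?$"
)

# Tunable thresholds (assumed values for this example, not vendor defaults).
RENAME_THRESHOLD = 10                   # renames to one new extension ...
RENAME_WINDOW = timedelta(seconds=60)   # ... within this window
NOTE_DIR_THRESHOLD = 3                  # same file name written into this many directories


def parse_line(line):
    """Parse one audit line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def appended_extension(src, dest):
    """Return the suffix a rename appended to the original name, else None.

    '/share/a.docx' -> '/share/a.docx.locked' yields '.locked';
    '/share/a.docx' -> '/share/a_v2.docx' yields None (an ordinary rename).
    """
    if dest.startswith(src) and len(dest) > len(src):
        return dest[len(src):]
    return None


def detect(log_text):
    """Return a list of alert dicts for the ransomware-like patterns found."""
    alerts = []
    fired = set()                        # (rule, key) pairs already alerted on
    rename_windows = defaultdict(deque)  # (user, ext) -> timestamps of recent renames
    note_dirs = defaultdict(set)         # (user, file name) -> directories written to

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]

        if ev["op"] == "RENAME" and ev["dest"]:
            ext = appended_extension(ev["path"], ev["dest"])
            if ext is None:
                continue
            key = (user, ext)
            window = rename_windows[key]
            window.append(ts)
            while ts - window[0] > RENAME_WINDOW:   # drop events outside the window
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and ("mass_rename", key) not in fired:
                fired.add(("mass_rename", key))
                alerts.append({"rule": "mass_rename", "user": user, "extension": ext,
                               "count": len(window), "at": ts.isoformat()})

        elif ev["op"] == "WRITE":
            directory, _, name = ev["path"].rpartition("/")
            key = (user, name)
            note_dirs[key].add(directory)
            # Noisy on its own (think Thumbs.db); in practice correlate it with mass_rename.
            if len(note_dirs[key]) >= NOTE_DIR_THRESHOLD and ("ransom_note", key) not in fired:
                fired.add(("ransom_note", key))
                alerts.append({"rule": "ransom_note", "user": user, "file": name,
                               "directories": sorted(note_dirs[key]), "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the ransom-note rule fires first (the third directory receives `README_DECRYPT.txt` before the tenth rename lands), then the mass-rename rule fires on the tenth `.locked` rename. Alice's ordinary rename to `draft_v2.docx` does not count, because it replaces the name rather than appending to it. The sliding window keyed on user and extension is what keeps a day of normal renames from accumulating into a false alert; the note rule is deliberately left simple and should be correlated with the rename rule before anyone is paged.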
How to Remove Ransomware
- Call federal and local law enforcement: Just as someone would call a federal agency about a kidnapping, organizations must contact the same bureau about ransomware. Their forensic technicians can ensure systems aren’t compromised in other ways, gather information to better protect organizations going forward, and try to find the attackers.
- Learn about anti-ransomware resources: No More Ransom portal and Bleeping Computer provide tips, suggestions, and even decryptors for selected ransomware attacks.
- Restore data: If organizations have followed best practices and kept system backups, they can restore their systems and resume normal operations.
Ransomware Survival Guide
Ransomware attackers collected, on average, $115,123 per incident in 2019, but costs soared to $312,493 in 2020. One recorded event cost an organization $40 million. In addition to the ransom itself, these attacks can exact a heavy cost: business disruption, remediation costs, and a diminished brand.
Is Ransomware a Virus?
Ransomware and viruses are both forms of malware, but ransomware is not a virus. Ransomware is considered a category of malware, but it does not self-replicate like a virus. Viruses and ransomware damage files but act differently once the payload is delivered.
What Is the WannaCry Ransomware Attack?
The WannaCry ransomware used a Microsoft Windows vulnerability to spread quickly across the internet and encrypt files to hold them hostage. It encrypted files with cryptographically secure algorithms, so targeted victims were forced either to pay the ransom in Bitcoin to obtain the private key or to recover from backups. Because the files could not otherwise be decrypted, many organizations were forced to pay the ransom.
What Is DarkSide Ransomware?
The hacking group known as DarkSide created the DarkSide malware, which operates as ransomware-as-a-service (RaaS). The malware double-extorts its targets by first demanding payment to decrypt files and then demanding payment for the exfiltrated sensitive data. It targets servers exposing the Remote Desktop Protocol (RDP) and brute-forces the password to gain access to the machine’s local files.
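Password guessing against an exposed RDP service, the entry technique described above, is loud in the Windows Security log: a run of failed logons (Event ID 4625) of logon type 10 (RemoteInteractive, the RDP type) from one source address, followed in the worst case by a success (Event ID 4624) from the same address. The detector below is an added example for this page, not DarkSide analysis from Proofpoint or anyone else. The event IDs and logon type are real Windows values; the compact one-line event format, the failure threshold and window, and the addresses (from the documentation ranges) are assumptions constructed for the example.

```python
"""Detect RDP password brute-forcing in Windows Security log events.

Added example, not the page's code. Event IDs 4625 (failed logon) and 4624
(successful logon) and Logon Type 10 (RemoteInteractive, i.e. RDP) are real
Windows values; the one-line event format below is constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events. 203.0.113.45 hammers the RDP service with several account
# names and then gets in; 198.51.100.7 is a normal interactive user; the
# LogonType=3 line is a network logon and is ignored by this detector.
SAMPLE_EVENTS = """\
2024-03-04T02:00:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2024-03-04T02:00:04Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2024-03-04T02:00:07Z EventID=4624 LogonType=10 TargetUser=alice SourceIP=198.51.100.7
2024-03-04T02:00:09Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2024-03-04T02:00:12Z EventID=4625 LogonType=3 TargetUser=svc_sql SourceIP=203.0.113.9
2024-03-04T02:00:15Z EventID=4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.45
2024-03-04T02:00:21Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2024-03-04T02:00:27Z EventID=4625 LogonType=10 TargetUser=helpdesk SourceIP=203.0.113.45
2024-03-04T02:00:52Z EventID=4624 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.45
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

FAIL_THRESHOLD = 5                  # failed RDP logons from one source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window (assumed values)
RDP_LOGON_TYPE = 10                 # Windows "RemoteInteractive" logon type


def parse_event(line):
    """Parse one constructed event line; return None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["event_id"] = int(ev["event_id"])
    ev["logon_type"] = int(ev["logon_type"])
    return ev


def detect_rdp_bruteforce(log_text):
    """Return alerts: 'rdp_bruteforce' when a source exceeds the failure
    threshold, and 'bruteforce_success' when that same source then logs on."""
    alerts = []
    failures = defaultdict(deque)   # ip -> recent failed-logon timestamps
    users_tried = defaultdict(set)  # ip -> distinct account names attempted
    flagged = set()                 # ips already reported as brute-forcing

    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue                # only RDP logons matter here
        ip, ts = ev["ip"], ev["ts"]

        if ev["event_id"] == 4625:
            window = failures[ip]
            window.append(ts)
            users_tried[ip].add(ev["user"])
            while ts - window[0] > FAIL_WINDOW:     # slide the window forward
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "rdp_bruteforce", "source_ip": ip,
                               "failures": len(window),
                               "users": sorted(users_tried[ip]), "at": ts.isoformat()})

        elif ev["event_id"] == 4624:
            # A success from a flagged source shortly after its failures is the
            # high-severity case: the guessing worked and the account is in use.
            recent = bool(failures[ip]) and ts - failures[ip][-1] <= FAIL_WINDOW
            if ip in flagged and recent:
                alerts.append({"rule": "bruteforce_success", "source_ip": ip,
                               "user": ev["user"], "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the first alert fires at the fifth failure from 203.0.113.45 and lists the four distinct account names tried so far, which is the detail a responder wants when deciding whether this is one user mistyping or a wordlist. The later 4624 from the same source inside the window produces the second, higher-severity alert naming the account that was finally guessed. Alice's single successful logon and the non-RDP failure are ignored. Keying the window on source address rather than account is deliberate: password spraying rotates usernames precisely so that per-account lockout thresholds are never reached.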
How Long Does It Take to Recover From Ransomware?
The time it takes varies wildly depending on the extent of the damage, the efficiency of the organization’s disaster recovery plan, response times, and the containment and eradication timeframes. Without good backups and disaster recovery plans, organizations could stay offline for days, which is a severe revenue-impacting event.