Over the last few years, the rate of cyberattacks has continued to hit record growth, taking advantage of individuals or businesses with poor cybersecurity practices. These attacks have affected healthcare, government, finance, and major businesses around the world. Of these cyberattacks, ransomware consistently ranks at the top of the most common cyber threats list, with an estimated 623 million incidents worldwide in 2021.
It’s important to understand how ransomware can infect a system so that you can minimize your attack surface. Having strong information security can significantly reduce the risk of becoming a victim of ransomware. In this post, we discuss some of the most common ways systems get infected by ransomware and outline defense strategies to help you avoid becoming a victim.
What is Ransomware?
Ransomware is a type of malware aimed to steal and encrypt files, sensitive data, or personally identifiable information (PII) to prevent victims from accessing those files until a fee or ransom is paid. Ransomware attackers use extortion tactics to force victims into making ransom payments, and they commonly target those with poor security practices or unpatched vulnerabilities. Once hackers gain access to a network, they can inject malicious software containing the ransomware payload into the victim’s computer or mobile device.
Without a decryption key, it’s nearly impossible to recover files that have been encrypted with ransomware. Ransomware infections can be especially devastating for businesses that depend on encrypted data to maintain their daily operations. If the ransom is not paid by a specified time, files can be permanently lost or even exposed to the public.
Today, many cybercriminals will demand cryptocurrency like Bitcoin as a ransom payment, a decentralized payment system known for its ability to hide financial activities. Though tracking down ransom payments on the cryptocurrency blockchain is difficult, it’s certainly not impossible.
Identifying Different Types of Ransomware
Although there are many different forms of ransomware, this cyber threat can be divided into four primary categories:
- Crypto/Encryptors - Encryptors are the most common type of ransomware, encrypting all target data and requiring a decryption key to unlock.
- Lockers - Instead of preventing access to files or applications, Lockers prevent the use of the entire device. Typically a lock screen will display details of the ransom note with a timer to create urgency.
- Scareware - Scareware fakes an issue on computers, such as detecting viruses or malware. The software will then direct the user to a page to “resolve” the problem and steal their credit card or other personal information.
- Doxware/Leakware - Doxware often tries to scam the user or company into paying by threatening to release sensitive information online, like confidential files or intellectual property.
Ransomware has become increasingly popular amongst scammers in recent years. Hackers have begun to sell their services to those who don’t have the time or capability to create their own malware. This is known as Ransomware-as-a-Service (RaaS), a ransomware software subscription service similar to a Software-as-a-Service (SaaS) model.
How Do You Get Infected By Ransomware?
There are a few different ways that you can get infected by ransomware. By understanding the various attack vectors that cybercriminals use to inject malware, you can build better security awareness and avoid becoming the latest in a line of ransomware victims.
1. Phishing Emails
Phishing attacks are the leading cause of ransomware infections. In Cisco’s 2021 Cybersecurity Threat Trends report, they found that phishing accounted for about 90% of all successful data breaches, leading to billions of dollars in damages.
Users can get infected by a phishing email in two ways:
- Opening or downloading malicious email attachments (PDFs, .exe applications, Word documents, .zip files, and more)
- Clicking on infected links that lead to malicious websites (spyware, Trojans, keylogging)
Recently, a variant of phishing has surfaced, called “smishing.” Smishing involves scammers attempting to trick you into exposing personal information through a series of SMS text messages. These automated text messages will typically contain an image or link that will direct you to a website to enter sensitive information or download executable malware files directly onto your phone.
2. Infected Webpages
Users must also practice safe web surfing since infected URLs are commonly used to distribute ransomware. Clicking on one of these links, whether through an email or an unverified website, can automatically trigger a ransomware download to your hard drive, also known as a “drive-by download.” Just visiting the site without even downloading anything can lead to a ransomware attack.
Many decoy websites mimicking legitimate businesses can be identified through incorrect spellings in the URL. Always double-check the URLs by hovering over the link before clicking. Keep in mind that some advanced phishing attacks are very difficult to identify. If you’re ever in doubt, don’t click the link!
Malvertising is a form of malware that falsely promotes an ad in a legitimate ad space. Even on big-name legitimate websites, malvertising can look like an actual banner. The ad seems like a typical advertisement, but it triggers a ransomware download or malware attack as soon as you click on the image.
Similar to malicious websites, malvertising is linked to an exploit kit, which will scan your system for vulnerabilities and install malicious code.
Be careful of ads that show:
- Free offers for a product or service
- Pending message notifications
- Videos or animations
- Adult images
4. Remote Desktop Protocol (RDP) Attacks
RDP is a function installed on Microsoft Windows operating systems that allows users to remotely connect to another network or server. An RDP attack is when a hacker infiltrates the system, attempting to steal data or install ransomware. Once they are inside the network or system, they can delete data, override security software, and download malware.
Prime targets include users with poor password protection or endpoint security and unsecured networks. Since over 90% of the world uses Microsoft Windows, there are plenty of opportunities for criminals to steal data, particularly from small businesses.
5. Social Engineering
Social engineering is the practice of tricking unsuspecting individuals into accidentally revealing private or sensitive information to use against them. In many cases, scammers pose as legitimate parties to exploit the user, such as pretending to be law enforcement or IT support and asking for personal information.
This form of cybercrime can manifest through emails, text messages, online chat rooms, phone calls, and even social media. After the cybercriminals obtain the necessary information, they can use that to launch massive cyberattacks, especially if the information involves network log-ins or other important credentials.
How To Prevent Ransomware Attacks in 2023
Despite the growing number of ransomware attacks, there are plenty of ways to protect yourself. Learn more here by following the best ransomware prevention practices.
- Backup your data - ALWAYS keep a backup of your most important data on an external hard drive or cloud server. Follow the 3-2-1 rule by keeping 3 separate copies of the data on 2 different storage types and keeping 1 copy somewhere offline.
- Keep systems and applications updated - One of the biggest reasons users and businesses get infected with ransomware is that they use outdated systems or applications with old security protocols. Without the newest updates to protect your email servers or operating systems, hackers can easily take advantage of vulnerabilities.
- Install antivirus software and firewalls - Antivirus and anti-malware software are the most common ways people use to fight cyber threats. These technologies typically include phishing and ransomware protection technology and can respond to threats in real-time on an infected computer. Firewalls are also important to set up since they are the first line of defense against external attacks.
- Secure all endpoints - Endpoints are extremely important to secure because one vulnerable endpoint can potentially infect an entire network. Look to install endpoint protection platforms (EPP) or endpoint detection and response (EDR) on your computer.
- Network segmentation - One technique to prevent cyber attacks is implementing network segmentation. Many large corporations should incorporate segmentation into their networks to limit the spread of ransomware should they become infected. Multiple smaller networks mean that it’s much harder for cybercriminals to perform a clean sweep of the company.
- Least privilege principle & zero-trust model - User privileges should be continually reviewed to limit unauthorized access to sensitive data. Least privilege only gives users the exact permissions they need to work and nothing more. The zero-trust model assumes that any user, especially third parties, cannot be trusted.
- Regular security testing - Because the cybersecurity landscape is constantly changing, it’s important to keep up with new technology as well as run tests on your security measures. Companies often hire penetration testers to find potential vulnerabilities so that they can patch them quickly.
- Cybersecurity awareness training - Having a strong awareness of potential security breaches is one of the easiest and most important things anyone can do. It’s often the most basic practice like creating secure passwords, recognizing malicious attachments in emails, or not sending confidential data over public Wi-Fi that keeps users safe.
What To Do if You’re Infected by Ransomware
If you’ve been compromised by ransomware, follow these steps immediately.
- Do NOT pay the ransom. Paying encourages criminals to continue their work.
- Report the attack to the proper law enforcement agencies, like the FBI.
- Disconnect your device or computer from all Wi-Fi or Bluetooth immediately.
- Identify the entry point of the ransomware.
- Alert the company and other users on the same network.
- Wipe computer clean and install backups.
- Use a ransomware decryption tool.
Famous Ransomware Attacks
- WannaCry - WannaCry is one of the biggest worldwide ransomware attacks in history. This 2017 attack crippled major companies around the world, including Taiwan Semiconductor Manufacturing Company, FedEx, Honda, Renault, and various Indian governments. According to a report by Kaspersky, the shutdown took place over four days and caused an estimated $4 billion in damages.
- CryptoLocker - CryptoLocker was ransomware that ran primarily from September 2013 to May 2014. It used a Trojan to target Windows computers and searched for cloud files to encrypt using an asymmetric encryption key. Ultimately, CryptoLocker successfully extorted over $3 million from victims.
- Petya/NotPetya - Petya is a locker ransomware, restricting access to the entire hard drive. This malware initially spread through Ukrainian organizations until it spread throughout Europe and eventually the US. The total damages were an estimated $10 billion.
- Locky - Locky was ransomware attached to Microsoft Word documents sent through email. Once you opened the document, it prompted a message to download macros. If approved, the macros quickly swept through the system to encrypt files for ransom. It infected over 400,000 users in just the first week, including Hollywood Presbyterian Medical Center, who paid 40 Bitcoin (~$17,000) to get their files back.
- Ryuk - Ryuk is another large-scale ransomware that has targeted Microsoft-based systems since 2018. The ransomware hid under spoofed emails and Word documents. Some high-profile companies that were affected include Los Angeles Times, Tribune Publishing, and various hospitals in the US, UK, and Germany.