What Is Ransomware?

Ransomware can hit businesses of any size. Here's how to keep your enterprise safe.

Written by: Mark Fairlie, Senior Analyst
Updated Jul 08, 2025
Gretchen Grunburg, Senior Editor

Cybercriminals regularly target small and medium-sized businesses (SMBs) with ransomware attacks. If they’re successful, they can lock you out of your networks and prevent you from accessing your critical data. They may even threaten to crash your system, wipe your records or release your private information if you don’t pay up. And the payout can be costly. According to Sophos’ State of Ransomware report, the median ransom demand now exceeds $1.3 million.

We’ll explain more about ransomware and ransomware attacks to help businesses better understand, prepare for and prevent these often devastating business cyberattacks.

What is ransomware and a ransomware attack?

Ransomware is a form of malware that, once installed on a computer, locks access to a hard drive until a ransom is paid. In a ransomware attack, victims see an on-screen message alerting them that their computer or network has been locked or their data encrypted. They are told to pay a specific ransom to regain access to their systems. Typically, payment is required in bitcoin, a popular cryptocurrency, which further complicates the situation. 

The cost of retrieving your data varies depending on the target. A private individual may be required to pay $500, while a business could face demands of hundreds of thousands or even over $1 million. Businesses are the primary targets — but not the only ones. Ransomware has wreaked havoc on supply chains, utilities and schools.

Ransomware has grown in popularity over recent years as cybercriminals have become more sophisticated. With victims willing to pay, bad actors have all the incentive they need to deploy ransomware aggressively.

“As with any industry, it is a supply and demand business,” said Daniel Clayton, strategic operations and cybersecurity leader at F5. “If we continue to pay ransomware, we will continue to be attacked. It’s not unusual to see a company get hit once and then again, sometimes by the same group.”

How does ransomware work?

In a ransomware attack, cybercriminals slip into a company’s network through various methods, including phishing emails with malicious links or attachments. These emails are designed to trick someone into clicking, which can quietly download malware in the background. Once it’s in, the malware uses employee login credentials to move through the system.

“The main ways they come in [are] through phishing emails or clicking on a link,” explained Raj Samani, senior vice president at cloud cybersecurity platform Rapid7. “Some of the big game hunters and even lower operators are looking for a chink in the armor.”

In the past, hackers targeted specific companies with ransomware. Now, their strategy is volume. “The groups going after the big game are quite small in number as opposed to the volume attacks. There are millions of them, which impact everybody,” Samani warned.

Here’s a look at some of the most common ways ransomware enters a business’s network:

  • Email phishing: Victims receive an email with a link or file containing malicious code. Once they click it, the malware is deployed.
  • RDP weaknesses: Hackers use brute-force attacks or purchase credentials to access a company’s network via the Remote Desktop Protocol (RDP). Once in, they unleash ransomware.
  • Software holes: Hackers exploit weaknesses in outdated or unpatched software.
  • Drive-by downloads: Malware installs itself when someone visits an unsafe or compromised website, even if they don’t click anything.
  • Malvertising: Infected ads on legitimate websites can silently download malware when users click on them.
  • USB devices: Plugging in an infected USB drive can automatically trigger a ransomware installation.
  • Social engineering: Hackers impersonate IT support and trick employees into sharing passwords or granting network access.
Did you know?
Many ransomware attacks — a form of cyber extortion — begin with exploited vulnerabilities, such as outdated software, weak passwords or other gaps in network security.
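
The RDP brute-force pattern from the list above can be spotted in Windows logon events. The following is an added example, not part of the original article: it flags source addresses with a burst of failed remote logons and notes any successful logon that follows. The event records, addresses, account names and the threshold of 10 failures in 5 minutes are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log: 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP); type 3 = Network, which is how RDP
# attempts are logged with Network Level Authentication (it also covers
# other network logons such as file shares, so expect some noise).
RDP_LOGON_TYPES = {3, 10}

def find_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed remote logons inside window.
    Returns {ip: {"peak_failures", "accounts", "success_after"}}; a non-empty
    "success_after" means a logon succeeded after the burst and needs triage.
    """
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    accounts = defaultdict(set)   # ip -> account names it tried
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            accounts[ip].add(ev["user"])
            times = recent[ip]
            times.append(ev["time"])
            while ev["time"] - times[0] > window:
                times.popleft()
            if len(times) >= threshold:
                hit = findings.setdefault(
                    ip, {"peak_failures": 0, "accounts": accounts[ip], "success_after": []})
                hit["peak_failures"] = max(hit["peak_failures"], len(times))
        elif ev["event_id"] == 4624 and ip in findings:
            findings[ip]["success_after"].append(ev["user"])
    return findings

def build_sample_events():
    """Constructed events for illustration; addresses are documentation ranges."""
    t0 = datetime(2025, 1, 6, 2, 0, 0)
    names = ["administrator", "admin", "backup"]
    events = [{"time": t0 + timedelta(seconds=10 * i), "event_id": 4625,
               "logon_type": 3, "ip": "203.0.113.7", "user": names[i % 3]}
              for i in range(12)]
    # The burst ends with a successful RDP session: the case to escalate.
    events.append({"time": t0 + timedelta(seconds=130), "event_id": 4624,
                   "logon_type": 10, "ip": "203.0.113.7", "user": "backup"})
    # An employee mistypes a password twice, then logs in: below threshold.
    for i, eid in enumerate([4625, 4625, 4624]):
        events.append({"time": t0 + timedelta(minutes=30, seconds=20 * i),
                       "event_id": eid, "logon_type": 10,
                       "ip": "198.51.100.20", "user": "jsmith"})
    # Failed console logons (type 2) are not remote and are ignored here.
    events += [{"time": t0 + timedelta(seconds=i), "event_id": 4625,
                "logon_type": 2, "ip": "127.0.0.1", "user": "kiosk"}
               for i in range(15)]
    return events

if __name__ == "__main__":
    print(find_rdp_bruteforce(build_sample_events()))
```

A source address that shows up with a non-empty `success_after` list is the one to investigate first, since it suggests a guessed or purchased credential worked.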

What are the types of ransomware?

Cybercriminals use various ransomware methods to infiltrate systems and extort money. Here are some of the most popular flavors of ransomware:

  • Crypto ransomware: In this widespread scheme, hackers break into your network and encrypt your files and data. You can’t access anything without a decryption key, which you must purchase from the hacker using cryptocurrency.
  • Doxware or leakware: Instead of locking you out, this type of ransomware threatens to publish sensitive or private information online if the ransom isn’t paid. In some cases, hackers may even contact your customers directly to tell them their data has been compromised, which can seriously damage your brand reputation and erode customer trust.
  • Locker malware: This variety locks you out of your entire system. You can’t use your devices until you pay the ransom.
  • Mobile ransomware: Specifically targeting mobile devices, such as smartphones and tablets, this ransomware can lock users out and encrypt their data. Hackers may even threaten to permanently disable or lock the phone if a ransom isn’t paid.
  • Master boot record ransomware (MBR): In this attack, hackers target the MBR — the part of your hard drive that helps start the operating system. When you power on your computer, it won’t boot. Instead, a ransom message appears on your screen.
  • Scareware: This malware tricks users into downloading it by posing as a legitimate antivirus tool. A fake pop-up claims your files are infected and urges you to buy software to fix the issue; however, instead of a fix, it installs malware designed to steal your credentials.
  • Ransomware-as-a-service (RaaS): In this growing model, professional hacker groups launch attacks on behalf of others in exchange for a cut of the ransom.
  • Wiper malware: Wiper attacks don’t lock or encrypt your data — they delete it. The twist? Even if you pay, the hacker may still wipe your data, as they never intended to return it in the first place.
  • IoT ransomware: Hackers target internet-connected devices that are often less secure, such as printers or security cameras. They render these devices unusable until you pay the ransom. 
FYI
Ransomware can spread across networks and devices without user interaction through self-replicating software "worms." These worms move via email, spoofed websites, messaging platforms and unsecured local networks or Wi-Fi connections.

Who is susceptible to ransomware attacks?

Businesses, organizations and individuals are all vulnerable to ransomware attacks. However, targeting SMBs can be especially lucrative — particularly those that lack the technical and financial resources to defend themselves properly.

That said, the following industries and business types are often top ransomware targets:

  • Manufacturing: Manufacturing companies, especially in high-tech sectors, are often cash-rich thanks to continual venture capital investment. They may also hold valuable intellectual property. If cybercriminals gain deep access to their systems, they can halt production lines to demand payment.
  • Professional services: Law firms, business consultants, accounting firms and other professional agencies work with sensitive corporate and personal data. Data loss is a serious concern, but the greater threat may be operational disruption. If these firms can’t access their systems, they may be unable to serve clients, which can damage both their reputation and their clients’ businesses.
  • Healthcare: There’s a thriving black market for electronic health records and other sensitive patient data. While the connectedness of today’s healthcare systems makes care more efficient, it also opens the door to cyberattacks that can put sensitive information at risk.
  • Financial services: The shift to online and mobile banking has made financial companies even more of a target for cybercriminals. Even with all the right security measures in place, stolen banking and credit card data is still in high demand on the black market.
  • Energy and utilities: Often targeted by state-sponsored actors seeking to cause large-scale disruption, these firms may be more likely to pay up to avoid outages, political fallout and public backlash.
  • Retail and e-commerce: These businesses rely on uninterrupted online operations to maintain sales and customer trust. Disruptions can lead to lost revenue, reputational damage and a loss of customer data, all of which make them attractive targets for ransomware. 
  • Government agencies: Federal, state and local departments are often vulnerable due to outdated software and legacy systems. For example, the Oregon Department of Environmental Quality was hit with a $2.7 million ransom demand, as were the Hamilton County Sheriff’s Office, DuPage County and the Arizona Federal Public Defender’s Office.
  • Logistics and transportation: Shipping, logistics and transport operators rely on complex software to stay on schedule. A ransomware attack can cause serious delays, missed deliveries and stranded shipments.

“Ransomware is that category where they are targeting companies big and small,” Clayton said. “Unfortunately, it’s something everyone should be concerned about.”

Tip
Along with ransomware, other scams that prey on small businesses include spear phishing, fake invoicing, office supply scams, and fake charity solicitations.

What impacts can ransomware have on a business?

Ransomware can have serious consequences for businesses, especially those without strong cybersecurity protections in place.

“It can have a devastating effect on small business owners who don’t have the funds for security equipment or cybersecurity insurance for if and when they have a ransomware issue,” said Jen Miller-Osborn, special projects technical liaison at NetWitness. “They can be in a tough spot if they don’t have the money to pay for ransomware or the technical capabilities to restore their data.”

The fallout from a ransomware attack often depends on the cost of recovering your data or unlocking your systems, but the damage extends far beyond financial losses. Here are some of the biggest risks:

  • Temporary or permanent loss of critical business data
  • Disruptions or shutdowns that prevent normal operations
  • Reputational harm that erodes trust with customers or partners
  • Expensive recovery costs to restore access and rebuild systems
  • Shaken confidence among your IT team
  • Greater risk of future attacks, especially if the ransom is paid

How can you prevent and manage ransomware attacks?

Ransomware isn’t completely avoidable, but there are proactive steps you can take to reduce your risk — and to soften the blow if the unthinkable happens. Taking the right precautions now can help you protect your business from cybercrime and bounce back faster.

Here are four smart steps to help you prepare for and manage a potential ransomware attack.

Step 1: Assess your situation.

The longer it takes to recover your data, the longer your business may be out of commission. But if you already have a data recovery and continuity plan in place, you’re in a much better position to respond.

“Ask yourself, if my systems were no longer accessible, could my business continue to run?” Samani said. If the answer is no, it’s time to plan for the unthinkable.

An effective way to start is to create a list of your most valuable systems, data and apps so you can prioritize what to restore after an attack. Performing a cybersecurity risk assessment will help you identify potential vulnerabilities and ensure you routinely test your backup systems to confirm you can restore your essential data quickly. If you only discover after an attack that your backups don’t work, it’s too late.
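
One way to run the backup test described above, as an added example that is not from the original article: hash the files that matter while they are known to be good, restore the backup to a scratch location, and compare the two. The file names, contents and the `.locked` extension are constructed for illustration, and the manifest is assumed to be taken at backup time.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's relative path to its SHA-256. Take this from known-good
    data and keep it somewhere the backup job cannot overwrite."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a test restore against the manifest, file by file."""
    restored_root = Path(restored_root)
    report = {"ok": [], "missing": [], "changed": [], "unexpected": []}
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != expected:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    # Files the manifest never listed, such as renamed copies or dropped notes.
    report["unexpected"] = sorted(set(build_manifest(restored_root)) - set(manifest))
    return report


def demo():
    """Constructed data: a tiny source tree, a clean restore and a damaged one."""
    files = {"crm/customers.db": b"constructed-db",
             "finance/ledger.csv": b"id,amount\n1,100\n",
             "hr/payroll.xlsx": b"constructed-sheet"}
    with tempfile.TemporaryDirectory() as tmp:
        source, good, bad = (Path(tmp) / name for name in ("source", "good", "bad"))
        for base in (source, good, bad):
            for rel, data in files.items():
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        manifest = build_manifest(source)
        (bad / "hr/payroll.xlsx").unlink()                      # lost in backup
        (bad / "crm/customers.db").write_bytes(b"garbled")     # silently altered
        (bad / "finance/ledger.csv").rename(bad / "finance/ledger.csv.locked")
        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

Any entry under `missing`, `changed` or `unexpected` means the restore cannot be trusted for that file, which is worth learning during a drill and not during an incident.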

Step 2: Give your employees cybersecurity chops.

Educating employees on how to stay safe online is crucial, especially when offering secure remote access to employees working from home or on the go. Clicking on a phishing link in an email or visiting a questionable website are still common ways to infect a network, which is why employees need to know what to watch for. 

It’s also important to require strong passwords and multifactor authentication when logging into the network. Miller-Osborn pointed out that running periodic phishing tests on your staff is a budget-friendly approach that helps identify areas where additional training may be needed.

Provide your employees with clear instructions on safe online habits, such as avoiding public Wi-Fi without a secure VPN and never plugging in unknown USB drives to company devices.

Step 3: Fortify your network.

Ransomware attackers treat their operations like a business, focusing on targets that are easy to infiltrate and exploit. As a result, Clayton said, one of the best defenses is making your company too expensive for hackers to attack. That means:

  • Keeping systems up to date and patched
  • Ensuring antivirus and antimalware software is updated and runs scans automatically
  • Backing up your data regularly
  • Creating a business continuity plan in case your data is held for ransom

“You want the attackers to have to jump through as many hoops as possible,” Clayton advised.

Additionally, consider data minimization — storing only the data necessary to run your business and limiting employee access to only what is required for their jobs. Invest in advanced threat detection software that can flag suspicious network activity and quarantine it until you have a chance to investigate.

Step 4: Consider cyber liability insurance.

Many of the best business insurance providers offer cyber insurance policies that protect against ransomware and other cyberattacks, often for less than $2,000 per year. Consider the following top options:

  • AIG: AIG offers cyber insurance either as a standalone policy or as part of broader coverage. Its CyberEdge product covers third-party claims for financial losses resulting from a network breach or failure to protect clients’ confidential information. Depending on your policy, it may also cover the costs of regulatory investigations, legal defense, PCI DSS assessments and public relations support. AIG can also reimburse ransom payments made to end a cybersecurity attack. 
  • Chubb: Chubb offers three primary enterprise risk management products: Cyber, for companies that handle sensitive information; DigiTech, for businesses that offer off-the-shelf or customized software solutions; and Professional, for firms with cyber, media and related liability exposures. 
  • Thimble: Thimble’s cyber insurance policies start at around $100 and include first-party coverage to help pay for costs related to data breaches, as well as third-party coverage for any legal defense you choose to mount. First-party coverage also includes assistance with costs related to cyber extortion, reputation management, system failures and regulatory fines.
  • The Hartford: The Hartford’s cyber insurance policy helps companies cover financial losses related to cybersecurity risks. It also covers regulatory fines, lost income, ransom payments to recover locked files, and lawsuits brought by customers or employees.
  • Hiscox: Hiscox offers a wide range of coverage with its cyber policies, including costs related to data breaches and recovery, cybercrime, cyber extortion (including ransomware), privacy protection and business interruption.
FYI
Cyber insurance and data breach insurance both offer first-party coverage for exposed data, but only cyber insurance includes third-party legal protection.

How do you remove ransomware?

Despite your best efforts, you may still fall victim to ransomware. The good news is that it’s possible to remove ransomware from your system and restore everything to its original state before the attack. However, the process is quite complicated, so you might want to call in an IT expert to help you.

Here are the steps:

  • Isolate: Find the infected device on your system and remove it from the wider network. Many ransomware programs spread from one terminal to another, so disconnecting devices will help prevent further damage.
  • Identify: With the rest of your system protected, determine the type of ransomware you’re dealing with. Helpful resources include The No More Ransom Project, ID Ransomware and Kaspersky’s Ransomware Decryptor Tool.
  • Remove: Standard antimalware or anti-ransomware software can often detect and delete malicious code. Manual removal is possible, but it typically requires expert help. Be aware that some ransomware deletes itself after encrypting files, so a different approach may be needed. Whatever your method, run a full scan afterward to ensure nothing is left behind.
  • Recover: Once the ransomware is removed, use your operating system’s built-in restoration tools to restore your device to its pre-attack state. If you’ve backed up your data to the cloud, begin downloading local copies as needed. Be sure to change all passwords and update your firewall and antivirus software.
Tip
For screen-locking ransomware, you may be able to bypass the lock screen by restarting your computer in Safe Mode. From there, you should be able to run your security software to remove the malware. When in doubt, consult a professional.

You should also notify customers, investors and other key stakeholders about the breach. They deserve to know, and failing to disclose could lead to legal trouble. Being transparent can also help preserve trust.

Ransomware is scary and costly, but it doesn’t have to be the end of your business. With the right preparation and regular data backups, you can survive and recover from an attack.

Written by: Mark Fairlie, Senior Analyst
Mark Fairlie brings decades of expertise in telecommunications and telemarketing to the forefront as the former business owner of a direct marketing company. Also well-versed in a variety of other B2B topics, such as taxation, investments and cybersecurity, he now advises fellow entrepreneurs on the best business practices. At business.com, Fairlie covers a range of technology solutions, including CRM software, email and text message marketing services, fleet management services, call center software and more. With a background in advertising and sales, Fairlie made his mark as the former co-owner of Meridian Delta, which saw a successful transition of ownership in 2015. Through this journey, Fairlie gained invaluable hands-on experience in everything from founding a business to expanding and selling it. Since then, Fairlie has embarked on new ventures, launching a second marketing company and establishing a thriving sole proprietorship.