What Is Ransomware?

What is ransomware?

Ransomware is a form of malware that, once installed on a computer, locks up access to your hard drive until you pay a ransom. Victims see an on-screen message alerting them the computer has been locked or the data encrypted. They are told to pay a specific ransom to regain access to their systems. Usually, the payment is required in bitcoin, a popular cryptocurrency, which complicates the situation further. 

The cost to get your data back varies depending on the target. A private individual may be required to pay $500 while a company might have to pay $500,000. Businesses are the main targets but not the only ones ― ransomware has wreaked havoc on supply chains, utilities and schools.

Ransomware has grown in popularity over recent years as cybercriminals have become more sophisticated. With victims willing to pay, cybercriminals have all the incentive they need to deploy ransomware aggressively.

“As with any industry, it is a supply and demand business,” said Daniel Clayton, vice president of cybersecurity operations at Expel. “If we continue to pay ransomware, we will continue to be attacked. It’s not unusual to see a company get hit once and then again, sometimes by the same group.”

How does ransomware work?

There are several ways hackers can pull off a ransomware attack. Cybercriminals obtain access to a business’s computer network via phishing emails that contain malicious links or attachments. These emails aim to trick users into visiting websites that download the malware behind the scenes. Then, the malware gets ahold of employees’ credentials for a company network. Instant messaging apps on social media can also spread malware.

“The main ways they come in is through phishing emails or clicking on a link,” said Raj Samani, senior vice president at cloud cybersecurity platform, Rapid7. “Some of the big game hunters and even lower operators are looking for a chink in the armor.”

In the past, hackers targeted specific companies with ransomware, but that, too, has changed. Now their strategy is volume. “The groups going after the big game are quite small in number as opposed to the volume attacks. There are millions of them, which impact everybody,” said Samani.

What are the types of ransomware?

Ransomware comes in many flavors, but the end goal is usually to make money. Hackers use some of the following tactics to achieve success:

• Crypto ransomware: This is the most popular method and the most costly for small business owners. Hackers break into your network and encrypt your files and data. You won’t be able to access any of it without a decryption key, which you have to purchase from the hacker via cryptocurrency.
• Doxware or leakware: While many cybercriminals threaten to wipe your data, others say they will publish sensitive or private information online if the ransom is unpaid. If data contains your customers’ email addresses, the cybercriminals may threaten to contact them directly to tell them that their data has been compromised. Such an occurrence could lead to a potentially significant and permanent loss of client trust.
• Locker malware: Instead of encrypting your files, this type of ransomware locks you out of your network. To regain access, you have to pay the ransom. This line of attack doesn’t target your essential files, it aims to keep you out of your computer.
• Mobile ransomware: This type of ransomware attack specifically targets mobile devices like smartphones and tablets. As with desktop, laptop and server attacks, the software can lock users out of their system and encrypt their data. Cybercriminals may threaten to disable or lock a phone permanently if a ransom is not paid.
• Master boot record ransomware (MBR): With this type of attack, the hackers infiltrate the MBR, the part of the hard drive that enables the operating system (OS) to start. When you try to turn on your computer, the software will not boot up. Instead, a message demanding ransom will appear on your screen.
• Scareware: Users are tricked into visiting a website that downloads malicious code. A warning, which appears to be from an antivirus software company, pops up claiming files have been infected. Users are directed to purchase software to fix the problem. Instead of a fix, they receive malware aimed at stealing their credentials.
• Ransomware as a service: Some professional hacker groups launch ransomware attacks on behalf of cybercriminals in exchange for a cut of any proceeds.

Who is susceptible to ransomware attacks?

From a criminal’s point of view, there is a lot of value in targeting SMBs. Small businesses often lack the technical and financial resources required to defend themselves properly. That’s because they often work with outdated and unpatched software and their staff typically aren’t trained on how to spot a potential cyberattack.

SMBs are also less likely to diligently and regularly back up their data. If their data is wiped, they may be forced out of business. Larger firms are more likely to back up their data so, although a ransomware attack is still serious, the threat of hackers wiping their company’s data is not an existential threat.

Broadening out from SMBs, certain types of business come under attack more than others. Key targets include:

• Manufacturing: Manufacturing companies, especially in high-tech sectors, are often cash-rich thanks to continual venture capital investment. They also may possess valuable intellectual property. If cybercriminals get deep enough into their computing system, they may be able to halt production lines to extort cash.
• Professional services: Law firms, business consultants, accounting firms and other professional agencies hold and work with sensitive corporate and personal data. Although data loss is a cause for concern, not being able to do business properly for a prolonged period because their system is locked will damage their reputation and disrupt their clients’ businesses.
• Healthcare: There is a large black market online for medical records and patient data. While the connectedness of healthcare systems makes treatment more efficient and effective, it also leaves it more vulnerable to attempted theft from cybersecurity attackers. [Related article: How Health Insurance Portability and Accountability Act Laws Impact Employers]
• Financial services: There has been a digital revolution in financial services which has made it a prime target for criminals. Although payment systems are hard to access, there is, as with healthcare, a vast market of black market players ready to buy banking and credit/debit card data.
• Energy and utilities: Often a target of state actors looking to cause maximum disruption to foreign enemies, energy and utility firms come under regular attack because they may be willing to pay large sums to avoid the costs and political damage service outages would bring.
• Retail and e-commerce: These firms are favored targets for cybercriminals since they may pay higher sums to ensure that their business is not disrupted, causing a loss of sales. Losing client data could also severely affect customer trust and the value of their brands. 

“Ransomware is that category where they are targeting companies big and small,” Clayton said. “Unfortunately, it’s something everyone should be concerned about.”

What impacts can ransomware have on a business?

“It can have a devastating effect on small business owners who don’t have the funds for security equipment or cybersecurity insurance for if and when they have a ransomware issue,” Jen Miller-Osborn, special projects technical liaison at NetWitness, told business.com. “They can be in a tough spot if they don’t have the money to pay for ransomware or the technical capabilities to restore their data.”

The impacts of ransomware vary depending on the cost associated with recovering your data or unlocking your network. The major negative impacts of ransomware are:

• Temporary or permanent loss of your business’s critical data.
• A shutdown of operations if you are locked out or can’t access the data needed to run the business.
• A hit to your company’s reputation.
• High expenses associated with restoring your network.
• The confidence of your information technology (IT) staff is shaken.
• Your business is more susceptible to future attacks, particularly if you paid the ransom.

How can you prevent and manage ransomware attacks?

Ransomware isn’t completely avoidable, but there are steps you can take to reduce the likelihood you’ll be a victim. Here are four steps you can take to help prevent ransomware attacks.

Step 1: Assess your situation.

The longer it takes to recover your data, the longer your business isn’t operational. But if you already have a data recovery and continuity plan in place, you can better manage a ransomware attack. That is why a cybersecurity risk assessment goes a long way in prevention.

“Ask yourself if my systems were no longer accessible could my business continue to run,” Samani said. If the answer is no, it’s time to plan for the unthinkable.

Step 2: Give your employees cybersecurity chops.

Educating employees on how to stay safe online is extremely important, particularly if you offer remote access to employees working from home or outside the office. Clicking on a phishing link in an email or visiting a questionable website are still common ways to infect a network, which is why employees need to know what to be on the lookout for. It’s also important to require strong passwords and multifactor authentication when logging in to the network. Miller-Osborn said conducting phishing tests of your staff periodically won’t break the bank and will help identify any areas where further training is necessary.

Step 3: Fortify your network.

Ransomware attackers treat their operations as a business, focusing on targets that are easy to infiltrate. As a result, Clayton said one of the best defenses is making your company too expensive for hackers to attack. That means keeping systems up to date and patched, ensuring antivirus and antimalware software are set to update and run scans automatically and backing up your data regularly. It also means putting in place a business continuity plan if your data is held for ransom.

“You want the attackers to have to jump through as many hoops as possible,” Clayton said.

Step 4: Consider cyber liability insurance.

Many leading insurance companies offer what is known as small businesses cyber insurance. For under $2,000 per year, you can get protection from ransomware and other attacks. That is the case with many of the best insurance providers. Consider the providers below:

• AIG: AIG offers cyber insurance either as a stand-alone policy or as part of wider insurance coverage. Its CyberEdge product covers third-party claims for financial loss if you suffer a network breach or can’t protect clients’ confidential information. Depending on your policy, you can also cover costs associated with investigations by regulators, legal defense costs, Payment Card Industry Data Security Standard assessments and public relations. They also offer to reimburse any ransoms you pay to end a cybersecurity attack. 
• Chubb: Chubb is the largest provider of cybersecurity insurance in the country. They offer a pick-and-mix approach meaning that you can select just the features that are most suitable for your business. You can choose to include products like cyberattack detection and response, vulnerability management and security awareness training for your staff.
• Thimble: Thimble’s policies start from $100 and provide first-party coverage to help you pay for costs related to data breaches and third-party insurance for any legal defense you choose to mount. The first-party policies also include help toward the costs associated with cyber extortion, reputation repair, system failure and regulatory fines.

How do you remove ransomware?

Despite your best efforts, you may still fall victim to ransomware. It is possible to remove ransomware from your system and restore everything to how it was before the attack. However, it’s quite complicated so you might want to call in an IT expert to help you.

To remove ransomware from your network and then recover your data and systems, you or your IT expert will need to take the following steps:

• Isolate: Find which device has been infected on your system and remove it from your wider network. Many ransomware programs propagate from terminal to terminal so disconnecting it will stop it from spreading and causing further damage. 
• Identify: With the rest of your system protected, find out which type of ransomware program has infected your device. Excellent online resources that can help you do this include The No More Ransom Project, ID Ransomware and Kaspersky’s Ransomware Decryptor Tool.
• Remove: For most types of ransomware, standard antimalware and anti-ransomware software will hunt out and delete the malicious code. Manual removal is possible but you’ll almost certainly need an expert for that. Be aware that some ransomware deletes itself once they’ve encrypted the files on a device so this will need a different methodology. Whatever your approach, run a scan on your device afterward to make sure there are no remnants of the program.
• Recover: With the ransomware app now totally gone, use your OS’s system restore tools to return your device to how it was prior to the attack. If you’ve backed up data in the cloud, you can start the process of downloading any data you also hold locally. Change all your passwords and update your firewall and antimalware software so that they’re up to date.

You should alert your customers, investors and other critical constituents about the breach. They have a right to know, and you don’t want them to sue you for sitting on an attack. The more forthcoming and transparent you are, the more your clients will trust you.

Ransomware is scary and costly, but it doesn’t have to mean the end of your business. If you follow the above tips and back up your data on a regular basis, you should be able to survive a ransomware attack.

Donna Fuscaldo contributed to this article. Source interviews were conducted for a previous version of this article.