Ransomware attacks are on the rise, especially against businesses. To protect your organization, make sure you do the following:
- Train your employees to recognize, avoid and report ransomware.
- Reduce the attack surface.
- Prepare an IT response plan.
- Push out regular network patches.
- Use layered anti-ransomware tooling: endpoint protection with behavior detection, patch management, multi-factor authentication, off-site and offline backups, and a VPN for remote access rather than exposing RDP to the internet (decryption tools belong to recovery, not prevention).
For VPNs, we recommend NordVPN, since it has security tools such as Threat Protection, which blocks malicious sites and malware-laden downloads, and Double VPN, which encrypts your traffic twice. Keep in mind that a VPN protects traffic in transit; it does not stop a user from opening a malicious attachment, so treat it as one layer, not the whole defense.
Read the full article as we explain everything about ransomware, from understanding how ransomware attacks work to what to do after a ransomware attack.
Ransomware attacks have moved from spray-and-pray tactics to sophisticated and targeted strikes. The Ransomware Taskforce reports that 70% of all ransomware attacks in 2021 were directed at small businesses. This means that your business could easily be in the crosshairs of the next ransomware attacker if you don’t take steps to prevent ransomware.
No organization is ransomware-proof, and with attacks constantly evolving it can be hard to know where you stand. In this guide to preventing a ransomware attack, we’ll explain in layman’s terms what ransomware is, how it operates, and how to protect against ransomware attacks. Let’s dive in.
What is Ransomware?
Cybercriminals use ransomware to hijack computer systems and hold your files hostage. They then extort money, demanding a “ransom” before you can regain access to your files or your device.
Ransomware is often disguised as a legitimate file or program, so even eagle-eyed users can run it by mistake. Once it executes, it runs with that user’s privileges, and on most networks that is enough to reach shared drives and, with stolen credentials, other machines.
Ransomware is a payload, and it is delivered by the same mechanisms as other malware: trojanized attachments and installers, self-propagating worms (this is how WannaCry spread), and loaders dropped by an earlier infection such as a banking trojan.
Once inside, the attackers either encrypt your files so you can’t open them or lock you out of the device altogether. Increasingly, they also copy the data first so they can threaten to leak it.
How common is ransomware?
Below, we’ll share key statistics that demonstrate how big a threat ransomware is to businesses, as well as share what cybersecurity experts have to say about the state of ransomware.
Ransomware is growing at an alarming rate
- 66% of organizations suffered a ransomware attack in 2022, up from 37% in 2020. (Sophos)
- Ransomware attacks increased by 13% in a single year, a rise as large as the previous five years combined. (Verizon)
- Ransomware is projected to attack one organization every 2 seconds by 2031, up from every 11 seconds in 2021. (Cybersecurity Ventures)
Ransomware attackers are focusing on businesses
The FBI reports that ransomware hackers are targeting small and medium-sized businesses.
In 2021, the FBI’s IC3 received 3,729 ransomware complaints, more than half of them from small to medium-sized organizations. The FBI notes that as large businesses improve their cybersecurity, smaller ones have become the softer targets.
“Businesses are vulnerable because ransomware attacks are becoming easier to execute, with financial incentives and benefits for RaaS operators. All businesses are increasingly dependent on their data to conduct business operations. Ransomware impacts data integrity and availability and impedes the organization’s ability to effectively operate.”
— Vaishnav Vijayakumar, Building Security & Cyber Resilience Solutions at Google
The education, government, and healthcare sectors suffered the most attacks in 2022
Of all the sectors that suffered ransomware attacks in 2022, the education sector topped the list. From Centralia College in Washington to the University of Neuchâtel (UniNE) in Switzerland, various schools and school districts were hit by ransomware.
Coming in second are government agencies and counties, while hospitals and healthcare organizations made up the third most attacked sector.
These sectors are attractive targets because they hold large amounts of sensitive data, tolerate very little downtime, and often run on thin IT and security budgets, which together raise the likelihood of a payout.
Here’s a breakdown of the industries with the most attacks globally, according to Blackfog’s State of Ransomware 2022 report:
- Education (58)
- Government (54)
- Healthcare (53)
- Technology (38)
- Manufacturing (35)
- Services (30)
- Retail (26)
- Utilities (14)
- Finance (9)
Ransomware payouts have increased
Ransomware attackers focus on organizations that can pay big bucks. According to data gathered from Sophos’s State of Ransomware report, here’s what you should know about ransom payments:
- Ransom payments of more than $1 million have increased threefold since 2020.
- The average ransom payment is $812,360, up nearly five times from 2020.
- The highest ransom payments were in the manufacturing, production, energy and oil, and gas industries.
It’s also worth mentioning one of the largest publicly confirmed payouts: US travel services company CWT paid $4.5 million in Bitcoin to its attackers in 2020.
Warning:
We don’t recommend paying ransoms when you experience an attack. Instead, contact the relevant agencies for help: CISA and the FBI’s IC3 in the U.S., or the Dutch Data Protection Authority in the Netherlands.
How Do Ransomware Infections Work?
A typical ransomware infection occurs in four stages.
1. Attack campaign
Hackers can deploy ransomware in a number of ways, including:
- Exploit kit: An automated toolkit hosted on a compromised or malicious website that probes the visitor’s browser and plugins for unpatched vulnerabilities and, if it finds one, downloads and runs malware with no further user action.
- Malvertising: Attackers buy legitimate ad space and use the ad to redirect visitors to an exploit kit. Because the ad loads automatically, simply viewing a page can be enough.
- Social engineering: Attackers pose as technical support, customer reps, new employees or business leaders to talk staff into running a file, sharing credentials or granting remote access.
- Drive-by downloads: A malicious or compromised website installs malware as soon as a user visits it, typically by way of the exploit kits above.
- Remote desktop protocol (RDP): Attackers scan the internet for RDP (TCP port 3389) and other remote-access services left exposed, then brute-force weak passwords or log in with credentials bought from an initial access broker. Exposed RDP has been one of the most common entry points in targeted ransomware incidents.
However, the most common method of spreading ransomware is phishing. For example, you might receive an email with a malware-ridden attachment. Opening the attachment (and, for Office files, enabling macros) runs the malware and infects your device.
2. Infection and staging
Once the attachment runs, the ransomware is on the machine. It typically establishes persistence and may contact the attacker’s command-and-control server to register the victim. Modern strains generate their encryption keys locally and protect them with a public key embedded in the binary, so the files can only be unlocked with the attacker’s private key, and many strains can encrypt without ever reaching the internet. In targeted attacks this stage can last days or weeks while the intruders move laterally, steal data and locate the backups before they trigger encryption.
3. Scanning and encryption
The malware enumerates local drives and reachable network shares to find files worth encrypting, skipping system files so the machine stays bootable. This can take hours, depending on how much data is reachable. Before or during encryption it commonly deletes Windows Volume Shadow Copies and other local restore points (for example with vssadmin delete shadows), which is one reason those commands are worth alerting on. It then encrypts the target files, usually renaming them with a new extension, and may also lock the user out of the system.
4. Payday
The ransom note, dropped in every affected folder or shown on screen, tells the victim their files are encrypted, how much to pay and where to send it. Payment is almost always demanded in cryptocurrency, usually Bitcoin. Bitcoin is pseudonymous rather than anonymous: every transaction is public, and law enforcement has traced and in some cases recovered ransom payments, which is why some groups now prefer Monero.
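To make stage 3 concrete from the defender’s side, here is an added example (not from the original article or from any vendor’s product) of the kind of behavioral detection endpoint tools apply during scanning and encryption. It replays constructed file-activity telemetry of the sort an EDR, Sysmon or auditd agent would record and alerts when one process performs many extension-changing renames within a short window, or touches a canary file (“honeyfile”) that no legitimate workflow opens. The event format, process names, paths, canary location and thresholds are all assumptions.

```python
import os
from collections import defaultdict, deque

# Tuning knobs (assumed values; tune against your own batch jobs to avoid false positives):
WINDOW_SECONDS = 10.0     # sliding window per process
RENAME_THRESHOLD = 20     # extension-changing renames inside the window that trip an alert
CANARY_PATHS = {"/srv/finance/_canary_do_not_open.xlsx"}   # assumed honeyfile nobody should touch

# Constructed telemetry, not real logs. One event per line:
#   <unix_ts> <host> <pid> <image> <write|rename> <path> [<new_path>]
BENIGN_EVENTS = [
    "1700000000.0 ws-42 1200 WINWORD.EXE write /srv/finance/q3-forecast.docx",
    "1700000001.5 ws-42 1200 WINWORD.EXE rename /srv/finance/~WRD0001.tmp.docx /srv/finance/q3-forecast.docx",
    "1700000003.0 ws-42 1200 WINWORD.EXE write /srv/finance/q3-forecast.docx",
]
# A rogue process renaming 25 documents to a ransom extension in five seconds, then hitting the canary.
ROGUE_EVENTS = [
    f"{1700000100 + i * 0.2:.1f} ws-42 3344 svchost_update.exe rename "
    f"/srv/finance/doc{i:03d}.docx /srv/finance/doc{i:03d}.docx.locky"
    for i in range(25)
] + ["1700000106.0 ws-42 3344 svchost_update.exe write /srv/finance/_canary_do_not_open.xlsx"]
SAMPLE_EVENTS = BENIGN_EVENTS + ROGUE_EVENTS


def parse_event(line):
    """Split one telemetry line into a dict; new_path is only present for renames."""
    fields = line.split()
    ts, host, pid, image, op, path = fields[:6]
    return {"ts": float(ts), "host": host, "pid": int(pid), "image": image,
            "op": op, "path": path, "new_path": fields[6] if len(fields) > 6 else ""}


def extension_changed(path, new_path):
    """True when a rename changes the extension, e.g. report.docx -> report.docx.locky."""
    return os.path.splitext(path)[1].lower() != os.path.splitext(new_path)[1].lower()


def detect(lines):
    """Return one alert per (kind, host, pid) for canary access and mass extension-changing renames."""
    alerts, seen = [], set()
    windows = defaultdict(deque)  # (host, pid) -> timestamps of recent extension-changing renames

    def raise_alert(kind, ev, **extra):
        key = (kind, ev["host"], ev["pid"])
        if key not in seen:            # report each process once per alert type
            seen.add(key)
            alerts.append({"kind": kind, "host": ev["host"], "pid": ev["pid"],
                           "image": ev["image"], "ts": ev["ts"], **extra})

    for line in lines:
        ev = parse_event(line)
        # Rule 1: any access to a honeyfile is suspicious on its own.
        if ev["path"] in CANARY_PATHS or ev["new_path"] in CANARY_PATHS:
            raise_alert("canary", ev, path=ev["path"])
        # Rule 2: many extension-changing renames by one process in a short window.
        if ev["op"] == "rename" and extension_changed(ev["path"], ev["new_path"]):
            recent = windows[(ev["host"], ev["pid"])]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > WINDOW_SECONDS:
                recent.popleft()       # drop renames that fell out of the window
            if len(recent) >= RENAME_THRESHOLD:
                raise_alert("mass_rename", ev, count=len(recent), window_s=WINDOW_SECONDS)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the equivalents are EDR behavioral rules, file-server honeyfile monitoring and file screens; the window and threshold have to be tuned against legitimate bulk activity such as archiving or build jobs, and the response to a hit should be automatic isolation of the host, since by the time a human reads the alert the encryption is usually well under way.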
Types of Ransomware
Knowing the different kinds of ransomware will help you know how to prevent ransomware attacks. Ransomware is constantly evolving, but we have grouped the different kinds into five broad categories.
Kind of Ransomware | Description | Example |
---|---|---|
Encrypting (crypto) ransomware | Encrypts files on the machine and on any reachable network shares (documents, databases, images, backups) but leaves the operating system usable so the victim can read the ransom note and pay. This is by far the most common type today. | Locky. WannaCry, which spread as a worm and affected over 230,000 devices in 150 countries in 2017, also belongs here: it encrypted files rather than locking the screen. |
Locker ransomware | Blocks access to the device itself, usually by replacing the desktop with a full-screen ransom note or tampering with the boot process; files are often left intact. For businesses the result is downtime rather than data loss, and a rebuild from a gold image usually resolves it. | The 2012 “police” lockers such as Reveton, which displayed a fake law-enforcement notice. Petya’s bootloader overwrite is a locker-style component on top of encryption. |
Scareware | Fake warnings claim the system is infected or compromised and demand payment for a “fix”, although nothing has actually been encrypted. Frightened users often pay only to realize their systems were fine all along. Scareware mostly targets individuals. | A malvertising campaign on the Minneapolis Star Tribune’s website pushed scareware and swindled users out of several thousand dollars. |
Ransomware as a service (RaaS) | Not a technical category but a business model: developers lease their ransomware and payment infrastructure to affiliates, who carry out the intrusions and split the ransom. It lets actors with little technical skill run attacks and is how most large-scale operations work today. For an in-depth look, read our deep dive into ransomware as a service (RaaS). | Ryuk, the strain that disrupted printing of the Los Angeles Times and other Tribune newspapers in December 2018. |
Doxware/Leakware | Attackers steal data before encrypting it and threaten to publish it unless paid, so backups alone do not end the extortion. This “double extortion” is now standard practice among major gangs and is especially painful for businesses holding customer financial or health data. | The 2014 Sony Pictures breach, in which attackers leaked stolen internal documents and emails, is the commonly cited precursor of today’s leak-based extortion. |
How to Prevent Ransomware Attacks
Thankfully, there are several actions you can take to avoid being at the mercy of ransomware attacks. Here are six best practices to protect against ransomware.
1. Train your workers to detect, avoid and report ransomware
Most ransomware intrusions start with a person: an employee opens a malicious attachment, enables macros, or reuses a password that is later phished. However robust your security stack, one such mistake can give ransomware a foothold, so training is a no-brainer. It’s particularly important if you run a bring-your-own-device (BYOD) model or remote working.
Your training should cover the following:
- Identifying ransomware vectors (especially phishing attacks)
- Using only company-approved devices and networks for work
- Password hygiene, including use of a password manager and multi-factor authentication
- Regularly updating your operating system, applications, and firmware
- How to respond and react to threats
- Simulated spearphishing campaigns, with the results used for coaching rather than punishment
As a rule of thumb, ransomware prevention training should be scheduled periodically. For instance, you can have thorough training once every couple of months to keep up with evolving threats.
You can schedule emergency training if you notice that workers are not following your cybersecurity standards. Also, constantly remind employees to go over your cybersecurity playbook.
2. Schedule frequent and automated off-site backups
Even if you pay the ransom, there’s no guarantee that the attackers will hand over a working decryptor. Restorable backups are the best way to recover from a ransomware attack.
We recommend that you regularly back up your systems off-site and, crucially, keep at least one copy offline or immutable. Backups that sit on a network share reachable with domain credentials are routinely found and encrypted or deleted before the ransomware is triggered. Follow the 3-2-1 rule (three copies, on two kinds of media, one off-site), use separate credentials for the backup system, and test restores regularly so you know they work.
You can also use cloud storage, which typically comes with strong encryption and multi-factor authentication. We recommend MEGA as it topped all our security tests.
As we mentioned earlier, locker ransomware completely shuts you out of your system. To avoid this standstill, be sure to maintain updated “gold images” and backup hardware of your key systems. That way, you can rebuild your system.
“One of the most important things businesses can do is ensure that their systems and data are properly backed up. This way, even if their files are encrypted by ransomware, they’ll still have access to a clean copy to restore. It’s also crucial to update every software, as many ransomware strains exploit known vulnerabilities in outdated programs. By patching these gaps, companies will make it much harder for attackers to gain a foothold on their network.”
— Morten Kjaersgaard, CEO at Heimdal
3. Reduce the attack surface
As a business or IT leader, your job is to minimize the points of ransomware attacks:
- First, conduct a sweeping audit of your company’s security architecture: what is exposed to the internet (RDP, VPN gateways, file shares, web apps), who has admin rights, and which systems are unpatched. Then implement controls to reduce the chances of a ransomware attack succeeding, starting with closing or putting behind MFA anything reachable from the outside.
- Apply the least-privilege principle so workers only have access to the systems and services they need to do their job. Ordinary users should not be local administrators, since most ransomware needs those rights to delete shadow copies and disable protections. Limit the number of people who can install and run software, get rid of redundant accounts and groups, and keep root and domain-admin use rare and logged.
- Deploy email filtering that enforces SPF, DKIM and DMARC, strips or sandboxes risky attachments (macro-enabled Office files, scripts, ISO and LNK files), and blocks known-malicious links before they can wreak any havoc. Multi-factor authentication is a must-have, especially on remote access (VPN, RDP, email) and on admin accounts.
With these steps, you’ll make it harder for malicious actors to break into your system and prevent ransomware in the long run.
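As an added example (not code from the original article or from any product mentioned on this page) of the phishing-filter logic the third bullet calls for, the Python below inspects three constructed messages: one spoofing the company’s own domain, one sent from a look-alike domain with a macro-enabled attachment, and one legitimate vendor mail. It reads the Authentication-Results header a receiving mail server adds, checks that mail claiming to come from the internal domain passed DMARC, flags look-alike sender domains, and quarantines risky attachment types. The domain names, header values and extension list are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"          # assumed: the organisation's own mail domain
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".scr", ".lnk", ".iso", ".docm", ".xlsm"}

# Constructed messages, not real mail. The receiving MTA added the Authentication-Results header.
SPOOFED_CEO = """\
From: CEO <ceo@example-corp.com>
Subject: Urgent wire transfer
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=ceo@example-corp.com; dkim=none; dmarc=fail header.from=example-corp.com
Content-Type: text/plain

Please process the attached invoice today.
"""

# The attacker's own look-alike domain passes SPF/DKIM/DMARC: authentication alone is not safety.
LOOKALIKE_MACRO = """\
From: IT Helpdesk <helpdesk@examp1e-corp.com>
Subject: Password policy update (action required)
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=helpdesk@examp1e-corp.com; dkim=pass header.d=examp1e-corp.com; dmarc=pass header.from=examp1e-corp.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Enable macros to view the new policy.
--b1
Content-Type: application/octet-stream; name="policy.docm"
Content-Disposition: attachment; filename="policy.docm"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

LEGIT_VENDOR = """\
From: Billing <billing@supplier-example.net>
Subject: Invoice 1042
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=billing@supplier-example.net; dkim=pass header.d=supplier-example.net; dmarc=pass header.from=supplier-example.net
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Invoice attached as PDF.
--b2
Content-Type: application/pdf; name="invoice-1042.pdf"
Content-Disposition: attachment; filename="invoice-1042.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b2--
"""


def auth_results(msg):
    """Pull spf=/dkim=/dmarc= results out of the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", header.lower()))


def normalise_domain(domain):
    """Fold common homoglyph substitutions so examp1e-corp.com compares equal to example-corp.com."""
    return (domain.lower().replace("0", "o").replace("1", "l")
            .replace("rn", "m").replace("vv", "w"))


def assess(raw_message):
    """Return a verdict ('deliver', 'flag' or 'quarantine') and the reasons behind it."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    results = auth_results(msg)
    reasons = []

    # Mail claiming to be from our own domain must pass DMARC; anything else is a spoof.
    if sender_domain == INTERNAL_DOMAIN and results.get("dmarc") != "pass":
        reasons.append(f"spoof: {sender} claims {INTERNAL_DOMAIN} but dmarc={results.get('dmarc', 'missing')}")
    # A domain that only equals ours after homoglyph folding is a look-alike.
    if sender_domain != INTERNAL_DOMAIN and normalise_domain(sender_domain) == normalise_domain(INTERNAL_DOMAIN):
        reasons.append(f"lookalike: {sender_domain} imitates {INTERNAL_DOMAIN}")
    # Executable, script and macro-enabled attachments are the classic ransomware droppers.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            reasons.append(f"risky attachment: {name}")

    if any(r.startswith(("spoof", "risky")) for r in reasons):
        verdict = "quarantine"
    elif reasons:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "sender": sender, "reasons": reasons}


if __name__ == "__main__":
    for raw in (SPOOFED_CEO, LOOKALIKE_MACRO, LEGIT_VENDOR):
        print(assess(raw))
```

The second message is the one worth studying: the attacker registered their own domain, so every authentication check passes, and only the look-alike comparison and the attachment type catch it. Real gateways add URL rewriting, sandbox detonation and reputation data on top of this, but the order of checks (authenticate, then judge the sender, then judge the payload) is the same.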
4. Prepare an IT response plan
“Have an incident response plan that is tested, updated and effective. Run a cyber tabletop exercise with senior management to ensure understanding and good communication 360 degrees.”
— Dan Lohrmann, Internationally recognized cybersecurity leader
A good IT response document spells out specific steps and processes to take when a malware attack occurs. This ensures that there’s no confusion or knee-jerk reactions when responding to threats.
The U.S. National Institute of Standards and Technology (NIST) describes a four-phase incident response lifecycle in its Computer Security Incident Handling Guide (SP 800-61), which is a good skeleton for your own plan. The phases are summarized in the table below.
Step | Key Actions |
---|---|
Preparation | Stand up the incident response team (typically IT managers, legal counsel and communications officers), agree who is called and in what order, and document what to do with each software and hardware asset. This is also when you harden systems and set up the logging you will need later. |
Detection, analysis and reporting | Investigate the alert to understand where the attack came from, what it has touched and the best course of action. Preserve logs and disk images as you go. At this stage the organization must also notify regulators, insurers and stakeholders within any deadlines that apply. |
Containment, eradication and recovery | Isolate affected systems, remove the attackers’ access and tooling, then restore from clean backups or rebuild from gold images and tighten security before reconnecting. Keep gathering evidence in case you want to take legal action. |
Post-incident activity | Once the network and data are back, sit down and consider the lessons learned. What vulnerabilities did the attacker exploit? Did containment and recovery work as planned? What can you do to forestall future attacks? |
5. Push out regular network patches
Ransomware attackers are constantly coming up with new variants to outwit defenses, and if you’re running an out-of-date system you’re vulnerable to all of them. Regularly update your operating systems, applications and firmware. These updates close the vulnerabilities that ransomware and the tools that deliver it exploit: WannaCry spread through a Windows SMB flaw that Microsoft had patched two months earlier (MS17-010).
Instead of updating devices by hand, configure them to update automatically so you never miss an important security patch, and prioritize internet-facing systems (VPN gateways, firewalls, mail servers, anything with RDP), since those are the first to be probed after a new vulnerability is published.
6. Use anti-ransomware security solutions
There are a handful of cybersecurity tools that can help ensure ransomware protection. Here’s a quick look at some of them and what they do:
- Endpoint protection (antivirus/EDR): Detects and blocks malicious files and, with behavior detection, the mass-encryption activity itself
- Backup software: Keeps restorable copies of your files and systems, ideally with one offline or immutable copy
- VPN tools: Encrypt your traffic on untrusted networks such as public Wi-Fi and give remote staff a way in that doesn’t require exposing RDP to the internet
- Password managers: Generate and store unique passwords so one phished credential doesn’t open every system
- Patch management tools: Regularly updates computers in your network
- Anonymous browsers: Obscures your traffic while browsing
If you can’t deploy all of these, start with the layers that directly stop or let you survive an attack: offline backups, patching, multi-factor authentication and endpoint protection. A VPN on its own is not ransomware protection, but it is a sensible part of the stack for remote access, and NordVPN is our pick: its Threat Protection feature blocks phishing sites and malware-laden downloads, and its Double VPN feature routes traffic through two servers, encrypting it twice.
“At the very least, an organization must have implemented MFA, patch management, version control, BCDR and a strong security awareness campaign. Even then, organizations must recognize that ransomware attacks can, and probably will, happen. I’m aware that many people will talk about the need for 24/7 real-time monitoring of one’s network. However, these sorts of services are very expensive, and the majority of the SME industry cannot maintain these sorts of services. And as such, they will remain the easiest targets for ransomware attacks.”
— Nadeem de Vree, Global Chief Information Security Officer at PPG
What to Do After a Ransomware Attack
The IT response plan above says you need to detect, analyze and report an incident. Here are the specific steps for doing that when ransomware actually hits:
1. Define the threat level
The first step to handling a ransomware attack is determining the extent of the breach. That way, you can use your energies and resources judiciously. In general, you can group threats into three levels:
- Low-level threat: Minimal impact on business systems, and the organization can still provide all services to clients. A single infected workstation with no shared data affected, or nuisance malware such as adware, falls under this category.
- Medium-level threat: Some aspects of the organization’s services and valuable data have been affected, and certain systems are down.
- High-level threat: The business’s critical services are impacted, and it can’t provide services to users.
2. Isolate the attack surface to reduce infection
As soon as ransomware is detected, disconnect the affected machines from the network (pull the cable, disable Wi-Fi, or block them at the switch) and take the shares and backups they can reach offline, so the infection can’t spread to every device. Disconnect rather than power off where you can: memory may hold the encryption keys and evidence, and powering down is the fallback for a device that can’t be isolated. Then scan the rest of the network to gauge how far the ransomware has spread and to fish out dormant copies waiting to run.
3. Inspect and identify the type of ransomware
Not all ransomware are created equal. They differ in how they affect systems and how much damage they can do.
For instance, Petya overwrites the Master Boot Record and encrypts the NTFS Master File Table, so the machine can’t even boot, which makes recovery without a decryptor difficult. The Jigsaw variant, on the other hand, encrypts files and displays a countdown timer, deleting batches of files as the clock runs (and many more if the victim reboots) and threatening to delete everything when it expires.
Knowing the kind of ransomware you’re confronted with helps you know which remediation measures to implement. It can also help you gauge the target files and what the malware intends to do.
4. Start tracing the attack vector
The next step is to work out how the attackers got in. Start from the first system that showed encryption and walk backwards through authentication logs (Windows logon events 4624/4625, VPN and RDP gateway logs, mail gateway logs): which account first touched the affected shares, where did that account log on from, and where did that session originate? Look for accounts created or promoted shortly before the attack, logons from unfamiliar IP addresses, and RDP or VPN sessions at odd hours. If there’s no clear entry point, check which user account was last modified and when. Once you have the entry point, you can close it before the attackers (or the next ones) use it again.
Identifying the ransomware family (step 3) helps here too: upload the ransom note and an encrypted file to ID Ransomware, which names the strain, and vendor write-ups for that strain usually describe its typical initial access vector. Public incident databases and search engines can fill in the rest.
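The tracing step is easiest to see on data. Below is an added example (not from the original article) that walks a constructed SIEM export backwards from the host where encryption was detected: at each hop it takes the last logon onto that host before the cutoff, preferring the account already under suspicion, jumps to the source machine, and stops when the source address is outside the internal ranges. It also collects non-logon events by the accounts involved, such as account creation, which is where the “last modified user account” mentioned above shows up. Hostnames, addresses, the log format and the inventory mapping are assumptions.

```python
import ipaddress
from datetime import datetime

# Assumed inventory: which internal address belongs to which host, and what counts as "inside".
INVENTORY = {"10.0.5.2": "vpn-gw", "10.0.20.42": "ws-42", "10.0.20.17": "ws-17",
             "10.0.1.10": "dc01", "10.0.1.20": "fs01"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INTERACTIVE_LOGONS = {"rdp", "vpn", "interactive"}

# Constructed SIEM export, not real logs. Format: "<iso-ts> <host> <event> key=value ..."
SAMPLE_LOG = """\
2024-03-01T01:55:00Z ws-17 logon user=amurphy src=10.0.20.17 type=interactive
2024-03-01T02:10:07Z vpn-gw logon user=jsmith src=203.0.113.5 type=vpn
2024-03-01T02:14:30Z ws-42 logon user=jsmith src=10.0.5.2 type=rdp
2024-03-01T02:31:12Z dc01 logon user=jsmith src=10.0.20.42 type=network
2024-03-01T02:40:00Z dc01 new_user user=jsmith target=svc_update
2024-03-01T02:45:10Z fs01 logon user=amurphy src=10.0.20.17 type=network
2024-03-01T03:05:44Z fs01 logon user=svc_update src=10.0.20.42 type=rdp
2024-03-01T03:20:00Z fs01 encryption_detected user=svc_update
"""


def parse_log(text):
    """Turn the export into dicts with real timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        ts, host, name, *pairs = line.split()
        ev = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "host": host, "event": name}
        ev.update(pair.split("=", 1) for pair in pairs)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_external(ip):
    """An address outside our ranges is the attacker's side of the initial access."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                      # console/hostname sources: treat as unknown origin
    return not any(addr in net for net in INTERNAL_NETS)


def trace(events, impacted_host, detection_ts, suspect_user=None, max_hops=8):
    """Walk logons backwards from the impacted host to the first logon from outside the network."""
    logons = [e for e in events if e["event"] == "logon"]
    chain, host, cutoff, user = [], impacted_host, detection_ts, suspect_user
    for _ in range(max_hops):
        prior = [e for e in logons if e["host"] == host and e["ts"] < cutoff]
        same_user = [e for e in prior if e["user"] == user]
        interactive = [e for e in prior if e["type"] in INTERACTIVE_LOGONS]
        candidates = same_user or interactive
        if not candidates:
            break
        hop = candidates[-1]             # latest matching logon before the cutoff
        chain.append({"host": host, "user": hop["user"], "src": hop["src"],
                      "type": hop["type"], "ts": hop["ts"]})
        if is_external(hop["src"]) or hop["src"] not in INVENTORY:
            break                        # reached the entry point
        host, cutoff, user = INVENTORY[hop["src"]], hop["ts"], hop["user"]

    initial = chain[-1] if chain and is_external(chain[-1]["src"]) else None
    involved = {h["user"] for h in chain}
    start = initial["ts"] if initial else None
    # Non-logon activity by the accounts in the chain (account creation, service installs, ...)
    related = [e for e in events
               if e["event"] != "logon" and e.get("user") in involved
               and (start is None or start <= e["ts"]) and e["ts"] < detection_ts]
    return {"chain": chain, "initial_access": initial, "related": related}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    detection = next(e for e in events if e["event"] == "encryption_detected")
    result = trace(events, detection["host"], detection["ts"], detection["user"])
    for hop in result["chain"]:
        print(f"{hop['host']:7} <- {hop['src']:14} {hop['user']:11} {hop['type']:5} {hop['ts'].isoformat()}")
    print("initial access:", result["initial_access"])
    print("related:", result["related"])
```

On the sample data the walk goes fs01 (svc_update via RDP from ws-42), ws-42 (jsmith via RDP from the VPN gateway), vpn-gw (jsmith from 203.0.113.5), and the related events show jsmith creating svc_update on the domain controller in between: the entry point is a VPN logon with jsmith’s credentials, and the account to disable, re-credential and investigate is jsmith, not just the one that ran the encryption. Real logs are noisier, and the “latest interactive logon” heuristic will need help from process-creation and file-share audit events, but the direction of the walk is the same.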
5. Report the attack
When you experience a ransomware attack, be sure to alert the right regulatory and law enforcement agencies.
If you’re in the U.S., immediately alert the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI’s Internet Crime Complaint Center (IC3).
Report the situation to your local law enforcement, as well.
If you’re in the Netherlands, a breach involving personal data must be reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours, as the GDPR requires.
You can also file a report with the following national agencies and portals to help with the war against ransomware:
- United States: Report Fraud
- United Kingdom: Action Fraud
- Canada: Canadian Anti-Fraud Centre
- Germany: Bundesamt für Sicherheit in der Informationstechnik
Steps to Take for Ransomware Recovery
It’s hard to know which course of action to follow when recovering from a ransomware attack. Below are a few helpful tips to give you a headstart.
1. Attempt ransomware removal
“Sites such as No More Ransom may be able to help as they can match some ransomware with free tools to remove it. Alternatively, they may try your antivirus software or search online, using a smartphone and cellular data. After this, they’ll be resetting all credentials, safely wiping the infected systems, and reinstalling the operating system.”
— Jane Frankland, Award-Winning Cybersecurity Leader
Removing the malware and recovering the files are two different jobs. Antivirus can delete the ransomware binary, but the encrypted files stay encrypted until you have the key or a working decryptor. Thankfully, the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee joined forces to create No More Ransom, which hosts free decryptors for strains whose keys have been recovered or whose cryptography was flawed.
Upload a ransom note and an encrypted file through the site’s Crypto Sheriff tool, or search by the malware name, to check whether a decryptor exists. Keep the encrypted files even if none is available today: decryptors are sometimes released later, when keys leak or a gang shuts down.
2. Restore a clean backup
A backup can restore data in the event of a ransomware attack. Restore from a clean copy taken before the intrusion, not merely before the encryption: attackers often sit in the network for days or weeks, so recent backups may already contain their tools and backdoors. Verify the backup against the hashes or manifest recorded when it was made, scan it thoroughly with an up-to-date antivirus/malware scanner, and restore onto rebuilt systems rather than the compromised ones.
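Both the backup advice earlier in the guide and this restore step depend on knowing that the copy is intact. The added example below (not from the original article and not any backup product’s code) records a SHA-256 manifest when a backup is taken and, before a restore, compares the backup tree against it, reporting files that are missing, changed or unexpected and flagging new or changed files whose byte entropy looks like ciphertext. The demo builds a throwaway backup tree, tampers with it the way ransomware would, and verifies it; the directory layout, file names and the 7.5 bits-per-byte entropy threshold are assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # assumed: bits/byte above which a file looks encrypted (random data is ~8.0)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte; plain text sits around 4-5, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def looks_encrypted(path, sample_bytes=65536):
    with open(path, "rb") as f:
        return shannon_entropy(f.read(sample_bytes)) > ENTROPY_THRESHOLD


def build_manifest(root):
    """Map every file under root (relative, forward-slash paths) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the backup tree against the manifest taken when the backup was made."""
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "suspicious": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = [rel for rel in current if rel not in manifest]
    # High entropy in a file that is new or changed since the manifest is the ransomware signature.
    # Archives and already-encrypted backups also score high, so only changed files are examined.
    for rel in report["modified"] + report["unexpected"]:
        if looks_encrypted(os.path.join(root, rel)):
            report["suspicious"].append(rel)
    for key in report:
        report[key].sort()
    return report


def run_demo():
    """Build a throwaway backup, take its manifest, tamper like ransomware would, then verify."""
    with tempfile.TemporaryDirectory() as root:
        files = {"invoices/2024-01.txt": b"Invoice 1042: 40 hours consulting, net 30.\n" * 50,
                 "hr/handbook.txt": b"Welcome to the company. Report phishing to the helpdesk.\n" * 50}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)      # in practice: stored write-once, off the backup host

        # Simulated tampering: one file overwritten with ciphertext and renamed, plus a ransom note.
        victim = os.path.join(root, "invoices", "2024-01.txt")
        with open(victim, "wb") as f:
            f.write(os.urandom(4096))
        os.rename(victim, victim + ".locky")
        with open(os.path.join(root, "README_TO_DECRYPT.txt"), "wb") as f:
            f.write(b"Your files are encrypted. Pay 2 BTC to recover them.\n")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key:10} {paths}")
```

The manifest is only as trustworthy as where it lives: keep it (or a signed copy of it) on a system the backup credentials cannot write to, otherwise an intruder who reaches the backups can rewrite the manifest too. Object storage with object lock or a write-once appliance is the usual answer, and the same check run on a schedule doubles as an early warning that someone is tampering with backups ahead of an encryption run.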
3. Seek advice before paying a ransom
Paying a ransom should be the last resort. There’s no guarantee that when you pay a ransom, the hacker will restore all your files and give you access to your system.
According to the Sophos State of Ransomware 2022 report, only 4% of organizations that paid a ransom got all of their data back, although 99% got at least some of it back.
We recommend that you consult law enforcement, regulatory agencies, your insurer and your IT partners before deciding to pay. In some jurisdictions paying a sanctioned group can itself be illegal; the U.S. Treasury’s OFAC has issued advisories to that effect.
4. Notify your customers and stakeholders
It’s important to alert your customers and all relevant stakeholders about any ransomware breach. That way, you can explain the situation and reassure customers that you’re working to resolve the issue.
Furthermore, you have to notify regulatory authorities in a timely manner or risk penalties. For instance, the European Union’s General Data Protection Regulation (GDPR) requires a personal-data breach to be reported to the supervisory authority within 72 hours of becoming aware of it, and affected individuals must be told without undue delay where the risk to them is high. Missing the deadline exposes you to fines.
Conclusion: Take Steps to Prevent Recurring Ransomware Infections
When it comes to ransomware, prevention is better than cure. Rather than wait to react after an attack, make your devices and systems resistant to cyber threats. Always keep an eye on the world of ransomware to understand the trends and prepare for such attacks.
Here are a few articles that can help you harden your business’s devices and systems:
- A Beginners Guide to Cybersecurity for Small Businesses
- 10 Cyber Security Tips to Keep Your Small Business Safe
- What Is Business Email Compromise (BEC)? Tips for Prevention
- Everything You Need to Know About Insider Threats in 2024
If you still have a few questions about ransomware, the short answers below might help.
You prevent ransomware by keeping systems patched, enforcing least privilege and multi-factor authentication, and keeping offline backups. Layer on tools such as endpoint protection, a password manager, backup software and, for remote access, a VPN. Above all, have an IT policy document that spells out best practices and train your employees to follow it. Learn more prevention tips in our ransomware prevention guide.
The best way to prevent ransomware attacks is to train your employees to identify, avoid, and report suspicious activity, and to regularly back up your systems and data so that an attack is survivable. Combine that with anti-ransomware controls: endpoint protection, strong unique passwords, multi-factor authentication and a VPN for remote access. You’ll find more details about stopping ransomware in our complete ransomware prevention guide for businesses.
You stop ransomware by keeping systems secure and constantly updated, limiting who can install and run software, and training staff to practice good cyber hygiene, since employee mistakes are a common way attackers get in. Use endpoint protection with behavior detection alongside your VPN and backups. We dig deeper into all these tips and more in our ransomware prevention guide for businesses.
Ransomware is commonly caused by:
- Phishing attacks
- Poor user practices and lack of training
- Weak access management systems
In our ransomware prevention guide, we explain how to ensure your business doesn’t fall victim to ransomware attacks through the above-mentioned ways and weaknesses.