What is ransomware — definition, examples, and prevention

Today’s companies and organizations are gathering and working with tremendous amounts of data, making it one of the most valuable commodities on the market. This does not escape the attention of various cyber criminals; attacks meant to damage or leak data are common. A ransomware infection is one of the most popular methods of attacking a company’s database. In this article, you will learn how ransomware works, some common examples, and how to improve ransomware security in your IT structures.

What is ransomware?

A ransomware attack attempts to encrypt the user’s data, often targeting large amounts of crucial files and locking them with a unique key. When the infected file or link is opened, many of the user’s files become encrypted (meaning they are unusable until decrypted). As in a kidnapping, the user is then presented with a ransom note. Practically all ransomware attacks require human error on the user’s side; the attackers most often gain entry via phishing, disguising their e-mails, links, or attachments as legitimate services.

Ransom notes often include a short introduction explaining what is happening to the user and, most importantly, the details regarding the ransom. The note includes details on performing the desired transaction via cryptocurrency to receive the key. Using cryptocurrency for this payment makes the receiver virtually untraceable, allowing them to receive the money and transfer the key in exchange.

Most ransomware also includes a timer. This commonly means that if the ransom isn’t paid within a certain time, the encrypted files are permanently deleted, or the ransomware proceeds to encrypt more files. This puts pressure on the infected users, giving them little time to find a solution.

Ransomware is dangerous to single users as well as to cloud databases. Although most ransomware attacks are directed at on-site data, if a user connects an infected endpoint to a cloud, the infection can spread further and encrypt data stored within that cloud environment. This makes ransomware a very dangerous method of extorting money. It is also very effective: over the last couple of years, there has been a significant increase in the money earned through ransomware infections. In 2021, attackers managed to extort a total of $20 billion.

Ransomware as a Service

The reason behind this rise in the popularity of ransomware attacks is that while ransomware security is constantly improving, so are the ransomware methods. Not only are the attacks now more intricate than ever, but one of the main reasons for their growing popularity is a new method of ransomware distribution: RaaS.

Ransomware as a Service, RaaS for short, is a new model that allows criminal organizations to ‘rent out’ their ransomware to other users. Customers typically sign up via darknet forums, often paying a hefty fee in cryptocurrency. The RaaS market now offers a very sophisticated set of options, with most new ransomware subscriptions including easy-to-use interfaces and even 24/7 customer support. The attacker simply enters the details of the victims they want to be hit with ransomware and waits for the effects. Owners of the ransomware service most often also take a cut of each ransom payment.

Nowadays, there is a wide selection of different ransomware methods, giving potential attackers a wide range of maneuvers. Some of the most infamous ransomware include:

  • RYUK ransomware

Commonly attributed to the WIZARD SPIDER hacker group, RYUK ransomware has wreaked havoc in some of the most important organizations in the world. Responsible for attacks on governmental and health organizations, but also on large companies such as the New York Times and the Wall Street Journal, RYUK remains one of the most notorious ransomware examples active today. RYUK ransomware has earned around $150 million from various attacks, making it one of the more lucrative cyber-attack methods.

Upon executing the infected file or clicking the link, RYUK shuts down all the processes and services which could prevent its work and proceeds to encrypt various kinds of data with a double encryption key. With remote encryption and a double encryption key, RYUK ransomware will likely remain a significant danger.

  • Petya ransomware

Petya began spreading on the internet around 2017 and was offered as a RaaS, making it a fairly new ransomware method. Petya mostly attacks businesses through their HR departments: the attackers send a phishing e-mail containing a link to a drop box that supposedly holds a candidate’s resume. Upon execution of the infected file, Petya shuts down and reboots the computer. After the restart, users are greeted by a skull and crossbones and then presented with a ransom demand. The ransom generally starts at around $400 and increases incrementally over time.

Petya ransomware is very dangerous and under constant development, which keeps increasing its deadliness. In May 2017, it even got its own backup ransomware, Mischa. If the security settings prevent the original infected file from installing Petya, it installs Mischa instead, which needs only very basic privileges to encrypt the data. This allows Petya to infect your files even if you follow appropriate security measures.

  • WannaCry

Perhaps the most infamous on this list, WannaCry made mainstream news when it wreaked havoc among users in May 2017. It spread using EternalBlue, an exploit for a Windows vulnerability, which allowed WannaCry to encrypt the data of infected users. Although Windows had released a security patch for this flaw, WannaCry preyed upon all the users who had not updated their Windows software.

WannaCry ransomware managed to infect over 200 000 computers in just hours before a kill switch was discovered, severely slowing down the ransomware spread. Although this has reduced the possible threat from WannaCry, the ransomware still causes issues up to this day.

Unlike the other types of ransomware, WannaCry contains a worm component, meaning it can propagate without human action. The ransomware can not only encrypt but also delete the infected files, giving it a wide range of possible damage. When a user becomes infected, they lose access to the files and are greeted with a pop-up window explaining what is happening and how to retrieve them.

How to avoid ransomware?

One of the dangers of ransomware is how difficult it is to remove. Once a computer is infected, ransomware removal is very difficult or even impossible. Because of how most keys are encrypted, recovery can be hard to manage within the time the attackers give, even with a proper decryption tool.

Paying the attackers is not a good idea either. Although most attackers claim that you will receive the key immediately after a successful transaction, there is in fact no certainty that they will keep their end of the bargain. There have been many reports of victims never receiving the key, even after transferring a large sum of money in cryptocurrency. Organizations that have been targeted once also often experience further attacks.

Ransomware removal can prove challenging when your database has been encrypted. Because of this, the best way of avoiding ransomware is simply not to get infected in the first place. If you want to increase your data’s security, consider these two methods:

  • Educate your team

Most of the ransomware infections happen due to human error. This includes accidentally typing in your login credentials on a fake phishing site or clicking an infected link or an attachment. Keeping your team updated on cyber security matters can greatly improve your overall safety and give your employees the knowledge to avoid falling victim to ransomware attacks.

  • Back up your data regularly

In a worst-case scenario, it can be impossible to decrypt the files after a successful attack. If your data gets encrypted by ransomware, the only surefire way to get it back is to restore a backup. Performing regular backups improves the overall safety of your organization’s IT infrastructure and lets you simply restore the encrypted data if an attack happens.
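A backup is only useful if the copy you restore is clean, so it pays to record what each file looked like at backup time and check it before restoring. The script below is an added example, not code from the article or from Storware’s product: it builds a SHA-256 manifest of a backup set and later verifies a copy against it, flagging files whose hash changed and whose bytes look random (high Shannon entropy, typical of encrypted content) as suspected ransomware damage. The file names, contents and the 7.5 bits-per-byte threshold are constructed assumptions; the manifest is assumed to be stored with the backup, separately from production systems.

```python
# Added example, not part of the article or of Storware's product: record a SHA-256
# manifest of a backup set, then verify a later copy against it. A file whose hash changed
# *and* whose bytes look random (high Shannon entropy) is flagged as suspected encryption.
import hashlib
import math
import pathlib
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; text and office documents sit well below this

def sha256_file(path):
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()

def shannon_entropy(data):
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256, taken at backup time."""
    root = pathlib.Path(root)
    return {str(p.relative_to(root)): sha256_file(p) for p in root.rglob("*") if p.is_file()}

def verify_against_manifest(root, manifest):
    """Return {relpath: 'ok' | 'missing' | 'modified' | 'suspected_encrypted'}."""
    report = {}
    for rel, expected in manifest.items():
        full = pathlib.Path(root, rel)
        if not full.exists():
            report[rel] = "missing"
        elif sha256_file(full) == expected:
            report[rel] = "ok"
        else:
            sample = full.read_bytes()[: 1 << 20]  # the first 1 MiB is enough to judge randomness
            report[rel] = "suspected_encrypted" if shannon_entropy(sample) > ENTROPY_THRESHOLD else "modified"
    return report

def demo():
    """Constructed sample: back up three files, then simulate what an attack leaves behind."""
    root = pathlib.Path(tempfile.mkdtemp())
    files = {"notes.txt": b"quarterly report draft\n" * 50, "db.csv": b"id,name\n1,alice\n", "readme.md": b"# hi\n"}
    for name, body in files.items():
        (root / name).write_bytes(body)
    manifest = build_manifest(root)
    (root / "db.csv").write_bytes(bytes(range(256)) * 16)  # stands in for ciphertext: every byte value equally likely
    (root / "notes.txt").unlink()  # a variant that deletes files instead of encrypting them
    (root / "readme.md").write_bytes(b"# hi, edited\n")  # an ordinary edit, not an attack
    return verify_against_manifest(root, manifest)
```

Already-compressed data (archives, images) also has high entropy, so a hash mismatch on such files needs a second look rather than automatic classification as encrypted.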

To sum up

Ransomware poses a serious threat to any organization storing significant amounts of data. Despite that, there are simple methods to avoid having your files encrypted against your will, even if ransomware methods become more developed over time. Adhering to basic security measures should ensure your data remains safe from a ransomware attack.

Storware Backup and Recovery provides critical support to administrators in their battle against ransomware attacks. With its comprehensive backup capabilities, Storware ensures that organizations have reliable and up-to-date copies of their data stored separately from production systems. This separation creates a robust barrier against ransomware threats, as attackers cannot easily manipulate or encrypt backup data. In the unfortunate event of a ransomware attack, administrators can confidently initiate a swift recovery process using Storware’s efficient and granular recovery options. By restoring clean, uncorrupted data from backups, organizations can quickly resume operations, minimizing downtime and potential financial losses.

If you are interested in testing Storware in your company – get the free Trial or contact us if you need a one-on-one demo.

text written by:

Paweł Piskorz, Presales Engineer at Storware