The Ransomware Playbook for 2022 and Beyond

How ransomware has evolved

Ransomware represents the industrialization of hacking tools. Early efforts date back to the late ’80s when an enterprising hacker physically mailed a rudimentary encryption trojan on floppy disks to around 20,000 attendees of a major AIDS medical conference. This trojan purported to be a survey about the conference, and the hacker demanded a $189 payment to recover their data.

With the arrival of business networks connected to the internet, ransomware became a more viable proposition. By 2004, early phishing emails and malicious website links were used to spread GPCode and other ransomware in a burgeoning criminal effort. GPCode ransomware encrypted users’ files and demanded a ransom fee between $20 and $200. 

Over the years, the encryptions for ransomware have become more robust, making it harder to circumvent and the fees have rocketed as enterprises became the primary target. And, as business IT defenses became more robust, many hackers have used brute force methods, sending out millions of attack emails and chat messages or using other methods. Other hackers have become more selective, using fakery and manual methods to convince workers that an urgent email, Excel or Word document or other file comes from a colleague or partner business/client.

How do ransomware attacks occur?

Ransomware attacks typically occur when a worker opens an infected file that arrived as a convincing email attachment, or they opened a link to a criminal’s website. When triggered, the ransomware inspects the local network, identifies useful business-critical or operational data to encrypt and informs its command and control server that it has identified a useful target.

When the dreaded “you’ve been hacked, please pay xx Bitcoin to restore your data!” message appears on screens, with a convenient link to a payment method (often with instructions on how to buy Bitcoin), the business faces several immediate and dangerous impacts.

Initially, in the drive to restore operations, there’s the need to understand how current any data backups are. Were they affected by the ransomware too? And what will the impact be to wipe and restore systems, eradicate the ransomware and recover all the business data?

If the recovery cost and delay seem exorbitant, the business might pay the ransom, with no guarantee of getting all their data back.

Longer-term impacts are the financial and reputational damage the event will cause, with the risk of fines if sensitive or customer data is leaked. The IT security team will also need to understand how the breach occurred to prevent future attacks, as ransomware criminals are more than happy to repeat their attacks on victims they know will pay.

What is the current state of ransomware?

Ransomware is now a major criminal enterprise, effectively its own industry with hacker teams functioning like modern startup businesses. They use well-defined operational roles and strategies to maximize their return on investment, research high-value targets and leverage the latest types of ransomware or develop new tools. All of this makes for some depressing statistics as the volume and value of attacks increase.

In 2021:

• Ransomware attacks almost doubled compared to 2020, up 92.7% according to the 2021 Annual Threat Monitor report
• Ransomware incidents made up 65% of all attacks since the COVID pandemic triggered a spike in hacking efforts
• Phishing is the most common method of ransomware delivery, followed by a range of IT vulnerabilities, with social engineering efforts, likely for high-value targets making up the rest
• North America is the primary target, the focus of some 53% of attacks, with Europe facing 30%
• 16% of businesses responding to Fortinet’s 2021 Ransomware Survey Report had been attacked three or more times
• Some 11% of victims paid ransoms of over $1 million in 2021 according to Sophos, with the average payment now over $800,000
• The majority of hackers are based in Russia, (claiming 74% of revenue according to the BBC) while nations like North Korea and Iran use ransomware as a valuable source of crypto and western currency

60% of IT leaders say they’re prepared to spend between $100,000 and $1,000,000 on IT security in the coming 12 months. To protect against ransomware, secure web gateways (52%), virtual private networks (49%) and network access control (47%) are the leading areas of IT investment, with newcomers such as zero-trust access gaining rapidly.

The different types of ransomware

With such a broad threat landscape, there are many different types of ransomware as hackers try to vary their attacks or create stronger products. These include:

Crypto ransomware

The most common type will encrypt your data across business networks and demand a release fee for its return, causing huge disruption.

Locker ransomware

This takes a different approach and locks the computer, making access impossible until the ransom is paid or the system is reformatted. Ransoms tend to be smaller, encouraging individuals to pay up rather than face embarrassing revelations.

Scareware

Scareware appears as websites, pop-ups or emails offering software that will “cure” your computer of a virus, hoping to lure unwitting or untrained users. However, the file contains the ransomware payload and will demand a fee to restore the system.

Double extortion ransomware

Here, the hackers make a remote copy of your data and threaten to release it to customers, rivals or on black market databases to encourage the victim to pay up. It also increases the risk of future extortion attempts.

Ransomware as a Service (RaaS)

Ransomware is a growth industry with creators happy to sell their products to other criminals rather than become involved in deeper criminal activity themselves, while still collecting a percentage of any ransoms. RaaS provides novice hackers or smaller groups with access to devastating tools, increasing the risk to all businesses.

Ransomware examples

While ransomware attacks are devastating, the news coverage they generate at least helps raise awareness among businesses and computer users. Here are some prime examples of ransomware and the stories they generated.

• 2022, Conti: Conti is a Russian organization that specializes in global disruption, notably bringing Costa Rica’s import/export finance system to a halt and causing a national emergency. It followed that up with an attack on Costa Rica’s healthcare system, and who knows where they could strike next.
• 2021, Darkside (Colonial Pipeline): Russia and China take a great interest in American infrastructure, creating a constant IT battle between security and hackers. The Colonial Pipeline hack using Darkside ransomware was one of the most devastating examples of an IT failure. The only positive was the recovery of around half of a $4.4 million ransom and a fresh US government effort to drive up security standards.
• 2020, REvil: Targeting schools, stores, businesses and institutions around the world, REvil demanded $70 million for a release fee that would unlock the collective data of potentially thousands of corporate victims, infected by a compromised supply chain application. The gang is estimated to have made over $100 million, attacking brands like laptop vendor Acer among others.
• 2019, RobbinHood: The infrastructure for the city of Baltimore, Maryland was the victim of this attack, with the perpetrators live-tweeting their discussion with the Mayor’s office to restore its data, something that ended up costing $18 million when they refused to pay the modest $70K ransom.
• 2018, SamSam: Know your market is a business maxim, and the SamSam team focused on the US health sector, netting at least $6 million. It triggered during the night when most admins were out-of-office and charged a ransom in the tens of thousands of dollar range to encourage prompt payment.
• 2017, WannaCry: This ransomware swept the world in 2017 and cost UK firms some £96 million, affecting hospitals, for whom cyber-security is rarely at the top of many pressing issues, despite their growing reliance on data and digital medical records.
• 2017, NotPetya: Similar to WannaCry, this ransomware caused record infections with UK pharma company Reckitt Benckiser losing some £107 million due to production disruption and lost sales, plus recovery costs.
• 2016, HDDCryptor: A nasty ransomware that would encrypt whole hard drives, this hit various businesses, notably San Francisco’s transit authority, forcing them to give free rides while systems remained down.

How to recognize ransomware attacks

Ransomware can arrive within your organization through a wide range of sources and can appear in front of any user, tempting them to trigger the payload. A strong approach is needed to block and defeat ransomware including a multi-layered IT defense of next-generation firewalls, intrusion tools, zero trust and specific ransomware detection techniques.

This and regular user training (plus a frequently updated disaster recovery plan) are key to defeating the ransomware threat. Technologies to focus on to limit the impact of ransomware include:

Signature-based detection

As threats are identified, a known signature is generated to allow IT security tools to identify the same or similar attacks, reducing the effectiveness of established ransomware tools.

Behavior-based approaches

These scan unknown software processes and identify their behavior as benign, suspicious and worth investigating or dangerous, which halts the process immediately to prevent malicious activity.

Deception

Deception practices create diversions or honeypots to attract ransomware and malware that breaches other defenses, leaving the real network secure. The ransomware can be monitored to see what it attempts to do, allowing IT to gain knowledge through malware analysis. These services help to secure the business, and provide security vendors with data to meet new threats.

How to prevent ransomware attacks from harming your organization

As business networks broaden and more applications are used, companies face a growing threat landscape from which ransomware can emerge. Enterprises will already have dedicated security teams focused on applications, patching and backups, but every business, no matter how small, needs dedicated staff focused on protecting IT and users. In order to prevent ransomware attacks and improve business awareness, follow these best practices:

• Keep investing in IT: Old security tools are not up to the job of defending against ransomware
• Educate and train employees: Teach staff about threats from day one, how to identify them, when to be suspicious and use as-live training with convincing phishing emails and pop-ups to keep them alert
• Don’t let backups drift: It can be the most boring task in IT, but automating backups and performing regular validity checks are a key part of your security, as is checking they remain distinct from your networks so they can’t be disrupted by the hackers
• Hone and practice your disaster plan: Consider the worst has happened and try to rebuild your organization as a practical exercise

How to respond and recover from ransomware attacks

Everyone in the business needs to know what to do in the event of a ransomware attack. That means understanding the following steps and procedures, when seconds count.

1. Pull the networks. Pull physical cables or turn off WiFi around the initially infected device.
2. Identify the ransomware, see if there are cheap and quick ways to bypass or mitigate it.
3. Launch your ransomware incident response plan.
4. Remove the ransomware and use security tools to check it hasn’t spread across the network.
5. If it has spread, start checking backups on isolated systems and start the plan to relaunch business critical services.
6. Use anti-malware tools to remove infections and recover the network.
7. Learn the lessons of what went wrong and put tech and training in place to avoid a repeat. Improving endpoint security should be the first step.

Why you should hire hackers

Not all hackers are bad; many in the security industry hack to identify weaknesses so that they can be fixed by the vendor, often with the reward of bug bounties. Sometimes, they engage in battle with the malicious hackers, exposing their secrets and fixing the mess they’ve created with brand new malware, or explaining how to reduce their impact.

White hat hackers, penetration testers and other roles are specialists who can protect your business by identifying weaknesses before the hackers find them. They use automated tools or personal knowledge to highlight weak spots by scanning clouds, networks, websites and other vulnerabilities.

Being flexible when it comes to IT security is just as important as being well-read on the topic. Learning what the good hackers are up to, keeping up with breaking ransomware developments and ensuring your business is using the right tools is all part of a security team’s responsibilities.

Final thoughts

Just one click by a distracted or untrained employee can trigger a ransomware event that has massive consequences for a business, even bankruptcy. Travelex is just one example of a firm that was put into administration after REvil struck it in 2021, despite the company paying $2 million in ransom.

Learn more: How a Ransomware Attack Shut Down a 157-Year-Old College

This highlights that there is no good outcome from a ransomware attack – only varying levels of damage that executives, security leaders and teams should spend sleepless nights working out how to prevent and mitigate. The good news is that the technology is improving to protect businesses and workers are becoming more aware of the risks, but one click is all it takes to bring large or small companies crashing down.

Further reading:

• The State of Enterprise Security in 2022 [Infographic]
• The 2021 Ransomware Survey Report
• How to Prevent Ransomware from Becoming a Cyber Disaster