Ransomware 101

Imagine getting settled at your desk for work one morning. You log into your laptop, but instead of seeing the files, apps and systems you expect, you see something that looks like this:

[Image: an example of a ransomware attack popping up on a computer screen.]

Maybe you haven’t had your coffee yet, so it takes a couple seconds to click. What’s going on here? And then it dawns on you. You’re a victim of a cyberattack.

You’re certainly not alone: Cybersecurity Ventures, a leading cybercrime researcher, predicts cybercrime will cost the world $10.5 trillion annually by 2025. That’s more than the GDP of every country in the world except the U.S. and China, extorted and filtered through the dark web.

But commonality is cold comfort when the fate of your entire organization is at stake. You panic.

What exactly is going on? Who did this? Why is this happening to us? How did this happen to us? What do we do now?

Now take a step back from this imaginary scenario.

By putting safeguards in place today, you’re less likely to ever end up in that terrifying, helpless position. The first key to preventing a ransomware attack is understanding the answers to those four questions above. The second is putting that understanding into action before it’s too late. When you understand the motivation behind a behavior, you can do a better job of fending it off. So, let’s start by skimming the who, what, why and how of ransomware.

What is ransomware?

Ransomware is a form of malware that sneaks into your network, accesses your systems and files, then propagates. As it spreads across your company’s network, it attempts to encrypt every file, piece of data and app it touches. Via asymmetric encryption, ransomware renders the critical, sensitive data across your network completely inaccessible. That’s your classified documents, financial reports, personally identifying information on your customers and employees and the data you need to perform day-to-day operations.

All of it, completely scrambled, and you have no decoder ring. Your only chance at recovering your information lies in the hands of an unknown malicious entity. And if you want it back, you have to pay. A lot.

Who is behind a ransomware attack?

Cybercriminals program, orchestrate, initiate and execute ransomware attacks. At an individual level, the criminal nature of their actions means their identities stay under wraps. But we do know that in 2021, a well-executed ransomware attack won’t be coming from an individual sitting in a basement somewhere. Instead, it will likely come from a sophisticated firm of talented, knowledgeable IT security experts, developers and engineers. And those firms see no reason to keep their missions a secret.

One high-profile group of cybercriminals, for example, is known as DarkSide. DarkSide announced the development of its Ransomware as a Service (RaaS) in 2020 and led the highly publicized attack against Colonial Pipeline (to name just one) earlier this year.

DarkSide says it doesn’t tend to attack schools, hospitals, non-profits or government entities … but not for noble reasons. It’s because those organizations are usually less able to pay the sums they’re after. Instead, they target large corporations. They do due diligence on the financial health of an organization before going in for the attack, so the better your company is doing, the more at risk it is.

Once DarkSide is holding an organization’s data hostage, the people behind the attack become surprisingly helpful and cooperative. Their ransomware even comes with web chat support. After all, they want to make it as easy as possible for you to pay the ransom they’re asking.

How does ransomware take your data hostage?

Ransomware can infect an organization through a variety of entry points. Commonly, it’s delivered as an email with a malicious attachment or hyperlink using some form of social engineering tactic to personalize and sensationalize whatever the content is. You’ve probably heard this referred to as phishing. The hope is that some individual employee will go against their better judgment and click that link, not realizing the repercussions — that they have just unleashed malware that is prepped to spread across entire unsecured networks and devices.

Ideally, nobody would ever click these links or perform whatever other action that allows ransomware into the network. That’s where corporate training protocols come in. But humans are fallible, and mistakes are made. That’s why it’s crucial to have multiple additional layers of defense against a security breach in place: To stop ransomware before it can get to your sensitive data. (Spoiler alert: Come back for the second and third posts in this series for advice on your best methods of defense.)

Worst case scenario, your organization doesn’t have these layers of protection in place. The ransomware begins to run amok. It will begin its propagation silently and sneakily, just seeing what it can find on the network. Think of this as the malware “casing the joint.” If it reveals its hand too soon, your security team might be able to identify it and abort its mission.

While it stays undiscovered, the ransomware will attempt to identify all network storage locations. These attackers and hackers know most modern enterprises have network storage backups and could potentially just restore their files from there instead of having to pay the ransom. So they program their malware to actively target and encrypt the backups, preventing the company from being able to restore data themselves.

From there, more and more endpoints become encrypted. File systems get corrupted, data becomes lost. Once the attacker is sure of its foothold in the network, it reveals itself. This generally takes the form of a screen displaying a bitcoin wallet address. You might see a chatbot or other form of contact information. Again, once the attackers have you where they want you, it’s in their best interest to make it easy for you to pay for the return of your files.
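
A defender's view of the behavior described above, as an added example that is not from the original article: a burst detector over file-audit events that flags a host rewriting many files in a short window and notes whether backup storage was touched. The log format, host names, paths, thresholds and `BACKUP_PREFIXES` are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed backup locations for this sketch; replace with your own inventory.
BACKUP_PREFIXES = ("//nas01/backups/", "/mnt/backup/")

# Constructed sample audit log: "epoch_seconds host operation path"
SAMPLE = """\
1000 ws-114 READ /home/ana/report.docx
1001 ws-114 WRITE /home/ana/report.docx
1300 ws-114 WRITE /home/ana/notes.txt
2000 ws-207 WRITE /srv/share/finance/q1.xlsx
2003 ws-207 RENAME /srv/share/finance/q2.xlsx
2005 ws-207 WRITE /srv/share/hr/payroll.csv
2009 ws-207 WRITE /srv/share/hr/staff.csv
2014 ws-207 WRITE /mnt/backup/weekly/full.tar
2020 ws-207 WRITE /mnt/backup/daily/incr.tar
""".splitlines()

def parse(line):
    """Split one constructed log line into (timestamp, host, op, path)."""
    ts, host, op, path = line.split(maxsplit=3)
    return int(ts), host, op, path

def find_bursts(lines, window=60, threshold=5):
    """Return {host: {"files": n, "backup_touched": bool}} for hosts that
    modify at least `threshold` distinct files within `window` seconds."""
    recent = defaultdict(deque)   # host -> (ts, path) events inside the window
    findings = {}
    for ts, host, op, path in sorted(map(parse, lines)):
        if op not in ("WRITE", "RENAME"):
            continue              # reads alone are not counted
        q = recent[host]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop events older than the window
        files = {p for _, p in q}
        if len(files) >= threshold:
            hit = findings.setdefault(host, {"files": 0, "backup_touched": False})
            hit["files"] = max(hit["files"], len(files))
            # A burst that reaches backup storage is the higher-priority alert.
            hit["backup_touched"] |= any(
                p.lower().startswith(BACKUP_PREFIXES) for p in files)
    return findings

if __name__ == "__main__":
    for host, hit in find_bursts(SAMPLE).items():
        print(host, hit)
```
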

Why would an organization be a ransomware target?  

There are four primary reasons organizations become targets for ransomware:

  1. Access to sensitive data. In some cases, an organization may be in possession of data that is valuable on its own.
  2. Espionage. The intent here is not access to the organization’s own data, but that of its clients and customers. If you have a trusted relationship with a “more valuable” organization, an attacker may exploit that trust by using your network as a proxy into your customer’s.
  3. Vulnerability. Remember the due diligence mentioned earlier? In some cases, a ransomware attack is simply a crime of opportunity. The attackers sense weakness in your defenses and know they can exploit it. Let’s say, for example, your organization is selling off a division or acquiring a new company. This is a prime opportunity for technical limitations and gaps. This is the most preventable reason for attack, and what we’ll focus on later in this series.
  4. Money. Ransomware is a means of extortion. A way for an attacker to make money off your organization by demanding payment (that’s the ‘ransom’ in ‘ransomware’) in exchange for the safe return of your information. Maybe the extortion is successful and the attackers receive their cryptocurrency payment, or maybe it isn’t and they sell off the valuable data they now possess. Maybe the attacker or one of their cybercrime peers attacks again a few months later, knowing the organization hasn’t had time to fully implement a solution to stop them.

What should you do if you’re a victim of ransomware?  

Want your files back? If you’re lucky, you had just recently performed an extensive backup of your data and have it stored somewhere entirely disconnected from your network. In this case, you may be able to restore some of what’s lost, but the process won’t be quick, easy or comforting. You’re still facing a significant business disruption. Otherwise, if you don’t have a backup, paying the requested ransom is usually the best way to recover your information, but the recovery is not immediate: the decryption process can take weeks or months, depending on the volume of your data and type of encryption that the attacker used — further disrupting business processes while you wait.

The financial blow of paying ransom on your own data is tough to swallow in the first place, but you also have to consider the implications: By paying the attackers, you’ve just provided funds for the criminals’ next attack.

Fortunately, there are ways of preventing ransomware from taking hold of your network. It starts with your people and continues with agile, unparalleled protection of your information — protection that’s nearly impossible to implement and maintain on your own.

Stay tuned for part two of this series, where we’ll talk about how to gauge how vulnerable your network is and the first steps you can take toward strengthening your cybersecurity.

Dylan Border is Hyland’s corporate Cyber Security Director. He is responsible for leading the Cyber Security team and facilitating the secure operations of Hyland’s enterprise networks and systems. Dylan has been in the IT field for over 15 years, with experience in the higher education and healthcare industries before coming to Hyland. He’s passionate about all things security and enjoys the ever-changing aspects of solving today’s toughest cyber security challenges. In his free time, Dylan’s favorite activities include vintage car restoration, kayaking and long-distance motorcycling.