Ransomware

What is ransomware?

Ransomware is malicious software designed to block access to a computer system or files until a sum of money is paid. It encrypts the victim’s files, making them inaccessible, and threat actors can then demand a ransom for the decryption keys.

How does ransomware work?

Ransomware typically infiltrates a system through phishing and social engineering, infostealer malware, or unpatched vulnerabilities. Once inside, it encrypts the user’s files and displays a ransom note demanding payment for the decryption key. The encryption is often strong, making it nearly impossible to regain access to the files without the unique key.

What are the different types of ransomware?

Some common types of ransomware include:

  • Crypto Ransomware: Encrypts valuable files and demands a ransom for the decryption key.
  • Locker Ransomware: Locks the victim out of their device, demanding a ransom to unlock it.
  • Doxware: Threatens to release sensitive information unless a ransom is paid.
  • Scareware: Fakes a threat and tricks the user into paying to remove it.
  • Ransomware-as-a-Service (RaaS): A malicious software model in which a bad actor manages the entire spectrum of the attack, including ransomware distribution, payment collection, and access restoration, in exchange for a share of the illicit gains.

What is the difference between ransomware and malware?

While all ransomware is malware, not all malware is ransomware. Malware is a broad term for any malicious software designed to harm or exploit computers and networks. According to SpyCloud research, infostealer malware infections, in particular, can be an early warning sign of an impending ransomware attack. Bad actors use infostealer malware to exfiltrate authentication data, including stolen session cookies, that they can then use to carry out a full-blown ransomware attack.

Ransomware itself is also malware, categorized by its ability to encrypt or lock files or systems so that bad actors can then demand a ransom for restoration.

What are the latest ransomware trends?

SpyCloud conducts extensive research on ransomware trends each year and has several recent findings:

According to the annual Malware and Ransomware Defense Report, ransomware remains the top cybersecurity threat, with 75% of organizations reporting multiple incidents in the past year, a significant increase from 61% the previous year.

The same report notes that infostealer malware continues to fuel ransomware attacks: 61% of breaches were malware-related, leading to the theft of over 343 million credentials and increasing the risk of follow-on attacks.

Furthermore, session hijacking via stolen cookies has emerged as a leading ransomware entry point, with more than half (57.5%) of security teams routinely terminating open sessions on infected devices to combat this threat.

The upside? Organizations are prioritizing proactive defense strategies, with improving visibility and remediation for compromised credentials and malware-exfiltrated data ranking as the second-highest security priority for the next 12–18 months, just behind ransomware prevention capabilities.

What are the signs and symptoms of a ransomware attack?

Ransomware attacks and data extortion share some of the same symptoms as other malware infections, such as slower system performance, installation of unauthorized software, and virus protection alerts.

Other signs to look out for are:

  • A spike in phishing attempts, which could indicate that threat actors are attempting to plant malware or have already succeeded in doing so.
  • Creation of new accounts with privileged access, serving as a backdoor for the attackers.
  • Unsuccessful attempts to gain entry to shared network resources or applications integral to the system’s infrastructure.
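As an added illustration (not code from the original page or from SpyCloud) of how the last two signs above can be checked in logs, the following Python flags accounts that were created and then added to a privileged group within a short window, and accounts producing a burst of failed access attempts. The event records are constructed, simplified stand-ins for Windows Security log events 4720 (account created), 4732 (member added to a local group) and 4625 (failed logon); the field names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry): simplified stand-ins for
# Windows Security events 4720, 4732 and 4625. Field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 4720, "ts": 100, "subject": "jdoe", "target": "svc_backup2"},
    {"id": 4732, "ts": 130, "subject": "jdoe", "target": "svc_backup2",
     "group": "Administrators"},
] + [
    # six failed access attempts by the new account within one minute
    {"id": 4625, "ts": 200 + 10 * i, "subject": "svc_backup2", "target": "finance"}
    for i in range(6)
] + [
    # two isolated failures from a normal user, far apart in time
    {"id": 4625, "ts": 900, "subject": "alice", "target": "hr"},
    {"id": 4625, "ts": 5000, "subject": "alice", "target": "hr"},
]

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def new_privileged_accounts(events, window=3600):
    """Accounts created and then added to a privileged group within `window` seconds."""
    created = {e["target"]: e["ts"] for e in events if e["id"] == 4720}
    findings = []
    for e in events:
        if e["id"] != 4732 or e.get("group") not in PRIVILEGED_GROUPS:
            continue
        t0 = created.get(e["target"])
        if t0 is not None and 0 <= e["ts"] - t0 <= window:
            findings.append((e["target"], e["group"], e["subject"]))
    return findings


def failed_access_bursts(events, threshold=5, window=300):
    """Accounts with at least `threshold` failed attempts inside any `window`-second span."""
    times_by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            times_by_account[e["subject"]].append(e["ts"])
    flagged = []
    for account, times in times_by_account.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(account)
                break
    return flagged
```

Both checks are deliberately simple; in practice the window and threshold would be tuned to the environment's normal account-provisioning and logon-failure rates.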

What should I do if I am infected with malware, leading to a ransomware attack?

  1. Isolate the infected device: Immediately disconnect the infected device from the internet to prevent the ransomware from spreading to other devices.
  2. Identify and try to remove the ransomware: Removing the ransomware is not always possible depending on its type.
  3. Restore data: Use data backups to minimize business downtime.
  4. Enhance incident response playbooks: Identifying and wiping the device is not enough when the data has already been exfiltrated and is circulating on the dark web. Adding post-infection remediation steps to your existing IR workflows can help close off the opportunity for ransomware attacks that originate from malware-infected machines.
  5. Report the incident: Report the incident to the appropriate law enforcement agencies.

The FBI recommends that ransomware victims not pay ransoms, as paying doesn’t guarantee the victim organization will get its data back.

How does SpyCloud help prevent a ransomware attack?

For security teams that want to outmaneuver ransomware attackers, SpyCloud’s Enterprise Protection solution offers automated detection of malware infections across devices (including unmanaged, undermanaged, and third-party devices) and fuels remediation workflows powered by fresh, actionable data.
