Ransomware

What is ransomware?

Ransomware is malicious software designed to block access to a computer system or files until a sum of money is paid. It encrypts the victim’s files, making them inaccessible, and threat actors can then demand a ransom for the decryption keys.

How does ransomware work?

Ransomware typically infiltrates a system through phishing and social engineering, infostealer malware, or unpatched vulnerabilities. Once inside, it encrypts the user’s files and displays a ransom note demanding payment for the decryption key. The encryption is often strong, making it nearly impossible to regain access to the files without the unique key.

What are the different types of ransomware?

Some common types of ransomware include:

  • Crypto Ransomware: Encrypts valuable files and demands a ransom for the decryption key.
  • Locker Ransomware: Locks the victim out of their device, demanding a ransom to unlock it.
  • Doxware: Threatens to release sensitive information unless a ransom is paid.
  • Scareware: Fakes a threat and tricks the user into paying to remove it.
  • Ransomware-as-a-Service (RaaS): A malicious software model in which a bad actor manages the entire spectrum of the attack, including ransomware distribution, payment collection, and access restoration, in exchange for a share of the illicit gains.

What is the difference between ransomware and malware?

While all ransomware is malware, not all malware is ransomware. Malware is a broad term for any malicious software designed to harm or exploit computers and networks. According to SpyCloud research, infostealer malware infections, in particular, can be an early warning sign of an impending ransomware attack. Bad actors use infostealer malware to exfiltrate authentication data, including stolen session cookies, that they can then use to carry out a full-blown ransomware attack.

Ransomware itself is also malware, categorized by its ability to encrypt or lock files or systems so that bad actors can then demand a ransom for restoration.

What are the latest ransomware trends?

SpyCloud conducts extensive research on ransomware trends each year and has several recent findings:

According to the annual Identity Threat Report, ransomware remains one of the top cybersecurity threats, with 85% of organizations reporting at least one incident in the past year — and an overwhelming 31% reporting 6-10 incidents.

From the same report, it’s important to note that data captured in phishing attacks is fueling the ransomware problem. Phishing was cited as the entry point for 35% of ransomware attacks.

Furthermore, exposed APIs and session hijacking via stolen cookies have also emerged as primary ransomware entry points.

The upside? Organizations are prioritizing proactive defense strategies, ranking improved ransomware prevention and response as their second-highest security priority for the next 12–18 months.

What are the signs and symptoms of a ransomware attack?

Ransomware attacks and data extortion share some of the same symptoms as other malware infections, such as slower system performance, installation of unauthorized software, and virus protection alerts.

Other signs to look out for are:

  • A spike in phishing attempts, which could indicate that threat actors are trying to plant malware or have already succeeded in doing so.
  • Creation of new accounts with privileged access, which can serve as a backdoor for the attackers.
  • Unsuccessful attempts to gain entry to shared network resources or applications integral to the system’s infrastructure.
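As an added illustration (not part of the original article and not SpyCloud code), the script below checks constructed, simplified audit-log lines for two of the signs listed above: a newly created account being added to a privileged group, and a burst of denied access to shared resources from one user and source. The log format, field names, privileged-group list and the threshold of four denials are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample log lines in a simplified key=value format; the layout
# is an assumption for this example, not output from any real product.
SAMPLE_LOGS = """\
2024-05-01T08:01:10 host=fs01 event=share_access user=jdoe src=10.0.0.5 share=finance result=DENIED
2024-05-01T08:01:11 host=fs01 event=share_access user=jdoe src=10.0.0.5 share=hr result=DENIED
2024-05-01T08:01:12 host=fs01 event=share_access user=jdoe src=10.0.0.5 share=backups result=DENIED
2024-05-01T08:01:13 host=fs01 event=share_access user=jdoe src=10.0.0.5 share=it result=DENIED
2024-05-01T08:01:14 host=fs01 event=share_access user=jdoe src=10.0.0.5 share=legal result=DENIED
2024-05-01T08:02:00 host=fs01 event=share_access user=asmith src=10.0.0.9 share=finance result=OK
2024-05-01T08:05:30 host=dc01 event=account_created user=svc_backup2 actor=jdoe
2024-05-01T08:05:31 host=dc01 event=group_add user=svc_backup2 group="Domain Admins" actor=jdoe
2024-05-01T09:00:00 host=dc01 event=account_created user=intern7 actor=hr_admin
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}  # assumed
DENIED_THRESHOLD = 4  # assumed: this many denials from one user/source is a burst


def parse(line):
    """Split one log line into a dict of fields plus its timestamp."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def detect(log_text):
    """Return (indicator, detail) tuples for the two signs this example covers."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    findings = []
    # Sign 1: an account created in this log window that is then made privileged
    created = {e["user"] for e in events if e.get("event") == "account_created"}
    for e in events:
        if (e.get("event") == "group_add" and e.get("group") in PRIVILEGED_GROUPS
                and e.get("user") in created):
            findings.append(("new_privileged_account",
                             f"{e['user']} added to {e['group']} by {e.get('actor')}"))
    # Sign 2: repeated denied access to shared resources from one user and source
    denied = Counter((e.get("user"), e.get("src")) for e in events
                     if e.get("event") == "share_access" and e.get("result") == "DENIED")
    for (user, src), n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append(("share_access_burst", f"{user}@{src} denied {n} times"))
    return findings


if __name__ == "__main__":
    for indicator, detail in detect(SAMPLE_LOGS):
        print(indicator, detail)
```

In practice the same two checks would be pointed at Windows security events or file-server audit logs, with the threshold tuned to the environment's normal failure rate.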

What should I do if I am infected with malware, leading to a ransomware attack?

  1. Isolate the infected device: Immediately disconnect the infected device from the internet to prevent the ransomware from spreading to other devices.
  2. Identify and try to remove the ransomware: Removing the ransomware is not always possible depending on its type.
  3. Restore data: Use data backups to minimize business downtime.
  4. Enhance incident response playbooks: Identifying and wiping the device is not enough when the data has already been exfiltrated and is circulating on the dark web. Adding post-infection remediation steps to your existing IR workflows can help close the window for a ransomware attack launched from malware-infected machines.
  5. Report the incident: Report the incident to the appropriate law enforcement agencies.


The FBI recommends that ransomware victims not pay ransoms, since paying doesn’t guarantee the victim organization will get its data back.

How does SpyCloud help prevent a ransomware attack?

For security teams that want to outmaneuver ransomware attackers, SpyCloud’s Enterprise Protection solution offers automated detection of malware infections across devices (including unmanaged, undermanaged, and third-party devices) and fuels remediation workflows powered by fresh, actionable data.
