What is ransomware?
Ransomware is malicious software designed to block access to a computer system or files until a sum of money is paid. It encrypts the victim’s files, making them inaccessible, and threat actors can then demand a ransom for the decryption keys.
How does ransomware work?
Ransomware typically infiltrates a system through phishing and social engineering, infostealer malware, or unpatched vulnerabilities. Once inside, it encrypts the user’s files and displays a ransom note demanding payment for the decryption key. The encryption is often strong, making it nearly impossible to regain access to the files without the unique key.
What are the different types of ransomware?
Some common types of ransomware include:
- Crypto Ransomware: Encrypts valuable files and demands a ransom for the decryption key.
- Locker Ransomware: Locks the victim out of their device, demanding a ransom to unlock it.
- Doxware: Threatens to release sensitive information unless a ransom is paid.
- Scareware: Fakes a threat and tricks the user into paying to remove it.
- Ransomware-as-a-Service (RaaS): A malicious software model in which a bad actor manages the entire spectrum of the attack infrastructure, including ransomware distribution, payment collection, and access restoration, and hands it to affiliates who run the attacks, in exchange for a share of the illicit gains.
What is the difference between ransomware and malware?
While all ransomware is malware, not all malware is ransomware. Malware is a broad term for any malicious software designed to harm or exploit computers and networks. According to SpyCloud research, infostealer malware infections, in particular, can be an early warning sign of an impending ransomware attack. Bad actors use infostealer malware to exfiltrate authentication data, including stolen session cookies, that they can then use to carry out a full-blown ransomware attack.
Ransomware itself is also malware, categorized by its ability to encrypt or lock files or systems so that bad actors can then demand a ransom for restoration.
What are the latest ransomware trends?
SpyCloud conducts extensive research on ransomware trends each year and has several recent findings:
- A positive trend noted in SpyCloud’s 2023 Ransomware Defense report is that organizations are less likely to pay ransoms than in the past (48% compared to 65% the previous year). However, ransom payments themselves are rising, reaching over $1 million in 39% of reported attacks over the past 12 months.
- The same report found that ransomware continues to be a top threat for the majority of organizations across sectors, with 81% of organizations affected in some way by ransomware at least once in the past 12 months.
- There’s increasing evidence that North American and European victim companies experience infostealer infections prior to a ransomware attack.
- Session hijacking is also emerging as a go-to tactic for cybercriminals to gain access to systems. Last year, SpyCloud researchers recaptured 22 billion stolen cookie records. Ransomware operators can use session hijacking to bypass passwordless authentication methods and infiltrate systems.
What are the signs and symptoms of a ransomware attack?
Ransomware attacks and data extortion share some of the same symptoms as other malware infections, such as slower system performance, installation of unauthorized software, and virus protection alerts.
Other signs to look out for are:
- A spike in phishing attempts, which could indicate that threat actors are looking to plant malware or have already done so.
- Creation of new accounts with privileged access, which can serve as a backdoor for the attackers.
- Unsuccessful attempts to gain entry to shared network resources or applications integral to the system’s infrastructure.
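As an added example that is not part of the original FAQ, the two log-visible signs above (a freshly created account granted privileged access, and repeated failed access to shared resources) turned into simple detection rules run over constructed log lines. The pipe-separated log format, the event names and the privileged group names are assumptions for the demo, not any vendor's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, pipe-separated: timestamp|event|host|user|target.
# Format, event names and group names are assumptions, not a real product schema.
SAMPLE_LOG = r"""
2024-05-01T02:11:03|ACCOUNT_CREATED|admin-ws01|svc_backup2|-
2024-05-01T02:11:40|GROUP_ADD|admin-ws01|svc_backup2|Domain Admins
2024-05-01T02:14:10|SHARE_ACCESS_DENIED|ws-fin07|jdoe|\\fs01\payroll
2024-05-01T02:14:12|SHARE_ACCESS_DENIED|ws-fin07|jdoe|\\fs01\hr
2024-05-01T02:14:15|SHARE_ACCESS_DENIED|ws-fin07|jdoe|\\fs01\legal
2024-05-01T02:14:19|SHARE_ACCESS_DENIED|ws-fin07|jdoe|\\fs01\backups
2024-05-01T09:30:00|ACCOUNT_CREATED|hr-ws02|new.hire|-
2024-05-01T09:30:30|GROUP_ADD|hr-ws02|new.hire|Staff
2024-05-01T10:02:00|SHARE_ACCESS_DENIED|ws-sales03|asmith|\\fs01\hr
"""
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}  # assumed group names

def parse(log_text):
    """Parse pipe-separated lines into dicts, sorted by timestamp."""
    rows = (line.split("|", 4) for line in log_text.splitlines() if line.strip())
    events = [{"ts": datetime.fromisoformat(ts), "event": ev, "host": h,
               "user": u, "target": tg} for ts, ev, h, u, tg in rows]
    return sorted(events, key=lambda e: e["ts"])

def new_privileged_accounts(events, window=timedelta(hours=1)):
    """Sign: a just-created account is added to a privileged group within `window`."""
    created = {e["user"]: e["ts"] for e in events if e["event"] == "ACCOUNT_CREATED"}
    return [(e["user"], e["target"]) for e in events
            if e["event"] == "GROUP_ADD" and e["target"] in PRIVILEGED_GROUPS
            and e["user"] in created
            and timedelta(0) <= e["ts"] - created[e["user"]] <= window]

def access_denied_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """Sign: one host/user denied access to shares `threshold` times inside `window`."""
    denied = defaultdict(list)
    for e in events:
        if e["event"] == "SHARE_ACCESS_DENIED":
            denied[(e["host"], e["user"])].append(e["ts"])
    alerts = []
    for key, times in denied.items():
        # any run of `threshold` consecutive denials that fits in `window` trips the rule
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            alerts.append(key)
    return alerts

def run(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return {"new_privileged": new_privileged_accounts(events),
            "denied_bursts": access_denied_bursts(events)}
```

On the sample, only svc_backup2 (created and made a Domain Admin within a minute) and the jdoe burst against four shares fire; the new.hire account and the single asmith denial stay below the rules.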
What should I do if I am infected with ransomware?
- Isolate the infected device: Immediately disconnect the infected device from the internet to prevent the ransomware from spreading to other devices.
- Identify and try to remove the ransomware: Depending on its type, removing the ransomware is not always possible.
- Restore data: Use data backups to minimize business downtime.
- Report the incident: Report the incident to the appropriate law enforcement agencies. Consider reaching out to cybersecurity firms like SpyCloud for professional assistance.
The FBI recommends that ransomware victims not pay ransoms, as paying doesn’t guarantee the victim organization will get its data back.
How does SpyCloud help prevent a ransomware attack?
With more than 30% of North American and European ransomware victim companies experiencing an infostealer infection prior to a subsequent ransomware attack in 2023, organizations need to prioritize malware remediation as part of their ransomware defense strategy. In our 2023 Ransomware Defense Report, however, only 19% of respondents said they’re prioritizing improved visibility and remediation of exposed credentials and malware-exfiltrated data, which leaves the door wide open for follow-on ransomware attacks.
For security teams that want to outmaneuver ransomware attackers, SpyCloud’s Enterprise Protection solution offers automated detection of malware infections across devices (including unmanaged, undermanaged, and third-party devices) and fuels remediation workflows powered by fresh, actionable data.