Ransomware Overview: What it is and how to mitigate

What is Ransomware?

Ransomware is a type of malware that locks the victim's files by encrypting them. The attacker then demands a ransom, in the form of money, for restoring access to the victim's files. Ransomware attacks on businesses typically target vulnerabilities on endpoints, exploiting organizations that are not fully up to date with their security patches. It is an expanding problem that most organizations, from small to large, face in this day and age. This malware regularly steals the headlines as one of the notable problems in the IT security world.


Ransomware attacks started in 1980, when attackers used floppy disks to deliberately install malicious software on unsuspecting targets. Since then, ransomware attacks have increased in number, with more sophisticated methods of attack and simpler delivery thanks to the growth of the internet. The European Police, the European-backed organization combating major crime and terrorism, has ranked ransomware the second most dangerous online threat to businesses and organizations worldwide, with no signs of slowing down.

Key Players

According to Splunk, multiple key players have risen through the years from 2017 to 2019:

2017 – NotPetya, WannaCry, CrySis, Nemucod, Spora, CryptoMix, BadRabbit, Scarab.

2018 – SamSam, Ryuk, LockCrypt, Petya, GandCrab, Zenis, Blackheart, Satan.

2019 – GandCrab, HiddenTear, Buran, MegaCortex, RobbinHood, LockerGoga, Sodinokibi/REvil/Sodin, PureLocker, MedusaLocker.

How does Ransomware infect a system?

Ransomware creators have grown more sophisticated in the ways they attack a system undetected.

Email has been a popular attack vector because it can exploit social engineering that creates a sense of urgency in the recipient, with attachments disguised as documents or links to download software. Upon download, the malware starts infecting the system, rendering it unusable.

Drive-by download. This form of infection occurs upon visiting a compromised website; typically an older browser, plug-in or unpatched third-party application is targeted by an exploit kit looking for vulnerabilities.

Remote Desktop Protocol (RDP). Exposed RDP sessions are also a common vector for infecting a computer. Sessions that are remotely logged in to Windows allow a user to securely control the device; skilled attackers brute-force the credentials of these exposed computers.

Free software. The so-called free download plays on the human desire to get something for free, tempting users to get it past firewalls. Upon download, it starts infecting the computer.

Usual targets

In 2018, 81% of ransomware attacks were focused on businesses, and the most common infiltration vector was email. In 2019, attackers increased their focus on government agencies, schools, hospitals and other healthcare providers. Ransomware attackers have stepped up their efforts to compromise critical systems, intimidating businesses by demanding large sums of money. Refusing to pay the demand means starting all over again, which leaves organizations with difficult business decisions. Most organizations find it more cost-effective to pay the ransom to get their data back.

Ransomware as a Business (RAAB)

The dark web has been marketing ransomware, with 230,000 new sites and 350,000 new malicious software programs, and this is predicted to keep growing. GandCrab offers Ransomware as a Service (RaaS) through an affiliate model that provides the technology to cybercriminals, splitting the ransom 60/40 between the affiliate and GandCrab, or 70/30 for major affiliates. This business model has allowed even script kiddies to customize the malware, deploy it and infect targets.

Ransomware enablers

Risk management specialists have raised growing concerns about the rapidly growing rate of ransomware attacks on both small- and large-scale businesses. Although authorities have advised organizations not to give in to the demands of attackers, there is a strong belief that cyber insurance plays a huge role in attracting criminals to pursue their intentions. These insurance companies reward organizations for paying the demands, because doing so is less expensive, faster and easier than recovering everything that can be lost to the malware.


A few years ago, payouts were limited because ransom payments could be traced by asking banking institutions to follow the movement of money around the globe. Today, the rise of cryptocurrency as a mode of payment makes tracing difficult and payments virtually untraceable. According to an article by Newsround (5/2/2021), Bitcoin, often described as a cryptocurrency, a virtual currency or a digital currency, is a type of money that is completely virtual. It is like an online version of cash. You can use it to buy products and services, but not many shops accept Bitcoin yet and some countries have banned it altogether. Each bitcoin is a computer file stored in a digital wallet on a device, allowing users to send and receive the currency. Is it secure? Yes, this form of cryptocurrency is secure but untraceable, making it more flexible than traditional forms of payment. According to Splunk, while Bitcoin is the best-known cryptocurrency, industry analysts are taking note of Monero, which is heavily used on dark web marketplaces and is becoming the new payment method of choice for ransomware demands because of its privacy features. The potential for cryptocurrency to enable ever bigger cybercrime is hard to assess, but the number of extortion attempts taking place is now skyrocketing.

Ransomware trend in 2021

2021 is the year of many breakthroughs, and sadly this includes the threats roaming around the web. Advanced Persistent Threats (APTs) are targeted and personalized attacks designed to subvert, bypass and breach all current and ongoing safeguards and cybersecurity protocols. The more cybercriminals invest in APTs, the more advanced the tools they develop (E. Forbes).

Other trends include:

Sodinokibi (aka REvil) continued to top the list of the most common ransomware variants.

Several RaaS operations are focusing on developing encryption modules for Unix and Linux.

Small businesses are still disproportionately affected by ransomware attacks.

Businesses in the professional services industry (more specifically, law firms) have been heavily targeted by ransomware attackers, followed by organizations in the public sector and healthcare.

Ransomware incident duration (average days of downtime) has expanded to 23 days.

RDP compromise is, once again, the most common attack vector, followed by email phishing and exploitation of a software vulnerability (Z. Zorz).

By the numbers

In the first quarter of 2021, ransom payments increased to $220,298, a 43% rise compared to Q1 of 2020. Average payments during the same period ranged between $49,450 and $78,398. According to E. MrKonjic, there are over 6,000 victims of ransomware every day, and a ransomware attack happens every 14 seconds. The cost of ransomware attacks was estimated at $20 billion in 2020. The most ransomware attacks, over 638 million, happened in 2016. Nearly half of all ransoms are paid in Bitcoin. Up to 85% of attacks are directed at Windows users. 25% of executives would pay over $20,000 to get their data back. Government agencies are the most frequent targets of ransomware, with 15.4% of all attacks.

Ransomware defense

The following are the most effective methods for combating ransomware (A. Velimirovic):

Set Up a Firewall

A firewall is the first software-based line of defense against ransomware. Firewalls scan incoming and outgoing traffic for potential risks, allowing the security team to monitor for signs of malicious payloads.

Use Immutable Backups

An immutable backup operates like any data backup, but it does not allow anyone to change or delete information. This type of backup is the ideal protection against data corruption, whether malicious or accidental.

Segment Your Network

Once ransomware enters your system, the malware needs to move laterally through the network to reach target data. Network segmentation prevents intruders from moving freely between systems and devices.

Build Staff Awareness

Employees are the most vulnerable attack surface for a ransomware attack. Organize regular security awareness training that explains the role staff plays in preventing ransomware.

Run Regular Security Tests

Vulnerability assessments enable you to check systems for weaknesses. These tests inspect the IT environment for flaws that could be exploited.

Whitelist Applications

While blacklisting is effective in specific scenarios, whitelisting is a more efficient method of preventing ransomware. Whitelist the apps employees can install on their computers to prevent someone from accidentally installing an infected program. You can also whitelist websites for further security control.

Set up a Sandbox

Sandboxes are isolated environments that can run programs and execute files without affecting the host device or network. While typically a part of software testing, a sandbox can also help cybersecurity teams test potentially malicious software. Using a sandbox for malware detection adds another layer of protection against different cyberattack types, including ransomware.

Enforce Strong Password Security

Remember that ransomware attacks often start by exploiting lax employee behavior. Ensure all employees have strong passwords that they update regularly. Otherwise, attackers can breach your system with a simple brute-force attack. Also, consider using multifactor authentication, which requires users and employees to verify their identities in multiple ways before accessing a system.

Timely Software Patches

Ransomware often exploits security loopholes and bugs within the company’s software, whether for initial infection or lateral movement. Keep software up to date with the latest updates and patches to ensure optimal protection.

Email Security

Email security best practices are crucial to countering phishing and other social engineering traps. Your mail server should filter out incoming emails with attachments that have suspicious extensions, such as .vbs and .scr, and automatically reject addresses of known spammers and malware senders.

Technologies you can use to protect your company emails are Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM).

Consider also deploying a third-party email scanning tool for additional protection; such a tool helps discover and isolate ransomware attempts before the file reaches the employee.

Employ the Principle of Least Privilege

All your users and employees should only have the level of access they require to perform their roles. Restricted access limits the damage of a potential ransomware attack. If an intruder compromises one of your employees, the stolen credentials will not allow the attacker to move between systems.

Set Up Ad Blockers

Ensure all employee devices and browsers have plug-ins and extensions that automatically block pop-up ads. Malicious marketing is a common ransomware source, and blocking ads is a simple way to limit the attack surface.

Block Script Executions

A common tactic ransomware hackers use is to send .zip files containing malicious JavaScript code. Another popular strategy is to pack a .vbs (VBScript) file into a .zip archive. Prevent this by disabling Windows Script Host, which removes the devices' ability to execute such scripts.

Display File Extensions

Ransomware hackers often disguise the malicious payload behind a file name such as Paychecks.xlsx, hoping to trick the user into clicking the attachment. If employees set their devices to display file extensions, they would see that the file's real name is Paychecks.xlsx.exe. Ensuring all employees can see file extensions reduces the chance of accidentally opening a malicious payload that starts an attack.
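As an added illustration of the attachment checks described in the Email Security, Block Script Executions and Display File Extensions sections above (example code written for this page, not from the cited source), the following Python function flags the three patterns those sections name: a blocked extension such as .vbs or .scr, a .zip archive carrying a script, and the Paychecks.xlsx.exe double extension. The sample attachments are constructed inline and contain placeholder bytes, not real files.

```python
import io
import zipfile
# Attachment types the defense sections name: .vbs and .scr as suspicious
# extensions, JavaScript/VBScript inside .zip archives, and the disguised .exe.
BLOCKED_EXTENSIONS = {".vbs", ".scr", ".js", ".jse", ".exe"}
# Document-looking extensions used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt"}

def suffixes(name):
    # All extensions of a file name, lower-cased: 'A.xlsx.EXE' -> ['.xlsx', '.exe']
    return ["." + part for part in name.lower().split(".")[1:]]

def check_attachment(name, data=b""):
    """Return the reasons an attachment should be quarantined; empty list means allow."""
    reasons, exts = [], suffixes(name)
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {exts[-1]}")
        # Paychecks.xlsx.exe: a decoy document extension in front of the executable one.
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            reasons.append("double extension disguise")
    # Look inside .zip attachments for the script files the page describes.
    if exts and exts[-1] == ".zip" and data:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    inner = suffixes(member)
                    if inner and inner[-1] in BLOCKED_EXTENSIONS:
                        reasons.append(f"archive contains script {member}")
        except zipfile.BadZipFile:
            reasons.append("unreadable zip archive")
    return reasons

def build_zip(members):
    # In-memory .zip from {name: text}; constructed sample data for the demo.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member, content in members.items():
            archive.writestr(member, content)
    return buf.getvalue()

# Constructed sample attachments (not real malware); the checks key on the names.
SAMPLE_ATTACHMENTS = {
    "Paychecks.xlsx.exe": b"MZ-placeholder", "invoice.vbs": b"' placeholder",
    "report.pdf": b"%PDF-placeholder", "scan.zip": build_zip({"invoice.js": "// placeholder"}),
}

def triage(attachments):
    # Run the checks over a set of attachments and return per-file verdicts.
    return {name: check_attachment(name, data) for name, data in attachments.items()}
```

Running triage(SAMPLE_ATTACHMENTS) quarantines everything except report.pdf; a mail gateway would apply the same logic before the message reaches the employee.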

Use a CASB

If your team uses cloud services, a cloud access security broker (CASB) is an excellent counter to ransomware. A CASB is on-prem or cloud-based software that acts as an intermediary between cloud users and data. This tool is essential to cloud security and has multiple purposes, including securing data flows between in-house setups and cloud environments, monitoring all cloud activity, enforcing security policies and ensuring compliance.

Credits: Eugene Reamico
