According to a report from Malwarebytes, 2023 saw global ransomware attacks reach an all-time high. While the US saw the highest volume of all attacks worldwide, the UK emerged as the second-most targeted nation with several groups carrying out multiple attacks each month.
Some of the UK’s most well-known institutions suffered major disruption following ransomware attacks, including the BBC, British Airways, the British Library, The Guardian, Royal Mail, outsourcing firm Capita and several regional police forces.
The ransomware threat continues to evolve, and as many as 85% of businesses reported such attacks last year. As well as having the right controls and procedures in place to lower their ransomware risk, it is essential that organisations are able to respond and recover effectively if they are attacked.
In this article we’ll explain what ransomware is and what an attack looks like, who the perpetrators are and their motivations, and provide tips and advice on how you can protect your business from ransomware attacks.
What is ransomware?
Ransomware is a type of malicious software that prevents users from accessing their data or devices, usually by encrypting their files with a key known only to the attackers. The attackers demand a ransom from victims, promising to decrypt the data and restore access if a certain amount of money is paid, typically in cryptocurrency, which is difficult to trace.
Ransomware attacks can cause significant damage and disruption to individuals, businesses and public services, as they may lose access to important or sensitive data, such as personal documents, financial records or health information.
Ransomware can infect devices through various methods, such as phishing emails that trick users into opening malicious attachments, malicious downloads from compromised websites or network vulnerabilities that allow the malware to spread automatically.
Ransomware attacks have become more sophisticated and prevalent in recent years, as attackers have developed new techniques to increase their chances of success and profit.
There are several types of ransomware used by cyber-criminals. The most well-known are crypto ransomware, which encrypts files in situ leaving them unreadable and inaccessible, and locker ransomware, which locks victim devices and prevents access to the operating system of affected machines. Examples of these include Cryptolocker and WannaCry.
Ryuk is a prevalent strain of double extortion ransomware, which both exfiltrates data and encrypts it on the victim’s systems. Even if a victim can restore their systems from backups, the attackers threaten to publish the stolen information unless a ransom is paid.
Leakware, also known as doxware, is a kind of ransomware designed to target and exfiltrate data from the victim’s network but does not encrypt or lock any files. Attackers threaten to publish the stolen information, which is often highly sensitive, unless the victim pays a ransom.
Over the last three years, ransomware attacks have become more sophisticated, and many are run as business-like operations, with tools sold via Ransomware-as-a-Service (RaaS). The cybercrime groups behind some of the UK’s biggest cyber-attacks of last year – Cl0p, LockBit and BlackCat – sell ransomware tooling, often packaged with other malware such as info stealers, to affiliates in exchange for a share of the profits.
Ransomware attacks can be driven by several incentives including financial gain, both from ransom payments and for the sale of stolen data; disruption or harm of individuals, political groups or affiliated companies driven by political or social reasons as a form of hacktivism; and state-sponsored attacks, where ransomware is used in espionage and to sabotage or coerce adversaries.
How ransomware attacks work
A ransomware attack typically involves several stages:
- Delivery and infection: The attackers gain a foothold on the victim’s network or devices, usually via phishing emails with malicious attachments or links, by exploiting vulnerabilities in internet-facing systems such as VPN gateways, remote desktop services or web applications, or by using credentials stolen or bought from info-stealer operators. The malware establishes a connection to its command-and-control server(s) (C2) so the attackers can issue instructions and stage the later phases of the attack.
- Data theft and encryption: The attackers move laterally through the victim’s systems, escalating privileges and harvesting further credentials as they go. In a double-extortion attack, sensitive data is copied and exfiltrated to attacker-controlled storage, typically before any encryption starts so the victim has no warning. The ransomware is then deployed, often to many hosts at once, encrypting files in place.
- Ransom demand: The attackers demand a ransom for the decryption key, usually via a ransom note dropped on affected systems, threatening to destroy the keys or publish the stolen data (in a double-extortion attack) if the organisation does not comply.
- Payment: The victim organisation must then decide whether to pay. Ransoms are almost always demanded in cryptocurrency such as Bitcoin because payments are hard to trace and give the attackers a degree of anonymity, although blockchain transactions are pseudonymous rather than truly untraceable.
- Decryption: Following payment, the attackers may provide a decryption key enabling the organisation to recover its data and regain access to its systems. However, there is no guarantee that the key will work for every file, that stolen data will be deleted, or that the attackers’ other tooling and persistence will have been removed from the victim’s systems, even if the demands are met.
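The encryption stage described above leaves traces a defender can look for before a ransom note appears on every screen. The following is an added example and not code from the original article: a Python script that scans a directory tree for files that look encrypted (ciphertext-level entropy where the file type does not explain it, a known header overwritten, a foreign extension appended to a document) and for dropped ransom notes, then combines the signals into a single alert decision. The thresholds, regular expressions, file names and the sample share it builds in a temporary directory are constructed for illustration, not tuned detection rules.

```python
"""Heuristic detector for the encryption stage of a ransomware attack (added example).

Signals combined per file:
  1. Shannon entropy of the first 4 KiB: ciphertext sits near 8 bits/byte, while text,
     source code and uncompressed documents sit well below that.
  2. Magic-byte mismatch: a file keeps a known extension (.pdf, .png, ...) but its header
     no longer carries that format's signature, which is what in-place encryption leaves.
  3. Ransomware conventions: an extra extension appended to a document (report.docx.locked)
     or a note telling the victim their files are encrypted.
"""
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumption for illustration, tune on your own data
HEADER_BYTES = 4096

# Format signatures for the mismatch check (subset, for illustration)
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
# Formats that are legitimately high entropy (compressed), so entropy alone says nothing
COMPRESSED = {".png", ".jpg", ".zip", ".docx", ".xlsx", ".gz", ".7z", ".mp4"}
DOCUMENT_EXTS = set(MAGIC) | {".txt", ".csv", ".doc", ".xls", ".pptx"}

RANSOM_TEXT_RE = re.compile(
    r"(files (have been|are) encrypted|\.onion\b|decrypt(ion|or)? (key|tool|software))",
    re.IGNORECASE,
)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> list:
    """Return the sorted list of indicators raised for one file; [] means nothing suspicious."""
    with path.open("rb") as f:
        head = f.read(HEADER_BYTES)
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    found = set()
    # 1. Ransom note: a text-like file carrying the characteristic wording
    if ext in {".txt", ".html", ".hta", ""} and RANSOM_TEXT_RE.search(head.decode("utf-8", "ignore")):
        found.add("ransom_note")
    # 2. Known extension whose header signature is gone (encrypted in place)
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        found.add("magic_mismatch")
    # 3. A document extension with an unfamiliar extension appended after it
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and ext not in DOCUMENT_EXTS | COMPRESSED:
        found.add("appended_extension")
    # 4. Ciphertext-like entropy where the format does not explain it
    if ext not in COMPRESSED and shannon_entropy(head) > ENTROPY_THRESHOLD:
        found.add("high_entropy")
    return sorted(found)


def scan_tree(root: Path) -> dict:
    """Map each flagged file (path relative to root, POSIX form) to its indicators."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = classify_file(p)
            if hits:
                results[p.relative_to(root).as_posix()] = hits
    return results


def encryption_in_progress(root: Path, min_fraction: float = 0.2) -> bool:
    """Alert rule (assumption): any ransom note, or more than min_fraction of files flagged.
    One stray .locked file on a share may be noise; a fifth of the share changing at once is not."""
    files = [p for p in root.rglob("*") if p.is_file()]
    if not files:
        return False
    flagged = scan_tree(root)
    if any("ransom_note" in hits for hits in flagged.values()):
        return True
    return len(flagged) / len(files) > min_fraction


def build_sample_tree(root: Path) -> None:
    """Write a constructed sample share: three healthy files, two encrypted ones, one note."""
    rng = random.Random(7)  # deterministic random bytes stand in for ciphertext
    (root / "notes.txt").write_text("Quarterly planning notes.\n" * 40)
    (root / "report.pdf").write_bytes(b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >>\n" * 100)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + rng.randbytes(4092))  # compressed, legitimate
    (root / "plan.pdf").write_bytes(rng.randbytes(4096))             # encrypted in place
    (root / "budget.xlsx.locked").write_bytes(rng.randbytes(4096))   # renamed and encrypted
    (root / "RESTORE-MY-FILES.txt").write_text(
        "All of your files have been encrypted.\nTo buy the decryption tool visit "
        "http://example.onion and pay in Bitcoin.\n")


def run_demo() -> tuple:
    """Build the sample share in a temporary directory, scan it and return (flagged, alert)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root), encryption_in_progress(root)


if __name__ == "__main__":
    flagged, alert = run_demo()
    for name, hits in flagged.items():
        print(f"{name}: {', '.join(hits)}")
    print("ALERT: encryption activity detected" if alert else "clean")
```

Run as-is it flags plan.pdf, budget.xlsx.locked and the note while leaving the legitimate (but equally high-entropy) photo.jpg alone, which is the point of checking the format's signature before trusting entropy. The same logic is what a canary-file or file-server anomaly rule in an EDR implements; pointed at a share nothing legitimate writes to, any hit is worth an alert, and pointed at a live share the fraction threshold keeps a single odd file from paging anyone.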
How ransomware attacks hurt
The harms caused by a ransomware attack extend far beyond the costs of any ransom demand. Businesses are advised not to pay ransom demands; however, in 2023, ransomware payments exceeded $1bn for the first time, although the average ransom demand fell to $1.7m compared to a high of $21.9m in 2021.
The recovery costs in the aftermath of an attack are often significant, and include restoring encrypted data, repairing or upgrading affected IT systems, hiring external experts and paying legal fees.
As businesses typically suffer 7–21 days downtime following an attack, the subsequent loss of revenue during this period can be substantial. Meanwhile, attackers are increasingly targeting backup repositories to further inhibit organisations from recovering their systems after an attack. According to Veeam, 75% of businesses lost at least some of their backups during the attack and more than a third lost all backups, leaving them unable to restore their systems.
Legal and compliance costs, fines and penalties associated with violations of data protection and contractual obligations further add to the financial impact of a ransomware attack.
The impact of a ransomware attack can be catastrophic, ultimately forcing some businesses to close down as a result.
How to respond to a ransomware attack
In the UK, the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) have issued guidance to organisations about what to do if they suffer a ransomware attack. Below is a summary of the key steps you should take if you become a victim of a ransomware attack:
- The NCSC recommends that organisations do not pay ransom demands. Paying does not guarantee the return of encrypted or stolen data, may breach sanctions rules if the recipient is a designated group, and funds further attacks. Instead, report any ransomware incident to the NCSC, which can provide technical assistance and liaise with law enforcement agencies.
- The NCSC’s guide, Mitigating malware and ransomware attacks, provides clear guidance on what businesses should do in the event of a ransomware incident, advising them to:
- Disconnect affected systems from the network
- Reset administrator and system credentials where possible
- Wipe and reset affected devices, rebuilding them from the operating system up
- Restore from backups, after ensuring that backups are free of any malware
- Install, update and run antivirus software
- Reconnect clean devices to the network
- Monitor systems for any signs of reinfection
- The ICO has issued separate guidance explaining that a ransomware attack will often constitute a personal data breach under UK and European data protection law, because loss of access to personal data counts as a breach even where nothing is stolen. Where the breach is likely to result in a risk to individuals, the organisation must notify the ICO within 72 hours of becoming aware of it, and must tell the affected individuals without undue delay where that risk is high.
How businesses can fight back
There are several steps organisations can take to protect themselves against ransomware attacks and ensure they can respond if they do become a victim. These include:
- Staff training – Educate and train the staff on how to recognise and avoid phishing emails, malicious attachments or compromised websites, which are the main vectors of ransomware infection.
- Access controls – Implement and enforce a strong password policy and use multi-factor authentication for accessing the network, devices and system/administrator accounts, which can prevent unauthorised access by attackers.
- Antivirus – Install, update and run antivirus software, firewalls and other security tools, including endpoint detection and response (EDR) tooling that can recognise the behaviour of an attack (mass file renames, credential dumping, lateral movement) rather than only known malware signatures, and scan the network, devices and files regularly so that ransomware can be detected and removed before it encrypts the data.
- Patch management – Maintain systems and devices so that they run up-to-date software versions and patch known vulnerabilities, which can be exploited by attackers to access corporate networks.
- Backups – Back up data frequently and securely, keeping copies on more than one medium with at least one copy offline or in cloud storage that cannot be reached with production credentials and is immutable for its retention period. Attackers routinely look for and destroy reachable backups before encrypting, so the test to apply is whether a compromised domain administrator account could delete or encrypt them.
- Test incident response – Develop and test an incident response plan with clear roles and responsibilities. Ransomware response testing should include recovery of business systems from backups, which can help the organisation to respond quickly and effectively to a ransomware attack.
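The restore test in the last point, and the NCSC step of confirming that backups are intact before restoring from them, can be made mechanical rather than a matter of trust. The following is an added example and not the article’s, the NCSC’s or any vendor’s code: when a backup set is written, a SHA-256 manifest of its files is signed with an HMAC key that lives only on the backup or verification host, never on the production systems an attacker can reach; before a restore, the manifest signature is verified and the backup files are compared against it, so files that were encrypted, deleted or planted on the backup share surface as mismatches instead of being restored in good faith. The key, file names and the attacker actions simulated in a temporary directory are constructed for illustration.

```python
"""Restore verification with an HMAC-signed backup manifest (added example)."""
import hashlib
import hmac
import json
import random
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large backup files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """{relative POSIX path: sha256} for every file under the backup root."""
    return {p.relative_to(backup_root).as_posix(): sha256_file(p)
            for p in sorted(backup_root.rglob("*")) if p.is_file()}


def _canonical(manifest: dict) -> bytes:
    # Deterministic serialisation so the same manifest always signs to the same tag
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Serialise the manifest with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return json.dumps({"files": manifest, "hmac": tag}).encode()


def verify_manifest(signed: bytes, key: bytes) -> dict:
    """Return the file map if the tag verifies; raise ValueError if the manifest was tampered with."""
    doc = json.loads(signed)
    expected = hmac.new(key, _canonical(doc["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest signature invalid: do not restore from this set")
    return doc["files"]


def check_backup(backup_root: Path, signed: bytes, key: bytes) -> dict:
    """Compare the backup set on disk with its signed manifest.
    Returns sorted lists under ok / modified / missing / unexpected."""
    expected = verify_manifest(signed, key)
    actual = build_manifest(backup_root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = list(set(actual) - set(expected))
    for k in report:
        report[k].sort()
    return report


def run_demo() -> dict:
    """Write a constructed backup set, sign it, simulate an attacker on the backup share, re-check."""
    # Assumption: this key is held only by the backup verifier, off the production network
    key = hashlib.sha256(b"example-offline-manifest-signing-key").digest()
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup-weekly-full"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'Acme');\n")
        (backup / "config.yaml").write_text("retention_days: 30\n")
        (backup / "notes.txt").write_text("weekly full backup\n")
        signed = sign_manifest(build_manifest(backup), key)
        before = check_backup(backup, signed, key)

        # Simulated attacker with write access to the backup share (constructed scenario)
        rng = random.Random(3)
        (backup / "db" / "customers.sql").write_bytes(rng.randbytes(512))   # encrypted in place
        (backup / "config.yaml").unlink()                                     # deleted
        (backup / "RESTORE-FILES.txt").write_text("your files are encrypted\n")  # dropped note
        after = check_backup(backup, signed, key)

        # Without the key the attacker cannot re-sign a manifest that blesses the tampered set
        forged = sign_manifest(build_manifest(backup), b"attacker-guess")
        try:
            verify_manifest(forged, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return {"before": before, "after": after, "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The design choice that matters is where the key lives: an HMAC only helps if the host that signs and verifies manifests is not one the attacker can reach with the domain credentials they already hold, which is the same isolation the backups themselves need. A public-key signature (for example Ed25519, with the private key on the backup host and only the public key on the restore side) removes the need to protect the verification key at all, and storing the signed manifest in immutable object storage stops it being deleted along with the backups.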
How ransomware is here to stay
Ransomware is a highly disruptive form of malware that encrypts or steals company data and is a growing threat to businesses of all sizes, across all sectors. According to the NCSC, the ransomware threat is set to rise still further as artificial intelligence (AI) lowers the barrier to entry for cyber-criminals and cybercrime groups.
Ransomware attacks can have a significant impact on a company’s business, sales and ability to operate. The costs of recovering from a ransomware incident are substantial, comprising both direct and indirect costs, as well as contractual penalties and legal action. The loss of access to or theft of personal data in a ransomware attack may constitute a personal data breach reportable to the data protection authority, such as the ICO in the UK, and may lead to fines and costly remediation action.
Amid this destructive and growing cyber-threat, organisations must ensure they have the right technical and procedural controls in place to defend themselves, as well as the ability to respond to and recover from a ransomware incident.
Blackfoot’s Ransomware Protection Assessment provides a detailed assessment of the critical technical and procedural controls you need to protect your business from ransomware attacks. Our expert team can guide you through a ransomware exercise, ensuring your business can respond to and recover from an attack. Get in touch to find out more.