What are ransomware attacks, and why are they on the rise?

The number of cyberattacks increases every day. Most notably, ransomware attacks are continuously on the rise: not a day goes by or a new ransomware attack and data breach are mentioned in the press. But what is ransomware exactly, and which types are there? How do these ransomware attacks happen, and what can you do to prevent them? In this blog post, we’ll formulate an answer to all of these questions.

What are ransomware attacks?

Ransomware is a type of malicious software (malware), that is used by cybercriminals to encrypt a (portion of a) device’s data, rendering it no longer accessible. To regain access, criminals will demand a big ransom payment before they will give the decryption key or deactivate the lock screen. But, of course, it’s better to mitigate your chances of getting attacked to begin with – rather than paying the ransom. To put more pressure on the victims regarding the ransom demand, the hackers can use specific ransomware software to not only encrypt files but also search for sensitive data and send this information back to the hacker. During this type of malware attack, ransomware groups often spend much time unnoticed in the operating system, while searching for the most valuable data to exploit. If organizations then do not want to pay the ransom, the malware attacker often threatens to publish the stolen data online, which has disastrous consequences.

Who are ransomware attack targets?

In general, anyone can become the target of ransomware attacks. However, looking at the most recent data breaches in 2022 alone, it’s clear that hackers will focus on organizations that work with a lot of personal files and sensitive data, big user groups, and possibly smaller IT teams (such as in education or healthcare). Furthermore, they also tend to target industrial players as disruptions in their IT processes pose prominent problems for the company’s supply chain.

Which types of ransomware attacks are there?

A wide range of ransomware variants are being used, but let’s take a look at the most common ones:

• Crypto ransomware or ‘encryptors’: This type of malware is perhaps the most famous one. A cybercriminal will encrypt files and to keep the decryption key, for which you will have to pay ransom. Notable examples are CryptoLocker, GoldenEye, WannaCry, …
• Locker ransomware: This ransomware variant will block your basic computer functions. You won’t have access to your device and you’ll only see one lock screen or popup with the message that your files and applications are inaccessible and that you need to pay a certain amount of money before gaining access again.
• Scareware: A type of malware designed to scare or manipulate people into visiting website pages or downloading malware-infested software. This is done by using social engineering tactics and popup ads. The goal is to make users believe they need to buy or download software (which is actually malicious). Some examples of scareware are: PC Protector, SpySheriff, Antivirus360, …
• Doxware: With this term, we refer specifically to ransomware that is used to get personal data. They compromise the privacy of the employees by getting access to photos and sensitive files, after which they will threaten to release the data. Often attackers will deliberately target specific victims for this type of attack.
• Ransomware as a service (RaaS): This is a business model for cybercriminals. Anyone, even without knowing how to code, can buy tools on the black market and use them for carrying out ransomware attacks. The tools are hosted and maintained by hacker collectives. Well-know RaaS providers are REvil, DarkSide, Maze, …

How do ransomware attacks happen?

Ransomware operators try to gain access to the company’s network or system via different techniques. Very often, they will try to do this via individuals in the organization, but they can also attempt to infect systems directly. The following list highlights some of the most common ways ransomware attacks happen.

• Phishing: Criminals send employees of your organization an email that contains a malicious link or malicious attachments. It could be that the link goes to a website hosting a hostile file or code, or that the attachment has a download functionality built in. If one of the people at the company clicks on or opens the content of the phishing emails, malicious software could be installed and the ransomware infects the systems.
• Insufficiently protected network: If you’re acting proactively in securing your network, cybercriminals can attempt to exploit multiple vulnerabilities and attack vectors to get in and let their malicious software do its thing.
• Open RDP: Using RDP without any security measurements is something cybercriminals like to see, as they can exploit its weaknesses. That way they get access to the company’s system. Researchers found 25 vulnerabilities (!) in some of the most popular RDP clients (FreeRDP, Microsoft’s built-in RDP client, …) used by businesses in 2020.
• Insecure VPN connections: VPN tunnels directly from your employees’ devices to your network. Together with RDP, the UK National Cyber Security Centre identified VPN as one of the largest risk factors for a ransomware attack, because malicious software from the client device can enter your corporate network remotely.

Examples of major ransomware attacks in 2022

Every day, another major organization is the victim of a ransomware attack. Some recent victims were:

• Government systems in Costa Rica (May 2022): Cyberattack targeting systems from tax collection to importation and exportation processes through the customs agency. Furthermore, they also got access to the social security agency’s human resources system and the Labor Ministry. The Conti cartel has been demanding a lot of money for the attack. In the meantime, they have been starting to publish stolen information as they were tired of waiting for the ransom.
• Florida International University (April 2022): Data breach that impacted the sensitive information of students and faculty. BlackCat was behind the attack.
• The Scottish Association for Mental Health (March 2022): The health organization was targeted by a ransomware gang that impacted the IT systems. More than 12GB of personal and sensitive data was leaked online. Behind the attack was RansomEXX ransomware gang.
• KP Snacks (February 2022): The hackers of the Conti gang were able to steal many sensitive documents like samples of credit card statements, spreadsheets including employee personal data, and confidential agreements, … They published even more of these data online after not receiving the ransom in time.
• Moncler (January 2022): At the beginning of the year, the luxury Italian fashion giant became the victim of a data breach following an attack by ransomware gang BlackCat. Afterward, the company explained that various data had been impacted. The data was not only related to customers, but also to current and previous employees, as well as to suppliers, and business partners.

These are only a handful of thousands of (publicly known) examples. Ransomware attacks are not limited to certain verticals or countries. Without the right security measures in place, everyone can become a ransomware victim.

Why are ransomware attacks rising?

Shift to hybrid and remote working

Ransomware attacks are on the rise as ransomware groups are continuing to adapt their techniques in this changing digital world. With the acceleration of remote working and shift to hybrid working, malicious actors are not only focusing on organizations in general but are also targeting individuals to gain access to the operating systems, files, and applications of companies.

More and more people are working outside the office networks. A lot of companies have set up a remote working solution in a quick way as they were surprised by the worldwide pandemic. However, in multiple cases businesses chose insecure solutions to do this (e.g. via opening RDP endpoints or facilitating ‘naked’ VPNs). The result was that they created gaps in their cybersecurity defense, which makes them an easy target for malware.

Financial benefits for ransomware group

Another reason for the rise is that more criminal groups see the benefit of ransomware attacks as companies tend to (in most times) pay the ransom. It can be a quick money win for them. Stealing and threatening to leak the data has been working well for these ransomware gangs, so we see a clear shift from denial of data to data extraction. Let’s take a look at how you can prevent making them rich.

Best practices to prevent ransomware attacks and spreading

Nobody wants to pay the ransom or wants to have encrypted files and encrypted data, right? So how can organizations prevent such ransomware attacks? How can you defend yourself? We’ve listed some best practices of ransomware protection for you:

• Inform and train your employees:
  • IT admins shouldn’t click on unknown links or open malicious mail attachments, and should always use strong passwords with MFA enabled.
  • Facilitate security awareness training for your employees. The above is more difficult to enforce on your employees, so it is fundamental that you make them aware and train them in cybersecurity hygiene.
  • Phishing emails and social engineering attacks are still very popular techniques with cybercriminals to target individuals to make them the gateway into the organization’s computer system. Make sure your employees are aware of these practices so that they can recognize and counter them when they face an attempt.
• Data backup:
  • Backup files and applications regularly.
  • Make sure to secure your offline data backups as well, and check that they are not connected permanently to the computers and networks that they are backing up.
• Network segmentation:
  • If you have an infected system, make sure that malware cannot spread to another computer system by segmenting production and general-purpose networks.
  • That way, if somebody is using an infected computer and infects one of the smaller networks, you can try to isolate the ransomware before it spreads further.
  • This also gives the IT team more time to remove ransomware without it spreading throughout the entire organisation.
• Review port settings:
  • Open RDP ports are one of the most common ways ransomware attacks are initiated. Using ‘naked’ RDP port 3389 to give employees remote access is opening the door for hackers and saying: “Welcome, this way please!”
  • Another port that is often targeted is Server Message Blocked port 445.
• Limit user access privileges:
  • To block ransomware from entering, define the permissions of users thoroughly.
  • Set limitations to which applications, desktops, and files they have access.
  • Add security layers in line with the Zero Trust model as you can not trust anyone, even if it’s an authorized employee. Make sure you have control over what each user or user group can access or do.

What to do if you’re a victim of a ransomware attack

What can you do if you are the victim of a ransomware attack? Let’s check out the most common ways to recover from a ransomware infection.

• Do not make a ransom payment: Firstly, stay calm and don’t rush into paying the ransom. It will only encourage criminals to keep on doing this. (And how can you be sure that the ransomware attackers will give your data back after you paid?)
• Identify the source of the ransomware: Try to find out what the point of entry of the ransomware was. Talk with your users to find out who experienced the first signs of the attack.
• Isolate the infected machines: You don’t always know how fast the ransomware could be spreading, but disconnect all devices from the network as soon as possible. This may help reduce the impact of a company-wide ransomware infection.
• Report the attack to the authorities: This is a crime, and you should report it to the police. They could also be able to help you as they have access to more powerful resources for this type of crime.
• Restore your data: If you have been taking regular backups of your data, you can use those off-site or cloud backup files to restore your data. This is why you should have a backup data strategy so you can move forward quickly without losing too much time. However, be careful as some ransomware may have been for months in your systems and therefore in your backups as well. You should always run an anti-malware solution on your backups first to check.

How can Awingu help with ransomware prevention?

Awingu is a unified workspace that makes it possible for a company to enable secure remote access to file servers, applications, and desktops for its employees. Our customer use it as an extra protection layer to secure ‘naked’ RDP, as well as to provide a secure alternative to VPNs. Users can access the workspace via the browser and nothing needs to be installed on the device. So even if they are using an infected device, there is no direct connection to the company’s network, so you don’t have to fear a ransomware infection. Awingu comes with various built-in security capabilities that will help you secure the access:

• Browser-based workspace
• Built-in MFA
• Anomaly detection and monitoring in the dashboard
• SSL encryption
• No local data on the end-user device
• Granular usage control
• Context-awareness
• …

If you want to learn more about how Awingu can help you protect your organization against ransomware attacks, click here!