What is ransomware?

Yes, ransomware is a type of malware. It is malicious software that may lock device or data access, allowing the attacker to demand a ransom. This malware may be used to:

• Steal data
• Delete or encrypt data
• Take control of your accounts and systems
• Use services that cost your organisation money.

There are other types of malware, however. Adware, which displays unwanted advertising, and spyware, which mines sensitive data.

Sometimes, malware may present as ransomware but fail to release files once a ransom is paid, so file backups can be an important part of cyber defence.

A ransomware attack generally works via social engineering, a technique cyber criminals use to lure users into opening a link or downloading an attachment. This might happen as part of a phishing campaign. The aim is to manipulate an employee to unknowingly download the malware.

The malicious software can also be installed after hackers gain access to organisation’s systems, such as through vulnerabilities and incorrectly configured software exposed to the internet. Another technique is ‘malvertising’, whereby devious adverts entice users into downloading malware disguised as legitimate software.

The software quickly locks devices or encrypts files, before demanding a ransom, which can amount to thousands of pounds. Ransomware attackers typically ask for payments in Bitcoin or another cryptocurrency, since these are less traceable.

Why ransomware is used

Ransomware is primarily used by criminals who wish to extort money from businesses and other institutions. With your precious data or essential systems out of use, the criminal is at liberty to demand money in return for their restoration.

Ransomware attacks present a catch-22 situation for businesses that rely on digital files, since the cost of losing access entirely may be high.

Beyond financial gain, the purpose of a ransomware attack might be to spy on your work or hinder it. Malicious groups might have ulterior motives for stealing your sensitive data, such as espionage or causing general disruption.

How ransomware affects Windows, Mac and phones

How ransomware works can depend on the operating system you’re using. Though initially commonplace on Windows devices, ransomware is no longer a concern reserved for PC users.

The first mobile ransomware attacks arrived in 2014. These are typically delivered through deceitful apps and see the entire device locked.

Apple devices can also fall prey to ransomware. The first attacks aimed at Macs were recorded in 2016. Complex techniques allowed harmful files to run in the background for several days to circumvent Apple’s built-in XProtect system.

Cyber attacks are almost as old as computers themselves. In fact, the first known ransomware attack came in 1989. Evolutionary biologist Joseph Popp (external link) distributed floppy discs to AIDS researchers across the world, claiming the disc contained a research questionnaire. Malware was hidden alongside the research materials – and after 90 restarts, a message demanding $189 appeared[1].

This first attack was known as the AIDS Trojan, which drew on topical concerns to motivate a download.

Ransomware rose to prominence in the mid-2000s[2], and has since transformed into an advanced toolkit for criminals. By the late 2010s, ransomware-as-a-service programmes such as CryptoLocker were traded on the dark web. Today, this means criminals can target businesses without any coding knowledge.

Ransomware techniques are ever-changing. For example, a 2020 wave of scams took advantage of uncertainty surrounding the Covid-19 pandemic.

Key statistics illustrate the real threat ransomware can pose to businesses, charities and other organisations:

• Ransomware currently accounts for just 4% of cyber attacks and breaches, according to the UK Government’s Cyber Security Breaches Survey 2022 (external link)[3]. Despite this low number, many organisations cite ransomware as a major threat. Some 56% of businesses rule out paying ransoms to cyber attackers.
• Ransomware can cost organisations as much as $100,000, according to our 2022 Cyber Readiness Report. This was the highest ransom payment featured in the survey.
• 19% of businesses and 27% of charities don’t have a clear policy on ransom payment, according to the Cyber Breaches Survey 2022.

There are several types of ransomware, which vary greatly in terms of the techniques used and harm caused. They do have one characteristic in common, though – all variants demand payment in exchange for releasing hijacked files or computer systems. There are four main ways that ransomware gangs seek to cause harm to extort a ransom payment.

Crypto ransomware

Crypto ransomware uses strong encryption, preventing victims from accessing their files. Without a decryption key, businesses faced with this type of attack can permanently lose access to their data. In some cases, ransomware groups may never release decryption keys upon payment.

Exfiltration ransomware

Exfiltration ransomware involves searching company data and downloading it to their own systems. The data collected is generally personal data on intellectual property from customers and employees,  financial records and more. Hackers demand a ransom in order for them to prove that they deleted the organisation’s data; if unpaid, they auction it off or release it to the public. Organisations can never be sure that the data was truly deleted.

Double extortion ransomware

For the more sophisticated ransomware gangs this method inflicts more harm. It is a combination of both encryption and exfiltration, whereby they can demand more money from organisations.

Locker ransomware

Locker ransomware targets devices, such as PCs, Macs and smartphones, by rendering them unusable. Locker ransomware can sometimes be resolved without paying a ransom but defeating crypto-ransomware tends to be more difficult.

Lockbit

The Lockbit group operates as a Ransomware as a Service (RaaS) operation, where affiliates sell their access to organisations to groups on dark web market places for a fee. Affiliates are threat actors who are autonomous to ransomware groups; they use various exploits such as phishing to gain persistent access to an organisation.

Lockbit has few issues acquiring access brokers due to their sophisticated ransomware, which encrypts 1TB in 45 minutes, and exfiltrates 1TB in 3 hours 18 minutes. Lockbit has made continuous improvements to their ransomware and is now on Lockbit v3.0. Its encryption can take place at such  a pace, that large volumes of data can be encrypted overnight, without security teams noticing.

Conti

Conti uses its strong affiliations to botnet groups, TrickBot and BazarLoader, which they commonly use to gain remote access to organisations. The botnet groups are spread to different machines through phishing emails with links to malicious documents. If clicked on, a computer is a part of a botnet, comprised of many other compromised machines. Conti uses these compromised machines to load their own ransomware that encrypts data and downloads it to Conti's servers.

Psya

PSYA usually gains unsanctioned access to targeted networks via either phishing methods or Remote Desktop Protocol (RDP). Then using tools to withdraw files from the network of the victim, and then encrypt all connected devices and data from Windows or Linux. This makes vital files, backup systems, virtual machines, apps and databases unavailable.

Hive

Hive is a ransomware-as-a-service (RaaS) operation. Several mechanisms are used to jeopardise the networks of their victims. This includes harmful attachments in phishing emails, disclosed VPN details, and taking advantage of vulnerabilities on assets. Hive uses a double extortion technique, whereby they both encrypt organisations’ data and download it to their servers.

Karakurt 

The Karakurt group targets organizations using single-factor VPN (Virtual Private Network) servers with legitimate access credentials. It is unknown how the group obtains these credentials; however, it is likely that they obtain these through social engineering techniques such as phishing or by paying off insiders. Rather than encrypting the data, Karakurt focuses solely on data exfiltration and subsequent extortion, by threatening to auction off data or release it to the public if ransoms are not paid.

WannaCry

WannaCry stops users from being able to access documents on Microsoft Windows operating systems by encrypting files. It can also lock the user out of their computer altogether. WannaCry manifests as a cryptoworm – this is malware that’s able to self-replicate and spread.

The notorious 2017 WannaCry ransom attack shut down hundreds of thousands of computers (external link) around the world[4]. In what is widely considered the worst-ever global cyber-attack, WannaCry brought together the cryptocurrency payment systems and encryption technology first seen in CryptoLocker.

WannaCry targeted Windows computers using tools stolen from the US Government, which meant the malware no longer needed to rely on slow direct mail campaigns.

WannaCry was an early cryptoworm, so the malware could clone itself and infect more computers. The result was exponential growth impacting organisations in 150 countries, including the National Health Service in Britain (external link)[5], which lost £92m (external link)[6].

With technology changing so rapidly, it’s not always possible to prevent ransomware attacks. The extent to which you can protect your business depends on how sophisticated an attack is and whether it requires phishing. Many of the ways to prevent ransomware attacks are related to phishing awareness.

That said, other best-practice cyber security techniques can help your business, data and operations to stay protected. Here are some precautionary measures businesses can take to help prevent a ransomware attack:

• Update your devices. Many of the organisations worst-hit by WannaCry were using older devices and outdated operating systems, so investing in new machines every couple of years can help to reduce the risk
• Install security software. Cyber security software not only makes it harder for malware to take control of your device and encrypt files within it but can stop it once it starts encryption or exfiltration. At a minimum, you should use virus scans and firewalls, but more advanced options include endpoint detection and advanced threat solutions
• Patch and update software. Keep your software strong and protective by running all the recommended updates, since each new version fixes security holes. The idea is to always remain one step ahead of hackers
• Set up multi-factor authentication. To properly secure a device, you need more than just a strong password. Multi-factor authentication checks your identity via phone call or text message, making it much harder for hackers to gain access to your accounts. The more steps required to authenticate your identity when logging in, the better
• Back up your files. Since it isn’t always possible to eliminate ransomware attacks, the second-best scenario is having no need to pay the ransom. Regularly backing up your files externally can stand you in great stead should a hacker encrypt files on your main drive
• Protect your personal information. Malicious groups often use personal information – including passwords, answers to security questions and date of birth – to gain access to accounts. Make sure everyone in your organisation follows protocol on protecting their personal information, including senior management, who may be targeted by whaling campaigns (a type of phishing attack)
• Consider cyber security training. Reduce the likelihood of falling prey to a phishing attack by training your employees in cyber security and awareness. The Hiscox CyberClear Academy provides complimentary training with every cyber insurance package.

What does it mean if you receive a ransomware email – and what should you do? If the worst should happen and you were to discover your systems had been compromised, it’s important to stay calm and avoid making rash decisions.

Receiving such a message usually means your systems have already been compromised, but the following steps can help you to minimise the damage.

If you get a ransomware alert:

1. Contact your insurer

Contact your cyber insurance provider to inform them of the ransomware attack. Depending on your policy, your insurer may cover the cost of ransom payments and system recovery, as well as indirect costs, such as those related to reputation management.

2. Establish the type of attack

Determine whether you have been hit by crypto ransomware, exfiltration ransomware, double extortion ransomware or locker ransomware. The distinction is important, since locker-style attacks which don’t encrypt your files are often easier to resolve. The best ways to prevent the worst effects of ransomware depend on how you’ve been targeted.

If you can’t get past the ransom note pop-up on your screen, it’s likely locker ransomware. If you can browse your computer but can’t open files, you’ve probably been struck by encrypting malware.

3. Disconnect your device

Disconnect your machine from the network and unplug any other devices or external drives. This can help to restrict the impact of a ransomware infection.

4. Collect evidence

Take a picture of the ransomware note with details of the ransom’s value and payment instructions. You’ll need this information to pass to the relevant authorities.

5. Attempt data recovery

Investigate the type of ransomware you’ve been hit with. In some cases, it’s possible to recover your data using recovery and decryption software. You can access this through your IT department or a trusted cybersecurity firm.

6. File a police report.

They might not be able to help just yet, but you’ll need evidence of reporting the incident to file an insurance claim or lawsuit. 

For more information on cyber security and how small business owners can stay in-the-know, read our Cyber Readiness Report and other FAQ guides on commercial cyber security.

Further ransomware attack tips from the National Cyber Security Centre

The UK’s dedicated cyber security agency has a few tips to prevent the worst impacts of ransomware threats.

According to the NCSC (external link), if you face a ransomware attack, you should:

• Consider turning off Wi-Fi and disabling core network connections to help stop the malware spreading
• Reset passwords, especially for administrator accounts – but be careful to avoid locking yourself out in the process
• Wipe infected devices and reinstall the operating system software from a clean network
• Check all devices and backups are malware-free before you reinstall data
• Run antivirus software, then reconnect to your network
• Keep a sharp eye on your network by running antivirus scans in the coming days.

[1] https://edition.cnn.com/2021/05/16/tech/ransomware-joseph-popp/index.html

[2] https://digitalguardian.com/blog/history-ransomware-attacks-biggest-and-worst-ransomware-attacks-all-time

[3] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022

[4] https://techcrunch.com/2019/05/12/wannacry-two-years-on/

[5] https://www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/

[6] WannaCry cyber-attack cost the NHS £92m after 19,000 appointments were cancelled | UK Healthcare News (nationalhealthexecutive.com)

Disclaimer:

Our FAQ pages provide general information and background around the topic covered. FAQ pages are reviewed and monitored periodically by our insurance experts. But the content is not intended to be read as advice and any material is for general information purposes only. If you would like advice for any content, please seek professional assistance.