What is ransomware?
Ransomware is a type of malware – or malicious software – designed to infect computer systems and lock files in order to extort money from business owners. It’s what cyber criminals sometimes use to profit from disruption. As the name suggests, this type of cyber attack involves holding data and devices to ransom.
As well as putting pressure on system owners to part with their hard-earned cash, hackers may threaten to compromise the security of sensitive data or even shut down systems entirely. This can harm your reputation and client relationships as well as your finances.
There are several ways ransomware can infect a computer – the most common is a phishing attack, which involves clicking a malicious link or downloading a malicious attachment. Occasionally, criminals also pose as security officials asking the victim to pay a ‘fine’ to regain access.
A user is typically presented with a message stating that their files have been encrypted, alongside instructions for how to transfer money in exchange for a decryption key.
Here, we answer key questions about this common type of attack and outline best-practice steps to prevent ransomware infection.
Is ransomware malware?
Yes, ransomware is a type of malware. It is malicious software that may block access to devices or data so that the attacker can demand a ransom. This malware may be used to:
- Steal data
- Delete or encrypt data
- Take control of your accounts and systems
- Use services that cost your organisation money.
There are other types of malware, however, such as adware, which displays unwanted advertising, and spyware, which harvests sensitive data.
Sometimes, malware may present as ransomware but fail to release files once a ransom is paid, so file backups can be an important part of cyber defence.
How ransomware works
A ransomware attack generally works via social engineering, a technique cyber criminals use to lure users into opening a link or downloading an attachment. This might happen as part of a phishing campaign. The aim is to manipulate an employee into unknowingly downloading the malware.
The malicious software can also be installed after hackers gain access to an organisation’s systems, such as through vulnerabilities and incorrectly configured software exposed to the internet. Another technique is ‘malvertising’, whereby devious adverts entice users into downloading malware disguised as legitimate software.
The software quickly locks devices or encrypts files, before demanding a ransom, which can amount to thousands of pounds. Ransomware attackers typically ask for payments in Bitcoin or another cryptocurrency, since these are less traceable.
Why ransomware is used
Ransomware is primarily used by criminals who wish to extort money from businesses and other institutions. With your precious data or essential systems out of use, the criminal is at liberty to demand money in return for their restoration.
Ransomware attacks present a catch-22 situation for businesses that rely on digital files, since the cost of losing access entirely may be high.
Beyond financial gain, the purpose of a ransomware attack might be to spy on your work or hinder it. Malicious groups might have ulterior motives for stealing your sensitive data, such as espionage or causing general disruption.
How ransomware affects Windows, Mac and phones
How ransomware works can depend on the operating system you’re using. Though initially commonplace on Windows devices, ransomware is no longer a concern reserved for PC users.
The first mobile ransomware attacks arrived in 2014. These are typically delivered through deceptive apps and lock the entire device.
Apple devices can also fall prey to ransomware. The first attacks aimed at Macs were recorded in 2016. Complex techniques allowed harmful files to run in the background for several days to circumvent Apple’s built-in XProtect system.
History of ransomware attacks
Cyber attacks are almost as old as computers themselves. In fact, the first known ransomware attack came in 1989. Evolutionary biologist Joseph Popp distributed floppy discs to AIDS researchers across the world, claiming the disc contained a research questionnaire. Malware was hidden alongside the research materials – and after 90 restarts, a message demanding $189 appeared.
This first attack was known as the AIDS Trojan, which drew on topical concerns to motivate a download.
Ransomware rose to prominence in the mid-2000s, and has since transformed into an advanced toolkit for criminals. By the late 2010s, ransomware-as-a-service programmes such as CryptoLocker were traded on the dark web. Today, this means criminals can target businesses without any coding knowledge.
Ransomware techniques are ever-changing. For example, a 2020 wave of scams took advantage of uncertainty surrounding the Covid-19 pandemic.
Key statistics illustrate the real threat ransomware can pose to businesses, charities and other organisations:
- Ransomware currently accounts for just 4% of cyber attacks and breaches, according to the UK Government’s Cyber Security Breaches Survey 2022. Despite this low number, many organisations cite ransomware as a major threat. Some 56% of businesses rule out paying ransoms to cyber attackers.
- Ransomware can cost organisations as much as $100,000, according to our 2022 Cyber Readiness Report. This was the highest ransom payment featured in the survey.
- 19% of businesses and 27% of charities don’t have a clear policy on ransom payment, according to the Cyber Breaches Survey 2022.
What are the main types of ransomware?
There are several types of ransomware, which vary greatly in terms of the techniques used and harm caused. They do have one characteristic in common, though – all variants demand payment in exchange for releasing hijacked files or computer systems. There are four main ways that ransomware gangs seek to cause harm to extort a ransom payment.
Crypto ransomware uses strong encryption, preventing victims from accessing their files. Without a decryption key, businesses faced with this type of attack can permanently lose access to their data. In some cases, ransomware groups may never release decryption keys upon payment.
Exfiltration ransomware involves searching company data and downloading it to the attackers’ own systems. The data collected is generally personal data on customers and employees, intellectual property, financial records and more. Hackers demand a ransom in return for a promise that they have deleted the organisation’s data; if unpaid, they auction it off or release it to the public. Organisations can never be sure that the data was truly deleted.
Double extortion ransomware is a combination of both encryption and exfiltration. It is favoured by the more sophisticated ransomware gangs because it inflicts more harm, allowing them to demand more money from organisations.
Locker ransomware targets devices, such as PCs, Macs and smartphones, by rendering them unusable. Locker ransomware can sometimes be resolved without paying a ransom but defeating crypto-ransomware tends to be more difficult.
The LockBit group operates as a Ransomware as a Service (RaaS) operation, where affiliates sell the access they have gained to organisations to ransomware groups on dark web marketplaces for a fee. Affiliates are threat actors who operate independently of the ransomware groups; they use various techniques such as phishing to gain persistent access to an organisation.
LockBit has few issues acquiring access brokers due to its sophisticated ransomware, which encrypts 1TB in 45 minutes and exfiltrates 1TB in 3 hours 18 minutes. LockBit has made continuous improvements to its ransomware and is now on LockBit v3.0. Encryption takes place at such a pace that large volumes of data can be encrypted overnight without security teams noticing.
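The speed described above is why defenders watch for bursts of file rewrites rather than waiting for a ransom note to appear. The following Python script is an added illustration, not code from the original article or from any security vendor: it runs a simple burst detector over a constructed feed of file-write events (timestamp, account, path and a sample of the newly written content), flagging an account that rewrites many files with ciphertext-like, high-entropy content inside a short window, while ignoring file types that are high-entropy when legitimate (compressed archives, images). The account names, paths, thresholds and the .locked extension are all assumptions made up for the example.

```python
"""Toy burst detector for file encryption activity (added example).

Assumes an audit feed that supplies, for each file write, the timestamp,
the account that wrote, the path and a sample of the new content.
All sample events below are constructed for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import math
import os
import random

HIGH_ENTROPY = 6.5              # bits per byte; encrypted data sits close to 8.0
WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20            # high-entropy rewrites per account within WINDOW
# File types that are high-entropy when legitimate (compressed or media), to limit false positives
NATURALLY_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4"}
SAMPLE_BASE = datetime(2024, 1, 1, 2, 0, 0)   # constructed start time for the sample feed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte sample, in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_bursts(events):
    """events: iterable of (timestamp, account, path, content_sample) in time order.

    Returns {account: timestamp at which the burst threshold was first reached}.
    """
    recent = defaultdict(deque)   # account -> timestamps of recent high-entropy writes
    alerts = {}
    for ts, account, path, sample in events:
        if os.path.splitext(path)[1].lower() in NATURALLY_HIGH_ENTROPY:
            continue                            # archives and media are expected to look random
        if shannon_entropy(sample) < HIGH_ENTROPY:
            continue                            # ordinary documents: nothing to track
        window = recent[account]
        window.append(ts)
        while ts - window[0] > WINDOW:          # drop writes older than the sliding window
            window.popleft()
        if len(window) >= BURST_THRESHOLD and account not in alerts:
            alerts[account] = ts
    return alerts


def build_sample_events():
    """Constructed audit feed: one ordinary user, one compromised account, one archive job."""
    rng = random.Random(2024)   # fixed seed keeps the 'ciphertext' deterministic
    text = b"Quarterly figures attached; see sheet two for the breakdown.\n" * 8
    events = []
    for i in range(5):          # alice: a handful of document edits spread over an hour
        events.append((SAMPLE_BASE + timedelta(minutes=12 * i), "alice",
                       f"/share/docs/report{i}.docx", text))
    for i in range(30):         # bob: 30 ciphertext-like rewrites inside 45 seconds
        blob = bytes(rng.getrandbits(8) for _ in range(512))
        events.append((SAMPLE_BASE + timedelta(seconds=1.5 * i), "bob",
                       f"/share/finance/ledger{i}.xlsx.locked", blob))
    for i in range(25):         # carol: nightly archive job writing compressed files
        blob = bytes(rng.getrandbits(8) for _ in range(512))
        events.append((SAMPLE_BASE + timedelta(seconds=2 * i), "carol",
                       f"/backup/nightly/archive{i}.zip", blob))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for account, when in detect_bursts(build_sample_events()).items():
        print(f"ALERT {when.isoformat()} {account}: burst of high-entropy file rewrites")
```

Running the script alerts on the constructed account bob about 28 seconds into its run, while alice’s ordinary edits and carol’s archive job stay silent. The extension allowlist is the usual source of tuning work in practice: a real deployment would feed this from the endpoint or file-server audit log and adjust the window and threshold to the organisation’s normal write rate.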
Conti uses its strong affiliations with the botnet groups TrickBot and BazarLoader, which it commonly relies on to gain remote access to organisations. The botnets are spread to different machines through phishing emails with links to malicious documents. If a link is clicked, the computer becomes part of a botnet comprising many other compromised machines. Conti uses these compromised machines to load its own ransomware, which encrypts data and exfiltrates it to Conti's servers.
PSYA usually gains unsanctioned access to targeted networks via phishing or Remote Desktop Protocol (RDP). It then uses tools to extract files from the victim’s network, before encrypting all connected devices and data on Windows or Linux. This makes vital files, backup systems, virtual machines, apps and databases unavailable.
Hive is a ransomware-as-a-service (RaaS) operation that uses several mechanisms to compromise its victims’ networks, including harmful attachments in phishing emails, leaked VPN credentials and exploitation of vulnerabilities in exposed assets. Hive uses a double extortion technique, both encrypting organisations’ data and exfiltrating it to its servers.
The Karakurt group targets organisations using single-factor VPN (Virtual Private Network) servers with legitimate access credentials. It is unknown how the group obtains these credentials; however, it is likely that they obtain them through social engineering techniques such as phishing or by paying off insiders. Rather than encrypting the data, Karakurt focuses solely on data exfiltration and subsequent extortion, threatening to auction off data or release it to the public if ransoms are not paid.
WannaCry stops users from being able to access documents on Microsoft Windows operating systems by encrypting files. It can also lock the user out of their computer altogether. WannaCry manifests as a cryptoworm – this is malware that’s able to self-replicate and spread.
What was the WannaCry ransomware attack?
The notorious 2017 WannaCry ransomware attack shut down hundreds of thousands of computers around the world. In what is widely considered the worst-ever global cyber-attack, WannaCry brought together the cryptocurrency payment systems and encryption technology first seen in CryptoLocker.
WannaCry targeted Windows computers using tools stolen from the US Government, which meant the malware no longer needed to rely on slow direct mail campaigns.
WannaCry was an early cryptoworm, so the malware could clone itself and infect more computers. The result was exponential growth impacting organisations in 150 countries, including the National Health Service in Britain, which lost £92m.
How to prevent a ransomware attack
With technology changing so rapidly, it’s not always possible to prevent ransomware attacks. The extent to which you can protect your business depends on how sophisticated an attack is and whether it requires phishing. Many of the ways to prevent ransomware attacks are related to phishing awareness.
That said, other best-practice cyber security techniques can help your business, data and operations to stay protected. Here are some precautionary measures businesses can take to help prevent a ransomware attack:
- Update your devices. Many of the organisations worst-hit by WannaCry were using older devices and outdated operating systems, so investing in new machines every couple of years can help to reduce the risk
- Install security software. Cyber security software not only makes it harder for malware to take control of your device and encrypt the files on it, but can also stop an attack once encryption or exfiltration starts. At a minimum, you should use virus scans and firewalls, but more advanced options include endpoint detection and advanced threat solutions
- Patch and update software. Keep your software strong and protective by running all the recommended updates, since each new version fixes security holes. The idea is to always remain one step ahead of hackers
- Set up multi-factor authentication. To properly secure a device, you need more than just a strong password. Multi-factor authentication checks your identity via phone call or text message, making it much harder for hackers to gain access to your accounts. The more steps required to authenticate your identity when logging in, the better
- Back up your files. Since it isn’t always possible to eliminate ransomware attacks, the second-best scenario is having no need to pay the ransom. Regularly backing up your files externally can stand you in great stead should a hacker encrypt files on your main drive
- Protect your personal information. Malicious groups often use personal information – including passwords, answers to security questions and date of birth – to gain access to accounts. Make sure everyone in your organisation follows protocol on protecting their personal information, including senior management, who may be targeted by whaling campaigns (a type of phishing attack)
- Consider cyber security training. Reduce the likelihood of falling prey to a phishing attack by training your employees in cyber security and awareness. The Hiscox CyberClear Academy provides complimentary training with every cyber insurance package.
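As an added illustration of the backup advice above (this is not code from the original article or from Hiscox), the following Python script builds a small constructed backup in a temporary directory, records a SHA-256 manifest of every file, then simulates what a ransomware run does to the copy (one file overwritten with ciphertext-like bytes, one deleted, a note dropped) and checks the copy against the manifest before any restore. File names and contents are constructed. The manifest is held in memory rather than written beside the files, because a manifest stored on the same medium as the backup can be tampered with along with it.

```python
"""Verify a file backup against a known-good SHA-256 manifest (added example).

The manifest is taken when the backup is made and kept away from the backup
medium; before restoring, every file is re-hashed and anything modified,
missing or unexpected is reported instead of restored.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_files(root: Path):
    """Regular files under root, as POSIX-style paths relative to root, sorted."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 digest for every file in the backup."""
    return {rel: hash_file(root / rel) for rel in backup_files(root)}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup on disk with the manifest taken earlier."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)          # deleted since the manifest was taken
        elif hash_file(path) != expected:
            report["modified"].append(rel)         # content changed, e.g. encrypted in place
        else:
            report["ok"].append(rel)
    # Files present now that were never in the manifest (dropped notes, planted binaries)
    report["unexpected"] = [rel for rel in backup_files(root) if rel not in manifest]
    return report


def demo() -> dict:
    """Constructed scenario: take a manifest, tamper with the copy, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "contract.txt").write_text("countersigned copy, 12 March\n")
        (root / "docs" / "invoice.txt").write_text("invoice 0042, total 1200\n")
        (root / "notes.txt").write_text("board meeting notes\n")
        manifest = build_manifest(root)   # in a real setup this is stored off the backup medium

        # Simulated damage after the manifest was taken (constructed, not real malware output)
        (root / "docs" / "invoice.txt").write_bytes(bytes(range(0x80, 0x100)))  # ciphertext-like overwrite
        (root / "notes.txt").unlink()                                            # file deleted
        (root / "README_RESTORE.txt").write_text("your files are encrypted\n")   # dropped note

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```

Only files in the "ok" list should be restored; a non-empty "modified" or "unexpected" list means the backup itself was reachable from the compromised environment and should be treated as untrusted until checked, which is the point of keeping backups disconnected or immutable.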
What if I get a ransomware email?
What does it mean if you receive a ransomware email – and what should you do? If the worst should happen and you were to discover your systems had been compromised, it’s important to stay calm and avoid making rash decisions.
Receiving such a message usually means your systems have already been compromised, but the following steps can help you to minimise the damage.
If you get a ransomware alert:
1. Contact your insurer
Contact your cyber insurance provider to inform them of the ransomware attack. Depending on your policy, your insurer may cover the cost of ransom payments and system recovery, as well as indirect costs, such as those related to reputation management.
2. Establish the type of attack
Determine whether you have been hit by crypto ransomware, exfiltration ransomware, double extortion ransomware or locker ransomware. The distinction is important, since locker-style attacks which don’t encrypt your files are often easier to resolve. The best ways to prevent the worst effects of ransomware depend on how you’ve been targeted.
If you can’t get past the ransom note pop-up on your screen, it’s likely locker ransomware. If you can browse your computer but can’t open files, you’ve probably been struck by encrypting malware.
3. Disconnect your device
Disconnect your machine from the network and unplug any other devices or external drives. This can help to restrict the impact of a ransomware infection.
4. Collect evidence
Take a picture of the ransomware note with details of the ransom’s value and payment instructions. You’ll need this information to pass to the relevant authorities.
5. Attempt data recovery
Investigate the type of ransomware you’ve been hit with. In some cases, it’s possible to recover your data using recovery and decryption software. You can access this through your IT department or a trusted cybersecurity firm.
6. File a police report
They might not be able to help just yet, but you’ll need evidence of reporting the incident to file an insurance claim or lawsuit.
Further ransomware attack tips from the National Cyber Security Centre
The UK’s dedicated cyber security agency has a few tips to prevent the worst impacts of ransomware threats.
According to the NCSC, if you face a ransomware attack, you should:
- Consider turning off Wi-Fi and disabling core network connections to help stop the malware spreading
- Reset passwords, especially for administrator accounts – but be careful to avoid locking yourself out in the process
- Wipe infected devices and reinstall the operating system software from a clean network
- Check all devices and backups are malware-free before you reinstall data
- Run antivirus software, then reconnect to your network
- Keep a sharp eye on your network by running antivirus scans in the coming days.
Source: WannaCry cyber-attack cost the NHS £92m after 19,000 appointments were cancelled, UK Healthcare News (nationalhealthexecutive.com)