Ransomware attacks are utterly terrifying. And now ransomware is more common than ever before.
Back in the 2000s when I worked in remote tech support, consumers were the primary ransomware target. In a typical shift, I and my coworkers would regularly receive phone calls from panicked Windows home users:
“There’s this message on my screen that says I have to give them my credit card number to charge $200, or I'll never see my files ever again!”
Cryptocurrency such as Bitcoin didn’t exist yet, so cybercriminals would typically demand Visa or MasterCard payment. We’d plead with our customers over the phone:
“No! Don’t give them your credit card number! We can help you!”
As the years went on, ransomware attacks evolved to be more sophisticated and frequent. Consumers are still hit by ransomware sometimes. But these days, businesses are the primary target of ransomware cybercriminals. A ransomware attack to your business can be completely devastating, destroying your data, grinding your operations to a halt, and possibly costing your company millions of dollars. I’ll explain what you need to know in order to protect your organization.
Ransomware is a very destructive type of malware, software that’s designed to do harm. If ransomware infects your company’s computers and computer networks, it will encrypt your crucial, sensitive data with an encryption key your business won’t have access to. You won’t be able to use your data, it will be held hostage. A ransom note will appear on your screen as a text file, webpage, window, or in some other form. Cybercriminals will make sure you can read it. They will demand a lot of money in order to decrypt your data and get your files back. Sometimes cybercriminals will lie about giving you your data back if you pay the ransom.
Cryptocurrency has existed since 2009, and cryptocurrency transactions are much more difficult for law enforcement to trace than credit card, debit card, or payment service (PayPal, Stripe, Venmo, etc.) transactions. So cryptocurrencies such as Bitcoin, Monero, or Ethereum are now their payment method of choice.
PurpleSec’s 2021 Trends report reveals some devastating data about how ransomware is impacting businesses worldwide:
The estimated global cost of ransomware skyrocketed in the past few years, from $8 billion USD in 2018 to $20 billion USD in 2020.
Ransoms can cost anywhere from thousands to millions of dollars. But sometimes company network downtime is the greatest ransomware expense. The average downtime cost from ransomware per business was $46,800 USD in 2018. But the average downtime cost in 2020 was $283,000 USD.
The individual ransom of 1,400 clinics, hospitals, and other healthcare organizations in the United States varied from $1,600 to $14 million USD per attack.
Ransomware is now a greater threat to businesses worldwide than it has ever been before. But ransomware has been around a lot longer than many people assume.
From Becker’s Hospital Review:
“In 1989, Joseph Popp, PhD, an AIDS researcher, distributed 20,000 floppy disks to fellow AIDS researchers in 90 countries, saying the disks contained a computer-based application that gauges a person's risk of contracting AIDS based on a questionnaire. However, Dr. Popp had infected the disks with malware with what became known as the digital version of the AIDS virus, according to a report from cybersecurity company Palo Alto Networks.
The malware at first lay dormant in the computer. It was activated after the computer was turned on 90 times, displaying a ransom note on the screen demanding between $189 and $378 for a ‘software lease,’ according to the report.
While Dr. Popp's ransomware attack now appears rudimentary (retrospective analysis indicates the malware had many flaws), it created the foundation for the more sophisticated attacks that occur today.”
Before internet use started to become common in the 1990s, removable media such as floppy disks were the most common means of malware distribution. Since then, most malware, ransomware included, comes from the internet.
From the dawn of ransomware to 2021, there have been thousands and thousands of varieties of ransomware, targeting Windows, Mac, Linux servers, and mobile devices. But three major strains of ransomware have come to define the evolution of ransomware attacks; CryptoLocker, WannaCry, and REvil. Each major ransomware threat was more destructive than the last.
CryptoLocker ransomware first appeared online on September 5th, 2013 and infected over a quarter million Windows XP, Vista, and 7 PCs by the end of the year. Also by the end of 2013, consumers and businesses collectively paid about $27 million USD worth of Bitcoin to CryptoLocker’s cyber attackers. CryptoLocker continued its massive global spread until June 2nd, 2014, when a coordinated effort between the FBI, Interpol, and other law enforcement agencies managed to isolate CryptoLocker and shut down its botnet.
WannaCry ransomware emerged in May 2017, and caused so much harm to businesses and institutions worldwide that it made top mainstream news headlines. I was a cybersecurity journalist when it happened, and it was a very busy time for me. Thousands upon thousands of organizations of all sizes in multiple industries worldwide lost access to their data and incurred massive downtime expenses. One of the many major institutions that were impacted was the NHS, the UK’s public healthcare system. WannaCry exploited a Windows SMB vulnerability called EternalBlue, through the RDP protocol. In response, Microsoft developed a patch to mitigate this vulnerability. In an unprecedented move, they even released a patch for Windows XP, a client operating system they stopped supporting. By May 22nd, cybersecurity researcher Marcus Hutchins deployed a “killswitch” to stop WannaCry attacks worldwide. In the end, WannaCry was estimated to have affected more than 200,000 computers across 150 countries, costing possibly a collective billions of dollars worldwide in downtime, lost business, and ransom payments.
REvil is a cybercrime group that recently emerged, and ransomware is their favorite way to make money. Through the Dark Web, they let other cybercriminals distribute their ransomware, and all the bad guys involved get a share of the profits. It’s believed that REvil has existed since 2019. They first got attention by demanding a $42 million USD ransom from then US President Donald Trump. They went on to extort pop star Lady Gaga. Those are interesting targets!
The REvil group spread ransomware to enterprises worldwide from 2020 to 2021, and also threatened to breach very sensitive data. Their major victims include hardware manufacturer Acer, Apple’s sensitive research and development data, meat processor JBS S.A., and US power generator Invenergy. But July 2021 may have been REvil’s most destructive month ever. They struck thousands of businesses by infecting one Managed Service Provider. But interestingly enough, all signs of REvil’s operation vanished from the internet by July 13th. Will they ever come back? I think it’s a possibility.
Some of the conventional wisdom for preventing the harm from ransomware attacks is this:
Keep up-to-date antivirus all throughout your corporate network.
Implement more effective intrusion detection systems, firewalls, network logging, and SIEM (security information and event management) systems.
Backup as much of your company’s data as possible. Preferably in different locations, including on data storage drives that are isolated from your network most of the time.
Employee security awareness so people know when they are being targeted by phishing (entry point for most ransomware).
Deploy and monitor endpoint security detection systems.
But there are two new problems that businesses often encounter. Sometimes organizations cannot recover data from their backups quickly enough to resume their business operations. Also, newer strains of ransomware from 2019 to today, including but not limited to REvil, often threaten to breach sensitive corporate data if a ransom isn’t paid on time. Backups cannot prevent your data from being breached! Due to these reasons, companies have often made the difficult decision to pay the ransom anyway. That’s a sad reality because paying ransoms encourages the cybercrime market. But enterprises shouldn’t be shamed for paying ransoms because often it’s the only choice they have.
HTB Academy for Business has lots of courses that will teach your employees the various attack vectors and techniques that can open the door to ransomware attacks, so your business will be better prepared to prevent them. From OSINT (open source intelligence), to exploiting Windows Active Directory, to privilege escalation, we recommend exploring our diverse and interactive content. And we’re always adding new courses!