Ransomware continues to grow in both frequency and scope of damage. By the end of 2019, global ransomware events are projected to cost $22,184 per minute. Even between Q1 and Q2, the average ransom payment increased 184%—from $12,762 in Q1 to $36,295 in Q2.
In addition to the staggering financial impact of ransomware in recent years, it’s also important to note that ransomware attacks are particularly common in specific industries and subsectors. For instance, Verizon’s 2019 Data Breach Investigations Report found that of the different kinds of malware that affect the healthcare industry, 85% of infections are ransomware. And according to cybersecurity provider IntSights, more than 25% of all malware attacks have hit banks and other financial firms—more than any other industry.
Because these industries handle information that is carefully regulated and highly valuable, it’s no wonder bad actors target them with ransomware attacks. Organizations that handle financially sensitive files or data governed by strict HIPAA laws have a vested interest in the security and privacy of the information they manage. Accordingly, ransomware attacks that encrypt these files or threaten to make them public pose a particularly debilitating—and increasingly common—threat to such public and private organizations.
One dimension of ransomware that makes it so common is that it’s easy for cybercriminals to lean on existing ransomware variants to execute their attacks. There are even opportunities for bad actors to use prefabricated ransomware software. This means cybercriminals ranging from amateurs to the most experienced often see ransomware as a low-risk, high-reward option. As one might expect, this has led to a digital environment rife with ransomware attacks—both sophisticated and simple.
How Does a Ransomware Attack Work?
While the specific attack vectors will differ depending on what vulnerabilities bad actors are trying to exploit, most ransomware shares the same goal: to deny users access to their files and extort payment from them for the (potentially false) promise of returning that access. At the most basic level, ransomware encrypts the victim’s files so they can no longer be opened normally. Decrypting them requires the cryptographic key, which only the attacker holds.
For those wondering how ransomware spreads, it relies on various modes of infiltrating networks and gaining access to sensitive files. Although each ransomware variant has its own methods, all ransomware relies on similar social engineering tactics to trick legitimate network users into unknowingly granting bad actors access.
Once this has happened, the ransomware will use whatever access has been granted to locate sensitive proprietary information and encrypt it. Users then receive some kind of alert warning them that access to their files has been blocked and directing them to a portal where they must pay—usually in cryptocurrency—for the files to be decrypted. Not all ransomware identifies itself as ransomware, however. Some attacks masquerade as government agencies, such as the Department of Justice, and claim that a user’s files have been locked for breaking the law and that a fine must be paid to regain access to them.
In the same vein, cybercriminals may attempt to extort victims using other forms of intimidation rather than demanding payment in return for restored access. For example, a specific variant of ransomware known as leakware or doxware involves bad actors infiltrating a user’s device, encrypting files, and then threatening to make that information public unless payment is received. Leakware can have particularly high stakes for image-conscious organizations or those that handle especially sensitive information, such as healthcare companies and government agencies.
While email is the most common way ransomware attacks are carried out, it’s not the only method. Ransomware software can be delivered via social media messaging platforms, untrustworthy domains, and drive-by-download attacks. Frighteningly, advanced cybercriminals have developed ransomware—such as NotPetya—that can infiltrate networks, exploit vulnerabilities, and access sensitive information without social engineering tricks that try to get users to grant access themselves.
Can You Remove Ransomware?
It’s possible to remove ransomware once it has affected your device, but how successful you’ll be depends on the kind of malware you’re dealing with. It’s also important to acknowledge that removing ransomware will not necessarily decrypt files that have already been encrypted. Instead, you’ll be restoring the device to an earlier, uninfected state, which means accepting that removal by itself will not give you back access to the files in question.
If you’re facing relatively basic ransomware, for example, you can attempt to neutralize the attack by booting your computer into safe mode and running antivirus software. If you’re up against ransomware that has locked your screen and barred you from starting other programs and applications, Windows users can try System Restore to return the device to an earlier state. Beyond that, you may be facing the prospect of a complete restore of the system, although most ransomware won’t require you to go quite this far.
After this, you can begin an inventory of your files. If you’re not seeing your usual icons and shortcuts, for example, the ransomware may simply have hidden them. You can check this by enabling the display of hidden items in File Explorer. If your files aren’t just hidden, there’s a good chance they have been encrypted. At this point, you should turn to previous backups, scan them for viruses and malware, and restore from them. There are also ransomware decryption tools on the market that may be able to unlock your files without paying the ransom.
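As an added example (not part of the original article), the following PowerShell script carries out the inventory described above on a Windows host: it lists hidden files under a folder, can clear the Hidden attribute on them, summarizes file extensions so that a large set of files renamed to one unfamiliar extension stands out, and checks whether Volume Shadow Copies still exist, since System Restore and the Previous Versions feature depend on them. The default folder path and the report-only default are assumptions of the example; run it from an elevated session after the machine has been isolated and scanned.

```powershell
# Added example, not from the original article: post-infection file triage on Windows.
# Default folder and the report-only behaviour are assumptions; adjust as needed.
param(
    # Folder to inventory (assumed default for the example).
    [string]$Path = "$env:USERPROFILE\Documents",
    # Clear the Hidden attribute on the files found; off by default (report only).
    [switch]$Unhide
)

# 1. Inventory hidden files. -Force makes Get-ChildItem include hidden and
#    system items that it normally skips.
$hidden = @(Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Hidden })

Write-Host ("Hidden files under {0}: {1}" -f $Path, $hidden.Count)
$hidden | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

if ($Unhide) {
    foreach ($f in $hidden) {
        # Every file here has Hidden set, so XOR clears only that flag and
        # leaves the other attributes (ReadOnly, Archive, ...) untouched.
        $f.Attributes = $f.Attributes -bxor [System.IO.FileAttributes]::Hidden
    }
    Write-Host ("Cleared the Hidden attribute on {0} file(s)." -f $hidden.Count)
}

# 2. Group all files by extension. Many files sharing one unfamiliar extension,
#    all modified in a short window, suggests they were encrypted, not hidden.
Write-Host "Most common extensions under $Path:"
Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    Group-Object Extension |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count |
    Format-Table -AutoSize

# 3. Check whether Volume Shadow Copies are still present. System Restore and
#    the Previous Versions tab in File Explorer rely on them.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -gt 0) {
    Write-Host ("{0} shadow copies present; System Restore / Previous Versions may be usable." -f $shadows.Count)
    $shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
} else {
    Write-Host "No shadow copies found; plan on restoring from an offline backup instead."
}
```

Run it first without -Unhide to see what is there; only once the scan is clean and the hidden files look like the user's own data does clearing the attribute make sense. The extension summary is a heuristic, not a verdict: compare it against what the folder normally contains.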
How Can You Defend Against Ransomware?
While it’s possible to remove ransomware once it’s already affected your computer, it’s better for users to know how to prevent ransomware from infiltrating devices in the first place. To do so, MSPs need to take a proactive approach to malware defense rather than solving crises only as they occur. By doing this, they can help themselves and their customers stay ahead of the most recent ransomware developments.
For example, it’s critical to keep operating systems and other important software up to date with the most recent security patches. Doing so helps ensure devices and networks are not vulnerable to new types of malware. Users should also be careful about which programs they grant administrative access, since limiting those privileges closes off potential attack vectors. Similarly, you and your customers should be backing up files as frequently as possible. This puts you in a better position if you do face an attack, allowing you to preserve your files without having to pay the ransom.
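To turn the three controls above into something a technician can check routinely, here is an added example (not part of the original article or of any SolarWinds product) of a PowerShell hygiene check for a managed Windows host: it reports the age of the newest installed update, lists who holds local administrator rights, and verifies that the most recent backup file is fresh. The age thresholds, the admin-count threshold and the backup folder path are assumptions of the example; Get-LocalGroupMember requires Windows PowerShell 5.1 on Windows 10 / Server 2016 or later.

```powershell
# Added example, not from the original article: patch, admin and backup hygiene check.
# Thresholds and the backup path are assumptions; set them to the customer's policy.
param(
    [int]$MaxPatchAgeDays  = 30,      # assumed: newest update must be younger than this
    [int]$MaxBackupAgeDays = 1,       # assumed: newest backup must be younger than this
    [int]$MaxAdmins        = 2,       # assumed: more local admins than this gets flagged
    [string]$BackupPath    = "D:\Backups"   # assumed location of backup archives
)

$findings = @()
$now = Get-Date

# 1. Patch level: the newest installed hotfix should be recent.
$latestFix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latestFix) {
    $findings += "No installed hotfixes reported; verify Windows Update is working."
} elseif (($now - $latestFix.InstalledOn) -gt (New-TimeSpan -Days $MaxPatchAgeDays)) {
    $findings += ("Newest update {0} was installed {1:d}, older than {2} days." -f
        $latestFix.HotFixID, $latestFix.InstalledOn, $MaxPatchAgeDays)
}

# 2. Local administrators: each member can disable protections or run an
#    installer, so the list should be short and every entry accounted for.
$admins = @(Get-LocalGroupMember -Group "Administrators")
Write-Host "Members of the local Administrators group:"
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
if ($admins.Count -gt $MaxAdmins) {
    $findings += ("Administrators group has {0} members; review whether each one needs the right." -f $admins.Count)
}

# 3. Backup freshness: the newest file in the backup folder should be recent.
if (Test-Path -Path $BackupPath) {
    $newest = Get-ChildItem -Path $BackupPath -File -Recurse -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    if (-not $newest) {
        $findings += "Backup folder $BackupPath contains no files."
    } elseif (($now - $newest.LastWriteTime) -gt (New-TimeSpan -Days $MaxBackupAgeDays)) {
        $findings += ("Newest backup {0} is from {1}, older than {2} day(s)." -f
            $newest.Name, $newest.LastWriteTime, $MaxBackupAgeDays)
    }
} else {
    $findings += "Backup folder $BackupPath was not found."
}

# Summary: an empty findings list means all three controls are within policy.
if ($findings.Count -eq 0) {
    Write-Host "No findings: patches, admin membership and backups are within policy."
} else {
    Write-Host "Findings:"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

A file's timestamp only proves a backup job wrote something; periodically restoring a file from the backup set is the check that it can actually be used when the ransom note appears.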
Beyond that, MSPs should invest in cybersecurity applications capable of protecting organizational devices and networks from the full range of digital threats. Ideally, the right software will be able to provide the kind of security monitoring you need to exercise visibility over your digital environment, detect threats as they occur, and connect you with the tools necessary to act.
With SolarWinds® Threat Monitor, MSPs can do just that. Threat Monitor leverages cloud technology to provide MSPs with powerful control over complex managed networks. Threat Monitor is a security information and event management (SIEM) tool that uses threat intelligence, network and host intrusion detection systems, and other monitoring tools to deliver better visibility across managed networks. And with centralized security monitoring, this near-comprehensive solution makes it possible to exercise this kind of control from a single central command.