Understanding Ransomware, its Impact, and Prevention Techniques
Learn how ransomware works, why it’s a growing threat, and how to avoid it
In today’s business landscape, ransomware has emerged as one of the most pervasive and harmful cybersecurity threats. This particular attack is one of the most profitable tactics for cybercriminals, with a recent report from At-Bay finding that the average ransom demand in 2023 was $1.26 million. This article will delve into the intricacies of ransomware, its historical evolution, the impact it has on individuals and organizations, and, most importantly, effective prevention techniques.
What Is Ransomware?
Ransomware is a type of malicious software (malware) designed to block access to a computer system or encrypt its data until a ransom is paid. Unlike other forms of cyberattacks, ransomware directly targets companies by holding their most valuable data hostage. Ransomware sometimes involves data extortion, where cybercriminals threaten to publicly release or sell stolen data unless a ransom is paid.
How Ransomware Works
Ransomware can infect endpoints — any device that connects to a company’s network — through a variety of ways, including phishing emails, malicious email attachments, infected websites, software vulnerabilities, or social engineering.
Once the malware is installed, it scans the device for important files and documents and encrypts them, rendering them inaccessible. The attackers then display a ransom note on your screen informing your company that its systems and files are locked until a payment is made. This message usually includes instructions on how to pay the ransom, which is often demanded in cryptocurrency. Attackers also sometimes steal troves of sensitive data, a step referred to as exfiltration.
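The behaviour just described (documents rewritten as unreadable ciphertext, many of them in quick succession) is also what a defender can look for. The following is an added example, not code from the article or from At-Bay: a small behavioural heuristic that scores a stream of file-write events on two signals, near-maximal byte entropy of the written content and a burst of such writes inside a short window. The event stream, the thresholds, and the `_pseudo_ciphertext` helper (a hash chain standing in for encrypted output) are all constructed for illustration; a real EDR uses many more signals.

```python
"""Behavioural detection heuristic for ransomware-style mass encryption.

Added example, not code from the article or from At-Bay. Flags a burst of
high-entropy file rewrites, which is what mass encryption of documents looks
like from the filesystem's point of view. All events below are constructed
sample data, not a real capture.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class WriteEvent:
    ts: float      # seconds since monitoring started
    path: str      # file being (re)written
    data: bytes    # content written (an EDR sees this via a filesystem filter)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


HIGH_ENTROPY = 7.0       # bits/byte above which content looks encrypted (assumed threshold)
BURST_WINDOW = 10.0      # seconds (assumed)
BURST_THRESHOLD = 5      # high-entropy rewrites within the window before alerting (assumed)


def high_entropy_writes(events: List[WriteEvent]) -> List[WriteEvent]:
    """Keep only writes whose content looks encrypted."""
    return [e for e in events if shannon_entropy(e.data) >= HIGH_ENTROPY]


def detect_encryption_burst(events: List[WriteEvent], window: float = BURST_WINDOW,
                            threshold: int = BURST_THRESHOLD) -> bool:
    """True if at least `threshold` high-entropy writes fall inside any `window` seconds.

    Sliding window over the time-sorted suspicious writes. A single high-entropy
    write (a legitimate zip or image being saved) never trips it on its own.
    """
    sus = sorted(high_entropy_writes(events), key=lambda e: e.ts)
    start = 0
    for end in range(len(sus)):
        while sus[end].ts - sus[start].ts > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def _pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted output (a SHA-256 hash chain, not encryption)."""
    out, block = b"", seed.to_bytes(4, "big")
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


TEXT = b"Quarterly report: revenue up 4%, headcount flat, renew vendor contracts.\n" * 40

# Constructed benign activity: ordinary document saves plus one archive creation.
BENIGN_EVENTS = [WriteEvent(10.0 * i, f"docs/report{i}.docx", TEXT) for i in range(6)]
BENIGN_EVENTS.append(WriteEvent(70.0, "docs/archive.zip", _pseudo_ciphertext(99)))

# Constructed ransomware-like activity: a dozen documents rewritten as ciphertext in 3 seconds.
ATTACK_EVENTS = [WriteEvent(100.0 + 0.25 * i, f"docs/report{i}.docx.locked", _pseudo_ciphertext(i))
                 for i in range(12)]

if __name__ == "__main__":
    print("benign stream flagged:", detect_encryption_burst(BENIGN_EVENTS))
    print("attack stream flagged:", detect_encryption_burst(ATTACK_EVENTS))
```

The burst requirement is what keeps the false-positive rate tolerable: compressing a folder or saving a photo produces one high-entropy write, while encryption of a document tree produces hundreds in seconds. When the heuristic fires, the response the article describes later (isolate the host from the network) is the right first move.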
Are Ransomware Threats Growing?
Ransomware is unfortunately on the rise, as cybercriminals are constantly developing methods to target individuals and organizations alike. Ransomware didn’t just grow in the United States in 2023, it evolved, with the frequency of ransomware claims jumping 64% when compared to 2022. The potential financial rewards for attackers make ransomware a very lucrative business, and companies’ increased reliance on technology, data, and the internet makes them more vulnerable to these attacks.
Examples of Recent Ransomware Attacks
Unfortunately, there are thousands of successful attacks to share as examples. Here are two that illustrate the sky-high risk of ransomware:
Attack on CNA Financial Exposes Personal Information of 75,000 People
One of America’s biggest insurance companies paid a $40 million ransom — currently the largest ever — to resolve a ransomware attack in 2021 after attackers stole troves of sensitive data and blocked access to company networks.
Despite calling in both law enforcement and security experts, CNA Financial saw no alternative and began negotiating with the attackers about a week after the attack in order to obtain the decryption key. This and so many other examples highlight the deep financial damage of ransomware and the intense pressure on businesses to pay the ransom.
City of Atlanta Spent $2.6M to Recover From Ransomware Attack
When threat actors demanded a $51,000 ransom payment (in Bitcoin) from the city of Atlanta in 2018, government officials refused to pay. They decided it was better to spend money on recovering the city’s computer systems from an attack than to pay ransom. In order to restore the stolen data and get critical systems back online, the city spent over $2.6 million on consultants and emergency services.
That still wasn’t enough to fix things — decades of digital records were lost forever. Ransom payments are expensive and keep growing, but as Atlanta shows, they are not the only or even the largest expense associated with a ransomware attack.
Are There Different Types of Ransomware?
There are many different ransomware variants because cybercriminals continuously evolve their tactics to stay ahead of cybersecurity measures and maximize their profits. By developing new variants, they can exploit previously unknown vulnerabilities, bypass existing security protocols, and evade security software.
This constant evolution also helps attackers tailor attacks to specific targets, industries, or regions, increasing the likelihood of success. Additionally, different variants can employ varied techniques, such as encryption, exfiltration, or a combination of the two, to coerce victims into paying the ransom. The proliferation of Ransomware-as-a-Service has also contributed to ransomware’s growth, as it enables cybercriminals with varying levels of technical expertise to create and distribute customized ransomware through a commercialized model.
What is Ransomware-as-a-Service?
Ransomware-as-a-Service (RaaS) is a business model where cybercriminals provide ransomware tools and services to other malicious actors, known as affiliates, for a share of the profits. Much like legitimate Software-as-a-Service (SaaS) platforms, RaaS operations offer simplified interfaces and support, making it easy for individuals with little technical expertise to launch ransomware attacks.
These services often include the ransomware malware, distribution methods, payment processing, and even victim negotiation support. By lowering the barrier to entry, RaaS significantly increases the number of potential ransomware attackers, leading to a proliferation of ransomware incidents. This model has expedited the spread of ransomware by enabling customized attacks, disrupting businesses of all sizes across various industries.
How Can Ransomware Impact a Business?
Ransomware attacks have far-reaching consequences that extend beyond the immediate loss of access to critical data. The financial, operational, and reputational impacts can significantly disrupt an organization’s ability to function and maintain trust with its stakeholders.
Financial Losses
The financial impact of ransomware can be devastating. Ransom payments can range from a few hundred thousand to tens of millions of dollars. Businesses also suffer from significant downtime and data loss, which can cripple operations and lead to further monetary losses. There will also be money needed to resume operations, with incident response experts brought in to rebuild systems, fix associated issues, and help businesses through the remediation process.
Operational Disruption
Businesses and government institutions are particularly vulnerable due to the urgent need for continuous operations. Ransomware attacks lead to operational disruptions, loss of productivity, and potential brand damage. This downtime can cripple productivity, causing delays in projects, missed deadlines, and failure to meet service-level agreements. The recovery process can be prolonged and costly, as IT teams work to restore systems, verify data integrity, and implement stronger security measures to prevent future incidents.
Reputational Impact
When an organization’s data is compromised, it can erode trust among clients, customers, and partners who may view the incident as a failure to safeguard sensitive information. Negative media coverage and public outcry can make the situation worse, casting a long shadow over a business’s credibility and market position. The perception of poor security practices can also lead to loss of future business opportunities and customer attrition, as customers or partners may prefer to work with organizations known for being more secure.
What Types of Businesses Are Targeted By Ransomware?
Ransomware groups often target a wide range of businesses, with a particular focus on those that rely heavily on access to critical and sensitive data for their daily operations.
- Healthcare organizations are frequent targets due to the high value of patient data and the operational urgency to restore access, making them more likely to pay ransoms quickly.
- Financial institutions, which handle vast amounts of sensitive financial data and transactions, are also prime targets due to the potential for significant financial gain.
- Educational institutions, from K-12 schools to universities, store a plethora of personal and academic data, making them attractive targets as well.
- Government agencies, including local municipalities and state departments, have been increasingly targeted because people’s dependency on their services pressures them to recover swiftly from disruptions.
- Small and medium-sized businesses are not immune either, as they often have fewer security resources, making them easier targets for cybercriminals.
In essence, any business with sensitive data, critical operations, and lack of access to robust cybersecurity defenses is at risk of a ransomware attack.
Does Ransomware Impact Different Operating Systems?
Yes, ransomware can impact different operating systems. While ransomware has historically targeted Microsoft Windows predominantly, due to its widespread use and vulnerabilities, other operating systems such as macOS and Linux, and even mobile platforms like Android and iOS, are not immune. Cybercriminals adapt their ransomware code to exploit specific weaknesses in each operating system.
How to Prevent Ransomware Attacks
Organizations can significantly reduce their risk and mitigate the consequences of a ransomware attack through diligent preventive measures.
Keep Software up to Date
This includes your operating system, security software, and web browser. Updates often contain security patches to address vulnerabilities exploited by ransomware.
At-Bay’s Active Risk Monitoring helps companies do this by pushing alerts when our experts are aware of a vulnerability. It has led to policyholders patching 2X faster than the general population.
Deploy Multi-Factor Authentication (MFA)
If deployed correctly, with sufficient environment saturation across business accounts, MFA is extremely effective and efficient in reducing the likelihood of a ransomware attack.
Beware of Phishing Attempts
Phishing emails try to trick you into revealing personal information or clicking on malicious links. Be skeptical of emails that call for immediate action or create a sense of urgency.
One of the best ways to guard against phishing is by using a Secure Email Gateway (SEG). An SEG is able to strike the balance between protecting inboxes from malicious content and ensuring all legitimate emails still get delivered, while also constantly evolving to keep up with threat actors.
Back up Company Data and Test Backups Regularly
Having a recent backup of your important files allows for restoration in case of a ransomware attack, as long as that backup is regularly tested to ensure it will work when you need it. Consider cloud storage or external hard drives for data backups.
At-Bay’s research found that backups can help reduce the severity of claims — both in terms of the cost of a claim and any downtime the business suffers. Effective backups decreased the severity of a ransomware claim by 41%.
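A backup you have never restored from is an assumption, not a control. The following is an added example, not code from the article or from At-Bay, of the "test backups regularly" advice above and of the later instruction to confirm backups are unaffected before restoring: it records a SHA-256 manifest of the live data when the backup is taken, then checks a restored copy against that manifest and reports files that are missing or whose content no longer matches. The directory layout, file contents and the two injected failures are constructed sample data.

```python
"""Backup integrity manifest and restore drill.

Added example, not code from the article or from At-Bay. A manifest of file
digests is taken at backup time; a restore drill later verifies the restored
tree against it. Directory contents below are constructed sample data.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's relative POSIX path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest taken at backup time."""
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "mismatched": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            result["missing"].append(rel)        # file never made it into the backup set
        elif sha256_file(p) != digest:
            result["mismatched"].append(rel)     # content differs from what was backed up
        else:
            result["ok"].append(rel)
    return result


def run_restore_drill() -> Dict[str, List[str]]:
    """End-to-end drill: snapshot live data, 'restore' it, then inject two realistic failures."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "finance" / "plan.txt").write_text("budget plan")
        (live / "notes.txt").write_text("meeting notes")
        manifest = build_manifest(live)          # taken when the backup is made

        restored = Path(tmp) / "restored"
        shutil.copytree(live, restored)          # stands in for the restore job
        # Constructed failures: one file silently altered, one absent from the set.
        (restored / "finance" / "ledger.csv").write_text("id,amount\n1,999\n")
        (restored / "notes.txt").unlink()
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in run_restore_drill().items():
        print(f"{status}: {files}")
```

Anything in `missing` or `mismatched` means the drill failed and the backup cannot be trusted for recovery. Store the manifest with the offline or immutable copy rather than next to the live data, so that ransomware reaching the file server cannot rewrite the data and the manifest together.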
Use a Reputable Endpoint Detection and Response Tool
Endpoint Detection and Response (EDR) software can help detect and block ransomware before it infects your device. For businesses that do not have an in-house team to manage and maintain that software, Managed Detection and Response (MDR) services provide a stellar option for thwarting ransomware.
MDR services help businesses stay secure and reduce cyber risk at a fraction of the cost and hassle of hiring an in-house team. And, we know it works. At-Bay data shows that over 50% of cyber insurance claims in the past two years could have been mitigated by an MDR solution.
It’s critical that an EDR solution is up to date, deployed with 100% saturation, and managed either by someone in your organization with expertise or by an MDR provider. If your EDR solution is not updated, it won’t be able to fight off a modern attack. If it’s not deployed across 100% of the environment, there are holes through which a threat actor can enter and steal critical data under the radar. An MDR service can monitor an EDR tool around the clock, allowing the provider to isolate affected systems and network segments to prevent a threat actor from gaining entry.
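Both the MFA advice above ("sufficient environment saturation") and the EDR advice here ("100% saturation", "up to date") reduce to the same check: compare an authoritative inventory against what the control actually reports. The following is an added example, not code from the article or from At-Bay, that computes three gap types from such a comparison: assets or accounts with no agent or enrolment at all, agents that have stopped checking in, and agents below a minimum version. The inventories, records, version numbers, and the seven- and thirty-day staleness limits are all constructed sample data.

```python
"""Coverage ("saturation") check for security controls such as EDR and MFA.

Added example, not code from the article or from At-Bay. Compares a required
inventory against the records a control reports and flags missing, stale and
outdated entries. All inventories and records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ControlRecord:
    name: str             # hostname (EDR) or account name (MFA)
    last_seen: datetime   # last agent check-in, or last successful MFA challenge
    version: str = ""     # agent version; empty when the control has none


def parse_version(v: str) -> tuple:
    """'7.3.1' -> (7, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def coverage_gaps(required: Iterable[str], records: Iterable[ControlRecord], now: datetime,
                  stale_after: timedelta = timedelta(days=7),
                  min_version: Optional[str] = None) -> Dict[str, object]:
    """Return saturation percentage plus the names behind each kind of gap."""
    wanted = sorted({r.lower() for r in required})          # names compared case-insensitively
    by_name = {r.name.lower(): r for r in records}
    missing: List[str] = []
    stale: List[str] = []
    outdated: List[str] = []
    for name in wanted:
        rec = by_name.get(name)
        if rec is None:
            missing.append(name)                             # no agent / not enrolled at all
            continue
        if now - rec.last_seen > stale_after:
            stale.append(name)                               # present, but not reporting
        if min_version and parse_version(rec.version) < parse_version(min_version):
            outdated.append(name)                            # present, but cannot stop a modern attack
    covered = len(wanted) - len(missing)
    pct = round(100.0 * covered / len(wanted), 1) if wanted else 100.0
    return {"saturation_pct": pct, "missing": missing, "stale": stale, "outdated": outdated}


NOW = datetime(2024, 6, 1, 12, 0)   # fixed clock so the report is reproducible


def edr_report() -> Dict[str, object]:
    """Constructed asset inventory vs. constructed EDR agent check-ins."""
    inventory = ["fs01", "db01", "web02", "hr-laptop-14", "ceo-laptop"]
    agents = [
        ControlRecord("fs01", NOW - timedelta(hours=1), "7.3.1"),
        ControlRecord("db01", NOW - timedelta(days=1), "7.2.0"),
        ControlRecord("WEB02", NOW - timedelta(hours=2), "6.9.0"),       # old agent
        ControlRecord("hr-laptop-14", NOW - timedelta(days=30), "7.3.1"),  # silent for a month
    ]
    return coverage_gaps(inventory, agents, NOW, min_version="7.2.0")


def mfa_report() -> Dict[str, object]:
    """Constructed account list vs. constructed MFA enrolment records (no version concept)."""
    accounts = ["alice", "bob", "svc-backup", "vpn-admin"]
    enrolments = [
        ControlRecord("alice", NOW - timedelta(days=1)),
        ControlRecord("bob", NOW - timedelta(days=45)),      # enrolled but never challenged lately
        ControlRecord("vpn-admin", NOW - timedelta(hours=3)),
    ]
    return coverage_gaps(accounts, enrolments, NOW, stale_after=timedelta(days=30))


if __name__ == "__main__":
    for label, report in (("EDR", edr_report()), ("MFA", mfa_report())):
        print(label, report)
```

The inventory side must come from a source the control does not own (a CMDB, the hypervisor, the identity provider's full user list); asking the EDR console how many agents it has only tells you about hosts that already have one. A host in `missing` is exactly the hole the paragraph above warns about, and a host in `stale` is usually a machine whose agent was disabled or that has been off the network for a while, both worth a ticket.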
Invest in Cyber Insurance
Cyber insurance provides a financial safety net that can help cover the costs associated with a ransomware attack, including ransom payments, recovery efforts, and legal fees. Additionally, having a policy often grants access to expert resources and support services, which can enhance your organization’s resilience and response capabilities if an attack does occur.
At-Bay takes this a step further by providing InsurSec, which includes industry-leading prevention and detection technology, the expertise of cyber professionals, and the backing of an insurance company, to protect businesses from ransomware in a way that neither of these solutions could do alone.
What Should I Do If I’m Hit With Ransomware?
If you are hit by ransomware, it is crucial to take immediate and strategic action to mitigate damage and begin the recovery process. That said, the steps you take depend on whether or not you have an EDR solution in place.
Here’s how to react depending on whether you do or don’t have EDR in place.
With an EDR Solution
A properly configured and managed EDR tool can prevent the spread of ransomware if your system is targeted. For an EDR (or MDR) service to be effective at stopping ransomware aimed at your environment, it must be deployed with 100% saturation, up to date, and managed by someone with expertise, either internally or by an MDR provider. If this is the case, no further action is required when your business is targeted by ransomware.
Without an EDR Solution
If you don’t have a managed, up-to-date, properly deployed EDR service, you face significantly higher risk of damage from ransomware attacks. Here are the steps to follow in the case of a ransomware attack:
- Isolate your systems and seek professional help: Notify your IT or security team. Immediately disconnect the infected device from the network to prevent the spread of the ransomware infection. Then call your insurance company, as they can guide you to a team that specializes in expert guidance and assistance in safely restoring your systems after an attack.
- Document everything: Keep a detailed record of the attack, including the ransom note, any communications with the attackers, and steps taken for recovery. This information is valuable for investigations, data breach notifications, and improving your cybersecurity defenses.
With the help of professional services like a defensive vendor, claims counsel, and breach counsel, these are additional steps you can take at their direction to help recover from an incident after the two steps above. Do not take these steps unless at the direction of DFIR or claims professionals:
- Restore from clean backups: Use recent, clean backups to restore your data and systems. Ensure backups are unaffected by ransomware before proceeding.
- Identify and report: Identify the ransomware variant to find potential decryption tools and report the attack to law enforcement and relevant cybersecurity authorities.
- Strengthen security: Thoroughly clean your systems, remove any remnant malware, and enhance your security measures to prevent future attacks, including updating software and improving backup routines.
Be Proactive Against Ransomware
Understanding ransomware, staying informed about evolving threats, and implementing a robust cybersecurity strategy can safeguard your valuable data and minimize the threat of falling victim to a ransomware attack. For smaller businesses, partnering with an InsurSec provider like At-Bay can combat cyber risk without diminishing budget or overextending employees. With the right tools, insights, and some expert assistance, businesses can avoid ransomware attacks and stay running smoothly — and securely.
See how At-Bay Stance™ MDR, provided by At-Bay Security*, combines sophisticated endpoint protection with 24×7 expert monitoring to help businesses gain visibility and peace of mind against ransomware.
All statements for At-Bay, Inc. companies.
*At-Bay Security, LLC is a wholly owned subsidiary of At-Bay, Inc., providing cybersecurity services including MDR and incident response. At-Bay Security, LLC does not provide insurance services.