All about ransomware: targets, attack methods and prevention
The number of ransomware attacks has multiplied in recent years, and the trend is still rising. For companies as well as MSSPs, system houses and IT service providers, prevention and defence against ransomware attacks have top priority in their IT security strategy.
How does ransomware work, and what do you have to consider in order to protect yourself against it? We provide an overview of the answers to the most frequently asked questions.
What is a ransomware attack?
The purpose of a ransomware attack is to digitally extort money from victims. The target can be a private individual with only one end device or a company with an extensive network infrastructure.
The extortion software is introduced into the victim's system, where it encrypts the data stored there or blocks access to essential systems. A ransom is then demanded, in return for which the victims are supposed to regain access to the hijacked data and system components. The payment has to be made in a cryptocurrency so that the criminals leave no traces.
Why do cybercriminals use ransomware?
For cybercriminals, a ransomware attack is a powerful lever, because the victims have very little means of countering it. Decrypting data that has been encrypted by ransomware is possible only to a very limited extent and is rarely successful.
The victims are therefore under enormous pressure. If they are unprepared for a ransomware attack, it means losses and high costs for them. The attackers are aware of this, which is why they set the amount of the ransom comparatively low.
Since payment initially seems like the easiest solution, the victims' willingness to pay it – and thus the criminals' chances of success – is very high. Whether the victims really regain access to their data, however, is not guaranteed.
The advantages of ransomware attacks for criminals are obvious:
Digitisation and networking offer a growing pool of targets for attack
The costs for creating and distributing the software are low
High success rate even with broad-based ransomware campaigns
Ransom payments cannot be processed in a traceable manner
In the majority of cases, ransomware attacks are mass-produced goods for criminals. They make their profit from the sum of small ransom amounts from successful attacks.
What damage is caused by ransomware attacks?
Ransomware is extremely feared because a successful attack can cause massive damage on various levels. The immediate consequences of a successful attack are obvious:
Irreplaceable loss of company data
Business interruption and loss of revenue due to blocked critical IT systems
Costs for restoring or re-setting up IT systems
Depending on the case, there may be additional consequences:
Legal consequences, up to and including penalties, in the event of loss of sensitive customer data
Media attention and negative headlines
Damaged corporate image and loss of trust among customers
Why is ransomware a persistently severe threat?
Among cybercriminals, ransomware is an extremely lucrative business model. In order to make more profit from it, they have improved it in recent years and organised their capacities efficiently. This has given rise to a criminal market with specialised services that is experiencing sustained growth and whose development is worrying:
Low prices: The cost of a ransomware campaign has fallen due to mass availability. Distribution is possible with amounts as low as a few hundred euros.
Ransomware-as-a-service: Work steps for ransomware attacks are available as a service. Developers rent their software to "affiliates" who carry out the campaigns. They share the extortion money generated. Other service providers offer rentable botnets for the automated distribution of malware via emails.
Easy recruitment of newcomers: Powerful attack tools can simply be bought in, which means a low barrier to entry into this type of crime.
The ransomware scene is therefore highly competitive. Its players are under pressure to constantly improve their services in order to be able to make profits in the future. Due to this progressive professionalisation, ransomware will continue to be a serious attack vector for companies in the future.
How does one become a victim of ransomware?
It is the exception rather than the rule for a single company to be specifically targeted by a ransomware attack. As a rule, these are mass campaigns that are spread in various ways:
Phishing emails and social engineering
Social engineering exploits typical human emotions, such as curiosity, helpfulness, fear, insecurity, boredom or shame, in the hope that the emotional response will impair the victims' judgement. Cybercriminals try to appeal to the victims' feelings in the email text – for example, by sending them supposed job applications – in order to trigger a desired action immediately.
If the recipients fall for the email bait and click on the link provided or open the prepared email attachment, the attackers have succeeded. The malware (payload) is downloaded, and the ransomware can spread through the system from the end device.
Drive-by downloads and malvertising
For drive-by infections, cybercriminals compromise the websites of reputable providers. Simply visiting the website causes the ransomware injected there to be downloaded and executed in the background. Malvertising works similarly: criminals place a malicious digital advertisement, and all that is needed to execute the malicious code is either a click on the ad or a visit to the website on which it is placed.
In order to act effectively and increase the chances of success of their ransomware campaigns, cybercriminals are increasingly using exploit kits. Exploits are pieces of code that take advantage of vulnerabilities in firmware and software for malicious purposes. Exploit kits, distributed via phishing, drive-by downloads or malvertising, are programmes that automatically probe a system for a multitude of known vulnerabilities.
Once they have discovered one or more of the vulnerabilities they are looking for, they download the malware. The purpose of exploiting vulnerabilities is to allow cybercriminals to gain widespread access to the IT system as quickly as possible and to avoid early detection by antivirus software.
How do you protect yourself from ransomware?
Vulnerabilities in IT systems can determine whether one falls victim to ransomware or not. For companies as well as IT service providers, MSPs, MSSPs and system houses, the best prevention is to increase the resilience of IT systems. This requires them to take action on several levels:
Prepare for an emergency
Developing recovery plans can significantly reduce the impact even in the event of a successful attack. As the last line of defence in an emergency, contingency plans should cover the following areas:
Measures to contain the spread and protect systems not yet affected
How should back-ups be carried out and secured to ensure that they are quickly available in the event of an emergency?
Under what conditions does a recovery make sense, and how should it proceed?
How do you save traces for later forensic analysis?
Careful cyber hygiene
In everyday IT life, it is important to design the circumstances and processes of the IT system in such a way that the attack surface for ransomware remains as small as possible. Best practices in prevention include:
Segmented and isolated network topologies
Use of a network detection and response (NDR) solution
Regular back-ups
Immediate application of available updates to all system components
Renewal of software and hardware with expired security support
Systematic patch and vulnerability management
Access control management
Two-factor authentication for cloud and web services
Disabling unnecessary maintenance connections
Allow-listing of applications
Regular IT security training
Is the ransomware protection sufficient? Lywand checks!
The ongoing professionalisation of cybercrime means that attack vectors are becoming increasingly specialised. Vulnerabilities that currently seem of little relevance for IT security can soon be exploited.
Maintaining an overview and being able to assess the extent to which security measures against ransomware are sufficient is becoming increasingly difficult. Lywand supports companies, IT service providers, MSPs, MSSPs and system houses in reliably auditing IT environments.
Lywand's security audit platform has a separate rating category for ransomware protection. The rating scale of A-F shows at a glance how susceptible the IT environment is to a ransomware attack.
New category ransomware
For this purpose, technical properties are checked automatically: whether installed software and antivirus protection are up to date, the state of the firewall, web traffic and email security, and macro security.
Non-technical requirements, such as back-up routines and security awareness, are collected via questionnaires and are included in the assessment.
From this, the platform develops an individual catalogue of measures with which the IT security situation can be improved and the protection against ransomware attacks can be increased.
Want to know more?
In a demo session, we will give you a live tour of the Lywand security audit platform. We will show you the most important features and discuss with you which application scenarios are relevant for you and how you can benefit most from Lywand.