Ransomware Attacks: Held Hostage by Code

Data is among the most valuable assets for companies, making it a prime target for malicious actors. Ransomware attacks that seize data and demand a price for its return have become a significant concern for businesses and individuals. According to the Verizon 2024 Data Breach Investigations Report, about one-third of all breaches involved ransomware or another extortion technique. Here’s everything you need to know about ransomware and how to prevent a successful attack. 

What Is Ransomware? 

Ransomware encrypts a victim’s files or locks them out of their system, demanding a ransom to restore access. These cyberthreats can disrupt operations, compromise sensitive data, and result in substantial financial losses—either in ransom payments or recovery costs. 

The Process of a Ransomware Attack

Ransomware attacks typically follow a series of steps: 

1. Infection: Cybercriminals deliver ransomware to the victim’s system through malicious email attachments, infected websites, or other phishing tactics. 
2. Execution: Once executed, the ransomware begins encrypting files on the victim’s system or locking them out entirely. 
3. Ransom Demand: After the systems are locked, the attacker will demand a ransom payment, promising to provide a decryption key to unlock the system. To ensure the attacker’s anonymity, they usually require that payments be made in cryptocurrency. 

Ransomware Types

There are several types of ransomware, each with its own debilitating characteristics: 

• Crypto-ransomware encrypts files on the victim’s system, making them inaccessible without a decryption key. 
• Locker Ransomware locks victims out of their entire system, preventing access to any files or applications. 
• Scareware uses fake threats and alarming messages to trick victims into paying a ransom, although no actual harm is done to the system. 
• Extortionware threatens to publish sensitive data if the ransom is not paid, putting victims’ reputations and privacy at risk.
• Wiper Malware destroys or deletes data entirely, often as a distraction while the attackers carry out other malicious activities.
• RaaS (Ransomware-as-a-Service) is a ransomware delivery model in which non-technical criminals rent access to a ransomware strain to carry out attacks. 

The Ransomware Ripple Effect

In 2023, Las Vegas MGM experienced a significant ransomware attack from the BlackCat ransomware group. The attack shut down several key systems within MGM’s infrastructure, causing widespread disruption throughout its resorts and casinos. Guests reported issues with room access, reservations, casino machines, and even basic services like payment processing throughout the MGM properties. Additionally, the breach potentially exposed the personal information of thousands of customers, heightening concerns about identity theft and financial fraud. Though MGM chose not to pay the ransom, the incident reportedly cost the company over $100 million to restore their systems.  

Recently, automotive SaaS provider CDK Global fell victim to a major ransomware attack orchestrated by the BlackSuit cybercrime gang. The attack compromised the company’s critical systems, leaving thousands of dealerships unable to carry out day-to-day operations and resorting to using paper and pen to complete some transactions. As a company serving over 15,000 dealerships and auto manufacturers, the impact stretched beyond CDK itself to its clients and their customers. Dealerships experienced significant downtime, leading to lost sales, disruptions to repair services, and customer dissatisfaction.  

Proactivity is the Best Prevention

Preventing ransomware attacks requires a proactive approach using various security measures. Here are some best practices: 

• Conduct Frequent Backups: Regularly back up important data to a cloud storage service. These backups should not be accessible on the same network, ensuring they won’t also be encrypted during a ransomware attack. 
• Monitor Endpoint Detection and Response (EDR) with a SIEM: Integrating EDR data into a SIEM enables organizations to gain a holistic view of their security posture. This integration helps correlate events from various sources, enhancing the ability to monitor, detect, and analyze patterns indicative of ransomware activity. A SIEM provides timely alerts that enable swift incident response and mitigation by identifying anomalies such as unusual file encryption processes or interactions with known malicious servers. 
• Train Employees: Conduct regular phishing awareness training to ensure employees recognize the signs of phishing and avoid clicking on suspicious links or attachments. Learn more about the signs of phishing. 
• Have a Plan: Develop and regularly update an incident response plan to address and mitigate ransomware attacks quickly. 

Safeguard Your Data

Ransomware is a pervasive and evolving threat that requires a proactive and multi-layered approach to prevention. Business leaders and IT professionals must stay informed about the latest trends and implement robust security measures to prevent cybercriminals from using data as a bargaining tool for ransom payments. 
To learn more about how you can best protect your data, reach out to our team.