How To Deal With A Ransomware Attack
This blog post was updated on November 14, 2024
It was originally published on March 1, 2020
Ransomware is a particularly dangerous type of malware designed to extort money by taking control of your data. Once this malicious software installs itself on your device, it encrypts files or restricts access to critical systems, holding them hostage until you pay a ransom. The attacker promises to send a decryption key or restore access—if you pay up before the deadline. Failure to pay within the set timeframe often means you lose access to your data permanently.
But paying the ransom is only a part of the cost. The true price of a ransomware attack can be staggering, especially when you consider the damage beyond the ransom itself:
Hiring cybersecurity specialists: Often, you'll need a cybersecurity lawyer and a ransomware recovery expert.
Forensic analysis: To understand how the breach occurred and how to prevent a repeat.
Operational downtime: Systems may be unusable for days or even weeks.
Data loss: Not all ransomware attacks allow for full data recovery.
Loss of productivity and reputation: Downtime and data loss can erode customer trust and disrupt workflow.
Small and medium-sized businesses are frequent targets, with ransomware ranking as the second most common type of malware they face. Given the massive financial and operational impact of an attack, ransomware prevention should be a top priority in any cybersecurity plan.
Knowing the enemy is key to mounting a strong defense. In the following sections, we introduce you to the four major types of ransomware:
1. Encrypting ransomware
Encrypting ransomware is the most infamous type of ransomware, and it operates exactly as the name suggests: it encrypts your data, making it unreadable. This type often infiltrates systems through a phishing email or by exploiting vulnerabilities in network security. Once installed, it scrambles your data using a unique encryption key known only to the attacker.
Victims are left with instructions on how to pay the ransom, typically in cryptocurrency like Bitcoin, to receive the decryption key. Payments range from hundreds to even millions of dollars, as seen in high-profile cases like the 2017 WannaCry attack, which affected over 200,000 computers worldwide.
2. Non-encrypting ransomware
Unlike encrypting ransomware, non-encrypting ransomware doesn’t alter your files—it simply blocks access to your device or specific applications. This type of ransomware often displays pop-ups or other images that hijack the screen, rendering the device unusable until you pay the ransom.
One infamous example is the FBI MoneyPak scam, where users saw a fake FBI warning on their screens, demanding payment to unlock their computers. Though less destructive than encrypting ransomware, non-encrypting ransomware can still disrupt operations, especially on mobile devices.
3. Leakware (or Doxware)
Leakware flips the typical ransomware script by threatening to release your sensitive data publicly if you don’t pay. Unlike traditional ransomware, leakware attackers don’t prevent you from accessing your files; instead, they steal sensitive information and use it as blackmail. Leakware is particularly devastating for businesses because it exposes confidential data, such as trade secrets, customer information, and financial records.
For example, in 2020, a ransomware group targeted a prominent law firm and threatened to release sensitive client data unless they paid a ransom. This incident highlighted the growing trend of data theft-based ransomware, which can lead to reputational harm, lost customers, and regulatory penalties.
4. Mobile ransomware
Ransomware isn’t limited to computers. Attackers have increasingly targeted mobile devices, especially those running Android, which allows installation from third-party sources. Mobile ransomware usually works as a locker type, blocking access to apps by displaying a pop-up that can’t be closed. In severe cases, it locks the entire device, requiring a ransom to regain control.
The Fusob ransomware, one of the most notorious Android ransomware strains, mimics law enforcement and demands a “fine” from victims to regain control of their devices. While iPhones are generally more secure, they are not entirely immune; attackers have found workarounds, such as hijacking Apple ID accounts to lock devices remotely.
Ransomware typically infiltrates systems through phishing emails, one of the most common and dangerous forms of cyberattacks. These emails are crafted to look as if they’re from trusted sources, like colleagues, popular service providers (e.g., Google Docs, Dropbox), or even your bank. Through social engineering, they prompt you to download an attachment or click a link. Once you do, the malware silently installs itself on your computer, ready to encrypt your files.
But phishing isn’t the only way ransomware can gain access. Ransomware can also be installed by:
Visiting infected websites: Some websites contain malicious ads or compromised links that trigger a ransomware download without your knowledge.
Downloading pirated media: Illegal downloads, such as movies or software, often hide ransomware or other types of malware.
Using untrustworthy browser extensions: These can introduce ransomware, especially if they come from unofficial sources.
Connecting infected disks or USB drives: An infected drive can spread ransomware across multiple devices.
Compromised web servers and network devices: In some cases, hackers exploit vulnerabilities in your network, such as unprotected routers or weak passwords, to deploy ransomware. Once they gain access to one device, they can use it as a gateway to your entire network.
In more severe attacks, hackers can exploit network vulnerabilities to deploy ransomware across multiple systems in an organization, potentially crippling operations. Businesses need to be especially vigilant, as a single point of vulnerability can compromise an entire network, making ransomware protection a priority.
While ransomware tactics have evolved, many of today’s attacks are based on earlier, notorious variants. Here’s a look at some high-profile ransomware cases:
Bad Rabbit (2017)
Bad Rabbit targeted organizations in Russia and Ukraine, notably spreading through fake Adobe Flash updates on compromised websites. Once downloaded, it encrypted files and demanded payment in Bitcoin for decryption. Bad Rabbit was notable for targeting critical infrastructure, including government agencies, causing widespread disruption in a matter of hours.
CryptoLocker (2013–2014)
CryptoLocker was one of the first ransomware strains to gain mainstream attention. It spread via email attachments disguised as legitimate files from trusted companies. Once activated, it encrypted specific types of files and displayed a ransom note demanding payment. Even if victims paid, there was no guarantee their files would be restored. The ransomware’s destructive reach highlighted the importance of cautious email handling and regular data backups.
CryptoWall (2014)
CryptoWall, a successor to CryptoLocker, initially appeared in Australia and rapidly spread to other regions. It often arrived via email, with messages purportedly from government offices, such as notifications of failed package deliveries. Infected users were directed to a website to complete a CAPTCHA code, which downloaded the malware. CryptoWall’s success in evading detection by email filters illustrated the sophistication of phishing tactics used in ransomware attacks.
Fusob (2015)
Fusob primarily targeted Android devices, using scare tactics to extort payments. Disguised as a video player, it locked users’ devices and displayed fake messages from government authorities, demanding a “fine” for supposed legal violations. Fusob was prevalent in the U.S., Germany, and the U.K., demonstrating how ransomware could affect both personal and mobile devices and the risks associated with downloading unverified apps.
Petya (2016)
Petya introduced a new level of damage by targeting the master boot record (MBR) of Windows computers. By encrypting the MBR, Petya rendered the entire operating system inaccessible. Victims saw only a ransom demand displayed on the screen, which required payment in Bitcoin. Notably, Petya exploited the EternalBlue vulnerability, which allowed it to propagate across networks. This attack emphasized the need for regular system updates to protect against known vulnerabilities.
NotPetya (2017)
Initially mistaken as a variant of Petya, NotPetya surfaced in 2017 and caused major disruptions in Europe and the U.S. While it resembled ransomware, NotPetya was actually a wiper—a malware designed to destroy data permanently. Even if victims paid the ransom, they couldn’t recover their data. NotPetya demonstrated how ransomware-style malware could be used for political or destructive purposes, rather than mere financial gain.
WannaCry (2017)
One of the most infamous ransomware attacks, WannaCry struck in May 2017 and affected hundreds of thousands of computers globally, including hospitals, government agencies, and private companies. Like Petya, WannaCry spread using the EternalBlue exploit. Although Microsoft had already released a patch to counter this vulnerability, many organizations either hadn’t applied it or were using outdated systems. WannaCry highlighted the dangers of neglecting updates and the catastrophic consequences of ransomware for organizations worldwide.
Ransomware attacks can be terrifying and confusing, especially since antivirus software may not catch the threat until encryption is already underway. If ransomware is detected early, it might be possible to stop the process before encryption is complete. In some cases, removing the malware immediately can save unencrypted files, but data that has already been encrypted may be unrecoverable without the decryption key.
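The early-detection window described above is where behavioural monitoring earns its keep: rather than waiting for a signature match, a defender watches for the file-system pattern encryption leaves behind. The following is an added example, not code from the original post or from any product it mentions. It assumes a hypothetical endpoint agent that emits one line per file event in the constructed format `timestamp|process|action|path`, and it flags a process that renames a burst of files to an unknown extension inside a short window or drops a ransom-note-looking file; it also includes the byte-entropy check that distinguishes encrypted output from ordinary documents.

```python
"""Heuristic early-warning detector for ransomware-like file activity.

Added example (not from the original post). Event lines are constructed
here in the hypothetical agent format: ISO timestamp|process|action|path,
with action one of write / rename / create.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import math
import os

WINDOW = timedelta(seconds=30)      # sliding window per process
RENAME_THRESHOLD = 5                # unknown-extension renames inside WINDOW that raise an alert
ENTROPY_THRESHOLD = 7.5             # bits per byte; encrypted or compressed data sits near 8.0
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".bak"}
NOTE_MARKERS = ("decrypt", "restore", "recover", "how_to", "ransom")

# Constructed sample: a normal editing session, a backup job, then one process
# mass-renaming documents to ".locked" and dropping a recovery note.
SAMPLE_EVENTS = [
    "2024-11-14T09:00:00|winword.exe|write|C:\\Users\\ana\\Q3-report.docx",
    "2024-11-14T09:00:05|winword.exe|rename|C:\\Users\\ana\\Q3-report-final.docx",
    "2024-11-14T09:00:30|backup.exe|rename|D:\\backup\\Q3-report-final.docx.bak",
    "2024-11-14T09:01:00|updater.exe|rename|C:\\Users\\ana\\Q3-report-final.docx.locked",
    "2024-11-14T09:01:01|updater.exe|rename|C:\\Users\\ana\\budget.xlsx.locked",
    "2024-11-14T09:01:02|updater.exe|rename|C:\\Users\\ana\\photo1.jpg.locked",
    "2024-11-14T09:01:03|updater.exe|rename|C:\\Users\\ana\\notes.txt.locked",
    "2024-11-14T09:01:04|updater.exe|rename|C:\\Users\\ana\\contract.pdf.locked",
    "2024-11-14T09:01:05|updater.exe|create|C:\\Users\\ana\\HOW_TO_RECOVER_FILES.txt",
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated byte, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    """True when the byte distribution is as flat as ciphertext would be."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def parse_event(line: str):
    ts, proc, action, path = line.rstrip("\n").split("|", 3)
    return datetime.fromisoformat(ts), proc, action.lower(), path


def analyse(lines):
    """Return (process, reason) alerts in the order they fire; each reason fires once per process."""
    alerts = []
    fired = set()
    recent = defaultdict(deque)     # process -> timestamps of renames to unknown extensions

    def raise_alert(proc, reason):
        if (proc, reason) not in fired:
            fired.add((proc, reason))
            alerts.append((proc, reason))

    for line in lines:
        ts, proc, action, path = parse_event(line)
        name = os.path.basename(path.replace("\\", "/")).lower()
        ext = os.path.splitext(name)[1]
        # A freshly created text/HTML file named like a recovery instruction.
        if action == "create" and ext in (".txt", ".html", ".hta") and any(m in name for m in NOTE_MARKERS):
            raise_alert(proc, "ransom-note")
        # A burst of renames to an extension nobody on this host normally writes.
        if action == "rename" and ext not in KNOWN_EXTENSIONS:
            q = recent[proc]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= RENAME_THRESHOLD:
                raise_alert(proc, "mass-rename")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

On the sample, the editing session and the backup job stay quiet, while `updater.exe` trips the mass-rename rule on its fifth rename and the note rule one second later; that is the moment an agent would isolate the host, which is the first step the post lists below. The thresholds are deliberately low for the demo and should be tuned per host, since legitimate archivers and backup tools also rename files in bulk.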
Here are essential steps and best practices to help you respond to a ransomware attack effectively:
The first thing to do when you suspect ransomware is to immediately disconnect the infected device from the network. This step is crucial because ransomware can rapidly spread to other systems and storage locations across a network. By isolating the infected computer, you can contain the malware and prevent a network-wide disaster.
In some cases, disconnecting quickly may even stop the ransomware before it reaches its command-and-control server, which might prevent the encryption from progressing. Acting quickly here can make a significant difference.
While it’s natural to feel pressured to pay up quickly, hold off on making any payments. Some ransomware attacks are actually “scareware” rather than true ransomware. Scareware typically relies on fear tactics to trick you into paying, often by displaying hard-to-close pop-ups or countdown timers that cause panic. With scareware, your files aren’t encrypted at all—the hackers are simply banking on your fear to coerce you into paying.
Moreover, not all ransomware strains even have decryption functionality. Paying the ransom provides no guarantee that you’ll get your files back, as some attackers take the money and vanish without providing the decryption key. Avoid acting out of panic; paying the ransom might be futile and could even incentivize more attacks. Take time to confirm the nature of the attack before considering payment.
Ransomware recovery is complex and often requires expertise in identifying the malware type, understanding its spread mechanism, and cleaning infected systems. In many cases, your IT support team or a cybersecurity specialist will have tools and techniques for analyzing the ransomware and safely recovering data.
Starting the recovery process too early—before the malware is fully contained—can lead to further issues. For instance, if you begin data restoration without eliminating the ransomware, there’s a risk that the malware will infect your backup files as well. This scenario has led some companies to unwittingly encrypt even their clean backups, making recovery impossible.
One common error is rebooting the infected computer too soon. For example, Petya ransomware took advantage of rebooting by encrypting the master boot record (MBR) and file tables upon startup, causing a complete lockout of the system. Some ransomware even relies on rebooting to bypass permissions and gain deeper access to files, so avoid restarting your computer unless advised by an expert.
The best course of action is to reach out to your IT team or a cybersecurity expert as soon as possible. They can guide you on how to proceed, minimizing irreversible damage.
Ransomware variants like Petya don’t just encrypt files; they also gather IP addresses and login credentials as part of their spread. If ransomware has infiltrated your system, assume that your credentials have been compromised and immediately change all user and administrator passwords. This step is essential to prevent attackers from using stolen credentials to re-enter your network or gain root access to servers, putting sensitive data and critical systems at risk.
Be thorough here—ensure that all accounts, including email, network, and cloud storage accounts, have new passwords that are both complex and unique. Changing your credentials can help stop the ransomware from spreading and protect your organization’s data from further compromise.
Ransomware Recovery: Challenging but Essential
Recovering from a ransomware attack is not just about stopping the malware; it’s about restoring confidence and security across your organization. Even with preventive measures in place, handling a ransomware infection can be stressful, time-consuming, and costly. And yet, prevention remains the best defense. By following best practices for security and ensuring your team knows how to respond to potential threats, you’ll be much better prepared to handle these incidents.
The cornerstone of ransomware prevention is a solid investment in cybersecurity tools and practices that provide real-time protection. This includes identifying and blocking threats, as well as proactively securing known vulnerabilities before attackers can exploit them. Ransomware prevention isn’t just about technology; it’s also about consistent practices and awareness.
Here’s how you can strengthen your defenses against ransomware:
Block Unauthorized Downloads: Set up robust security policies and software to prevent unauthorized or unknown downloads from executing on your network. This step prevents malicious files from getting a foothold on your system in the first place.
Adopt the 3-2-1 Backup Strategy: Regular backups are essential, and the 3-2-1 strategy is a proven method. This approach means keeping three copies of your data—two stored locally but on different devices, and one copy stored offsite, ideally in a secure cloud. Backups give you peace of mind, knowing you can restore data even if ransomware encrypts your files.
Use Legitimate Antivirus and Anti-Malware Software: Install up-to-date security software on all devices, including mobile and remote devices. These programs help detect and block potential ransomware attacks, often before they gain control over your files.
Create a Data Backup and Recovery Plan: For businesses, an organized backup and recovery plan is crucial. It should outline steps for regularly backing up data, testing recovery processes, and ensuring backups are safe from network threats.
Keep Browsers and Extensions Updated: Ensure that your web browsers are always up to date, as attackers often exploit browser vulnerabilities. Use only legitimate browser extensions designed to provide added security, such as ad blockers and anti-phishing tools.
Install Only Licensed Software: Using licensed software means you’re eligible for critical security updates, patches, and support. Pirated software often lacks updates, leaving your system vulnerable to new types of ransomware attacks.
Apply Security Patches Promptly: Enable automatic updates to ensure that all software, including operating systems, antivirus, and applications, receive the latest security patches. Hackers frequently target unpatched systems, so prompt updates are crucial.
Cultivate Good Cyber-Hygiene: Good habits among employees can greatly reduce ransomware risk. Encourage the use of strong passwords, cautious link-clicking, and healthy online behavior.
Provide Cybersecurity Training for Employees: Employees are your first line of defense. Regular training sessions on recognizing phishing emails, avoiding suspicious downloads, and safe browsing habits help create a vigilant, security-conscious workforce.
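The 3-2-1 rule and the backup-and-recovery plan above are only worth something if the copies are actually intact and restorable when ransomware strikes. The following is an added example, not code from the original post or from any backup product. It assumes a constructed layout of three copies (a USB disk, a NAS, and an offsite object store, all simulated as directories in a temporary folder) and a manifest of SHA-256 hashes taken from the known-good source; it checks the 3-2-1 rule, verifies every copy against the manifest, and performs a restore test into a scratch directory, with one copy silently corrupted to show what the checks catch.

```python
"""Verify a 3-2-1 backup layout: rule check, hash verification, restore test.

Added example (not from the original post). The copy descriptors and the
file tree are constructed in demo(); in practice the manifest would be
generated at backup time and kept apart from the copies it describes.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path in the known-good source tree to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_321(copies: list) -> list:
    """Return 3-2-1 violations for copy descriptors {'name','path','medium','offsite'}."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c["medium"] for c in copies}) < 2:
        problems.append("all copies share one medium, need 2 different media")
    if not any(c["offsite"] for c in copies):
        problems.append("no offsite copy")
    return problems


def verify_copy(copy_root: Path, manifest: dict) -> list:
    """Relative paths that are missing from the copy or whose hash differs from the manifest."""
    bad = []
    for rel, digest in manifest.items():
        p = copy_root / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return bad


def restore_test(copy_root: Path, manifest: dict) -> bool:
    """Restore the copy into a scratch directory and re-verify it there (a real restore drill)."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restored"
        shutil.copytree(copy_root, target)
        return verify_copy(target, manifest) == []


def demo():
    """Constructed scenario: one source tree, three copies, the NAS copy silently altered."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "source"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2024-10.csv").write_text("id,amount\n1,100\n")
        (src / "contracts.txt").write_text("signed\n")
        manifest = build_manifest(src)           # taken before any copy is made

        copies = [
            {"name": "disk", "path": base / "usb-disk", "medium": "usb", "offsite": False},
            {"name": "nas", "path": base / "nas", "medium": "nas", "offsite": False},
            {"name": "cloud", "path": base / "cloud", "medium": "object-store", "offsite": True},
        ]
        for c in copies:
            shutil.copytree(src, c["path"])
        # Simulate tampering with one copy after it was written.
        (copies[1]["path"] / "invoices" / "2024-10.csv").write_text("id,amount\n1,999\n")

        problems = check_321(copies)
        mismatches = {c["name"]: verify_copy(c["path"], manifest) for c in copies}
        restorable = {c["name"]: restore_test(c["path"], manifest) for c in copies}
        return problems, mismatches, restorable


if __name__ == "__main__":
    problems, mismatches, restorable = demo()
    print("3-2-1 problems:", problems or "none")
    print("mismatches:", mismatches)
    print("restorable:", restorable)
```

The point of keeping the manifest separate from the copies is that ransomware which reaches a mounted backup share can rewrite both the files and any checksums stored beside them; a manifest held offline or in an append-only location still exposes the change. Scheduling the restore test, not just the hash check, is what turns a backup plan into a recovery plan.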
By implementing these practices, you can significantly lower the likelihood of a ransomware infection. Remember, the goal is not only to protect against ransomware but also to foster a proactive security culture.
Final thoughts on ransomware detection and prevention
In this guide, we’ve covered everything you need to understand ransomware, recognize its types, and take steps toward effective prevention. We discussed how ransomware spreads, from phishing emails to infected websites, and detailed the measures to help you detect and prevent these attacks.
Knowing how ransomware works empowers you to be proactive in your approach to cybersecurity. If an attack occurs, having a response plan in place will help you remain calm and prevent unnecessary losses. Prevention always beats cure, and when it comes to ransomware, every precaution you take can make a difference.
So, remember: stay alert, keep your software up to date, back up your data regularly, and educate everyone in your organization. In a world where ransomware threats evolve daily, vigilance and preparation are your best defense. If you keep these best practices in mind, you’ll be well-equipped to prevent and respond to any ransomware threats that come your way.