Ransomware 101 

Written by: Dennis Webb

Rarely does a week go by without hearing about another organization that has been hit by a ransomware attack.  The number of ransomware attacks continues to grow around the world, and they are not limited to corporations.  Small businesses, government agencies, school districts, healthcare providers, and many other sectors have also been hit hard.  A short list of the major organizations hit in 2021 alone: 

  • Colonial Pipeline (oil and fuel transporter) 
  • JBS (world’s largest meatpacking plant) 
  • Metropolitan Police Department in Washington, DC 
  • Brenntag (chemical distribution) 
  • Ireland’s Health Service Executive (healthcare and social services) 
  • Accenture (technology consulting) 

The more knowledgeable and vigilant organizations are regarding ransomware, the better the chances that an attack can be avoided. 

What is Ransomware? 

Ransomware can be defined as an evolving form of malware designed to encrypt files on a device and deny access until a sum of money, the ransom, is paid.  In the directory where the now-encrypted files reside, the cybercriminals often leave two files behind: one stating that the files have been held for ransom, and a second explaining how to pay the ransom and decrypt the files.  Ransomware actors also often exfiltrate data or authentication information first and threaten to sell or leak it if the ransom is not paid.  The consequences of a ransomware attack include financial loss, system downtime, data loss, public relations nightmares, and intellectual property theft. 

Why do Cybercriminals deploy Ransomware? 

Money.  Ransomware has become a profitable business, and those profits are only increasing.  Colonial Pipeline paid a ransom of $4.4 million.  JBS paid $11 million.  Brenntag paid $4.4 million.   

Who are the Ransomware Cybercriminals? 

The days of script kiddies and defaced web pages are long gone.  Ransomware has become its own industry.  The ransomware cybercriminals of today are organized in gangs.  Some of the better known are REvil, Conti, and DarkSide.  These gangs are well organized and even offer ransomware-as-a-service: for a percentage of the ransom received, they outsource to affiliates who then carry out the attacks.  Some even go as far as offering a customer service department.  As long as it remains profitable, the gangs will continue to fund research and development to stay ahead of the security industry’s attempts to detect and remove their malware. 

How does Ransomware work? 

Ransomware is a form of malware.  As with all other malware, the majority of malicious breaches occur through social engineering (primarily phishing), unpatched software, and misconfigured devices.  By far, it is the system users who are the conduit for the attack.  Users continue to click on harmful links in emails, which results in malware being installed on their computers, and cybercriminals continue to exploit this human weakness.  Organizations continue to leave vulnerabilities on their systems by not patching known application defects, thus leaving open doors for the bad guys.  Once ransomware is installed on the systems, cybercriminals can find and identify the most valuable data on the network and start exfiltrating data, passwords, emails, and other information.  Once enough information has been gathered, the ransomware is executed, and the organization’s data is encrypted and rendered useless.  The intent is to cause as much critical service disruption as possible to induce the organization to pay the ransom.  Threatening emails are usually sent with promises to leak sensitive information or sell valuable data on the dark web unless the ransom demands are met.  The ransom itself is to be paid in untraceable Bitcoin. 

How do I recover from Ransomware? 

The only ways to recover the encrypted files are restoring from backups or paying the ransom.  Each of these options poses its own risks.  To restore from backups, the backups themselves must be good.  It is not uncommon for organizations to turn to backup systems that run without error every day, only to find that the backups do not contain any data.  Also, ransomware is usually present in an environment for quite some time before it is activated.  If it is still present after a restore, it could be reactivated immediately and create a constant restore cycle.  Paying the ransom does not always result in getting the decryption keys.  The cybercriminals could turn around and ask for more money, or the decryption keys could be defective. 

How do I protect my environment from Ransomware? 

The first step an organization should consider is how to prevent an attack in the first place.  This includes: 

  • Review the security controls and procedures currently in place. 
  • Keep security software up to date (antivirus, spam filters, firewalls, etc.). 
  • Concentrate on educating your employees to avoid social engineering, including: 
      • how to identify bad URLs 
      • good security habits 
  • Continue to update/patch all software applications and operating systems. 
  • Implement Multi-Factor Authentication (MFA) where possible. 

An organization should also be prepared in the event of an attack.  This includes: 

  • Review your current data and system backup methods and procedures.   
  • Test data restoration from your backups. 
  • Create and test a Ransomware incident response plan. 
  • Although it doesn’t add protection against ransomware, investigate whether Cybersecurity Insurance is right for your organization to protect against the financial damage an attack could cause. 
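The backup failure described above (a job that runs without error every night yet holds no data) and the "test data restoration" item are what the following restore test checks. It is an added example in Python, not code from the article or from Momentum: it restores a tar.gz archive into a scratch directory and compares every expected file against a SHA-256 manifest recorded when the backup ran. The archive, manifest and file contents are all constructed inline.

```python
"""Restore-test a backup archive against a manifest (added example, not from the article).
Models the failure the post describes: a backup job that reports success every night
yet holds no usable data. All sample files are constructed in memory."""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_archive(files: dict) -> bytes:
    """Build a tar.gz in memory from {relative_path: content}; {} models an empty 'successful' backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def restore_test(archive: bytes, manifest: dict) -> list:
    """Extract the archive to a scratch directory and check each manifest entry
    (relative path -> SHA-256 hex digest recorded when the backup ran).
    Returns failure strings; an empty list means the restore passed."""
    failures = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            members = tar.getmembers()
            if not members:
                failures.append("archive contains no files")
            for m in members:  # refuse entries that would write outside the scratch dir
                if m.name.startswith("/") or ".." in Path(m.name).parts:
                    raise ValueError(f"unsafe path in archive: {m.name}")
            tar.extractall(scratch)
        for rel, expected in manifest.items():
            path = Path(scratch) / rel
            if not path.is_file():
                failures.append(f"{rel}: missing from restore")
            elif path.stat().st_size == 0:
                failures.append(f"{rel}: restored as an empty file")
            elif sha256_bytes(path.read_bytes()) != expected:
                failures.append(f"{rel}: content differs from manifest")
    return failures
```

Run it against a real archive by reading the archive bytes from disk and a manifest produced on the production side before the backup job; a non-empty result list is the restore test failing, which is exactly the case a "successful" backup log hides.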

The reality is that organizations must stay vigilant with their cybersecurity efforts and stay current on the attack trends seen around the world.  Users are still the key to the prevention of all malware.  They need to be educated on their role within the organization’s cybersecurity defense.  Ignorance is not acceptable. 

Let us help! 

The world of cyber security is constantly changing as organizations and cyber criminals try to stay one step ahead of one another. Momentum has consultants who are experts in cyber security who can help you review your prevention and response tactics and train employees to be the front line of defense. Contact us today! 

Dennis has over 33 years of progressive Information Technology and management experience. He is recognized for his ability to work with executive management and technology experts to translate business goals into effective IT strategies and architectures. He is particularly effective in seeing strategies implemented through project planning and management, team leadership, client communications, and hands-on technical work.  
