Ransomware is everywhere. This nefarious attack vector is starting to dominate the cybercrime landscape, wreaking havoc and racking up massive damage across the globe.
According to the “State of Cybersecurity: 2023 Trends,” 48% of organisations view ransomware as the top attack vector concern, and that concern comes with cause, as 42% of organisations suffered a ransomware attack in the past year.
The price of ransomware is also increasing, which will only encourage more cybercriminals to get in on the act. According to the “2023 Arctic Wolf Labs Report,” the median initial ransom demand, across industries, topped $500,000 USD in 2022. The industry breakdown highlighted higher amounts, with technology reaching $1.1 million USD, shipping and logistics reaching $900,000 USD, and education and nonprofit reaching $874,000 USD.
Ransomware can take many forms, and each attack is different, but as the data shows, it’s becoming the go-to attack vector for cybercriminals, so it’s critical that organisations understand it and learn how to defend against it.
Common Forms of Ransomware
The basic form a ransomware attack takes is a threat actor gaining access to a network, system, or internal data, and holding that component of the environment hostage until a ransom is paid. There are examples of hackers holding operational technology for ransom, personal data for ransom, and even whole systems for ransom. The scope and details of the attack vary depending on the individual attackers.
In recent years, however, as ransomware has spread, it’s also become more complex and diabolical.
Two other types of ransomware attacks are:
1. Double-extortion attack
While a standard ransomware attack involves extortion — the encryption of data and subsequent demand of payment for data release — there is also double extortion. In this version of the attack, threat actors not only encrypt the data, but exfiltrate it as well. This allows the attackers to release or sell the data if the victims seem reluctant or refuse to pay the ransom, thereby incentivising them to pay. This tactic, along with triple-extortion, is becoming more common among ransomware gangs (groups of cybercriminals or nation-state actors working together on multiple attacks), who have the technical abilities and personnel to escalate attacks.
2. Triple-extortion attack
A triple-extortion attack is similar to a double-extortion attack, but it takes things a step further, allowing threat actors to expand their attack scope and increase their payday. In a triple-extortion attack, the attackers contact people whose personal data has been stolen, like customers or clients of the breached organisation, and threaten to release their personal data if a payment isn’t made. Triple extortion is a newer tactic, originating with a 2020 attack against a mental healthcare provider in Finland.
Ransomware-as-a-Service Helps Ransomware Proliferate
Another newer, rising component of the ransomware ecosystem is ransomware-as-a-service (RaaS). RaaS participants offer resources such as encryption software, leak sites, and branding to independent affiliates who then carry out the ransomware attack. The proceeds of these attacks are commonly split between affiliates and the operators, but some organisations employ cyber criminals long term, so they may get a flat fee, a percentage cut, or a payment akin to a salary.
While in the past, ransomware was conducted primarily by highly skilled threat actors, this model has opened the playing field by dividing responsibilities. It allows less technical cybercriminals to execute attacks while also shielding the identities of the individuals involved.
How a Ransomware Attack Happens
What happens during a ransomware attack? It’s broken up into three stages.
Stage 1: The threat actor gains access to a network.
This could happen through social engineering, through a vulnerability, through malware, or another method, but access is the first step.
Stage 2: The threat actor moves laterally, gaining access to critical operational technology or valuable data.
The access could include — as in the infamous Colonial Pipeline attack — digital operational technology and IT technology, or the personal identifying information (PII) contained within healthcare systems, as is common with the currently active Royal ransomware gang.
Stage 3: The hackers encrypt the data or technology, and then demand payment for access to the decryption key.
This is where the ransom part of the attack happens. Organisations are often motivated to pay because of the price of downtime or the value of the encrypted data.
It’s important to note an attack could contain more stages, especially if it’s a double- or triple-extortion attack.
While ransomware incident response will differ from attack to attack, the first step is to isolate where the attack is and shut down any relevant, affected areas. This will prevent the attack from spreading while the organisation is able to come up with a response plan. It’s important to note that the FBI does not recommend paying the ransom, as it will only motivate cyber criminals in the future.
The next step should be for the breached organisation to contact their incident response and cyber insurance providers. These teams are the experts and can assist the organisation in next steps and ultimate restoration.
Arctic Wolf® Incident Response utilises an elastic framework to help organisations secure, analyse, and restore their systems. Arctic Wolf Incident Response is also the preferred partner to cyber insurance companies, due to the one-hour SLA, elastic response, post-response security posture strengthening, and remediation guidance.