Over the past few years, ransomware attack rates and ransom amounts have climbed so significantly that the cyber attack has broken out of the IT and security community to capture headlines around the world. In early May 2021, a suspected Russian hacking group took Colonial Pipeline — which provides 45% of the East Coast’s supply of gasoline, diesel fuel, and jet fuel — offline for more than three days in an attack that made ransomware a household word. One year later, a ransomware attack crippled the government of Costa Rica, forcing the country to declare a state of emergency. In 2023, a ransomware attack struck MGM Resorts, costing the hospitality giant approximately $100 million in lost bookings and another $10 million in recovery costs. Because of attacks like these, nearly everyone with a computer has become aware of the dangers posed by ransomware.
Yet, while organisations recognise the threat and have acted to harden their environments and close gaps in their attack surfaces, ransomware persists. According to recent research, 45% of organisations admitted to being the victim of a ransomware attack in the last 12 months, with nearly all of those attacks including data exfiltration. Ransomware-as-a-service (RaaS) operators have lowered the bar for entry, meaning more cybercriminals than ever have access to the nefarious tools and services needed to help them extort money from organisations.
With increasing, evolving attacks now the norm, it’s essential to understand where ransomware sits in the modern threat landscape. That means clearly defining what it is as well as where it falls in the larger category of malware, understanding how it works, and assembling the best tools and solutions to stop it.
What Is Ransomware?
Ransomware is a type of cyber attack that freezes a system or data, usually via encryption, and prevents user access. The idea behind the attack is to hold the systems or assets for ransom — promising to only decrypt them once a certain amount has been paid.
Ransomware has existed since the 1980s, with the first recorded attack occurring in 1989. This inaugural attack was known as the AIDS Trojan virus and was released via floppy disk at the World Health Organization’s AIDS Conference, also making it one of the first instances of major hacktivism. Once the user inserted the disk, they were greeted with a lock screen. If the user tried to reboot their computer, the malware counted that reboot, and once 90 reboots had occurred it encrypted files and demanded payment for the key.
The rise of the Internet allowed ransomware to evolve, with attacks in the 2000s leveraging RSA encryption for the first time. But it was the launch of Bitcoin, now the world’s chief cryptocurrency, that most accelerated the growth of ransomware. Because cryptocurrency is distributed and decentralised, threat actors can obfuscate payments, making them difficult to track and helping the actors evade law enforcement.
Soon, ransomware-as-a-service emerged in the threat landscape, with ransomware strain developers selling their software to cybercriminals in exchange for a flat fee or percentage of the ransom.
Ransomware has been increasing exponentially over the years, with attack rates rising nearly 73% year-over-year from 2022 to 2023. The costs associated continue to climb as well, with the median initial ransom demand associated with incidents investigated by Arctic Wolf® Incident Response growing to $600,000 USD in 2023 — a 20% increase over 2022’s figure of $500,000.
What Is Malware?
Malware is any software or program that is designed to disrupt and damage a system or network. It is often employed by hackers to purposefully attack an organization’s network.
Malware can work in a variety of ways to achieve the specific goal of causing damage and disrupting a system. Common kinds include:
- Viruses
- Spyware
- Bots
Malware can be installed in several ways, including tricking a user into downloading malicious software. This can be accomplished through phishing, via a Trojan Horse, or through other social engineering techniques. If an attacker was able to steal credentials previously or purchase them on the dark web, they could access the target system and install the malware themselves, bypassing the social engineering step entirely. Another principal way malware enters an environment is through the exploitation of existing vulnerabilities, making a robust risk management program an essential part of a proactive security posture.
Once the malware is installed, it spreads and does what it was coded to do. That action depends on the kind of malware installed. For example, spyware monitors the system and sends information (activity logs, credential usage, etc.) back to the bad actors so they can execute a more complicated attack, while bots take over devices to execute a coordinated attack (such as a DDoS attack) on an organisation.
Is Ransomware a Type of Malware?
As ransomware is a form of malicious software designed to disrupt business operations by blocking legitimate users from accessing networks, endpoints, and applications, it falls squarely into the definition of malware. However, the major difference between the two is their end goal. While malware disrupts operations to steal or damage the target’s data, ransomware disrupts operations to extort funds from the target.
Over the years, malware has evolved, and ransomware has followed suit. While the first ransomware attack arrived via floppy disk, both malware and ransomware have evolved to include fileless variations. Unlike traditional malware, which drops an executable file onto the device to infect it, fileless malware writes nothing of its own to the file system. Instead, it runs through non-file objects like Microsoft Office macros, PowerShell, WMI, and other built-in system tools. Because there is no executable file to scan, it is difficult for antivirus software to protect against fileless malware.
The ransomware-as-a-service (RaaS) model — which allows the developers of a ransomware variant to recruit affiliates that exclusively use their ransomware in targeted attacks on organizations — has become a preferred method for threat actors, with many cybercriminals relying on specialised services and offerings to conduct intrusions. This innovation first appeared in 2012 with Reveton ransomware, which impersonated local law enforcement, threatening victims with arrest or criminal charges if they did not pay a ransom. The Reveton operators would sell the malware to third parties as a service, innovating the RaaS model seen frequently today.
RaaS has allowed ransomware to spread exponentially, but it isn’t the only form of cyber attack to adopt the as-a-service model. In fact, malware-as-a-service (MaaS) is rising overall, with remote access trojans (RATs) and info-stealing malware now being offered for sale on dark web markets.
What RaaS and MaaS have done is lower the bar for entry and grant more cybercriminals access to the nefarious tools and services needed to help them disrupt operations and extort funds.
While ransomware and malware attacks are both increasing in number and evolving in execution, it’s ransomware that has captured global attention and dominated headlines. Thanks to attacks like the ones on Colonial Pipeline, Costa Rica, and MGM, the visibility of ransomware attacks has exploded within the IT community and the general public alike, so that the share of attention on ransomware far exceeds attention given to the malware strains that came before it and that continue to be used by bad actors today.
How Does Ransomware Spread?
Cybercriminals have become adept at evading security solutions to gain access to systems, encrypt data, and then culminate their attacks by demanding a ransom. To start their attacks, cybercriminals gain access to the victim’s IT environment via initial access points – the device or attack surface that is first compromised. They reach those initial access points through root points of compromise: the methods threat actors use to enter environments.
Research from the Arctic Wolf Labs 2024 Threat Report shows the two most common root points of compromise in ransomware attacks are external exposure and user action.
External Exposure
Threat actors gain access to a victim’s IT environment through exposure to the public internet. Some examples of external exposure are:
- External remote access, which typically involves identity-based attacks aimed at breaching an organization’s identity and access management (IAM) system — the governance, control, and monitoring of users’ identities and access within a system or network
- External exploits, which involve leveraging either a known vulnerability or a zero-day vulnerability to gain access to an environment
User Action
Threat actors gain access to a victim’s IT environment through social engineering. Some examples of user action are:
- Phishing, where a user clicks on a malicious link and is tricked into sharing credentials or downloading and executing a malicious attachment within an email
- Previously compromised credentials, where a threat actor uses credentials that are known to be part of a data breach or credential dump — but that have not yet been deactivated by the victim organization
- Malicious software download, where a user falls prey to an intentional or unintentional download of software containing hidden malicious functionality
It’s after gaining initial access through one of these root points of compromise that ransomware attacks truly begin, with the installation of the malware package.
How To Defend Against Ransomware and Other Types of Malware
The best defense against every kind of malware, including ransomware, involves a comprehensive security strategy that contains proactive and reactive components.
Identity and Access Controls
Malware attacks often begin with a threat actor using a password purchased on the dark web, swiped from a previous breach, or gained through social engineering. In addition, credentials can be used by the threat actor to gain privileged access, allowing them to deploy malware like ransomware into critical parts of the network.
Proactive and reactive identity and access control measures that security teams can use to improve credential security include:
- Implementing multi-factor authentication (MFA)
- Conducting dark web monitoring
- Hardening Active Directory
- Embracing the principle of least privilege (PoLP), supported by a zero trust access model, role-based access controls, and privileged access management (PAM)
- Delivering comprehensive user security awareness training
Ongoing Vulnerability Management
While zero-days make headlines — like the MOVEit Transfer vulnerability leveraged by the Cl0p ransomware group in 2023, which drove a 180% year-over-year spike in vulnerability exploits — it is more often known, unpatched vulnerabilities that allow threat actors to gain the access needed to load malware into a network or system. By staying on top of vulnerabilities, an organisation goes a long way toward hardening its attack surface against all forms of malware, including ransomware. A full, risk-based vulnerability management program prioritises continuous vulnerability assessment and remediation, with the other components of the program complementing and assisting overall remediation and mitigation.
Managed Detection and Response (MDR)
Monitoring is critical for preventing malware attacks, especially as threat actors utilise legitimate programs, such as PowerShell and Active Directory, for malicious ends. Without proper monitoring and detection, unusual behaviour in those programs would go unnoticed. In addition, swift detection and response capabilities allow your organisation to stop a ransomware threat during the initial access stage, before the threat actors can move laterally.
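The fileless technique described earlier (Office macros, WMI and PowerShell standing in for a dropped executable) and the monitoring point made here come together in process-creation telemetry: the parent/child relationship and the command line are what give the misuse of a legitimate program away. The following is an added illustration, not code from Arctic Wolf or from this page; the events, process names and rule names are constructed for the example, and the encoded command carries a harmless `Write-Output` so the decoder has something to show.

```python
import base64
import re

# Constructed process-creation events for the example (not real telemetry):
# (parent image, child image, command line). Event 2 mimics a macro-launched
# PowerShell with an encoded command; event 3 mimics WMI launching PowerShell.
SAMPLE_EVENTS = [
    ("explorer.exe", "winword.exe", "winword.exe /n quarterly.docx"),
    ("explorer.exe", "powershell.exe", "powershell.exe -File backup.ps1"),
    ("winword.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc "
     + base64.b64encode("Write-Output demo".encode("utf-16-le")).decode()),
    ("wmiprvse.exe", "powershell.exe", "powershell.exe -NoProfile -c Get-Date"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; payload is UTF-16LE base64.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_event(parent, child, cmdline):
    """Return the detection rules (constructed names) that one event triggers."""
    hits = []
    p, c = parent.lower(), child.lower()
    if p in OFFICE_APPS and c in SCRIPT_HOSTS:
        hits.append("office-spawned-script-host")      # macro -> scripting host
    if p == "wmiprvse.exe" and c in SCRIPT_HOSTS:
        hits.append("wmi-spawned-script-host")         # WMI used as a launcher
    if c in {"powershell.exe", "pwsh.exe"} and decode_encoded_command(cmdline):
        hits.append("encoded-powershell-command")      # obfuscated command line
    return hits

def analyse_events(events):
    """Map the index of each flagged event to its rules and decoded payload."""
    findings = {}
    for i, (parent, child, cmdline) in enumerate(events):
        hits = analyse_event(parent, child, cmdline)
        if hits:
            findings[i] = {"rules": hits, "decoded": decode_encoded_command(cmdline)}
    return findings
```

Running `analyse_events(SAMPLE_EVENTS)` flags only the macro-launched and WMI-launched PowerShell events; the scheduled `backup.ps1` run from Explorer is left alone, which is the distinction a monitoring rule has to make.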
Incident Response
An insurance-approved incident response (IR) team provides the full suite of services needed to recover from a cyber attack like ransomware and quickly restore business operations to pre-incident conditions. A proper IR team will remove the threat actor from your environment, negotiate with threat actors, determine the root cause and extent of the attack, and restore critical systems.
Learn more about the ransomware ecosystem – from RaaS operators to ransom demands to how ransomware attacks work – with our interactive resource, Ransomware Explained.
Gain an in-depth understanding of some of the critical decision points organizations are faced with during a ransomware incident in our on-demand webinar, Experience Ransomware Without the Ransom.