How Ransomware Works and What Your Company Can Do About It Today

There’s no escaping the headlines about ransomware today. The 2024 Thales Data Threat Report findings show a 27 percent increase in companies that fell victim to ransomware attacks last year. It’s easy to trace the source of most of these attacks: The Verizon 2023 Data Breach Investigations Report found that 74 percent of all breaches involved the human element. 

You’ve probably seen statistics like these before. But how does ransomware work? In this post, we’ll explore the details of ransomware and how it works and then describe the step-by-step process of recovering from it.

What Is Ransomware?

Let’s start with a definition from TechTarget: “Ransomware is a type of malware that locks and encrypts a victim's data, files, devices, or systems, rendering them inaccessible and unusable until the attacker receives a ransom payment.”

Ransomware attacks come in many forms, with the terms “strain” and variant” often used interchangeably. However, the two have subtle differences, depending on the context.

A ransomware strain typically refers to a distinct family or type of ransomware. It covers a broad classification based on the ransomware’s origin, method of distribution, encryption methods, and other characteristics. WannaCry and Ryuk are two ransomware strain examples.

A ransomware variant generally refers to a version of a particular strain that has been altered or evolved. (Note that on the Cybersecurity and Infrastructure Security Agency (CISA) Stop Ransomware website, Ryuk is referred to as a variant. It was initially a strain known for its targeted attacks on large, high-profile organizations. Over time, many variants have emerged with different characteristics.) Variants usually share core similarities with the original strain but employ different algorithms, delivery mechanisms, or evasion techniques.

Put simply, a strain is a broader classification of ransomware, while a variant is an altered version of a particular strain. Tracking variants is vital for implementing effective defenses, as they reflect how cyber threats are evolving and adapting to defenses.

How Does Ransomware Work?

Most ransomware attacks start with a focus on exploiting human behaviors or system vulnerabilities. Here’s how it works.

Initial Compromise

As the Verizon report makes clear, phishing emails are the most common entry point for ransomware. Typical phishing schemes, such as a recent one that targets Microsoft 365 by bypassing multi-factor authentication (MFA), contain malicious attachments or links that, when clicked, initiate a ransomware download. These emails can be incredibly deceiving, often looking like they are entirely legitimate and inducing the user to take action, such as an urgent request from a known contact. 

Exploit kits on compromised websites are the other common ransomware tactic, scanning for vulnerabilities in a user’s system and exploiting these weaknesses to inject ransomware. This tactic depends less on the users taking action, as all it takes is visiting a compromised page for the ransomware to get in. 

Ransomware Installation

Once the system is compromised, the ransomware installs itself on the host computer. Most ransomware employs techniques to evade detection by antivirus software, such as obscuring the code or mimicking legitimate software processes. Advanced ransomware strains may also try to escalate privileges in the system to gain administrative access. Once that happens, the cybercriminals can execute commands to disable your security software, alter system processes, and extend the reach of the damage they wreak.

Ransomware Propagation

Some ransomware variants are designed to move laterally across your network, infecting other systems and servers within your organization. This can be a “worst-case” scenario because it can lead to widespread disruption and increased ransomware demands. Propagation techniques range from exploiting network vulnerabilities to stealing credentials to gain network access to maliciously using legitimate network management tools.

Data Encryption

After propagating through your system, ransomware encrypts files using powerful encryption algorithms like AES or RSA. Once encrypted, your files, databases, applications, and entire system may be inaccessible.Unfortunately, the encryption keys are usually unique and held by the hackers, making decryption nearly impossible without paying the ransom.

Data Exfiltration

Some ransomware variants exfiltrate your data to servers controlled by the attackers. As noted in a recent CISA Cybersecurity Advisory, Phobos Ransomware is one example. This takes the threat to your organization to another level—often called ransomware double extortion—as cybercriminals can threaten to publicly release sensitive information if the ransom isn’t paid. That’s on top of the problems you’ll have with your data being encrypted.

Ransom Demands

Once your data is encrypted—and possibly exfiltrated—you’ll typically discover a ransom note displayed on your device or system. This note includes instructions on how to pay the ransom, usually in cryptocurrencies like Bitcoin, and may include threats and deadlines to push you to pay quickly. 

Some ransomware groups even provide victim support services. Rhysida is one example. It offers a victim support chat portal accessible through the TOR site and claims to act in its victims’ best interests by targeting their systems and drawing attention to the purported security vulnerabilities and potential consequences. 

How Do You Protect Against Ransomware? 

Ransomware prevention requires a multilayered approach covering every aspect of your business. Here are a few key areas that significantly bolster your defenses.

Create an Ongoing Employee Awareness and Education Program

The fact that 74 percent of all breaches involved the human element says it all. Hold regular training sessions to teach your team to recognize phishing emails and malicious attachments and to avoid suspicious websites.This should be an ongoing program with consistent testing. CISA offers a wealth of information and resources on its Cybersecurity Training & Exercises website. 

Deploy AI-Driven Security Solutions

Prevention is key. Deploy advanced antivirus and anti-malware software that specifically includes ransomware detection based on signature and behavioral analysis. Endpoint detection and response (EDR) systems should also be on your list. EDR tools can monitor and respond to threats in real time and provide automated responses to detected ransomware activity. 

Arcserve products include Sophos Intercept X Advanced for Server, which combines anti-exploit, anti-ransomware, deep learning AI, and control technology to stop attacks before they affect systems. Sophos Intercept X also offers powerful EDR and XDR tools that let you hunt for, investigate, and respond to suspicious activity and indicators of an attack.

Keep Software and Patches Up to Date

Mundane tasks like updates and patches are often neglected, as IT teams are busy keeping operations moving and innovations coming. Automated patch management tools eliminate that burden. TechRadar’s list of the best patch management tools is available here.

Employ Network Segmentation

As noted, cybercriminals can move laterally through your systems once they gain access. Segmenting your network can prevent this spread and limit the impacts of a breach.

Invest In Advanced Backup and Disaster Recovery Solutions

Implement solutions that automatically and regularly back up your data. Ensure your data is encrypted in transit and at rest. Follow the 3-2-1-1 strategy to ensure all of your data is protected. The strategy calls for keeping copies of your data onsite, offsite, and in the cloud for additional redundancy.

It also stresses that at least one copy of your data is kept in immutable storage, a write-once-read-many (WORM) format that can’t be altered or deleted. Read this recent post for a deep dive into how immutable storage works.

How to Recover From a Ransomware Incident

While solutions like Arcserve Unified Data Protection (UDP) software automatically handle many aspects of ransomware recovery, it’s essential to understand the recovery process step-by-step.

Incident Detection and Isolation

As noted regarding Sophos Intercept X Advanced, you must detect a ransomware attack as early as possible, ideally through alerts from your antivirus or EDR systems. You must also isolate infected systems from the network to prevent the ransomware from spreading.

Assessment and Forensic Analysis

Next, you’ll want to identify the ransomware variant that has infected your systems. According to CISA, identification “may involve the deployment of EDR solutions, audits of local and domain accounts, examination of data found in centralized logging systems, and deeper forensic analysis of specific systems once movement within the environment has been mapped out.” Find a list of Expert Insight’s top 10 malware analysis tools here.

Recover and Restore

Now, and most important, comes recovery. You must restore affected systems and data from your backups. This is where immutable backups can make a big difference because even if all of your systems are affected, you will always have a secure, recoverable copy of your data. Without immutable backups, your next step may be to see if a free ransomware decryption tool will work—find Kaspersky's list of free tools here—or find out if professional ransomware decryption services can help.

Post-Incident Review and Disaster Recovery Plan Update

Conduct a comprehensive post-mortem analysis to identify entry points, successes, failures, and areas of concern. Integrate these learnings into your incident response, business continuity, and backup and disaster recovery plans for continuous process improvement.

Get Expert Guidance and Advanced Ransomware Protection

Arcserve Technology Psartners is here to help you implement ransomware protections that ensure your data is secure and that you can always recover.

Find an Arcserve Technology Partner here.

To learn more about Arcserve UDP, request a demo.