Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
And the situation is getting worse. Research suggests that the overall cost of a ransomware attack doubled in the past year, rising from $761,106 in 2020 to $1.85 million in 2021—and that the global total cost of ransomware could exceed $265 billion per year by 2031.
This article will explain what ransomware is and how ransomware spreads. We’ll then analyze a recent ransomware attack to help you understand how this serious form of cybercrime works.
There are two main types of ransomware attacks. Both involve the victim downloading a malicious ransomware program.
In the first type of ransomware attack, the malicious program encrypts the victim’s files, rendering them unreadable and unusable. To decrypt their files, the victim must pay a ransom—or else they’ll never be able to access them again.
In the second type of ransomware attack, the malicious program transfers the victim’s files to the attacker. In this type of attack, the victim must pay a ransom to prevent their files from being published on the open web.
Either type of ransomware attack is avoidable. But ransomware can be devastating for any business, leading to extortion, recovery, and mitigation costs—not to mention a loss of your company’s time and reputation.
For a ransomware attack to succeed, the threat actor must find a way to get the malicious ransomware program onto their target’s device. Let’s take a look at three key ways of achieving this.
In a typical social engineering attack, the target receives a malicious email encouraging them to click a download link or download an attachment. While the email may look trustworthy, it contains a payload in the form of a ransomware file.
The notorious “Ryuk” strain of ransomware spreads mostly via social engineering attacks. Security experts estimate that the Ryuk ransomware has earned cybercriminals over $150 million in ransom payments from companies worldwide.
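The payload described above usually arrives as a file attachment whose name is chosen to look harmless. The following is an added example, not Tessian's code or any product's logic: a small Python script that parses an e-mail message with the standard library and flags attachments whose names end in an executable extension or hide one behind a document extension (for instance "invoice.pdf.exe"). The sample message, the extension lists and the function names are constructed for illustration.

```python
"""Flag e-mail attachments that look like executable payloads.

Added example (not Tessian's code). Parses an RFC 5322 message with the
standard library and reports attachments whose filename suggests an
executable, or an executable disguised behind a document extension.
The extension lists below are assumptions for illustration.
"""
from email import policy
from email.parser import BytesParser
from typing import List, Optional, Tuple

# File types that execute code when a user double-clicks them (assumed list).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "bat", "cmd", "com", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "ps1", "msi", "lnk", "jar",
}

# File types commonly used as the "decoy" half of a double extension.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_filename(name: str) -> Optional[str]:
    """Return a reason string if the filename looks dangerous, else None."""
    parts = name.lower().rsplit(".", 2)   # at most: stem, middle ext, last ext
    if len(parts) < 2:
        return None                        # no extension at all
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    # "report.pdf.exe": a document-looking name that actually ends in .exe
    if len(parts) == 3 and parts[1] in DOCUMENT_EXTENSIONS:
        return f"double extension disguising .{ext} as .{parts[1]}"
    return f"executable extension .{ext}"


def find_risky_attachments(raw_message: bytes) -> List[Tuple[str, str]]:
    """Parse a raw message and return (filename, reason) for risky attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    # iter_attachments() skips the body parts and yields the attachment parts.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_filename(name)
        if reason:
            findings.append((name, reason))
    return findings


# Constructed sample message (not a real phishing e-mail). The base64 bodies
# are placeholder bytes, not actual files.
SAMPLE_EML = b"""\
From: "Accounts Payable" <ap@example.test>
To: staff@example.test
Subject: Overdue invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice before the weekend.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

QUJDRA==
--b1
Content-Type: application/pdf; name="terms.pdf"
Content-Disposition: attachment; filename="terms.pdf"
Content-Transfer-Encoding: base64

QUJDRA==
--b1--
"""

if __name__ == "__main__":
    for filename, reason in find_risky_attachments(SAMPLE_EML):
        print(f"RISKY attachment {filename!r}: {reason}")
```

A filename check like this is only a first, cheap filter: it catches the obvious disguise but says nothing about what is inside an archive or a macro-enabled document, so it belongs in front of content inspection and an attachment policy, not instead of them.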
Remote desktop protocol (RDP) enables a third party to take remote control of a person’s computer.
RDP has legitimate uses, including enabling IT support services to troubleshoot software issues. But once a cybercriminal has admin access to your system, they can do pretty much whatever they want—including carrying out a ransomware attack.
RDP was the root cause of several high-profile ransomware attacks, including the SamSam ransomware that forced Atlanta’s public authorities to pay out nearly $6 million in 2018.
When the victim clicks “Save” or runs the malicious download—whether due to carelessness or because they believe the file is legitimate—the ransomware installs itself and takes over their computer.
Here’s a recent example of a ransomware attack, to help you understand how this devastating form of cybercrime works.
On July 3, 2021, hours before the long Independence Day weekend started in the U.S., thousands of workers got a message on their computer screens: “Your computer has been infected!”
These infected computers had recently installed an update to Kaseya’s IT management software—an update that had been infected with the REvil ransomware. This type of “supply chain” attack is an increasingly common vector for malware.
Here’s the ransom note that workers saw (shortly before they’d planned to go home for the holidays):
Let’s break this message down. The message informs the ransomware victim that:
You might be surprised to see the level of sophistication involved in this attack. The victim is offered a “trial decryption”, “chat support”, and a guide to buying Monero. Ransomware is becoming a quasi-professional criminal industry.
And note that $45,000 is actually a relatively modest ransom. But the Kaseya attack appears to have affected thousands of companies, directly and indirectly—so the cybercriminals are likely to make millions of dollars. The gang is also demanding $70 million for a “global” decryptor.
Looking for more examples of ransomware? Check out this article.