A guide to Ransomware – what it is, how it works, and how to defend against it

‘In the first half of 2020, the total number of global ransomware reports increased by 715% year-over-year.’ (Threat Landscape Report 2020 by Bitdefender)

In this guide to Ransomware – we take a look at what it is, how it works, and how to defend against it as best as possible.

Since ransomware has become by far the fastest growing type of cyber threat faced by businesses in recent years, we thought we’d take a closer look at this type of malware. 

As an ever-evolving attack tool, the simplest form of ransomware can cost an organisation significant time and money, but more severe attacks can cripple or even destroy a company completely. 

This is especially dangerous in these days of economic uncertainty, and since both individuals’ and businesses’ online activity, such as cloud usage, online payments, online entertainment and working from home, has increased considerably.


The already significant threat of ransomware grew more sharply this year with the onset of the current coronavirus pandemic and transition by many organisations to remote working arrangements. 

As a result, cybercriminals have sought to exploit the security vulnerabilities that coincide with working from home and are now capitalizing on the opportunity.


Ransomware cyber-attacks are a big business, to the point that research anticipates a business is attacked by a cyber-criminal every 11 seconds, and damage costs from these attacks will hit around $20 billion by 2021.

There is no easy win in the battle on cyber extortion, and the best way to deal with this threat is to firstly understand what ransomware is, how it works, and who it targets, and then look to the best lines of prevention and ultimately the best methods of mitigation should a breach occur.

What is Ransomware?

‘A type of malicious software designed to block access to a computer system until a sum of money is paid.’

A ransomware cyber-attack occurs when malicious software (malware) is used to deny a user or business access to a computer system or data. The attack takes over computer networks: the malware locks up the victim’s computer and renders it unusable until they pay the attacker the ransom (frequently in bitcoin).

The first known ransomware attack occurred in 1989 and targeted the healthcare industry, but ransomware has been constantly evolving, with more sophisticated strains on the increase. Over the last year, the number of new variants increased by 46%. Unprepared network users and businesses can quickly lose valuable data and money from these attacks.

Types of Ransomware

STOP/Djvu is the most reported ransomware family in Q1 2020. The prolific strain typically spreads through cracked software, key generators and activators.

This year there have been a number of changes in the most commonly reported ransomware strains. Rapid, Rapid 2.0, Ryuk and Zeppelin fell out of the top 10 and have been replaced by Makop, Paymen45, LockBit, and GoGoogle.

How does Ransomware happen?

URLs embedded in emails remain the number one way for computers to become infected. Despite it being well known that emails are the main infection method for all types of cyber-attacks, people still fall victim to malicious social engineering and subsequently infect whole systems.

In general, a lack of proper cybersecurity procedure (or a poorly implemented one) and a lack of training in basic cybersecurity practices (e.g. re-using weak passwords, lack of proper access management and poor user awareness) are commonly the causes of ransomware infection.

For example, many managed service providers (MSPs) report that Windows OS is targeted the most by ransomware attacks, as Windows-based computers are typically more affordable, meaning more people use them. Combined with the knowledge that a large number of these users don’t install the necessary updates for their operating system (leaving them without the patches that protect against these viruses), this opens up the doorways and makes them sitting targets for cyber-attackers.

This doesn’t mean that macOS, Android and iOS are immune, however; poor user practice can make any device vulnerable and potentially compromise a whole company and its systems.

Encrypting ransomware (or cryptoware) is the most common recent variety; however, there are other types:

  • non-encrypting ransomware, or lock screens, which restrict access to files and data but do not encrypt them;
  • leakware or extortionware, which steals compromising or damaging data that the attackers then threaten to release if the ransom is not paid;
  • mobile device ransomware, which infects mobile phones through drive-by downloads or fake apps.

This guide to ransomware firstly gives the phases of an attack and then the steps to remediate impact.

5 Phases of a Ransomware Attack

There are 5 distinct phases of a ransomware attack, which can generally be executed in as little as 15 minutes:

1. Exploitation and infection

The pathway for the malicious Ransomware file to execute on a computer is often through a phishing email or an exploit kit (a specific kind of toolkit that takes advantage of security holes in software applications to be able to spread malware). Users running insecure or outdated software applications on their computers often fall foul of these kits.


2. Delivery and execution

Ransomware is then delivered to the system and persistence mechanisms are put in place. This process can take just a few seconds, depending on the network. Executables are most often delivered via an encrypted channel.

3. Backup defilement

The ransomware targets the backup files and folders on a system and removes them to stop any restoring from backup. This is intended to deny the victim any means of recovering from the attack without paying the ransom.

4. File Encryption

Once backups are completely removed, the malware performs an exchange to establish the encryption keys that will be used on the local system. Depending on the network speed, number of documents and number of devices connected, the encryption process can take anywhere from a few minutes to a couple of hours.

5. User notification and removal

Following encryption, the demand instructions for payment are sent to the victim. The victim is usually given only a few days to pay before the ransom demand increases.

Finally, the malware removes itself from the system so as not to leave behind considerable forensic evidence that might help build better defences against the malware.

Who’s targeted with Ransomware?


Ransomware attacks have experienced a resurgence, and whereas individuals and small businesses were key targets in the early days, in more recent years large corporate businesses, governments, councils, public health departments, educational facilities and various other organisations have not been exempt as targets.

Recently, Microsoft announced it took down a major hacking network that had been used to spread ransomware, and the company said it could have been used to interfere with the US election indirectly by freezing access to voter rolls or websites displaying election results.

The US Elections are indeed a notable target at the moment. A ransomware attack could suddenly lock down important parts of the voting infrastructure all around the country. This could happen at county and state level to disable voting registers.

Concerns around ransomware’s disruptive potential spiked after Tyler Technologies, a major software vendor to many state and local governments, disclosed a ransomware attack affecting its systems recently. The company sells software that is used by some clients to display voting information on websites, it said in a statement, ‘but that software is hosted on Amazon servers, not its own, and it was not affected’. The attack targeted Tyler Technologies’ internal corporate network.

In general, however, the healthcare industry has by far been the main target for ransomware attacks.

‘The industry with the highest number of attacks by ransomware is the healthcare industry. Attacks will quadruple by 2020’. (CSO Online)

The arrival of COVID-19 has become an influential force in the threat landscape for not only the health care industry but businesses as a whole due to the increase in remote working – this sudden surge in working from home has helped cement remote desktop protocol (RDP) as the attack vector of choice for ransomware operators. 

Many organizations have evidently failed to securely implement RDP in their rush to roll out work from home arrangements, which has left RDP connections vulnerable to compromise.


Consequences of a Ransomware attack

‘By 2021, experts predict the total damage from ransomware to reach $20 billion USD.’ (CyberSecurity Ventures)

There is now a greater than 1 in 10 chance of data being stolen in a ransomware attack and the average ransom payment has nearly doubled over the years, with this trend showing no signs of slowing down. Hackers also tend to duplicate successful attacks and hit victims over and over again. 

Some hackers even corrupt and delete a company’s files while they await the ransom payment, just to show that they’re serious.

While a few thousand dollars may seem insignificant for larger businesses, it can be crippling for smaller businesses that cannot afford to lose their data. 

Regardless of the cyber criminal’s ultimate actions, the actual cost of ransomware goes beyond just the pay-out. Beyond the potential legal costs and the financial consequences of data loss and downtime, there is the reputational cost: a business can lose consumer trust, and subsequently custom, as a result of a breach.

To pay or not to pay

Non-paying victims run the risk, and often fall foul, of their data being published on leak sites or sold off to the highest bidder.

Paying a ransomware demand is, however, generally discouraged. In the event an entity considers paying a ransom demand, it must accept the risk that the attacker may not return access to the data, or may even have released it already onto the dark web. And, as stated, there is no reason why a hacker would not simply try again, as the business is then seen as an easy, paying target.

Another concern especially for businesses when considering paying the hacker, is that on 1st October 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued guidance cautioning companies of the potential risk of US sanctions for certain ransomware payments paid to parties designated as malicious cyber actors under OFAC’s cyber-related sanctions program.

The OFAC advisory clearly states that engaging in or facilitating ransomware payments may result in enforcement actions and civil penalties in the event the payee is a sanctioned party – even if the entity is unaware that the cyber-criminal is subject to US sanctions.


Cyber Insurance

The cost of a ransomware attack can be extremely high—not just the cost of the ransom itself, but also the costs associated with loss of business whilst the files and documents are unavailable.


James Carder, LogRhythm CISO and Vice President of LogRhythm Labs, advises organizations to prepare by getting a good cyber insurance policy that explicitly covers losses due to ransomware.

“If you have a loss of revenue due to a ransomware infection, you may be able to use your cyber insurance to make a claim to recover that revenue,” says Carder. “From a pure risk management perspective, getting a really good cyber insurance policy is probably worth its weight in gold in situations like this.”

How can you protect yourself from a Ransomware attack?

The best defence against ransomware is for users not just to learn about ransomware (what it is and what happens), but to know the organisation’s cyber security status and the controls and processes that are in place, and to understand how to mitigate impact as best as possible should an attack happen. Individuals need to know their devices, what the risks are and where to go for advice and support. In the UK the NCSC provides excellent support, advice and information to individuals, small businesses and large organisations alike.

For businesses in the UK that aren’t sure where to start with cyber security, the National Cyber Security Centre (NCSC) provides cyber security guidance and support to individuals, families, businesses large or small. Working with the Information Assurance for Small and Medium Enterprises Consortium (IASME) they also provide the Cyber Essentials, the government-backed, industry supported scheme to help organisations protect themselves against common cyber attacks. Working towards this certification is an easy introduction and start for a business to build its cyber defences. Find out more about Cyber Essentials here.

Steps of defence you can take to keep an attack from shutting down your business

‘On average it takes around 23 days to resolve a ransomware attack.’ (Accenture)

Ransomware attacks are increasing in frequency and seriousness, so you need to prepare your organisation for the very real possibility of an attack.

Following is a brief overview of the incident response advice from both the SANS Institute and the National Institute of Standards and Technology (NIST); for a more in-depth look into the phases, click here. The key phases and actions for defence are:


1 Preparation

Preparation can be as simple as making sure you have a trained incident response team: in-house, contracted or at least a business card so you know who to call. But key steps within preparation include:

  • Pen-test and Patch (Find out more about pen-testing here)
  • Create and Protect Your Backups
  • Prepare a Response Plan
  • Assign Least Privileges
  • Connect with Industry and Threat Intelligence Sources
  • Protect Your Endpoints
  • Educate Employees and Users
  • Consider Cyber Security Insurance
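To make “Create and Protect Your Backups” concrete, here is an added example in Python (not code from the article or from any vendor it mentions). It builds a hash manifest of a backup set, signs the manifest with an HMAC key that is assumed to be kept off the backup host, and later verifies the set so that files deleted or overwritten (as happens in the backup defilement and encryption phases described above) are reported before anyone restores from them. The manifest layout, the key handling and the sample files are all constructed for this illustration.

```python
"""Backup integrity manifest: find backup files that were deleted or altered
(for example, encrypted) before relying on them for recovery.

Added example, not from the original article. The manifest format and the
separately stored HMAC key are assumptions made for this illustration.
"""
import hashlib
import hmac
import json
import os
import tempfile


def _file_digest(path):
    """SHA-256 of a file, read in chunks so large backups fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key):
    """Hash every file under root and sign the set with an HMAC, so the
    manifest cannot be silently rewritten by whoever alters the files.
    key: bytes kept off the backup host (assumption: an offline store or vault)."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = _file_digest(full)
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify_backup(root, manifest, key):
    """Return a status dict; refuse to trust a manifest whose tag fails."""
    body = json.dumps(manifest["entries"], sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return {"manifest_ok": False, "missing": [], "modified": [], "ok": []}
    result = {"manifest_ok": True, "missing": [], "modified": [], "ok": []}
    for rel, digest in manifest["entries"].items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.exists(full):
            result["missing"].append(rel)
        elif _file_digest(full) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo():
    """Constructed scenario: a good backup; then one file overwritten with
    random bytes (as encryption would) and one deleted; then a manifest
    rebuilt without the real key, as a tamperer would have to."""
    key = b"example-key-kept-offline"  # constructed; never store beside the backups
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        for rel, data in [("db/dump.sql", b"CREATE TABLE t(x);"),
                          ("notes.txt", b"quarterly notes"),
                          ("config.ini", b"[app]\nmode=prod")]:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)
        # Simulate ransomware reaching the backup share.
        with open(os.path.join(root, "db", "dump.sql"), "wb") as f:
            f.write(os.urandom(32))
        os.remove(os.path.join(root, "notes.txt"))
        damaged = verify_backup(root, manifest, key)
        # A rewritten manifest that matches the damaged files but lacks the key.
        forged = build_manifest(root, b"wrong-key")
        forged_check = verify_backup(root, forged, key)
    return clean, damaged, forged_check


if __name__ == "__main__":
    for label, status in zip(("clean", "damaged", "forged manifest"), demo()):
        print(label, status)
```

Run the manifest step at backup time and the verify step on a schedule and before any restore; because the key never lives on the backup host, a manifest rewritten to match encrypted files fails the tag check instead of quietly certifying bad data.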

2 Detection and Identification

Should your business get hit with an attack, you can minimise the damage if you detect the malware early, by taking the following steps:

  • Prime Your Defence Devices
  • Screen Email for Malicious Links and Payloads
  • Look for Signs of Encryption and Notification
  • Scope the incident
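As an added illustration of what “Look for Signs of Encryption and Notification” can mean in practice, and of how phases 3 (backup defilement), 4 (file encryption) and 5 (user notification) from the attack walkthrough above show up in telemetry, the following Python script is not part of the original article. It runs three simple heuristics over constructed file-audit log lines: deletions under a backup directory, a burst of renames to one new file extension within a short window, and note-like files created across many folders. The log format, the backup directory names, the ransom-note filename pattern and the thresholds are all assumptions made for this example.

```python
"""Toy ransomware-activity detector over file-audit log lines.

Added example: the log format, field names, directory names and thresholds
are assumptions made for this illustration, not any product's real schema.
"""
from collections import defaultdict, deque
from datetime import datetime
import os
import re

# Assumed log format (constructed for this example):
#   <ISO timestamp> <host> <user> <ACTION> <path> [-> <new path>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<action>CREATE|WRITE|RENAME|DELETE) (?P<path>\S+)(?: -> (?P<new>\S+))?$"
)

# Directory names treated as backup locations (assumption for the example).
BACKUP_DIRS = {"backups", "backup", "shadowcopies"}
# Filenames that look like a ransom note (assumption: generic wording only).
NOTE_RE = re.compile(r"(readme|decrypt|restore|recover).*\.(txt|html|hta)$", re.I)


def split_path(path):
    """Split on / or \\ so the same code handles Windows and POSIX paths."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    return parts[:-1], (parts[-1] if parts else "")


def parse(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def in_backup_dir(path):
    dirs, _ = split_path(path)
    return any(d.lower() in BACKUP_DIRS for d in dirs)


def analyse(lines, window_seconds=60, rename_threshold=20, note_dir_threshold=5):
    """Return a list of (alert_type, (host, user), detail) tuples, in log order."""
    alerts = []
    renames = defaultdict(deque)      # (host, user) -> recent (ts, new_ext)
    alerted_rename = set()
    note_dirs = defaultdict(set)      # (host, user) -> folders holding note-like files
    alerted_note = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                  # unparsable line: skip, never crash the detector
        key = (rec["host"], rec["user"])
        if rec["action"] == "DELETE" and in_backup_dir(rec["path"]):
            alerts.append(("backup_tampering", key, rec["path"]))
        elif rec["action"] == "RENAME" and rec["new"]:
            old_ext = os.path.splitext(split_path(rec["path"])[1])[1].lower()
            new_ext = os.path.splitext(split_path(rec["new"])[1])[1].lower()
            if new_ext and new_ext != old_ext:
                q = renames[key]
                q.append((rec["ts"], new_ext))
                # Drop renames that fell out of the sliding window.
                while q and (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
                    q.popleft()
                same = sum(1 for _, e in q if e == new_ext)
                if same >= rename_threshold and (key, new_ext) not in alerted_rename:
                    alerted_rename.add((key, new_ext))
                    alerts.append(("mass_rename", key, new_ext))
        elif rec["action"] == "CREATE":
            dirs, name = split_path(rec["path"])
            if NOTE_RE.search(name):
                note_dirs[key].add("/".join(dirs))
                if len(note_dirs[key]) >= note_dir_threshold and key not in alerted_note:
                    alerted_note.add(key)
                    alerts.append(("ransom_note_spread", key, len(note_dirs[key])))
    return alerts


def sample_log():
    """Constructed sample: normal activity, then a backup wipe, a burst of
    renames to a new extension, and note-like files dropped in many folders."""
    lines = [
        "2020-10-05T09:00:01 ws01 alice WRITE /home/alice/docs/q3.xlsx",
        "2020-10-05T09:00:05 ws01 alice RENAME /home/alice/docs/draft.docx -> /home/alice/docs/final.docx",
        "2020-10-05T09:01:00 ws01 alice DELETE /srv/backups/2020-10-04/full.tar",
    ]
    for i in range(25):
        lines.append(f"2020-10-05T09:02:{i:02d} ws01 alice RENAME "
                     f"/home/alice/docs/f{i}.docx -> /home/alice/docs/f{i}.docx.zzz")
    for i in range(6):
        lines.append(f"2020-10-05T09:03:{i:02d} ws01 alice CREATE /home/alice/dir{i}/HOW_TO_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for alert in analyse(sample_log()):
        print(alert)
```

The three heuristics fire in the same order the phases occur, which is the point of priming defence devices early: the backup deletion is visible before a single document has been touched, and the rename burst trips the threshold well before the encryption run finishes. A real deployment would feed this from EDR or file-server audit events and tune the window and thresholds against its own baseline.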

3 Containment

Damaged systems need to be removed, devices isolated and compromised accounts locked down. A key step at this stage is to isolate the afflicted endpoint as quickly as possible.

4 Eradication

Once the ransomware incident is identified and contained, it needs to be removed from the network, and any damage discovered in the identification phase remediated.

Replace, rebuild or clean

It’s generally recommended, where possible, that machines are replaced rather than cleaned, as a tool an attacker has put in place may not be detected in a clean-up. However, it can be more pertinent to clean certain locations. If so, it is imperative to monitor continually to prevent the attack from re-emerging.

5 Recovery

Having and following your disaster recovery plan is vital to get all affected systems up and running again and quickly get back to business as usual.

A full investigation into the ransomware attack as to what specific infection vector was used against the system is also needed. Knowing how the ransomware came onto the system in the first place helps to prepare and improve defence systems for the future.


6 Lessons Learnt

The last phase, but arguably the most important is to learn from the incident to help prevent future incidents. Businesses can be too quick to delete, restore, and re-image at the first sign of an incident before they’ve fully learned how the attacker got in, or how much damage was really done. Without this stage, a business can easily find itself repeating the same steps again and again, against the same attack, with no improvement.


Ransomware isn’t going away any time soon; in fact, it continues to grow. Quite simply, as long as it keeps working for attackers, individual users and businesses will continue to be targeted. Cybercriminals will continue to take advantage of security weaknesses to deploy destructive ransomware attacks as long as individuals and businesses fail to make cyber security a priority.

Both prevention (regular security audits, application testing, penetration testing etc.) and cure (an incident plan and response management tool in place) are equally important. Considering and implementing both, not just one, is vital for an organisation’s cyber hygiene in the fight against cybercrime. Following a guide to ransomware, or indeed advice on improving cyber posture and cyber protection as a whole, should become a habit rather than a chore.

Logically Secure provides experienced and expert security testing, incident response consultancy and management tools for businesses of all sizes.