What Are Ransomware Attacks? How They Work and Prevention

Ransomware attacks are malware attacks in which threat actors encrypt and/or steal files and data to extort a ransom. They may also threaten to destroy or publish the data. Attackers generally promise to provide decryption keys and/or delete stolen data once the victim pays. Ransomware has become especially prevalent as remote and hybrid work have put more endpoints outside the traditional network perimeter, where they are easier to reach and harder to monitor.

Ransomware Is on the Rise

Ransomware attacks have been evolving quickly over the last few years, becoming more frequent, evasive, and costly. New ransomware-as-a-service (RaaS) models offer ready-made paths to profit for aspiring threat actors, even without expertise.

At the same time, attackers are putting new spins on old techniques. Some are using double extortion, multiplying pressure on their victims by combining encryption and data theft. Others have pioneered "encryption-less" attacks, focusing entirely on the threat of a leak.

As new techniques emerge, traditional methods of file recovery and decryption are becoming less viable. In this threat landscape, it's more important than ever to focus on prevention.

How Do Ransomware Attacks Work?

A typical ransomware attack sequence looks like this:

Initial Compromise

Many ransomware attacks begin with phishing emails. These may appear to be from retailers, banks, or other entities regarding delivery delays, fraudulent transactions, and so on. Such emails carry malicious attachments or links that, when opened, drop malware (often a small loader that later fetches the ransomware itself) onto the victim's device to set up the attack.

Lateral Movement

Once a device is compromised, the attack spreads. If the device is on a network, the attackers (or the malware itself, in the case of self-propagating worms such as WannaCry) try to steal credentials and compromise a domain controller, which lets them move throughout the network, reach backups, and infect other devices before encryption begins.

Execution

The ransomware executes once the attackers have enough access, encrypting and/or exfiltrating the victim's data. Finally, the victim receives a ransom demand, typically with a time limit before the data is sold, leaked, or lost. If the victim pays, attackers using encryption strategies generally promise to provide a decryption key that unlocks the data. However, they don't always provide the decryption key, and when they do, it doesn't always work.
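The execution stage described above is where endpoint detection gets its last chance. Below is an added example, not code from the page or from any vendor product, of the kind of behavioral rule an EDR applies at that point: it scores each process on three signals, a burst of file renames, repeated writes of near-random (ciphertext-like) content, and the creation of a ransom note. The event layout, the process and file names, the ransom-note name list and every threshold are constructed assumptions; real telemetry comes from Sysmon, ETW or an EDR agent, and thresholds need tuning per environment.

```python
"""Behavioral ransomware detector over a constructed file-activity log.

Added example, not code from the page or from any product. The event shape
(ts, pid, process, op, path, data) and all thresholds are assumptions; real
EDR/Sysmon telemetry differs, and thresholds must be tuned per host.
"""
import math
from collections import defaultdict

# Ransom-note filenames often dropped beside encrypted files (illustrative set).
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore-my-files.txt"}
RENAME_THRESHOLD = 5       # renames by one process within WINDOW_SECONDS
WINDOW_SECONDS = 10
ENTROPY_THRESHOLD = 7.0    # bits per byte; ciphertext sits near 8.0, documents well below
HIGH_ENTROPY_WRITES = 3    # how many such writes before we raise the signal


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def analyze(events):
    """Return {pid: [reasons]} for processes whose file activity looks like encryption."""
    per_proc = defaultdict(list)
    for e in events:
        per_proc[e["pid"]].append(e)

    findings = {}
    for pid, evs in per_proc.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []

        # Signal 1: a burst of renames (documents getting a new extension) in a short window.
        renames = [e for e in evs if e["op"] == "rename"]
        for i, first in enumerate(renames):
            burst = [r for r in renames[i:] if r["ts"] - first["ts"] <= WINDOW_SECONDS]
            if len(burst) >= RENAME_THRESHOLD:
                reasons.append(f"{len(burst)} renames within {WINDOW_SECONDS}s")
                break

        # Signal 2: repeated writes of near-random content, which is what ciphertext looks like.
        high = [e for e in evs if e["op"] == "write"
                and shannon_entropy(e["data"]) >= ENTROPY_THRESHOLD]
        if len(high) >= HIGH_ENTROPY_WRITES:
            reasons.append(f"{len(high)} high-entropy writes")

        # Signal 3: a ransom note created in a user directory.
        notes = [e for e in evs if e["op"] == "create"
                 and e["path"].rsplit("/", 1)[-1].lower() in RANSOM_NOTE_NAMES]
        if notes:
            reasons.append(f"ransom note created: {notes[0]['path']}")

        if reasons:
            findings[pid] = reasons
    return findings


def _ev(ts, pid, process, op, path, data=b""):
    return {"ts": ts, "pid": pid, "process": process, "op": op, "path": path, "data": data}


# Constructed sample data: one benign editor process and one encryptor (names are made up).
CIPHERTEXT = bytes(range(256)) * 4                      # exactly 8.0 bits/byte
PLAINTEXT = b"Quarterly revenue figures are attached. " * 20
SAMPLE_EVENTS = (
    [_ev(100, 1200, "winword.exe", "write", "/home/alice/Q3.docx", PLAINTEXT),
     _ev(101, 1200, "winword.exe", "rename", "/home/alice/~WRL0001.tmp")]
    + [_ev(200 + i, 4412, "svch0st.exe", "write", f"/home/alice/docs/file{i}.docx", CIPHERTEXT)
       for i in range(6)]
    + [_ev(200 + i, 4412, "svch0st.exe", "rename", f"/home/alice/docs/file{i}.docx.locked")
       for i in range(6)]
    + [_ev(207, 4412, "svch0st.exe", "create", "/home/alice/docs/README.txt")]
)

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Run on the constructed events, only the encryptor (pid 4412) is flagged, on all three signals, while the editor's single rename and low-entropy write are ignored. Each signal alone produces false positives (compressed archives are high-entropy, a bulk file move is a rename burst), which is why production rules combine several and act on the first hit by suspending the process rather than merely logging.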

Consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network.

Cybersecurity and Infrastructure Security Agency

How Have Ransomware Attacks Evolved?

The widely cited first ransomware attack occurred in 1989. Following a World Health Organization conference on AIDS, attendees received "AIDS Information" floppy disks carrying a trojan. After a set number of reboots, the trojan hid directories and encrypted file names on the infected system, then asked the victim to mail a $189 payment to a post office box in Panama to restore access.

In the early 1990s came “scareware,” so called for its use of fear-based social engineering. Infected computers would display an error message with a link to buy and download software to fix the issue. (The software was, of course, usually more malware, often designed to steal data.) Scareware persists today in many forms, such as malspam and browser popups.

The rise of file sharing popularized a category of ransomware called screen lockers. Instead of encrypting files, these would lock the user's system and demand a ransom or "fine" (frequently citing police, the FBI, etc.). In reality, many lockers simply restricted mouse movement, and a system restart could restore normal functions. Nonetheless, fear led many victims to pay.

The Link Between Ransomware and Cryptocurrency

Early on, ransom demands typically peaked at a few hundred dollars from individual users. Moreover, ransom payments were usually made with prepaid cash vouchers or ordinary payment cards, making the transactions far easier to track and the threat actors easier to catch.

Today, innovations in cybercrime and crypto technology have helped ransomware explode in popularity. In particular, cryptocurrency has enabled bad actors to collect payments from anywhere in the world without the identity checks and chargebacks that card payments carry. Bitcoin and similar currencies are pseudonymous rather than truly anonymous, but mixers, chain hopping, and unregulated exchanges make the proceeds hard to trace and even harder to recover.

Ransomware as a Service (RaaS)

RaaS is a byproduct of that popularity and success. RaaS kits are often subscription- or affiliate-based and affordable, much like legitimate SaaS offerings. Many are readily available on the dark web, and they let even people without programming skills launch an attack and keep a share of the profits. Some RaaS operators even offer technical support and paid bug bounty programs.

Double Extortion Ransomware

Eventually, better data backup and decryption technology began to move the needle in victims’ favor. In response, in 2019, a criminal group called TA2102 perpetrated the first high-profile double extortion ransomware attack, both encrypting and exfiltrating the victim’s data before threatening to leak it unless paid US$2.3 million in bitcoin. This way, even if the victim had managed to restore their data, they would still suffer a severe data breach unless they paid.

Encryption-less Ransomware

In 2022 and 2023, a trend emerged that changed what ransomware means at its core. Both an evolution and a sort of regression, encryption-less ransomware attacks don't encrypt victims' files at all. Instead, attackers focus only on exfiltrating sensitive data and using it as leverage for extortion.

Victims of these attacks tend to be in sectors that handle highly sensitive PII, such as legal and healthcare. Because their key concern is preventing leaks of their sensitive data, many will pay the ransom regardless of encryption. In addition, victims can recover unencrypted data more quickly and easily, often translating to faster ransom payouts.

Types/Examples of Ransomware Attacks

Among the myriad types of ransomware and ransomware groups, some of the most common and well-known are:

  • CryptoLocker: Characterized by its strong encryption and massive botnet, this ransomware was so successful in 2013 and 2014 that it continues to inspire copycat attacks.
  • WannaCry: A cryptoworm targeting Windows that spread on its own through the EternalBlue SMBv1 exploit (patched by Microsoft in MS17-010 two months before the outbreak), it has impacted more than 300,000 systems (and counting) worldwide since its release in 2017. Because of its scale and global reach, it remains one of the biggest ransomware attacks in history.
  • NotPetya: Surfacing soon after WannaCry, NotPetya first appeared to be a new round of 2016's Petya ransomware. However, there was no way to recover encrypted data, even for the attackers. The attack was actually virulent "destructionware" attributed to the Russian state-backed group Sandworm.
  • Ryuk: This ransomware strain has been tied to a number of groups that have impacted the healthcare industry, the public sector, and education, particularly US school systems.
  • REvil: Notorious for breaches in the legal, entertainment, and public sectors, REvil launched a barrage of attacks between May 2020 and October 2021, including the Kaseya VSA attack.
  • DarkSide: This ransomware variant is responsible for the 2021 Colonial Pipeline attack, one of the most famous double extortion attacks. DarkSide is a common "as a service" variant, with licensees sharing in its profits.
  • GandCrab: VirusTotal’s 2021 Ransomware in a Global Context report cited GandCrab as the most prevalent ransomware attack of that year, accounting for 78.5% of samples taken for the report.
  • LockBit: A builder tool for this sophisticated ransomware leaked in late 2022. In the hands of countless new attackers, it was 2023's most prolific variant, with more than 800 known data leak victims.

How Can Ransomware Be Delivered?

Attackers are always devising new ways to deliver ransomware, but several stand out as the most popular and effective. The main ransomware attack vectors are:

  • Phishing: Deceptive emails or similar messages, usually laden with infected links or attachments, trick users into letting ransomware onto their system.
  • Drive-by downloads: Attackers exploit software, OS, or browser vulnerabilities so that ransomware (or a loader for it) is downloaded and run silently when victims merely visit a compromised or malicious web page, with no click required.
  • Software vulnerabilities: Attackers exploit weaknesses in applications or systems, giving them entry points into a network, where they can deploy ransomware directly.
  • Malicious websites: Attackers create fraudulent sites that host ransomware, and then convince visitors to download it under false pretenses.
  • Watering hole attacks: Attackers compromise legitimate websites used by their intended victims, and then use social engineering to trick visitors into downloading ransomware.
  • Remote Desktop Protocol (RDP) attacks: Attackers gain access to internet-exposed RDP services, generally by brute-forcing or spraying passwords, stealing credentials, or buying them from initial access brokers, and then deploy ransomware directly onto the target network.
  • Malvertising (malicious advertising): Attackers place infected ads on otherwise legitimate websites, which infect systems with ransomware when victims interact with the ad.
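Exposed RDP is the vector on the list above that a SOC can watch most directly, because every attempt lands in the Windows Security log. The following added example, not from the page, detects brute force and password spraying against RDP in those events and escalates to critical when a burst of failures is followed by a successful logon from the same source. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real; the one-line log format, the source addresses (RFC 5737 documentation ranges), the account names and the thresholds are constructed for the example.

```python
"""Detect RDP credential attacks in constructed Windows Security log lines.

Added example, not code from the page. The one-line event format below is an
assumption (real events are EVTX/XML); event IDs 4625 and 4624 and
LogonType 10 (RemoteInteractive, i.e. RDP) are real Windows values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Src=(?P<src>\S+)$"
)
FAIL_THRESHOLD = 5            # failed logons from one source within WINDOW (assumed tuning)
WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPES = {10}        # add 3 when NLA is enabled; see the note below the block


def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["eid"] = int(ev["eid"])
    ev["lt"] = int(ev["lt"])
    return ev


def detect_rdp_abuse(lines):
    """Return {source_ip: alert} for sources showing brute force or password spraying."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["lt"] in RDP_LOGON_TYPES:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["eid"] == 4625]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= WINDOW]
            if len(burst) < FAIL_THRESHOLD:
                continue
            accounts = {f["acct"].lower() for f in burst}
            # Many attempts against one account is brute force; a few attempts
            # each against many accounts is password spraying.
            kind = "password spray" if len(accounts) > 1 else "brute force"
            last_fail = burst[-1]["ts"]
            # A success from the same source shortly after the burst means the guess worked.
            success = next((e for e in evs if e["eid"] == 4624
                            and last_fail <= e["ts"] <= last_fail + WINDOW), None)
            alerts[src] = {
                "kind": kind,
                "attempts": len(burst),
                "accounts": sorted(accounts),
                "severity": "critical" if success else "high",
                "compromised": success["acct"] if success else None,
            }
            break
    return alerts


# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = (
    # 203.0.113.7: eight failures against Administrator, then a success (brute force that worked)
    [f"2024-03-04T02:1{i}:00Z EventID=4625 LogonType=10 Account=Administrator Src=203.0.113.7"
     for i in range(8)]
    + ["2024-03-04T02:18:00Z EventID=4624 LogonType=10 Account=Administrator Src=203.0.113.7"]
    # 198.51.100.23: one failure each against six accounts, no success (spray)
    + [f"2024-03-04T03:0{i}:00Z EventID=4625 LogonType=10 Account={a} Src=198.51.100.23"
       for i, a in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # 192.0.2.10: a user mistyping twice, then logging in (benign)
    + ["2024-03-04T04:00:00Z EventID=4625 LogonType=10 Account=bob Src=192.0.2.10",
       "2024-03-04T04:01:00Z EventID=4625 LogonType=10 Account=bob Src=192.0.2.10",
       "2024-03-04T04:02:00Z EventID=4624 LogonType=10 Account=bob Src=192.0.2.10"]
    # non-RDP logon type and a malformed line, both ignored
    + ["2024-03-04T02:12:00Z EventID=4625 LogonType=3 Account=Administrator Src=203.0.113.7",
       "corrupted line"]
)

if __name__ == "__main__":
    for src, alert in detect_rdp_abuse(SAMPLE_LOG).items():
        print(src, alert)
```

One caveat from practice: when Network Level Authentication is enabled, a failed RDP logon is usually recorded with LogonType 3 (network) because CredSSP authenticates before a session exists, so a production rule should add 3 to RDP_LOGON_TYPES and correlate on the source address rather than on the logon type alone.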

Should You Pay the Ransom?

For many ransomware victims, the most difficult question is, “To pay, or not to pay?”

Many organizations are willing to pay to protect their data, but is that the right decision? Multiple reports since 2021 have found that some 80% of organizations that do so still suffer a repeat attack. Beyond that, as CISO Brad Moldenhauer put it, “... paying digital ransoms could aid and abet terrorism and certainly does so for cybercrime.”

Consider these other angles, as well:

  • Recovering your data isn't a guarantee, assuming that was the attacker's intent to begin with (NotPetya, above, offered no way to recover at all).
  • In some circumstances and jurisdictions, paying a ransom is illegal, for example when the recipient is a sanctioned entity.
  • In the case of double extortion, even if you recover your data, attackers still have copies and can expose it if you don't pay.

The choice often comes down to your unique circumstances. You'll need to consider how a breach and possible loss of data will affect your operations, users, and customers.

What Are the Effects of Ransomware on Businesses?

Ransomware impacts organizations of all kinds worldwide, with more attacks each year. It can have ill effects on revenue, public opinion, and more.

Lost Capital and/or Data

Making the choice between losing data and losing money is a dangerous dilemma, particularly in industries that handle sensitive data. If you ignore ransom demands, you risk a data leak. Even if you pay, however, there’s no guarantee you’ll get your data back.

Reputational Damage

Whether you pay or not, in many jurisdictions you're obligated to report the breach to regulators and affected individuals, and the report, or the attacker's leak-site posting, can lead to media coverage. When that happens, your organization can lose business, customer trust, or both, even if you're arguably not at fault.

Legal Repercussions

Several US states prohibit state and local government entities from paying ransoms, and other jurisdictions worldwide are considering similar statutes. Separately, US sanctions law makes it illegal for US persons to pay a sanctioned group or its facilitators, whoever the victim is. In addition, a breach can result in added regulatory scrutiny, which may lead to fines and other legal costs.

How to Remove Ransomware

If you suspect a ransomware infection, you should first immediately take a few key steps to stop it from spreading. Then, in some cases, you can remove the ransomware infection. Start with:

Step 1: Isolate infected devices. Disconnect them from any wired or wireless connections (or quarantine them through your EDR) to stop the infection from spreading. Prefer a network disconnect over pulling power: powering off destroys volatile memory that may hold the encryption key and the forensic evidence you need later, so cut power only if you cannot otherwise stop encryption in progress. If you discover ransomware before it executes, you may be able to remove it before the attacker can make a ransom demand.

Step 2: Determine what you're facing. Consult your IT or security team for help identifying the infection and understanding your next steps. Preserve the ransom note and a few encrypted files, since these are what identify the family. You can find decryptor tools for some variants, but it's important not to count on them. Decryptors are often ineffective against sophisticated ransomware, and they won't help much in the case of double extortion.

Step 3: Recover your lost data. Usually, you'll do this by restoring it from a backup. Regular backups that are kept offline or immutable, out of reach of the credentials the attacker stole, and tested by actually restoring from them are the only way to be confident you can recover all your data; attackers routinely look for and encrypt or delete any backups they can reach before they trigger encryption. Verify that a backup is intact before restoring, and restore onto clean systems. If you can't recover your data, carefully consider the potential legal and financial consequences before paying a ransom.

Step 4: Remove the ransomware. Here, you'll generally need the help of a security professional, and in many cases you'll want to involve law enforcement, such as the FBI, as well. Rebuilding affected systems from known-good images is safer than cleaning them in place. Whoever supports you should investigate the root cause of the infection to determine the vulnerability or weakness that enabled the attack.

Step 5: Evaluate and address the root cause. Shore up your defenses wherever they failed, whether that's an unpatched internet-facing service, exposed RDP, a flaw in your email filtering, insufficient user training, or something else. Repeat attacks can and do happen, and you can be better prepared.
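Step 3 depends on the backup being trustworthy, and ransomware operators who reach a backup share encrypt or delete it before triggering. The following added example, not from the page, shows how to verify a snapshot against an HMAC-signed manifest before restoring, so a backup that was silently encrypted, truncated or replaced is refused. The in-memory snapshot (a dict of path to bytes), the manifest layout, the placeholder key and the suspicious-extension list are all assumptions; the design point is that the signing key lives in a vault the backup host cannot read, so an attacker on that host cannot re-sign a tampered snapshot.

```python
"""Verify a backup snapshot against an HMAC-signed manifest before restoring.

Added example, not code from the page. The manifest format, the in-memory
"snapshot" (dict of path -> bytes) and the key are assumptions. The key must
be stored off the backup host (vault/HSM): an attacker who reaches the backups
can rewrite the hash list, but cannot produce a valid signature without it.
"""
import hashlib
import hmac
import json

# Extensions ransomware families commonly append to encrypted files (illustrative).
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt")
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt"}


def _canonical(entries):
    """Deterministic byte encoding of the hash list, so the HMAC is reproducible."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(snapshot, key):
    """Hash every file and sign the hash list; run this when the backup is taken."""
    entries = {path: hashlib.sha256(data).hexdigest() for path, data in snapshot.items()}
    sig = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "sig": sig}


def verify_backup(snapshot, manifest, key):
    """Check the signature, then every file; refuse to restore on any mismatch."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    report = {
        "signature_valid": hmac.compare_digest(expected, manifest["sig"]),
        "missing": [], "modified": [], "unexpected": [], "suspicious": [],
    }
    for path, digest in manifest["entries"].items():
        if path not in snapshot:
            report["missing"].append(path)
        elif not hmac.compare_digest(hashlib.sha256(snapshot[path]).hexdigest(), digest):
            report["modified"].append(path)
    for path in snapshot:
        if path not in manifest["entries"]:
            report["unexpected"].append(path)
        name = path.rsplit("/", 1)[-1].lower()
        if name.endswith(SUSPICIOUS_SUFFIXES) or name in RANSOM_NOTE_NAMES:
            report["suspicious"].append(path)
    report["restorable"] = (report["signature_valid"]
                            and not report["missing"] and not report["modified"])
    return report


# Constructed scenario.
KEY = b"store-this-in-a-vault-not-on-the-backup-host"   # placeholder, not a real secret
GOOD_SNAPSHOT = {
    "finance/q3.xlsx": b"revenue,cost\n100,80\n",
    "hr/roster.csv": b"name,team\nalice,eng\n",
}
MANIFEST = build_manifest(GOOD_SNAPSHOT, KEY)

# The attacker reached the backup share, encrypted everything and dropped a note.
TAMPERED_SNAPSHOT = {
    "finance/q3.xlsx.locked": bytes(range(256)),
    "hr/roster.csv.locked": bytes(range(256)),
    "README.txt": b"your files are encrypted",
}
# Without the real key, the best they can do is re-sign the new hash list with a guess.
FORGED_MANIFEST = build_manifest(TAMPERED_SNAPSHOT, b"wrong-key")

if __name__ == "__main__":
    print(verify_backup(GOOD_SNAPSHOT, MANIFEST, KEY)["restorable"])                  # True
    print(verify_backup(TAMPERED_SNAPSHOT, MANIFEST, KEY)["restorable"])              # False
    print(verify_backup(TAMPERED_SNAPSHOT, FORGED_MANIFEST, KEY)["signature_valid"])  # False
```

Two failure modes are covered: the attacker leaves the original manifest in place (the signature still verifies, but every original file is missing and the .locked files and note are flagged), or the attacker regenerates the manifest (the signature fails because the key was never on the backup host). Either way the restore is refused, which is exactly the decision you want to make before, not after, rebuilding production from that snapshot.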

Ransomware Prevention Is Key

The reality is that once attackers encrypt or exfiltrate your data, one way or another, you lose. That’s why preventing ransomware infections in the first place is the real key to defending against them.

Stopping every attack that comes your way is likely impossible, but with due diligence, security awareness training, and the right technology, you can minimize your risk. You need an effective anti-ransomware strategy, including principles and tools that:

  • Use a sandbox (increasingly AI-driven) to quarantine and inspect suspicious content before it reaches users
  • Inspect all TLS/SSL-encrypted traffic, since most malware delivery and data exfiltration now travel over encrypted connections
  • Implement always-on protection that follows users and devices off the corporate network
  • Close the entry points listed above: patch internet-facing systems promptly and require MFA on remote access such as RDP and VPN

Pairing modern solutions with a proactive defensive approach is the most effective ransomware protection model in today's cybersecurity playbook.

How Zscaler Can Help

Zscaler offers cloud native ransomware protection to defend your data across the full attack life cycle. Our globally proven, cloud-delivered zero trust architecture empowers you to:

Eliminate the attack surface
Make all entry points invisible to attackers. Zero trust architecture never exposes users, networks, or applications to the internet.

Prevent initial compromise
Inspect 100% of inbound and outbound connections. Threats are blocked before they can cause damage.

Stop lateral movement
Broker direct, 1:1 connections between users, workloads, and applications. The network remains invisible to attackers.

Block data exfiltration
Inspect all traffic in real time and at cloud scale. Sensitive data never leaves the network on an untrusted connection.
