What is Ransomware?
Ransomware definition
Ransomware is a type of malware that encrypts valuable files on a victim's device, denying the owner access, and demands money in exchange for the decryption key. Ransomware has become increasingly difficult to deal with, partly because ransom payments are demanded in cryptocurrency, which is pseudonymous and hard to trace back to a person. Ransomware typically enters a system when a user clicks a malicious link or downloads and opens a malicious file.
What is a ransomware attack?
Ransomware can infiltrate a device through email phishing, malvertising, or when an attacker exploits vulnerabilities in software or in exposed remote access services such as RDP, often using weak or stolen credentials. Once inside, the attacker or the malware can move laterally, spreading to other systems on the same network, and to any other networks the device can reach, for as long as it remains connected.
When ransomware is deployed on a victim's system, it encrypts valuable files such as Word documents, emails and spreadsheets using a strong algorithm in order to deny the user access. The threat actor then displays a message demanding payment in exchange for the decryption key. The ransom amount can vary widely, from a few thousand to several million dollars, and is usually demanded in cryptocurrency to make the payment harder to trace. In many cases, even when the ransom is paid, the threat actor does not release the decryption key.
Why are ransomware attacks dangerous?
The impact of a ransomware attack can be severe, causing data loss, business disruption, and financial damage. Ransomware attacks can be challenging to defend against for several reasons:
Reputational and financial consequences
A ransomware attack could put your organization in the headlines for all the wrong reasons. When your systems are breached, your reputation is hurt, and other organizations may be hesitant to trust you with their information. A ransomware attack therefore has both short-term and long-term effects.
Evolving threat landscape
The threat landscape is constantly changing, with new ransomware variants and attack methods appearing regularly. Traditional signature-based anti-malware solutions may therefore fail to recognize the latest threats.
Social engineering tactics
Ransomware attacks often use social engineering tactics to trick users into downloading or opening malware-laden files or clicking on malicious links. Social engineering uses manipulation based on contextual knowledge of the victim to persuade them to hand over sensitive information or take an unsafe action. These tactics can be difficult to detect and may succeed even when an organization has strong technical controls in place.
Encryption
Ransomware typically uses encryption to lock the victim's files, making them inaccessible. Some variants can be decrypted without paying the ransom, usually because of a flaw in how the malware generates or stores its keys, or because the attacker's keys have been leaked or seized, but this can be time-consuming and is not possible in all cases. Think of encryption like a lock and key: the cyber criminal locks the files and holds the only key.
Payment in cryptocurrency
Ransom payments are typically demanded in cryptocurrency, which makes it harder for law enforcement to identify and apprehend the attackers.
Human error
Ransomware attacks can also be successful due to human error, such as an employee inadvertently clicking on a malicious link or failing to keep software up to date.
Who is affected by ransomware attacks?
Ransomware can target individuals, small businesses, and large organizations alike. However, some groups are more vulnerable to ransomware attacks than others, including:
Small and medium-sized businesses (SMBs)
SMBs are often targeted by ransomware because they may have weaker cybersecurity defenses than larger enterprises, making them an easier target.
Healthcare organizations
Healthcare providers and facilities are particularly at risk of ransomware attacks because they store sensitive patient data that is valuable to cybercriminals, and because downtime can endanger patients, which increases the pressure to pay quickly.
Government agencies
Government agencies and municipalities are frequent targets of ransomware attacks due to the large amounts of data they store and their critical role in providing essential services to the public.
Financial institutions
Banks and financial institutions are also at risk of ransomware attacks because they store large amounts of sensitive data and are a prime target for financial gain.
Individuals
Anyone can be targeted by ransomware, and individuals may be particularly vulnerable if they lack cybersecurity knowledge or fail to keep their software up to date.

How to prevent ransomware attacks
The following methods reduce the likelihood of a ransomware attack and limit its impact when one does occur:
Incident response plans
A response plan functions as a clear process for the security team to follow when a ransomware attack does happen. Having a plan in place ensures that the team is on the same page and can act quickly to contain the attack. A ransomware response plan will likely include isolating the infected systems, reporting the incident, and remediation and recovery efforts.
Security software
Purchasing security software that improves the efficiency of your security team will help build a stronger security stack in the long run. Many organizations are looking to AI-powered security software to help fight never-before-seen, sophisticated ransomware attacks.
See how AI-powered cybersecurity solutions can stop ransomware at every stage of the attack kill chain in the data sheet "Stages of a Ransomware Attack."
Secure backups
Ransomware operators specifically look for data backups and try to encrypt or delete them before triggering encryption on the rest of the estate. Use a backup system that does not give the protected hosts direct write or delete access to its files, such as offline, offsite or immutable (write-once) storage, and test restores regularly. Backups do not prevent an attack, but they make recovery possible without paying.
Keep software up-to-date
Out-of-date software contains known vulnerabilities that cyber criminals can use to compromise devices and applications. Security teams can be proactive about keeping their organization's software up to date by creating an inventory of all their assets, using automated tools such as network and vulnerability scanners, having a patch management process in place, and keeping up with the latest security advisories.
Security awareness training
Organizations are increasingly investing in security awareness programs designed to encourage best practice and discourage risky behavior across the workforce. This activity may reduce risk, but security teams struggle to enforce sustainable best practices. With bad habits inevitably returning once the training has passed and been forgotten, the challenge for security teams becomes instilling continuous awareness.
Attack example: Stopping advanced ransomware groups
Fog ransomware emerged in May 2024 as a novel ransomware strain whose operators move through targeted networks, encrypt files, and steal data in as little as two hours.
Darktrace's AI cybersecurity quickly identified and stopped Fog attacks, with autonomous responses that isolated affected devices and blocked suspicious connections, neutralizing attacks before they could progress. Unlike traditional network security tools that rely on signatures of known attacks, Darktrace defended our customers against this new and novel threat.
How to detect and stop ransomware?
AI Security Solutions
AI-powered security offers several capabilities that help fight a ransomware attack. AI security solutions can detect and stop ransomware in real time, using machine learning to identify threats before they cause damage. Behavioral analysis also lets these solutions detect ransomware that uses fileless techniques or that evades traditional signature-based detection.
AI can be used to analyze network traffic and identify unusual patterns or behaviors that may indicate a ransomware attack is in progress. This can help organizations detect and respond to attacks more quickly, potentially reducing the incident response time and the overall impact of the ransomware attack.
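The behavioral analysis described above can be illustrated with a small, self-contained detector. The following Python is an added example written for this page, not code from the original article or from any Darktrace product: it groups constructed file-system events by process and flags a process when it writes many files in a short burst, renames them to an unfamiliar extension, and writes content whose byte entropy is close to that of ciphertext. The event fields, thresholds and sample records are assumptions chosen for illustration.

```python
"""Behavioural ransomware detection over file-system activity records.

Added example, not taken from the original page or any vendor's product.
Three heuristics are applied to file events grouped by process:
  1. burst rate      - many file events from one process in a short window
  2. extension churn - renames that add an unfamiliar extension (e.g. ".locked")
  3. entropy         - written content that looks like ciphertext (near 8 bits/byte)
The FileEvent layout is an assumption; real records would come from an EDR agent,
Sysmon or auditd. The sample events at the bottom are constructed for illustration.
"""
import math
import os
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float            # seconds since start of observation
    pid: int             # process that performed the action
    action: str          # "write" or "rename"
    path: str
    new_path: str = ""   # destination path for renames
    data: bytes = b""    # first bytes written, for write events


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text is ~4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


# Extensions a workstation user is expected to produce; anything else after a rename is suspect.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".csv"}


def detect_ransomware(events, window=10.0, rate_threshold=20,
                      rename_threshold=5, entropy_threshold=7.5):
    """Return {pid: [reasons]} for processes whose activity matches ransomware behaviour."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)

    findings = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        reasons = []

        # 1. burst rate: largest number of events inside any sliding time window.
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= rate_threshold:
            reasons.append(f"{peak} file events within {window:g}s")

        # 2. extension churn: repeated renames to the same unfamiliar extension.
        new_exts = defaultdict(int)
        for e in evs:
            if e.action == "rename":
                ext = os.path.splitext(e.new_path)[1].lower()
                if ext and ext not in KNOWN_EXTENSIONS:
                    new_exts[ext] += 1
        for ext, count in new_exts.items():
            if count >= rename_threshold:
                reasons.append(f"{count} files renamed to unfamiliar extension {ext}")

        # 3. entropy: most of the process's writes carry near-random content.
        writes = [e for e in evs if e.action == "write"]
        high = [e for e in writes if shannon_entropy(e.data) >= entropy_threshold]
        if writes and len(high) / len(writes) >= 0.8:
            reasons.append(f"{len(high)}/{len(writes)} writes are high-entropy "
                           f"(>= {entropy_threshold} bits/byte)")

        if reasons:
            findings[pid] = reasons
    return findings


def sample_events():
    """Constructed activity: a user editing documents (pid 4120) and an encryptor (pid 6660)."""
    events = [
        FileEvent(0.0, 4120, "write", "C:/Users/ana/report.docx",
                  data=b"Quarterly report: revenue grew 4% on stable costs. " * 40),
        FileEvent(35.0, 4120, "write", "C:/Users/ana/notes.txt",
                  data=b"Call vendor about invoice 1187 before Friday.\n" * 20),
        FileEvent(70.0, 4120, "rename", "C:/Users/ana/draft.docx",
                  new_path="C:/Users/ana/final.docx"),
    ]
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    for i in range(30):
        path = f"C:/Users/ana/Documents/file{i}.xlsx"
        events.append(FileEvent(100.0 + i * 0.1, 6660, "write", path, data=rng.randbytes(4096)))
        events.append(FileEvent(103.0 + i * 0.1, 6660, "rename", path, new_path=path + ".locked"))
    return events


if __name__ == "__main__":
    for pid, reasons in detect_ransomware(sample_events()).items():
        print(f"pid {pid} flagged:")
        for r in reasons:
            print("  -", r)
```

Real deployments tune the thresholds per environment (a backup agent or a compiler also writes many files quickly) and combine the verdict with process reputation. The entropy test alone is fooled by compressed or already-encrypted inputs, which is why the three signals are evaluated together rather than any one on its own.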
What are the best ways to protect against email ransomware?
When considering how to protect against email ransomware, a multilayered strategy focused on the email vector — analyzing content, context, and sender identity — is essential.
Use gateway-level security controls
A secure email gateway (SEG) is a fundamental layer of inbox security. SEGs divert suspicious messages to an isolated quarantine instead of delivering them to users' inboxes, compare embedded URLs against real-time threat intelligence to block connections to known ransomware hosting sites, and detonate suspicious attachments in a sandbox to observe their behavior before deciding whether the message can be delivered.
Verify sender identity and authenticity
Sophisticated attackers often resort to spoofing to impersonate trusted brands or internal senior leadership. Countering these attacks requires email authentication protocols. Combine Sender Policy Framework (SPF), which lists the servers allowed to send mail for a domain, and DomainKeys Identified Mail (DKIM), which cryptographically signs messages, with Domain-based Message Authentication, Reporting, and Conformance (DMARC), which tells receivers what to do with mail that fails both checks and where to send reports. Together, these protocols let a receiver verify that an email is legitimately from the claimed domain, reducing the risk of spoofing and of ransomware payload delivery.
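To make the SPF and DMARC part of this concrete, the following Python is an added example, not code from the original page or from any vendor: it parses a domain's SPF and DMARC TXT records and reports the settings that still let spoofed mail through, comparing a weak configuration with a hardened one. The record strings and hostnames are constructed for the example; a real check would fetch them from DNS.

```python
"""Assess SPF and DMARC records for settings that leave a domain open to spoofing.

Added example, not from the original page or any product. The record pairs at the
bottom are constructed strings standing in for the DNS TXT answers a receiver would
fetch from <domain> (SPF) and _dmarc.<domain> (DMARC); the hostnames are invented.
The checks follow the RFC 7208 (SPF) and RFC 7489 (DMARC) rules they cite.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into (qualifier, mechanism) pairs plus the qualifier on 'all'."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                      # RFC 7208: a missing qualifier means Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (tags lower-cased)."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].lower() != "v=dmarc1":
        raise ValueError("not a DMARC record")
    tags = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record: str, dmarc_record: str) -> list:
    """Return human-readable weaknesses; an empty list means the pair enforces anti-spoofing."""
    issues = []
    spf = parse_spf(spf_record)

    # '+all' or '?all' (or no 'all' at all) means a sender not on the list still passes SPF.
    if spf["all"] in (None, "+", "?"):
        issues.append("SPF does not end with '-all' or '~all': unlisted senders still pass")
    lookups = sum(1 for _, m in spf["mechanisms"]
                  if re.split(r"[:/=]", m, maxsplit=1)[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers return permerror")

    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"DMARC policy is '{policy or 'missing'}': spoofed mail is only monitored")
    if int(dmarc.get("pct", "100")) < 100:
        issues.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of the mail stream")
    if "rua" not in dmarc:
        issues.append("DMARC has no rua= address: no aggregate reports on who is spoofing you")
    return issues


# Constructed records. The weak pair is typical of a domain that set up SPF once and never
# moved past DMARC monitoring; the strong pair is what a hardened domain publishes.
WEAK_SPF = "v=spf1 include:_spf.oldprovider.example +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 mx include:_spf.mailprovider.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(f"{label}: {assess(spf, dmarc) or ['no issues found']}")
```

The usual path is to publish p=none first, read the aggregate reports sent to the rua= address to find every legitimate sending service, fix SPF and DKIM for each, and only then move to p=quarantine and p=reject. Jumping straight to reject with an incomplete SPF or DKIM setup bounces legitimate mail along with the spoofed mail.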
Analyze content for malicious intent
Some of the most advanced attacks use novel social engineering tactics and benign-looking links. These attacks demand equally advanced techniques to protect against email ransomware — a deeper analysis of the communication's content and context. Modern email security solutions can analyze language to determine intent, flagging unusual requests or urgency that's inconsistent with the sender. These tools can also perform time-of-click analysis, verifying the URL's destination to safeguard against weaponizing links after initial message delivery.
What to do when a ransomware attack happens
If you find yourself in the unfortunate situation of falling victim to a successful ransomware attack you should do the following:
Take a photo
Take a photo of the ransomware message; it will come in handy when reporting to law enforcement and may contain useful information, such as the name of the variant and the attacker's contact details.
Disconnect
Disconnect any external storage devices you have connected to your compromised device.
Disconnect from the network
Ransomware has the potential to spread, so unplug the network cable or disable Wi-Fi to isolate the device from other systems. Power it off only if you cannot disconnect it, because shutting down destroys volatile evidence in memory, including for some variants the encryption keys, that incident responders may need.
Contact IT
Notify the IT department or other technology authority at your organization.
Reset passwords
Once someone has infiltrated your device they may have captured your passwords and could still compromise your accounts after the ransomware has been dealt with. Reset them from a clean device, and enable multi-factor authentication where it is available.
Reinstall operating system
After backing up any remaining data (keep the encrypted files, since they may become recoverable if a decryptor is later released), wipe the disk and reinstall your operating system, then restore from a backup taken before the infection.