
What is ransomware?

This type of malware could hit you hard in the pocket

Ransomware is one of the biggest cyber security threats facing businesses today. It's a type of malware that attackers can use to lock a device or encrypt its contents in order to extort money from the owner or operator. 

Given its potential to deliver a high return on investment, and the relative ease at which it can spread, this type of attack has become extremely popular among cyber criminals. It was recently named the biggest threat facing small-to-medium-sized businesses (SMBs) as attackers take advantage of the COVID-19 pandemic to attack employees outside of the office.

According to figures from cloud cyber security company Datto, 59% of MSPs said a shift to remote working had resulted in increased ransomware attacks, and 60% reported that their SMB clients had been hit by ransomware in the third quarter of 2020. 

How ransomware works

Much like other malware types, ransomware is typically spread by tricking victims into downloading malicious email attachments, which prompt scripts to automatically run on their system. However, it's also possible for ransomware to be spread wherever there's an opportunity to hide malicious scripts.

Ransomware usually starts an attack by trying to remain undetected, slowly encrypting files one after another to avoid suspicion. However, unlike most other malware, ransomware then makes its presence known to the user once it has encrypted enough files, usually through a ransom note or splash screen.

It's from this splash screen that users are first told that their files are locked and that, in order to retrieve their data, they're required to pay a monetary sum. The exact wording of the demand varies between ransomware strains, but most demand some sort of payment within a specified timeframe.

The splash screen associated with the Cerber ransomware

Some messages are aggressive in the hopes of scaring the user into a quick payment, while others attempt to masquerade as legitimate organisations, such as the FBI. For example, the Jigsaw ransomware strain attempts to rush the user into paying its fee by deleting a file for each hour that the demand is ignored, and will often delete around 1,000 files if the user attempts to reboot their system.
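The behaviour described above, encrypting files one after another and then dropping a note, leaves a pattern a defender can look for: files whose contents suddenly become high-entropy (encrypted data looks like random bytes), files that disappear, and a new note-like file appearing beside them. The following Python script is an added example, not code from the original article, that compares two snapshots of a directory and flags that pattern. The note filename patterns, the entropy and ratio thresholds, and the fixture it builds are assumptions chosen for illustration; os.urandom stands in for encrypted output, and no encryption is performed.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Filename patterns typical of dropped ransom notes. Constructed for this
# example; they are not taken from any particular ransomware strain.
RANSOM_NOTE_PATTERNS = [
    re.compile(r"(readme|how[_ -]?to|decrypt|restore).*\.(txt|html?)$", re.I),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def snapshot(root: Path, sample_bytes: int = 4096) -> dict:
    """Record the entropy of the first sample_bytes of every regular file under root."""
    result = {}
    for p in root.rglob("*"):
        if p.is_file():
            with open(p, "rb") as fh:
                result[str(p.relative_to(root))] = shannon_entropy(fh.read(sample_bytes))
    return result


def looks_like_ransom_note(name: str) -> bool:
    return any(pat.search(name) for pat in RANSOM_NOTE_PATTERNS)


def assess(before: dict, after: dict, entropy_jump: float = 2.0,
           ratio_threshold: float = 0.3) -> dict:
    """Compare two snapshots and flag mass high-entropy rewrites, vanished files and notes."""
    rewritten = [name for name, e in after.items()
                 if name in before and e - before[name] >= entropy_jump]
    missing = [name for name in before if name not in after]
    notes = [name for name in after
             if name not in before and looks_like_ransom_note(Path(name).name)]
    tracked = max(len(before), 1)
    ratio = len(rewritten) / tracked  # fraction of known files rewritten as noise
    return {
        "rewritten_high_entropy": sorted(rewritten),
        "missing": sorted(missing),
        "ransom_notes": sorted(notes),
        "suspicious": ratio >= ratio_threshold or bool(notes),
    }


def demo() -> dict:
    """Constructed fixture: ten plain-text files, then a second snapshot in which four
    have been overwritten with random bytes (standing in for encrypted output) and a
    note-like file has appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(10):
            (root / f"report_{i}.txt").write_text("quarterly figures " * 50)
        before = snapshot(root)
        for i in range(4):
            (root / f"report_{i}.txt").write_bytes(os.urandom(4096))
        (root / "HOW_TO_DECRYPT_FILES.txt").write_text("constructed sample note")
        after = snapshot(root)
        return assess(before, after)


if __name__ == "__main__":
    print(demo())
```

Entropy alone is a noisy signal, since compressed archives, images and already-encrypted documents are also high-entropy, so the check is tied to a jump between snapshots and to a proportion of the estate changing at once rather than to any single file. Note-name matching is a useful secondary signal but will match legitimate files such as README.txt, which is why it is reported separately rather than treated as proof on its own.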


The first instance of ransomware was the relatively unsuccessful 'AIDS Trojan', which struck in 1989, encrypting file names rather than their contents, while the decryption key was hidden within the malware's own code. Despite these errors in deployment, the attack was the first case of a hacker demanding cash in exchange for the secure return of stolen data.

Attackers still operate under the same core principles, but are usually far more effective, and more often than not demand payment not in physical currency, but in cryptocurrencies. Most attackers favour Bitcoin or Monero, which are inherently difficult to trace.

Ransomware in 2020

There are hundreds of ransomware strains operating across the world, and which particular threat you're likely to face can depend on the continent, the country, or even the city in which you operate. For example, we recently examined the latest strains attacking businesses operating across the UK, but the picture can vary wildly from region to region.

Ryuk is one of the most popular ransomware strains across the world, and recent figures show it accounted for a third of all ransomware attacks in 2020. The ransomware, which has hit high-profile companies including French IT services giant Sopra Steria, was recorded in 67 million attacks in 2020, compared to just 5,123 attacks during the first three quarters of 2019, according to research by SonicWall.

Maze is another. This ransomware strain has been highly active over the last year and a half, most recently crippling the systems of several large companies, including Canon in August and Xerox in July. However, in November 2020, the Maze ransomware gang announced that it’s shutting down its operations for good.

It's also common for a select number of strains to be offered up for hire. Known as ransomware as a service, this model involves criminals paying established hacker groups to coordinate a ransomware campaign against desired targets. This makes it possible for criminals to attack a target without the risk of being identified and without the need for in-depth coding knowledge.

This has also significantly lowered the barriers to entry, meaning that anyone, provided they have the cash and inclination to do so, can launch a coordinated and comprehensive ransomware attack.

According to the Beazley Breach Response team, there was a 105% year-over-year increase in the number of ransomware attacks against businesses in Q1 of 2019. The same report found that the average ransomware demand has also increased by 93% to $224,871, although this has been skewed somewhat by a small number of large payouts.

However, large payouts are quickly becoming normal, as ransomware has started to shift its focus to larger organisations or critical public services. For example, two towns in Florida agreed to pay collectively $1.1 million to regain access to their systems following a widespread public sector ransomware attack.

Should I pay the ransom?

By design, ransomware is incredibly disruptive for businesses, and it can be tempting to take the quick way out and submit to demands – after all, every minute your business is offline, the greater the financial and reputational damage might be.

However, most experts agree that paying a ransomware demand is the worst thing you can do. Ransomware has become incredibly lucrative, with 121 million attacks recorded in the first half of 2020 alone, up 20% over the previous year. This is entirely fuelled by the shakedown of its victims, and the more that businesses give in to demands, even if the price is relatively low, the more hackers are going to use this tactic.

Even if you don’t buy into that idea of the greater good, there’s ultimately no guarantee that hackers will uphold their end of the bargain. Of course, it’s in a hacker’s own interests to do so, as victims will be unwilling to hand over their cash if they think their attackers will split and run, but there’s nothing to prevent them from deleting data once they get their money.

Unfortunately, in many cases, data encrypted by ransomware is best thought of as lost. How damaging that will be for your business will depend on how robust your data backups and recovery processes are. With a strong disaster recovery plan in place, it’s possible to take the sting out of a ransomware attack as soon as it starts.


2017 NHS ransomware attack

Perhaps the most famous ransomware attack to hit the UK happened on 11 May 2017, when the NHS and a number of large organisations in England and Scotland were hit by WannaCry. This strain is thought to have quietly spread across Europe, infecting major organisations including Telefonica in Spain, Deutsche Bahn in Germany, Renault and FedEx, before activating. It's believed hundreds of thousands of computer systems across 99 countries were affected.

The infection spread through three vectors. The initial payload (i.e. the ransomware software known as WannaCry or WannaCrypt) was brought into the organisations' network via a phishing email, with a user clicking on a malicious link or downloading a malicious file.

The infection then spread rapidly through the network using two tools thought to have been developed by the NSA, the EternalBlue exploit and the DoublePulsar backdoor, which were released into the wild by the ShadowBrokers hacking group along with a number of other cyber weapons.

All the infected computers on the network consequently had their files encrypted, with a ransom message displayed on their screen demanding around $300 in Bitcoin to be paid within three days, or $600 within seven days. It's unclear how many organisations paid, but by Monday 15 May the cyber criminals had made over $40,000, according to the URLs associated with the ransom demands.

Microsoft had released a patch for the vulnerability, which affected all Windows operating systems from Windows 7 through to 8.1, back in March. However, it hadn't been applied to all elements of the affected organisations' network. There are several reasons this may have occurred, including the need for organisations to carry out a staged roll-out and potential conflicts with other critical systems and software.

Another reason is that many organisations still run Windows XP, once again usually due to compatibility issues. As XP is out of support, no patch for it was released in March, leaving all systems running it vulnerable to this attack. 90% of the NHS' IT estate was known to be running Windows XP at the beginning of 2017, with its custom support contract having been terminated in 2015.

Given the magnitude of the attack, however, Microsoft did create and issue a patch for XP, but advised that organisations and individuals should always apply the latest software updates as soon as possible to protect against threats of this kind.
