Behind The Attack: Ransomware

Ransomware is an online attack executed by cybercriminals or nation-state-sponsored groups who demand a ransom to release compromised data. In recent years ransomware attacks have grown more sophisticated with advanced encryption capabilities that target public and private sector organizations that no single industry or size of business can escape from the wrath of ransomware.

As ransomware capabilities continue to grow, so does the amount of ransom demanded to release data. The majority of SMBs cannot afford these consequences and need a plan that will protect, prevent, and prepare them for a ransomware attack. This article will discuss the preparations you can make, the process of a ransomware campaign, and methods to keep your business secure during and after a ransomware campaign.

How Ransomware Spreads

ransomware Ransomware is a type of malware designed to encrypt data until the ransom is paid. Threat actors have developed their own organizations that develop and set the ransom. These “organizations” function similarly to a business with the intent of generating revenue by deploying ransomware attacks. However, these organizations have recently found it more lucrative to develop ransomware and sell it to individual threat actors.

Ransomware spreads after first gaining access to a target system, encrypting the files there, and lastly demanding the victim pay a ransom. Individual incidents will vary, but will always contain three main elements: infection and distribution vectors; data encryption; and ransom demand. Some common ransomware campaigns include: 

Social Engineering

Because threat actors must gain access to the network they often begin their attacks by targeting an organization’s greatest vulnerability: people. 78% of ransomware attacks began with an email last year. Attackers email individuals and attempt to build a rapport with their targets before executing phishing campaigns. Occasionally there are several exchanges before anything malicious is sent. Once they have the victim’s trust, attackers will send a malicious link or file with an executable that allows them into a company’s network. 

Double Extortion

Double extortion occurs when cybercriminals compromise your data, encrypt it, and then analyze it. Because they already possess a copy of your data, they are able to identify how to extort your business for the most money possible. This information will typically include revenue, your employees, your industry, and your partners and clients. Then attackers will only have to take and leverage your most critical data to extort your business.

Triple Extortion 

Triple extortion is a step further than double extortion notched up due to the addition of an active and aggressive threat actor. They utilize the compromised information on your employees, partners, and clients to harass them via emails, texts, and phone calls. 

How to Prepare For A Ransomware Attack

With proper preparation, your company can drastically lower the cost and impact of a ransomware attack. In fact, recovery or remediation costs can be 10 to 15 times more than the ransom. Adopting best practices can reduce an organization’s exposure to ransomware and minimize potential damages:


Training your staff is the most rudimentary action you can take to prepare for a ransomware attack. Knowing what to look for when a malicious file appears in their inbox and end-user training are key first steps in protecting sensitive data. However, in order to be effective it must also be continuous so it is critical that you run frequent phishing tests and ensure that employees are alert, aware, and knowledgeable. 

Email Security

When it comes to cybersecurity, solutions must be layered to ensure the most coverage. A multi-layered approach is essential in preventing ransomware as cyberattacks continue to grow more sophisticated, as should the tools that prevent them. Having multiple tools in place, like email security gives your organization a holistic defense ready to prevent ransomware.


MFA confirms a user’s identity with the use of a combination of factors, with the most common one being their credentials, and the second being a limited-time one-time password (OTP), biometric, or key card. MFA can most easily be understood as something you know and something you have. This additional authentication reduces unauthorized access as the attacker needs all three pieces of required information during authentication.


Data backups enable an organization to recover from an attack with a minimum of data loss and without paying a ransom. Performing route backups are important for preventing data loss, as well as being able to recover in the event of corruption or disk hardware malfunction. Functional backups can also help organizations recover from ransomware attacks.

The Aftermath of An Attack

ransomware 5231739 340Money is one of the most common associations of ransomware, however, it is not the only consequence. An organization that has been the victim of a ransomware attack must also deal with damage to its reputation, image, and public relations. 60% of small to medium-sized businesses (SMBs) shut down after being hit with ransomware due to a lack of security measures, such as failure to recover backups and the inability to pay the ransom.

The majority of law enforcement agencies and experts say not to pay ransomware attackers, based on the logic that this will only encourage hackers to create more ransomware. Despite this, many organizations disregard this mentality and begin a cost-benefit analysis and weigh the price of the ransom against the value of the encrypted data. Research shows that while 66% of companies say they would never pay a ransom, in actuality, 65% end up paying the ransom after getting hit. Besides the financial cost of a ransomware attack, other damages include reputational harm to the business and compromised data of clients.

Many successful ransomware attacks go unnoticed until after encryption is complete and a ransom note has been displayed on the infected computer’s screen. It is unlikely that the encrypted files are recoverable, however, there are some steps that should be taken immediately:

  • Quarantine the Device: variants may try to spread to connected drives and other machines, by removing access to other potential targets you effectively limit the spread.
  • Leave the Device On: encrypted files may cause a computer to become unstable, and turning off a computer can result in loss of volatile memory. 
  • Create a Backup: decryption of files for some ransomware variants is possible without paying the ransom. Make a copy of encrypted files on removable media in case a solution becomes available in the future or a failed decryption effort damages the files.
  • Seek Professional Help: computers sometimes store backup copies of files stored on them. A digital forensics expert may be able to recover these copies if they have not been deleted by the malware.
  • Wipe and Restore: restore the machine from a clean backup or operating system installation. This ensures that the malware is completely removed from the device.

German Newspapers Targeted by Ransomware Attack

Ransomware AttackThe German newspaper Heilbronner Stimme has been part of an ongoing cyberattack, after recently having all its systems encrypted by unknown attackers. The publication`s printing systems were compromised, while phone and email communication were only offline for a weekend. Editor-in-chief Uwe Ralf Heer claimed the attack impacted the entire Stimme Mediengruppe, including the companies Pressedruck, Echo, and RegioMail. Echo, which circulates 254,000 copies, was also affected by the ransomware attack and dealt with issues accessing its e-paper on the website. 

Heer also stated that the attack encrypted their systems and left ransom notes behind, but did not make any specific ransom demands. A crisis team was set up, and cyber experts are investigating the events as well as the police and the Ministry of the Interior are involved in the investigation.

In 2020, ransomware attacks increased by more than 130%, and recent data shows global losses will exceed $20 billion rising to $265 billion by 2031, with the average ransom costing $312,493. The time to protect users, applications and data is now, by taking a proactive stand on ransomware. 

Keep Learning

When it comes to ransomware, prevention is better than remediation, and implementing the caliber of email protection required to repel these attacks is a significant investment. 

Ransomware protection mechanisms used by organizations are evolving, but many businesses still lack adequate defenses to repel ransomware attacks.

Must Read Blog Posts

Latest Blog Articles