How Does Ransomware Work (And Is It Still A Threat)?

With cryptomining taking the spotlight in recent months, ransomware has been out of the news. That doesn’t mean ransomware has gone away, however; it just means that crypto-based threats are a hot topic. Ransomware is still one of the largest methods of cybercrime and one of the biggest threats that business owners will encounter today. Compared to cryptomining, the threat of ransomware can be far greater.

How Does Ransomware Work?

Before talking about whether or not ransomware is still relevant, let’s have a quick refresher on how it works.

What would happen to your business if you were suddenly denied access to your network and data? Most companies would be forced to cease their operations entirely if they were suddenly denied the ability to manage their inventory, collect payments, or even communicate. Ransomware is a specific type of malware that operates by holding hostage an organization’s most precious resource: its data.

Once introduced to an organization’s network, ransomware works quickly to encrypt the system and its files. From there, the only way to recover data and resume operations is often to pay an exorbitant fee to have the files unlocked. The organization may be able to recover without paying the ransom by restoring from its data backups – but if this data isn’t totally up to date, the company may still experience substantial losses.

Ransomware is particularly insidious because it can spread across a network quickly. In recent years, it has become a common threat because networks are increasingly exposed to additional vulnerabilities, in the form of mobile and Internet of Things (IoT) devices, plus improved phishing and social engineering techniques.

The one advantage that cybersecurity specialists have over ransomware is the fact that, unlike other threats, ransomware identifies itself to its victim.

Why Ransomware is Still Common

Cybercrime is an international industry in which businesses exist for the sole purpose of launching new cyber-attacks. Ransomware is still frequently utilized by this industry for a simple reason: it passes the cost-benefit analysis.

Ransomware can be sent to thousands upon thousands of computer systems without any real cost to the perpetrator. If even a small percentage of these organizations pay the ransom, the criminal will make a sizable sum. Moreover, there is very little risk associated with the production and distribution of ransomware.

Cyberattacks often originate and are distributed from countries that do not take a strict stance on these criminal activities. Indeed, many of these countries may see substantial profits from cybercrime in terms of money coming into the local economy and thus would not like to see the industry shut down. This makes prosecuting cybercriminals difficult, in addition to the fact that ransoms typically are paid in virtually untraceable methods, such as cryptocurrency.

In short, ransomware continues to proliferate because it continues to work. As long as there are systems and users that are vulnerable to attack, cybercriminals are going to continue to distribute ransomware. It costs them virtually nothing to continuously target potential victims, and every time a target is successfully hit by ransomware, it reaffirms their efforts.

No malicious program ever truly goes away. Ransomware was initially discovered in the 1980s, and it has continued to evolve since then. As long as data is useful to an organization, there will be malicious programs that are designed to lock away and hold that data hostage until a ransom is paid. It’s these new, evolving attacks that companies must also take into account when deciding how to effectively defend against ransomware.

Ransomware in the Age of Crypto Threats

Cryptomining threats and ransomware are, in a sense, closely related. Both ransomware and cryptomining have proliferated recently due to cryptocurrency. Ransomware became more popular as a direct result of the rise of cryptocurrency, as it made it easier for cybercriminals to collect payment for ransoms immediately and without the threat of being tracked.

Similarly, criminal cryptomining has become popular because cryptocurrency is so valuable. It’s become cost effective and profitable for cybercriminals to place cryptomining utilities on devices and mine cryptocurrency directly rather than holding files for ransom and hoping for a payout. However, that won’t always be true.

Cryptomining is profitable right now because cryptocurrencies are valuable. If cryptocurrency takes a downturn as a whole, then it may become more profitable for attackers to return to seeking ransoms (possibly with another type of currency) rather than mining.

Further, while cryptomining has been in the news a lot this year, the number of known attacks actually peaked in January and has dramatically dropped off since then. As systems are patched, and advanced threat solutions are updated to better identify cryptomalware, the effectiveness of cryptomining decreases. As a result, bad actors may switch back to ransomware.

Even if cryptomining is always more profitable than ransomware, that doesn’t mean ransomware is going to go away. Malicious attackers often use a multitude of threats against their victims, to see what their victims are vulnerable to. If they believe that ransomware will be the more lucrative type of attack, then that is what they will use.

So, just because ransomware has lost first chair to criminal cryptomining, don’t let your guard down.

How to Defend Against Ransomware

Ransomware is distributed through many attack vectors, though the primary point of entry is still through email. To defend against ransomware, companies need to be particularly vigilant about upgrading, updating and maintaining their threat detection technologies.

Employees can easily introduce ransomware without the knowledge of what they are doing. Though training can limit this risk, it can’t reduce it entirely; any employee can ultimately make a mistake. As ransomware is constantly changing, a single system or process isn’t always able to catch it. Next-generation security solutions can detect ransomware based on its activity. In the case of most ransomware, for instance, one of the first behaviors it may display is encrypting a multitude of files very quickly. Similarly, ransomware wants to spread, so network security solutions can be helpful to detect this lateral movement.
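The activity-based detection described above can be sketched as a sliding-window check: count how many distinct files a single process rewrites with high-entropy (encrypted-looking) content in a short time. This is an added example, not code from the article or from any security product; the thresholds, process names, paths and event format are assumptions, and the telemetry is constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

ENTROPY_BITS = 7.0  # assumed threshold; encrypted data approaches 8 bits per byte
WINDOW_SECS = 10    # assumed sliding window length
MAX_FILES = 20      # assumed limit of distinct high-entropy files per window

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_mass_encryption(events):
    """events: time-ordered (timestamp, process, path, written_bytes) tuples.
    Returns {process: timestamp of the write that crossed the threshold}."""
    recent = defaultdict(deque)  # process -> (timestamp, path) of high-entropy writes
    alerts = {}
    for ts, proc, path, data in events:
        if shannon_entropy(data) < ENTROPY_BITS:
            continue  # plain documents and text stay well below the threshold
        window = recent[proc]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW_SECS:
            window.popleft()  # forget writes older than the window
        if len({p for _, p in window}) > MAX_FILES:
            alerts.setdefault(proc, ts)
    return alerts

def pseudo_ciphertext(seed: int, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(size // 32))
    return b"".join(blocks)

def sample_events():
    """Constructed telemetry: an editor, a slow backup job, and a fast bulk writer."""
    text = b"Quarterly inventory report, line items follow.\n" * 20
    events = [(i * 30, "office_app", f"/docs/report{i}.txt", text) for i in range(5)]
    events += [(i * 60, "backup_tool", f"/backup/set{i}.zip", pseudo_ciphertext(1000 + i))
               for i in range(25)]
    events += [(200 + i // 10, "unknown_proc", f"/docs/file{i}.locked", pseudo_ciphertext(i))
               for i in range(30)]
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    print(detect_mass_encryption(sample_events()))
```

The backup job also writes high-entropy archives but only one per minute, so it never fills the window; combining rate with entropy is what keeps compressed or already-encrypted legitimate files from raising alerts.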

Best practice defense against ransomware starts with frequent backups. Another increasingly viable option is to store all data in the cloud so if a computer is infected by ransomware, the user can simply reimage the whole thing and not lose a byte of data.

Not only do next-generation security products defend users against ransomware, but they are also designed to protect networks against new threats like cryptomining. Businesses investing in advanced network security solutions can protect themselves from a wide array of malicious behaviors, no matter which tools cybercriminals prefer to use.

Bert Rankin

Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.