What is ransomware?

Ransomware is one of the fastest-growing forms of malware affecting organizations today. 

When a ransomware attack is successful, it can cripple an organization. That’s why it’s critical for companies to understand the threat — and take action to prevent it. By employing best practices and leveraging secure software, you can guard your business against attacks.

Find out more about what ransomware is, how it works, why it’s on the rise, and steps you can take to defend against it.

What is a ransomware attack?

Ransomware is malware designed to encrypt a victim's information or lock the victim out of their device's basic functions until a ransom is paid to the attacker. Many attackers threaten to release, sell, or delete an individual or organization's data if demands are not met by a certain deadline.

How does ransomware work?

Ransomware employs asymmetric encryption, a kind of cryptography that uses a pair of different keys, one to encrypt files and one to decrypt them. The goal is to prevent victims from accessing their files or using basic computer functions. When an attacker employs ransomware, they generate a unique private key and a public key.

The attacker withholds the private key from the victim, as it’s almost impossible to decrypt the victim's data without this key. Once an attack is underway, the attacker will demand money from the victim before they provide the private key. Some attackers still withhold the key after payment, deleting the files or selling them to other bad actors. 

Ransomware installation

A threat actor might use various delivery methods to install ransomware on a victim's device. Usually, threat actors distribute malware via targeted attacks or phishing emails, where they trick a victim into downloading an attachment that installs the ransomware onto their device. 

In a targeted attack, a ransomware attacker often employs social engineering to access a victim's system or device. The social engineering attack strategy involves the threat actor pretending to be a trusted business, friend, colleague, or government agency. Since the victim thinks an email coming from one of these sources is safe, they are more likely to click on an attachment, accidentally downloading ransomware onto their device.

Data encryption

After the ransomware installs, the software begins to encrypt sensitive data on the device. If the device has any file shares attached to it, ransomware may encrypt those files, too. Once the data is encrypted, the ransomware displays a message on the infected device. This message often contains a ransom demand, a method for paying the ransom, and a deadline for when the money must be sent to the attacker.

Though there are a few different kinds of ransomware, the main types are screen lockers and crypto-ransomware. Locker ransomware is less damaging than crypto-ransomware, as it only aims to lock victims out of using basic computer functions. In this attack, the ransomware may partially disable the victim's mouse and keyboard, leaving just enough function enabled for the victim to interact with a window containing the ransom demand. Once the victim pays the demand, the attacker may unlock the device.

Crypto-ransomware can be much more dangerous than locker ransomware, as it encrypts sensitive data, preventing users from accessing it. While these attacks don't usually impact basic computer functions, the inability to access key files can cause victims to panic. Since the ransomware encrypts the victim's files, the threat actor could even delete the files if their demands are not met or they decide not to honor the ransom's terms.

Ransomware statistics

In 2020, the Federal Bureau of Investigation (FBI) reported that the Internet Crime Complaint Center (IC3) received 2,474 complaints identified as ransomware, with adjusted losses totaling more than $29.1 million. As ransomware spreads and becomes available to more bad actors, many industries have seen increased ransomware attacks and higher demands.

Some of the top ransomware statistics include:

  • In 2021, the average ransomware payment was $570,000, an increase of 82%
  • Worldwide, the percentage of organizations victimized by ransomware attacks reached 68.5% in 2021, representing a major growth in malware attacks since 2018, when only 55.1% of organizations were victimized
  • In 2020, there were 304 million global ransomware attacks
  • The highest ransom demand of 2021 so far was for $50 million
  • The first half of 2021 saw a 518% year-over-year increase in ransomware incidents

Why is ransomware spreading?

Ransomware attacks continue to spread due to the rise of new technologies that are able to circumvent preventive measures. For example, some bad actors are creating cross-platform ransomware with known generic interpreters. Malware kits also make it easier for bad actors to quickly craft novel malware samples. And bad actors are finding new techniques to spread malware, such as encrypting an entire disk instead of just a few files.

Ransomware's spread can also be attributed to the rise of Ransomware-as-a-Service (RaaS), which is a subscription designed to give affiliates ransomware tools that are ready for use. Since RaaS gives bad actors a more decentralized method of attack and extended reach, it’s harder for authorities to stop an attack. 

Many RaaS creators also take a cut of the ransom, meaning bad actors are likely to demand higher payments. Many victims end up paying the ransom in an attack, which makes ransomware a very lucrative way for threat actors to make money. 

How to defend against ransomware

While you can take action to recoup your stolen data or minimize damage after a ransomware attack, it’s best to prevent attacks from occurring in the first place. Here are some of the top prevention practices for protecting your business against ransomware:

1. Stick to secure networks

Hackers can use unsecured networks to gain information about a company and find ways into a device, so it’s essential your organization has a secure network. Whenever an employee uses a work device on public Wi-Fi networks, they are putting your organization at risk, as many of these networks are not secure. When employees work from home or in public, consider having them use VPNs to ensure they are securely connected to the internet no matter where they are. 

2. Back up your data

Backing up your data on a secure external hard drive or in the cloud is one of the best ways you can prepare for a ransomware attack. If you have your data backed up, you can wipe an infected device and still retrieve your files when a ransomware attack occurs. Instead of paying the ransom, you can simply delete everything with peace of mind and no financial consequences.

3. Secure your data backups

If you use data backups, such as , it's essential you ensure your backup data is secure. This includes making it impossible for users to delete backup data via the system it’s stored in. Since ransomware will attempt to encrypt or delete backup files, it's critical your devices can't directly access these backup files. At Box, our security and compliance solutions keep our clients' backup cloud data secure with native granular access controls and other security features.

4. Practice safe internet surfing

Anyone who works for your organization and has access to sensitive data needs to be careful while they surf the web. As they use the internet, they should only download applications after verifying the software comes from a trusted source. They should never respond to messages from people whose identities they can't confirm. Ensuring employees stay on guard while surfing the web can significantly reduce the chance they accidentally download ransomware.

5. Create a security awareness program

Since an employee's mistake can result in a ransomware attack, having a security awareness program is a critical component of protecting your organization. By regularly conducting training about cybersecurity, you can reduce the chance your employees fall for social engineering or phishing attacks. Ensure these trainings happen regularly and are supervised appropriately to help reinforce security best practices in your organization.

6. Use security software and keep it up to date

Ransomware is constantly evolving, making it critical for security software to change with new threats. Select a security software with an excellent reputation for staying on the cutting edge of stopping cybercrime, especially ransomware. Always download and install updates as soon as they become available to avoid new threats getting past your defenses.

How to respond to a ransomware attack

Even when you take steps to prevent ransomware attacks, you may still come face-to-face with a threat. If an attack occurs, you need to know how to deal with it effectively so you can minimize damage. Having a response plan in place helps your team take appropriate action fast.

Review the steps below to effectively respond to a ransomware attack.

1. Quarantine any infected devices

Infected devices will continue to spread ransomware to any other connected devices or systems. Just like you’d isolate patients infected with a virus, it's critical you quarantine a device as soon as you discover it’s been infected with ransomware. While one device infected with ransomware can be damaging, ransomware on every device in an organization multiplies the impact.

Reaction time is everything. When ransomware is discovered on a device, immediately disconnect the device from other devices, the internet, and your organization's network. If you can disconnect the infected device before it spreads ransomware to others, you can significantly reduce the amount of damage done in an attack.

2. Prevent the spread

While quickly quarantining an infected device is critical to preventing ransomware from spreading, don’t stop there. Ransomware can spread very fast, and the device you identify may not be the source of the original infection. You might still have ransomware in other locations on your network.

For this reason, immediately remove any other potentially infected devices from the network. Even if a device is off-premises, you'll want to disconnect it, as malware could still gain access to it. You may also want to power down Bluetooth, Wi-Fi, and any other wireless connectivity methods. 

3. Assess damage

After you've disconnected all suspicious devices, you can move on to assessing the damage the ransomware has inflicted. Begin this assessment by identifying all the infected devices. Look for files users can’t open, strange file names, and odd file extensions. When you find devices that aren't completely encrypted, turn them off and quarantine them to stop ransomware from spreading.

During the damage assessment stage, it’s best to create a list containing information on every affected system, including external hard drive storage, smartphones, laptops, cloud storage, and network storage devices. This list helps you determine how many of your devices and parts of your network have been affected by the ransomware, giving you the chance to assess the damage accurately.

You can also lock down shares, making sure any encryption processes cannot continue and won't infect other shares. Before you lock your shares, you will want to first check on all your currently encrypted shares. If you find one device has more open files than the rest of your devices, you may be able to identify the originally infected device.

4. Find patient zero

Preventing greater damage to your system and keeping track of a ransomware infection is much easier when you know where the attack originated. You'll want to identify your "patient zero," meaning the device where the ransomware first entered your system. You can often find patient zero by looking at your active monitoring platform, endpoint detection and response (EDR) solutions, or antivirus software for alerts about ransomware or suspicious activities. 

You can also speak with your employees about any suspicious emails they opened or any other irregular activity they noticed. Another way to find patient zero is to look at your files' properties, as the employee listed as an infected file's owner is often the entry point for the ransomware. 
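
The checks described in steps 3 and 4 can be run as a quick triage pass over a mounted share. The script below is an added example, not part of the original article or any Box tooling: it flags files that have an unexpected extension and encrypted-looking (high-entropy) content, then tallies them by owner, extension, and top-level share folder. The allow-list of extensions, the entropy threshold, the ".locked" extension, and the sample files are all assumptions constructed for illustration; owner is the POSIX numeric uid.

```python
import math, os, tempfile
from collections import Counter
from pathlib import Path

# Assumption: extensions this organization expects to see on its shares.
EXPECTED_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".png", ".jpg", ".zip"}
ENTROPY_LIMIT = 7.5   # bits per byte; encrypted data sits close to 8.0
SAMPLE_BYTES = 65536  # read only the head of each file to keep the scan fast

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(root):
    """Return one record per file with an odd extension AND high-entropy content."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        try:
            if path.is_symlink() or not path.is_file():
                continue
            with path.open("rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            owner = path.stat().st_uid
        except OSError:
            continue  # unreadable files are skipped, not fatal
        ext, h = path.suffix.lower(), entropy(head)
        # Requiring both signals keeps ordinary compressed files (.zip, .jpg) out.
        if ext not in EXPECTED_EXTS and h >= ENTROPY_LIMIT:
            findings.append({"path": str(path), "ext": ext, "owner": owner,
                             "entropy": round(h, 2),
                             "share": path.relative_to(root).parts[0]})
    return findings

def summarize(findings):
    """Counts for the damage list: who owns flagged files, where, and which extension."""
    return {key: Counter(f[field] for f in findings)
            for key, field in (("by_owner", "owner"), ("by_ext", "ext"),
                               ("by_share", "share"))}

def build_sample(root):
    """Constructed sample data: two normal files, two random-byte '.locked' files."""
    root = Path(root)
    for share in ("finance", "hr"):
        (root / share).mkdir()
    (root / "finance" / "notes.txt").write_text("quarterly planning notes\n" * 50)
    (root / "finance" / "archive.zip").write_bytes(os.urandom(4096))
    (root / "finance" / "budget.xlsx.locked").write_bytes(os.urandom(4096))
    (root / "hr" / "plan.docx.locked").write_bytes(os.urandom(4096))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(summarize(scan(d)))
```

Run it read-only against a copy or snapshot of the affected share where possible, and treat the owner tally as a lead to check against EDR alerts and employee reports rather than as proof of the entry point.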

5. Identify the ransomware

Since ransomware comes in different forms, you'll want to identify what kind of ransomware program is attacking your organization. After identifying the ransomware, you'll want to research its behavior and alert employees to the ways the program will attempt to infect their files.

6. Report the ransomware to authorities

Once you contain the ransomware, inform relevant authorities about the attack. Reporting ransomware may give you access to more advanced tools and abilities that only law enforcement agencies can access. By partnering with the appropriate authorities, you may be able to bring bad actors to justice and recover stolen data before hackers use it to do harm.

7. Eliminate ransomware, and use your backups

After you've contained and neutralized a ransomware attack, use an uninfected backup to restore your system. Before you restore your data, use an anti-malware or antivirus solution to ensure all your infected devices do not have any remaining ransomware or malware. 

Use your backup to restore lost files only after you confirm there is no trace of ransomware. At Box, we provide failsafe cloud backups to ensure you have uninfected files in the event of a data loss incident. We utilize multiple data centers featuring backup systems and reliable sources, ensuring we provide 99.9% SLAs and redundancy. 

Once your data is recovered, confirm that your processes and apps are working appropriately and that all your data is restored before returning to normal business operations.

8. Research your decryption options

When you don't have a backup, you can sometimes still recover your data via decryption with free decryption keys that may work to unlock your data. Be sure to look for a decryption key designed for the type of ransomware that’s impacting your data.

How Box can protect your company's data

The Content Cloud offers multiple tools and features designed to better protect your company's data. For example, many of our clients use our security and compliance solutions in Box Shield to prevent unauthorized access to files and reduce vulnerabilities that lead to successful ransomware attacks. Box cloud backup solutions can also keep your data secure and allow you to easily recover information after data loss occurs.

Box Shield

Box Shield helps you stop ransomware in its tracks with machine learning. You get accurate, timely alerts on malware attacks, insider threats, and account compromise. After receiving these alerts, your team can evaluate them to assess the danger and send notifications to your teams for additional analysis. 

Shield also easily integrates with your cloud security portfolio, complementing your cloud access security broker and your security information and event management solutions.

Security and compliance

Our security and compliance solutions are designed to help you better govern and protect your flow of information. Since these solutions give you full visibility and control over your data, you can quickly spot threats, such as ransomware, and review complete audit trails to discover how an attack occurred. You can also use our security solutions to encrypt all of your files with AES 256-bit encryption and better guard your content with built-in controls.

Cloud backup

With Box cloud backup solutions, you can store various kinds of files in our secure cloud. Along with frictionless recovery options, our cloud backup solutions feature strict sharing and access policies you can customize for your security needs. By storing your content in the Content Cloud, you foster greater collaboration throughout your organization by giving your employees access to the most current versions of any file.

Learn more about what Box has to offer

With all of the solutions Box offers to better protect your data, you might be interested in learning more about our platform. Find out more about how Box solutions can support and protect your business today. If you have any questions or want pricing information, request a free quote or contact us.

While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blog post is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.