What does ransomware do to an endpoint device? Ransomware attacks have been increasing in number and severity lately — and without awareness of the issue, the problem will only get worse.
In the first half of 2021, for example, the FBI's Internet Crime Complaint Center (IC3) received more than 2,000 ransomware complaints totaling $16.8 million in damages. This represents an increase of 62 percent in reports, and 20 percent in damages, compared to the same time period in 2020.
To know how to guard against ransomware, you first need to understand how this form of malware operates. From the definition of "ransomware attack" to what ransomware does to an endpoint device, in this article, we'll go over everything you need to know.
How can we define ransomware? Put simply, ransomware is malicious software that encrypts the data and files on a victim's computer, preventing users from accessing them without the corresponding decryption key. The attackers then demand a ransom in exchange for restoring access to the information; without paying the ransom, data loss is very likely.
There are several modern ransomware variants, each more insidious than the last. In May 2017, for example, the WannaCry ransomware made global news by infecting people and organizations in more than 150 countries, causing an estimated $4 billion in damages. In 2021, the Colonial Pipeline gasoline pipeline system was struck by a ransomware attack and went offline for several days. To deal with the attack's impact, the U.S. government issued an emergency declaration for states in the southern and eastern United States to keep fuel supply lines open.
There are essentially four stages of a ransomware attack:
What happens in detail when ransomware infects an endpoint device (such as a desktop, laptop, smartphone, or tablet)? As mentioned above, much of ransomware's lifetime is spent in surveillance, gathering information so that the eventual attack is as effective as possible. The malware uses lateral movement to prolong its lifetime, stealthily propagating itself to other computers throughout the network, much as a biological virus replicates itself by finding new hosts.
If a computer becomes infected by ransomware, the organization has only a limited time to respond. The term "breakout time" refers to the interval between the malware first entering the system and its spreading to other computers. Many ransomware attackers appear to be getting more sophisticated and faster: the average ransomware breakout time was 9 hours in 2019, but less than 5 hours in 2020.
Once the attacker decides to strike, things rapidly escalate. The ransomware uses an encryption algorithm, keyed with a secret known only to the attacker, to scramble the contents of the device's files and data. Because the attacker holds the key and the user does not, the user cannot reverse the encryption, and this information imbalance is essential to the attack's success.
Without the matching decryption key, it will be nearly impossible for the user to recover the encrypted data. The good news is that it's not always a lost cause. Initiatives such as No More Ransom and Kaspersky's No Ransom have cataloged the ransomware variants for which there is a decryption tool available. If you get hit with a ransomware attack, one of the first steps should be to diagnose the variant and check if there is a corresponding ransomware decryptor available.
If you have no such luck, the next question is whether you should pay the ransom in the hope of regaining access to your files. Unfortunately, given the attackers' unscrupulous morals to begin with, there is no guarantee that they will decrypt your system after receiving the ransomware payment.
During the WannaCry attack, for example, users were told to send their ransomware payments (either $300 or $600) to one of just three Bitcoin wallets. In other words, the attackers had no way to tell which victims had paid, since many people were told to send Bitcoin to the same address (and Bitcoin is, by design, an anonymous payment system). Multiple security researchers stated that they had not heard of any WannaCry victims successfully recovering their data.
What's more, the aims of the attackers may not even be primarily financial. Countries such as Russia, Iran, China, and North Korea are known to have sophisticated cyber warfare programs that include ransomware. The Colonial Pipeline ransomware is an example of attackers aiming at high-profile targets such as infrastructure or governments, although in this case the attack is not believed to have been political.
Unless organizations begin to take ransomware seriously, the threat posed by this malicious software will only continue to increase. The good news is that there are several effective methods of ransomware protection, including:
Businesses concerned about ransomware should begin to build a robust, comprehensive tech stack that covers all these bases. That's why UncommonX has developed the BOSS XDR platform for advanced cyber threat detection and response. The BOSS XDR platform helps our clients with everything from protecting against threats to reacting and recovering after an incident.
Want to see the power of best-in-breed technology for defending against ransomware and other cyber threats? UncommonX is here to assist. Contact our team of IT security experts today for a chat about your business goals and requirements and to see a demo of the BOSS XDR solution.