Need cloud computing? Get started now

What Is Ransomware Protection?

Ransomware has become one of the most dangerous cyberthreats in recent years. With the ability to cripple the operations of business enterprises, supply chains, healthcare institutions, and government agencies, ransomware can cause widespread disruption and cost victim organizations millions of dollars.

For effective ransomware protection, organizations must focus both on threat protection technology to prevent ransomware from entering their IT networks and on incident response to minimize the damage from any successful cyberattacks.

The history of ransomware

Ransomware is a type of malware that blocks access to a user’s files, data, and applications, enabling attackers to demand a ransom in exchange for decryption keys. Ransomware threats have evolved from simple viruses that locked users out of their computers to sophisticated malware that encrypts files and steals sensitive data from computers, mobile devices, cloud storage, and on-premises servers. The latest incarnation of ransomware is RaaS (ransomware as a service), in which ransomware operators allow other cybercriminals to use their code to launch ransomware attacks in exchange for a percentage of the ransom payment. Because it takes very little skill or knowledge to employ RaaS, a much larger group of would-be hackers can launch ransomware attacks, increasing the frequency of these sophisticated threats.

How ransomware infects IT systems

To achieve superior ransomware protection, security teams must understand and defend against all the ways that threat actors can infect an IT system with ransomware.

  • Phishing attacks: Phishing attacks use social engineering and messages that appear to be legitimate but, in reality, contain malicious links or attachments. When a user opens an attachment or clicks on a link, ransomware can be downloaded to their system.
  • Vulnerability exploitation: Hackers often gain access to devices by using automated tools to exploit known vulnerabilities in software and operating systems like Microsoft Windows, Linux, and macOS. Some ransomware variants can spread across networks by exploiting vulnerabilities without any user intervention.
  • Malvertising: In malicious advertising, hackers inject ransomware-laden ads into legitimate web pages and online advertising networks. Ransomware is downloaded to a user’s device when unsuspecting users click on an ad.
  • Remote Desktop Protocol (RDP) attacks: RDP enables users to access computers remotely. Ransomware gangs frequently gain unauthorized access to a computer or network by exploiting weak or stolen RDP credentials.
  • Drive-by downloads: When a user unknowingly visits an infected website, ransomware may be automatically downloaded and installed on their computer even if they don’t click on any links on the page.
  • Removable media: Ransomware may be downloaded automatically to a device when a user connects an infected USB drive or external hard drive to a system.
  • Supply chain attacks: As organizations open their networks to third-party suppliers and vendors, attackers are targeting companies by embedding malware within third-party systems or legitimate software updates.
  • Mobile apps: Ransomware may be downloaded to mobile devices when a user installs an app from a third-party app store on their mobile device.

How ransomware works

Once ransomware has successfully infected a server or machine, it typically performs a series of actions in several stages.

  • Installation: After it’s downloaded to a device, ransomware code installs itself on a host system. It may attempt to gain persistent access by modifying system registry files or installing additional malware to ensure that the ransomware code will run whenever the system is rebooted.
  • Evasion: The latest strains of ransomware frequently take steps to evade detection by disabling security software, obfuscating malicious code, and detecting virtual machine environments that could aid analysis by cybersecurity researchers.
  • Privilege escalation: This involves gaining higher-level access rights to systems and accounts, enabling the malware to access more files and perform other malicious acts without being restricted by user permissions.
  • Discovery: Ransomware may search the affected system and connected networks to identify valuable data that could be targeted for encryption or exfiltration.
  • Exfiltration: Before encrypting files, some ransomware variants exfiltrate data to external servers. This enables attackers to add another layer of extortion, demanding payment in return for not leaking sensitive data.
  • Encryption: This is the central function of ransomware. Most variants target specific types of files like documents and databases, using strong encryption algorithms to conceal files, which prevents users from accessing them. Encryption usually takes place very quickly to maximize impact.
  • Ransom note: After encryption is complete, ransomware notifies the victim that an attack has taken place and provides instructions on how to pay the ransom by a certain deadline.

The keys to ransomware protection

Ransomware protection focuses both on ransomware prevention and on rapid mitigation and remediation, minimizing the “blast radius” of an attack and recovering quickly without having to pay a ransom. Best practices include:

  • Implement multilayered security solutions: To stop ransomware, security teams may deploy antivirus software, anti-malware protection solutions, and anti-ransomware services that prevent ransomware infections. These solutions must be updated in real time with advanced threat intelligence. Network security measures like host-based firewalls, secure remote access solutions, and ransomware detection and response capabilities are essential. Email filtering technology can block messages that contain executable files or links to malicious websites. Application allowlisting permits only approved software to run on network devices and reduces the risk of ransomware execution.
  • Adopt Zero Trust solutions: Applying the principles of Zero Trust and least privilege across all systems and services ensures that only authorized users have access to the network and that they can access only the data and resources required for their roles.
  • Enable multi-factor authentication (MFA): By requiring users to provide more than one type of authentication, MFA adds additional security to prevent unauthorized access to sensitive systems and data.
  • Conduct security awareness training: Because many ransomware attacks are enabled by human error, such as clicking on a link in a phishing email, training employees to watch for signs of ransomware can help prevent attacks.
  • Perform frequent data backups: In effective data protection plans, critical data is frequently backed up and stored in secure, offsite, and offline locations.
  • Develop robust recovery plans: Superior data recovery and business continuity plans help minimize downtime when an attack is successful.
  • Adopt an optimal patching cadence: Mitigate vulnerabilities in software and operating systems by regularly applying patches and updating systems, applications, and firmware.
  • Enable strong identity and access management: Strictly limiting permissions for access to files and directories can prevent ransomware attackers from moving laterally once they have infected one part of the network.
  • Use endpoint protection: Ransomware protection solutions for endpoints can monitor and restrict executable paths to reduce the risk of ransomware on individual machines and devices.
  • Segmentation: Solutions for segmentation enable security teams to limit lateral movement by placing security parameters around individual IT assets and smaller sections of the network.
  • Develop an incident response plan: A well-executed incident response plan can help speed detection, mitigation, remediation and ransomware removal while streamlining communication with stakeholders and law enforcement agencies, such as the FBI.

Frequently Asked Questions (FAQ)

 

Ransomware variants like WannaCry, Ryuk ransomware, CryptoLocker, REvil, Cerber, Bad Rabbit, LockBit, and Conti ransomware fall roughly into several categories of malware.

  • Crypto ransomware is the most common type of variant. It encrypts the files on a hard drive using complex encryption algorithms.
  • Leakware uses malware that exfiltrates valuable files from the victim’s IT environment. This allows attackers to perform double extortion by threatening to leak sensitive data unless they are paid another ransom.
  • Locker ransomware is a simpler type of attack that locks victims out of their devices rather than encrypting files.
  • Scareware is a variant that aims to frighten users into paying a ransom by presenting a pop-up message that indicates a device has been infected.
  • DDoS ransomware uses botnets to conduct a distributed denial-of-service attack on an IT system, allowing attackers to demand a ransom in exchange for ending the attack.

In 2023, there were 317.59 million attempted ransomware attacks globally.

 

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.

Explore all Akamai security solutions