What is Ransomware?

Ransomware is a specific type of malware that extorts victims for financial gain. Once activated, ransomware prevents victims from interacting with their files, applications or systems until a ransom is paid, usually in the form of an untraceable cryptocurrency like Bitcoin. In some cases, the victim is instructed to pay the perpetrator by a set time or risk losing access forever. In other cases, the perpetrator intermittently raises the ransom demands until the victim pays.

Over the years, ransomware attacks have increased in complexity, scope and scale. Today’s ransomware actors are highly experienced, sophisticated and organized. Many collectives known as “ransomware gangs” are well-funded, backed by criminal syndicates or rogue nation-states.

Ransomware is Costly and Damaging

Ransomware is one of the most pervasive, dangerous and costly forms of malware. Contemporary ransomware can quickly spread throughout an organization, impairing business-critical systems and essential public services. Around 37% of global organizations were victimized by ransomware attacks in 2021, according to an IDC report. And the average total cost of a ransomware breach is $4.62 million, according to an IBM Security report.

Recent headline-making ransomware incidents include:

  • An attack against the Irish Health Service by the Conti ransomware group that impacted patient care for months, forcing healthcare providers to cancel appointments, postpone elective surgeries and delay treatments
  • An attack against an oil pipeline operator by the DarkSide ransomware syndicate that caused supply disruptions, panic buying and gasoline shortages in several U.S. states
  • An attack by the REvil ransomware group against multiple managed service providers that ultimately impacted 1,000+ end customers
  • A widespread ransomware attack targeting Log4j vulnerabilities perpetrated by a variety of nation-state actors and individual hackers, impacting numerous technology vendors and service providers

Ransomware Ramifications

Ransomware can damage a company’s reputation and result in revenue loss, regulatory fines, legal settlements and other expenses. Worse still, it can disrupt critical infrastructure and threaten public health and safety.

Governments and industry regulators around the world are taking notice, issuing guidelines to defend critical infrastructure against ransomware and other attacks. In 2021, the Biden administration issued an executive order intended to strengthen the nation’s cybersecurity, and several European and Asia-Pacific nations introduced laws intended to protect essential infrastructure against ransomware and other cyber threats.

Cyber insurance providers are taking notice as well. In response to rising ransomware claims, most insurers are raising rates, adding exclusions and slashing payouts. Cyber premiums rose a staggering 27.6% in 2021, according to one insurance industry report.

Ransomware is Big Business

Ransomware is incredibly lucrative for cyber criminals. According to a blockchain analysis, ransomware groups received more than $600 million in cryptocurrency extortion fees in 2021.

Most of these ill-gotten gains come from large-scale Ransomware as a Service (RaaS) operations that make it easy for anyone with internet access to orchestrate a ransomware attack. With a RaaS “business model,” a ransomware “service provider” sells or leases malware services to “affiliates” who carry out attacks. The affiliates require no special knowledge, dedicated IT infrastructure or tools to perpetrate an advanced attack.

Conti, DarkSide and REvil are all prominent examples of large-scale RaaS operations. Conti has perpetrated more than 400 attacks and is believed to have extorted more than $180 million from its victims. DarkSide is believed to have made over $85 million in 2021. And REvil claims to have raked in over $100 million.

To make matters even worse, many cyber criminals are no longer content to simply hold data for ransom. Many now carry out double extortion schemes, threatening to publicly disclose stolen data if victims don’t pay up quickly. REvil even announced its intent to launch distributed denial of service (DDoS) attacks as part of a new “triple extortion” scheme. Double and triple extortion attacks up the ante, subjecting organizations to additional business loss, reputational damage, legal exposure and fines.
Mitigating Contemporary Ransomware Attacks

Conventional endpoint security tools like anti-virus software don’t adequately protect against modern ransomware attacks. Traditional anti-virus solutions use signature patterns to identify and block known malware variants. But contemporary ransomware continuously morphs and can’t be detected reliably using signature-based methods; anti-virus vendors cannot keep pace with the evolving ransomware landscape.

Ransomware attacks follow the common pattern of other data breaches: an attacker gains a foothold in a network, then escalates privileges to spread malware to other parts of the organization. Organizations can defend against modern ransomware by taking a multi-layered, defense-in-depth approach to security that includes robust Identity Security controls to contain breaches and limit spread. By combining strong Identity and Access Management (IAM) capabilities like multi-factor authentication (MFA) with comprehensive endpoint privilege management (EPM) and privileged access management (PAM) solutions, organizations can block and limit ransomware.

Endpoint privilege managers can be used to tightly control the behavior of untrusted applications and thwart unknown ransomware variants. Used in conjunction with endpoint detection and response (EDR) solutions, endpoint privilege managers can prevent privilege escalation and contain threats to the endpoint. Security professionals can sandbox unknown applications and prevent them from accessing the internet or gaining the read/write/modify permissions needed to encrypt files. An endpoint privilege manager can also remove local admin rights from endpoints for additional defense against ransomware. (Some ransomware strains exploit privileged accounts and linked Windows admin accounts to carry out attacks.)
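The two paragraphs above make the case that signature matching fails against morphing ransomware and that behavior-based controls (EPM together with EDR) are what catch it. The following is an added example, not CyberArk product code or anything from the original glossary entry, of the kind of behavioral heuristic such a control applies: it consumes a constructed stream of file-write events (the `FileEvent` record, its fields and the process names are all invented for illustration) and flags any process that writes many distinct files with encryption-like content, or ransomware-style extensions, inside a short time window. A legitimate backup tool that also writes high-entropy (compressed) data, but slowly, is included to show why the window and file-count thresholds matter.

```python
"""Behavioral ransomware heuristic over constructed file-system events.

Added illustration, not vendor code. Assumes a monitoring agent emits one
record per file write with timestamp, pid, process name, path and the bytes
written; that record format and every sample value below are constructed.
"""
import math
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FileEvent:
    ts: float        # seconds since monitoring started (constructed)
    pid: int
    process: str
    path: str
    data: bytes      # content written to the file


# Extensions commonly appended by file-encrypting malware (illustrative list).
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum and typical of ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_encryption_like(event: FileEvent, entropy_threshold: float = 7.0) -> bool:
    """A single write looks like encryption output if its content is near-random
    or the target carries a known ransom extension."""
    ext = os.path.splitext(event.path)[1].lower()
    return ext in SUSPICIOUS_EXTENSIONS or shannon_entropy(event.data) >= entropy_threshold


def flag_processes(events: List[FileEvent], window: float = 10.0,
                   min_files: int = 5) -> Dict[int, Tuple[str, int]]:
    """Return {pid: (process, distinct files)} for processes that touched at
    least `min_files` distinct files with encryption-like writes within any
    `window`-second span. Single high-entropy writes are not enough."""
    by_pid: Dict[int, List[FileEvent]] = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)

    flagged: Dict[int, Tuple[str, int]] = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        suspicious = [e for e in evs if is_encryption_like(e)]
        start, best = 0, 0
        for end, e in enumerate(suspicious):          # sliding time window
            while e.ts - suspicious[start].ts > window:
                start += 1
            best = max(best, len({s.path for s in suspicious[start:end + 1]}))
        if best >= min_files:
            flagged[pid] = (evs[0].process, best)
    return flagged


def sample_events() -> List[FileEvent]:
    """Constructed event stream: one benign editor, one bulk encryptor, one
    slow backup job that writes compressed (high-entropy) data."""
    ciphertext_like = bytes(range(256)) * 2          # entropy exactly 8.0
    prose = b"Quarterly revenue summary, draft 3\n" * 10
    events = [FileEvent(1.0, 4242, "notepad.exe", r"C:\Users\a\report.docx", prose)]
    for i in range(8):                                # 8 files in 0.7 s
        events.append(FileEvent(2.0 + i * 0.1, 7331, "update_helper.exe",
                                rf"C:\Users\a\Documents\file{i}.xlsx.locked",
                                ciphertext_like))
    for i in range(6):                                # 6 files, one every 12 s
        events.append(FileEvent(100.0 + i * 12.0, 9000, "backup.exe",
                                rf"D:\backup\vol{i}.zip", ciphertext_like))
    return events


if __name__ == "__main__":
    for pid, (name, n) in flag_processes(sample_events()).items():
        print(f"ALERT pid={pid} process={name} encryption-like writes to {n} files")
```

The heuristic is deliberately two-factor: high entropy alone would flag compression and legitimate encryption, and a burst of writes alone would flag installers, so it requires both a suspicious write and a burst of distinct files. In a real EPM/EDR deployment the alert would feed a policy action such as suspending the process or revoking its file-write permission rather than just printing.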

Organizations can also use PAM solutions to enforce the principle of least privilege and minimize the blast radius of ransomware. When brokering privileged sessions, PAM solutions isolate workstations from sensitive servers and virtual machines, helping to prevent the spread of ransomware.

PAM solutions also let organizations manage and secure the privileged account credentials used to access an organization’s most sensitive systems—those that would be most impacted by a ransomware attack. They help organizations mitigate credential theft and abuse by rotating and updating privileged credentials based on policy. The best PAM solutions support single sign-on (SSO) functionality and MFA to positively confirm privileged user identities, eliminate poor password hygiene and prevent unauthorized access.

Additional Considerations

Security organizations should institute an air-gapped data protection strategy to improve recovery efforts in the event of a ransomware attack. Network-attached storage (NAS) and direct-attached storage (DAS) are both vulnerable to ransomware, because an attacker who can write to the primary system can usually write to them too. Replicating data to cloud storage or frequently backing up data to removable media provides better protection against ransomware.
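An offline copy is only useful for recovery if you can tell that it has not itself been encrypted or tampered with before it was detached. The example below is added here and is not part of the original glossary entry or CyberArk's tooling: it builds a SHA-256 manifest of a source tree at backup time and later verifies a backup copy against that manifest, reporting files that were modified (for instance overwritten with ciphertext) or are missing. The directory layout and file contents are constructed in a temporary directory for the demonstration; the assumption the example relies on is that the manifest is stored with the air-gapped copy (or otherwise out of the attacker's reach), since a manifest an attacker can rewrite proves nothing.

```python
"""Hash-manifest verification for an offline backup copy.

Added illustration, not vendor code. The tree, file contents and the
simulated corruption in demo() are all constructed for the example.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative, POSIX-style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a backup copy against a trusted manifest.

    Returns {"ok": [...], "modified": [...], "missing": [...]}. A file whose
    digest no longer matches is reported as modified; this is what an
    encrypted-in-place backup looks like."""
    result: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> Dict[str, List[str]]:
    """Back up a constructed tree, then damage the copy and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.csv").write_text("month,revenue\njan,100\n")
        (src / "notes.txt").write_text("board meeting notes\n")
        (src / "readme.md").write_text("# Project\n")

        manifest = build_manifest(src)          # taken at backup time
        bak = Path(tmp) / "backup"
        shutil.copytree(src, bak)

        # Simulate what a backup reachable from the network can suffer:
        # one file overwritten with ciphertext-like bytes, one deleted.
        (bak / "notes.txt").write_bytes(bytes(range(256)))
        (bak / "finance" / "q1.csv").unlink()

        return verify_backup(bak, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:8s} {files}")
```

Run the manifest step before the media is detached, keep the manifest with the offline copy, and run the verify step on a restore drill; a backup that reports modified or missing entries is not a recovery point.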

It is always a good idea to have a trusted outside professional services organization analyze a team’s ability to detect and respond to ransomware. Consulting firms and security solution providers offer Red Team services to help simulate ransomware attacks and assess readiness.