

by James G. Barr

Docid: 00021047

Publication Date: 2210

Report Type: TUTORIAL


Ransomware is a form of malware in which an attacking agent assumes
control of a victim’s computer, encrypts the victim’s files, and demands
payment before system and file access is restored. Once the files are
encrypted, the hacker responsible will display a screen message explaining
how to pay to unlock the files, usually with a short deadline to induce a
sense of urgency and discourage the victim from seeking possible
remediation from law enforcement or computer security experts.

Executive Summary

Ransomware is a type of malware in which an attacking agent assumes
control of a victim’s computer and demands payment before owner access is
restored.


Ransomware is a particularly insidious form of extortion since it
encrypts a victim’s data at the file or disk level – thus leveraging the
same technique that computer users are encouraged to employ to protect
their information against loss or theft. Like other malware, ransomware
can be activated simply by opening an e-mail attachment or clicking a Web
link. Once the files are encrypted, the hacker will display a screen
message explaining how to pay to unlock the files. The perpetrator often
provides a short deadline to induce a sense of urgency and discourage the
victim from seeking intervention from law enforcement or computer security
experts.

When the victim capitulates (often out of fear or ignorance), payment is
normally rendered in the form of a cryptocurrency like bitcoin, although
credit card payments are often arranged in situations where the hacker is
masquerading as a security company or other benevolent force. Once payment
is received, the encrypted files are normally unlocked – although there is
no guarantee.

Like other types of malware, ransomware can propagate across a network
and encrypt files located on shared network drives.

How Bad Is It?

According to statistics accumulated by The Record by Recorded Future
(see Figure 1), the number of reported monthly attacks
from September 2020 to September 2022 ranged from a low of about 120 in
January 2021 to a high of about 360 in November 2021.

Two things are clear:

  1. The actual numbers are much higher, owing to the reticence of some
    victims, particularly high-profile victims, to report.
  2. Ransomware remains an unchecked epidemic.

Figure 1. Ransomware Attacks – The Latest Figures

Contributing to the legacy of ransomware are several highly publicized

City of Baltimore Attack

As evidence of the corrosive effects of ransomware, hackers struck the
city of Baltimore, Maryland, in May 2019, encrypting government files and
demanding payment for the decryption keys. Mayor Bernard C. “Jack” Young
refused to pay and ordered his officials to rebuild the city’s computer
systems. Concerned, no doubt, about public reaction, officials did not
acknowledge until September that performance data had been lost in the
attack.1

In response to the incident and its associated costs, city officials
announced their intention to acquire $20 million in cyber liability
insurance:

  • $10 million from Chubb Insurance costing $500,103; and
  • $10 million from AXA XL Insurance costing $335,000.2

Colonial Pipeline Attack

Two years after the Baltimore incident, in May 2021, a ransomware attack
was responsible for disrupting critical US infrastructure operations. As The
New York Times reported, “One of the US’s biggest pipeline
operators, Colonial Pipeline, disclosed … that it was forced to shut down
after it was hit by ransomware, crippling [a] company that supplies 45
percent of the East Coast’s fuel.”3 The ransom, $4.4 million,
was eventually paid, as the alternative, severe fuel shortages and business
disruptions, rendered the decision easier – and more defensible.

The Facebook Dilemma

On October 4, 2021, a series of maintenance errors committed by internal
IT staff caused Facebook and its family of apps, including Instagram,
WhatsApp, and Messenger, to go offline for five hours, affecting 3.5
billion users.4 While ransomware was not involved, the outage
highlights the fragility of even the best-run IT networks, and raises the
question of whether Facebook, Google, Amazon, Microsoft or any other major
tech company is truly prepared to prevent a ransomware event that targets
their vast array of interconnected systems and servers.

Victims’ Alternatives

Once successfully attacked, ransomware victims can pursue one of four
basic strategies:

  1. Restore the compromised data from a recent backup – Presuming the
     backup exists and is viable.
  2. Decrypt the files using a third-party decryptor – If available and
     reliable.
  3. Do nothing – And possibly lose the data.
  4. Pay the ransom – In some cases, negotiating a lower amount.

Ransomware Threat

A ransomware attacker’s typical modus operandi is to:

  • Encrypt a victim’s sensitive files.
  • Demand a ransom from the victim for releasing those files (see Figure 2).
  • Provide the victim with a decryption key if and when the ransom is paid.

Figure 2. You Have Been Infected with Ransomware

Source: FireWire

The ransomware threat is both broad and multi-faceted. In fashioning a
ransomware defense, enterprise chief security officers should consider the
following factors:

Managed service providers (MSPs) are being exploited.

Analyst Rob Sobers reports that “Ransomware gangs have been shifting
their focus to managed services providers (MSPs),” a clever strategy since
each vendor offers an avenue of entry into multiple client companies.6

The cloud and cloud operations are being targeted.

According to the US Cybersecurity & Infrastructure Security Agency
(CISA), ransomware developers are targeting cloud infrastructures to exploit
known vulnerabilities in cloud applications, virtual machine software, and
virtual machine orchestration software.

Ransomware actors are also targeting cloud accounts, cloud application
programming interfaces (APIs), and data backup and storage systems to deny
access to cloud resources. Perhaps most worrying, they are also targeting
cloud service providers to encrypt large amounts of customer data.7

Certain industries are inherently vulnerable.

Sectors including healthcare, education, finance and insurance, and
government experience both internal and external pressure to “pay up” in
the wake of a ransomware attack. Especially in healthcare, any delay in
resolving a ransomware incident could cost lives in addition to dollars.
While no organization of any size is immune to ransomware attacks,
hospitals, schools, and small town governments will remain high-valued
targets on a ransomware attacker’s “hit list.”

Ransomware is evolving, presenting new and more virulent strains.

Similar to real-world viruses, ransomware variants continue to emerge,
often confounding the security specialists tasked with detecting and
deterring them. One promising development, according to Sobers, is that
“defenses have begun to harden, including improved heuristics or
behavioral analysis, and the use of canary or bait files for earlier

Ransomware is spreading rapidly to mobile devices.

Check Point Software Technologies reports that “ransomware has shifted
its focus and is now keyed in on mobile devices like smartphones and
tablets. While most mobile ransomware attacks center on individuals, the
growth of BYOD movements at an enterprise level means businesses have to
worry about this threat as well.”9

Ransomware-as-a-Service is expanding.

One of the latest variations on the malware-as-a-service phenomenon,
ransomware-as-a-service is lowering the cost of entry, both technical and
financial, for aspiring ransomware actors.

Analyst Adam Jeffs sadly observes, “RaaS [reveals] how cyber crime is
[becoming] a fully-fledged economy. There is the individual that develops
and maintains the ransomware tools that power the attacks and then there is
an affiliate that will invest in these tools in order to carry out attacks.
There is no one ransomware family here and the profits of an attack are
typically split between the RaaS developer and the attacker. An access
broker may also be involved in the operation in order to secure the entry
point to the network for the RaaS [malware] to be deployed.”10

Ransomware can feel like being shot, stabbed, and poisoned.

The latest generation of ransomware can be particularly devastating,
combining several extortion vectors. As described by CISA, after
encrypting a victim’s network, a ransomware actor will pursue a “triple
extortion” strategy by threatening to do one, two, or all three of the
following:

  • Publicly release sensitive information
  • Disrupt the victim’s Internet access
  • Inform the victim’s partners, shareholders, or suppliers about the
    incident

Remote workers will continue to provide cyber attackers with a
target-rich environment.

Remote work and remote workers will remain a fertile environment for
planting ransomware. Consider that wholesale-level remote work, which
began as an accommodation to COVID-19, is now mainstream, and many remote
work facilities, often an employee’s spare bedroom, lack the overall
security afforded by company offices. In these insecure settings, expect
ransomware attacks to escalate.

The Internet of Things (IoT) will facilitate the spread of malware,
including ransomware.

As analyst Patrick Howell O’Neill succinctly observes, “The unavoidable
fact [is] that weak cybersecurity combined with ubiquitous connectivity
equals increasingly vulnerable targets. Everything in America – from our
factories to our hospitals – is connected to the Internet, but a lot of it
is not adequately secured.”12

Since in many cases we can’t even secure the Internet, securing the
Internet of Things – against ransomware and other threats – will be even
more demanding.

Ransomware Prevention

While more disruptive than most viruses and worms, ransomware is, after
all, just another form of malware. As such, the best strategy for
preventing a ransomware attack is to erect robust and reliable
anti-malware defenses.

Practice IT Hygiene

Keeping IT systems clean and secure requires, at minimum, the following:

  • Installing robust and reliable anti-malware software and appliances.
  • Promptly applying vendor-supplied software, hardware, and firmware
    patches.
  • Implementing multi-factor user authentication, combining a password,
    for example, with a biometric identifier.
  • Regulating – if not restricting – the use of “shadow” software,
    hardware, and services.
  • Routinely – and automatically – backing up all essential data.

While these actions will not necessarily prevent ransomware infections,
they will reduce the likelihood of exposure.

Preach Security Awareness

Some argue that virtually all malware infestations, including ransomware,
are ultimately preventable if users refrain from certain risky behaviors,
such as:

  • Opening e-mails from unknown senders.
  • Downloading unknown attachments.
  • Clicking unknown links.
  • Visiting unknown websites.

A first line of defense against ransomware is training users to behave in
a responsible manner, limiting their Internet interactions to trusted
individuals and organizations.

Segment IT Networks

Once ransomware penetrates an enterprise system it can normally propagate
across the entire enterprise network. Analyst Puja Mahendru recommends
reducing the potential for “lateral movement” – restricting the overall
attack space – by segmenting the network. In specific terms, “Segment LANs
into smaller, isolated zones or VLANs that are secured and connected by
the firewall. Be sure to apply suitable IPS policies to rules governing
the traffic traversing these LAN segments in order to prevent exploits,
worms, and bots from spreading between LAN segments.”13

A more radical approach is to “air gap” certain critical systems, ensuring
these systems are not directly connected to the Internet or to other
systems that are connected to the Internet.

At the other end of the scale, a more modest measure is to leave some
systems connected and other systems of the same type and function
unconnected. In this way, the unconnected systems could be used to
maintain limited operations in the wake of a ransomware attack. 

Validate Backup Viability

In the event of a ransomware attack, the surest way to recover is to
restore encrypted files from backup media. To ensure backups are
complete and uncompromised, enterprise IT should conduct routine “retrieve
and restore” exercises, in which random backup files are retrieved or
downloaded from offsite storage, and their data compared – byte for byte –
against pristine reference samples preserved at the time of backup. Such
exercises validate the backup and recovery process by verifying that:

  • Backup data can be readily retrieved.
  • Backup data can be restored, in whole or in part.
  • Restored data is identical to the original, i.e., source, data.

Conduct Ransomware Self-Assessment

Radware, a provider of cybersecurity services for data centers, suggests
that enterprises evaluate their present ransomware posture by answering
the following questions.

  • “Are we prepared for cyber ransoms?
  • “Would we ever pay a ransom? If not, why? If so, when?
  • “Who is responsible for making that call?
  • “If cyber ransomed, would we go public? What is our public
    relations/communications plan?
  • “Do we have internal and external technical resources with the
    expertise to guide us through these situations?
  • “Do we have any insurance to [recover] any financial losses during [a
    post-event] period?
  • “Do we have a legal and/or law enforcement plan in each geography
    where we operate?
  • “Do we have a policy or plan for cyber hack-back?
  • “Should we consider trial exercises or desktop planning events to help
    with preparations?
  • “Do we have plans for recovering technical data and infrastructure?”14

The answers will help inform the development of an enterprise’s
ransomware strategy, and prepare enterprise officials for the reality of a
highly-possible ransomware attack.

Follow NIST Guidelines

The US National Institute of Standards and Technology (NIST) has released
a series of “tips and tactics for dealing with ransomware.”

  • Use antivirus software at all times, and make sure it is set up to
    automatically scan your e-mails and removable media (e.g., flash drives)
    for ransomware and other malware.
  • Keep all computers fully patched with security updates.
  • Use security products or services that block access to known ransomware
    sites on the Internet.
  • Configure operating systems or use third-party software to allow only
    authorized applications to run on computers, thus preventing ransomware
    from working.
  • Restrict or prohibit use of personally owned devices on your
    organization’s networks and for telework or remote access unless you are
    taking extra steps to assure security.
  • Use standard user accounts instead of accounts with administrative
    privileges whenever possible.
  • Avoid using personal applications and websites, such as e-mail, chat,
    and social media, on work computers.
  • Avoid opening files, clicking on links, etc. from unknown sources
    without first checking them for suspicious content. For example, you can
    run an antivirus scan on a file, and inspect links carefully.
  • Develop and implement an incident recovery plan with defined roles and
    strategies for decision making.
  • Carefully plan, implement, and test a data backup and restoration
    strategy. It is important not only to have secure backups of all your
    important data, but also to make sure that backups are kept isolated so
    ransomware cannot readily spread to them.
  • Maintain an up-to-date list of internal and external contacts for
    ransomware attacks, including law enforcement.15

Perform Penetration Tests

Even if an enterprise has done “all the right things” security-wise,
there is no way to predict with confidence that a ransomware attack is
impossible or even substantially improbable. That’s why enterprises should
commit to regular rounds of “penetration testing,” in which third-party
analysts – invoking the same tools and techniques utilized by hackers –
attempt to breach an organization’s network and deposit a piece of
malicious code.

Often under-appreciated and under-utilized, penetration tests provide
important intelligence, identifying network vulnerabilities and,
crucially, enabling software and process repairs.

Conduct Simulated Recoveries

Understanding the danger posed by ransomware, enterprises should test
their ability to respond to a ransomware attack. In particular, they
should determine the viability of restoring massive amounts of data from
their regular system backups. Two questions are central:

  • Are the data available?
  • Can the data be recovered in a reasonable time frame?

If backup data are missing or the restore process is prohibitively long,
enterprise IT must work to establish a fast and reliable backup and
recovery mechanism.
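Both the byte-for-byte “retrieve and restore” check described under Validate Backup Viability and the two questions of a simulated recovery (is the data there, and can it be restored in time) can be exercised by one script. The following is an added example, not the report’s or any backup vendor’s tooling: a manifest of SHA-256 digests is recorded at backup time, a restore is timed, and the restored tree is compared against the manifest, reporting missing, extra, and mismatched files and whether the restore finished within the recovery time objective. The manifest format, the directory layout, the use of a directory copy to stand in for the real restore step, and the RTO value are assumptions for illustration.

```python
"""Retrieve-and-restore exercise: added example, not the report's own tooling.
Verifies a restored tree against a manifest taken at backup time and measures
whether recovery fits the time objective. Manifest format ("sha256  path" per
line), layout, the copy standing in for the restore, and the RTO are assumptions."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Taken at backup time: {relative posix path: sha256} for every regular file."""
    return {
        p.relative_to(source).as_posix(): sha256_file(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }


def write_manifest(manifest: dict, dest: Path) -> None:
    # Keep the manifest with the offline/immutable copy, not on the protected host:
    # ransomware that can reach the host can rewrite a manifest stored there.
    dest.write_text("".join(f"{h}  {rel}\n" for rel, h in sorted(manifest.items())))


def read_manifest(src: Path) -> dict:
    manifest = {}
    for line in src.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        manifest[rel] = digest
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Byte-for-byte check of a restored tree against the backup-time manifest."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "extra": sorted(set(actual) - set(manifest)),
        "mismatched": sorted(r for r in manifest if r in actual and actual[r] != manifest[r]),
        "ok": sorted(r for r in manifest if actual.get(r) == manifest[r]),
    }


def restore_exercise(backup: Path, manifest_file: Path, target: Path, rto_seconds: float) -> dict:
    """Time a full restore and report whether it is both complete and within the RTO."""
    start = time.monotonic()
    shutil.copytree(backup, target)          # stand-in for the real restore step
    elapsed = time.monotonic() - start
    report = verify_restore(target, read_manifest(manifest_file))
    report["elapsed_seconds"] = elapsed
    report["within_rto"] = elapsed <= rto_seconds
    report["passed"] = report["within_rto"] and not (report["missing"] or report["mismatched"])
    return report


def run_demo() -> tuple:
    """Constructed scenario: back up a small tree, run a clean exercise, then damage the
    backup copy (one file altered, one deleted) and run it again.
    Returns (clean_report, damaged_report)."""
    root = Path(tempfile.mkdtemp())
    source, backup, manifest = root / "source", root / "backup", root / "backup.sha256"
    (source / "finance").mkdir(parents=True)
    (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
    (source / "readme.txt").write_text("quarterly close procedure\n")
    shutil.copytree(source, backup)
    write_manifest(build_manifest(source), manifest)

    clean = restore_exercise(backup, manifest, root / "restore1", rto_seconds=60)

    # Silent backup damage that a restore test is meant to surface
    (backup / "readme.txt").write_text("quarterly close procedure (tampered)\n")
    (backup / "finance" / "ledger.csv").unlink()
    damaged = restore_exercise(backup, manifest, root / "restore2", rto_seconds=60)
    return clean, damaged


if __name__ == "__main__":
    for label, report in zip(("clean", "damaged"), run_demo()):
        print(f"{label}: passed={report['passed']} missing={report['missing']} "
              f"mismatched={report['mismatched']} elapsed={report['elapsed_seconds']:.3f}s")
```

The exercise answers the report’s two questions directly: “missing” and “mismatched” show whether the data is really there and intact, and “within_rto” shows whether it came back fast enough; both must be clean for the run to pass.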

Ransomware Recovery

After suffering a ransomware attack, the US government recommends taking
the following steps:

Step 1: Isolate the infected computer immediately. Infected systems should
be removed from the network as soon as possible to prevent ransomware from
attacking network or share drives.

Step 2: Isolate or power-off affected devices that have not yet been
completely corrupted. This may afford more time to clean and recover data,
contain damage, and prevent worsening conditions.

Step 3: Immediately secure backup data or systems by taking them offline.
Ensure backups are free of malware.

Step 4: Contact law enforcement. Contact a local field office of the
Federal Bureau of Investigation (FBI) or US Secret Service immediately upon
discovery to report a ransomware event and request assistance.

Step 5: If available, collect and secure partial portions of the ransomed
data that might exist.

Step 6: If possible, change all online account passwords and network
passwords after removing the system from the network. Furthermore, change
all system passwords once the malware is removed from the system.

Step 7: Delete Registry values and files to stop the program from loading.

Step 8: Implement your security incident response and business continuity
plan. Ideally, organizations will ensure they have appropriate backups, so
their response to an attack will simply be to restore the data from a known
clean backup. Having a data backup can eliminate the need to pay a ransom to
recover data.

Steps 6 and 7 alter the compromised system; if a forensic investigation is
expected, image the affected hosts first so that evidence is preserved.

Getting Out of Jail for Free

In addition to the above actions, Adam Alessandrini, author of the
“Ransomware Hostage Rescue Manual,” suggests trying to identify the
ransomware strain. “Ransomware strains vary in that some are more costly
(in ransom payments) than others, while some versions will have even more
options to pay than just Bitcoin. There is the off-chance that your
particular strain has had a decryption tool built by an antivirus company
that will allow you to decrypt your files without having to pay anything.”


Recommendations

According to a US Government interagency technical guidance document
designed to inform CIOs and CISOs at critical infrastructure agencies,
ransomware is one of the fastest growing malware threats, targeting users
of all types – from the home user to the corporate network. Enterprise
officials (CEOs, CIOs, CSOs, CISOs) should plan for ransomware attacks before
it’s too late.

Determine the Enterprise’s Ransomware Posture

Radware’s self-assessment questions, listed above under “Conduct Ransomware
Self-Assessment,” are the starting point: they establish whether the
enterprise would pay, who decides, and whether the legal, insurance,
communications, and recovery plans exist to act on that decision.18

Remember That Paying IS an Option

Paying ransom in response to a ransomware attack has been compared to
“negotiating with terrorists” and, therefore, unacceptable. A computer
user, whether individual or enterprise, should refrain from “putting a
stake in the ground” if, upon reflection, paying up is the best course of
action. Any decision to pay should be made with legal counsel and law
enforcement involved, since payment carries no guarantee of decryption and
may expose the payer to sanctions restrictions.

Leverage the Ransomware Threat to Improve Overall Enterprise Security

Ransomware is malware. The same techniques that mitigate other types of
malware will mitigate ransomware. As they did with identity theft, chief
security officers can leverage the current concern over ransomware to
effect overall improvements in enterprise cybersecurity by extending and
enhancing the anti-malware measures already in place.

Cooperate with Law Enforcement to Combat Ransomware

Analyst Bob Brown reports that “The FBI has issued a plea
for those who have been hit by ransomware to report this to federal law
enforcement so that the country can get a better sense of just how bad
this problem really is. It suspects many victims – both individuals and
businesses – don’t report incidents for any number of reasons, including
that they don’t know where to turn and fear loss of privacy.”19

Gauging the true scope of the ransomware problem will enable the FBI –
and other law enforcement and security agencies – to justify increasing
their investment in ransomware detection and deterrence.



About the Author

James G. Barr is a leading business continuity analyst
and business writer with more than 30 years’ IT experience. A member of
“Who’s Who in Finance and Industry,” Mr. Barr has designed, developed, and
deployed business continuity plans for a number of Fortune 500 firms. He
is the author of several books, including How to Succeed in Business BY
Really Trying, a member of Faulkner’s Advisory Panel, and a senior editor
for Faulkner’s Security Management Practices. Mr. Barr can be reached via
e-mail at jgbarr@faulkner.com.