How Ransomware Works - A Guide for Small Businesses
Ransomware has emerged as one of the most devastating cyber threats out there for businesses. It wreaks havoc on companies of all sizes, individuals and government institutions around the globe.
This type of malicious software, or malware, encrypts victims' data, rendering it inaccessible until a ransom is paid, often in cryptocurrencies. Understanding ransomware and how it operates is crucial for small businesses to protect themselves effectively.
In this post, we'll delve into how ransomware works and the steps you can take as a small business to boost your ransomware resilience.
The Rise of Ransomware
Ransomware attacks have been on the increase in recent years as cyber criminals constantly evolve their tactics to maximize profits. According to bodies such as the UK’s National Cyber Security Centre (NCSC), the global threat of ransomware is only likely to rise with the increasing prevalence of AI.
It may be tempting to think that smaller businesses would be less of a target to criminals than larger corporations. But data shows otherwise:
- Over three-quarters of cyber incidents impacted small businesses in 2023, with ransomware having the biggest impact on these firms.
- In 2023, the number of first-time attacks against small US-based businesses jumped 18 percentage points compared to 2022.
- 61% of small-to-medium-sized businesses were hit by a successful cyber attack between 2022 and 2023.
"Ransomware affects all sizes of businesses across all sectors, but we have seen it hit small- and medium-sized enterprises the most frequently. In 2021, the Institute for Security and Technology’s Ransomware Task Force found that 70% of ransomware attacks targeted small businesses." The 2024 Sophos Threat Report: Cybercrime on Main Street.
How Ransomware Works: A Step-By-Step Overview
Ransomware typically infiltrates systems through phishing emails, malicious attachments, or exploiting vulnerabilities in software. Once it's inside a system, it encrypts files, making them inaccessible to the user. The attackers then demand payment, usually in cryptocurrency, in exchange for a decryption key to unlock the files.
This is the order ransomware attacks usually take.
Ransomware Infiltration
Ransomware infiltrates a system through various means, including: Phishing Emails - Attackers often distribute ransomware through phishing emails that contain malicious attachments or links. These emails may masquerade as legitimate messages from trusted sources, enticing recipients to open attachments or click on links that contain the ransomware payload.
-
Exploiting Vulnerabilities- Ransomware can exploit vulnerabilities in software or operating systems to gain access to a victim's system. Cyber criminals may exploit known vulnerabilities that have not been patched by the victim's organization, allowing the ransomware to infiltrate the system undetected.
-
Encrypting Files - Once the ransomware is executed on a victim's system, it begins encrypting files using strong encryption algorithms. This process typically targets a wide range of file types, including documents, images, videos and databases, among others. As the encryption process proceeds, the files become inaccessible to the user and the contents are effectively locked.
Issuing a Ransom Note
After encrypting the files, ransomware typically displays a ransom note on the victim's screen. This note informs them that their files have been encrypted and provides instructions on how to pay the ransom to receive the decryption key.
The ransom note may include details such as the amount of the ransom, the deadline for payment and the cryptocurrency wallet address to which the ransom should be sent.
Data Exfiltration
In some cases, ransomware operators may also exfiltrate sensitive data from the victim's system before encrypting it. They may threaten to release this data publicly if the ransom is not paid, adding another layer of pressure on the victim to comply with their demands.
Demanding Payment
If the victim chooses to pay the ransom, they’re typically instructed to do so using cryptocurrencies such as Bitcoin or Ethereum. These currencies offer a degree of anonymity to the attackers. Once the ransom payment is made, the attackers may provide the victim with a decryption key or tool to unlock their files.
However, there is no guarantee that paying the ransom will result in the successful decryption of files. It may also incentivize further ransomware attacks. These are just some of the many reasons why cyber crime authorities and government bodies advise against paying ransoms to cyber criminals.
How to Mitigate Ransomware Threats
“Many ransomware incidents can be prevented by ensuring that appropriate security measures are in place.” Felicity Oswald, Chief Operating Officer, NCSC.
As with all types of cyber security threats, it’s widely accepted that businesses should prepare for when a ransomware attack happens, rather than if. These steps are the basics any small business should take as a starting point to building their ransomware resilience.
1.) Back up Data Regularly
Maintain regular backups of important data to minimize the impact of ransomware attacks. Ensure backups are stored securely and are accessible in the event of an attack.
2.) Stay on Top of Patch Management
Keep software and systems up to date with the latest security patches to mitigate any vulnerabilities that could be exploited by ransomware.
3.) User Training
Keep your teams educated and alert on the dangers of phishing emails and the importance of practicing good cyber security hygiene.
4.) Implement Network Segmentation
Network segmentation can limit the spread of ransomware within your business’ network.
5.) Invest in Quality Security Software
Choosing robust antivirus and antimalware solutions can help detect and prevent ransomware infections.
Ransomware Resources and Guidance for Small Businesses
Government bodies around the world have recognized the urgent need to combat ransomware. The US’ Cybersecurity and Infrastructure Security Agency (CISA) issues alerts and guidance to help businesses protect their data against ransomware attacks.
Similarly, the NCSC provides resources and advice to businesses on securing their systems and responding to ransomware incidents.
CISA
CISA offers excellent resources on ransomware via its dedicated Stop Ransomware site. Some useful downloads for small businesses include:
- A ransomware response checklist
- The ransomware protection guide
- Ransomware readiness self-assessment
NIST
The US’ National Institute of Standards and Technology (NIST) offers resources such as:
- The ransomware protection and response guidelines
- Videos on protecting your small business from ransomware
- Infographics featuring ransomware protection tips
NCSC
The NCSC also issues guidance and support for businesses to help them prepare for ransomware attacks, including:
- The small business' guide to cyber security
- A guide to protecting your business from phishing attacks
- The cyber incident response scheme
Keeping Your Small Business Protected Against Ransomware
Ransomware attacks can have severe consequences for small businesses. They face financial losses from ransom payment demands. But they can also suffer downtime, data breaches and reputational damage that can be difficult, if not impossible, to recover from.
By understanding how ransomware operates, putting effective cyber security measures in place and implementing trusted tools and software, small businesses can protect themselves as much as possible against this malicious threat.
At Macrium Software, we’re aware of the damage ransomware can do to your business. Get in touch for an informal chat about how our products can help guard your business’ valuable data.
What Is the Advanced Encryption Standard? AES Explained
What is Data Loss Prevention?
