What is ransomware and how does it work?
- Last Updated : March 27, 2025
The volume of cyber threats delivered by email has been increasing sharply. With an organization's email environment holding some of the most important data about the company, it's a vulnerable area where attacks are only bound to increase. When threat actors invade a company's emails and gain access to sensitive and urgent data, organizations are willing to go to any length to get their data back and avoid interruptions to business operations. This makes ransomware attacks highly lucrative and highly effective.
Therefore, it's essential for organizations to understand what ransomware is, how the attacks propagate, the impact they can have, and how attacks can be detected and prevented. In this article, we'll delve into these aspects to ensure that your company is guarded from ransomware attacks.
What is ransomware?
Ransomware is a type of malware in which cybercriminals encrypt important folders and documents on users' devices and refuse to let users access them until they pay a ransom amount. In ransomware attacks, threat actors identify data that the individual or organization might deem important and lock users out of the device entirely or restrict access to specific files and documents. The threat actor then displays a ransom note and instructs the victim to make the payment through cryptocurrency. This causes a sense of panic in the target individual or organization, and they often feel that they have to make the payment.
Sometimes, even if the ransom payment is made, the threat actors don't provide the key to decrypt the data. They may also make a copy of the data and release it on the dark web for more money. The multiple avenues for profit in these attacks make it an attractive option for hackers.
How does ransomware spread?
The start of a ransomware attack could be anything from a spam or phishing email to a vulnerability in a device or software. Let's take a look at some common propagation techniques.
Email attacks
Malicious emails continue to be one of the most widely used threat vectors for all types of cybercrime. Spam or phishing emails that go undetected by email providers make their way into users' mailboxes. The attachments (in the form of executable files) or links in these emails carry malicious content that gets downloaded onto the user's system and takes control of the system as a whole.
Hackers can also get access to systems through previously conducted email attacks, if the resulting data has been leaked on the internet. This includes credential theft, which can be used to take over accounts and then infect the device that's used to log in to the account.
System vulnerabilities
Another common entry point for hackers is exploiting the existing vulnerabilities in a device, software, or network. Finding unresolved vulnerabilities is an easy way for threat actors to gain access to a system. By using existing loopholes, they don't have to spend time crafting an attack that bypasses the system's defenses.
Sometimes, hackers even sell their findings on the web to equip other cybercriminals with this information. This generates additional revenue for threat actors from just the one vulnerability they've found.
Stages of a ransomware attack
There are several steps threat actors follow to create a successful ransomware attack. Let's look at the four major stages of an attack.
Initial access
The first step in a ransomware attack most commonly occurs through a phishing or spam email. Through the email, the attacker sends a malicious file that can encrypt the documents on the user's machine. If the recipient downloads the attachment, the first step is successful, and the file starts infecting the device.
Attack propagation
The propagation of the attack begins once the malicious attachment is downloaded onto the system. The virus in the attachment starts spreading, infecting the documents on the device and other connected devices on the network. In this stage, the attacker decides whether to infect all the files, or only certain important files, or to lock the user out of the system entirely.
Encryption
In the third step, the attacker encrypts the infected files with a key that they control. They make sure that only the files that don't affect the basic system functioning are encrypted and that any duplicate copies of the encrypted files are removed from the system. During this phase of the attack, the hacker tries to make it as difficult as possible for the user to gain access without decryption.
Ransom demand
After the files are encrypted, the attacker either displays a message stating their demand or completely locks the user out of the system and sends the ransom note separately. They usually demand the ransom payment in the form of cryptocurrency to ensure that it's not traced back to them. If the victim accepts the demand and makes the payment, the attacker releases the private key information, which will give the user access to the infected files.
Frequently, even after payment, the hackers refuse to restore the user's access or release the private key. Instead, they demand more money to unlock the system, prolonging the attack and making it harder for the victims to regain access.
Common targets of ransomware attacks
The hard reality of ransomware attacks in recent times is that almost anyone can find themselves a target. Since hackers often don't know how much a company or individual values data privacy and security, they might attack at random and hope for a lucrative outcome.
However, these attacks are most prevalent among companies that don't have strong security on their systems. If a company has strong defenses set up to detect attacks, many threat actors will avoid targeting them and focus instead on small or medium businesses that might not follow secure practices.
Industries that have a general sense of urgency and need immediate access to relevant or important documents can also be a primary target. Healthcare institutions, law firms, and financial companies are at high risk of facing these attacks.
Impact of ransomware attacks
The period between the start of an attack and its resolution can be difficult and stressful for the target. Ransomware attacks have multiple effects, all of which need to be mitigated and dealt with efficiently.
Ransom payments
The number of organizations that are agreeing to make ransom payments has increased over the years. As of 2024, 84% of organizations agree to pay the ransom. The unfortunate part is that a vast majority of these payments go to waste as the attacker refuses to release the data even after the payment is made. A lot of companies give in to the pressure and make the payment in the hopes of recovering the data, but it's advised not to pay ransom since the likelihood of regaining access is very low.
Data loss or leak
If a victim refuses to comply with the ransom request, the attacker threatens to erase their data. This can cause huge losses for targeted companies if the encrypted files are the only available copy of the data. Most attackers also take a copy of the data for themselves during the ransomware attack in order to sell the sensitive information contained in it. If the data is sold, it can cause serious privacy and regulatory issues for the business.
Business interruption
When sensitive information is withheld as part of a ransomware attack, businesses can no longer function seamlessly. Systems that hold business-critical information might be rendered inaccessible to the organization's employees, making customer service, e-commerce, and other essential operations unusable. In 2024, a health insurance company called Change Healthcare was the victim of a ransomware attack. The attack disrupted healthcare claims processing, billing, and eligibility checks across the USA, causing huge delays in patient discharge and processing.
Financial losses
The financial losses that occur due to ransomware attacks are not just limited to the ransom payments. The loss of business that occurs during the interruption leads to lost revenue, missed sales, and refunds. The legal fees and technical efforts required to reinstate the missing data can add a heavy financial burden as well.
Reputational damage
When customers and the general public realize that a company has been the target of such an attack, they lose trust in the company and start to look for reliable alternatives. This leads to a serious drop in both new business and customer retention. Backlash from the media, public, and other stakeholders in the business can also become cumbersome and damaging.
Legal repercussions
Every business owner knows that a loss or leak of customer data and other sensitive data is no joke. Regulatory bodies look closely at data mishaps and can issue fines, limitations, and other consequences to companies for mishandling data. Companies that have been at the receiving end of ransomware attacks often have to face legal consequences and defend themselves in court. Customers who have been affected by an attack may also start legal proceedings to which the business owner must respond.
How to protect against ransomware
The evolution of ransomware and the havoc it wreaks on organizations might seem daunting. However, there are precautionary and remediation steps that organizations can take to protect themselves and their business.
Have a secure data backup
Identify the sensitive data in your employees' devices and ensure that all of it is securely backed up in a location that's different from the primary location. Ensure that the backup option you choose is reliable, secure, and encrypted. You can consider email archiving solutions for this purpose. This way, even if an attacker encrypts or deletes your data as part of an attack, you can rest assured that a copy of this data is available for your retrieval. While this doesn't completely solve the problem, it will at least reduce the level of damage the hacker can cause.
Check for vulnerabilities periodically
Cybercriminals are constantly looking for unidentified vulnerabilities in devices and networks that they can exploit to spread ransomware attacks. In fact, some threat actors also sell these attack mechanisms as a service for other hackers. This is called ransomware as a service (RaaS). Therefore, your organization's IT team needs to stay updated about any OS or machine-level vulnerabilities and alert the relevant people to fix them. By staying ahead of the attackers, companies can protect their data.
Update software frequently
The devices and software we use often have bugs that hackers can use to their advantage. Most developers identify these entry points or threats and issue bug fixes in the form of software updates. So it's important to update to the latest versions of machines, operating systems, and software. The patches or fixes available in these updates keep your employees' devices secure from known vulnerabilities.
Use a reliable antivirus solution
Even if an employee downloads an attachment or opens a link containing malicious code, it's possible to prevent the spread of the malware to the system if you have an antivirus solution in place. These solutions have mechanisms to detect malware propagation attempts and alert both the user and the company's IT team, allowing them to spot the suspicious file and remove it from the system. By deleting the file, the spread of the attack is contained, and any damage that has been done already is localized. This makes it much easier to clean up the device.
Engage with emails cautiously
Phishing and spam emails are the most common threat vectors faced by organizations. While they cause other damage as well, ransomware has become one of the most lucrative types of attack for cybercriminals. Make sure that you and your employees learn to identify suspicious markers in any email that your organization receives. If the email is from an unknown sender or if the communication pattern seems odd, do not engage with the email.
Avoid clicking on any links or downloading any attachments present in the email. Hover over links to see if the redirection link is in line with the intent of the email. Attachments containing malware are usually sent in the .exe or .zip formats. If you receive such attachments from a suspicious sender or email content, steer clear of them. Inform your IT administrator so that they can take the necessary steps.
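The two manual checks described above, comparing a link's visible text with where it really points and looking at attachment extensions, can be automated at the mail gateway or in a triage tool. The script below is an added example, not code from the article or from Zoho: it parses a raw message with Python's standard email library, flags attachments whose name carries any risky extension (so invoice.pdf.exe is caught, not just the final .exe), and reports links whose visible text names a different host than the href. The sample message, sender, hosts and extension list are constructed for the demonstration.

```python
"""
Added example (not part of the original article): screen a raw email for
executable-type attachments and links whose visible text names a different
host than the real href. The sample message and the RISKY_EXTENSIONS list are
constructed assumptions for this demonstration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of extensions worth flagging; tune to your environment.
RISKY_EXTENSIONS = {".exe", ".zip", ".scr", ".js", ".vbs", ".bat", ".iso"}
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def risky_attachments(msg):
    """Filenames where any extension in the name (not only the last) is risky."""
    flagged = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(ext in RISKY_EXTENSIONS for ext in re.findall(r"\.[a-z0-9]+", name)):
            flagged.append(name)
    return flagged


def mismatched_links(msg):
    """(visible text, href) pairs where the text names a host other than the href's."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    found = []
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        match = HOST_RE.search(text.lower())
        if match and match.group(1) != href_host:
            found.append((text, href))
    return found


def screen_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report both warning signs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"attachments": risky_attachments(msg), "links": mismatched_links(msg)}


def build_sample_message() -> bytes:
    """Constructed lure: a look-alike link plus a double-extension attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example-bank.com"   # constructed sender
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice overdue"
    msg.set_content("Please review the attached invoice.")
    msg.add_alternative(
        '<p>Review it at <a href="https://login.example-bank-verify.net/x">'
        "https://portal.example-bank.com/invoices</a></p>",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(screen_message(build_sample_message()))
```

Both checks are heuristics: a link whose text is just "click here" carries no host to compare, and a .zip can be perfectly legitimate, so a hit should route the message to quarantine or to the IT administrator for review rather than be treated as proof of malice.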
Conduct awareness workshops
The weakest link in cyberattacks is humans. Therefore, it's vital to train your employees to be aware of the different types of attacks, mechanisms, and precautionary measures to be followed. As part of onboarding, conduct workshops and awareness programs to teach the basics of security in your company. Regularly test your employees' knowledge and alertness through phishing awareness campaigns. This can be done by simulating phishing emails, making note of the employees who fall prey to the email, and conducting additional training for them.
Deploy an email security solution
While all of these measures can help to an extent, the most efficient way to keep ransomware and other cyber threats at bay is to deploy a robust email security solution. Email security solutions complement the security measures that are already offered by your email provider and add a layer of security. They spot the emails that seem suspicious and keep businesses safe from cybercriminals, data loss, and financial loss.
eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.