A ransomware attack is a sophisticated form of malware attack that looms as a serious and costly threat to virtually every enterprise organization, regardless of size, putting critical data at risk of destruction and breach while rendering IT systems inoperable. Enterprise ransomware attacks have been increasing in volume and sophistication for years, and detecting ransomware on the network is getting very difficult. In 2019, the damages caused by ransomware amounted to at least $11.5 billion, and possibly as much as $170 billion. 27% of all malware incidents are ransomware attacks. While email-based spear-phishing has long been a favorite vector of ransomware attackers, ransomware now also arrives through social media accounts, mobile chat and digital collaboration channels.
In just 15 years, enterprise ransomware attacks have gone from a slapdash type of scam to a major and lucrative weapon for cybercriminals.

2005 to 2012.

The history of ransomware starts in 2005. Ransomware emerged as a subclass of “scareware” – a basic social engineering technique that attempted to frighten users into buying software (usually phony antivirus software). Early enterprise ransomware was unsophisticated, relying on panic more than advanced cryptography, and it was easy to prevent. Often, targets were able to reclaim their data with ease.
As ransomware evolved, bad actors faced a big challenge: collecting ransoms. Since enterprise ransomware attacks amount to fraud, cybercriminals need to collect money from victims in a way that is quick, anonymous, and untraceable. Until 2012, the only way to do this was by using prepaid cash cards, retail shopping cards, and other jury-rigged methods. Though there was plenty of ransomware floating around online, defeating it wasn’t difficult, because there weren’t many ways of collecting ransoms. It also meant that overall damages were low.

2012: Bitcoin.

The arrival of the cryptocurrency Bitcoin changed the history of ransomware. As a decentralized digital currency operated over a blockchain network, Bitcoin offered the ability to easily move large amounts of money with anonymity. Bitcoin was the ransomware tool that cybercriminals had been waiting for. Rather than asking their victims to pay in piecemeal amounts using odd methods, they could demand and receive ransom payments instantly in electronic form. Today, all major variants of enterprise ransomware require payment in Bitcoin, Ethereum, or other cryptocurrencies.

2013/2014: CryptoLocker.

In the wake of Bitcoin’s emergence, enterprise ransomware attacks quickly grew more sophisticated. A type of ransomware called CryptoLocker was created. CryptoLocker spread via a trojan botnet and wielded a powerful new form of encryption technology. CryptoLocker earned its distributors $300 million within a 100-day stretch, before a combined effort led by the FBI and a team of cybersecurity experts managed to shut it down. CryptoLocker was a turning point in the history of ransomware; its criminal success caught the attention of larger criminal syndicates and inspired cybercriminals to refine their ransomware approach even further. They realised big enterprises were not ready to prevent ransomware attacks.

2015 to present: Bigger Targets

"Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service."
-- WannaCry ransom note text
Since 2015, enterprise ransomware attacks have become more and more powerful. In 2017, a ransomware strain called WannaCry began attacking older Windows systems. The healthcare and pharmaceutical industries were particularly targeted; among the organizations attacked was the UK’s National Health Service. Within a day, WannaCry had spread across tens of thousands of systems in more than 150 countries. The largest ransomware epidemic in history, WannaCry has cost businesses millions of dollars in damages. Through 2019, WannaCry remained the most common encryption family used in ransomware attacks.
This pivot to attacking commercial and civic targets represents ransomware’s contemporary phase. As part of this shift, many ransomware attackers have traded quantity for quality, making prevention more difficult. Rather than going after numerous individuals, they are targeting a smaller number of large organizations that handle more sensitive data and possess more funds for ransom payouts.

Today

One in three attacks is enterprise ransomware. 24% of cyber attacks happen through ransomware. On the Dark Web, a lucrative trade has sprung up around ransomware code and exploit kit components – tools that help cybercriminals target victims.
In a survey we conducted of 600 senior enterprise IT and security professionals about how their businesses rate their own security and compliance, these were the risks of greatest concern to them in digital technologies.


Ransomware is such an issue because its 15-year history has seen various nefarious forces coalesce.
  • Email gateways are overwhelmed because of huge, botnet-driven campaigns, polymorphic malware, and URLs escaping attachment detection techniques.
  • The explosion in third party cloud channels, used by every enterprise and individual on earth, has dramatically expanded the threat surface. There are far more attack vectors than there were even a couple of years ago. Phishing attacks (the main source of enterprise ransomware attacks) are now about far more than just email, as we cover in this blog post on how hackers profile victims for social engineering attacks.
  • Defenses for social and digital channels are relatively weak compared to the $3B email security industry. Simply put, cybercriminals have a higher probability of success in these channels, and ransomware attacks there are hard to prevent.
  • The increased accessibility of technologies for encryption and malware development has lowered the bar to entry. Building ransomware is cheaper than ever before. As a result, far more cybercriminals are experimenting with ransomware than ever before.
  • Encryption technologies are better than ever. Modern ransomware lets attackers encrypt an entire hard drive or a set of files, and it can be near impossible to decrypt them without purchasing the key from the attacker.
  • There is no honor amongst malware thieves: with trojan ransomware, victims who do pay are frequently targeted again.
Why is Ransomware Such a Problem in 2020
There are three main vectors by which ransomware gets inside a device or system. The most common are:

Email Phishing

Most attacks in the history of ransomware have spread through phishing emails. These emails trick users into opening a malicious attachment or clicking a malicious URL. Opening the attachment or clicking the link activates the ransomware, which then proceeds to infect the recipient’s computer or device and potentially spreads throughout the entire IT infrastructure. Having a strong email security system is the best way to protect against ransomware.
While email is a common delivery mechanism for most cyberattacks, many people still fall for it because they don’t understand how ransomware works. Malicious emails are highly effective, especially when they appear to be from legitimate contacts and parties the recipient trusts. Part of the scammer’s sophisticated approach is to craft convincing emails that contain authentic-looking email addresses, logos, and other elements such as specific fonts and the tone of the message.

Social Media Phishing

Ransomware attacks occurring through social media – rather than email – make up an increasing proportion of overall attacks. In 2019, Facebook experienced a massive 176% year-on-year growth in phishing URLs, many of which contained ransomware. We dive deeper into the benefits and risks for social media enterprise use in this whitepaper.

Social media ransomware attacks mimic their email counterpart: bad actors send malicious links via direct message. Usually, these links spoof a real login page and steal credentials. Phishing links sent via direct message tend to be opened even more often than those sent over email, as people are generally wiser to email threats but tend to open direct messages without thinking. The only way of defeating these attacks is being aware of them and identifying malicious links before they cause irreparable damage.

Exploit Kits

Exploit kits are automated programs used by attackers to exploit known vulnerabilities within systems or applications. A user visits a certain website and/or uses a certain piece of software, and the exploit kit silently downloads ransomware onto the user’s device and executes it. Certain pieces of software, such as Adobe Flash and Oracle Java, are known to contain vulnerabilities. The computing community attempts to track these in a reference list of Common Vulnerabilities and Exposures (CVE), but bad actors can often be a step ahead.
WannaCry infected people via an exploit pack. The most devastating piece of trojan ransomware in history used an exploit for Microsoft software that had been stolen from the National Security Agency (NSA).
All types of ransomware restrict access to files or data that are valuable to the user and then demand payment in order to recover that access. So how many types of ransomware are there?
Crypto-malware. The most popular form of ransomware, and extremely damaging, crypto-malware gets inside a system and encrypts all the files and data contained within. Access is impossible without the malefactor’s decryption key.
Scareware. Once executed, scareware automatically locks a user’s computer and displays a message claiming that it has detected a virus or an error. The scareware instructs the victim to pay a specific amount to “fix” the issue. Some forms of scareware don’t technically encrypt files, but flood the screen with pop-up messages that make using the system impossible.
Lockers. Rather than encrypting select files, lockers lock victims out of their systems completely, preventing them from accessing anything. Locker-based ransomware attacks include a screen display that tells the victim the ransom demand, and often includes a countdown timer, intended to induce panic and force victims to pay without attempting to find another solution.
Doxware/Leakware. This type of ransomware steals and encrypts a certain sort of data. It then threatens to release victims’ personal (in the case of an individual) or sensitive (in the case of a business) data to specific parties or the general public. Victims of doxware/leakware are driven to pay the ransom for fear of highly private data being exposed.
RaaS (Ransomware as a Service). For parties that want to initiate a ransomware attack but don’t have the time, the tools, and/or the expertise, the cybercriminal market has a solution. People can reach out to a professional hacker to do the job for them. This hacker will carry out the attack and receive a portion of the ransom in exchange for their services.
Extortion. According to Recorded Future, different types of ransomware are now carrying out extortion, threatening to release exfiltrated files unless a victim pays a ransom. This is partly due to the fact that extortion cases garner media attention, something many cybercriminals crave. This publicity aids the sales of their Ransomware-as-a-Service (RaaS) offerings.
Big Game Hunting. This is a targeted, complex, low-volume, high-return form of ransomware attack. The attacker gains entry, moves laterally to observe the network, then gains the access needed to exfiltrate files and deploy the ransomware. Big game hunters are patient. It typically takes days for an attacker to understand the network, gain the proper access, and deploy.
The spear-phishing techniques deployed on email and social channels are very similar in nature and involve an element of social engineering to enable the initial compromise to succeed. In the case of social media compromise, the attacker can often perform their target reconnaissance on the channel itself (e.g. LinkedIn) and then simply make a connection request to the target to begin establishing the trust relationship. In fact, the more connections the attacker makes within the organization, the greater the sense of trust that is established.
At this point, the attacker is in an excellent position to launch the attack by sending a malware-laced attachment or link to the targeted victim under the pretext of a legitimate purpose. For example, cybercriminals might adopt the guise of a recruiter and, after penetrating the organization with a multiplicity of connection requests, send a malware-laced file link under the cover of a job description. Once the victim clicks through on the document, the host device can be compromised with a first-stage malware payload.
In an enterprise attack, this would only be the first stage and would be unlikely to contain ransomware per se. The longer-term objective would be lateral movement for long-term persistence, establishing command and control for data exfiltration, and finally ransomware deployment.
[Graphic: The Anatomy of a Social Ransomware Attack]
Given the nature of these “Big Game Hunting” scenarios, where ransomware is often delivered as part of a multi-stage attack process and may arrive on any one of several attack surfaces, it is important to coordinate defensive countermeasures across all of these vectors. For example, detecting a malware attack on a social channel could also be an indication of a broader attack front across multiple attack surfaces, such as email and remote access management tools.
On the whole, ransomware attacks are frighteningly successful. The only protection against them is prevention. The malware and the techniques are constantly evolving, and once encryption takes place, it can be very hard to reverse. The reality is that, hit with a sophisticated ransomware attack, most enterprises pay.
For this reason, the absolute best course of action against ransomware is proactive prevention combined with constant data backup; ransomware recovery software can also help. Some best practices include:

Back Up and Test Restoring.

The most important part of a ransomware prevention strategy is the use of regular data backups. Enterprises should perform these as often as possible, and they should be combined with backup and restore drills. Both processes are important; restore drills are the only way to know if a backup plan is a good one. If a team can restore from a very recent backup, they put themselves in a position where they might not need to pay to get data back.

Gain Powers of Detection.

The malicious links and attachments that are the main source of ransomware attacks can arrive through multiple routes: not only email, but social media messages, collaboration tools, and any other cloud channel. Proper digital risk protection tools can proactively monitor all digital communications and immediately detect and quarantine potentially problematic links, attachments and URLs. Traditional antivirus software isn’t enough here; enterprises need next-gen solutions leveraging machine learning to detect both known and unknown forms of ransomware.

Educate Employees On Cybersecurity Best Practices.

A recent study by Kaspersky revealed that almost half of employees don't know how to respond to ransomware attacks. All employees should gain a basic understanding of what ransomware is, how it usually arrives, and what the warning signs are. They should know who to report suspicions to, and what to do in the event that their actions trigger the execution of ransomware. 

Constantly Update And Patch Operating Systems And Software.

Attackers work relentlessly to discover vulnerabilities that can be exploited, and IT professionals need to be equally rigorous in return. Patches for CVEs are released constantly. By constantly updating systems and patching software, enterprises significantly reduce their exposure to vulnerabilities.

Monitor Endpoints for IOAs (Indicators of Attack).

A dedicated class of cybersecurity solutions offers endpoint detection and response (EDR). These solutions closely monitor activity across all endpoints and capture raw events deemed suspicious. They can deliver unhindered environment visibility for proactive threat recognition and response at the endpoint level.
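To show what the detection and EDR practices above mean in terms of raw endpoint events, here is an added example (not the SafeGuard Cyber platform's code): a toy indicator-of-attack detector that reads constructed file-event lines and flags a process that rewrites many user documents under an unrecognised extension within a short window, which is how crypto-malware looks from the endpoint. The event format, the thresholds and the process names are assumptions made for the demo.

```python
"""Toy endpoint IOA detector: flags a process that rewrites many files in a short
window. Added example, not SafeGuard Cyber's code; format and thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

# Thresholds are assumptions for the demo, not vendor-recommended values.
WINDOW_SECONDS = 60   # burst window in which the rewrites must occur
MIN_FILES = 5         # distinct unrecognised-extension files rewritten before alerting
KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".pptx"}

# Constructed sample events in a made-up 'timestamp|pid|process|op|path' format.
# pid 4120 is a user editing a document; pid 5077 behaves like crypto-malware.
SAMPLE_EVENTS = """\
2020-03-01T09:00:01|4120|WINWORD.EXE|write|C:\\Users\\alice\\Documents\\q1-report.docx
2020-03-01T09:00:40|4120|WINWORD.EXE|write|C:\\Users\\alice\\Documents\\q1-report.docx
2020-03-01T09:01:00|5077|updater.exe|write|C:\\Users\\alice\\Documents\\q1-report.docx.locked
2020-03-01T09:01:02|5077|updater.exe|write|C:\\Users\\alice\\Documents\\budget.xlsx.locked
2020-03-01T09:01:03|5077|updater.exe|write|C:\\Users\\alice\\Pictures\\team.jpg.locked
2020-03-01T09:01:05|5077|updater.exe|write|C:\\Users\\alice\\Desktop\\notes.txt.locked
2020-03-01T09:01:07|5077|updater.exe|write|C:\\Users\\alice\\Desktop\\contract.pdf.locked
2020-03-01T09:01:09|5077|updater.exe|write|C:\\Users\\alice\\Desktop\\HOW_TO_RECOVER.txt
"""

@dataclass
class Event:
    ts: datetime
    pid: int
    process: str
    op: str
    path: str

def parse_events(text: str) -> list[Event]:
    """Parse the pipe-separated demo format into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, proc, op, path = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), int(pid), proc, op, path))
    return events

def detect_mass_rewrite(events: list[Event]) -> list[dict]:
    """Return one alert per process whose write burst looks like bulk encryption."""
    by_pid: dict[int, list[Event]] = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        writes = sorted((e for e in evs if e.op in ("write", "rename")), key=lambda e: e.ts)
        # Keep only outputs whose extension is not one a normal user app would produce.
        odd = [e for e in writes if PureWindowsPath(e.path).suffix.lower() not in KNOWN_EXTS]
        # Sliding window: most distinct odd-extension paths seen within WINDOW_SECONDS.
        best, start = 0, 0
        for end in range(len(odd)):
            while (odd[end].ts - odd[start].ts).total_seconds() > WINDOW_SECONDS:
                start += 1
            best = max(best, len({e.path for e in odd[start:end + 1]}))
        if best >= MIN_FILES:
            alerts.append({"pid": pid, "process": writes[0].process, "files_in_window": best})
    return alerts
```

Run against the sample, it alerts on pid 5077 only: WINWORD.EXE's repeated saves of one .docx never count, and the ransom-note-style .txt is ignored because the burst of .locked outputs is what carries the signal.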

Incorporate Digital Risk Protection Into the Core of Cybersecurity Efforts.

To keep up with the growing and ever-changing threat of ransomware attacks, enterprises need to invest in ransomware prevention tools that provide full threat intelligence. This way, IT teams can automatically identify, assess, and proactively respond to threats, and stop any ransomware spread before it begins.
Ransomware prevention is better than cure. However, should an organization be unfortunate enough to fall prey to ransomware, the following steps should be followed:


1. Remove The Device From The Network.

Ransomware on one device is bad, but ransomware proliferating through a network of devices is catastrophic. Employees should be trained to immediately disconnect their device from the network if they see a ransomware demand displayed on their screen. They should also do the same if they observe anything peculiar, such as an inability to access their own files. Employees must not attempt to restart the device; it should be sent immediately to the IT department.

2. Notify Law Enforcement.

A ransomware attack is a crime. Theft and extortion rolled into one make it a law enforcement concern. Organizations should default to immediately contacting the police cybercrime department should they fall victim to a ransomware attack.

3. Use Digital Risk Protection to Establish The Scope of Attack.

In the wake of a ransomware attack, security teams need to gather as much intelligence as they can, as fast as they can. This will help both internal IT teams and law enforcement agencies formulate a response. Enterprises should strive to figure out the nature of the attack: who is behind it, what tools they used, who they targeted and why. Answering such questions can help your IT managers and network administrators figure out the extent of the attack and protect networks from future attacks.

4. Consult with Stakeholders to Develop the Proper Response.

Enterprises suffering a bad ransomware attack need to answer a host of questions: Can they afford to lose access to the targeted files, either because they have been backed up, or because they are not of the highest priority? Can the organization afford the ransom? Is there any room for negotiation? All stakeholders, from shareholders to legal counsel, should be consulted.

5. Get the Post-Mortem Right.

The best way to resist a ransomware threat is to have learnt from the last one. After an attack, enterprises should task their IT technicians, network administrators, and cybersecurity teams with a thorough review of the breach. A meticulous assessment of an organization's infrastructure, practices, and processes is required to discover flaws in security, and reinforce an enterprise against existing and future threats.
With proper digital risk protection and ransomware prevention strategies, organizations can detect and nullify ransomware threats before they become an issue. The Safeguard Cyber Platform can keep pace with the scale and velocity of modern digital communications, and detect phishing links and other indicators of ransomware attacks across the full suite of cloud platforms. Threats are instantly flagged and quarantined before an unsuspecting human target clicks on anything dangerous.