Breaking Down Ransomware Attacks

Authors: Jeremy Brown, Ashlie Blanca | November 12, 2020

In 2019, Crypsis worked with clients on hundreds of ransomware cases; victims ranged across nearly every industry and every size of business, demonstrating the pervasiveness of this significant threat to organizations today. Ransomware attacks can be extremely stressful and crippling for many businesses. Aside from ransom fees, there are other costs to consider, such as operational downtime, brand damage, data discovery fees, litigation, and data privacy concerns.

There are steps you can take to mitigate the risk of a ransomware attack occurring or posing a significant threat to you or your business. In this blog, we will explain what ransomware is and how an attack works. We also will provide tips on how organizations can prevent this type of cyberattack in the future.

The Definition of Ransomware

Ransomware is a type of malware used by cybercriminals for financial gain. It takes over the victim’s files or systems, and the attacker demands a ransom be paid in exchange for a decryption key, which presumably will return the files to their original state. Since the end of 2019, the definition of ransomware has extended to also include data extortion, as threat actors have begun to exfiltrate data during a ransomware attack to blackmail victims into paying the ransom.

Ransomware Facts and Figures

To give you an idea of the impact ransomware has recently been having, here are a few statistics surrounding this type of cyberattack:

  • According to our recent report, Crypsis found that ransom demands averaged nearly $116,000 in 2019.
  • Downtime associated with a ransomware attack averaged 16 days in Q2 of 2020. [1]
  • More than 500 schools were impacted by ransomware in 2019. [2] In the same year, Crypsis observed nearly 50 state and local governments attacked.
  • 46% of small to mid-sized businesses (SMBs) experienced ransomware attacks in 2019. [3]
  • The largest ransom demand observed by Crypsis reached $15M.

As you can see, the chances of being hit with an attack and the potential costs involved are too high to ignore.

To hear more about the financial impact of ransomware, check out this video.

Learn more about ransomware in Crypsis’s 2020 Incident Response and Data Breach Report.

How a Ransomware Attack Works

The most common type of ransomware circulating today is encryption-based ransomware. In these cases, the malware scrambles the contents of files, typically using very strong – sometimes virtually uncrackable – encryption protocols. As such, the owner cannot access the readable contents of the files. The perpetrator behind the attack demands a ransom in exchange for the return of the unencrypted files. Since the end of 2019, we have also observed an increasing trend where attackers behind ransomware variants such as Maze and LockBit exfiltrate data from the victim during the attack and post stolen data publicly to shame victims into paying their ransom. The addition of extortion and blackmail places an even greater burden on the victim, as the exposed data could contain sensitive information and escalate costs and brand exposure. 

Ransom requests are often presented in the form of a pop-up screen, which includes the ransom amount demanded, a desired payment method, and a deadline. These days, criminals tend to favor cryptocurrency as a form of payment and will often request specific types (usually Bitcoin, but sometimes Dash or Monero).

A screenshot of a ransom note on a system infected with the WannaCry ransomware.

The idea is that once the ransom is paid, the file or system will be returned to normal. Usually, the attacker will send a decryption key that the victim can use to reverse the encryption applied to the files. In the cases where data exfiltration takes place, the attacker may also agree to not post any additional stolen data. 

However, even if you pay the ransom, there’s no guarantee that the cybercriminal will follow through on their end of the bargain. Even if your files are restored to their original state, the perpetrator may keep a copy of the encrypted and/or stolen data to sell on the dark web or use against you in future attacks. We have also observed attackers sending non-functioning or only partially functioning decryption keys. In some cases, we have even seen them contain additional malicious files or backdoors to give threat actors access to the environment in the future, which is why we are always careful to reverse engineer the key to ensure it is safe for our clients.

How Ransomware Infects Networks

A ransomware attack consists of two main steps. Initially, the malware has to find its way onto a device. Then comes the encryption stage: the ransomware must find and encrypt files and communicate the ransom terms to the victim. Some types of ransomware don’t stop there and can spread from device to device, affecting all computers in a network.

So how does the ransomware find its way into a network in the first place? 

Ransomware can be delivered in a variety of ways, many of which are also used to distribute other types of malware. However, in 2019, three methods dominated the cases we observed:

  • Email links or attachments: The user is sent a phishing email with a malicious link or attachment, which leads to the downloading of the ransomware. File extensions to watch out for are .exe and .zip as these are commonly used to distribute ransomware.
  • Remote Desktop Protocol (“RDP”) attacks: This method of delivery is a growing trend and often a preferred method of distributing ransomware, given its ease of use and level of access. Cybercriminals will exploit publicly available or weak credentials and brute-force logins over RDP to gain access to a victim’s environment before remotely deploying and executing the ransomware. The well-known ransomware family CrySIS/Dharma is known to push ransomware via RDP attacks.
  • Virtual Private Network (VPN) attacks: This method of delivery is also becoming a prominent way threat actors are distributing ransomware. Cybercriminals will identify and exploit unsecured and unpatched remote access VPN servers to gain access to a network and distribute malware once a foothold is established. In early 2020, the threat actors responsible for the ransomware variant Sodinokibi leveraged this trend, which still remains at the forefront of many cases we’ve observed to date.

Once on the device, the ransomware will typically look for specific types of files to encrypt. It might also encrypt shadow files, backups, and filenames, making recovery more difficult.

Want to learn more? Here's a quick video on techniques we've observed in ransomware attacks.

How to Protect Against Ransomware Attacks

A ransomware attack can cause you to feel powerless. However, there are some things you can do to avoid falling victim to an attack or lessen the impact of an incident should it occur:

    1. Keep your software up to date with the latest version, as updates often patch security vulnerabilities. This includes patching VPN servers and upgrading from Server Message Block Version 1 to limit adversaries' ability to use the built-in file-sharing protocol to move laterally between systems.
    2. Maintain regular backups of your files and systems and ensure the backups are stored off network. By doing this, threat actors cannot gain access and disable or delete backups to prevent recovery. 
    3. Conduct comprehensive, rigorous end user training on standard and advanced phishing and social engineering techniques. It is important to tailor the curricula to fit your organization and employee roles.  
    4. Leverage log aggregation systems, such as a Security Information and Event Management (SIEM) system, to increase log retention, integrity, and availability.
    5. Understand where sensitive data lives and implement strong access controls to protect that data; monitor and audit access regularly.
    6. Invest in trusted antivirus software to help with ransomware detection, and employ the use of firewalls to block malicious traffic.
    7. Implement strict policies surrounding the use of employee-owned devices for work-related activities and limit user privileges whenever possible.
    8. Integrate multi-factor authentication (MFA) for all remote access, internet accessible, and business email accounts.
    9. Disable any direct external RDP access and ensure all external remote administration is conducted through an enterprise-grade MFA VPN. 
    10. Adopt account administration best practices across the organization, including requiring unique and complex passwords that are at least 15 characters in length so they cannot be easily brute-forced.
    11. Limit the use of privileged accounts, and do not reuse local administrator account passwords; this helps prevent initial access by attackers, privilege escalation, and lateral movement across the network.
    12. Create and maintain an asset inventory.
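
As an added example (not code from Crypsis or the original post), the sketch below shows the kind of rule a log aggregation system (item 4) can run to surface the RDP brute-force delivery method described earlier: a burst of failed remote logons from one source, followed by a success. The CSV layout, the `find_rdp_bruteforce` name, the thresholds and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real logs): a simplified CSV export of Windows
# Security events as timestamp,event_id,logon_type,source_ip,account.
# 4625 = failed logon, 4624 = successful logon; logon type 10 is
# RemoteInteractive (RDP), type 3 is Network (common for NLA failures).
SAMPLE_EVENTS = """\
2020-03-02T01:10:00,4625,3,203.0.113.50,administrator
2020-03-02T01:10:20,4625,3,203.0.113.50,admin
2020-03-02T01:10:41,4625,3,203.0.113.50,backupsvc
2020-03-02T01:11:02,4625,3,203.0.113.50,backupsvc
2020-03-02T01:11:30,4625,3,203.0.113.50,backupsvc
2020-03-02T01:12:30,4624,10,203.0.113.50,backupsvc
2020-03-02T08:59:10,4625,10,198.51.100.7,jsmith
2020-03-02T08:59:40,4625,10,198.51.100.7,jsmith
2020-03-02T09:00:05,4624,10,198.51.100.7,jsmith
"""
REMOTE_LOGON_TYPES = {"3", "10"}

def find_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed remote logons inside a
    sliding window, and record the first successful logon that follows.
    Assumes lines are in chronological order."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = {}                  # source IP -> alert record
    for line in lines:
        if not line.strip():
            continue
        ts_raw, event_id, logon_type, ip, account = line.strip().split(",")
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(ts_raw)
        if event_id == "4625":
            failures = recent[ip]
            failures.append(ts)
            while ts - failures[0] > window:  # drop failures outside window
                failures.popleft()
            if len(failures) >= threshold and ip not in alerts:
                alerts[ip] = {"source_ip": ip, "alerted_at": ts,
                              "success_after_alert": None}
        elif event_id == "4624" and ip in alerts:
            # A success after a failure burst is the high-priority case.
            if alerts[ip]["success_after_alert"] is None:
                alerts[ip]["success_after_alert"] = account
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the constructed sample, the default threshold flags only the source that cycles through several account names, while the user who mistypes a password twice before signing in stays below it.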

For more tips, check out this video on lessons learned.

Conclusion 

Ransomware continues to be a pervasive and dangerous threat to organizations. With the total cost of a ransomware attack continuing to rise, organizations should embrace best practices to protect themselves and arm themselves with a strong understanding of the ransomware threat landscape. 

Learn more about ransomware and see the steps your business should initiate immediately if you find yourself under attack.

 

1. https://www.coveware.com/blog/q2-2020-ransomware-marketplace-report
2. https://heimdalsecurity.com/blog/ransomware-payouts/
3. https://www.helpnetsecurity.com/2020/04/21/paying-ransom/
