Ransomware: Facts, Threats, and Countermeasures

Amit Khandelwal
Deutsche Telekom Digital Labs
Dec 25, 2020

Ransomware is a malicious software package that cybercriminals use to hold your computer or computer files for ransom, demanding payment from you to get them back. Sadly, ransomware is becoming an increasingly popular way for malware authors to extort money from companies and consumers alike. There is a variety of ways ransomware can get onto a person’s machine, but as always, those techniques boil down either to social engineering tactics or to using software vulnerabilities to silently install on a victim’s machine. Most of the current ransomware variants encrypt all the files on the infected system or network (so-called crypto-ransomware), while a few delete all files or block access to the system (locker ransomware).

Terrifying facts about Ransomware

  • Ransomware costs businesses more than $75 Billion per year.
  • Ransomware attacks have increased by over 97 percent in the past two years.
  • The average ransom demand per incident was $5900 in 2019 and was projected to reach $8100 in 2020.
  • A new organization will fall victim to ransomware every 11 seconds by 2021. (Source: Cyber Security Ventures)
  • 7 out of 10 malicious email attachments delivered Locky.

Statistics of organizations hit:

[Figure: statistics of organizations hit by ransomware last year (2019)]

The delivery vehicle for ransomware:

[Figure: the delivery vehicle for ransomware]

What steps should be taken for Ransomware/malware protection?

  • AV / Security Suite / ATP — An antivirus is only the first and most basic layer of defense. It should be installed and kept updated with the latest definitions on every system in your business environment. Many security suites offer an ‘Advanced Threat Prevention’ module containing a suite of protection rules that detect ransomware by how it behaves on the operating system. An email ATP is also recommended since, as shown above, most attacks arrive through business email phishing.
  • Backup your data — There are many options here, from backing up to cloud providers to local storage devices or even network-attached drives, but each comes with its own level of risk. It is imperative to disconnect the external storage device once a backup has been taken, so that if ransomware does infect the computer it cannot reach the backup. Using a reputable backup solution provider is recommended, as data is the most crucial asset of any business.
  • Executable and GPO restrictions — Disable files running from the AppData/LocalAppData folders. You can create rules within Windows or with intrusion prevention software to disallow a particular, notable behavior used by Crypto-locker: running its executable from the AppData or LocalAppData folders. If (for some reason) you have legitimate software that you know runs from the AppData area rather than the usual Program Files area, you will need to exclude it from this rule. Application whitelisting, either via GPO or third-party software, is also recommended as another layer of protection.
  • PTH Attack — A pass-the-hash attack is a hacking technique that allows an attacker to authenticate to a remote server or service using the underlying NTLM and/or LanMan hash of a user’s password, instead of the plaintext password that is normally required. It is recommended to disable batch execution and to use Microsoft’s LAPS to manage the local account passwords of domain-joined computers. The passwords are stored in Active Directory (AD) and protected by an ACL, so only eligible users can read them or request a reset.
  • Patching of OS and Applications — Patching commonly exploited third-party software such as Java, Flash, and Adobe will undoubtedly prevent many of these attacks from succeeding in the first place. Windows Update closes many Windows exploits and should be pushed to all systems every month on Patch Tuesday.
  • Use the Crypto-locker Prevention Kit — The Crypto-locker Prevention Kit is a tool created by Third Tier that automates creating a Group Policy to disable files running from the AppData and LocalAppData folders, as well as from the Temp directories of various unzipping utilities. The tool is updated as new Crypto-locker techniques are discovered, so check periodically that you have the latest version.
  • Disable Macros — Macros are a common ransomware delivery vector; if they are not needed, disable them centrally (via MDM or Group Policy). Alternatively, consider using Office viewer software to open MS Office files received via email.
  • Security Awareness — Establish security awareness campaigns that stress not clicking on links and attachments in email. I literally ask myself these questions when receiving an email message with a link or an attached file: 1) Do I know the sender? 2) Do I really need to open that file or go to that link? 3) Did I really order something from FedEx?? Phishing is a common entry vector for ransomware, and because most end users never think twice, it is extremely successful. There are multiple phishing training campaigns that companies use to educate their employees; running them regularly is one of the important things a business should take care of.
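The “Executable and GPO restrictions” and “Crypto-locker Prevention Kit” items above both come down to the same control: a path rule that denies execution from the per-user AppData tree and from Temp folders, with exceptions for known-good software. The following is an added example written for this page (it is not the article’s code and not Third Tier’s kit) showing that control as an AppLocker policy built and tested from an elevated PowerShell on Windows Pro/Enterprise. The `ExampleVendor\ExampleTool.exe` exception path is a placeholder for whatever legitimate per-user program you need to allow.

```powershell
# Added example (not from the article or the Crypto-locker Prevention Kit):
# AppLocker executable rules that deny programs launched from AppData,
# LocalAppData (including Local\Temp) and the system Temp folder, with one
# placeholder exception for a legitimate per-user program.
# Rule GUIDs are generated fresh; AppLocker only requires them to be unique.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Baseline allow rules: without them an enforced policy blocks Windows itself. -->
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Deny rules for the drop locations the article describes.
         Deny wins over Allow, so these apply to administrators too. -->
    <FilePathRule Id="$(New-Guid)" Name="Block executables under AppData" Description="Covers Roaming, Local and Local\Temp" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
      <Exceptions>
        <!-- Placeholder: a known-good tool that installs per user. -->
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\ExampleVendor\ExampleTool.exe" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Block executables under the system Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'block-appdata-exe.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against real files before touching the live policy. Test-AppLockerPolicy
# needs existing files, so a copy of notepad.exe stands in for a dropped payload.
$probe = Join-Path $env:LOCALAPPDATA 'Temp\applocker-probe.exe'
Copy-Item "$env:windir\System32\notepad.exe" -Destination $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path $probe, "$env:windir\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe -Force

# Merge the policy in audit mode first. The Application Identity service
# (AppIDSvc) must be running for AppLocker to evaluate rules at all; in a
# domain, set it to start automatically through Group Policy.
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

The dry run is the check worth keeping: the probe copy under `Local\Temp` should be reported as denied by the AppData rule and `notepad.exe` as allowed by the Windows rule; if that is not what you see, fix the rules before merging. Leave `EnforcementMode` on `AuditOnly` for a while and review the AppLocker “EXE and DLL” event log for legitimate software that would have been blocked (add those as exceptions), then switch to `Enabled` and re-run the script.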
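For the “Disable Macros” item, the Group Policy setting the article refers to is backed by a handful of registry values. The block below is an added example for this page, not the article’s code: it writes those values for Office 2016/2019/Microsoft 365 (version key `16.0`) to the current user on a single machine and then reads them back. The application list and the two helper functions are this example’s own; in a domain you would set the same values through the Office ADMX templates under User Configuration so users cannot undo them.

```powershell
# Added example (not from the article): per-user registry equivalent of the
# Office "VBA Macro Notification Settings" and "Block macros from running in
# Office files from the Internet" policies, plus a read-back check.
$officeVersion = '16.0'
$apps = @('Word', 'Excel', 'PowerPoint', 'Access')   # example list, extend as needed

function Set-OfficeMacroLockdown {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings: 1 = enable all, 2 = disable with notification,
        # 3 = disable except digitally signed, 4 = disable without notification.
        # 4 removes the "Enable Content" button that phishing lures rely on.
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        # Block macros in files carrying the Mark-of-the-Web (downloaded or
        # received as an attachment), independent of the setting above.
        Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
    }
}

function Get-OfficeMacroLockdown {
    foreach ($app in $apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = $props.VBAWarnings
            BlockFromInternet = $props.BlockContentExecutionFromInternet
            Compliant         = ($props.VBAWarnings -eq 4 -and
                                 $props.BlockContentExecutionFromInternet -eq 1)
        }
    }
}

Set-OfficeMacroLockdown
Get-OfficeMacroLockdown | Format-Table -AutoSize
```

`Get-OfficeMacroLockdown` is the part to keep around: run it from a compliance check or a login script and alert on any row where `Compliant` is false, because a user or a later installer can otherwise quietly reopen the macro path.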

Securing the End-User

  • Provide social engineering and phishing training to employees — Urge them not to open suspicious emails, not to click on links or open attachments contained in such emails, and to be cautious before visiting unknown websites.
  • Remind users to close their browser when it is not in use, and to keep only essential add-ons installed.
  • Have a reporting plan — that ensures staff know where and how to report suspicious activity.

Responding to a Compromise/Attack

  • Immediately — Disconnect the infected system from the network to prevent the infection from propagating.
  • Determine the affected data — Some sensitive data may require additional reporting and/or mitigation measures.
  • Determine if a decryptor is available — Online resources such as No More Ransom! can be a great help.
  • Restore — Restore files from regularly maintained backups.
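The first two response steps above, isolating the host and scoping the affected data, can be scripted so that the responder does not have to improvise under pressure. The following is an added example for this page, not the article’s own procedure: run from an elevated PowerShell on the suspected host, it disables every active network adapter (recording their names so they can be re-enabled after recovery) and then inventories files modified since a suspected start time, grouped by extension, which is what you need for the “determine the affected data” step. The six-hour default window, the scanned roots and the report path are placeholders to adjust for the incident.

```powershell
# Added example (not from the article): first-response script for a suspected
# ransomware infection on a Windows host. Step 1 isolates the machine; step 2
# builds an inventory of recently changed files to scope the affected data.
param(
    [datetime]$SuspectedStart = (Get-Date).AddHours(-6),                      # placeholder window
    [string[]]$Roots = @("$env:SystemDrive\Users", "$env:SystemDrive\Shares"), # placeholder roots
    [string]$ReportPath = "$env:SystemDrive\ir-triage-$(Get-Date -Format yyyyMMdd-HHmm).csv"
)

# --- 1. Isolate the host -------------------------------------------------------
# Record the adapters that are up before disabling them; the list is what you
# feed to Enable-NetAdapter once the host has been cleaned or rebuilt.
$adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
$adapters | Select-Object Name, InterfaceDescription, MacAddress |
    Export-Csv -Path "$env:SystemDrive\ir-adapters.csv" -NoTypeInformation
$adapters | Disable-NetAdapter -Confirm:$false

# --- 2. Scope the affected data ------------------------------------------------
# Crypto-ransomware rewrites files in bulk, so a burst of modifications in user
# data folders after the suspected start time shows which data was touched.
$changed = Get-ChildItem -Path $Roots -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $SuspectedStart }

$changed | Select-Object FullName, Length, LastWriteTime, Extension |
    Export-Csv -Path $ReportPath -NoTypeInformation

# An unfamiliar extension appearing across thousands of files is the usual
# signature of an encryption run; the top of this table is the affected data set.
$changed | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize

# Ransom notes are typically small text/HTML files dropped once per folder, so
# the same small file name recurring in many folders is worth a look.
$changed |
    Where-Object { $_.Extension -in @('.txt', '.html', '.hta') -and $_.Length -lt 20KB } |
    Group-Object Name | Sort-Object Count -Descending |
    Select-Object -First 5 Count, Name | Format-Table -AutoSize

Write-Host "Inventory written to $ReportPath; adapters recorded in $env:SystemDrive\ir-adapters.csv"
```

Run step 1 before anything else; the inventory can take a while on a large disk and the host must not be talking to file shares while it runs. The extension summary feeds both the “determine the affected data” step (which folders and data classes were hit, and therefore what reporting obligations apply) and the “decryptor available?” step, since the ransomware family is usually identified from the extension and note name.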

Most Prominent Types of Ransomware

[Figure: most prominent types of ransomware]
