Expanded Definition: Ransomware

What is ransomware?

Ransomware is a form of malware. It works by encrypting or otherwise locking down the contents of a device (often a computer), which blocks the owner from accessing it. The hackers then demand some kind of monetary payment in exchange for releasing the files and device access back to the user. 

Ransomware attacks can profoundly disrupt business, with long-reaching effects, including a damaged reputation, liability, and loss of business. Take, for example, a Medicaid subcontractor in Texas who lost their contract after a ransomware breach. These attacks have become so widespread that, in 2019, the U.S. Federal Bureau of Investigations (FBI) issued a public service announcement about the dangers of ransomware.

Ransomware attacks are a serious concern for MSP clients. From small to midsize businesses (SMBs) such as medical offices to international enterprises, client organizations of all sizes and across all industries are targeted by ransomware. 

In fact, according to the 2020 Sophos State of Ransomware report, over half (51%) of companies surveyed reported a ransomware attack within the last year. 

Famous and up-and-coming examples of ransomware

WannaCry 

In 2017, WannaCry began to make headlines. The ransomware attack was especially pernicious. Because WannaCry was structured as a worm, it could automatically replicate and infect other machines. So once it breached an organization’s systems—typically through vulnerabilities in Microsoft—it could infect even more devices unchecked. As a result, WannaCry very quickly spread far and wide. 

It impacted many notable organizations, including the U.K.’s National Health Service (NHS). According to ZDNet, the damage to the NHS totaled close to a costly 100 million pounds and caused thousands of appointments to be cancelled. This case is a good example of how ransomware attacks don’t just create financial loss. Patients also lost access (thankfully temporarily) to the services and professionals who help to keep them healthy.

Petya/NotPetya

Not too long after WannaCry swept the globe, another piece of ransomware hit businesses; Petya. Also called NotPetya, this ransomware variant spread quickly and, scarily, even impacted the system in charge of radiation monitoring at Chernobyl. The source of this ransomware was, once again, vulnerabilities and poor patch management in Windows.

Ryuk

Ryuk is a newer threat. In circulation for several years, the Ryuk ransomware variant has impacted numerous organizations around the world. It was even named the “threat of the quarter” by the Center of Internet Security (CIS) in the fall of 2019. 

Ryuk-specific attacks have impacted the healthcare system so widely and severely that in late 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Department of Health and Human Services (HHS) issued a joint advisory about ransomware and Ryuk in particular. This form of ransomware continues to be a problem for organizations even today.

Sodinokibi / REvil / Sodin

Emerging in 2019, this ransomware known by several names—Sodinokibi, REvil, and Sodin—has just begun circulating in earnest. According to Krebs on Security, this new strain may be developed, backed, and used by a notorious band of hackers. Also according to Krebs on Security, data from targets who fell prey to Sodinokibi/REvil/Sodin has started to pop up for sale online as of 2020.

Ragnar Locker

In spring of 2020, a new piece of ransomware started making headlines: Ragnar Locker. The strain was a serious enough threat that the FBI issued a flash alert, according to Bleeping Computer. In fact, a ransomware report from Palo Alto Networks’ dedicated threat intelligence division found that Ragnar Locker was the second most common form of ransomware over the 12-month span between January 2020 and January 2021.

Egregor

Sometimes, the bad guys do get caught—or at least some of them do. This is the case with the ring behind ransomware variant Egregor, when news broke in early 2021 that members of the hacking group had been arrested in Europe. The group used “double extortion” techniques, according to CSO Magazine, not only encrypting data but also threatening to release that data publicly in order to increase the chance of the ransom being paid.

The MSP role in defending against ransomware

Ransomware is constantly changing. Hackers invent and use new kinds of ransomware all the time. But when operating systems and other software are out of date, organizations can still be vulnerable to old attacks, too. Organizations need to be constantly on their guard against ransomware, and MSPs can support them in several ways.

Keep patches updated

One thing is clear: unpatched vulnerabilities are a major way for ransomware to gain a foothold. MSPs play a vital role in patch management. By ensuring that operating systems and software are always up-to-date, MSPs can reduce the likelihood of an attacker using a known vulnerability to enter a system. 

Remote monitoring and management (RMM) tools can assist in continuous patching. With automation, MSPs can automatically deploy updates to endpoints, ensuring that patching never falls by the wayside. 

Discover and monitor every single asset

Unmanaged and unmonitored endpoints are prime targets for hackers. They’re more likely to be outdated and have vulnerabilities. But MSPs can only manage the assets they have on record. This is why asset discovery with automated network scans is an important service. With ongoing scans, MSPs can quickly find and monitor new devices as they join the network and then understand each device’s health. 

Once assets are in the system, MSPs must also monitor and manage them with an RMM solution. With an endpoint management tool, MSPs can catch issues sooner rather than later, keep devices current with automated updates, and provide IT support when users have questions or concerns. 

Provide the right products

Any piece of ransomware needs to find a security gap to install itself. And once it’s installed, it can get to work. Whether it’s through phishing emails, pop ups, bad links, or other vectors, hackers understand that the weakest link is often a human—and our temptation to click. 

MSPs can help keep people from taking unsafe actions by providing the right cybersecurity tools, such as:

• Email monitoring
• Anti-phishing and spam filters
• Ad- and popup-blocking technology 
• Backup technology
• Virtual private networks (VPNs)
• Security awareness training
• And more 

These tools are a vital resource for limiting the damage of unsafe behaviors, such as opening strange attachments. This is especially true as more and more employees work remotely, sometimes on insecure wi-fi and from personal devices.