Since the COVID-19 pandemic, many modern businesses have shifted to remote working. This has given rise to a surge in the number of ransomware attacks. One of the best-known ransomware attacks is WannaCry, from 2017.

WannaCry targeted computers using Microsoft Windows as an operating system. It encrypted essential data and extorted payments in the cryptocurrency Bitcoin for its return. The ransomware hit around 230,000 computers globally.

One of the first and biggest companies affected was the Spanish mobile firm Telefónica. By May 12th, thousands of NHS hospitals and surgeries across the UK were affected as well. Ambulances were reported to be rerouting and emergency services had to be put on hold.

As a whole, computer systems in 150 countries were crippled, causing a financial impact worldwide that was estimated to be $4 billion.

The only way to keep your organization from suffering a devastating ransomware attack is to understand it well. This article covers what you need to know about ransomware attacks: what they are, how they work and how to protect yourself from them.

What is a Ransomware Attack and How Does It Work

What is a Ransomware Attack?

Ransomware is a type of malicious software designed to encrypt a victim’s files, systems and data. Attackers often threaten to publicly release confidential data, or to block the victim’s access to it or to a computer system, and then demand a ransom in exchange for restoring access to the locked data.

Victims of ransomware attacks are usually notified by a message displayed on a lock screen. Because of the growth of cryptocurrency and the difficulty of tracing it, attackers often demand that the ransom be paid in Bitcoin or another cryptocurrency. Once the requested amount is paid, victims are told to expect a decryption key. However, as with any ransom, successful decryption is not guaranteed: sometimes the victim never regains access to the system, or sees the data exposed to the public anyway.

A ransomware attack is one of the most dangerous and prominent types of malware attack. It can cause significant damage not only to commercial businesses but also to public-sector organizations such as medical facilities and government agencies. In fact, many high-profile ransomware attacks worldwide have targeted the healthcare and financial services sectors. Both industries handle extremely private information on a daily basis, and even minutes of downtime can have serious consequences. As a result, organizations in these industries are more often willing to pay more to regain access to essential systems and restore daily operations. According to research in 2021, the average cost of rectifying a ransomware attack in the financial services sector, counting downtime, people time, device cost, network cost, lost opportunity, ransom paid and more, was US$2.10 million. More than two-thirds of healthcare organizations in the US reported that they had experienced a ransomware attack in 2021, putting patients’ lives at risk.

How does a ransomware attack work?

All ransomware begins its attack by gaining access to the target system, typically by being disguised as a legitimate file that tricks the user into downloading or opening it. Once inside, the ransomware quietly encrypts and damages files in the background while altering credentials at the same time; the user still has no clue. Only once the entire system infrastructure is infected and held hostage by the attacker is the victim notified.

Despite its many variants, a ransomware attack is not a single event but a series of carefully planned activities. The attacks all proceed through 7 distinct phases.

Phase 1: Initiation of the attack campaign

The first stage is when the attacker settles on a particular victim and launches the campaign. By setting up the ransomware and luring victims into downloading or opening the infected file, attackers infiltrate every system they target. Some common ways of starting a ransomware attack include:

Sending out phishing messages

Phishing is undoubtedly one of the easiest forms of cyberattack to fall for. Phishers abuse the fact that many people don’t have the time to analyze every message they receive each day. Usually carried out over email, a phishing message tricks the recipient into:

  • revealing passwords or banking information
  • altering finance details so that money goes to the fraudsters instead
  • clicking a link to install ransomware
  • visiting a malicious site
  • downloading a document that contains the ransomware 

There are more complex phishing schemes that involve social engineering measures for the long run. Hackers sometimes establish fake social media profiles or email threads to win the trust of the victim. 
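Several of the indicators above (a link whose visible text names one site while it points at another, an attachment that carries the ransomware, pressure to act quickly, replies routed to a domain the sender does not control) can be checked mechanically before a message ever reaches a user. The following Python script is an added example, not code from this article or from Sangfor: the scoring weights, the urgency-phrase list, the risky-attachment list and the sample message (built on the reserved example.com and example.net domains) are all constructed assumptions a defender would tune for their own mail flow.

```python
"""Added example: score a raw email for the phishing indicators described above.

Not part of the original article. The risky-attachment list, urgency phrases and
scoring weights are assumptions; the sample message is constructed with reserved
example domains.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Attachment types that commonly carry a first-stage loader (assumed policy list).
RISKY_ATTACHMENT_EXT = (".exe", ".js", ".vbs", ".scr", ".lnk", ".iso", ".docm", ".xlsm", ".hta")
# Phrases that pressure the reader into acting without thinking (assumed list).
URGENCY_PHRASES = ("urgent", "immediately", "account suspended", "verify your password", "wire transfer")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
HOSTNAME_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Crude last-two-labels domain: 'mail.example.com' -> 'example.com'."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def header_domain(msg: Message, header: str) -> str | None:
    """Domain of the address in a header such as From or Reply-To, or None if absent."""
    m = re.search(r"@([\w.-]+)", msg.get(header, ""))
    return registered_domain(m.group(1)) if m else None


def score_message(msg: Message) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score means more phishing indicators fired."""
    score, reasons = 0, []
    from_dom, reply_dom = header_domain(msg, "From"), header_domain(msg, "Reply-To")
    # Finance-fraud phishing often routes replies to a domain the sender does not control.
    if from_dom and reply_dom and from_dom != reply_dom:
        score += 2
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_ATTACHMENT_EXT):
            score += 3
            reasons.append(f"risky attachment type: {fname}")
        if part.get_content_type() not in ("text/html", "text/plain"):
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        # Link whose visible text names one domain while the href points at another.
        for href, text in ANCHOR_RE.findall(body):
            shown = HOSTNAME_RE.search(text)
            target = registered_domain(urlparse(href).netloc)
            if shown and registered_domain(shown.group(0)) != target:
                score += 3
                reasons.append(f"link shows {shown.group(0)} but points to {target}")
        hits = [p for p in URGENCY_PHRASES if p in body.lower()]
        if hits:
            score += len(hits)
            reasons.append("urgency language: " + ", ".join(hits))
    return score, reasons


def score_raw(raw: str) -> tuple[int, list[str]]:
    """Parse a raw RFC 822 message and score it."""
    return score_message(message_from_string(raw))


# Constructed sample: a fake finance message with every indicator present.
SAMPLE_EMAIL = """\
From: "Finance Team" <finance@example.com>
Reply-To: billing@example.net
Subject: Urgent: invoice requires action
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html

<p>Your account suspended unless you verify immediately.</p>
<a href="http://login.example.net/x">https://portal.example.com/invoice</a>
--XYZ
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

ZmFrZQ==
--XYZ--
"""

if __name__ == "__main__":
    total, why = score_raw(SAMPLE_EMAIL)
    print(f"score={total}")
    for line in why:
        print(" -", line)
```

A score like this is a triage signal, not a verdict: a secure email gateway would combine it with sender reputation, SPF/DKIM results and attachment detonation, and quarantine or tag messages above a threshold for a human to review rather than silently dropping them.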

Exploiting weaknesses in Remote Desktop Protocol (RDP) connections

RDP weaknesses are a major reason ransomware can infiltrate systems at scale. Developed by Microsoft, RDP is a secured network communication protocol that makes remote working possible: it lets network users work from anywhere as if they were on site. The basic idea is to transmit the display output of the remote server to the client, and keyboard and mouse input from the client back to the remote server, so that users can connect to and control devices without geographical limits. In recent years, RDP has therefore been crucial in accelerating advancements in cloud computing.

However, the continuous growth in RDP usage has exposed more devices to ransomware attacks. The number of ransomware attacks escalated at an unprecedented rate alongside the COVID-19 infection rate, as the shift from secure office locations to less protected remote work environments became inevitable across multiple industries. A majority of ransomware attacks gain access to the user’s system through a “backdoor” approach that exploits a vulnerability in RDP or in how it was deployed. In 2020 alone, IT experts discovered 25 weaknesses in RDP clients.

One of the most prevalent ransomware attack methods leveraging RDP loopholes is “reverse RDP”. Ransomware can infect the server when an off-site employee connects to an onsite server via RDP. Once the off-site computer connects to the infected onsite server, the attacker gains access to the entire server network. All of this happens over the RDP connection itself.

Targeting software loopholes or vulnerabilities

Whenever you install software from an unknown source, your system will by default ask you to confirm that you trust the source. This is in fact one of the protective measures against attackers taking advantage of software flaws.

The hackers behind a ransomware attack often plant malware in cracked (pirated) copies of older software. All they have to do is lure users into downloading and installing the compromised software.

Setting up malicious websites

Malicious actors can also get into systems through fake websites. When the victim visits a compromised website containing hidden ransomware code, an exploit kit is executed. Such sites often appear as an online display ad that redirects you, unnoticed, to another landing page.

Phase 2: Instantiation

This is the point at which the ransomware has already occupied your system. Once inside, it sets up a communication line back to its operator. The attacker may then choose to dig deeper or move laterally across systems looking for valuable files, and can intensify the attack by downloading additional malware over that same channel.

Instead of initiating the ransomware attack immediately, many attackers tend to lay low and wait for the optimal time. Note that many ransomware variants now even attack backup systems and wipe out the victim’s chance to restore access to data. 

Phase 3: Attack

This is when the perpetrator activates the ransomware. Once triggered, it becomes a race against time between the victim and the attacker, with systems and data in jeopardy.

How to Detect a Ransomware Attack

  • Alert from the anti-virus scanner. If your device has a virus scanner, it will often detect a ransomware infection automatically, unless the scanner has been bypassed.
  • Investigate file extensions. Pay attention to the file extensions on your systems. For example, the normal extension of a Microsoft Word document is ".doc". If this extension is changed to an unfamiliar combination of letters, there may be a ransomware infection in your system.
  • Spot name changes. Apart from extensions, look at the file names themselves. If files have different names than the ones you gave them, that is also an indicator of infection.
  • Increased processor and disk activity. If ransomware is working in the background, disk or CPU activity will rise. Investigate if your processor suddenly seems to be running hot.
  • File encryption. Files that are suddenly locked are the smoking gun of a ransomware attack.
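The extension, file-name and encryption indicators in the list above can be checked with a simple script rather than by eye. The following Python scanner is an added example, not code from this article or from Sangfor; its allow-list of expected extensions, the entropy threshold, the ransom-note name hints and the sample files it creates in a temporary directory are all assumptions. It also generalizes the list slightly by treating a known extension buried under an appended one (report.docx.locked) as a rename, since that is how many families mark encrypted files.

```python
"""Added example: scan a directory tree for the file-level ransomware indicators listed above.

Not part of the original article; the extension allow-list, entropy threshold and
ransom-note name hints are assumptions a defender would tune for their own environment.
"""
from __future__ import annotations

import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the organization expects to see; anything else is "unfamiliar" (assumed list).
KNOWN_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".csv", ".png", ".jpg"}
# Formats that are compressed by design and therefore look random even when healthy.
COMPRESSED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".png", ".jpg"}
# Shannon entropy (max 8.0 bits/byte) above which content looks random, i.e. encrypted.
ENTROPY_THRESHOLD = 7.5
# Substrings typical of ransom-note file names (assumed; real families vary).
NOTE_NAME_HINTS = ("readme", "decrypt", "how_to", "restore")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for an empty or single-valued buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_file(path: Path) -> list[str]:
    """Return the indicators that fire for one file (empty list if it looks normal)."""
    indicators: list[str] = []
    ext = path.suffix.lower()
    suffixes = [s.lower() for s in path.suffixes]  # report.docx.locked -> ['.docx', '.locked']
    if ext not in KNOWN_EXTENSIONS:
        indicators.append("unfamiliar_extension")
    # A known extension sitting under an appended one suggests the original file was renamed.
    if len(suffixes) >= 2 and suffixes[-2] in KNOWN_EXTENSIONS:
        indicators.append("renamed_known_file")
    if ext in {".txt", ".html", ".hta"} and any(h in path.name.lower() for h in NOTE_NAME_HINTS):
        indicators.append("possible_ransom_note")
    if ext not in COMPRESSED_EXTENSIONS:
        with open(path, "rb") as fh:
            head = fh.read(4096)  # the first block is enough to judge randomness
        if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            indicators.append("high_entropy_content")
    return indicators


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each flagged file (path relative to root) to its indicators."""
    findings: dict[str, list[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            hits = scan_file(p)
            if hits:
                findings[str(p.relative_to(root))] = hits
    return findings


def build_sample_tree() -> Path:
    """Constructed sample data: a normal text file, an 'encrypted' renamed spreadsheet, a ransom note."""
    root = Path(tempfile.mkdtemp(prefix="rw_demo_"))
    (root / "notes.txt").write_bytes(b"Quarterly report, nothing unusual here. " * 100)
    (root / "budget.xlsx.locked").write_bytes(os.urandom(4096))  # stands in for ciphertext
    (root / "HOW_TO_RESTORE_FILES.txt").write_text("Your files have been encrypted.")
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(hits)}")
```

No single indicator is proof on its own (a legitimately compressed or encrypted archive also scores high on entropy), so treat a file that trips two or more of them, or a burst of such files appearing within minutes, as the signal worth escalating; in production this check belongs in an endpoint agent that watches file writes rather than in a periodic walk of the disk.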

Steps to respond to a ransomware attack

  • Find out which system(s) are impacted. The very first step in dealing with a ransomware attack is determining which systems are infected. Isolate them from the functioning ones right away. This stops the ransomware from spreading and reduces the damage in the long run. Among all of the recovery steps, containment is the most important.
  • Disconnect compromised systems. Shut them down if necessary. Given how fast ransomware spreads, the most effective containment method is powering the affected systems down immediately.
  • Prioritize restoration of essential systems. Rank systems by profitability or impact so that critical systems are restored as soon as possible.
  • Eradicate the ransomware with expert help. Removal of ransomware should be done by a trusted professional. When working on attacks involving a “backdoor” approach, the hired cybersecurity expert will need access to the logs; only by proceeding to a root-cause analysis can a security veteran get the details of the attack. Sometimes calling local law enforcement can help with recovery too, since their forensic technicians are likely to have more experience with cyberattacks. Ask for their help in ensuring systems aren’t compromised in other ways, in investigating how to better protect the organization in the future, and in catching the attackers.
  • Conduct a thorough security review. Most victims report experiencing a repeat ransomware attack, especially those who pay the ransom. Go through the entire network with a professional review to ensure all weaknesses are found, and prepare for the security upgrades that follow. If the system’s vulnerabilities are not found, chances are it can be exploited again.

How to protect yourself or your organization from ransomware attacks?

Never pay the ransom

This is strongly suggested by IT professionals as well as government authorities. Paying the ransom encourages criminal activities to prevail. In many cases, the victim does not receive the decryption key and they also become prime targets of another cyberattack. The fact that a victim can afford and is willing to pay offers an incentive for future perpetrators.

Maintain backups - always

When it comes to recovery, keeping relevant backups is the single most effective way to help your organization. Victims of a ransomware attack can quickly revert to a backup to resume essential operations. Although this won’t stop you from being a potential target of a ransomware attack, at least the fallout won’t be as devastating.

However, make sure you put effort into securing the backups themselves, to lower the chance of them being infected too. Consider protecting files by keeping them offline or out of band. For the most crucial files, back them up at least once per day. Look also for immutable and indelible cloud storage services to keep your copies in.

Investing in continuous, organizational security training

Besides technical gaps, the human factor is another major reason ransomware infiltrates systems. Protect your systems from phishing and social engineering by training your team in security awareness; with regular training you can turn your workforce into a line of defense. Some of the most common cybersecurity training topics include, but are not limited to:

  • Safe web surfing
  • Secure password creation
  • VPNs
  • Identifying suspicious emails or attachments
  • Keeping systems and software updated
  • Confidentiality training
  • Common phishing techniques

Adopting email security solutions

The majority of ransomware is delivered by email. Strengthen your organization’s email system’s security posture to avoid falling victim to email-based attacks. Consider using secure email gateways and targeted attack solutions to scan, flag and filter malicious emails. A powerful email security solution can protect you from questionable URLs, attachments and emails.

Using better threat detection

As with other cyberattacks, an all-in-one antivirus or firewall solution helps significantly in preventing ransomware attacks. Firewalls are often the first line of defense, detecting and blocking suspicious files before they enter the system. They are powerful enough to defend against both software-based and hardware-based attacks.

A bonus tip: pay extra attention to fake antivirus alerts. Malware evolves rapidly, and some of it is disguised as a link in a fake antivirus alert. Be wary of alerts arriving by email or as website pop-ups.

Ensuring systems and software are up-to-date

As mentioned, plenty of ransomware attackers exploit vulnerabilities of old software as an entry point to the system. One of the best ways to protect your organization is to ensure that all systems and endpoints are updated immediately after patches are released.

A patch is a new version of existing software that fixes known flaws. An effective patch management strategy is basic cybersecurity hygiene, especially in battling ransomware. Spend the time to ensure all your team members apply the latest updates.

Implementing network segmentation

Since ransomware can spread swiftly between systems and networks, prepare in advance by separating systems. Consider breaking the network into subnetworks so that if something goes wrong, the ransomware can be isolated immediately and prevented from spreading to other systems.

Equip each subsystem with proper safety measures like a comprehensive antivirus and two-factor authentication. In urgent times, this will not only help secure your files but also buy time for cybersecurity professionals to recover any data lost.

Limiting user access

For security and management purposes, team members should only have access to the data they actually need for their work. Apply the principle of “least privilege” to control who has permission to access confidential data. Not only does this help stop the spread of ransomware and data breaches, it is also a better measure in terms of business interests. Even where access is granted, the functions and resources available should be limited to what is necessary.

The “least privilege” model goes together with a zero-trust policy, which assumes that no one in the organization can be fully trusted by default. Every level of access typically includes identity verification measures such as two-factor (2FA) or multi-factor authentication (MFA).

Running regular security tests

To keep up with the ever-changing cybersecurity landscape, organizations must carry out routine security tests. Only by evaluating the current security posture, endpoints and user access levels can you find loopholes and fix them.

One of the most commonly used methods for internal security assessment is sandboxing: run malicious code in an isolated environment to determine whether existing safety protocols are sufficient.

Obtaining anti-ransomware solutions

Last but not least, the ultimate way to tackle ransomware attacks is with tools specifically designed for them. Anti-ransomware solutions focus on monitoring suspicious signs commonly exhibited by ransomware.

Safeguard your business and organization with Sangfor

Sangfor offers a suite of comprehensive cyber security solutions to protect your business from risks brought on by a ransomware attack. If you want to learn more about how to defend your valuable data against ransomware attacks, get in touch with a member of our team today.
