Fighting the Ransomware That Seeks Out Your Data

When 30 countries get together to discuss a problem, you know it’s serious. Last October, the US hosted a multi-country meeting to discuss an online scourge: ransomware. The problem is getting so bad that it isn’t just costing companies millions each year – it’s also threatening critical national infrastructure. So what is it, why has it become such a problem, and what do we do about it next? 

Ransomware has become a headline issue in the last few years but it existed long before that. Consumer-targeted malware froze victims’ machines and demanded payment twenty years ago. The problem for criminals was getting money from the victims’ accounts to theirs. 

Then, along came cryptocurrency. Ransomware criminals traditionally had to try to convince victims to buy gift cards or make payments via money transfer services like Western Digital. Starting with bitcoin in 2009, cryptocurrency offered a fast, friction-free payment method that exploded over the next decade, with more digital currencies appearing almost weekly. Some, like Monero, were specifically geared to be as anonymous as possible. 

This gave criminals a perfect payment channel, which paved the way for more professional attacks. The first ransomware strains were often poorly coded, enabling victims to share encryption keys and recover their own data. Later strains tightened up encryption and also used more sophisticated techniques. 

Ransomware began deleting shadow volume copies, the local file snapshots that Windows creates and relies on to restore files. Ryuk has been spotted automatically crawling for and deleting any shadow copies or other backup files it finds, using simple scripts. Locky, WannaCry and CryptoLocker all target shadow copies. Most ransomware strains will also crawl the network looking for shared volumes, so backing up to a network drive won’t protect you. 

Introducing human hackers 

In the last few years, ransomware evolved again. It became more like a business. The criminal community behind it separated into different groups that operated on an affiliate model called ransomware as a service. The ransomware authors license their malicious software to others who find victims to infect. They then pay the authors a fee. 

Ransomware groups began sourcing large volumes of attack vectors on the dark web. These included not only stolen login credentials but also exposed Remote Desktop Protocol (RDP) ports that they could use to infect endpoints with ransomware. They then automated attacks, hitting those vulnerable points with bots to see which networks they could gain a foothold in. 

Once they infect a vulnerable network, many of today’s ransomware attackers do far more than just let the software run. Instead, they spend time manually picking their way through a victim’s network themselves, finding more machines to infect. This lateral movement enables them to find the victim’s most valuable resources. They often use everyday administrative tools that already exist on the target’s network, like PowerShell and Windows Management Instrumentation (WMI), to avoid raising suspicion. This process is called ‘living off the land’. 
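As an added example (not code from the article), the Python below shows how a defender can spot both behaviours described above in endpoint telemetry: shadow copy deletion before detonation, and living-off-the-land use of PowerShell and WMI. The events are constructed samples that borrow Sysmon-style field names (Image, CommandLine, ParentImage); the rule names and thresholds are my own assumptions.

```python
import json
import ntpath
import re

# Constructed sample process-creation events, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = r"""
{"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin delete shadows /all /quiet","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic shadowcopy delete","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoP -W Hidden -enc QQBCAEMA","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}
{"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin list shadows","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -File C:\\Scripts\\backup.ps1","ParentImage":"C:\\Windows\\explorer.exe"}
"""

# Rule 1: built-in tools used to destroy Volume Shadow Copies (the local restore points).
SHADOW_DELETE = {
    "vssadmin.exe": re.compile(r"delete\s+shadows", re.I),
    "wmic.exe": re.compile(r"shadowcopy\s+delete", re.I),
}
# Rule 2/3: living-off-the-land indicators. Interpreters launched by the WMI provider host
# point at remote WMI execution; an encoded PowerShell command hides the script from casual review.
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s", re.I)


def classify(event):
    """Return the names of every rule the event matches (empty list if nothing suspicious)."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "")
    hits = []
    pattern = SHADOW_DELETE.get(image)
    if pattern and pattern.search(cmd):
        hits.append("shadow_copy_deletion")
    if image == "powershell.exe" and ENCODED_PS.search(cmd):
        hits.append("powershell_encoded_command")
    if parent == "wmiprvse.exe" and image in LOLBINS:
        hits.append("lolbin_spawned_by_wmi")
    return hits


def analyse(jsonl):
    """Parse JSON-lines telemetry and return (rule, command line) pairs worth an alert."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        for rule in classify(event):
            findings.append((rule, event["CommandLine"]))
    return findings


if __name__ == "__main__":
    for rule, cmd in analyse(SAMPLE_EVENTS):
        print(f"{rule:28} {cmd}")
```

Listing shadows and running a script file from Explorer are left alone, so the rules fire on the destructive and obfuscated cases rather than on every use of the administrative tooling.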

This more manual technique allows ransomware thieves to do more than encrypt data. Today, they’re stealing it too. That way, if a company is able to recover its data from a backup, they can still try to extort money by threatening to publish the information. 

The result? 

Ransomware has evolved from a time bomb to a smart missile, seeking out the most valuable information in your organisation. But it doesn’t stop at one data cache; it finds all the targets it can, maximising its blast radius. 

Those attackers don’t stop at primary data. They’ll do their best to access a victim’s backups too. This is often relatively easy, as some backup files have headers containing detailed information about their contents. 

Those backups are often an easy way to collect large amounts of sensitive data in one raid. Cloud backups are even more attractive, because ransomware thieves who gain access to those accounts can often steal the backups without triggering any alerts on the victim’s internal network. They can then pursue sensitive data at their leisure. 

Criminals that find those backups can delete them before detonating their ransomware. That stops the victims restoring data from them. 

The alternative is not to delete the backups at all, but instead to leave the ransomware lying dormant for weeks on the network. The ransomware files will then get backed up along with everything else. After it eventually detonates, the victim might restore the files only to find themselves infected again immediately. 

The problem is getting worse 

How can companies protect themselves against these ransomware attacks? Basic cybersecurity hygiene measures apply. Training end-users to watch for phishing attacks and scanning incoming emails and outgoing web sessions are all good lines of defence. Using multi-factor authentication for online accounts will help stop ransomware thieves from hijacking accounts; switching off unused RDP ports will shrink the attack surface, as will regularly patching software. 

Beyond that, though, companies need security solutions built for ransomware – especially with the rise of Ransomware-as-a-Service. 

Ransomware-as-a-Service is exactly what the name suggests, and it is becoming a significant threat as more and more threat actors turn to it, which makes your solutions for recovery and cyber resilience even more crucial. The world isn’t like it used to be, that’s for certain. You no longer only need to fear those with the capability to build and execute a ransomware attack; you now have to make sure you’re protected from every angle, because RaaS has enabled those with little knowledge and know-how to unleash attacks at their leisure. The kits are easy to access on the dark web, which ultimately means more attacks, and attackers will usually use a “spray” tactic, hoping something lands. What does this mean for you? It means your defences and backups have never been more important.


The ransomware scourge isn’t going away. It’s going to get worse, and more companies are going to get hit. As we’ve seen, relying on traditional backups is cumbersome and unreliable. When online crooks come calling at your organisation, will you be ready? 
