What is ransomware? Definitions, examples and security tips

What is ransomware?

Ransomware is typically a piece of malware – malicious software – that gets into your system and locks or encrypts your files, assets and data so you can no longer access them. The cybercriminals then demand a ransom for the release of those files. This is a ransomware attack.

Increasingly, cybercriminals can also demand a ransom for not leaking or selling confidential information and intellectual property, which is sometimes called a “double extortion” ransomware attack. The publication of stolen data can be especially devastating in areas like healthcare or law, since the exposure of sensitive information can devastate the target organisation and its individual customers.

What are ransoms in the cyber world?

Ransoms usually come in the form of cryptocurrency, which needs to be paid to the cybercriminal on the promise that your locked files will be released, and stolen data destroyed.

Why do they happen?

The motive behind ransomware attacks vary, though they’re usually financially motivated. However, some groups might be trying to destabilise critical organisations or sectors, or they may be trying to make a little extra money while conducting espionage backed by a nation-state.

As for how it happens, ransomware attacks usually occur because of human error, often as a result of phishing or other social engineering. By opening a malicious or unexpected email or attachment, clicking on a suspicious link on social media (malvertising – malicious advertising – is increasingly common) or visiting a suspicious website, the malware can get into your system.

It can also happen because of weakness in systems, which is why it’s important to always keep software and systems up to date, and use up-to-date security software. Another ransomware attack source can, unfortunately, result from employees deliberately loading ransomware onto your systems. You don’t really want to imagine a threat coming from within, but it’s smart to be aware of the possibility.

What is the impact of a ransomware attack on a business?

The impact can be significant and costly – both literally and in terms of brand reputation. The ransomware will lock your important files, assets and photographs, meaning you are unable to access them.

For the vast, vast majority of businesses, this will stop day-to-day activity immediately – the average time a business is down after a ransomware attack is 24 days. For all businesses, that would be challenging – for services such as health or transport, for example, the consequences can be devastating. Suppliers can also be affected, with linked systems and stolen details being used to affect their operations, too.

Aside from halting business operations, your business then faces the financial risk of paying the ransom without any guarantee of getting files and data back, as well as the impact of your data – potentially including your customer records and files – being released onto the dark web.  This, of course, can cause serious reputational damage, as we’ve seen with the Optus and Medibank data breaches, for example. In addition, there are legal implications, as well as staff morale and HR concerns to address.

Who’s behind ransomware attacks?

Behind ransomware attacks are organised gangs – although using ‘gangs’ probably conjures up the wrong mental image. Cybercrime is a slick, highly skilled, organised and professional business, and there are a number of ‘gangs’ around the world – many in Eastern Europe – that make significant amounts of money from extorting people online. Today, many of these gangs offer ‘ransomware as a service’ creating affiliate schemes in which they get paid commission for successful ransomware attacks carried out by others using their technology.

Ransomware organisations LockBit, BlackCat and Clop are three of the biggest players today, and in the first six months of 2023.

Are ransomware attacks common?

Ransomware attacks are incredibly common. In 2023, a survey found that 56% of Australian businesses had fallen victim to a ransomware attack, and incidences have steadily increased over the years. Globally, organisations around the world detected nearly half a billion ransomware attacks in 2022.

How much do ransomware attacks cost a business?

In 2023, the average ransom was US$1.54m – a figure that’s almost doubled since 2022. In 2021, an insurance company reportedly made a payout of US$40m – the largest recorded to date.

What is an example of a ransomware attack?

In February 2023, global fruit and vegetable producer Dole fell victim to a ransomware attack, resulting in a shutdown of its systems throughout North America.

Consequently, product shortages followed, and there was some impact on operations. Company data, including some employee information, was also stolen. Dole acted swiftly to minimise the impact of the incident. However, it still reported US$10.5 million in direct costs, and endured reputational damage. In Australia, the Medibank cyber incident had devastating consequences that resulted in serious financial, reputational, legal and operational costs for the insurer.

How do I know if I’ve been affected by ransomware?

You might be unable to open files or access devices – they’ll ask for a password or code – and/or files may have moved or have different file extension names. A pop-up message might appear requesting a ransom is paid in order to access files, or you might receive an email claiming to be from the group who has successfully infiltrated your systems or data.

How can you protect your business from ransomware attacks?

First and foremost, the best way to protect your business from a ransomware attack is to not fall victim in the first place. Given that ransomware usually relies on human error – someone opening a suspicious attachment, clicking on a social media or emailed link, or visiting unsafe or suspicious websites – regular training on how your teams can help prevent cyber attacks is essential.

It’s also smart to back up all files regularly to an on-premises server or a portable hard drive. While it’s best to prevent an attack, having backups means your business will be able to get back up and running more quickly than it otherwise would be able to.

What should you do if you’re the victim of a ransomware attack?

The official advice from the Australian Cyber Security Centre is to never pay a ransom – and Australia is one of 40 countries to sign up to a US alliance plan to pledge never to pay ransom to cybercriminals.

However, of the 56% of Australian businesses that have been held to ransom, 75% that paid the ransom did so within 48 hours, and research has shown that many of the major ransomware groups do honour the promise to destroy copies of the data once payment is made.

Many experts are reportedly in favour of negotiating due to the benefit for the victim, however, that brings a moral dilemma in terms of validating the cybercriminal’s activity.

Ransomware’s impacts on financial professionals

In addition to the obvious financial impact of falling victim to a ransomware attack, it’s vitally important that financial professionals are constantly on guard against potential cyber threats.

Invoices attached to – and linked within – emails, for example, should be scrutinised before opening, while payment details included on invoices need to be verified before payment is made. Payment redirection scams, or business email compromise (BEC) scams – where payment details on a genuine invoice are altered – are incredibly common, and cost Australians $224m in 2022.

Of course, any data shared or sold on the dark web increases the risks for finance professionals, too. From compromised login credentials and transaction histories to personal data that could be used for social engineering or other scams, there’s a wide range of potential security challenges.