Ransomware remains a top threat for Canadian organizations with more than a quarter (28 per cent) saying they've been the victim of a successful ransomware attack in the last 12 months. This figure has grown significantly since 2021, when just 17 per cent of organizations reported being victimized by this type of cyber attack.
— CIRA 2024
[R]ansomware can alter your master boot records, change partition tables and encrypt files. That means it can do real damage to your machine.
— TechRepublic
Ransomware is a specialized form of malware that encrypts your computer then demands a ransom for the encryption key.
This makes all your files (documents, financial data, letters, photos, music, etc.) inaccessible, then displays a message with the promise to provide a recovery key once you pay the ransom.
A complete and current backup is your ONLY reliable defense against ransomware.
Ransomware is like blackmail — you're not dealing with honest people. The fee demanded is significant and untraceable (generally Bitcoin or other crypto-currencies). If the recovery key doesn't work, there are no refunds.
Failure to pay, or any attempt to recover your data on your own, results in the data being destroyed permanently. As long as people pay these criminals, ransomware will continue to be profitable.
There is evidence that more recent versions of ransomware simply destroy your data. Whether this is simply malicious actions by state-sponsored hackers or simply ignorance by script-kiddies, the result is the same — your data is gone forever unless you have recent reliable backups that are secured away from online access.
Some facts about ransomware:
The good news is that ransomware files can be decrypted:
- Tools (paid or free) can be obtained to decrypt ransomware.
- Ransomware recovery specialists can be hired to perform the decryption and system recovery.
The bad news is that decryption often doesn't work, so the best option for recovery will always be the availability of sufficient, isolated data backups and a practiced restoration process.
— eSecurity Planet
Organized crime and “state actors” (foreign governments) use their huge technical and financial resources to develop ransomware then offer it to small-scale criminals to ensure rapid distribution (ransomware as a service).
Like all malware, you can get infected from many sources including:
If your security software isn't up to the task, your computer will become useless and your data will be encrypted.
Ransomware-as-a-service is a commercial product sourced on the dark web making ransomware available to virtually anyone to use. It began to show up in late 2017.
Ransomware is following the same trajectory as phishing. The criminals have worked out how to monetize the crime, and they know which types of businesses are likely to pay up — and how to collect the money without being caught.
— Phillip Hallam-Baker
The criminal organization provides support for payments, decryptions, etc. in return for a cut of the proceeds.
Computers are infected automatically, with viruses that spread over the internet. Payment is no more difficult than buying something online -- and payable in untraceable bitcoin -- with some ransomware makers offering tech support to those unsure of how to buy or transfer bitcoin.
Customer service is important; people need to know they'll get their files back once they pay.
— Bruce Schneier
The costs to businesses, governments and other organizations are very high. Paying the ransom is not a good idea: it makes future attacks more profitable and tells the attackers that you're unprepared.
Ransomware has proven to be very damaging for Canadian organizations. Almost three quarters (73 per cent) of those that experienced a ransomware attack say that their data was exfiltrated. Almost eight in 10 organizations (79 per cent) that experienced a ransomware attack paid the attackers' ransom demands, up from 70 per cent in CIRA's 2023 survey. For organizations that chose to pay up, the typical cost was at least $25,000. Among those who fell victim to an attack in the last 12 months, almost three quarters (72 per cent) say it took under a month to recover their IT systems to pre-incident capacity and about half (52 per cent) say it took less than a week.
As for stolen or compromised data, most organizations say it took under a month to recover, and 41 per cent say it took less than a week. Reputational damage continues on an upward trend with 28 per cent of organizations citing it as an impact of a successful attack compared to just six per cent in 2018.
— CIRA 2024
The average cost of a data breach is $3.86 million, a malicious breach cost $4.27 million, and a ransomware attack costs about $4.44 million, according to IBM's 2020 Cost of a Data Breach report.
— TechRepublic
[T]he average downtime an organization suffers from a ransomware attack is three days, but at times can be indefinite and lead to the failure of a business.
— TechRepublic
As inconvenient as it is, your best bet is to tighten your security (educate yourself and your employees about the warning signs) and be prepared to restore your files from a secure backup.
In short, your security comes down to the same three words: backup, protection, awareness. All three need to be in place, and when they are, you can confidently say you're employing optimal antiransomware security strategy.
— Kaspersky
It is unfortunate that many corporate boards fail to adequately finance their security staff. Much like avoiding insurance payments, this is false economy. When disaster strikes, the blame should be put where it belongs: in the corporate boardroom.
Ransomware is responsible for millions of dollars of downtime and lost revenue, not to mention damage to an organization's reputation. Why isn't every organization doing everything it can to ensure a rapid recovery from an attack? A common answer is that "it's not in the budget". Ransomware attacks are unscheduled, random events and they come with a host of expenses, none of which are in the budget. Here are some the expenses you can expect:
- One obvious option is to pay the ransom. The Baltimore attackers asked for $76,000 while the two small communities in Florida coughed up over $1 million. Ransoms are not usually in the budget.
- In the wake of an attack most victims engage an Incident Response Team to conduct a forensic analysis of the attack. Atlanta paid over $2.6 million for emergency IT services and this was not in the budget.
- The Incident Response Team usually makes recommendations on how to upgrade hardware and software to be more resilient to future attacks. In Riviera Beach, FL, they spent $1 million on new systems in addition to the $600,000 ransom. This wasn't in the budget.
- Downtime represents a crippling cost in terms of lost productivity and lost business opportunities. Hospitals have had to cancel procedures and turn patients away, municipal governments have been unable to deliver services and access court records, law firms lose the ability to track billable hours and shipping companies have been unable to deliver goods. Many ransomware articles cite how employees were doing their jobs with pencil and paper and analog fax. This lost revenue wasn't in the budget.
- The organization's reputation also suffers. A prolonged recovery impacts customers, vendors and employees. The longer it takes to recover, the more severe and longer the consequences. Any financial or goodwill damage incurred by an attack is likely not in the budget.
- While cyber-insurance may offset some of the recovery expense, it does not cover everything. Food giant Mondelez, the owners of Oreo and Cadbury brands, is in litigation over a $100 million claim related to a ransomware attack. Norway's aluminum manufacturer, Norske Hydro, also has litigation under way related to an attack last spring. Litigation expense was probably not in the budget.
— Roxco Blog
Paying the ransom should be your last option. Studies indicate that paying the ransom demonstrates that you aren't prepared, making you a prime target in the future.
Nearly 40% of the victims who pay the ransom never get their data back and 73% of those that pay are targeted again later — which is why you need to protect against ransomware.
— Acronis
A 2024 report by CIRA indicates that Canadian governments and businesses are paying ransomware demands and that shows in the rise in ransomware attacks.
A successful ransomware attack isn't one that encrypts your files, but one where the attacker gets paid. That means the best thing you as an individual, but especially big corporations, can do to stem the spread of ransomware is keep your wallets closed.
It will be painful, but we cannot trust crooks to return access to our systems and data, nor can we keep rewarding them for their crimes.
— PCMag
The prevailing wisdom from cybersecurity experts is that trying to negotiate with ransomware hackers is a bad idea, but on December 30, 2020, one victim broke the rules and gave it a shot. After agreeing on an expedited payment, the hackers accepted the offer -- a stunning 94.7% reduction from their initial demand.
— PCMag
Other than prevention and preparation, your only realistic alternative is to wipe your computer, reinstall everything and restore your data from a reliable (and uninfected) current backup.
There is no guarantee that you'll get your data back even after paying.
[E]ven if a payment was forthcoming, new research reveals the shocking reality of ransomware today: 92% of organizations don't get all their data back.
— Forbes
If your confidential data was taken in a data breach which was masked by the ransomware attack, paying the ransom won't resolve the fact that your data was leaked.
A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organisations that paid the ransom is almost $1.4m, while for those who didn't give into ransom demands, the average cost is half of that, coming in at $732,000.
— ZDNET
Cities, hospitals and other government services are prime targets for ransomware.
Governments are now facing the threat of confidential information being released.
There is no guarantee that this information will not be sold on the dark web and eventually be exposed anyway. In the past, the defense for ransomware was simply to have good backups, however, with the addition of data exfiltration, the ransomware groups have changed the game.
— Erich Kron
These are favoured targets because these services are both unprepared (their security and often their hardware is sub-standard) and motivated (because of the confidential and often critical nature of their data).
Healthcare companies have made themselves a target because they are unprepared and their data is both critical and very sensitive so they have tended to pay to retrieve the locked data.
Work-from-home has increased, not only for employees of businesses but also in the number of small businesses run out of homes. That has implications for security, especially ransomware threats.
Experts warn that desperate ransomware attackers are shifting focus from businesses to individuals, applying "psychological pressure" with personal threats that bring digital extortion into the physical world. In one stunning recent example, Guy Segal and Moty Cristal from ransomware negotiator and incident response firm Sygnia said a threat actor personally called an executive's mobile phone and referenced sensitive details extracted from the company's internal system. "During the call, they referenced personal information, underscoring just how much data an employer may hold on its employees," Cristal — a tactical negotiator — told TechRepublic. "Ransomware attacks aren't just about encrypted files; they can become invasive in other ways."
Targeted individuals are often C-level executives or work in legal fields. The stolen personal data can include information about where their children live or go to school or even photos of loved ones. Cristal added that it is "extremely rare" for an attacker actually to act on these physical threats, but the success of the attack only requires the victim to believe they could.
— Tech Republic
Prevention isn't easy, and the only way you can be sure you're safe after an infection is to wipe your hard drive, then recover your files from a RECENT secure backup.
In short, your security comes down to the same three words: backup, protection, awareness. All three need to be in place, and when they are, you can confidently say you're employing optimal antiransomware security strategy.
— Kaspersky
Preventing a ransomware attack is a combination of knowledge and education backed up by security software.
You and everyone with access to your computer(s) need to learn to recognize the signs of malware and phishing.
Securing your computers and networks includes ensuring that no one can commit identity theft or gain access via the “forgot my password” recovery methods.
These 11 suggestions will help to prepare:
- Make sure your antivirus software is up to date
- Understand what's happening across the network
- Scan and filter emails before they reach your users
- Have a plan for how to respond to a ransomware attack, and test it
- Think very long and hard before you pay a ransom
- Understand what your most important data is and create an effective backup strategy
- Understand what's connected to your network
- Make it harder to roam across your networks
- Train staff to recognise suspicious emails
- Change default passwords across all access points
- Apply software patches to keep systems up to date
— ZDNET
The first step is to ensure the physical safety of your computers, equipment and data. Develop policies regarding employee and guest access.
While there are sneaky methods for getting around even “air-gapped” computers, most users will not be the focus for such attacks.
Once you've ensured that your hardware and data is as secure as possible, train your employees to recognize and respond appropriately to any threat.
LastPass revealed [April 10, 2024] that threat actors targeted one of its employees in a voice phishing attack, using deepfake audio to impersonate Karim Toubba, the company's Chief Executive Officer. [T]he LastPass employee didn't fall for it because the attacker used WhatsApp, which is a very uncommon business channel.
— BleepingComputer
If you have any doubts about an email, don't click on any links. Report it to your IT department or IT support resource.
Be cautious of sensitive instructions received via email, especially if they involve large financial transactions. Call the department head to verify legitimacy.
The use of the company network and Internet should be restricted to company business.
If you have a home office, don't allow people to use your computer unsupervised. Because this office is in your home, other family members and visitors may not respect the need for security like they would in a regular office.
The rules for company computers also apply.
Other than prevention, reliable backups are one of your best defenses in case something goes wrong, including ransomware attacks.
Ransomware now attacks backup software and devices to ensure you don't have that recovery option.
You want to ensure that you have all your files backed up onto safe media and continuously verify the integrity of those backups before you need them.
As a way to deal with ransomware attacks specifically, organizations need to back up data regularly to a nonconnected environment and verify the integrity of those backups regularly….
— TechRepublic
Internal drives or always-connected USB drives (such as Western Digital My Book drives) are subject to being infected at the same time as your computer.
If a backup device is connected to the infected computer or its network, it is likely that the backups on that drive will be corrupted if infected with ransomware.
If you are using external drives that are continually connected, ensure that they are powered off when not actively backing up your data. If there is no power switch, unplug the USB cable or power supply.
Cloud-based storage provides an excellent recovery option in case physical backup drives are damaged or stolen.
However, cloud services like OneDrive, iCloud and Dropbox can be hacked (strong passwords are essential).
Avoid using an automatic login to your cloud service because this makes it easy for either ransomware or anyone with access to your computer to damage or delete your backups.
Any data that is changed or created after your last backup is unrecoverable unless you make other arrangements.
Take precautions like saving changed or new files onto a thumb drive as soon as changes are made to them. These files can overwrite older versions once the backup is restored.
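One way to act on the advice above about verifying backups before you need them: a checksum manifest written when the backup is made and kept off the backup media, then compared against the drive later. This is an added example, not code from the original page; the manifest file name and the sample files are assumptions.

```python
"""Checksum manifest for a backup set (added example, not from the page).

Written when the backup is made and kept OFF the backup media, the manifest
lets a later check flag every file that changed, vanished or appeared, which
is what an encrypting intruder leaves on a connected backup drive.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"  # assumed name, not a standard

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Record size and SHA-256 of every file under root (manifest excluded)."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"size": p.stat().st_size, "sha256": _sha256(p)}
    return entries

def write_manifest(root: Path) -> Path:
    """Write the manifest beside the backup; keep a copy offline as well."""
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(build_manifest(root), indent=1, sort_keys=True))
    return out

def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup with a trusted manifest; a clean backup returns
    three empty lists under 'modified', 'missing' and 'unexpected'."""
    current = build_manifest(root)
    return {
        "modified": [f for f in manifest if f in current and current[f] != manifest[f]],
        "missing": [f for f in manifest if f not in current],
        "unexpected": [f for f in current if f not in manifest],
    }

def demo() -> dict:
    """Constructed scenario: a clean backup, then one file overwritten with
    junk, one deleted and a stray note dropped in, as ransomware would do."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "letter.txt").write_text("Dear bank, ...")
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff constructed sample")
        manifest = json.loads(write_manifest(root).read_text())  # offline copy
        clean = verify_backup(root, manifest)
        (root / "docs" / "letter.txt").write_bytes(os.urandom(64))
        (root / "README_RESTORE.txt").write_text("constructed ransom note")
        (root / "photo.jpg").unlink()
        tampered = verify_backup(root, manifest)
    return {"clean": clean, "tampered": tampered}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the verify step from a clean machine against the powered-up backup drive before trusting it for a restore; any non-empty list means the backup needs to be investigated, not restored.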
Don't delay. Once you've been hit by ransomware, your options are limited and it is unlikely that you or your business will recover unscathed.
It is always tempting to try and solve our problems for free, but sometimes the value of the software is worth the amount we paid — or worse. When considering a free tool, it is worth investigating the reputation of the person or organization that developed the free tool and considering the reputation of the source providing information on the tool.
— eSecurity Planet
DON'T pay the ransom. There is no guarantee that you'll receive a recovery solution that works and it marks you as a vulnerable target for future attacks.
Here are some keys to preparing your computer(s) and data for recovery:
Increase your security budget and train your employees on how to spot and avoid risky behaviour. The cost is far less than a successful ransomware attack.
Before you restore your data, you need to ensure that your recovery is not corrupted by remaining security issues.
As with any malware infection, leaving any residual of the malware will defeat the next steps. If you're unsure, get professional help in ensuring your computer is clean.
How you proceed depends upon which is more critical: speed or security.
Once your computer has been prepared and you're sure it is secure, proceed with restoring the data from the backups. Only restore program settings if you're certain they are not compromised.
Do not use your computer during the restore process to avoid external threats that can compromise the data being restored.
Once the restore process is complete, run a full security scan to ensure that no malware or other threats remain on your computer.
This process may determine that some of the restored files are corrupt. If your security software cannot repair these infections, delete the files.
These additional resources can help you develop policies to prevent ransomware (prevention is best) or seek out recovery solutions.
The Canadian government provides some guidance on preventing ransomware from gaining a foothold in your business but the information can also be useful for individuals.
It is better to prevent ransomware in the first place.
Check Point ZoneAlarm Anti-Ransomware remains one of the most effective ransomware-specific security tools we've tested. It detected all our real-world ransomware samples, though its recovery system missed some files.
— PCMag
You can try these recovery tools but it would be advisable to bring in expert help than to muddle through a process you don't understand.
These recovery tools relate to older ransomware variants. Modern ransomware is not so easy to recover from.
Ransomware was largely made possible by the development of crypto-currencies that allow untraceable payments.
CryptoLocker, released in 2013, demanded a significant ransom in Bitcoin, payable within 72 hours, after which the encryption key (the file needed for recovery) was destroyed.
CryptoLocker spread through ad networks but other ransomware was spread via email or TOR networks.
While the botnets distributing CryptoLocker have been stopped, it has since morphed into newer variations (CryptoWall, CoinVault, TorrentLocker and Cerber) which don't respond to CryptoLocker solutions.
Bad Rabbit moved ransomware into the low-rent district.
Access to a Windows XP machine can be purchased for $3; a Windows 10 machine for $9.
The hacker regains over 30 times his investment on the first sale.
The 0.05 bitcoin ransom (approx. $3,200) increases after a deadline.
Ransomware has evolved over time.
The Locky Ransomware was initially distributed via malicious emails. Attached “invoices” used macros that initiated the ransomware download which encrypted your files.
It later used fake Adobe Flash updates to spread its payload.
Microsoft patched the vulnerabilities that permitted WannaCry ransomware in advance of the attack (even for XP).
Still there were disasters. One in Europe looked like an update to a popular accounting software.
Many organizations engaged in lengthy tests to ensure that a patch won't create issues in their networks.
Ransomware is evolving so quickly we no longer have that luxury.
Any weakness in the network or the equipment attached can be exploited.
People will often not account for the fact that attackers attempt to get in through the most vulnerable parts of their organisation, leaving them with a network composed of 99.9 percent super-hardened endpoints and one box running Windows XP.
— SC Media
Vulnerable software (especially on legacy Windows computers or vulnerable personal devices) can be the pathway in which other computers on your network are infected.
Legacy systems need to be disconnected from the Internet as well as networks.
The pandemic brought a resurgence of ransomware. People were working from home, away from their technical support, often on home equipment unprepared for the business world.
The Digital CoronaVirus sent out emails promising pandemic relief from the U.S. Federal Reserve or similar institutions.
Instead, the user installs both ransomware and Infostealer, a program that grabs passwords from browsers, installed games (e.g., Steam), communication software (e.g., Skype), FTP and VPN credentials.
Like most ransomware, the threat attempts to delete local backups and shadow files before encrypting the user's data, emphasizing the need for offline backups.
Criminals are starting to look at cloud services for future ransomware attacks because data is moving to the cloud — because that's where the “money” is.
The future of ransomware could be even grimmer with the Internet of Things (IoT).
Manufacturers have been busy installing Internet-connected microcomputers in everything — baby monitors, cameras, cars, hospital equipment, smart TVs and much more. They have failed to provide security in order to keep costs down.
Forbes predicts that by 2025, we'll have over 80 billion smart devices on the internet. Much of the embedded firmware running on these devices is insecure and highly vulnerable, leaving an indeterminate number of critical systems and data around the world at risk.
— IoT for All
It's only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.
— Bruce Schneier
Security has not even been considered in the rapidly expanding list of IoT products and is probably not even possible to implement after manufacture.
RussHarvey.bc.ca/resources/ransomware.html
Updated: March 29, 2025