
URL: https://www.proofpoint.com/us/threat-reference/ransomware
Submission: On August 17 via api from DE — Scanned from DE



WHAT IS RANSOMWARE?



DEFINITION

Ransomware is a type of malicious software (malware) that threatens to publish
or blocks access to data or a computer system, usually by encrypting it, until
the victim pays a ransom fee to the attacker. In many cases, the ransom demand
comes with a deadline. If the victim doesn’t pay in time, the data is gone
forever or the ransom increases.

Ransomware attacks are all too common these days. Major companies in North
America and Europe alike have fallen victim to it. Cybercriminals will attack
any consumer or any business and victims come from all industries.

Several government agencies, including the FBI, advise against paying the ransom
to keep from encouraging the ransomware cycle, as does the No More Ransom
Project. Furthermore, half of the victims who pay the ransom are likely to
suffer from repeat ransomware attacks, especially if it is not cleaned from the
system.


HISTORY OF RANSOMWARE ATTACKS

Ransomware can be traced back to 1989 when the “AIDS virus” was used to extort
funds from recipients of the ransomware. Payments for that attack were made by
mail to Panama, at which point a decryption key was also mailed back to the
user.

In 1996, ransomware was known as “cryptoviral extortion,” introduced by Moti
Yung and Adam Young from Columbia University. This idea, born in academia,
illustrated the progression, strength, and creation of modern cryptographic
tools. Young and Yung presented the first cryptovirology attack at the 1996 IEEE
Security and Privacy conference. Their virus contained the attacker’s public key
and encrypted the victim’s files. The malware then prompted the victim to send
asymmetric ciphertext to the attacker to decipher and return the decryption
key—for a fee.

Attackers have grown creative over the years by requiring payments that are
nearly impossible to trace, which helps cybercriminals remain anonymous. For
example, notorious mobile ransomware Fusob requires victims to pay using Apple
iTunes gift cards instead of normal currencies, like dollars.

Ransomware attacks began to soar in popularity with the growth of
cryptocurrencies, such as Bitcoin. Cryptocurrency is a digital currency that uses
encryption techniques to verify and secure transactions and control the creation
of new units. Beyond Bitcoin, there are other popular cryptocurrencies that
attackers prompt victims to use, such as Ethereum, Litecoin, and Ripple.

Ransomware has attacked organizations in nearly every vertical, with one of the
most famous incidents being the attack on Presbyterian Memorial Hospital. This
attack highlighted the potential damage and risks of ransomware. Labs,
pharmacies and emergency rooms were hit.

Social engineering attackers have become more innovative over time. The Guardian
wrote about a situation where new ransomware victims were asked to have two
other users install the link and pay a ransom in order to have their files
decrypted.



EXAMPLES OF RANSOMWARE

By learning about the major ransomware attacks below, organizations will gain a
solid foundation in the tactics, exploits, and characteristics of most
ransomware attacks. While there continue to be variations in the code, targets,
and functions of ransomware, the innovation in ransomware attacks is typically
incremental.

 * WannaCry: A powerful Microsoft exploit was leveraged to create a worldwide
   ransomware worm that infected over 250,000 systems before a killswitch was
   tripped to stop its spread. Proofpoint was involved in finding the sample
   used to find the killswitch and in deconstructing the ransomware.
 * CryptoLocker: This was one of the first of the current generation of
   ransomware that required cryptocurrency for payment (Bitcoin) and encrypted a
   user’s hard drive and attached network drives. CryptoLocker was spread via an
   email with an attachment that claimed to be FedEx and UPS tracking
   notifications. A decryption tool was released for this in 2014, but various
   reports suggest that upwards of $27 million was extorted by CryptoLocker.
 * NotPetya: Considered one of the most damaging ransomware attacks, NotPetya
   leveraged tactics from its namesake, Petya, such as infecting and encrypting
   the master boot record of a Microsoft Windows-based system. NotPetya
   leveraged the same vulnerability from WannaCry to spread rapidly, demanding
   payment in Bitcoin to undo the changes. It has been classified by some as a
   wiper, since NotPetya cannot undo its changes to the master boot record and
   renders the target system unrecoverable.

 * Bad Rabbit: Considered a cousin of NotPetya and using similar code and
   exploits to spread, Bad Rabbit was a visible ransomware that appeared to
   target Russia and Ukraine, mostly impacting media companies there. Unlike
   NotPetya, Bad Rabbit did allow for decryption if the ransom was paid. The
   majority of cases indicate that it was spread via a fake Flash player update
   that can impact users via a drive-by attack.
 * REvil: REvil is authored by a group of financially motivated attackers. It
   exfiltrates data before it encrypts it so that targeted victims can be
   blackmailed into paying if they choose not to send the ransom. The attack
   stemmed from compromised IT management software used to patch Windows and Mac
   infrastructure. Attackers compromised the Kaseya software and used it to
   inject the REvil ransomware onto corporate systems.
 * Ryuk: Ryuk is a manually distributed ransomware application mainly used in
   spear-phishing. Targets are carefully chosen using reconnaissance. Email
   messages are sent to chosen victims, and all files hosted on the infected
   system are then encrypted.


HOW RANSOMWARE WORKS

Ransomware is a type of malware designed to extort money from its victims, who
are blocked or prevented from accessing data on their systems. The two most
prevalent types of ransomware are encryptors and screen lockers. Encryptors, as
the name implies, encrypt data on a system, making the content useless without
the decryption key. Screen lockers, on the other hand, simply block access to
the system with a “lock” screen, asserting that the system is encrypted.

Figure 1: How Ransomware tries to trick a victim into installing it

Victims are often notified on a lock screen (common to both encryptors and
screen lockers) to purchase a cryptocurrency, like Bitcoin, to pay the ransom
fee. Once the ransom is paid, customers receive the decryption key and may
attempt to decrypt files. Decryption is not guaranteed, as multiple sources
report varying degrees of success with decryption after paying ransoms.
Sometimes victims never receive the keys. Some attacks install malware on the
computer system even after the ransom is paid and the data is released.

While originally focused largely on personal computers, encrypting ransomware
has increasingly targeted business users, as businesses will often pay more to
unlock critical systems and resume daily operations than individuals.

Enterprise ransomware infections or viruses usually start with a malicious
email. An unsuspecting user opens an attachment or clicks on a URL that is
malicious or has been compromised.

At that point, a ransomware agent is installed and begins encrypting key files
on the victim’s PC and any attached file shares. After encrypting the data, the
ransomware displays a message on the infected device. The message explains what
has occurred and how to pay the attackers. If the victims pay, the ransomware
promises they’ll get a code to unlock their data.


WHO IS AT RISK?

Any device connected to the internet is at risk of becoming the next ransomware
victim. Ransomware scans a local device and any network-connected storage, which
means that a vulnerable device also makes the local network a potential victim.
If the local network is a business, the ransomware could encrypt important
documents and system files that could halt services and productivity.

If a device connects to the internet, it should be updated with the latest
software security patches, and it should have anti-malware installed that
detects and stops ransomware. Outdated operating systems such as Windows XP that
are no longer maintained are at a much higher risk.


THE BUSINESS IMPACT FROM RANSOMWARE

A business that falls victim to ransomware can lose thousands of dollars in
productivity and data loss. Attackers with access to data will blackmail victims
into paying the ransom by threatening to release data and expose the data
breach, so organizations that do not pay fast enough could experience additional
side effects such as brand damage and litigation.

Ransomware stops productivity, so the first step is containment. After
containment, the organization can either restore from backups or pay the ransom.
Law enforcement gets involved in investigations, but tracking ransomware authors
requires research time that just delays recovery. Root-cause analysis identifies
the vulnerability, but any delays in recovery impact productivity and business
revenue.


WHY IS RANSOMWARE SPREADING?

With more people working from home, threat actors increased their use of
phishing. Phishing is a primary starting point for ransomware infection. The
phishing email targets employees, both low-privileged users and high-privileged
users. Email is inexpensive and easy to use, so it makes a convenient way for
attackers to spread ransomware.

Documents are normally passed in email, so users think nothing of opening a file
in an email attachment. The malicious macro runs, downloads ransomware to the
local device, and then delivers its payload. The ease of spreading ransomware in
email is why it’s a common malware attack.


WHO ARE THE MALICIOUS ACTORS?

Sophisticated attacks might use ransomware whose authors build their own
versions. Variants use the codebase from an existing ransomware version and
alter just enough of the functions to change the payload and method of attack.
Ransomware authors can customize their malware to perform any action and use a
preferred encryption cipher.

Attackers are not always authors. Some ransomware authors sell their software to
others or lease it for use. Ransomware can be leased as malware-as-a-service
(MaaS) where customers authenticate into a dashboard and launch their own
campaign. Therefore, attackers are not always coders and malware experts. They
are also individuals who pay authors to lease their ransomware.


WHY YOU SHOULDN’T PAY RANSOMWARE

After ransomware encrypts files, it shows a screen to the user announcing files
are encrypted and the amount of money that must be paid. Usually, the victim is
given a specific amount of time to pay or the ransom increases. Attackers also
threaten to expose businesses and publicly announce that they were victims of
ransomware.

The biggest risk of paying is never receiving cipher keys to decrypt data. The
organization is out the money and still doesn’t have decryption keys. Most
experts advise against paying the ransom to stop perpetuating the monetary
benefits to attackers, but many organizations are left without a choice.
Ransomware authors require cryptocurrency payments, so the money transfer cannot
be reversed.


STEPS FOR RESPONDING TO AN ATTACK

The payload from ransomware is immediate. The malware displays a message to the
user with instructions for payment and information on what happened to files.
It’s important for administrators to react quickly because some ransomware
attempts to spread to other locations on the network and find critical files in
additional scans. You can take a few basic steps to properly respond to
ransomware, but note that expert intervention is usually required for root-cause
analysis, cleanup, and investigations.

 * Determine which systems are impacted. You must isolate systems so that they
   cannot affect the rest of the environment. This step is part of containment
   that will minimize damage to the environment.
 * Disconnect systems, and power them down if necessary. Ransomware spreads
   rapidly on the network, so any systems must be disconnected either by
   disabling network access or powering them down.
 * Prioritize restoration of systems so that the most critical ones can be
   returned to normal faster. Usually, priority is based on productivity and
   revenue impact.
 * Eradicate the threat from the network. Attackers might use backdoors, so
   eradication must be done by a trusted expert. The expert needs access to logs
   so that a root-cause analysis will identify the vulnerability and all systems
   impacted.
 * Have a professional review the environment for potential security upgrades.
   It’s common for a ransomware victim to be a target for a second attack. If
   the vulnerability is not found, it can be exploited again.


NEW RANSOMWARE THREATS

Authors constantly change code into new variants to avoid detection.
Administrators and anti-malware developers must keep up with these new methods
so that detection of threats happens quickly before it can propagate across the
network. Here are a few new threats:

 * DLL side loading. Malware attempts to hide from detection by using DLLs and
   services that look like legitimate functions.
 * Web servers as targets. Malware on a shared hosting environment can affect
   all sites hosted on the server. Ransomware such as Ryuk targets hosted sites,
   mainly using phishing emails.
 * Spear-phishing is preferred over standard phishing. Instead of sending
   malware to thousands of targets, attackers perform reconnaissance on
   potential targets for their high-privilege network access.
 * Ransomware-as-a-Service (RaaS) lets users launch attacks without any
   cybersecurity knowledge. The introduction of RaaS has led to an increase in
   ransomware attacks.

A primary reason for an increase in threats using ransomware is remote work. The
pandemic introduced a new way of working globally. An at-home workforce is much
more vulnerable to threats. Home users do not have the enterprise-level
cybersecurity necessary to protect from sophisticated attacks, and many of these
users commingle their personal devices with work devices. Since ransomware scans
the network for vulnerable devices, personal computers infected with malware can
also infect network-connected business machines.


RANSOMWARE PREVENTION AND DETECTION

Prevention for ransomware attacks typically involves setting up and testing
backups as well as applying ransomware protection in security tools. Security
tools such as email protection gateways are the first line of defense, while
endpoints are a secondary defense. Intrusion Detection Systems (IDSs) are
sometimes used to detect ransomware command-and-control traffic and alert when a
ransomware-infected system calls out to a control server. User training is important,
but user training is just one of several layers of defense to protect against
ransomware, and it comes into play after the delivery of ransomware via an email
phish.

A fallback measure, in case other ransomware preventative defenses fail, is to
stockpile Bitcoin. This is more prevalent where immediate harm could impact
customers or users at the affected firm. Hospitals and the hospitality industry
are at particular risk of ransomware, as patients’ lives could be affected or
people could be locked in or out of facilities.



BEFORE/AFTER


HOW TO PREVENT RANSOMWARE ATTACKS

 * Defend your email against Ransomware: Email phishing and spam are the main
   way that ransomware attacks are distributed. Secure Email Gateways with
   targeted attack protection are crucial for detecting and blocking malicious
   emails that deliver ransomware. These solutions protect against malicious
   attachments, malicious documents, and URLs in emails delivered to user
   computers.
 * Defend your mobile devices against Ransomware: Mobile attack protection
   products, when used in conjunction with mobile device management (MDM) tools,
   can analyze applications on users’ devices and immediately alert users and IT
   to any applications that might compromise the environment.
 * Defend your web surfing against Ransomware: Secure web gateways can scan
   users’ web surfing traffic to identify malicious web ads that might lead them
   to ransomware.
 * Monitor your server, network and back up key systems: Monitoring tools can
   detect unusual file access activities, viruses, network C&C traffic and CPU
   loads, possibly in time to block ransomware from activating. Keeping a full
   image copy of crucial systems can reduce the risk of a crashed or encrypted
   machine causing a crucial operational bottleneck.
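
One way to implement the "unusual file access" monitoring from the last bullet, as an added example (not Proofpoint's code or any product's logic): it flags a process that rewrites many distinct files with high-entropy content, or renames them to a new extension, inside a short window. The event format, thresholds, process names and paths are assumptions constructed for the illustration.

```python
import hashlib
import math
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed tuning values for this illustration; adjust per environment.
ENTROPY_THRESHOLD = 7.2   # bits per byte; encrypted data sits close to 8.0
WINDOW_SECONDS = 10.0     # sliding window per process
MIN_DISTINCT_FILES = 5    # distinct files rewritten in the window before alerting


@dataclass(frozen=True)
class FileEvent:
    """Hypothetical file-activity record, e.g. exported from an endpoint agent."""
    ts: float            # seconds since start of capture
    pid: int
    process: str
    action: str          # "write" or "rename"
    path: str
    new_path: str = ""   # set for renames
    sample: bytes = b""  # first bytes written, set for writes


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def looks_like_encryption(ev: FileEvent) -> bool:
    """High-entropy write, or a rename that changes the file extension."""
    if ev.action == "write":
        return shannon_entropy(ev.sample) >= ENTROPY_THRESHOLD
    if ev.action == "rename":
        old = PureWindowsPath(ev.path).suffix.lower()
        new = PureWindowsPath(ev.new_path).suffix.lower()
        return old != new
    return False


def detect_bulk_encryption(events):
    """Alert once per process that hits many distinct files inside the window."""
    # Entropy alone is not enough: archives and media are high-entropy too,
    # so the rule also requires a burst across several different files.
    recent = defaultdict(deque)  # pid -> deque of (ts, original path)
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.pid in alerts or not looks_like_encryption(ev):
            continue
        window = recent[ev.pid]
        window.append((ev.ts, ev.path))
        while ev.ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        touched = {path for _, path in window}
        if len(touched) >= MIN_DISTINCT_FILES:
            alerts[ev.pid] = {"pid": ev.pid, "process": ev.process,
                              "distinct_files": len(touched), "ts": ev.ts}
    return list(alerts.values())


def pseudo_random(seed: int, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    blocks = (hashlib.sha256(f"{seed}:{n}".encode()).digest() for n in range(size // 32 + 1))
    return b"".join(blocks)[:size]


TEXT = b"Quarterly report draft, revision notes follow. " * 20


def build_sample_events():
    """Constructed events: two benign processes and one encryption-like burst."""
    docs = "C:\\Users\\a\\Documents\\"
    events = []
    for i in range(6):  # editor saving plain-text notes (low entropy)
        events.append(FileEvent(1.0 + i, 1001, "editor.exe", "write",
                                f"{docs}notes{i}.txt", sample=TEXT))
    for i in range(8):  # backup tool writing to ONE archive (high entropy)
        events.append(FileEvent(2.0 + i * 0.5, 2002, "backup.exe", "write",
                                "D:\\Backups\\nightly.zip", sample=pseudo_random(100 + i)))
    for i in range(6):  # one process rewriting and renaming six documents
        path = f"{docs}report{i}.docx"
        events.append(FileEvent(20.0 + i * 0.4, 4242, "invoice_viewer.exe", "write",
                                path, sample=pseudo_random(i)))
        events.append(FileEvent(20.1 + i * 0.4, 4242, "invoice_viewer.exe", "rename",
                                path, new_path=path + ".locked"))
    return events
```

Calling `detect_bulk_encryption(build_sample_events())` alerts only on the constructed `invoice_viewer.exe` process; the backup tool writes high-entropy data but to a single file, so it stays below the distinct-file threshold.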


HOW TO REMOVE RANSOMWARE

 * Call federal and local law enforcement: Just as someone would call a federal
   agency for a kidnapping, organizations need to call the same bureau for
   ransomware. Their forensic technicians can ensure systems aren’t compromised
   in other ways, gather information to better protect organizations going
   forward and try to find the attackers.


RANSOMWARE RECOVERY

 * Learn about anti-ransomware resources: No More Ransom portal and Bleeping
   Computer have tips, suggestions and even some decryptors for selected
   ransomware attacks.
 * Restore data: If organizations have followed best practices and kept system
   backups, they can restore their systems and resume normal operations.


RANSOMWARE STATISTICS

The following ransomware statistics illustrate the rising epidemic and the
billions it has cost victims. To stay up to date on the latest ransomware
statistics, you can also check out the Proofpoint blog.


4,000

An average of 4,000 ransomware episodes occur every day. Source: FBI Internet
Crime Report.


39%

Ransomware is the top variety of malicious software, found in 39% of cases where
malware was identified. Source: Verizon’s 2018 Data Breach Investigations
Report.


46%

In our latest State of the Phish™ Report, only 46% of respondents could
correctly define ransomware.


42%

of U.S. respondents to our 2017 User Risk Report could not correctly identify
what ransomware is.




RANSOMWARE SURVIVAL GUIDE

Ransomware attackers collected on average $115,123 per incident in 2019, but
costs soared to $312,493 in 2020. One recorded event cost an organization $30
million. In addition to the ransom itself, these attacks can exact a heavy cost:
business disruption, remediation costs, and a diminished brand.



RANSOMWARE FAQS


IS RANSOMWARE A VIRUS?

Ransomware and viruses are both forms of malware, but ransomware is not a virus.
Ransomware is considered its own category of malware, but it does not
self-replicate like a virus. Both viruses and ransomware damage files, but they
act differently once the payload is delivered.


WHAT IS THE WANNACRY RANSOMWARE ATTACK?

The WannaCry ransomware took advantage of a Microsoft Windows vulnerability to
spread quickly across the internet and encrypt files to hold them hostage. It
encrypts files with cryptographically secure algorithms so that targeted victims
are forced to pay the ransom in Bitcoin to obtain the private key or recover
from backups. The files cannot be decrypted, so many organizations were forced
to pay the ransom.


WHAT IS DARKSIDE RANSOMWARE?

The hacking group known as DarkSide created the DarkSide malware that works as
ransomware-as-a-service (RaaS). The malware double extorts its targets by first
requiring payment to decrypt files and second requiring payment for the
exfiltrated sensitive data. It targets servers hosting the Remote Desktop
Protocol (RDP) and brute forces the password to gain access to the machine’s
local files.


HOW LONG DOES IT TAKE TO RECOVER FROM RANSOMWARE?

The time it takes varies wildly depending on the extent of the damage, the
efficiency of the organization’s disaster recovery plan, response times, and the
containment and eradication timeframes. Without good backups and disaster
recovery plans, organizations could stay offline for days, which is a severe
revenue-impacting event.


© 2022. All rights reserved.