

What to Expect When You’re Infected with Ransomware

The ransomware attack method made its debut in 1989 when the “father of ransomware,” Joseph Popp, distributed 20,000 infected floppy disks labeled “AIDS Information - Introductory Diskettes” to attendees of the World Health Organization’s AIDS Conference.

Although Popp, a biologist, included leaflets with the disks warning recipients that the disks would negatively impact other computer programs and that they would need to pay to reverse the damage, the disks were still used. The AIDS trojan, delivered on the floppy disks, held victims’ data and systems hostage unless they sent $189 to a post office box in Panama.

While floppy disks have been relegated to the past, ransomware continues to develop and threat actors continue to deploy new tools and tactics to initiate an attack and get targets to pay costly ransoms to recover their data—and they’re not subtle about it.

Ransomware is the “biggest, noisiest threat we’ve seen in the world from a cybersecurity perspective,” said Jon Clay, vice president of threat intelligence at Trend Micro. “Once you’re infected, you know it.”

And threat actors only play this card—of notifying their victims that their data has been compromised, is encrypted, and might be published online if they fail to pay up—when they’ve achieved their other goals, such as stealing intellectual property or obtaining and selling company credentials.

“Ransomware is the last revenue opportunity for these groups,” Clay added. “The likelihood they’ve been in your network for days or weeks is high.”

In a presentation at GSX 2022, “Research Reveals Best Practices in Ransomware Response and Negotiation,” Clay shared the trends he’s been following on ransomware threat actors, the tactics they’re using, and what to expect when hit with it—including how to navigate the negotiation process should you decide to pay the ransom, even if it’s not a recommended practice.

“Every time you pay a ransom, you’re funneling more to these groups to do ransomware activities against others,” he explained. “But you, as an organization, need to make that decision.”

Paying Up

If you’re hit with ransomware, you or your organization will be assigned a unique ID to help identify you—since the threat actor group has numerous targets that it might be attacking at the same time. If you then decide to pay the ransom, you’ll negotiate with the attacker—typically via a chat system that could potentially be made public, depending on how the negotiations go.

“You want to try to maintain that anonymity and make sure that information doesn’t get out to the public sites,” Clay said. “So that you’re negotiating one-on-one, so to speak.”

Most ransomware groups will inform victims of the amount of data taken and encrypted in the attack—which they might threaten to leak if the ransom is not paid—and then provide the ransom amount to get it back. This amount will likely be based on how much revenue your organization has, what your insurance coverage is for a ransomware incident, and the perceived value of the data itself.

Then, victims have an opportunity to negotiate the ransom amount. Clay added that his firm has tracked ransomware negotiations where victims were able to negotiate a 25 to 90 percent discount, with the discount potentially going up the longer negotiations continue.

One trend Clay has noticed over the years is that ransomware groups are continuing to work to improve their processes to help ensure they get paid. This has led to the development of the Ransomware-as-a-Service model, where threat actor groups will make their services available for purchase and provide complete, easy-to-use kits detailing how to launch an attack, victims to look at, the ransomware itself, and how to track your communications with victims.

“We’re seeing a lot of automation nowadays to make it much more efficient to launch and run a ransomware attack,” he added.

Other Trends of Note

As ransomware attacks continue to proliferate, threat actors are increasingly going after valid credentials to gain access to trusted accounts that they can use to obscure their activities until they’re ready to launch the attack.

For instance, Clay said he’s seen instances of attackers stealing administrative credentials that were then used to turn off security software on devices so ransomware could be planted without the victim detecting it.

Threat actors also continue to target individuals, such as through phishing, because fooling an employee into clicking on a link or opening an attachment is easier than launching a technical attack against an organization’s networks. “And it’s low risk for high reward,” Clay added.

Best Practices

When it comes to preventing ransomware attacks and mitigating their impacts, Clay said companies should have a plan in place on what to do should they be hit. This plan should detail who is responsible for specific incident response actions, as well as a process for deciding on payment and how that decision will be communicated with the board, insurance companies, and the legal team. Then, this plan should be exercised regularly.

Additionally, companies should regularly back up their files following the 3-2-1 backup system. This involves creating a primary backup and two copies of data, saving backups to two different media types, and keeping one backup file offline.

Clay also recommended hardening administrative accounts by implementing multi-factor authentication and disabling PowerShell where possible. Additionally, he suggested taking a look at third-party access to networks and assessing what vendors need privileged access. This will help prevent threat actors from island hopping—attacking a primary target via a third-party vendor, such as the cyberattack against Target carried out via access to its systems through its HVAC provider.

Finally, Clay said it’s critical to develop a security-aware culture with leadership support within your organization, which can be accomplished by training employees to understand how they could be targeted.

Five Takeaways

Clay ended his presentation with a list of five main takeaways useful for ransomware incident response, as well as for improving overall security:

  1. Understanding ransomware negotiations can help if you fall victim.

  2. Consider any negotiation as being public.

  3. The principle of least privilege and limiting administrative access as much as possible is beneficial to preventing these attacks.

  4. Logging security events is only helpful if someone is monitoring those logs against a baseline to know when something abnormal is occurring.

  5. Use the 3-2-1 rule for data backup.
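To make the fourth takeaway concrete, here is an added example (not from Clay's presentation or the original article) that compares a week of events against a per-account baseline and flags the pattern described earlier, an administrative account stopping security software. The log format, account names, and service names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs; the line format is an assumption.
BASELINE_LOG = """\
2022-09-05T09:12:44Z host=WS014 user=jlee action=logon target=-
2022-09-05T10:03:10Z host=FS01 user=adm_ops action=service_stop target=PrintSpooler
2022-09-06T09:40:02Z host=FS01 user=adm_ops action=service_start target=PrintSpooler
2022-09-07T11:05:19Z host=FS01 user=adm_ops action=logon target=-
"""
CURRENT_LOG = """\
2022-09-12T09:15:01Z host=WS014 user=jlee action=logon target=-
2022-09-12T02:14:07Z host=FS01 user=adm_ops action=logon target=-
2022-09-12T02:16:33Z host=FS01 user=adm_ops action=service_stop target=EndpointAgent
2022-09-12T10:30:00Z host=FS01 user=adm_ops action=service_stop target=PrintSpooler
"""
SECURITY_SERVICES = {"EndpointAgent", "LogForwarder"}  # hypothetical service names
LINE = re.compile(r"(\S+) host=(\S+) user=(\S+) action=(\S+) target=(\S+)")

def parse(log):
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            ts, host, user, action, target = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, action, target

def build_baseline(log):
    """Per account: hours of day seen active and (action, target) pairs seen."""
    hours, actions = defaultdict(set), defaultdict(set)
    for ts, _host, user, action, target in parse(log):
        hours[user].add(ts.hour)
        actions[user].add((action, target))
    return hours, actions

def find_anomalies(baseline_log, current_log):
    hours, actions = build_baseline(baseline_log)
    alerts = []
    for ts, host, user, action, target in parse(current_log):
        reasons = []
        if ts.hour not in hours[user]:
            reasons.append("hour outside baseline")
        if (action, target) not in actions[user]:
            reasons.append("action never seen for this account")
        if action == "service_stop" and target in SECURITY_SERVICES:
            reasons.append("security service stopped")
        if reasons:
            alerts.append((ts.isoformat(), host, user, target, reasons))
    return alerts
```

The routine 10:30 stop of PrintSpooler matches the account's baseline and raises nothing, while the 02:16 stop of the endpoint agent is flagged for three independent reasons. Exact hour matching is deliberately crude; a production baseline would use a longer window and tolerance bands.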

Clay’s session was not recorded at GSX 2022, but copies of his slides from his presentation are available for All-Access attendees via the GSX app.

Megan Gates is editor-in-chief of the GSX Daily, which is published by Security Management. Follow her on Twitter: @mgngates.