banner-ad Fortinet
Fortinet's Global Threat Intelligence and Research Organization Fortinet

Anybody who hasn’t been living under a rock knows that ransomware attacks are not rare. Recently, the May 6th ransomware attack on Colonial Pipeline, a major fuel pipeline operator in the U.S., became the latest in a seemingly endless stream of cyber attack news stories. The fact that ransomware attacks are pervasive is not surprising, but what is alarming is that these insidious threats increased sevenfold in the second half of 2020 alone, according to Fortinet’s FortiGuard Labs threat research. In addition, ransomware continues to evolve rapidly and new variants are constantly being discovered, meaning security strategies must also evolve to be able to handle new types of attacks.

What’s Driving the Sudden Increase?

There are a number of factors behind the enormous growth in ransomware. Generally speaking, ransomware attacks carry low risk and have a low barrier to entry with the potential for high profits. Further, the recent move to telework opened up new targets globally, and the rise in Ransomware-as-a-Service has made attacking easy.


When the global workforce shifted to telework in 2020, cybercriminals shifted into high gear. Home offices simply do not have the same security controls in place as a corporate office, and bad actors immediately went to work targeting remote workers. They are adept at quickly taking advantage of any new vulnerability and did not hesitate to exploit the pandemic in every way possible, including launching ransomware attacks on home office users and devices.

Ransomware-as-a-Service (RaaS)

The rise of the Ransomware-as-a-Service industry has made it possible for just about any bad actor to launch a successful ransomware attack. Just like users of Software-as-a-Service ( SaaS ) don’t need special skills to use these applications, cybercriminals can launch ransomware attacks even without any skills or experience.

The way RaaS works is that a skilled ransomware developer will create ransomware code that is likely to succeed, as well as documentation on how to use it. Then the developer sells a subscription, and/or makes a deal for a percentage of the profits. The up-front cost for the purchaser is minimal.

This means nearly anybody, regardless of whether they have money or skills, can launch a ransomware attack. RaaS has proven to be extremely popular, enabling more criminals to launch more attacks more quickly, and it will not slow down.

Ransomware Damage

Advanced attacks take only seconds to compromise endpoints and cause damage to systems and network infrastructure. As attacks grow in sophistication, so do the consequences. Impacts go beyond just financial losses and loss of productivity that occur when systems go down.

A new trend in ransomware being perpetuated by bad actors is not just holding data for ransom, but posting encrypted versions of data online. A threat is given indicating that if the ransom is not paid, all of this data will be released to the public or sold. As a result, there are now organizations on the Dark Net that exist mainly to negotiate ransoms. Paying a negotiated ransom may sound like a good solution, but there are negative long-term effects, including the normalization of criminal behavior.

In addition, paying a ransom does not guarantee that the company’s data will not be sold or leaked. In some cases, the information that organizations paid to get back had already been exposed, potentially causing additional long-term problems.

How Ransomware Is Distributed

Phishing. Most ransomware depends on one person clicking on one thing they shouldn’t. Phishing email campaigns are the primary way ransomware is delivered. They trick the victim into opening an attachment that contains malware or clicking on a malicious URL that triggers a ransomware download.

Remote Desktop Protocol (RDP). Another common distribution method is through RDP, a communications protocol intended for IT administrators to access systems for updates and fixes. If RDP exposes a port, cybercriminals can use a port scanner to find systems and uncover administrator login credentials.

Drive-by downloads. Legitimate websites can also be hijacked by bad actors and used to deliver malware. Ransomware can be embedded in the back end of the website, or it can redirect visitors to a fake website they set up.

USB drives/removable media. Removable media can be an easy-to-access vessel for ransomware. Bad actors just put malicious software onto the devices and wait for them to be plugged in. From there, the ransomware can infect the endpoint device or the entire organization, if the endpoint is connected to a network.

Key Steps to Safeguard Against Ransomware

There is a lot an organization can do to implement a strong ransomware mitigation strategy. Some key steps include:

  • Continuously providing employees with updates on new social engineering attack methodologies so they know how to recognize a threat
  • Establishing a zero-trust access ( ZTA ) strategy that includes segmentation
  • Regularly backing up data, storing it offline
  • Encrypting all data inside the network to prevent exposure
  • Regularly practicing response strategies to ensure all responsible parties know what to do in case of an attack, thereby reducing downtime
  • Implementing a strong security posture that includes behavior-based endpoint security to automatically detect and defuse potential threats in real-time, even on already infected hosts
  • Getting serious about cybersecurity training and awareness for employees as well as family and students. The home is the new branch today and a vector into the core network

A Proactive Security Approach Can Stop Ransomware

Though ransomware is increasing in sophistication and volume, it is possible to avoid being a victim. Planning and preparation are required before an attack reaches the organization. With the right training, processes, and technology, damage can be prevented, even after an attack has been detected. Everyone should be cyber aware.

Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.