How ransomware spreads and what you can do about it

Ransomware has become big business with average payouts nearly doubling to £1.2 million over the last 12 months. Equally concerning, 67% of attacks have been attributed to Ransomware-as-a-Service (RaaS) tools readily available to buy on the dark web. Sometimes, organised gangs collude and split profits between them. Creative CTO, Rob Smith, examines the latest threat vectors and defence practices.

How ransomware works

Ransomware infection often relies on social engineering and typically starts with malware delivered through a phishing attack. It freezes a system and prevents users from accessing their data, usually through encryption that cannot be reversed without the attacker's key. The idea is to hold the asset(s) hostage and only decrypt them upon payment. Cryptocurrencies, like Bitcoin, have accelerated the threat because they are easy to pay with and often hard to trace.


How quickly ransomware spreads

In 2022 the Costa Rican government was hit by ransomware gang Conti. The attack first targeted the financial sector — affecting government and private financial services — before spreading to the country’s healthcare network. The gang demanded $20 million. This shows the real-world ramifications of a breach and why ransoms get paid quickly.

One critical metric to measure is dwell time (how long a ransomware breach goes undetected). Typically, the longer it is, the larger the financial loss. The average cost of an attack that’s detected within 30 days stands at around £5.7 million. That figure rises steeply to £10.9 million after 90 days.

To truly mitigate damage, dwell time needs to be measured in minutes rather than days. Yet, while organisations understand this, many lack the specialist knowledge and resources required to quickly spot and contain threats as they unfold. Attacks can then proliferate rapidly through lateral movement and the exploitation of unsecured access points.


How ransomware affects your computer

Hackers can steal valuable data for their own use or threaten to release it. Ransomware attacks can take several forms, such as:

  1. Crypto: The most common kind, where the data or system is encrypted by bad actors and can only be recovered with a decryption key that they hold.
  2. Locker: When users are completely locked out of a system. Often, a lock screen will appear with details about the ransom demand.
  3. Scareware: Fake software tricks users into initiating the attack by indicating that a virus has been detected and prompting further actions.


Double and triple extortions have also been known. The first is where the attacker exfiltrates the data before the ransom is paid, and then threatens to release it. The second is where the attacker seeks multiple payouts, often contacting individuals affected by the data release and extorting them as well.


What to do if struck by ransomware

Ransomware attacks often target the healthcare and government sectors, but equally can strike other similar organisations that can’t afford downtime. With everything factored in – ransom payments, digital forensics, crisis response, legal advice, and other expenses – total costs could be upwards of seven figures.

However, there’s no guarantee that paying the ransom will stop the attack. A more effective approach is to work with qualified incident response teams and let those experts manage remediation and restoration. It’s also advisable to immediately contact them and your cyber insurance provider (if you have one).


Security Operations Centre as a Service (SOCaaS)

If the worst occurs and ransomware enters a system, strong access controls can stop it in its tracks. To quickly acquire (rather than build internally) these robust defence capabilities, organisations are increasingly turning to Security Operations Centre-as-a-Service.


Combining the latest cloud technologies and human expertise, SOCaaS solutions ensure rapid, real-time threat response, while continuously applying learning to strengthen cyber postures and resilience.


Ransomware defence with Creative ITC

Powered by Arctic Wolf’s cloud-native platform, which processes over 200 billion events daily, Creative SOCaaS offers 24×7 monitoring of networks, endpoints, and cloud environments. If there is a breach, the Creative Triage team helps identify and remediate ransomware quickly and effectively. Delivered 24×7×365, Creative experts will also assess the strategic implications of an attack and identify areas to strengthen security policies and harden defences.

Released from the cost of employing highly skilled cybersecurity staff, Creative clients benefit from around-the-clock monitoring and proactive threat hunting – ensuring faster detection, response, and recovery from ransomware attacks.