
Ransomware

Also known as: crypto-ransomware, file-encrypting malware, extortion malware

Malicious software that encrypts a victim organisation's files and demands a ransom payment (typically in cryptocurrency) in exchange for the decryption key needed to restore access.

In-Depth Explanation

Ransomware is malware that encrypts files on infected systems, rendering them inaccessible until a ransom is paid. Modern ransomware often combines encryption with data theft (double extortion), threatening to publish stolen data if the ransom is not paid. Most serious incidents today are human-operated: attackers spend days or weeks inside the network before encryption is triggered, and that dwell time is the window in which detection and containment can still prevent the damage.

Ransomware attack stages (the middle stages overlap and repeat rather than running strictly in sequence):

  1. Initial access: Phishing email, exploited vulnerability (commonly an internet-facing VPN or remote access service), or compromised credentials
  2. Privilege escalation: Gaining admin or domain-level access to maximise impact
  3. Lateral movement: Spreading across the network to access more systems
  4. Data exfiltration: Stealing sensitive data before encryption (double extortion)
  5. Disabling recovery: Stopping security tools, deleting volume shadow copies and encrypting or wiping any backups reachable with the stolen credentials
  6. Encryption: Encrypting files across all accessible systems, often at a scheduled time when staff are absent
  7. Ransom demand: Dropping ransom notes with payment instructions into affected directories
  8. Negotiation/payment: Attackers may negotiate the ransom amount
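Stages 5 to 7 leave distinctive traces in endpoint telemetry, and that is where "anti-ransomware capabilities" in an EDR product earn their keep. The following is an added example, not code from the original page or from Clever Ops: a small detector run over constructed endpoint events that flags backup-tampering commands, a burst of files renamed to one new extension within a short window, and the same ransom-note filename created in many directories. The event format (dicts with ts, host, type and type-specific fields) and the thresholds are assumptions chosen for illustration.

```python
"""Ransomware stage detection over constructed endpoint telemetry (added example)."""
import re
from collections import defaultdict, deque
from pathlib import PureWindowsPath

# Commands that destroy local recovery options; well-known pre-encryption indicators.
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]

RENAME_WINDOW_S = 60     # assumption: sliding window for the rename burst rule
RENAME_THRESHOLD = 20    # assumption: renames to the same new extension per window
NOTE_DIR_THRESHOLD = 5   # assumption: same note filename in this many directories
NOTE_NAME = re.compile(r"(readme|recover|restore|decrypt|how_to).*\.(txt|hta|html)$", re.I)


def detect(events):
    """Return alert dicts in event order. Events must be sorted by ts (epoch seconds)."""
    alerts = []
    renames = defaultdict(lambda: defaultdict(deque))  # host -> new ext -> timestamps
    notes = defaultdict(lambda: defaultdict(set))      # host -> note name -> directories
    fired = set()                                      # suppress repeat alerts per (host, key)

    for ev in events:
        host, ts = ev["host"], ev["ts"]
        if ev["type"] == "process":
            if any(p.search(ev["cmdline"]) for p in BACKUP_TAMPER_PATTERNS):
                alerts.append({"ts": ts, "host": host, "rule": "backup_tamper",
                               "detail": ev["cmdline"]})
        elif ev["type"] == "file_rename":
            old_ext = PureWindowsPath(ev["old"]).suffix.lower()
            new_ext = PureWindowsPath(ev["new"]).suffix.lower()
            if new_ext and new_ext != old_ext:
                q = renames[host][new_ext]
                q.append(ts)
                while q and ts - q[0] > RENAME_WINDOW_S:   # drop events outside the window
                    q.popleft()
                if len(q) >= RENAME_THRESHOLD and (host, new_ext) not in fired:
                    fired.add((host, new_ext))
                    alerts.append({"ts": ts, "host": host, "rule": "mass_rename",
                                   "detail": f"{len(q)} files -> {new_ext} in {RENAME_WINDOW_S}s"})
        elif ev["type"] == "file_create":
            p = PureWindowsPath(ev["path"])
            name = p.name.lower()
            if NOTE_NAME.search(name):
                dirs = notes[host][name]
                dirs.add(str(p.parent).lower())
                if len(dirs) >= NOTE_DIR_THRESHOLD and (host, name) not in fired:
                    fired.add((host, name))
                    alerts.append({"ts": ts, "host": host, "rule": "ransom_note",
                                   "detail": f"{p.name} in {len(dirs)} directories"})
    return alerts


def sample_events():
    """Constructed telemetry (not real data): shadow copy deletion, then encryption, then notes."""
    ev = [{"ts": 1000, "host": "WS-07", "type": "process",
           "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"}]
    for i in range(25):
        ev.append({"ts": 1010 + i, "host": "WS-07", "type": "file_rename",
                   "old": rf"C:\Users\jo\Documents\report{i}.docx",
                   "new": rf"C:\Users\jo\Documents\report{i}.docx.locked"})
    for i in range(6):
        ev.append({"ts": 1040 + i, "host": "WS-07", "type": "file_create",
                   "path": rf"C:\Users\jo\Documents\sub{i}\README_RESTORE_FILES.txt"})
    # Benign noise on another host: a single rename must not fire.
    ev.append({"ts": 1050, "host": "WS-08", "type": "file_rename",
               "old": r"C:\tmp\a.tmp", "new": r"C:\tmp\a.csv"})
    return sorted(ev, key=lambda e: e["ts"])


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(a["ts"], a["host"], a["rule"], a["detail"])
```

The backup-tamper rule fires on a single event because there is no legitimate reason for a workstation to delete all shadow copies, so it should be a high-severity, auto-isolate candidate; the rename and note rules are rate-based and are where tuning against real file-server telemetry is needed.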

Ransomware prevention:

  • Regular, tested backups following the 3-2-1-1-0 rule: 3 copies, on 2 different media, 1 copy offsite, 1 copy offline or immutable, and 0 errors on restore verification
  • Patch management (close known vulnerabilities)
  • Email security (block phishing and malicious attachments)
  • Endpoint protection with anti-ransomware capabilities
  • Network segmentation (limit spread)
  • Multi-factor authentication (prevent credential-based access)
  • Principle of least privilege (limit damage scope)
  • Security awareness training (prevent phishing success)
  • Immutable backups (copies that cannot be modified or deleted for a set retention period, even by an administrator account, so an attacker who has taken over the backup server cannot encrypt or wipe them)
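The "0 errors" part of the rule only means something if the verification can tell the difference between a backup and a backup the attacker has already touched, which is common when backup targets are reachable with domain credentials. This added example (not code from the original page or from any backup vendor) verifies a backup set against an HMAC-authenticated manifest: the manifest is checked first, so an attacker who rewrites both the files and the manifest is caught, and the verification key is assumed to live with the verifier and never on the backup target. The directory layout, key and sample files are constructed for illustration.

```python
"""Verify a backup set against an HMAC-protected manifest (added example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _mac(files: dict, key: bytes) -> str:
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(backup_root: Path, key: bytes) -> dict:
    """Hash every file under backup_root and authenticate the list with HMAC-SHA256."""
    files = {p.relative_to(backup_root).as_posix(): _sha256_file(p)
             for p in sorted(backup_root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": _mac(files, key)}


def verify_backup(backup_root: Path, manifest: dict, key: bytes) -> dict:
    """Return {'ok': bool, 'errors': [...]}. ok is True only with zero errors."""
    # Check the manifest before trusting anything it says.
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest["mac"]):
        return {"ok": False, "errors": ["manifest MAC mismatch: manifest itself was altered"]}
    errors = []
    for rel, digest in manifest["files"].items():
        p = backup_root / rel
        if not p.is_file():
            errors.append(f"missing: {rel}")
        elif _sha256_file(p) != digest:
            errors.append(f"modified: {rel}")       # encrypted in place, or corrupted
    on_disk = {p.relative_to(backup_root).as_posix()
               for p in backup_root.rglob("*") if p.is_file()}
    for extra in sorted(on_disk - manifest["files"].keys()):
        errors.append(f"unexpected: {extra}")       # e.g. a dropped ransom note
    return {"ok": not errors, "errors": errors}


def demo() -> tuple:
    """Constructed scenario: clean check, then encryption-in-place, then a forged manifest."""
    key = b"verifier-only-key-never-stored-on-backup-target"  # assumption
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "backup"
        (root / "finance").mkdir(parents=True)
        (root / "finance" / "ledger.csv").write_bytes(b"acct,amount\n1,100\n")
        (root / "hr.docx").write_bytes(b"PK\x03\x04 hr data")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Simulate ransomware with write access to the backup share.
        (root / "hr.docx").write_bytes(b"\x00encrypted")
        (root / "README_RESTORE.txt").write_bytes(b"pay us")
        tampered = verify_backup(root, manifest, key)

        # Attacker also rebuilds the manifest, but does not hold the verifier key.
        forged = build_manifest(root, b"wrong-key")
        forged_result = verify_backup(root, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Run the verifier from a host that is not domain-joined and holds the key locally; if the backup product already produces signed catalogues, the same principle applies, the point is that the integrity check must not depend on anything the attacker can rewrite.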

Ransomware response:

  • Do not pay the ransom (no guarantee of recovery or of stolen data being deleted, and payment funds further criminal activity); note that Australia's Cyber Security Act 2024 introduced a mandatory ransomware payment reporting obligation for in-scope businesses
  • Isolate affected systems immediately
  • Activate incident response plan
  • Report the incident to the ACSC (via ReportCyber) and to law enforcement (AFP)
  • Assess backup availability and integrity
  • Engage specialist incident response if needed
  • Determine notification obligations (Notifiable Data Breaches scheme under the Privacy Act 1988; in a double-extortion incident the exfiltrated data is likely to constitute an eligible data breach)

Australian ransomware landscape:

  • The ACSC's annual Cyber Threat Report describes ransomware as the most destructive cybercrime threat to Australia
  • Australian businesses paid an estimated $1.4 billion in ransomware in 2024
  • Critical infrastructure (healthcare, education, government) frequently targeted
  • Cyber Security Strategy 2023-2030 increasing focus on ransomware deterrence

Business Context

Ransomware attacks cost Australian businesses an average of $250,000-$1.5 million per incident including downtime, recovery, and reputation damage, with recovery taking an average of 23 days.

How Clever Ops Uses This

Clever Ops implements ransomware prevention and resilience for Australian businesses through multi-layered defences. We configure immutable backups, endpoint protection with anti-ransomware capabilities, network segmentation, and email security. Our approach ensures businesses can recover quickly without paying ransoms.

Example Use Case

"An Australian manufacturing company is hit by ransomware that encrypts their production systems. Because they implemented immutable cloud backups, network segmentation, and a tested incident response plan, they restore operations within 8 hours without paying the $500,000 ransom demand."


Category

cybersecurity

Need Expert Help?

Understanding is the first step. Let our experts help you implement AI solutions for your business.
