Understanding & Defending Against Ransomware Attacks

What is Ransomware and How Does It Work?

Ransomware is a type of malware (malicious software) that encrypts a victim’s files or locks their computer, effectively rendering them inaccessible to the user. The attacker then demands a ransom payment in exchange for restoring access to the files or device.

Ransomware can infect a computer system through a variety of methods, such as malicious email attachments, fake software updates, or drive-by downloads from compromised websites. Once the ransomware is executed on a victim’s device, it can begin to encrypt files or lock the device.

The Different Types of Ransomware

There are several different types of ransomware, each with its own characteristics and methods of operation. Some of the most common examples include:

Encrypting Ransomware

This type of ransomware encrypts the victim’s files or data, making them inaccessible without a decryption key.

Locker Ransomware

This type of ransomware locks the victim’s computer or device, preventing them from accessing their files or using their device.

Scareware

This type of ransomware displays fake warnings or pop-ups on the victim’s device, claiming that their computer is infected with a virus or other malware. The victim is then prompted to pay for fake anti-virus software to remove the supposed threat.

Doxware

Also known as leakware or extortionware, this type of ransomware threatens to publish or leak the victim’s sensitive information, such as personal files or confidential data, unless the ransom is paid.

Mobile Ransomware

This type of ransomware targets mobile devices, such as smartphones or tablets, and can lock the device or encrypt its data.

RaaS (Ransomware-as-a-Service)

RaaS is distributed through a network of affiliates, who use pre-packaged ransomware kits to launch attacks in exchange for a percentage of the ransom payments.

Common Threat Vectors for Ransomware Infection

Some common sources that can often lead to a ransomware attack include:

  • Internet-Facing Vulnerabilities and Misconfigurations
  • Phishing
  • Precursor Malware Infection
  • Third Parties and Managed Service Providers

Ch4tter Report

400% increase in ransomware attacks involving compromised SAP systems & data*

*Between 2021 and 2023

Industries Most Targeted by Ransomware

A recent study of 500 cybersecurity professionals investigated how enterprises experience and manage ransomware attacks. The research found that ransomware is an all-too-common occurrence across a vast array of industries, with threat actors seeking to profit wherever they can. However, the following industries are increasingly targeted by ransomware attacks:

Manufacturing

  • 39% of manufacturers experienced a breach in the last 12 months (1)
  • $4.5M average cost of a data breach for the manufacturing industry (2)
  • 34% of manufacturers say theft of intellectual property is their top cyber threat (1)

1 Cyber Risk in Advanced Manufacturing, Deloitte
2 Cost of a Data Breach Report 2022, IBM Security

A successful attack on a manufacturing organization could interfere with business continuity and product safety, delay digital transformation projects, or put company intellectual property (IP) at risk. With the number of cyber attacks targeting manufacturers growing aggressively, organizations are challenged to protect their critical systems.

Utilities

  • $4.7M average cost of an energy industry breach (1)
  • 94% of energy industry breaches impacted personal data (2)
  • 25% of energy industry data breaches caused by ransomware (3)

1 IBM Security Cost of a Data Breach Report 2022
2 Verizon 2021 Data Breach Investigations Report
3 IBM Security Cost of a Data Breach Report 2022

Energy and utility companies are facing increased risk, and the impact of a successful cyber attack could be devastating. Whether the impact falls on production and supply chains or on customer portals, downtime is not an option, which makes these companies valuable targets for cyber criminals.

Cyberattacks are growing in number against utility companies, targeting the systems that support critical operations such as:

  • Energy assets
  • Metering
  • Field service
  • Customer service

Outages created by these attacks can have real human costs for those who rely on power or water. Under the growing threat of targeted cyber attacks, energy and water utility companies are challenged to protect their critical systems while modernizing them to take advantage of clean energy technologies and to improve access for their customers and workforce, all under government oversight.

Chemicals

  • $4.7M average cost of a data breach for the chemical industry (1)
  • 25% of chemical industry data breaches caused by ransomware (2)
  • 74% of breaches involved privileged account access (3)

1 IBM Security Cost of a Data Breach Report 2022
2 IBM Security Cost of a Data Breach Report 2023
3 Centrify

Cyberattacks targeting the systems that support critical operations such as R&D, financials, and manufacturing are growing in number and severity. With the primary goal being industrial espionage, these attacks create business disruptions that potentially cripple operations. Due to this, most nations have designated the chemicals industry to be critical infrastructure. The chemical industry is challenged to protect these critical systems and ensure the quality and delivery of their products in the face of regulatory oversight and complex compliance audits.

Signs of a Ransomware Attack and How You Can Detect It

Some common signs that may indicate a ransomware attack include:
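One frequently cited sign of an encrypting ransomware attack is a burst of files on a share being rewritten as high-entropy, ciphertext-like content. The following Python example is added here and is not part of the original page: it compares two constructed snapshots of a share and flags that pattern; the entropy threshold, the alert share and the file names are assumed values chosen for the illustration.

```python
import math
import random
from collections import Counter

# Assumed tuning values for this example: entropy (bits per byte) above which content
# looks like ciphertext, and the share of changed files that must cross it to alert.
HIGH_ENTROPY_BITS = 7.5
ENCRYPTED_SHARE_THRESHOLD = 0.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= HIGH_ENTROPY_BITS


def assess_snapshot_change(before: dict, after: dict) -> dict:
    """Compare two {path: bytes} snapshots of a share taken a short interval apart.
    Only files that went from readable to high-entropy content count as suspicious, so
    archives and already-encrypted files (high-entropy in both) do not trigger alone."""
    changed = [p for p in before if p in after and before[p] != after[p]]
    suspicious = [p for p in changed
                  if not looks_encrypted(before[p]) and looks_encrypted(after[p])]
    share = len(suspicious) / len(changed) if changed else 0.0
    return {"changed": len(changed), "suspicious": suspicious,
            "alert": share >= ENCRYPTED_SHARE_THRESHOLD}


def build_constructed_snapshots():
    """Constructed sample data, not real telemetry: two documents are rewritten as
    deterministic random bytes standing in for ciphertext, a third gets a normal edit."""
    rng = random.Random(42)
    before = {
        "share/report.txt": b"Quarterly production report. " * 100,
        "share/recipe.csv": b"batch,temp,pressure\n1,220,3.5\n" * 100,
        "share/notes.txt": b"Meeting notes: review backups monthly.\n" * 50,
    }
    after = dict(before)
    after["share/report.txt"] = rng.randbytes(len(before["share/report.txt"]))
    after["share/recipe.csv"] = rng.randbytes(len(before["share/recipe.csv"]))
    after["share/notes.txt"] = before["share/notes.txt"] + b"Action: test a restore.\n"
    return before, after
```

Calling `assess_snapshot_change(*build_constructed_snapshots())` reports two of three changed files as suspicious and raises the alert; in practice the same comparison would run over periodic snapshots or file-change events from a monitored share.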

Best Practices for Protecting Against Ransomware Attacks

Regularly Backup Your Data

Back up your important data regularly, preferably on a separate device or in the cloud. This will allow you to restore your data in the event of a ransomware attack without paying the ransom.

Keep Your Software Up-To-Date

Keep your operating system, software, and applications up-to-date with the latest security patches and updates. Vulnerabilities in outdated software can be exploited by attackers to launch ransomware attacks.

Educate Employees

Educate employees about the risks of ransomware attacks and provide training on how to identify and avoid phishing emails and other common attack vectors.

Implement Access Controls

Implement access controls to limit access to sensitive data and resources, and consider using multi-factor authentication to add an extra layer of security.

Protecting Business Critical Applications Against Ransomware

Onapsis protects the application layer with the Onapsis Platform and serves as an essential part of our clients’ plans to protect their SAP and Oracle applications from ransomware:

  • Onapsis provides automatic visibility into critical vulnerabilities, missing patches and security updates, and misconfigurations, identifying all open doors, which is a crucial component of ransomware prevention. Once all possible entry points are identified, they can be closed or addressed, which reduces an organization’s attack surface.
  • Through continuous monitoring and real-time alerts, Onapsis helps monitor real-time attempts to access critical SAP and Oracle systems.
  • With code analysis prior to moving into production, and in transport, Onapsis can help identify malware or new vulnerabilities before they are released to the public. Code vulnerabilities may appear to be low risk, but we have seen examples like SolarWinds where a small risk can turn into a large security incident. Onapsis generally sees one critical vulnerability per 1,000 lines of code, but our clients generally have millions of lines of custom code. It’s important to close those open doors to prevent any access to business-critical systems.

Developing a Ransomware Incident Response Plan

Protecting against and preparing for ransomware can be challenging, but the most important best practice is to be prepared and have a plan. According to SANS, there are six steps to properly handling a security incident: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

  • Preparation: Preparing for a security or ransomware incident begins with research of existing processes, who within the organization should have access to information, and who needs to be involved should an incident occur.
  • Identification: Identifying your most valuable data, where it is located, and how you will operate should this data be inaccessible is the next step.
  • Containment: Developing a plan for how you will contain a given security incident or ransomware attack is the next critical step.
  • Eradication: Planning for how your team will eradicate ransomware is another vital step in your incident response plan.
  • Recovery: If any sensitive or proprietary data was lost or encrypted, this step aims to recover that data and ensure it is no longer in the wrong hands.
  • Lessons Learned: What part of this response plan worked? What didn’t? This is the time to truly evaluate the effectiveness of your response plan and communication.

Annual Tabletop Exercises

CISA Tabletop Exercise Packages (CTEPs), for example, can be a starting point or foundation for your organization’s preparedness. Simulated ransomware attacks enable an organization to identify gaps in its incident response plans. This helps not only the IT and security teams feel prepared, but also the board and other stakeholders. Practice and preparedness help teams respond in a measured rather than chaotic way in the event of an incident.

Steps Your Organization Can Take in 2025 to be More Prepared for Ransomware

01. Review your incident response plans (or start developing one) and continuously evaluate whether it is sufficient should a security event arise.

02. Conduct tabletop exercises with stakeholders in your organization at least once a year.

03. Patch known & exploited vulnerabilities and address misconfigurations.

04. Establish visibility for your organization’s full attack surface and anticipate how threat actors may seek to take advantage of any weaknesses.

Steps Your Company Can Take in 2025 to Recover from A Ransomware Attack

In the event your company has already fallen victim to a ransomware attack, CISA guidance recommends the following high-level steps to begin to recover:

01. Isolate Infected Systems: Immediately isolate infected systems from the network to prevent the ransomware from spreading to other devices.

02. Assess the Damage: Assess the extent of the attack and determine which systems and data have been affected. Conduct a thorough investigation to identify the source and scope of the attack.

03. Restore Data from Backups: Restore your data from backups, if available. Ensure that the backups are clean and do not contain any malware.

04. Implement Additional Security Measures: Implement additional security measures to prevent future attacks. This may include updating software, implementing access controls, and training employees on cybersecurity best practices.

05. Conduct a Post-Incident Review: Conduct a post-incident review to evaluate the effectiveness of your response and identify areas for improvement. Use this review to update your incident response plan and improve your security posture.

Recent Ransomware Attacks in the News

News

A large water provider in the United Kingdom recently shared that the ransomware attack they suffered in February 2024 cost them $5.7M.

Blog

Stoli Group USA (“Stoli”) filed for Chapter 11 bankruptcy in November 2024, citing a ransomware attack as a contributing factor to their filing.

Press Release

A study of 500 cybersecurity professionals showed 46% of enterprises experience four or more ransomware attacks in a single year.

Threat Research

Data from Flashpoint & Onapsis Research Labs showed an increase in ransomware attacks specifically targeting SAP in this research report.

News

MOVEit Hackers Pivot to SysAid Zero-Day in Ransomware Attacks

News

The U.S. Marshals Department suffered a ransomware attack, which reportedly resulted in a loss of critical data on a standalone computer system.

News

The city of Tulsa, Oklahoma, was hit by a ransomware attack that resulted in the city’s email system being shut down for several days, causing disruption to city services.

News

The ransomware group Conti claimed responsibility for a cyber attack on the Irish health service, resulting in the disruption of healthcare services across the country.

News

The Japanese multinational company Toshiba reported that it had been hit by a ransomware attack that resulted in the theft of sensitive corporate data.

News

The ransomware group REvil demanded a $70 million ransom from the U.S. food processing company JBS after they were hit by a cyber attack that disrupted the company’s operations.

Further Reading

Want a more in-depth exploration? Start with these related pieces, then visit our Resources page for more.

Find out how ransomware attacks are affecting enterprises. Learn valuable insights and discover how to protect your ERP applications.

Ready to eliminate your SAP cyber security blindspot?

Let us show you how simple it can be to protect your business applications.