April 21, 2020
Ransomware attacks are becoming more and more common. But do you know what ransomware is? Ransomware is a type of malware that infects your system, encrypts your data, and holds your files until you pay a ransom for their release.
This article is part of our Definitive Guide to Ransomware series:
- The Definitive Guide to Ransomware
- What is Ransomware?
- How Does Ransomware Spread?
- How to Report Ransomware
- Recent Ransomware Attacks and Examples
- How to Prevent and Prepare for Ransomware Attacks
- Should You Pay the Ransomware Demand
- What You Need to Know About Ransomware Insurance
- Ransomware Removal
- Common Ransomware Attacks
Ransomware can be disguised in a few different ways:
Lockers Locker ransomware completely locks you out of your system or device. You can’t access any of your files. The malware will present a message demanding a ransom if you want to regain access to your device and files. This type of ransomware is common for Android devices.
Scareware Scareware poses as fake antivirus software. It pretends to scan your system, find a virus, and then presents an alert that suggests it can fix your problem if you pay a fee. Because scareware can also lock you out of your device or simply bombard you with messages about the fake virus, it can be hard to ignore. The perpetrators often include a purchased password (usually older) that corresponds to the email address as proof that they have access. They will also only give you a short amount of time to respond–hoping you will panic.
Crypto Malware Crypto malware does what most people think when they hear ransomware–it encrypts your files and holds them for a ransom. Crypto malware can infect your harddrive, files, folders of information, or your entire network. Oftentimes, crypto malware can target a specific operating system and usually demands cryptocurrency for the ransom.
Doxware Unlike crypto malware, which often promises the release of your files to you if you pay a ransom, doxware threatens to release your data to everyone online if you don’t comply with the ransom demand. Personal information or more sensitive data are at higher risk for doxware and people are often more motivated to pay.
Ransomware as a Service (RaaS) Ransomware as a Service is growing in popularity in the cyber crime world–hackers are hired to distribute malware, negotiate or collect ransoms, and deliver decryptor passcodes. The hired contractors take their cut of the ransom as a commission fee.
How do you get ransomware?
There are two common methods for delivering and executing ransomware on your system. Cyber criminals will send phishing emails to specific employees or your organization as a whole or try to exploit vulnerable web servers to gain access to your network.
In the case of phishing emails, malicious attachments or links to fake websites that house the malware are embedded within the email. The emails are made to look real and can be hard to identify as fake. This is why it’s important to keep your IT training up-to-date and require all employees to understand how to spot a phishing email. Many IT teams also deploy test phishing emails to see how their organization will react. This can identify who needs more training within the safety of a test, before an actual phishing email gets through to the organization.
It’s important to note that while ransomware may be consistently trying to get into your network, it can’t deploy it’s software unless someone executes it. The act of clicking on the link in the phishing email or downloading the malicious attachment executes the ransomware. Once the ransomware is executed, it can spread throughout your system, identify specific files to encrypt, and start the process of holding data for ransom.
The second most common method for delivering ransomware to your system is through vulnerable web servers. Hackers can gain access to your network if passwords are weak, two-step verification isn’t enabled, or your network has a weak entrypoint. The cyber criminals are well skilled and ready to take advantage of security holes.
You can learn more about specific examples of ransomware in our post on that subject.
How does ransomware work?
Ransomware typically works in similar patterns, no matter how it’s executed on your system. The most common steps for ransomware are:
1. Compromised System Your system is compromised because an employee clicks on a link in a phishing email or your network security isn’t robust enough. The ransomware is able to enter your system and activate.
2. Encrypt Data and/or Deny Access The ransomware deploys and either finds data to encrypt or denies access to whatever system it’s holding for ransom. It’s possible that the time between steps one and two won’t be short. In some cases, ransomware can live on a system for years and wait for the right moment to activate.
3. Demand Ransom A demand for ransom will show up in the form of a message, sometimes disguised as an official letter (in the case of lockers or scareware), and outline the timeline and payment details. Most ransomware attacks demand cryptocurrency for payment.
4. Pay Ransom (or not) If you decide to pay the ransom, this is the next step. While most experts discourage paying the ransom, many businesses do get the decryption code(s) to restore access to their system or files. If negotiating is part of the ransom payment, it’s important to consult a professional. Many ransomware attacks present a countdown, increasing the ransom price the longer it takes to be paid.
5. Data is Restored In most scenarios, after the ransom is paid, the cyber criminals restore your access to the encrypted files or information. At this point, it’s critical that you remove the ransomware and any other malware from your system and you update your security plan to prevent further attacks. Many experts believe that paying the ransom makes you a target for future attacks. You will need to weigh the cost/benefit analysis for your organization.
Assess your cyber risk for ransomware–take our 3-question quiz.
Written by: [Jack Vines]