... which is still the most common, encrypts all files on a target computer. Victims are then presented with a message informing them that their data is now inaccessible, and a ransom is demanded to unlock the encrypted files. Today, this “locker” type of ransomware is most commonly deployed as part of a mass campaign aiming to compromise as many victims as possible.
... associated with ransomware, however, sometimes gets more creative. In addition to locking the data so that it’s unusable by the victim, it’s increasingly common for threat actors to exfiltrate victim data by uploading it to servers controlled by the threat actor. Once this is accomplished, threat actors can threaten to leak any data publicly, or to law enforcement agencies. They can also threaten to sell the data to third parties.
... today are most commonly used by threat actors who either specialize in specific industries, or who individually target their victims. Uploading data to a threat actor’s server is time-consuming, making it impractical to upload all of a victim’s data before the compromise is discovered. Because of the time it takes to upload data, making use of data extortion techniques beyond simply locking files either requires long-term undetected access to a network, or knowing where the important information is to allow for a targeted attack.
... and/or exfiltrated, victims are presented with a demand for payment, typically in cryptocurrency, in order to recover their data, and/or prevent the data from being leaked and/or sold. Some ransomware threat actors will, upon receipt of payment, unlock a victim’s data. Some will not. Many threat actors will still leak and/or sell data, even after receiving payment.
... by information security professionals in some cases—especially instances of targeted attacks. Security consultancies exist that specialize in negotiating with threat actors to increase the odds of a positive outcome, but this isn’t possible in all cases.
... is large, diverse, and increasingly specialized. Ransomware as a Service (RaaS) exists today, allowing inexperienced threat actors to purchase and deploy malicious software against large numbers of victims. RaaS is most frequently used as part of a mass campaign, and the diversity of threat actors operating in this space means that the outcome of paying the ransom can vary dramatically.
Different ransomware families encrypt data at different speeds, and with differing levels of efficacy. As a result, there are multiple possible outcomes. Thus, the details of a ransomware attack are important to note.
There are many information security technologies in use today that can detect when malicious software has begun to encrypt data. This can either trigger an alert for an organization’s IT team, or it can trigger automated remediation.
Not all ransomware will be detected by ransomware monitoring software, nor are mitigation technologies universally successful, making proper backups and disaster recovery (DR) plans vital to all organizations, regardless of size.
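As an added illustration of the kind of behavioural monitoring described above (example code written for this page, not a product's detection logic), the following simplified detector flags a process that rewrites several distinct files with ciphertext-like, high-entropy content inside a short time window. The process names, paths and thresholds are constructed sample values.

```python
import math
import random
from collections import defaultdict

# Tunables (constructed for this example): typical documents sit well below
# 7.5 bits/byte, whereas encrypted output approaches the 8.0 maximum.
ENTROPY_THRESHOLD = 7.5
BURST_FILES = 5        # distinct files rewritten with high entropy ...
WINDOW_SECONDS = 10.0  # ... within this many seconds by one process


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_encryption_bursts(events, threshold=ENTROPY_THRESHOLD,
                             burst=BURST_FILES, window=WINDOW_SECONDS):
    """events: iterable of (timestamp, process, path, bytes_written).
    Returns the set of processes showing a mass high-entropy rewrite burst.
    Caveat: archives and already-encrypted files are also high-entropy, so a
    real deployment would allow-list such file types to limit false positives."""
    high_entropy_writes = defaultdict(list)
    for ts, proc, path, data in events:
        if shannon_entropy(data) >= threshold:
            high_entropy_writes[proc].append((ts, path))
    flagged = set()
    for proc, hits in high_entropy_writes.items():
        hits.sort()
        for i in range(len(hits)):          # sliding window over the hits
            paths = {p for t, p in hits[i:] if t - hits[i][0] <= window}
            if len(paths) >= burst:
                flagged.add(proc)
                break
    return flagged


# Constructed sample telemetry: a word processor saving ordinary text, then an
# unknown process rewriting many files with random (ciphertext-like) bytes.
_rng = random.Random(42)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(2048))
PLAINTEXT_LIKE = b"Quarterly report: revenue grew 4% year over year. " * 40
SAMPLE_EVENTS = (
    [(t, "winword.exe", f"/share/docs/report{t}.docx", PLAINTEXT_LIKE)
     for t in range(0, 12, 2)]
    + [(100 + t * 0.5, "unknown.exe", f"/share/docs/report{t}.docx.locked",
        CIPHERTEXT_LIKE) for t in range(6)]
)

if __name__ == "__main__":
    print("suspicious processes:", detect_encryption_bursts(SAMPLE_EVENTS))
```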
Once a system’s data has been encrypted, the malicious software will inform the victim that their data is being held for ransom. This will typically occur in the form of a message displayed on the system’s screen, but in targeted attacks this may also involve an email or phone call to the victim.
Today’s ransomware threat actors almost universally demand payment in the form of cryptocurrency. Traditionally, payment demands have been for Bitcoin or Ethereum. The Monero cryptocurrency is increasingly common today, as Monero transactions are harder for law enforcement agencies to trace.
Once payment has been received by the threat actors, they may provide a decryption key and/or decryption tool to victims that allows them to unlock their data. In some circumstances, information security vendors have discovered and made available “master keys” that can decrypt all files compromised by specific ransomware families, but this is only true for a small fraction of known ransomware.