
How Does Ransomware Work?


How Ransomware Works

Just how does ransomware work? Ransomware is a type of malicious software program used by criminals and hostile nation-states to infect the computer systems of a victim, and hold their data for ransom. Ransomware has evolved considerably over the past few decades, taking advantage of multiple routes to achieve infection, as well as novel extortion techniques. This is a quick overview of how ransomware works.

Classic Ransomware ...

... which is still the most common, encrypts all files on a target computer. Victims are then presented with a message informing them that their data is now inaccessible, and a ransom is demanded to unlock the encrypted files. Today, this “locker” type of ransomware is most commonly deployed as part of a mass campaign aiming to compromise as many victims as possible.

The extortion ... 

... associated with ransomware, however, sometimes gets more creative. In addition to locking the data so that it’s unusable by the victim, it’s increasingly common for threat actors to exfiltrate victim data by uploading it to servers controlled by the threat actor. Once this is accomplished, threat actors can threaten to leak any data publicly, or to law enforcement agencies. They can also threaten to sell the data to third parties.

The latter approaches to data extortion ...

... today are most commonly used by threat actors who either specialize in specific industries, or who individually target their victims. Uploading data to a threat actor’s server is time-consuming, making it impractical to upload all of a victim’s data before the compromise is discovered. Because of the time it takes to upload data, making use of data extortion techniques beyond simply locking files either requires long-term undetected access to a network, or knowing where the important information is to allow for a targeted attack.

Once data has been encrypted ...

... and/or exfiltrated, victims are presented with a demand for payment, typically in cryptocurrency, in order to recover their data, and/or prevent the data from being leaked and/or sold. Some ransomware threat actors will, upon receipt of payment, unlock a victim’s data. Some will not. Many threat actors will still leak and/or sell data, even after receiving payment.

Ransomware threat actors are recognized ...

... by information security professionals in some cases—especially instances of targeted attacks. Security consultancies exist that specialize in negotiating with threat actors to increase the odds of a positive outcome, but this isn’t possible in all cases.

The cybercrime ecosystem ...

... is large, diverse, and increasingly specialized. Ransomware as a Service (RaaS) exists today, allowing inexperienced threat actors to purchase and deploy malicious software against large numbers of victims. RaaS is most frequently used as part of a mass campaign, and the diversity of threat actors operating in this space means that the outcome of paying the ransom can vary dramatically.

How Ransomware Starts

There is no single way a ransomware attack happens, but every ransomware attack begins with an initial point of compromise. The initial point of compromise can be anything from a publicly accessible computer system with a vulnerability to an end user’s computer compromised via a malicious email. Once an attacker has achieved an initial point of compromise, they’ll scan the victim’s network for other systems that could be attacked, and then spread laterally throughout the network.
Phishing emails are by far the most common vector of initial compromise. These emails can involve anything from malicious attachments to carefully designed emails that direct users to a seemingly legitimate webpage, designed to get them to enter their username and password.
When phishing emails aren’t the initial point of compromise, the culprit is usually an unpatched computer system exposing an IT service (such as VPN, remote desktop, or web server) to the Internet.
Ransomware doesn’t necessarily begin immediately after a system has been compromised. In many cases, individual computer systems or networks are compromised by cybercriminals who specialize in obtaining an initial point of compromise. Access to those networks is then sold as part of RaaS. In other circumstances, threat actors wait until a system is idle before beginning encryption, increasing the chances that the compromise will go undetected.

The Anatomy of a Modern Ransomware Attack

Once a ransomware attack has begun in earnest, the malicious software deployed by the threat actor begins encrypting the victim’s data.
Different ransomware families encrypt data at different speeds, and with differing levels of efficacy. As a result, there are multiple possible outcomes. Thus, the details of a ransomware attack are important to note.
There are many information security technologies in use today that can detect when malicious software has begun to encrypt data. This can either trigger an alert for an organization’s IT team, or it can trigger automated remediation.
Not all ransomware will be detected by ransomware monitoring software, nor are mitigation technologies universally successful, making proper backups and disaster recovery (DR) plans vital to all organizations, regardless of size.
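As an added illustration of the detection technologies mentioned above (this is not code from this page or from any vendor product), here is a simplified behavioural detector: it flags a burst of distinct files being rewritten with near-random, high-entropy content, which is what a locker replacing documents with ciphertext looks like on disk. The thresholds and the replayed write log are assumed and constructed values.

```python
import hashlib
import math
from collections import Counter, deque

# Tunables are assumed values, not taken from any product. Ciphertext has close to
# 8 bits of entropy per byte, so a rewrite scoring above the threshold is suspicious.
ENTROPY_THRESHOLD = 7.5
BURST_WINDOW_SECONDS = 10.0
BURST_FILE_COUNT = 5

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 at maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class EncryptionBurstDetector:
    """Fires when at least `min_files` distinct files are rewritten with high-entropy
    content inside a sliding window of `window` seconds."""
    def __init__(self, threshold=ENTROPY_THRESHOLD, window=BURST_WINDOW_SECONDS,
                 min_files=BURST_FILE_COUNT):
        self.threshold, self.window, self.min_files = threshold, window, min_files
        self.recent = deque()  # (timestamp, path) of recent high-entropy writes

    def observe_write(self, timestamp: float, path: str, content: bytes) -> bool:
        """Feed one file-write event; True if this write completes a burst."""
        if shannon_entropy(content) < self.threshold:
            return False  # ordinary documents and source code never enter the window
        self.recent.append((timestamp, path))
        while self.recent and timestamp - self.recent[0][0] > self.window:
            self.recent.popleft()  # expire writes that fell out of the window
        return len({p for _, p in self.recent}) >= self.min_files

def pseudo_ciphertext(seed: int) -> bytes:
    """Deterministic 4 KiB stand-in for an encrypted file body (constructed, not real)."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(128))

# Constructed write log: three ordinary document saves spread over minutes, then a
# rapid run of rewrites in which documents are replaced by ciphertext-like content.
SAMPLE_WRITES = [(t, f"/docs/report{i}.docx", b"Quarterly figures follow.\n" * 40)
                 for i, t in enumerate([0.0, 30.0, 95.0])]
SAMPLE_WRITES += [(120.0 + 0.2 * i, f"/docs/report{i}.docx", pseudo_ciphertext(i))
                  for i in range(8)]

def replay(writes, detector=None):
    """Return the timestamps at which the detector fired while replaying `writes`."""
    detector = detector or EncryptionBurstDetector()
    return [t for t, path, body in writes if detector.observe_write(t, path, body)]
```

Real products combine signals like this with canary files and process lineage, and the entropy threshold alone will misfire on legitimately compressed or already-encrypted archives, so tune it per environment.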
Once a system’s data has been encrypted, the malicious software will inform the victim that their data is being held for ransom. This will typically occur in the form of a message displayed on the system’s screen, but in targeted attacks this may also involve an email or phone call to the victim.
Today’s ransomware threat actors almost universally demand payment in the form of cryptocurrency. Traditionally, payment demands have been for Bitcoin or Ethereum. The Monero cryptocurrency is increasingly common today, as Monero transactions are harder for law enforcement agencies to trace.
Once payment has been received by the threat actors, they may provide a decryption key and/or decryption tool to victims that allows them to unlock their data. In some circumstances, information security vendors have discovered and made available “master keys” that can decrypt all files compromised by specific ransomware families, but this is only true for a small fraction of known ransomware.