30 September 21, 11:30
Quote:
Every day, cybersecurity specialists detect over 200,000 new ransomware strains. This means that each minute brings no less than 140 strains capable of avoiding detection and inflicting irreparable damage. But what is ransomware in the end? Briefly, ransomware is one of the most common and most dangerous cyber threats of today, with damaging consequences for individuals and businesses alike.
In this article, I will explain what ransomware is, how it works, its top targets, how to prevent it, and what to do if attacked. In addition, recent statistics and ransomware examples will show you real facts, so that you understand that ransomware really happens, and how!
What Is Ransomware?
Ransomware is a sophisticated piece of malware (malicious software) that encrypts all the data on a victim’s PC or mobile device, blocking the data owner’s access to it. After the infection happens, the victims receive a message telling them that a certain amount of money must be paid (usually in Bitcoins) in order to get the decryption key. Normally, there is also a time limit for the payment to be completed, otherwise, the files could be lost forever. It should be noted that there is no guarantee that even if the victim pays the ransom, he/she will receive the decryption key.
How Does Ransomware Work?
Each ransomware strain has different behavior. There are two types of ransomware: locker ransomware and encrypting ransomware. The first locks the victim out of the operating system, making it impossible to access the desktop and any apps or files; the latter, which is the most common, incorporates advanced encryption algorithms and is designed to block system files.
However, the result is always the same: locking files or systems and demanding a ransom for their recovery. Here are the common steps in how ransomware works:
1. Ransomware Delivery and Deployment
Cybercriminals simply look for the easiest way to infect a system or network and use that backdoor to spread the malicious content. Nevertheless, these are the most common infection methods used by cybercriminals:
2. Lateral Movement
After the initial access, ransomware spreads via lateral movement tactics to all devices in your network and tries to get full access. If no micro-segmentation or network segmentation is put in place, the ransomware will move laterally on the network, which means that the threat spreads to other endpoints and servers across the entire IT environment, engaging in self-propagation. This way, hackers can use detection-evasion techniques to build persistent ransomware attacks.
3. Attack Execution
Data exfiltration
If in the past ransomware used tactics like weak symmetric encryption, ransomware operators now leverage more advanced methods like data exfiltration. Basically, hackers can exfiltrate sensitive business data before encrypting it, leading to double extortion: this way, cybercriminals can threaten to make an organization's private information public if the ransom is not paid. Holding data hostage is no longer the only method.
Destroy backups
Ransomware will look for backups in order to destroy them before encrypting data. This type of malware can recognize backups by file extension, and documents stored in the cloud could be at risk too. Offline backup storage or read-only features on backup files might prevent backup recognition and deletion.
Data Encryption
Ransomware is practically the combination of cryptography with malware. Ransomware operators use asymmetric encryption, a.k.a. public-key cryptography, a process that employs a set of keys (one public key and one private key) to encrypt and decrypt a file and protect it from unauthorized access or use. The keys are uniquely generated for the victim and only made available after the ransom is paid.
It is almost impossible to decrypt the files that are being held for ransom without access to a private key. However, certain types of ransomware can be decrypted using specific ransomware decryptors.
Demand Ransom
After encryption, a warning pops up on the screen with instructions on how to pay for the decryption key. Everything happens in just a few seconds, so victims are completely dumbstruck as they stare at the ransom note in disbelief.
...
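As an added example, not part of the quoted article, here are two detection heuristics that follow from the "destroy backups" and "data encryption" steps above: one flags process command lines that delete Windows shadow copies or disable recovery, the other flags a single process renaming many files to a new extension within a few seconds. The telemetry, process IDs, paths, command patterns and thresholds are all constructed for this example and are not from the article or any product.

```python
"""Two ransomware-behaviour detectors run over constructed sample telemetry.

Added example; the log events below are made up, and the pattern list is
this example's own small illustration, not an exhaustive signature set.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Command lines ransomware commonly runs to destroy backups / recovery options
# before encrypting. Each entry: (compiled regex, rule label).
BACKUP_DESTRUCTION_PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic shadowcopy delete"),
    (re.compile(r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I), "bcdedit disables recovery"),
    (re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I), "wbadmin delete catalog"),
]

# Constructed process-creation events: (timestamp, pid, command line).
SAMPLE_PROCESS_EVENTS = [
    ("2021-09-30T11:25:00", 100, r"vssadmin.exe list shadows"),            # benign admin query
    ("2021-09-30T11:26:00", 100, r"wbadmin start backup -backupTarget:E:"),  # benign backup job
    ("2021-09-30T11:29:58", 4242, r"cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    ("2021-09-30T11:29:58", 4242, r"wmic.exe shadowcopy delete"),
    ("2021-09-30T11:29:59", 4242, r"bcdedit.exe /set {default} recoveryenabled No"),
]


def flag_backup_destruction(process_events):
    """Return one hit per event whose command line matches a destruction pattern."""
    hits = []
    for ts, pid, cmd in process_events:
        for pattern, label in BACKUP_DESTRUCTION_PATTERNS:
            if pattern.search(cmd):
                hits.append({"ts": ts, "pid": pid, "rule": label, "cmd": cmd})
                break  # one rule per event is enough to alert
    return hits


def build_sample_file_events():
    """Constructed rename events: (timestamp ISO string, pid, old path, new path)."""
    base = datetime(2021, 9, 30, 11, 30, 0)
    events = []
    # pid 100 (a backup tool) renames three temp files to .bak: a small, benign change.
    for i in range(3):
        ts = (base - timedelta(minutes=3, seconds=i)).isoformat()
        events.append((ts, 100, rf"C:\Backups\job{i}.tmp", rf"C:\Backups\job{i}.bak"))
    # pid 4242 renames 25 documents to .locked, 200 ms apart: an encryption burst.
    for i in range(25):
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        old = rf"C:\Users\alice\Documents\report_{i}.docx"
        events.append((ts, 4242, old, old + ".locked"))
    # A plain move with the same extension must not count as an extension change.
    events.append((base.isoformat(), 4242, r"C:\Users\alice\a.txt", r"C:\Users\alice\b.txt"))
    return events


def flag_rename_bursts(file_events, window=timedelta(seconds=10), threshold=20):
    """Flag any pid that changes the extension of >= threshold files within `window`.

    Returns {pid: {"count": n, "ext": new_extension}} recorded the first time the
    sliding window crosses the threshold for that pid.
    """
    by_pid = defaultdict(list)
    for ts, pid, old, new in file_events:
        old_ext = PureWindowsPath(old).suffix.lower()
        new_ext = PureWindowsPath(new).suffix.lower()
        if new_ext and new_ext != old_ext:
            by_pid[pid].append((datetime.fromisoformat(ts), new_ext))

    alerts = {}
    for pid, renames in by_pid.items():
        renames.sort()
        start = 0
        for end in range(len(renames)):
            # Advance the window start until the window fits within `window`.
            while renames[end][0] - renames[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[pid] = {"count": count, "ext": renames[end][1]}
                break
    return alerts


if __name__ == "__main__":
    for hit in flag_backup_destruction(SAMPLE_PROCESS_EVENTS):
        print(f"[{hit['ts']}] pid {hit['pid']}: {hit['rule']}: {hit['cmd']}")
    for pid, info in flag_rename_bursts(build_sample_file_events()).items():
        print(f"pid {pid}: {info['count']} files renamed to {info['ext']} within 10 s")
```

The two detectors are deliberately independent: the command-line rule fires seconds before encryption starts, which is the point at which stopping the process still saves the data, while the rename-burst rule catches a strain that skips backup deletion. Tune `window` and `threshold` against your own file-server telemetry, since a legitimate archiving or migration job can also rename many files quickly.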