How ransomware works

Whether it’s end users who represent your greatest Achilles heel, vulnerabilities in your endpoint security, or a combination of both—ransomware attackers will find ways to exploit them. In order to effectively protect your business-critical data, you must understand how ransomware works.

At its most basic, a ransomware attack follows this process:

  • Cyber criminals leverage a ransomware attack vector, like an infected email, to trick end users into granting them access to your business’ workstations and servers
  • Once in, they hold your data hostage by encryption or lockscreen—or take control of your network
  • The cyber criminal then offers a decryption key, but it comes with a price: a demand for ransom

It’s called cryptoviral extortion, and it’s as awful as it sounds.

Recognizing ransomware attack vectors is critical

Typically, ransomware attacks occur via Trojans—malicious files disguised as photo .zip files, work resumes, free software, or other seemingly legitimate files, which end users are deceived into opening or downloading. The ransomware then runs a payload in order to render the system unusable—or at least it threatens to do so (think scareware program)—and the chaos begins.

Let’s take a look at some common modes of entry.

Emails

Despite the cost to launch ransomware attacks, email is still the most prevalent ransomware attack vector worldwide.

  • Email filters are easily bypassed when attackers attach Word, Excel, or PDF files, for example—or links to software for download
  • These attachments are often falsely labeled with a “harmless” sounding title or with multiple, confusing file extensions

It’s absolutely critical that end users never view or download email attachments from unknown sources.

USB storage devices

Attackers will also employ analog methods to gain access to your data.

  • Infected USB flash drives are being increasingly used as a portal for ransomware to gain access to your network
  • Reports of these flash drives being planted in business parking lots is not uncommon

Simply put: Avoid using USB storage devices from an unknown source.

Internet ads and exploit kits

Exploit kits are commonly available to would-be ransomware attackers at bargain prices. These kits infect websites via vulnerabilities in popular web applications, like Java and Adobe Flash, often deploying malvertising or abusing ad space with infected content.

  • Exploit kits and malvertising are difficult for end users to monitor, as not only can questionable sites be infected, but legitimate sites, as well
  • Malvertising can appear to be strikingly authentic
    Once discovered, these vulnerabilities are often quickly rectified by software vendors, but cyber criminals can do irreparable harm before the infection is detected

Visiting compromised websites with either unpatched third-party applications or outdated browsers or software plug-ins can leave you vulnerable to a ransomware infection. So, be diligent to not only avoid interacting with questionable links, popup ads, and websites—but be sure to immediately run software updates and patches, as well.

Free software

The proverb, “never look a gift horse in the mouth,” most definitely does not apply when it comes to free software.

  • “Free software” attack vectors may come in the form of free games, software, screensavers, and even online game “cheats”
  • Because the software is downloaded by the user, ransomware attackers bypass firewalls and email filters, gaining unrestricted access to your system

Before you take advantage of an offer that’s most definitely too good to be true, consider this: Not long ago, a ransomware attack took aim at the popular game Minecraft. The attackers offered a “mod” to payers, and weeks later, a sleeper version of the ransomware was activated on their machines.

Ransomware encryption technology is increasingly powerful stuff

Ransomware attacks are quickly becoming more and more sophisticated, and hybrid encryption—or AES ransomware—is the latest.

Now, the random symmetric key generated by the malware encrypts the user’s data—and the public key in the malware is used to encrypt the symmetric key. The result?

Data that’s impossible to recover by brute force decryption.

Is your encrypted data protected from ransomware?

Many—including IT professionals—believe that if a file is already encrypted, it’s protected from ransomware.

Not so.

Encrypted files are still vulnerable to ransomware attack, making it absolutely critical that IT departments are well-informed about the scope of attack methodologies and data vulnerabilities.

Understanding ransom demands and ransomware recovery

After a ransomware infection, the cyber extortion begins.

Now, the victim is left in the unenviable position of deciding whether or not to pay up in the hopes they’ll be granted the decryption key.

Usually, the ransom demand is in the form of untraceable Bitcoin. The attackers goal, of course, is to get their ransom quickly and easily with very little risk of trace. While wire transfers, high-rate text message, voucher services, and even Amazon and iTunes gift cards have been requested, Bitcoin has become the payment of choice.

Because Bitcoin is a public transaction system—without government or bank regulation—the account holder may remain anonymous. As a result, it’s become popular among illicit drugs and arms dealers and, you guessed it, ransomware attackers. It’s become so popular, in fact, that a 2016 survey commissioned by Citrix found that larger businesses were holding Bitcoin as part of their contingency plans.

Once the ransomware attacker receives payment, he or she may deliver the decryption key. (Emphasis on “may.”)

Because you’re dealing with a cyber criminal, ransom payment does not guarantee data recovery. Some attackers receive their payment and are never heard from again. Others may up the ante, demanding a second, larger payment. And, if you do regain access to your data, there’s no guarantee that it won’t be corrupted or incomplete.

Worse, if you pay, you’ve shown cyber attackers that you’re a willing participant in their malicious game—you’ve now got a target on your back.

Today, the best cure is an insurance policy—a clean backup. If you have an advanced backup and recovery solution in place, you’ll be empowered to remove the ransomware and restore a clean copy of your data without ever caving to ransomware attackers’ demands.

Why ransomware is so effective

When cyber criminals found a way to sell illegal products and services in a seemingly more legitimate way, the underground economy took note. Cybercrime grew quickly. And, because cyber criminals had more accessible and efficient avenues to learn the “trade”, the doors opened wide to less experienced criminals.

Ransomware attackers now peddle:

  • Ransomware-as-a-service, complete with tech support
  • Social networks with escrow services
  • Botnets for rent by the hour
  • Zero-day exploit markets

And, all of these criminal opportunities support higher-quality, more effective malware; more efficient supply chains; and the formation of co-conspirators, which makes it more difficult to pin blame and assign jurisdiction.

There is no question cybercrime of this kind isn’t going anywhere anytime soon; your best protection is a three-pronged approach to ransomware prevention and remediation:

  • End user education
  • Endpoint security
  • Backup and recovery
Recent posts
December 9, 2017
Poor digital hygiene + rise in cyberattacks = need for cyber security training Read
Your business critical systems, applications, and data are under a constant state of threat. In fact, a recent Cybersecurity Ventures report finds that a ransomware attack occurs every 40 seconds—and by the end of 2019 an attack is projected to occur every 14 seconds. It’s clear that you need a vigilant army of end users...

Your business critical systems, applications, and data are under a constant state of threat. In fact, a recent Cybersecurity Ventures report finds that a ransomware attack occurs every 40 seconds—and by the end of 2019 an attack is projected to occur every 14 seconds. It’s clear that you need a vigilant army of end users…

what to do when you've been infected by ransomware
November 30, 2017
What to do when you’ve been hit by ransomware – Your path to recovery Read
There it is—the ransomware lockscreen staring you down with its arrogant gaze, just begging you to cry, “Uncle!” So much for your pleasant morning cup of coffee. So, now what? What steps should you and your IT department take to mitigate the damage and restore your data? The answer is: It depends. Here are some...

There it is—the ransomware lockscreen staring you down with its arrogant gaze, just begging you to cry, “Uncle!” So much for your pleasant morning cup of coffee. So, now what? What steps should you and your IT department take to mitigate the damage and restore your data? The answer is: It depends. Here are some…

November 16, 2017
The password security tips you need to keep your business data safe Read
It’s a never-ending battle: Hackers relentlessly look for a way into your digital house, you work overtime, boarding up the windows. Meanwhile, your employees stand in the threshold graciously offering their up their keys. We know employees are the primary cause of data breaches—and that login credentials are almost always employed at some phase of...

It’s a never-ending battle: Hackers relentlessly look for a way into your digital house, you work overtime, boarding up the windows. Meanwhile, your employees stand in the threshold graciously offering their up their keys. We know employees are the primary cause of data breaches—and that login credentials are almost always employed at some phase of…

November 6, 2017
How to use WiFi safely as threats like KRACKS explode onto the scene Read
This month, a Grand Canyon-sized hole in WPA2 WiFi security protocol was discovered—and, it’s a vulnerability that has the potential to spell catastrophic consequences for organizations and their mobile workforces. So, what does the threat mean to you? And, more importantly, how can you use WiFi safely? Let’s dig in. KRACKS is a threat to...

This month, a Grand Canyon-sized hole in WPA2 WiFi security protocol was discovered—and, it’s a vulnerability that has the potential to spell catastrophic consequences for organizations and their mobile workforces. So, what does the threat mean to you? And, more importantly, how can you use WiFi safely? Let’s dig in. KRACKS is a threat to…

Site sponsor:
Render ransomware attackers powerless.
Restore encrypted data quickly with Arcserve backup and recovery.
Get your free trial now