What is Ransomware?

Ransomware is a growing threat to organizations around the world as cybercriminals use it in targeted and damaging attacks. It is a type of malicious software that prevents the victims from accessing their documents, pictures, databases and other files by encrypting them and demanding a ransom to decrypt them back. A deadline is assigned for the ransom payment, and if the deadline passes, the ransom demand doubles or files are permanently locked.

Ransomware is an ever-increasing threat worldwide, claiming a new victim every 10 seconds. Here, we unpack the ransomware threat, discussing what ransomware is, how it works, how its use has changed in recent years, how to prepare for and prevent an attack, and what to do if you’re faced with a ransomware infection.

Simply put, ransomware is a type of malicious software that prevents the victims from accessing their documents, pictures, databases and other files by encrypting them and demanding a ransom to decrypt them back. A deadline is assigned for the ransom payment, and, if the deadline passes, the ransom demand may increase or access to these files may be lost forever.

How Ransomware Works

An understanding of what ransomware is and how it works is essential to preparing to protect against it. Ransomware is malware that encrypts a victim’s files and then demands a ransom to restore access to them. To succeed, ransomware needs to gain access to a target system, encrypt the files there, and demand a ransom from the victim.

  • Step 1. Infection and Distribution Vectors

Ransomware, like any malware, can gain access to an organization’s systems in a number of different ways. However, ransomware operators tend to prefer a few specific infection vectors. One of these is phishing emails. A malicious email may contain a link to a website hosting a malicious download or an attachment that has downloader functionality built in. If the email recipient falls for the phish, then the ransomware is downloaded and executed on their computer.

Another popular ransomware infection vector takes advantage of services such as the Remote Desktop Protocol (RDP). With RDP, an attacker who has stolen or guessed an employee’s login credentials can use them to authenticate to and remotely access a computer within the enterprise network. With this access, the attacker can directly download the malware and execute it on the machine under their control.

  • Step 2. File Encryption

The encryption of a user’s files is what sets ransomware apart from other malware variants. By encrypting sensitive and valuable data, the ransomware operator can demand a ransom in exchange for the decryption key with a reasonable belief that the victim will pay.

Ransomware typically makes use of two types of encryption: symmetric and asymmetric. Symmetric encryption requires the same key for encryption and decryption, while asymmetric cryptography uses a public key for encryption and a private key for decryption.

Ransomware variants carry a list describing the types of files that they should encrypt, whether listing certain file extensions, directories, or both. For each of these files, the ransomware uses symmetric encryption on the file and saves a copy of the symmetric key encrypted with a public key. The corresponding private key – which is needed to decrypt the symmetric key used to decrypt the files – is known only to the ransomware operator.
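The key hierarchy just described, written out with Go's standard library as an added example (not code from this page, from Check Point, or from any ransomware family): each buffer gets a fresh AES-256-GCM key, that key is wrapped with RSA-OAEP under a public key, and only the matching private key can unwrap it. The example works on an in-memory byte string rather than on files, and the names sealBuffer, unwrapKey, openBuffer and demo are its own. It makes concrete why the wrapped key left on disk is useless without the operator's private key, and why the plaintext symmetric key exists only inside the running process, which is one reason the response steps later on this page advise leaving an infected machine powered on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sealed is what remains on disk for one encrypted item: the AES-GCM nonce and
// ciphertext plus the per-item key wrapped with the operator's RSA public key.
// The plaintext symmetric key itself is never written anywhere.
type Sealed struct {
	Nonce, Ciphertext, WrappedKey []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBuffer encrypts plaintext under a fresh random AES-256 key and wraps that
// key with RSA-OAEP, so only the matching private key can ever unwrap it.
func sealBuffer(pub *rsa.PublicKey, plaintext []byte) (*Sealed, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{nonce, gcm.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// unwrapKey is the step a decryptor performs with the private key: recover the
// per-item symmetric key. Any other private key fails the OAEP padding check.
func unwrapKey(priv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, nil)
}

// openBuffer decrypts the ciphertext with a recovered per-item key.
func openBuffer(key []byte, s *Sealed) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

// demo runs the hierarchy on a constructed buffer: the right private key
// recovers the plaintext, while an unrelated private key cannot unwrap the key.
func demo() (recovered, wrongKeyFails bool, err error) {
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	plaintext := []byte("constructed sample: quarterly figures, not a real document")
	sealed, err := sealBuffer(&operatorKey.PublicKey, plaintext)
	if err != nil {
		return
	}
	key, err := unwrapKey(operatorKey, sealed)
	if err != nil {
		return
	}
	pt, err := openBuffer(key, sealed)
	if err != nil {
		return
	}
	_, wrongErr := unwrapKey(otherKey, sealed)
	return bytes.Equal(pt, plaintext), wrongErr != nil, nil
}

func main() {
	r, w, err := demo()
	fmt.Println("recovered:", r, "wrongKeyFails:", w, "err:", err)
}
```

The second result is the decryptor case with an unrelated key: RSA-OAEP rejects the padding rather than handing back a wrong key, so there is no partial recovery to attempt. This is also why a free decryptor for a family only appears once its private keys have been obtained or its key handling turns out to be flawed; done correctly, the construction above leaves nothing on the victim's disk that helps.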

  • Step 3. Ransom Demand

Once file encryption is complete, the ransomware is prepared to make a ransom demand. Different ransomware variants implement this in numerous ways, but it is not uncommon to have a display background changed to a ransom note or text files placed in each encrypted directory containing the ransom note. Typically, these notes demand a set amount of cryptocurrency in exchange for access to the victim’s files. If the ransom is paid, the ransomware operator will either provide a copy of the private key used to protect the symmetric encryption key or a copy of the symmetric encryption key itself. This information can be entered into a decryptor program (also provided by the cybercriminal) that can use it to reverse the encryption and restore access to the user’s files.

The Ransomware Threat

Now that we understand what ransomware is, let’s dive into why it’s getting so much attention. First and foremost, ransomware is one of the biggest and most well-known cyber threats in existence. In 2019, the cost of ransomware attacks was estimated to be $11.5 billion, and this is expected to nearly double to $20 billion by 2021. Ransomware attacks affect a wide range of systems, including mobile devices such as smartphones and tablets: in 2019 alone, over 68,000 new trojans were detected that installed ransomware on mobile devices. A successful ransomware attack can cause significant costs, damage, and downtime for an organization, since all impacted systems must be cleaned and restored. While all industries are targeted, cybercriminals tend to focus on critical infrastructure like hospitals, cities, and schools.

The Evolution of Ransomware

The first known ransomware attack was deployed in 1989. This very first known malware extortion was called the AIDS Trojan, aka PC Cyborg. This low-tech malware was distributed on over 20,000 floppy disks to AIDS researchers. It hid files on the drive and encrypted the file names, displaying a message to the user that their license to use a specific type of software had expired. As a ransom, the user was asked to pay $189 USD to receive a repair tool. The decryption tool could be extracted directly from the Trojan’s code, a flaw that made paying the extortionist unnecessary.

Most ransomware variants follow the same steps to move from initial infection to ransom note. However, over the last few years, the ways in which cybercriminals use ransomware have changed dramatically.

  • Large-Scale, Random Attacks

The earliest ransomware attacks took a “quantity over quality” approach to selecting targets. These attacks were designed to infect as many computers as possible with ransomware and ask for a relatively small ransom in exchange for the decryption key.

WannaCry is a prime example of this approach to ransomware. WannaCry is a ransomware worm: a piece of ransomware that exploits a vulnerability to spread itself rather than relying on phishing emails or taking advantage of weak credentials.

WannaCry took advantage of the EternalBlue vulnerability, discovered by the NSA and leaked by the Shadow Brokers, to infect over 200,000 computers within the course of four days. With a ransom demand of $300-$600, the attack could be expected to net the cybercriminals a significant sum of money even if only a fraction of victims paid.

  • Targeting Businesses and Institutions

Over time, ransomware attacks have largely shifted away from large-scale, random attacks. One of the issues with this strategy is that the average person lacks the know-how to pay a ransom in cryptocurrency. As a result, cybercriminals either never got paid or spent a significant amount of time walking people through the process.

Now, most ransomware attacks are much more targeted. The use of spear phishing emails and RDP as delivery methods has grown, making attacks more likely to succeed. These more targeted attacks also have higher ransom demands since the cybercriminals are focused on organizations that cannot afford to lose their data and have the resources necessary to pay the ransom, such as the aforementioned hospitals, schools, cities, and large enterprises.

The Ryuk ransomware is one of the most famous ransomware variants carrying out this new, more targeted kind of attack. Ryuk ransomware infections are tailored to a particular organization and require victims to contact the attacker by email to negotiate a ransom payment. This more personal approach comes with a higher price tag as well, with Ryuk consistently setting records for the highest ransom demands to date.

  • Bundling Data Theft

The most recent stage in the evolution of ransomware is designed to deal with the problem that ransomware victims are commonly choosing not to pay the demanded ransom. Many organizations have chosen to try to recover on their own, at much greater expense, rather than allow cybercriminals to profit from their attacks.

Ransomware operators, such as those behind the Maze and REvil ransomware variants, have responded to this trend by bundling data-stealing functionality within their ransomware. Before encrypting data on a target computer, the malware exfiltrates some of it to use as leverage against the victim. If the target of the attack refuses to pay the ransom, this data may be publicly leaked or sold to the highest bidder. This could result in a loss of competitive advantage or penalties under the General Data Protection Regulation (GDPR) or similar privacy laws, giving ransomware victims an additional incentive to pay.


[Figure: WannaCry ransom note]

Latest Ransomware Attacks

In April 2020, Cognizant, one of the largest tech and consulting companies in the Fortune 500, confirmed it had been hit by a Maze ransomware attack.

Maze is not like typical data-encrypting ransomware. Maze not only spreads across a network, infecting and encrypting every computer in its path; it also exfiltrates the data to the attackers’ servers, where it is held for ransom. If a ransom isn’t paid, the attackers publish the files online. However, a website known to be associated with the Maze attackers has not yet advertised or published data associated with Cognizant.

The FBI privately warned businesses in December of an increase in Maze-related ransomware incidents.

Since the warning, several major companies have been hit by Maze, including cyber insurer Chubb, accounting giant MNP, a law firm and an oil company.

Most Popular Ransomware Variants

  • CryptoWall – Ransomware that started as a CryptoLocker doppelgänger but eventually surpassed it. After the takedown of CryptoLocker, CryptoWall became one of the most prominent ransomware families to date. CryptoWall is known for its use of AES encryption and for conducting its command-and-control communications over the Tor anonymity network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
  • WannaCry – Ransomware which was spread in a large-scale attack in May 2017, utilizing a Windows SMB exploit called EternalBlue in order to propagate within and between networks. It infected more than 100,000 computers by taking advantage of an unpatched Microsoft Windows vulnerability.
  • Jaff – Ransomware which began being distributed by the Necurs botnet in May 2017, via spam emails containing a PDF attachment with an embedded DOCM file. When the malware first emerged, it was spread massively at a rate of approximately 10,000 emails sent per hour.
  • Locky – Ransomware which started its distribution in February 2016 and spreads mainly via spam emails containing a downloader disguised as a Word or Zip attachment, which then downloads and installs the malware that encrypts the user’s files.
  • TorrentLocker – Ransomware that encrypts user documents, pictures and other types of files. Victims are asked to pay up to 4.1 Bitcoins (approximately US $1,800 at the time) to the attackers to decrypt their files.
  • Cerber – An offline ransomware, meaning that it does not need to communicate with its C&C server before encrypting files on an infected machine. It is spread mostly via malvertising campaigns which leverage exploit kits, but also through spam campaigns. It is operated by its author as ransomware-as-a-service: the author recruits affiliates to spread the malware for a share of the ransom payment.

Protecting From and Preventing Ransomware

Proper preparation can dramatically decrease the cost and impact of a ransomware attack. Taking the following steps can reduce an organization’s exposure to ransomware and minimize its impacts:

  • Cyber Awareness Training and Education: Ransomware is often spread using phishing emails. Training users on how to identify and avoid potential ransomware attacks is crucial. As many current cyber-attacks start with a targeted email that does not even contain malware, but only a socially engineered message that encourages the user to click on a malicious link, user education is often considered one of the most important defenses an organization can deploy.
  • Continuous data backups: By definition, ransomware is malware designed so that paying a ransom is the only way to restore access to the encrypted data. Automated, protected data backups enable an organization to recover from an attack with a minimum of data loss and without paying a ransom. Maintaining regular backups as a routine process is also a very important practice for recovering from data corruption or disk hardware failure, and the same functional backups help organizations recover from ransomware attacks.
  • Patching: Patching is a critical component of defending against ransomware attacks, as cybercriminals often examine newly released patches to find the vulnerabilities they fix and then target systems that are not yet patched. As such, it is critical that organizations ensure that all systems have the latest patches applied, as this reduces the number of vulnerabilities available for an attacker to exploit.
  • User Authentication: Accessing services like RDP with stolen user credentials is a favorite technique of ransomware attackers. The use of strong user authentication can make it harder for an attacker to make use of a guessed or stolen password.
  • Anti-Ransomware Solutions: The need to encrypt all of a user’s files means that ransomware has a unique fingerprint when running on a system. Specialized anti-ransomware solutions can use this to identify and terminate potentially malicious processes, minimizing the damage caused.
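One way to implement the behavioural fingerprint described under Anti-Ransomware Solutions, as an added example in Go (not Check Point's engine or any product's code): the scorer below takes a short slice of per-process file events, such as the last 60 seconds from an endpoint sensor, and flags a process that writes high-entropy content to many distinct files and renames them to a new extension. The FileEvent schema, the thresholds and the three sample processes are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"path"
	"sort"
	"strings"
)

// FileEvent is one file operation from an endpoint sensor (constructed schema;
// real EDR telemetry differs). The caller passes a short time slice of events,
// e.g. the last 60 seconds, so the counts below double as rates.
type FileEvent struct {
	PID     int
	Process string
	Op      string // "write" or "rename"
	Path    string // POSIX-style here; use filepath.Ext for native paths
	NewPath string // rename target, empty for writes
	Sample  []byte // leading bytes written, empty for renames
}

// Verdict summarises one process's activity in the slice.
type Verdict struct {
	PID                                   int
	Process                               string
	FilesTouched, HighEntropy, ExtChanges int
	Suspicious                            bool
}

// shannonEntropy returns bits per byte of b (0 to 8): encrypted or compressed
// output sits near 8, ordinary documents far below.
func shannonEntropy(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// scoreProcesses groups events by PID and flags a process when distinct files
// touched, high-entropy writes and extension changes all reach minFiles.
func scoreProcesses(events []FileEvent, minFiles int, entropyMin float64) []Verdict {
	type acc struct {
		v     Verdict
		files map[string]bool
	}
	byPID := map[int]*acc{}
	for _, e := range events {
		a, ok := byPID[e.PID]
		if !ok {
			a = &acc{Verdict{PID: e.PID, Process: e.Process}, map[string]bool{}}
			byPID[e.PID] = a
		}
		a.files[e.Path] = true
		if e.Op == "write" && shannonEntropy(e.Sample) >= entropyMin {
			a.v.HighEntropy++
		}
		if e.Op == "rename" && path.Ext(e.NewPath) != path.Ext(e.Path) {
			a.v.ExtChanges++
		}
	}
	var out []Verdict
	for _, a := range byPID {
		a.v.FilesTouched = len(a.files)
		a.v.Suspicious = a.v.FilesTouched >= minFiles && a.v.HighEntropy >= minFiles && a.v.ExtChanges >= minFiles
		out = append(out, a.v)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].PID < out[j].PID })
	return out
}

// pseudoRandomBytes yields deterministic high-entropy bytes (xorshift32) as a
// stand-in for ciphertext. Constructed test data, not real file content.
func pseudoRandomBytes(seed uint32, n int) []byte {
	out := make([]byte, n)
	for i := range out {
		seed ^= seed << 13
		seed ^= seed >> 17
		seed ^= seed << 5
		out[i] = byte(seed)
	}
	return out
}

// sampleEvents is a constructed slice: PID 4242 behaves like an encryptor,
// PID 1001 edits one document, PID 2002 writes three archives (high entropy,
// but neither mass writes nor extension changes).
func sampleEvents() []FileEvent {
	var ev []FileEvent
	for i := 0; i < 12; i++ {
		p := fmt.Sprintf("/home/alice/docs/report-%02d.docx", i)
		ev = append(ev,
			FileEvent{4242, "svch0st.exe", "write", p, "", pseudoRandomBytes(uint32(1000+i), 2048)},
			FileEvent{4242, "svch0st.exe", "rename", p, p + ".locked", nil})
	}
	memo := []byte(strings.Repeat("Quarterly memo: revenue grew in Q1. ", 40))
	ev = append(ev, FileEvent{1001, "winword.exe", "write", "/home/alice/docs/memo.docx", "", memo})
	for i := 0; i < 3; i++ {
		ev = append(ev, FileEvent{2002, "7z", "write",
			fmt.Sprintf("/home/alice/backup/part-%d.7z", i), "", pseudoRandomBytes(uint32(50+i), 2048)})
	}
	return ev
}

func main() {
	for _, v := range scoreProcesses(sampleEvents(), 10, 7.0) {
		fmt.Printf("%+v\n", v)
	}
}
```

The archiver process (PID 2002) shows why a single signal is not enough: compressed and legitimately encrypted output is high-entropy too, so a detector keyed on entropy alone would flag backup and archiving tools. The thresholds and the length of the event slice need tuning per environment, and a product adds signals this example omits, such as deletion of volume shadow copies or ransom-note files appearing in every touched directory (the page's own Step 3), plus a response action such as suspending the flagged process and restoring the files it touched.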

Ransomware Removal - What to do when infected

A ransom message is not something anyone wants to see on their computer as it reveals that a ransomware infection was successful. At this point, some steps can be taken to respond to an active ransomware infection, and an organization must make the choice of whether or not to pay the ransom.

  • How to Mitigate an Active Ransomware Infection

Many successful ransomware attacks are only detected after data encryption is complete and a ransom note has been displayed on the infected computer’s screen. At this point, the encrypted files are likely unrecoverable, but some steps should be taken immediately:

  1. Quarantine the Machine: Some ransomware variants will try to spread to connected drives and other machines. Limit the spread of the malware by removing access to other potential targets.
  2. Leave the Computer On: Encryption of files may make a computer unstable, and powering off a computer can result in loss of volatile memory. Keep the computer on to maximize the probability of recovery.
  3. Create a Backup: Decryption of files for some ransomware variants is possible without paying the ransom. Make a copy of encrypted files on removable media in case a solution becomes available in the future or a failed decryption effort damages the files.
  4. Check for Decryptors: Check with the No More Ransom Project to see if a free decryptor is available. If so, run it on a copy of the encrypted data to see if it can restore the files.
  5. Ask For Help: Computers sometimes keep backup copies of the files stored on them. A digital forensics expert may be able to recover these copies if they have not been deleted by the malware.
  6. Wipe and Restore: Restore the machine from a clean backup or operating system installation. This ensures that the malware is completely removed from the device.

  • Should You Pay the Ransom?

Ransomware’s definition states that it is designed to put victims in a position where they have to choose between paying a ransom and losing access to their data forever. In many cases, the cost of a ransom is lower than trying to recover without paying.

However, cybersecurity best practices say not to pay the ransom. This is for a number of reasons:

  • Ransomware is Profit-Driven: Ransomware operators create and use this malware to make money off of it. Paying a ransom enables them to continue to operate and keeps the threat of ransomware alive.
  • Paying Shows a Willingness to Pay: Paying a ransom shows a cybercriminal that you are willing to pay a ransom to end a cyber threat. This often increases the probability of being targeted for future attacks.
  • Paying Doesn’t Guarantee Recovery: Paying a ransom involves trusting the cybercriminal to provide the decryption key in exchange. However, not all ransom payers receive a key, and, even with a key, not all data is recovered successfully.

The decision whether or not an organization can afford to pay a ransom rests with the organization itself. While best practice states that ransom demands should never be paid, every case is unique.

How Can Check Point Help

Check Point’s Anti-Ransomware technology uses a purpose-built engine that defends against the most sophisticated, evasive zero-day variants of ransomware and safely recovers encrypted data, ensuring business continuity and productivity. The effectiveness of this technology is verified every day by our research team and consistently demonstrates excellent results in identifying and mitigating attacks.

SandBlast Agent, Check Point’s leading endpoint prevention and response product, includes Anti-Ransomware technology and provides protection to web browsers and endpoints, leveraging Check Point’s industry-leading network protections. SandBlast Agent delivers complete, real-time threat prevention and remediation across all malware threat vectors, enabling employees to work safely no matter where they are, without compromising on productivity.
