Ransomware is a type of malware that became popular with the WannaCry attack in 2017. This particular type of malware lets hackers deny users access to the data on their computers by encrypting files. Once the files have been encrypted, the hacker can demand payment (i.e. a ransom) in exchange for the decryption key necessary to restore access to these files.
With early ransomware variants, people infected with ransomware mainly needed to worry about losing access to their files due to file encryption. However, hackers have also incorporated data theft to help incentivize ransomware victims to make payments.
The practice of denying users access to their data via file encryption and demanding payment is what makes a piece of malware “ransomware”. This technique is effective and profitable for a hacker because it is relatively easy to encrypt a user’s files once the malware is running on their computer, and many individuals and organizations are willing to pay significant ransoms to regain access to their data.
While the details of the file encryption process vary from one ransomware variant to another, most of them search through the infected computer for files of particular types (documents, pictures, etc.). When these files are located, they are encrypted, and the encrypted version replaces the original. Because modern encryption is currently unbreakable without the decryption key – which only the attacker knows – a well-implemented ransomware variant makes it impossible to recover these files without paying the ransom.
To maximize their impact, many ransomware variants also include self-spreading capabilities. The malware may search for and encrypted shared drives, scan other computers for exploitable vulnerabilities, or use the victim’s email account to send phishing emails carrying the ransomware. This helps the hacker to maximize their profits by both increasing the number of victims and providing access to high-value targets (like database servers).
Hackers will profit only if their victims pay the ransom. For this reason, many organizations elected not to pay the ransom and accept the loss of their data or the much higher cost of attempting to recover it by other means.
To help incentivize their victims to pay the ransom demands, some ransomware variants now include a data theft component. Before encrypting the files on a user’s computer, the ransomware will search for valuable data and send copies to the attacker.
If the victim refuses to pay the ransom, this data theft gives the hacker additional leverage. By threatening to reveal the stolen data if the ransom is unpaid, the hacker puts the victim at risk of regulatory non-compliance or having sensitive data sold or publicly exposed. As a result, victims may pay the ransom to prevent this data breach even if they wouldn’t pay to restore access to the data.
Ransomware is one of the leading threats to corporate cybersecurity because it can be very difficult to protect against. Hackers an infect an individual or organization with ransomware by a few different means, including:
Once ransomware has begun encrypting files, the damage is already done for those files. Minimizing the impacts of ransomware requires detecting and blocking it before it can begin encryption. Due to the wide range of potential attack vectors, achieving comprehensive protection against ransomware requires deployment of a complete security platform, including: