What Ransomware Allows Hackers to Do Once Infected

Ransomware is a type of malware that gained widespread attention with the WannaCry attack in 2017. This particular type of malware lets hackers deny users access to the data on their computers by encrypting files. Once the files have been encrypted, the hacker can demand payment (i.e. a ransom) in exchange for the decryption key necessary to restore access to these files.


Hacker Techniques

With early ransomware variants, people infected with ransomware mainly needed to worry about losing access to their files due to file encryption. However, hackers have also incorporated data theft to help incentivize ransomware victims to make payments.

1. File Encryption

The practice of denying users access to their data via file encryption and demanding payment is what makes a piece of malware “ransomware”. This technique is effective and profitable for a hacker because it is relatively easy to encrypt a user’s files once the malware is running on their computer, and many individuals and organizations are willing to pay significant ransoms to regain access to their data.

While the details of the file encryption process vary from one ransomware variant to another, most of them search through the infected computer for files of particular types (documents, pictures, etc.). When these files are located, they are encrypted, and the encrypted version replaces the original. Because correctly implemented modern encryption cannot be broken in practice without the decryption key – which only the attacker knows – a well-implemented ransomware variant makes it impossible to recover these files without paying the ransom.

To maximize their impact, many ransomware variants also include self-spreading capabilities. The malware may search for and encrypt shared drives, scan other computers for exploitable vulnerabilities, or use the victim’s email account to send phishing emails carrying the ransomware. This helps the hacker to maximize their profits by both increasing the number of victims and providing access to high-value targets (like database servers).
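The encryption behaviour described above (files of particular types rewritten in place, often under a new extension, with content that no longer looks like a document) is also what a defender can look for. The following detector is an added example and not Check Point's code or any product's logic: it replays constructed file-write events and flags a process that, within a short window, rewrites several files under a changed extension with high-entropy (encrypted-looking) content. The event format, the process ids and paths, and the thresholds (60-second window, five files, 7.0 bits per byte) are assumptions for illustration.

```python
"""
Added example (not Check Point's code): a heuristic detector for
ransomware-style mass file encryption, run over constructed events.
"""
import math
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float        # seconds; constructed timestamps
    pid: int         # writing process; constructed ids
    old_path: str    # file that was overwritten or renamed
    new_path: str    # resulting path
    data: bytes      # leading bytes of the new content


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: ciphertext and compressed data approach 8.0,
    ordinary documents usually sit well below 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extension_changed(old_path: str, new_path: str) -> bool:
    """True when the rewrite left the file under a different extension."""
    return os.path.splitext(old_path)[1].lower() != os.path.splitext(new_path)[1].lower()


def detect_mass_encryption(events, window=60.0, min_files=5, entropy_threshold=7.0):
    """Return the set of pids that produced at least `min_files` suspicious
    writes (extension changed AND high-entropy content) within any `window`
    seconds. Thresholds are assumptions, tune them to the environment."""
    suspicious = defaultdict(list)  # pid -> timestamps of suspicious writes, in order
    for ev in sorted(events, key=lambda e: e.ts):
        if extension_changed(ev.old_path, ev.new_path) and shannon_entropy(ev.data) >= entropy_threshold:
            suspicious[ev.pid].append(ev.ts)

    flagged = set()
    for pid, stamps in suspicious.items():
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= min_files:
                flagged.add(pid)
                break
    return flagged


# Constructed sample content: a deterministic byte pattern that uses every
# byte value equally (entropy exactly 8.0) stands in for ciphertext, and
# repeated prose stands in for an ordinary document.
CIPHERTEXT_LIKE = bytes((i * 7919) % 256 for i in range(4096))
PLAIN_TEXT_LIKE = b"Quarterly revenue summary, draft three. " * 100

SAMPLE_EVENTS = [
    # pid 4242: six documents rewritten as .locked within about 20 seconds
    *[FileEvent(100.0 + 3 * i, 4242, f"/home/u/docs/report{i}.docx",
                f"/home/u/docs/report{i}.docx.locked", CIPHERTEXT_LIKE) for i in range(6)],
    # pid 1001: a word processor saving in place (same extension, low entropy)
    FileEvent(101.0, 1001, "/home/u/docs/notes.docx", "/home/u/docs/notes.docx", PLAIN_TEXT_LIKE),
    # pid 2002: one file compressed by the user; high entropy but a single file
    FileEvent(105.0, 2002, "/home/u/photos/trip.jpg", "/home/u/photos/trip.jpg.gz", CIPHERTEXT_LIKE),
]


if __name__ == "__main__":
    print("flagged pids:", detect_mass_encryption(SAMPLE_EVENTS))  # expect {4242}
```

Entropy alone is not enough (compressed archives and images are also high-entropy), which is why the rule combines it with an extension change and a burst of files from one process; the benign compressor in the sample data stays below the file-count threshold.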

2. Data Theft

Hackers will profit only if their victims pay the ransom. For this reason, many organizations elect not to pay the ransom and instead accept the loss of their data or the much higher cost of attempting to recover it by other means.

To help incentivize their victims to pay the ransom demands, some ransomware variants now include a data theft component. Before encrypting the files on a user’s computer, the ransomware will search for valuable data and send copies to the attacker.

If the victim refuses to pay the ransom, this data theft gives the hacker additional leverage. By threatening to reveal the stolen data if the ransom is unpaid, the hacker puts the victim at risk of regulatory non-compliance or having sensitive data sold or publicly exposed. As a result, victims may pay the ransom to prevent this data breach even if they wouldn’t pay to restore access to the data.

Common Ransomware Infection Vectors

Ransomware is one of the leading threats to corporate cybersecurity because it can be very difficult to protect against. Hackers can infect an individual or organization with ransomware by a few different means, including:

  • Phishing Attacks: Phishing is the most common method of starting a cyberattack, and it is also a popular delivery mechanism for ransomware. Phishing threats are not limited to email and may come via social media, malicious mobile apps, SMS messaging, corporate collaboration platforms, and more.
  • Malicious Downloads: Ransomware can also be delivered via malicious websites. The ransomware (or another type of malware that delivers it) may be masquerading as a legitimate application or be delivered by a script that exploits vulnerabilities in the user’s browser.
  • Compromised Credentials: With the growth of telework, enterprises are increasingly using systems like virtual private networks (VPNs) and the Remote Desktop Protocol (RDP) to provide teleworkers with remote access to the corporate environment. If a hacker learns an employee’s login credentials, they can log in remotely and directly install and run the ransomware.
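The compromised-credentials vector leaves a trace in authentication logs: guessed or stolen passwords typically show up as a run of failed remote logins from one source followed by a success. The detector below is an added example, not Check Point's code or any product's rule; the log format (timestamp, outcome, user, source address, protocol) is made up for this illustration, as are the addresses and user names, and the window and failure count are assumptions.

```python
"""
Added example (not Check Point's code): flag a remote login that succeeds
after a burst of failures from the same source, over constructed log lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format for this example only; real VPN/RDP logs differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGON (?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) proto=(?P<proto>\S+)$"
)

# Constructed sample log: one source guesses several accounts, then gets in;
# another user simply mistypes a password once.
SAMPLE_LOG = """\
2024-03-01T08:00:01 LOGON FAIL user=admin src=203.0.113.5 proto=RDP
2024-03-01T08:00:04 LOGON FAIL user=alice src=203.0.113.5 proto=RDP
2024-03-01T08:00:07 LOGON FAIL user=alice src=203.0.113.5 proto=RDP
2024-03-01T08:00:11 LOGON FAIL user=bob src=203.0.113.5 proto=RDP
2024-03-01T08:00:15 LOGON FAIL user=alice src=203.0.113.5 proto=RDP
2024-03-01T08:00:19 LOGON FAIL user=alice src=203.0.113.5 proto=RDP
2024-03-01T08:00:23 LOGON OK user=alice src=203.0.113.5 proto=RDP
2024-03-01T08:05:40 LOGON FAIL user=carol src=198.51.100.7 proto=VPN
2024-03-01T08:05:52 LOGON OK user=carol src=198.51.100.7 proto=VPN
this line is unrelated noise and is skipped by the parser
"""


def parse(lines):
    """Yield parsed login events as dicts; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def detect_guess_then_success(lines, window=timedelta(minutes=10), min_failures=5):
    """Return (src, user, proto, failure_count) for each successful login that
    was preceded by at least `min_failures` failures from the same source
    inside `window`. Events are assumed to arrive in time order."""
    recent_failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ev in parse(lines):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        elif len(q) >= min_failures:
            alerts.append((ev["src"], ev["user"], ev["proto"], len(q)))
            q.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_guess_then_success(SAMPLE_LOG.splitlines()):
        print("suspicious remote login:", alert)  # expect ('203.0.113.5', 'alice', 'RDP', 6)
```

Keying the failure count on the source address rather than the user catches password spraying, where each account sees only one or two failures but one source sees many; the single mistyped password in the sample does not reach the threshold.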

How to Protect Against Attacks

Once ransomware has begun encrypting files, the damage is already done for those files. Minimizing the impacts of ransomware requires detecting and blocking it before it can begin encryption. Due to the wide range of potential attack vectors, achieving comprehensive protection against ransomware requires deployment of a complete security platform, including:

  • Email Security: Phishing is a common delivery vector for ransomware. An email security solution can scan for and identify ransomware in emails before it reaches the target computer.
  • Endpoint Security: Ransomware can bypass network-level security solutions using infected removable media and other techniques. An endpoint security solution can detect and delete ransomware on a device before it can cause damage.
  • Mobile Security: Mobile devices are becoming central to both personal and professional lives. Ransomware also targets these devices, making a mobile security solution essential for protecting against it.
  • Network Security: After infecting one device, ransomware commonly moves through the network to find other targets. A network security solution helps to both block initial infections and inhibit the spread of ransomware.

To learn more about how Check Point can provide comprehensive ransomware protection, contact us. You’re also welcome to request a demo to see one or all of our anti-ransomware defenses in action.
