Exploring Ransomware Attacks

What is Ransomware?

Ransomware is malicious software that blocks access to a computer system or its data, generally by encrypting the data, until the victim pays the fee demanded by the attacker. In most cases the ransom demand comes with a deadline, and if the victim fails to pay the demanded amount, the data is lost for good.


How Ransomware Works

Ransomware usually spreads by means of spam or phishing emails. It can also spread through compromised websites or drive-by downloads that infect the user's system and then move on into the network. Over time the infection techniques have evolved, and attackers keep finding new ways to penetrate systems and exploit user vulnerabilities. Once inside, the ransomware locks every file it has gained access to using strong encryption. Once the files are locked, the attacker demands a ransom for decrypting the files and fully restoring operations on all the affected IT systems.

Steps Involved in a Ransomware Attack


  1. Infection

Once the ransomware has been delivered to the victim's system, whether by an email attachment, a phishing email or any other method, it begins installing itself on that system and on every network device it can reach.

  2. Secure Key Exchange

The ransomware establishes a connection with the command and control server operated by the cybercriminals behind the attack, which generates the cryptographic keys that are then used on the local system.

  3. Encryption

The encryption process starts: the ransomware begins encrypting the files it finds on the local machine and on the network.

  4. Extortion

Once the encryption process is complete, the ransomware displays extortion instructions and ransom payment details, threatening the destruction of the data if the payment is not made.

  5. Unlocking

The victims can pay the demanded ransom and hope that the attackers decrypt the files. Alternatively, they can attempt recovery by removing the infected files and systems from the network and then restoring the data from clean backups.

Before a Ransomware Attack

  • Secure Emails

Email phishing and mail spamming are common ways in which ransomware spreads. Secure email gateways with targeted attack protection are important for detecting and blocking malicious emails that can deliver ransomware to the user's system. These solutions shield users from malicious documents, attachments and URLs delivered by email.

  • Secure Web Surfing

Using strong, secure web gateways helps scan the user's web traffic to identify malicious ads that might be an intermediate path to ransomware.

  • Monitoring Servers, Networks and Back-Up Systems

Deploying monitoring tools helps detect irregular file access activity, viruses and other malicious behaviour in time to block the ransomware before it activates. Keeping backups of the crucial systems reduces the risk that a crashed or encrypted machine turns into a significant operational bottleneck.
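The "irregular file access activity" that such monitoring looks for has a concrete signature: during the encryption step a single process rewrites many files in a short time, and the rewritten contents are near-random, so their byte entropy is close to the 8-bit maximum. The following Python is an added example (not code from the article) of a simple detector that runs that rule over file-activity events. The log format, the process names and the sample lines are constructed for the demonstration, standing in for whatever a real endpoint monitor records; the thresholds are illustrative assumptions.

```python
"""Toy mass-encryption detector run over constructed file-activity log lines."""
import math
from collections import defaultdict, deque
from datetime import datetime


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes.
    A monitor would compute this on the bytes each process writes; encrypted or compressed
    output sits near 8.0, plain documents and source text usually well below 6.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Constructed sample events from a hypothetical file-activity monitor (not real telemetry).
# Format: <ISO timestamp> <process> <action> <path> <entropy of the written bytes>
# Paths are constructed without spaces so the lines can be split on whitespace.
SAMPLE_LOG = """\
2024-05-01T09:00:01 winword.exe WRITE C:/Users/alice/Documents/notes.txt 4.6
2024-05-01T09:00:40 winword.exe WRITE C:/Users/alice/Documents/todo.txt 4.4
2024-05-01T09:01:03 updater.exe WRITE C:/Users/alice/Documents/notes.txt.locked 7.9
2024-05-01T09:01:04 updater.exe WRITE C:/Users/alice/Documents/todo.txt.locked 7.9
2024-05-01T09:01:05 updater.exe WRITE C:/Users/alice/Pictures/img1.jpg.locked 7.9
2024-05-01T09:01:06 updater.exe WRITE C:/Users/alice/Pictures/img2.jpg.locked 7.9
2024-05-01T09:01:07 updater.exe WRITE C:/Users/alice/Pictures/img3.jpg.locked 7.9
2024-05-01T09:01:09 updater.exe WRITE C:/Users/alice/Documents/HOW_TO_DECRYPT.txt 4.5
2024-05-01T09:02:00 backup.exe WRITE D:/backup/2024-05-01.tar.gz 7.9
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, process, action, path, entropy)."""
    ts, proc, action, path, entropy = line.split()
    return datetime.fromisoformat(ts), proc, action, path, float(entropy)


def detect_mass_encryption(lines, window_seconds=60, min_files=5, entropy_threshold=7.0):
    """Return {process: peak_count} for every process that wrote at least `min_files`
    high-entropy files inside any sliding window of `window_seconds`.

    Counting per process and per time window is what separates ransomware from a backup
    or archiving tool: those also write high-entropy output, but one large archive is a
    single event, not a burst of rewritten user files."""
    high_entropy_writes = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, proc, action, _path, ent = parse_line(raw)
        if action == "WRITE" and ent >= entropy_threshold:
            high_entropy_writes[proc].append(ts)

    alerts = {}
    for proc, stamps in high_entropy_writes.items():
        stamps.sort()
        window = deque()
        peak = 0
        for ts in stamps:
            window.append(ts)
            # Drop events that fell out of the trailing time window.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= min_files:
            alerts[proc] = peak
    return alerts


if __name__ == "__main__":
    print(detect_mass_encryption(SAMPLE_LOG.splitlines()))
```

On the sample above only `updater.exe` is reported (five high-entropy writes in a few seconds); `winword.exe` writes ordinary text and `backup.exe` writes a single compressed archive, so neither crosses the threshold. A real deployment would feed the same rule from endpoint telemetry, tune the window and file count to the environment, and treat a hit as the trigger to isolate the host and fall back to the clean backups the section recommends.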

Types of Ransomware

Ransomware can be classified into two broad categories: crypto ransomware and locker ransomware.

  1. Crypto Ransomware

This type of ransomware encrypts the important, high-value user files on a computer so that the user is denied access to them. Cybercriminals who carry out crypto ransomware attacks make money by demanding that victims pay a hefty ransom to get the files restored.

  2. Locker Ransomware

Locker ransomware, unlike crypto ransomware, doesn't encrypt the user's files. It locks the user out of the device, preventing them from using the system at all. Once the user is locked out, the cybercriminals demand a ransom to unlock the system.

Popular Ransomware Examples from the Past

  1. Locky

Locky ransomware first appeared in 2016. It is able to encrypt over 160 types of user files. Locky spreads by fooling victims into installing it through fake emails carrying infected attachments, a phishing approach that is a form of social engineering. Locky targets file types often used by professionals such as designers, engineers and testers.

  2. WannaCry

WannaCry is ransomware that came to light in 2017 by spreading across 150 countries. At its peak it affected over 2 lakh (200,000) computer systems across the globe. Users were locked out of their systems and the ransom was demanded in Bitcoin. The attack exposed the problems of running legacy and outdated systems.

  3. Ryuk

Ryuk ransomware spread in August 2018. It disabled the Windows System Restore option, making it impossible for users to recover their encrypted files without a backup. Ryuk also encrypted network devices. It had a crippling effect, and many of the organizations attacked in the US paid the demanded ransoms.

  4. Troldesh

Troldesh ransomware struck in 2015 and spread by spam email through infected links and attachments. The attackers behind this ransomware communicated directly with the victims over email to demand the ransom. Surprisingly, the cybercriminals even negotiated with victims who were willing to pay.

  5. Jigsaw

Jigsaw is ransomware that first appeared in 2016. It deleted user files every hour for as long as the ransom demand was left unpaid. The attackers used horror imagery in the attack to frighten the victims and add to their distress.