What Is Ransomware?

How does ransomware work?

Ransomware uses asymmetric encryption. This is cryptography that uses a pair of keys to encrypt and decrypt a file. The public-private pair of keys is uniquely generated by the attacker for the victim, with the private key to decrypt the files stored on the attacker’s server. The attacker makes the private key available to the victim only after the ransom is paid, though as seen in recent ransomware campaigns, that is not always the case. Without access to the private key, it is nearly impossible to decrypt the files that are being held for ransom.

Many variations of ransomware exist. Often ransomware (and other malware) is distributed using email spam campaigns or through targeted attacks. Malware needs an attack vector to establish its presence on an endpoint. After presence is established, malware stays on the system until its task is accomplished.

After a successful exploit, ransomware drops and executes a malicious binary on the infected system. This binary then searches and encrypts valuable files, such as Microsoft Word documents, images, databases, and so on. The ransomware may also exploit system and network vulnerabilities to spread to other systems and possibly across entire organizations.

Once files are encrypted, ransomware prompts the user for a ransom to be paid within 24 to 48 hours to decrypt the files, or they will be lost forever. If a data backup is unavailable or those backups were themselves encrypted, the victim is faced with paying the ransom to recover personal files.

Why is ransomware spreading?

Ransomware attacks and their variants are rapidly evolving to counter preventive technologies for several reasons:

• Easy availability of malware kits that can be used to create new malware samples on demand
• Use of known good generic interpreters to create cross-platform ransomware (for example, Ransom32 uses Node.js with a JavaScript payload)
• Use of new techniques, such as encrypting the complete disk instead of selected files

Today’s thieves don’t even have to be tech savvy. Ransomware marketplaces have sprouted up online, offering malware strains for any would-be cybercrook and generating extra profit for the malware authors, who often ask for a cut in the ransom proceeds.

Why is it so hard to find ransomware perpetrators?

Use of anonymous cryptocurrency for payment, such as bitcoin, makes it difficult to follow the money trail and track down criminals. Increasingly, cybercrime groups are devising ransomware schemes to make a quick profit. Easy availability of open-source code and drag-and-drop platforms to develop ransomware has accelerated creation of new ransomware variants and helps script novices create their own ransomware. Typically, cutting-edge malware like ransomware are polymorphic by design, which allows cybercriminals to easily bypass traditional signature-based security based on file hash.

What is ransomware-as-a-service (RaaS)?

Ransomware-as-a-service is a cybercrime economic model that allows malware developers to earn money for their creations without the need to distribute their threats. Non-technical criminals buy their wares and launch the infections, while paying the developers a percentage of their take. The developers run relatively few risks, and their customers do most of the work. Some instances of ransomware-as-a-service use subscriptions while others require registration to gain access to the ransomware.

How to defend against ransomware

To avoid ransomware and mitigate damage if you are attacked, follow these tips:

• Back up your data. The best way to avoid the threat of being locked out of your critical files is to ensure that you always have backup copies of them, preferably in the cloud and on an external hard drive. This way, if you do get a ransomware infection, you can wipe your computer or device free and reinstall your files from backup. This protects your data and you won’t be tempted to reward the malware authors by paying a ransom. Backups won’t prevent ransomware, but it can mitigate the risks.
• Secure your backups. Make sure your backup data is not accessible for modification or deletion from the systems where the data resides. Ransomware will look for data backups and encrypt or delete them so they cannot be recovered, so use backup systems that do not allow direct access to backup files.
• Use security software and keep it up to date. Make sure all your computers and devices are protected with comprehensive security software and keep all your software up to date. Make sure you update your devices’ software early and often, as patches for flaws are typically included in each update.
• Practice safe surfing. Be careful where you click. Don’t respond to emails and text messages from people you don’t know, and only download applications from trusted sources. This is important since malware authors often use social engineering to try to get you to install dangerous files.
• Only use secure networks. Avoid using public Wi-Fi networks, since many of them are not secure, and cybercriminals can snoop on your internet usage. Instead, consider installing a VPN, which provides you with a secure connection to the internet no matter where you go.
• Stay informed. Keep current on the latest ransomwares threats so you know what to look out for. In the case that you do get a ransomware infection and have not backed up all your files, know that some decryption tools are made available by tech companies to help victims.
• Implement a security awareness program. Provide regular security awareness training for every member of your organization so they can avoid phishing and other social engineering attacks. Conduct regular drills and tests to be sure that training is being observed.

Key incident response ransomware data points

The following trends are commonly seen by our frontline incident response experts when investigating and remediating ransomware.

Median Dwell Time for Ransomware Attacks (in Days)

The median dwell time for ransomware attacks is 72.75 days, in comparison to all threats at 56 days (including ransomware).

Popular Days of the Week for Ransomware Deployment

Days of the week highlighted above represent when deployment and execution of the ransomware attack begins, not when the attacker gains initial access.

Minimize Risk and Reduce Ransomware Dwell Time

Focus on attacker behavior to reduce the average dwell time of a strategic ransomware actor
from 72 days to only 24 hours or less.

9 steps for responding to a ransomware attack

If you suspect you’ve been hit with a ransomware attack, it’s important to act quickly. Fortunately, there are several steps you can take to give you the best possible chance of minimizing damage and quickly returning to business as usual.

1. Isolate the infected device: Ransomware that affects one device is a moderate inconvenience. Ransomware that is allowed to infect all of your enterprise’s devices is a major catastrophe, and could put you out of business for good. The difference between the two often comes down to reaction time. To ensure the safety of your network, share drives and other devices, it’s essential that you disconnect the affected device from the network, internet and other devices as quickly as possible. The sooner you do so, the less likely it is that other devices will be infected.
2. Stop the spread: Because ransomware moves quickly—and the device with ransomware isn’t necessarily Patient Zero— immediate isolation of the infected device won’t guarantee that the ransomware doesn’t exist elsewhere on your network. To effectively limit its scope, you’ll need to disconnect from the network all devices that are behaving suspiciously, including those operating off-premises—if they’re connected to the network, they present a risk no matter where they are. Shutting down wireless connectivity (Wi-Fi, Bluetooth, etc.) at this point is also a good idea.
3. Assess the damages: To determine which devices have been infected, check for recently encrypted files with strange file extension names, and look for reports of odd file names or users having trouble opening files. If you discover any devices that haven’t been completely encrypted, they should be isolated and turned off to help contain the attack and prevent further damage and data loss. Your goal is to create a comprehensive list of all affected systems, including network storage devices, cloud storage, external hard drive storage (including USB thumb drives), laptops, smartphones, and any other possible vectors. At this point, it’s prudent to lock shares. All of them should be restricted if possible; if not, restrict as many as you can. Doing so will halt any ongoing encryption processes and will also keep additional shares from being infected while remediation occurs. But before you do that, you’ll want to take a look at the encrypted shares. Doing so can provide a useful piece of information: If one device has a much higher number of open files than usual, you may have just found your Patient Zero. Otherwise…
4. Locate Patient Zero: Tracking the infection becomes considerably easier once you’ve identified the source. To do so, check for any alerts that may have come from your antivirus/antimalware, EDR, or any active monitoring platform. And because most ransomware enters networks through malicious email links and attachments, which require an end user action, asking people about their activities (such as opening suspicious emails) and what they’ve noticed can be useful as well. Finally, taking a look at the properties of the files themselves can also provide a clue—the person listed as the owner is likely the entry point. (Keep in mind, however, that there can be more than one Patient Zero!)
5. Identify the ransomware: Before you go any further, it’s important to discover which variant of ransomware you’re dealing with. One way is to visit No More Ransom, a worldwide initiative Trellix is a part of. The site has a suite of tools to help you free your data, including the Crypto Sheriff tool: Just upload one of your encrypted files and it will scan to find a match. You can also use the information included in the ransom note: If it doesn’t spell out the ransomware variant directly, using a search engine to query the email address or the note itself can help. Once you’ve identified the ransomware and done a bit of quick research about its behavior, you should alert all unaffected employees as soon as possible so they’ll know how to spot the signs that they’ve become infected.
6. Report the ransomware to authorities: As soon as the ransomware is contained, you’ll want to contact law enforcement, for several reasons. First of all, ransomware is against the law—and like any other crime, it should be reported to the proper authorities. Secondly, according to the United States Federal Bureau of Investigation, “Law enforcement may be able to use legal authorities and tools that are unavailable to most organizations.” Partnerships with international law enforcement can be leveraged to help find the stolen or encrypted data and bring the perpetrators to justice. Finally, the attack may have compliance implications: Under the terms of the GDPR, if you don’t notify the ICO within 72 hours of a breach involving EU citizen data, your business could incur hefty fines.
7. Evaluate your backups: Now it’s time to begin the response process. The quickest and easiest way to do so is to restore your systems from a backup. Ideally, you’ll have an uninfected and complete backup created recently enough to be beneficial. If so, the next step is to employ an antivirus/antimalware solution to ensure all infected systems and devices are wiped free of ransomware—otherwise it will continue to lock your system and encrypt your files, potentially corrupting your backup. Once all traces of malware have been eliminated, you’ll be able to restore your systems from this backup and—once you’ve confirmed that all data is restored and all apps and processes are back up and running normally—return to business as usual. Unfortunately, many organizations do not realize the importance of creating and maintaining backups until they need them and they aren’t there. Because modern ransomware is increasingly sophisticated and resilient, some of those who do create backups soon find out that the ransomware has corrupted or encrypted them, too, rendering them completely useless.
8. Research your decryption options: If you find yourself without a viable backup, there’s still a chance you can get your data back. A growing number of free decryption keys can be found at No More Ransom. If one is available for the variant of ransomware you’re dealing with (and assuming you’ve wiped all traces of malware from your system by now), you’ll be able to use the decryption key to unlock your data. Even if you’re fortunate enough to find a decryptor, however, you’re not done yet—you can still expect hours or days of downtime as you work on remediation.
9. Move on: Unfortunately, if you have no viable backups and cannot locate a decryption key, your only option may be to cut your losses and start from scratch. Rebuilding won’t be a quick or inexpensive process, but once you’ve exhausted your other options, it’s the best you can do.

Why shouldn’t I just pay the ransom?

When faced with the possibility of weeks or months of recovery, it might be tempting to give in to a ransom demand. But there are several reasons why this is a bad idea:

• You may never get a decryption key. When you pay a ransomware demand, you’re supposed to get a decryption key in return. But when you conduct a ransomware transaction, you’re depending on the integrity of criminals. Many people and organizations have paid the ransom only to receive nothing in return—they’re then out tens or hundreds or thousands of dollars, and they still have to rebuild their systems from scratch.
• You could get repeated ransom demands. Once you pay a ransom, the cybercriminals who deployed the ransomware know you’re at their mercy. They may give you a working key if you’re willing to pay a little (or a lot) more.
• You may receive a decryption key that works—kind of. The creators of ransomware aren’t in the file recovery business; they’re in the moneymaking business. In other words, the decryptor you receive may be just good enough for the criminals to say they held up their end of the deal. Moreover, it’s not unheard of for the encryption process itself to corrupt some files beyond repair. If this happens, even a good decryption key will be unable to unlock your files—they’re gone forever.
• You may be painting a target on your back. Once you pay a ransom, criminals know you’re a good investment. An organization that has a proven history of paying the ransom is a more attractive target than a new target that may or may not pay. What’s going to stop the same group of criminals from attacking again in a year or two, or logging onto a forum and announcing to other cybercriminals that you’re an easy mark?
• Even if everything somehow ends up fine, you’re still funding criminal activity Say you pay the ransom, receive a good decryptor key, and get everything back up and running. This is merely the best worst-case scenario (and not just because you’re out a lot of money). When you pay the ransom, you’re funding criminal activities. Putting aside the obvious moral implications, you’re reinforcing the idea that ransomware is a business model that works. (Think about it—if no one ever paid the ransom, do you think they’d keep putting out ransomware?) Bolstered by their success and their outsized payday, these criminals will continue wreaking havoc on unsuspecting businesses, and will continue putting time and money into developing newer and even more nefarious strains of ransomware—one of which may find its way onto your devices in the future.