Ransomware 101

Ransomware is an evolving malware threat.  Where once malware was predominantly an inconvenience, ransomware takes aim at data, the lifeblood of the modern business.  Ransomware is malware that infects a computer with the intention of extorting money.

Infection methods

Ransomware infects a computer using similar methods to other malware such as drive-by attacks through malvertizing, phishing email, exploitation of vulnerabilities, or malicious attachments.  Phishing emails generally contain links that, once clicked, will reroute the user to an infected website. Unless the email is from a trusted source, or if there is any doubt, never click on the link or the attachment.

Online advertisements, known as malvertising, can be used to distribute ransomware.  Users can unknowingly receive ransomware by clicking or just viewing an ad containing ransomware droppers, code that installs ransomware onto a machine.  Some ads contain a script that checks browsers for exploitable vulnerabilities which are used to then install ransomware onto a machine.

Social media, text messages, and instant message applications can be used to entice friends, contacts, and followers to click a link.  Social media can also host images or active content that has ransomware downloaders embedded into it.

Mobile applications for smartphones and tablets are becoming more popular targets for ransomware. It is a best practice to only download mobile apps from a trusted source such as Google Play or the App Store.

Lastly, ransomware can enter a system the old fashioned way – through vulnerabilities. By not maintaining Windows or OS X system updates, a computer is left open to an attack.  Ransomware can spread from one machine to another.  Some malware has been known to move from smartphone to cloud applications and then to local networks and ransomware may implement the same attack strategy in the future.  Ensure that only authorized and secured devices are allowed to connect to your network.

For this reason, it is important to have robust antivirus software installed on each machine, email filtering to screen out phishing messages and malicious attachments, ad blockers to prevent malvertizing, and monitoring and intrusion detection systems to detect the signs of ransomware on a network.

There are three types of ransomware.  File encryptors, drive encryptors, and lockers.

File encryptors

Once resident on a machine, file encryptors will encrypt work product such as documents, spreadsheets, photos, databases, email, presentations, schematics, calendars, and other important information on a machine.  File encryptors are the most popular form of ransomware.  An encryption key is generated and then used to encrypt file or other encryption keys that encrypt the files.

Driver encryptors

Similar to file encryptors, drive encryptors encrypt the entire hard drive of a machine so that users cannot access any of the data on the drive.  Some variants of drive encryptors only encrypt the file table, a small file at the beginning of a drive that describes where files are at and what their names are.  In such cases, files can be restored but they will not have names associated with them.

Lockers

Lockers do not actually encrypt any data.  Instead, a locker prevents a user from getting to a system in order to access their data.  Lockers are most popular on mobile devices where a single app often consumes the entire workspace.  Lockers prevent navigating away from their screen demanding payment and load themselves into the startup routine so that mobile devices or computers return to the ransom message even when restarted.

No matter which forms ransomware takes, each type will demand payment in order to receive the decryption keys.  Ransomware is an industry so a significant percentage of those who pay the ransom receive their decryption keys and can get their data back.  However, due to technical flaws or just greed, some extortionists do not provide the decryption keys even when paid the ransom.  Some extortionists will demand additional payment after an initial payment is made.  In other words, there is no guarantee that you will be able to get your data back by paying a ransom so it is essential that you back up your data so that it can be restored if ransomware strikes.



About The Author


Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.

Leave a Reply