Ransomware is a general name for a class of malware that holds a victim’s data hostage until a ransom payment is made to the attacker.
Ransomware is probably best known for its ability to encrypt a victim’s data. The encrypted data will typically remain encrypted until the victim pays for a decryption key. Not all ransomware aims to encrypt a victim’s data, however. Doxware, for example, threatens to publicly expose the victim’s data instead.
Ransomware infections can occur through various means. These can include users engaging with phishing emails, downloading software from untrustworthy sources, or visiting infected websites. With email, the victim may receive a message that prompts them to click a malicious URL or open an infected attachment.
At a broad level, there are two categories of ransomware: automated ransomware and human-operated ransomware. Automated ransomware is installed as a result of something that the user did (e.g., opening an infected email attachment). Once installed, it operates autonomously. Human-operated ransomware, meanwhile, is executed by an attacker who has created a backdoor in the victim’s system. After the attacker uses the backdoor to thoroughly explore the system and possibly steal data, they plant ransomware on the compromised system.
Countless types of ransomware exist in the wild today. Some of the more common categories of ransomware include the following.
Crypto ransomware is probably the best known of all ransomware types. Crypto ransomware encrypts a victim's files and demands a ransom payment for a decryption key.
Locker ransomware prevents the victim from accessing their device until a ransom is paid. Locker ransomware might prevent access by changing the device’s password, effectively locking out the device’s owner.
Doxware, sometimes known as leakware, steals the victim’s data and threatens to expose the data to the public unless a ransom is paid. Unlike traditional ransomware that encrypts files or locks the device, doxware exfiltrates data for extortion purposes.
Scareware is a type of fake ransomware that displays an ominous warning on the victim’s device and demands a ransom payment. It is designed to trick the victim into thinking their device has been compromised but is ultimately harmless. The attacker’s goal is to deceive the victim into paying a ransom.
Ransomware as a service is an online service that cybercriminals can use to create ransomware even if they lack technical skills. It is essentially a do-it-yourself ransomware kit, and the service’s operator gets a percentage of each ransom paid. Ransomware as a service can create any of the previously discussed ransomware types.
Unfortunately, there is no magic formula for preventing ransomware attacks. However, you can take important steps to reduce your chances of falling victim.
Antivirus software acts as a first line of defense against ransomware, although it’s not guaranteed to catch all threats. It’s important to use reputable antivirus software, as some free options found online may contain malware.
It’s critical to install software updates as soon as they become available. More specifically, you need to update your operating system, antivirus software, and applications.
The most common way ransomware attacks occur is through email messages and websites. To avoid such attacks, never open suspicious email attachments or click on links within messages unless they are verified to be legitimate. Additionally, you must avoid downloading anything from unfamiliar websites.
Some human-operated ransomware attacks use stolen passwords. As such, make sure that you are using strong, unique passwords for each account.
By using the available security settings on your computer, you may be able to prevent or minimize the damage caused by a ransomware infection. It's important to enable the security settings that are appropriate to your situation.
Backups are the most effective way to recover from a ransomware infection. Make sure that you are regularly backing up your computer.
To protect your data during a ransomware attack, it is recommended to use an offline backup, also known as an air-gapped backup. An air-gapped backup is often the last resort for recovering your data following a severe ransomware attack.
Ransomware typically needs time to complete its mission and so doesn’t display its ransom demand until after the damage is done. During that time, there are often subtle signs that an attack is underway. Signs can include large amounts of unexplained disk activity, unrecognized programs appearing on your computer, slow or unstable computer performance, or corrupted files.
The most common way ransomware spreads is through a user clicking a malicious link in a phishing message. However, ransomware can also be spread by a user downloading and installing an infected application, opening an infected email attachment, or visiting a malicious website.
Some ransomware contains backdoors that an attacker can use to access the victim’s system. Other types of ransomware are designed to act as “droppers”: the ransomware downloads and installs additional malware, including backdoors.
The best way to deal with a ransomware infection is to format the disk, reinstall clean copies of the operating system and applications, and restore data from backups. It is crucial to make sure that your system is entirely clean before restoring any data. Otherwise, your backup may become infected.
It’s always best to avoid paying a ransom if possible. Paying a ransom emboldens the attacker and helps to fund future ransomware efforts. Besides that, paying the ransom doesn’t guarantee you will receive the decryption key (you’re dealing with criminals after all). Additionally, the attacker may demand even more money once you have paid the initial ransom.
The only guaranteed method to restore encrypted files is to restore them from a known good backup. If you do not have a backup, check to see if anyone has posted a decryption key online (but be careful not to be tricked into downloading even more ransomware in the process). Some websites offer decryption keys for common ransomware variants.
To prevent ransomware attacks, it is essential to avoid risky behaviour like opening untrusted email attachments or clicking suspicious links. Using antimalware software and keeping your software up to date is also important. Application whitelists can be used to prevent unauthorized software from running on your system. For example, Windows operating systems include a tool called AppLocker that can help to prevent ransomware from executing.
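As an added example (not part of the original article), the following PowerShell builds the kind of AppLocker allowlist described above: executables already installed in the standard program directories are allowed, anything else (such as a binary dropped into a user's temp folder) is not. It assumes an elevated session on a Windows edition that ships the AppLocker module, and the temp-folder path used for the test is a constructed illustration.

```powershell
# Added example: build, audit and test an AppLocker executable allowlist.
# Assumes: elevated PowerShell, Windows edition with the AppLocker module.

# AppLocker rules are enforced by the Application Identity service.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Collect file information for executables in the trusted install
#    locations. Publisher rules are preferred (they survive updates);
#    unsigned binaries fall back to hash rules.
$trustedDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")
$trusted = Get-ChildItem -Path $trustedDirs -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Get-AppLockerFileInformation -ErrorAction SilentlyContinue

# 2. Generate the allowlist policy as XML. Once any rule exists in the Exe
#    collection, executables matching no rule are denied.
$policyXml = New-AppLockerPolicy -FileInformation $trusted `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix Allowlist -Optimize -Xml

# 3. Start in audit mode so legitimate software that was missed shows up in
#    the event log instead of being blocked outright.
$xml = [xml]$policyXml
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policyFile = Join-Path $env:TEMP 'AppLocker-Allowlist.xml'
$xml.Save($policyFile)

# 4. Check how the policy would treat executables sitting in a user-writable
#    location (constructed test path; this is where dropped binaries often land).
$candidates = Get-ChildItem -Path "$env:LOCALAPPDATA\Temp" -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidates -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Apply the policy (merged with any existing local policy). Switch
#    EnforcementMode to 'Enabled' after reviewing the audit events.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Audit-mode events (ID 8003 = would have been blocked) appear here:
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```

Run the audit phase for long enough to cover a normal work cycle before enabling enforcement, so that rarely used but legitimate programs are added to the allowlist rather than blocked.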
Kamal Rastogi is a serial IT entrepreneur with more than 25 years of experience. Currently his focus areas are the Data Science business, ERP Consulting, IT Staffing and Experttal.com (a fast-growing US-based platform for hiring verified, risk-compliant expert IT resources directly from talent-rich countries such as India, Romania and the Philippines). His firms serve clients such as KPMG, Deloitte, EnY, Samsung, Wipro and NCR Corporation in India and the USA.