Anatomy of a Ransomware Attack
February 14, 2023
By Jorge Bolanos
Was it curiosity, or panic after receiving a terrifying message that your data is being held for ransom, that led you to this article? Ransomware is a type of malware that encrypts a victim's files and demands a ransom in exchange for the key that will decrypt them. Most attackers’ goal today is to maintain undetected access to the system for as long as possible, stealing valuable information that can be used to commit fraud or sold on the dark web. The ransom demand may even serve to divert attention from the real breach: the havoc and confusion it causes make forensic investigation difficult.
There are several types of ransomware, including:
- Lockers: This type of ransomware prevents the victim from accessing their system or certain files. The victim is usually presented with a message demanding payment to regain access to their system or files.
- Cryptoviral Extortion: This encrypts the victim's files and demands payment in exchange for the decryption key. The victim is usually given a deadline to pay the ransom, after which the price will increase or the decryption key will be destroyed.
- Scareware: Designed to trick the victim into thinking their system has been compromised and that they need to pay to fix the problem. Scareware often uses fake antivirus or security software to persuade the victim to pay for a "solution" to a nonexistent problem.
Ransomware can be devastating for individuals and organizations: it can result in the loss of important data, disrupt critical operations and become a PR nightmare. Often the largest cost is lost revenue, which is hard to quantify after such an event. There are a few ways that ransomware can initially gain access to a computer:
- Email Attachments: Attackers often send ransomware through email attachments, disguised as legitimate files. When the user opens the attachment, the ransomware is downloaded and installed on the computer.
- Drive-by Downloads: A drive-by download is when a user visits a malicious website, and the ransomware is automatically downloaded and installed on the computer.
- Malvertising: This is the use of online advertising to spread malware. When a user clicks on an ad, the ransomware is downloaded and installed on the computer.
- Exploiting Vulnerabilities: Attackers can also use vulnerabilities in software or operating systems to install ransomware on a computer.
Ransomware uses strong encryption algorithms to encrypt files on a victim's computer. When a file is encrypted, it becomes unreadable and cannot be accessed without the decryption key. The attackers typically demand payment from the victim in exchange for the decryption key, which they claim they will provide upon receipt of payment. The exact process of how ransomware encrypts files varies depending on the specific type of ransomware; however, the general process is as follows:
- The ransomware is installed on the victim's computer, either through email attachments, drive-by downloads, malvertising or exploiting vulnerabilities in software or operating systems;
- The ransomware scans the victim's computer for specific file types, such as documents, images and videos;
- The ransomware uses a strong encryption algorithm, such as the Advanced Encryption Standard (“AES”) or Rivest-Shamir-Adleman (“RSA”), to encrypt the files it has identified;
- The ransomware displays a ransom note on the victim's computer, demanding payment in exchange for the decryption key;
- The victim is given a deadline to pay the ransom, after which the attackers may threaten to delete the decryption key or increase the ransom amount.
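A defender's counterpart to the encryption steps above, and one way to shorten the time it takes to identify an infection: an added example (not code from the original article) that plants decoy "canary" documents of the file types ransomware targets and flags any that go missing, get renamed, or turn from known plaintext into high-entropy bytes. The decoy names, their content and the entropy threshold are assumptions chosen for this illustration.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path

# Canary ("honeyfile") detection: plant decoys with the extensions the article
# says ransomware scans for (documents, images, videos). A scan that encrypts
# everything matching those extensions rewrites the decoys too, turning known
# low-entropy plaintext into near-random ciphertext. Names are constructed.
CANARY_NAMES = ["00_budget.docx", "00_invoice.pdf", "00_photo.jpg"]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: repetitive text scores low, ciphertext scores close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plant_canaries(directory: Path) -> dict:
    """Write decoys with known, deliberately boring content; return {path: sha256}."""
    directory.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        p = directory / name
        p.write_bytes(b"CANARY-DO-NOT-EDIT " * 200)  # low entropy by construction
        baseline[p] = sha256(p)
    return baseline

def check_canaries(baseline: dict, entropy_threshold: float = 6.5) -> list:
    """Return (path, reason) for any canary that is missing, altered or looks encrypted."""
    findings = []
    for p, digest in baseline.items():
        if not p.exists():
            findings.append((p, "missing or renamed"))  # encrypted files often get a new extension
            continue
        if sha256(p) != digest:
            reason = "content changed"
            if shannon_entropy(p.read_bytes()) >= entropy_threshold:
                reason += ", now high-entropy (likely encrypted)"
            findings.append((p, reason))
    return findings

if __name__ == "__main__":
    import tempfile
    base = plant_canaries(Path(tempfile.mkdtemp()) / "shared")
    print(check_canaries(base) or "all canaries intact")
```

Entropy alone is a poor signal for real .docx or .jpg files, which are already compressed; the decoys work because their plaintext is known and low-entropy, so any change is unambiguous.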
Mitigation and Remediation
Be cautious when opening emails, downloading attachments and clicking on links from unknown sources. Use a reputable antivirus program, keep all software and operating systems up to date and have all staff undergo mandatory cybersecurity training to reduce the risk of falling victim to a ransomware attack. Businesses should strive to reduce the time needed to identify such a threat, since the sooner it is detected the smaller its impact. If you think your computer has been infected with ransomware, there are a few steps you can take:
- Disconnect from the Internet. Disconnecting from the internet will prevent the ransomware from encrypting any more of your files and will also prevent the attacker from receiving payment if you choose to pay the ransom.
- Run a malware scanner. Use a reputable malware scanner to detect and remove the ransomware. Keep in mind that some ransomware is able to evade detection by malware scanners, so this may not always be effective.
- Restore from a backup. If you have a recent backup of your files, you can restore your computer from the backup to remove the ransomware. This is the most effective way to remove ransomware and recover your files, but it requires having a recent backup.
- Consider paying the ransom. As a last resort, you may consider paying the ransom if you don't have a recent backup and the encrypted files are extremely valuable to you.
It is generally not recommended to pay the ransom, as this may encourage the attackers to continue their activities and potentially lead to more attacks on your systems or those of others.
Paying the ransom does not guarantee that the attackers will actually provide the decryption key or restore access to the encrypted files. In some cases, the attackers may simply take the payment and not provide the decryption key. Instead, try to restore from a backup or use other methods to recover the encrypted files.
It's always best to try to prevent ransomware infections in the first place by following best practices for computer security.