How Ransomware Works
Ransomware is malware that extorts money from businesses of all sizes in exchange for the keys to unlock encrypted files. Understanding how ransomware works helps businesses defend against it.
Ransomware attacks are increasing in frequency and severity, threatening the livelihoods of many organizations. The FBI recommends organizations report cyber incidents to law enforcement immediately. This will help identify attackers and enable the FBI to leverage its partnership with industry to stop new threats, including ransomware.
Attackers distribute ransomware through multiple methods, including phishing, malvertising, RDP attacks and exploit kits. Once the malware gains access to a system, it begins encrypting files, replacing each original with an encrypted copy that can only be unlocked with a key the attackers control. Some ransomware variants also delete backups and shadow copies to make recovery more difficult.
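The encryption stage described above leaves a measurable trace: a single process rewriting many files whose contents suddenly look like random bytes. The following is an added example, not code from the original article, showing how a defender can score written data by Shannon entropy and flag a burst of ciphertext-like rewrites from one process while leaving a slow backup tool alone. The event format (timestamp, process, path, bytes written), the process names, the file paths and the thresholds are all constructed assumptions for this example.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Documents sit around 4-5; ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Thresholds are assumptions chosen for this example, not tuned production values.
ENTROPY_THRESHOLD = 7.5   # bits/byte above which a written file looks encrypted
BURST_THRESHOLD = 5       # this many ciphertext-like rewrites by one process ...
WINDOW_SECONDS = 10       # ... within this many seconds raise an alert


def detect_mass_encryption(events, entropy_threshold=ENTROPY_THRESHOLD,
                           burst_threshold=BURST_THRESHOLD, window=WINDOW_SECONDS):
    """events: iterable of (timestamp_seconds, process_name, path, bytes_written).

    Returns [(process_name, window_start_ts, files_in_window)] for every process
    that rewrote at least `burst_threshold` files with ciphertext-like content
    inside any `window`-second span. Slow, isolated high-entropy writes
    (archives, legitimate encryption tools) never reach the burst threshold.
    """
    per_process = defaultdict(list)
    for ts, proc, _path, content in events:
        if shannon_entropy(content) >= entropy_threshold:
            per_process[proc].append(ts)

    alerts = []
    for proc, times in per_process.items():
        times.sort()
        best, best_start, start = 0, None, 0
        for end in range(len(times)):          # sliding window over write times
            while times[end] - times[start] > window:
                start += 1
            size = end - start + 1
            if size > best:
                best, best_start = size, times[start]
        if best >= burst_threshold:
            alerts.append((proc, best_start, best))
    return alerts


# --- Constructed sample data (not real telemetry) ---------------------------
TEXT_SAMPLE = (b"Quarterly report: revenue grew, costs were flat, and the board "
               b"approved the plan for next year. ") * 40
# Deterministic stand-in for ciphertext: 128 concatenated SHA-256 digests (4096 bytes).
CIPHER_SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

SAMPLE_EVENTS = (
    # a word processor saving documents normally: low entropy, never counted
    [(t, "winword.exe", f"C:\\Users\\alice\\doc{t}.docx", TEXT_SAMPLE) for t in range(6)]
    # a backup tool writing compressed archives slowly: high entropy, but no burst
    + [(t, "backup.exe", f"D:\\archive\\set{t}.bak", CIPHER_SAMPLE) for t in (200, 400, 600)]
    # an unknown process rewriting many files as ciphertext within a few seconds
    + [(100 + t, "unknown.exe", f"C:\\Users\\alice\\doc{t}.docx.locked", CIPHER_SAMPLE)
       for t in range(7)]
)

if __name__ == "__main__":
    print(f"text entropy   = {shannon_entropy(TEXT_SAMPLE):.2f} bits/byte")
    print(f"cipher entropy = {shannon_entropy(CIPHER_SAMPLE):.2f} bits/byte")
    for proc, start, count in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"ALERT {proc}: {count} ciphertext-like rewrites starting at t={start}s")
```

Entropy alone is not a verdict: compressed archives, images and legitimately encrypted files all score near 8 bits/byte, which is why the detector keys on the rate of such rewrites per process rather than on any single file. In a real deployment the events would come from file-system or EDR telemetry, and the thresholds would be tuned against the environment's normal write patterns.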
Once the files are encrypted, the victim receives a message from the attackers demanding payment in exchange for the decryption keys. Many companies and individuals have paid the ransom, but some have found that they still can’t recover their data even after paying. And since payments to criminals are often untraceable, victims may face repeated ransom demands or find themselves out large sums of money.
Some recent ransomware strains are more sophisticated than ever, with attacks that target a wider range of business sectors and use advanced techniques. For example, BlackMatter ransomware used double extortion and command and control via Tor to evade detection by security tools. Another notable strain is Maze, which first combined file encryption with data theft and threatened to publicly expose victims’ private information if they didn’t pay the ransom.