BotNet News

Ransomware

Ransomware is malware that encrypts files on an infected system or network, preventing users and other software from accessing them until a ransom is paid. Attackers usually choose the files to encrypt carefully so that the operating system and critical functions keep working, and they often delete backups and shadow copies as well to make recovery without the decryption key more difficult.

Ransomware attacks typically start with a malicious email attachment or a click on a malicious link. The malware infects one or more systems and, once it has contacted a command-and-control server, spreads to additional computers and network devices through common routes such as Remote Desktop Protocol access or malicious macros in Microsoft Office documents.
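The backup and shadow-copy deletion described above, together with the Office-macro delivery path, leaves a recognisable trace in process-creation telemetry. The following detection logic is an added example and not part of the original article; it runs over constructed sample events in a hypothetical log format, flags the command lines commonly used to destroy shadow copies and recovery options, raises the severity when an Office application is the parent process, and reports hosts where several techniques appear together.

```python
import re
from collections import namedtuple

# Constructed sample process-creation events (not real telemetry), one per line:
# "<timestamp> host=<host> user=<user> parent=<parent image> cmd=<command line>"
SAMPLE_EVENTS = """\
2024-05-01T10:02:11Z host=ws-17 user=alice parent=explorer.exe cmd=notepad.exe C:\\notes.txt
2024-05-01T10:05:42Z host=ws-17 user=alice parent=winword.exe cmd=cmd.exe /c vssadmin delete shadows /all /quiet
2024-05-01T10:05:43Z host=ws-17 user=alice parent=cmd.exe cmd=wmic shadowcopy delete
2024-05-01T10:05:44Z host=ws-17 user=alice parent=cmd.exe cmd=wbadmin delete catalog -quiet
2024-05-01T10:06:00Z host=srv-02 user=backupsvc parent=services.exe cmd=vssadmin list shadows
2024-05-01T10:07:10Z host=ws-17 user=alice parent=cmd.exe cmd=bcdedit /set {default} recoveryenabled no
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                      r"parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")

# Command lines that destroy shadow copies, backup catalogs or recovery options.
# Listing shadows (vssadmin list shadows) is routine admin work and is not matched.
TAMPER_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin delete catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit recovery disabled": re.compile(r"\bbcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
}
# An Office process as parent ties the command to the macro delivery path described above.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
Alert = namedtuple("Alert", "ts host user technique severity")


def detect_backup_tampering(log_text):
    """Return one Alert per event whose command line matches a tampering pattern."""
    alerts = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        for technique, pattern in TAMPER_PATTERNS.items():
            if pattern.search(m["cmd"]):
                severity = "critical" if m["parent"].lower() in OFFICE_PARENTS else "high"
                alerts.append(Alert(m["ts"], m["host"], m["user"], technique, severity))
                break  # one alert per event
    return alerts


def hosts_with_multiple_tampering(alerts, threshold=2):
    """Hosts showing several distinct tampering techniques are the strongest ransomware signal."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.technique)
    return {host for host, techs in seen.items() if len(techs) >= threshold}
```

On the sample events this yields four alerts (the first at critical severity because Word spawned it) and singles out ws-17 as the host under active tampering.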

Once the infection has spread, the attackers display a ransom note on the infected computer’s screen announcing the attack and demanding payment to unlock the victim’s files. Payment is usually demanded in a cryptocurrency such as Bitcoin, which makes it nearly impossible to trace the cybercriminals.

In some instances, attackers also threaten to publicly expose or sell the victim’s data, which gives victims a stronger incentive to pay. The first ransomware to combine file encryption and theft was a virus called Maze, which was mailed on floppy disks to AIDS researchers in 1989.

Many cybersecurity experts advise organizations to follow their written incident response plan in the event of a ransomware attack, and specifically to consult their attorney from the outset so that communications with the threat actors are protected by attorney-client privilege or the attorney work product doctrine. A lawyer can also help evaluate whether the company’s cyber insurance policy would cover a potential ransom payment and help avoid the risk of class-action lawsuits.