What is Ransomware?
Ransomware is a form of malware that locks users out of their systems and demands money to restore access. It typically reaches a system through malicious email attachments, compromised web pages and malvertisements, exploit kits or droppers delivered by other malware, or directly through an unpatched vulnerability, as the EternalBlue exploit used by WannaCry did. Once on the system, it encrypts critical files on the PC and on attached file shares. The victim then receives a message stating that a crime has been committed and that a ransom must be paid to unlock the data.
In the early days of ransomware, small groups of criminals attacked individuals and businesses, usually in order to steal credentials or find vulnerabilities. Once ransomware became a business, organized gangs began advertising on dark web forums and recruiting affiliates to carry out attacks on their behalf. This led to improvements in the malware itself: stealing passwords, finding more vulnerabilities, and making it harder for antivirus scanners to detect.
Once the malware is in a system, it starts encrypting files. It is selective about which files it encrypts, and it will often delete shadow copies and backups so that the files cannot be recovered without the decryption key. The attackers may provide a decryption key after payment, but this is not guaranteed.
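As an added example (not code from the original article), a small Python detector that looks at the behaviour described above from the defender's side: a process that rewrites many files as near-random (encrypted) data, or renames them with a ransom extension, inside a short window is flagged, while a single ordinary save is not. The event format, process names, file paths, extensions and thresholds are constructed assumptions for this example.

```python
import math
import random
from collections import Counter, defaultdict

# Assumed/constructed: extensions ransomware families commonly append (example values only).
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, near 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def change_reasons(path, before, after, min_jump=2.5, high=7.0):
    """Why one file write looks like encryption (empty list means benign)."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    reasons = []
    if e_after >= high and e_after - e_before >= min_jump:
        reasons.append(f"entropy {e_before:.2f}->{e_after:.2f}")
    if path.lower().endswith(RANSOM_EXTENSIONS):
        reasons.append("ransom extension")
    return reasons

def find_encrypting_processes(events, window=60, threshold=5):
    """events: dicts with ts (seconds), proc, path, before, after (a file-monitor view).
    Flags a process with >= threshold encryption-like writes inside `window` seconds."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if change_reasons(ev["path"], ev["before"], ev["after"]):
            hits[ev["proc"]].append(ev["ts"])
    flagged = {}
    for proc, ts in hits.items():
        if any(ts[i + threshold - 1] - ts[i] <= window for i in range(len(ts) - threshold + 1)):
            flagged[proc] = len(ts)
    return flagged

def sample_events():
    """Constructed data: one process overwrites eight reports on a share with random bytes."""
    rng = random.Random(7)
    text = b"Quarterly report: revenue up 4%, costs flat, headcount unchanged. " * 60
    events = [{"ts": 100 + i * 3, "proc": "updater.exe", "before": text,
               "path": f"\\\\fs01\\finance\\report{i}.docx.locked",
               "after": bytes(rng.getrandbits(8) for _ in range(4096))} for i in range(8)]
    events.append({"ts": 105, "proc": "winword.exe", "path": "C:\\Users\\ann\\memo.docx",
                   "before": text, "after": text + b"Reviewed by finance."})  # benign save
    return events

if __name__ == "__main__":
    print(find_encrypting_processes(sample_events()))  # {'updater.exe': 8}
```

The burst requirement keeps a single legitimate encrypted save or archive from alerting; real monitors would feed file-change events from EDR or audit logs instead of the constructed list.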
If an organization suffers a ransomware attack, the best course of action is to follow its incident response plan. This should include isolating the infected system components and powering them down so that the malware cannot spread further, removing all infected systems, restoring data from clean backups, and scanning all restored data for ransomware. Once the data is restored, all system and network passwords should be changed. Finally, the organization should decide whether or not to report the attack to law enforcement.