BotNet News

Your source for Online Security News

Ransomware is malware that encrypts files on infected systems, rendering them inaccessible, and then displays a ransom note demanding payment, typically in a cryptocurrency such as Bitcoin. Attackers may also threaten to delete the data, raise the ransom amount, or publish stolen information publicly if the victim does not pay. Victims can restore encrypted data from backups, if intact backups exist. Decrypting the files without the attacker's key is only possible for families with flawed cryptography or leaked keys, for which free decryptors are sometimes published; for a correctly implemented family, professional help cannot break the encryption itself.

Attackers often gain initial access by exploiting vulnerabilities in exposed web applications and network infrastructure. Depending on the initial access vector, they may first deploy a remote access trojan (RAT) to establish a foothold, then steal data, and only afterwards deploy the ransomware to encrypt files.

Once attackers are inside a network, they can reach the devices and applications they want to target. They are selective about which files they encrypt, and they commonly delete backups and Volume Shadow Copies on the affected systems so that recovery without paying is harder.
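Because shadow-copy and backup-catalog deletion is one of the most consistent precursors to the encryption phase, it is worth alerting on it. The following is an added example, not code from this article or from any vendor: a small detector that scans process-creation events (the field names `host`, `user`, `cmd` are a simplified stand-in for Sysmon Event ID 1 or Windows 4688 fields, and the sample events are constructed) for the well-known shadow-copy and recovery-disabling command lines, and escalates a host where more than one distinct technique appears.

```python
"""Detect shadow-copy and backup deletion commands in process-creation logs.

Added illustration; the event format is a simplified, assumed schema
(host, user, cmd) and the events below are constructed, not real telemetry.
"""
import re
from typing import Dict, List

# Constructed sample process-creation events, roughly in the order an EDR
# or Sysmon export might show them during a ransomware deployment.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "FS01", "user": "svc_backup",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" list shadows'},          # benign
    {"host": "FS01", "user": "jdoe",
     "cmd": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "user": "jdoe",
     "cmd": r"wmic shadowcopy delete"},
    {"host": "DC01", "user": "SYSTEM",
     "cmd": r"wbadmin delete catalog -quiet"},
    {"host": "DC01", "user": "SYSTEM",
     "cmd": r"bcdedit /set {default} recoveryenabled No"},
    {"host": "WS07", "user": "asmith",
     "cmd": r'powershell -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    {"host": "WS07", "user": "asmith",
     "cmd": r"notepad.exe C:\Users\asmith\notes.txt"},                     # benign
]

# Each rule names a recovery-inhibition technique and matches its command line.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_backup",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("powershell_wmi_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event whose command line matches a rule."""
    alerts = []
    for ev in events:
        for technique, pattern in RULES:
            if pattern.search(ev["cmd"]):
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "technique": technique, "cmd": ev["cmd"]})
                break  # one alert per event is enough
    return alerts


def summarize(alerts: List[Dict[str, str]]) -> Dict[str, str]:
    """Rate each host: 'high' when two or more distinct techniques were seen,
    which is far more characteristic of ransomware than a lone admin command."""
    techniques_by_host: Dict[str, set] = {}
    for a in alerts:
        techniques_by_host.setdefault(a["host"], set()).add(a["technique"])
    return {host: ("high" if len(t) >= 2 else "medium")
            for host, t in techniques_by_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['host']}] {a['user']}: {a['technique']} <- {a['cmd']}")
    print(summarize(found))
```

The benign `vssadmin list shadows` and the editor launch produce no alert; the two file-server commands, the two domain-controller commands and the PowerShell WMI deletion do. In production these commands are also run by backup administrators, so the host-level escalation and a suppression list for known backup accounts and jobs keep the noise manageable; the logic is the same whether the events come from Sysmon, the Security log or an EDR.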

Some ransomware variants also include worm capabilities, letting them self-propagate between systems and domains instead of relying solely on the operators moving laterally by hand. Ryuk, which has been linked to attacks on hospitals and other high-profile targets, was reported in 2021 to have gained such a self-spreading variant. The May 2021 attack on Colonial Pipeline, which was carried out with DarkSide ransomware rather than Ryuk, temporarily shut down a pipeline that carries roughly 45% of the fuel consumed on the US East Coast.

Once an organization discovers a ransomware infection, the first step is to isolate the affected devices from the network immediately, including disabling their wireless connectivity, so the malware cannot spread further. Disconnect rather than power off where possible: the running process and memory contents are useful for forensics and, for some families, for recovering keys. Keep a copy of the ransom note and an encrypted sample so the family can be identified. Then run security software on all systems and devices to detect and remove the ransomware. Note that removal stops further encryption but does not restore files that are already encrypted; those must come from backups or, where one exists, a decryptor.