How Does Ransomware Work?

What is Ransomware?

Ransomware is a type of malicious software designed to block access to a computer system or computer files until a sum of money is paid. Most ransomware variants encrypt the files on the affected computer, making them inaccessible, and demand a ransom payment to restore access.

Ransomware code is often not sophisticated, but it doesn't need to be: unlike many types of traditional malware, it usually does not need to remain undetected for long in order to achieve its goal. This relative ease of implementation, combined with high profit potential, attracts both sophisticated cybercrime actors and novices to running ransomware campaigns.

How does Ransomware Spread?

Most ransomware is delivered via email that appears to be legitimate, enticing you to click a link or download an attachment that delivers the malicious software. Ransomware is also delivered via drive-by-download attacks on compromised or malicious websites. Some ransomware attacks have even been sent using social media messaging.

Generic ransomware is rarely individually targeted; it is distributed with a “shotgun” approach in which attackers acquire lists of email addresses or compromised websites and blast out ransomware indiscriminately. Given the number of attackers out there, if you get hit multiple times it will likely be by a different attacker each time.

Whether or not the ransom is paid, keep in mind that attackers will always try to extract useful data from a compromised machine. Assume all sensitive data on the machine was compromised, which could include usernames and passwords for internal or web resources, payment information, email addresses of contacts, and more.

How to Prevent Ransomware

Unfortunately, the methods that companies use to protect themselves from ransomware haven’t kept pace with the malware authors. However, there are a few actions that organizations can take to help mitigate risk and limit the fallout of a ransomware attack.

The most important thing that organizations can do is make sure that they regularly and consistently back up data, and also filter out potentially malicious websites and emails. If a ransomware attack is successful, they will at least have their important data accessible elsewhere.
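The filtering step above is easiest to understand as a concrete policy applied to each inbound message. The following is an added example written for this page, not Cybereason's code or any product's logic: it parses a raw message with Python's standard `email` package and applies an assumed policy (the extension lists, the allowed link hosts, and the sample messages are all constructed for illustration) that blocks executable attachments, quarantines macro-enabled documents, and flags links to hosts outside an allow list.

```python
"""Inbound-mail policy check (added example; policy values are assumed)."""
import re
from email.message import EmailMessage
from email.parser import BytesParser
from email.policy import default as default_policy
from urllib.parse import urlparse

# Assumption: extensions that run code when opened from a mail client.
EXECUTABLE_EXT = {"exe", "scr", "js", "jse", "vbs", "vbe", "hta",
                  "bat", "cmd", "ps1", "wsf", "lnk"}
# Assumption: macro-enabled Office formats are quarantined, not blocked outright.
MACRO_EXT = {"docm", "xlsm", "pptm"}
# Assumption: link hosts this organisation treats as known-good.
ALLOWED_LINK_HOSTS = {"example.com", "intranet.example.com"}
# Document-looking extensions that are used to disguise a double extension.
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def attachment_findings(filename):
    """Return policy findings for one attachment filename."""
    findings = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in EXECUTABLE_EXT:
        findings.append(f"block: executable attachment '{filename}'")
        # 'invoice.pdf.exe' style names disguise an executable as a document
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXT:
            findings.append(f"block: double extension disguises '{filename}' as a document")
    elif ext in MACRO_EXT:
        findings.append(f"quarantine: macro-enabled document '{filename}'")
    return findings


def link_findings(text):
    """Flag every URL whose host is not on the allow list."""
    findings = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in ALLOWED_LINK_HOSTS:
            findings.append(f"flag: link to unlisted host '{host}'")
    return findings


def check_message(raw_bytes):
    """Apply the policy to a raw RFC 5322 message; returns (verdict, findings)."""
    msg = BytesParser(policy=default_policy).parsebytes(raw_bytes)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            findings.extend(attachment_findings(fname))
        elif part.get_content_type() in ("text/plain", "text/html"):
            findings.extend(link_findings(part.get_content()))
    # The most severe finding decides the verdict.
    if any(f.startswith("block") for f in findings):
        verdict = "block"
    elif any(f.startswith("quarantine") for f in findings):
        verdict = "quarantine"
    elif findings:
        verdict = "flag"
    else:
        verdict = "deliver"
    return verdict, findings


def build_sample(attachment_name, body):
    """Construct a sample message (test data, not a real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content(body)
    msg.add_attachment(b"\x00\x01", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    body = "See http://intranet.example.com/pay or http://pay-now.invalid/x"
    for name in ("Invoice.pdf.exe", "report.docm", "notes.txt"):
        verdict, findings = check_message(build_sample(name, body))
        print(name, "->", verdict, findings)
```

The verdict order (block over quarantine over flag) matters: a message is judged by its worst part, so a harmless body cannot rescue a dangerous attachment. In a real gateway the allow list would come from configuration rather than a constant, and archives would be opened and checked recursively.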

Organizations can also deploy an anti-ransomware technology in order to prevent the execution of ransomware, either as a standalone tool or incorporated into the organizational anti-malware platform. Cybereason offers RansomFree, a free tool to protect PCs and servers from ransomware attacks.

Understanding the Economics of Ransomware

According to the DOJ, an average of 4,000 ransomware attacks occurred per day in 2016 in the U.S., a 4x increase over 2015. The FBI reports that more than $1 billion in ransoms was paid in 2016, up from $240 million in 2015. In April 2017, Verizon published its 2017 Data Breach Investigations Report (DBIR), which confirmed the rise in these attacks.

The spikes are extreme, but for those familiar with ransomware they come as no surprise. Ransomware is simple to create and distribute and offers cybercriminals an extremely low-risk, high-reward business model for monetizing malware. Combine that with how unprepared most companies and people are to deal with ransomware, and it is no wonder that it has become the fastest growing cyber threat to date.

Ransomware purveyors are often savvy e-marketers who know their targets. It is not uncommon for a ransomware gang to run multiple campaigns at the same time, with tiered pricing based on a variety of parameters such as vertical industry, region, age, etc. While ransoms have surpassed the hundreds-of-thousands mark, the goal is to set a price that makes it either cheaper or easier for the victims to pay the ransom than to recreate or restore the compromised systems, especially when the victim has a sense of urgency.

The end result is a whole new economy for cybercrime, one with risk management gaps that allow it to thrive. One significant gap is that the cyber insurance industry is in many cases useless when it comes to ransomware. Most policies have an “extortion” clause, but the deductibles are cost prohibitive and require hundreds of thousands to be extorted before the insurance will kick in. Plus, policies are typically invalidated if a cyber-extortion clause is publicly disclosed.

How Does Anti-Ransomware Work?

To stop modern ransomware it is no longer enough to rely on vulnerable data backups or even on Next-Gen AV alone. Consistent and comprehensive protection against ransomware is possible, however, through multilayered prevention, the ability to detect behavioral anomalies, and the ability to scale with automation and integration.

Cybereason doesn't rely on vulnerable data backups to recover from a ransomware attack; we simply stop it in the first place. We detect anomalies based on indicators of behavior specific to ransomware strains, identify early-stage breach activity, block attack progression, and recover impacted endpoints and users.
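To make "indicators of behavior specific to ransomware strains" concrete, here is an added example of a small behavioral detector; it is illustrative code written for this page, not Cybereason's product logic. It consumes per-process file-system events and raises an alert when a process, within a sliding time window, renames many files to an unknown extension, writes many high-entropy (ciphertext-like) blobs, or touches a decoy "canary" file. The event format, thresholds, canary path and the sample event stream are all constructed assumptions.

```python
"""Behavioral ransomware indicators over a file-event stream (added example)."""
import math
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 10.0          # sliding window per process (assumed)
RENAME_THRESHOLD = 20          # renames to unknown extensions per window (assumed)
ENTROPY_WRITE_THRESHOLD = 20   # high-entropy writes per window (assumed)
HIGH_ENTROPY_BITS = 7.5        # bits/byte; encrypted or compressed data sits near 8
KNOWN_EXT = {"txt", "docx", "xlsx", "pdf", "jpg", "png", "pptx", "csv", "tmp"}
# Assumed decoy file that no legitimate process should ever modify.
CANARY_PATHS = {"/home/user/Documents/.canary/do_not_touch.docx"}


@dataclass
class FileEvent:
    ts: float
    pid: int
    proc: str
    op: str                         # "write", "rename" or "delete"
    path: str
    new_path: Optional[str] = None  # rename target
    data: bytes = b""               # bytes written, for "write" events


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


class RansomwareBehaviorDetector:
    def __init__(self):
        # pid -> indicator -> timestamps of matching events inside the window
        self.windows = defaultdict(lambda: defaultdict(deque))
        self.alerted = set()   # (pid, indicator) pairs already reported
        self.alerts = []

    def _count(self, pid, indicator, ts):
        dq = self.windows[pid][indicator]
        dq.append(ts)
        while dq and ts - dq[0] > WINDOW_SECONDS:
            dq.popleft()
        return len(dq)

    def _alert(self, ev, indicator, detail):
        key = (ev.pid, indicator)
        if key not in self.alerted:        # one alert per process and indicator
            self.alerted.add(key)
            self.alerts.append({"pid": ev.pid, "proc": ev.proc,
                                "indicator": indicator, "detail": detail})

    def feed(self, ev: FileEvent):
        if ev.path in CANARY_PATHS or ev.new_path in CANARY_PATHS:
            self._alert(ev, "canary_touched", f"{ev.op} on decoy file {ev.path}")
        if ev.op == "rename" and extension(ev.new_path) not in KNOWN_EXT:
            if self._count(ev.pid, "mass_rename", ev.ts) >= RENAME_THRESHOLD:
                self._alert(ev, "mass_rename",
                            f">={RENAME_THRESHOLD} renames to unknown extension in {WINDOW_SECONDS}s")
        if ev.op == "write" and shannon_entropy(ev.data) >= HIGH_ENTROPY_BITS:
            if self._count(ev.pid, "high_entropy_writes", ev.ts) >= ENTROPY_WRITE_THRESHOLD:
                self._alert(ev, "high_entropy_writes",
                            f">={ENTROPY_WRITE_THRESHOLD} high-entropy writes in {WINDOW_SECONDS}s")


def run_detector(events):
    """Replay events in time order and return the alerts raised."""
    det = RansomwareBehaviorDetector()
    for ev in sorted(events, key=lambda e: e.ts):
        det.feed(ev)
    return det.alerts


def constructed_events():
    """Constructed sample stream: one benign editor, one process behaving like ransomware."""
    events = []
    for i in range(5):   # benign: a few plaintext saves
        events.append(FileEvent(i, 1001, "editor", "write",
                                f"/home/user/Documents/notes{i}.txt", data=b"meeting notes " * 20))
    blob = bytes(range(256)) * 4   # entropy exactly 8 bits/byte, mimics ciphertext
    for i in range(25):            # suspicious: overwrite documents, rename to .locked
        ts, p = 100 + i * 0.2, f"/home/user/Documents/report{i}.docx"
        events.append(FileEvent(ts, 4242, "update.exe", "write", p, data=blob))
        events.append(FileEvent(ts + 0.1, 4242, "update.exe", "rename", p, new_path=p + ".locked"))
    events.append(FileEvent(106, 4242, "update.exe", "write",
                            "/home/user/Documents/.canary/do_not_touch.docx", data=blob))
    return events


if __name__ == "__main__":
    for alert in run_detector(constructed_events()):
        print(alert)
```

Each indicator on its own produces false positives (an archiver writes high-entropy data, a bulk-rename utility changes many extensions), which is why a real product correlates several of them per process and responds by suspending the process rather than by a single rule. The canary indicator is the cheapest of the three: it needs no thresholds, only a decoy file that nothing legitimate should touch.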

Prevent ransomware attacks before damage can occur, with industry-leading effectiveness, and block zero-day ransomware strains and never-before-seen malware.

Learn more about Cybereason Anti-Ransomware.

Israel Barak
About the Author

Israel Barak, Chief Information Security Officer at Cybereason, is a cyber defense and warfare expert with a background in developing cyber warfare infrastructure and proprietary technologies, including proprietary cryptographic solutions and the research and analysis of security vulnerabilities. Israel has spent years training new personnel, providing in-depth expertise on cyber warfare and security and on threat actors’ tactics and procedures. As Cybereason’s CISO, Israel is at the forefront of the company’s security innovation and its research and analysis of advanced threats.
