Ransomware is a type of malware that locks computer files until the victim pays a ransom.
Ransomware is malicious software that locks up files and holds them for ransom. Ransomware can quickly spread across an entire network, and in some cases an infection has moved across multiple networks belonging to different organizations. The person or group controlling the ransomware unlocks the files only if the victim pays the ransom.
Imagine Chuck steals Alice's laptop, locks it in his safe, and tells her she can have it back only if she pays him $200. This is essentially how ransomware groups operate — only instead of physically taking computers away and locking them up, they do so digitally.
Strategies to prevent ransomware infections include scanning all files and network traffic for malware, filtering DNS queries, using browser isolation to contain browser-based attacks, and training users on information security best practices. While no ransomware prevention strategy is foolproof, maintaining backups of all data can help businesses recover more quickly from a ransomware attack.
Typical ransomware attacks follow these basic steps:
Encryption is the process of scrambling data so that it cannot be read except by parties who have the encryption key, which they can use to reverse the encryption. The reversal of encryption is known as decryption.
Encryption is used for legitimate purposes all the time and is a crucial element of security and privacy on the Internet. But ransomware groups use encryption maliciously to prevent anyone from being able to open and use the encrypted files, including the files' legitimate owners.
Imagine Chuck, instead of stealing Alice's laptop, translates all of her files into a language she cannot read. This is similar to encryption in a ransomware context — Alice still has access to the files, but she cannot read them or use them. Essentially, the files are lost until she can find a way to translate them.
But unlike translating a language, decrypting data is almost impossible without the encryption key. The attacking party keeps the key to themselves, which is why they have the leverage they need to demand payment.
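The paragraphs above make two claims a defender can check directly: encrypted data cannot be read (or distinguished from random bytes) without the key, and guessing the key does not help. The following example is added here and is not part of the Cloudflare article. It uses a small HMAC-SHA256 keystream as a stand-in for the real ciphers ransomware uses (this construction is an assumption for illustration, not a recommended cipher), and it shows the defensive consequence: because ciphertext has near-maximal byte entropy while ordinary files do not, an entropy check over recently written files is one way endpoint tooling can spot mass encryption in progress. The sample report text and key are constructed.

```python
import hashlib
import hmac
import math
from collections import Counter


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream for illustration: HMAC-SHA256 over a counter.
    Real ransomware uses AES or ChaCha with RSA-wrapped keys; the point is
    only that the output is unreadable without the key."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_cipher(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Encrypts or decrypts (XOR is its own inverse) under key and nonce."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, close to 8
    for ciphertext, compressed data or random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic used by many anti-ransomware monitors: content whose entropy
    is near 8 bits/byte is indistinguishable from ciphertext."""
    return shannon_entropy(data) >= threshold


def flag_encrypted_files(files: dict) -> list:
    """Return the names of files whose content looks encrypted. A sudden burst
    of such writes across many files is a strong mass-encryption signal."""
    return sorted(name for name, content in files.items() if looks_encrypted(content))


# Constructed sample data: a plain-text report and the same bytes under the cipher.
REPORT = (b"Quarterly sales report. Revenue grew 4 percent over the prior quarter; "
          b"costs were flat and the customer count rose in every region.\n") * 30
KEY = hashlib.sha256(b"constructed demo key - not a real secret").digest()
NONCE = b"\x00" * 8
CIPHERTEXT = xor_cipher(REPORT, KEY, NONCE)


def demo() -> dict:
    """Shows that only the real key recovers the data and that the entropy
    check separates the original file from its encrypted copy."""
    wrong_key = hashlib.sha256(b"an attacker-style guess at the key").digest()
    return {
        "plaintext_entropy": round(shannon_entropy(REPORT), 2),
        "ciphertext_entropy": round(shannon_entropy(CIPHERTEXT), 2),
        "decrypts_with_key": xor_cipher(CIPHERTEXT, KEY, NONCE) == REPORT,
        "decrypts_with_wrong_key": xor_cipher(CIPHERTEXT, wrong_key, NONCE) == REPORT,
        "flagged": flag_encrypted_files({"report.txt": REPORT,
                                         "report.txt.locked": CIPHERTEXT}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The entropy threshold is a heuristic, not a proof: already-compressed or encrypted files (archives, images, disk images) legitimately sit near 8 bits/byte, so production tooling combines this signal with write rate, file-extension changes and process lineage rather than alerting on entropy alone.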
Usually, a ransom demand comes with a time limit: pay before a certain deadline or else the files will remain permanently encrypted. The price may go up as time passes.
Ransomware groups want the victim's payment to be difficult to trace back to them. For this reason, these groups often demand payment via cryptocurrency or other methods that are difficult for law enforcement to track.
Once the ransom is paid, the attacker either decrypts the files remotely or sends the victim the decryption key. The attacker almost always decrypts the encrypted data or provides the key once the ransom is paid. It is in the attacker's interest to follow through on their promise to unlock data. Without this step, future ransomware victims will stop paying the ransom because they know it will not accomplish anything, and the attackers will not make any money.
A related form of malware is "scareware." Scareware shows a message to the user claiming that their device is infected with malware and demanding payment to remove it. When installed on a device, scareware can be persistent and difficult to remove. Although it may lock the victim's computer, it does not usually hold files and data for ransom as ransomware does.
Attackers use several methods to spread ransomware, but most often, they use a type of malware called a "trojan." A trojan is a malicious file disguised as something else (just as the Trojan horse of myth disguised the Greek army). Users have to execute trojans for them to work, and ransomware groups can trick them into doing so in a number of ways:
Attackers also have been known to use vulnerabilities to create worms that spread across an entire network (and even to multiple networks) without users taking any action at all. After a vulnerability exploit developed by the American National Security Agency was leaked to the public in 2017, one ransomware worm, WannaCry, used this exploit to infect more than 200,000 computers almost simultaneously.
Regardless of the method used, the goal is to get the malicious file, also known as a malicious payload, onto the device or network. Once it executes, the malicious payload encrypts files on the infected system.
Before doing so, it may communicate with the attacker's command and control (C&C) server in order to receive instructions. Sometimes an attacker will wait for the opportune moment to send a command to encrypt files, and in this way ransomware can remain inactive and undetected on a device or network for days, weeks, or even months.
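The dormant period described above is also a detection opportunity: a payload waiting for instructions typically checks in with its command and control server at a regular interval, and that regularity stands out in network logs even when the content of the connection is encrypted. The example below is added here and is not from the Cloudflare article. It assumes a simplified proxy log format (one line per outbound connection with a timestamp, source host and destination) that is constructed for this example, and it flags host-to-destination pairs whose connection intervals are nearly constant. The log lines and hosts are constructed; the destination addresses are from the RFC 5737 documentation ranges.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format for this example: "<ISO timestamp>Z host=<name> dst=<ip:port> bytes=<n>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")

# Constructed sample log. ws-17 contacts 203.0.113.10 every ~300 seconds
# (beacon-like); its other traffic and ws-03's traffic are irregular or sparse.
SAMPLE_LOG = """
2024-05-01T10:00:00Z host=ws-17 dst=203.0.113.10:443 bytes=512
2024-05-01T10:00:12Z host=ws-17 dst=198.51.100.5:443 bytes=40211
2024-05-01T10:00:14Z host=ws-17 dst=198.51.100.5:443 bytes=1830
2024-05-01T10:03:40Z host=ws-17 dst=198.51.100.5:443 bytes=9932
2024-05-01T10:05:01Z host=ws-17 dst=203.0.113.10:443 bytes=514
2024-05-01T10:10:00Z host=ws-17 dst=203.0.113.10:443 bytes=512
this line is malformed and must be skipped
2024-05-01T10:14:59Z host=ws-17 dst=203.0.113.10:443 bytes=513
2024-05-01T10:20:00Z host=ws-17 dst=203.0.113.10:443 bytes=512
2024-05-01T10:25:01Z host=ws-17 dst=203.0.113.10:443 bytes=512
2024-05-01T10:31:05Z host=ws-17 dst=198.51.100.5:443 bytes=77120
2024-05-01T10:31:06Z host=ws-17 dst=198.51.100.5:443 bytes=2210
2024-05-01T10:40:00Z host=ws-03 dst=203.0.113.10:443 bytes=512
2024-05-01T10:45:00Z host=ws-03 dst=203.0.113.10:443 bytes=512
2024-05-01T10:58:50Z host=ws-17 dst=198.51.100.5:443 bytes=3301
""".strip().splitlines()


def parse_line(line: str):
    """Parse one log line; return (timestamp, host, dst, bytes) or None if malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["host"], m["dst"], int(m["bytes"])


def detect_beacons(lines, min_connections: int = 5, max_jitter: float = 0.2) -> list:
    """Flag (host, dst) pairs that connect at a near-constant interval.

    Jitter is the coefficient of variation of the inter-connection gaps
    (standard deviation / mean); human-driven traffic is bursty and scores
    high, a timer-driven check-in scores close to zero."""
    by_pair = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, dst, _ = parsed
        by_pair[(host, dst)].append(ts)

    beacons = []
    for (host, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append({"host": host, "dst": dst, "count": len(times),
                            "interval_s": round(mean), "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    for b in detect_beacons(SAMPLE_LOG):
        print(f"{b['host']} -> {b['dst']}: {b['count']} connections every ~{b['interval_s']}s "
              f"(jitter {b['jitter']})")
```

Real implants add randomised sleep to blur this pattern, so the jitter threshold and minimum sample count are tuning knobs; the value of the check is that it works on connection metadata alone, which DNS and proxy logs already provide, without needing to decrypt the C&C traffic.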
One report stated that the average price paid by ransomware victims was over $300,000. Another report found that the average total cost of a ransomware attack, in terms of lost business and other factors in addition to the cost of the ransom, was close to $2 million.
In 2020, one source estimated that the financial damage from ransomware over the previous 12 months was over $1 billion, although the real cost was probably much higher, factoring in the lost services and the victims who might have paid a ransom without announcing it publicly.
There is a huge financial incentive for criminals to conduct ransomware attacks, so ransomware is likely to remain an important security issue.
It is estimated that 95% of organizations that pay the ransom do in fact get their data back. However, paying a ransom can be a controversial decision. Doing so involves giving money to criminals, allowing them to further fund their criminal enterprises.
In some cases, it may be possible to remove ransomware from a device without paying the ransom. Victims can attempt to follow these steps:
However, these steps are often difficult to execute in practice, especially when an entire network or data center has been infected and it is too late to isolate the infected device. Many types of ransomware are persistent and can duplicate themselves or otherwise resist removal. And many ransomware groups today use advanced forms of encryption, making decryption next to impossible without the key.
Since ransomware removal is extremely difficult, a better approach is to try to prevent ransomware infections in the first place. These are some of the strategies that can help:
Even with these methods, 100% prevention of ransomware is not possible, just as 100% prevention of any threat is not possible.
The most important step a business can take is to back up their data so that if an infection occurs, they can switch to the backup instead of having to pay the ransom.
Similar to a ransomware attack, a ransom DDoS attack is essentially an extortion attempt. An attacker threatens to conduct a DDoS attack against a website or network unless payment is made. In some cases, the attacker may begin the DDoS attack first and then demand payment. Ransom DDoS attacks can be stopped by a DDoS mitigation provider (like Cloudflare).
Cloudflare products close off several threat vectors that can lead to a ransomware infection. Cloudflare DNS filtering blocks unsafe websites. Cloudflare Browser Isolation prevents drive-by downloads and other browser-based attacks. Finally, a Zero Trust architecture can help prevent ransomware from spreading within a network.