What is ransomware? | Ransomware meaning

Ransomware is a type of malware that locks computer files until the victim pays a ransom.

Learning Objectives

After reading this article you will be able to:

  • Define ransomware
  • Explain how ransomware works
  • Describe ransomware prevention techniques
  • List famous ransomware attacks

Related Content

Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is ransomware?

What is ransomware? - Ransomware infects a computer and encrypts files

Ransomware is malicious software that locks up files and holds them for ransom. Ransomware can quickly spread across an entire network, and in some cases an infection has moved across multiple networks belonging to different organizations. The person or group controlling the ransomware unlocks the files only if the victim pays the ransom.

Imagine Chuck steals Alice's laptop, locks it in his safe, and tells her she can have it back only if she pays him $200. This is essentially how ransomware groups operate — only instead of physically taking computers away and locking them up, they do so digitally.

Strategies to prevent ransomware infections include scanning all files and network traffic for malware, filtering DNS queries, using browser isolation to prevent attacks, and training users on information security best practices. While no ransomware prevention strategy is foolproof, maintaining backups of all data can help businesses recover more quickly from a ransomware attack.

The recent rise in ransom-based DDoS attacks
Talk to an expert
Learn how Cloudflare can protect your business

How does ransomware work?

Typical ransomware attacks follow these basic steps:

  1. The ransomware establishes a foothold on a device or network.
  2. It encrypts any files it finds.
  3. It displays a message demanding payment to decrypt the files.

Encryption is the process of scrambling data so that it cannot be read except by parties who have the encryption key, which they can use to reverse the encryption. The reversal of encryption is known as decryption.

Encryption is used for legitimate purposes all the time and is a crucial element of security and privacy on the Internet. But ransomware groups use encryption maliciously to prevent anyone from being able to open and use the encrypted files, including the files' legitimate owners.

Imagine Chuck, instead of stealing Alice's laptop, translates all of her files into a language she cannot read. This is similar to encryption in a ransomware context — Alice still has access to the files, but she cannot read them or use them. Essentially, the files are lost until she can find a way to translate them.

But unlike translating a language, decrypting data is almost impossible without the encryption key. The attacking party keeps the key to themselves, which is why they have the leverage they need to demand payment.

Common features of ransom demands

Usually, a ransom demand comes with a time limit: pay before a certain deadline or else the files will remain permanently encrypted. The price may go up as time passes.

Ransomware groups want the victim's payment to be difficult to trace back to them. For this reason, these groups often demand payment via cryptocurrency or other methods that are difficult for law enforcement to track.

Once the ransom is paid, the attacker either decrypts the files remotely or sends the victim the decryption key. The attacker almost always decrypts the encrypted data or provides the key once the ransom is paid. It is in the attacker's interest to follow through on their promise to unlock data. Without this step, future ransomware victims will stop paying the ransom because they know it will not accomplish anything, and the attackers will not make any money.

Sign Up
Security & speed with any Cloudflare plan

What are the main types of ransomware?

  • "Crypto" or encrypting ransomware: This is the most common type. It functions as described above.
  • Locker ransomware: Instead of encrypting data, this type of ransomware simply locks users out of their devices.
  • Doxware: Doxware copies sensitive personal data and threatens to expose it unless the victim pays a fee. Doxware does not usually encrypt data.

A related form of malware is "scareware." Scareware shows a message to the user claiming that their device is infected with malware and demanding payment to remove it. When installed on a device, scareware can be persistent and difficult to remove. Although it may lock the victim's computer, it does not usually hold files and data for ransom as ransomware does.

How does ransomware get on a device or network?

Attackers use several methods to spread ransomware, but most often, they use a type of malware called a "trojan." A trojan is a malicious file disguised as something else (just as the Trojan horse of myth disguised the Greek army). Users have to execute trojans for them to work, and ransomware groups can trick them into doing so in a number of ways:

  • Social engineering. Often, malicious files are disguised as harmless email attachments, and ransomware gangs send targeted emails that make the recipients think they need to open or download the malicious attachment.
  • Drive-by downloads. A drive-by download is when opening a webpage automatically causes a file to download. Drive-by downloads take place on infected websites or websites controlled by an attacker.
  • Infecting seemingly legitimate applications that users download and install. An attacker may compromise an application that the user trusts so that opening the application also installs malware.
  • Creating fake applications that are actually malicious. Sometimes, attackers will even disguise their malware as anti-malware software.

Attackers also have been known to use vulnerabilities to create worms that spread across an entire network (and even to multiple networks) without users taking any action at all. After a vulnerability exploit developed by the American National Security Agency was leaked to the public in 2017, one ransomware worm, WannaCry, used this exploit to infect more than 200,000 computers almost simultaneously.

Regardless of the method used, the goal is to get the malicious file, also known as a malicious payload, onto the device or network. Once it executes, the malicious payload encrypts files on the infected system.

Before doing so, it may communicate with the attacker's command and control (C&C) server in order to receive instructions. Sometimes an attacker will wait for the opportune moment to send a command to encrypt files, and in this way ransomware can remain inactive and undetected on a device or network for days, weeks, or even months.

The cost of ransomware attacks

One report stated that the average price paid by ransomware victims was over $300,000. Another report found that the average total cost of a ransomware attack, in terms of lost business and other factors in addition to the cost of the ransom, was close to $2 million.

In 2020, one source estimated that the financial damage from ransomware over the previous 12 months was over $1 billion, although the real cost was probably much higher, factoring in the lost services and the victims who might have paid a ransom without announcing it publicly.

There is a huge financial incentive for criminals to conduct ransomware attacks, so ransomware is likely to remain an important security issue.

It is estimated that 95% of organizations that pay the ransom do in fact get their data back. However, paying a ransom can be a controversial decision. Doing so involves giving money to criminals, allowing them to further fund their criminal enterprises.

Removing ransomware

In some cases, it may be possible to remove ransomware from a device without paying the ransom. Victims can attempt to follow these steps:

  1. Isolate the infected machine by disconnecting it from all networks.
  2. Scan for and remove malicious files using anti-malware software.
  3. Restore files from a backup or use a decryption tool to decrypt files.

However, these steps are often difficult to execute in practice, especially when an entire network or data center has been infected and it is too late to isolate the infected device. Many types of ransomware are persistent and can duplicate themselves or otherwise resist removal. And many ransomware groups today use advanced forms of encryption, making decryption next to impossible without the key.

Preventing ransomware

Since ransomware removal is extremely difficult, a better approach is to try to prevent ransomware infections in the first place. These are some of the strategies that can help:

  • Anti-malware can scan all files to make sure they are not malicious and do not contain ransomware (this will not detect all strains of ransomware).
  • DNS filtering can prevent users from loading unsafe sites, and possibly prevent the malicious payload from communicating with the attacker's C&C server.
  • Browser isolation can close several possible attack vectors, including drive-by downloads.
  • Email security filters can flag suspicious emails and attachments.
  • IT teams can restrict the types of applications that can be installed on a device to prevent users from accidentally installing malware.
  • Security teams can train users to identify suspicious emails, avoid clicking on untrusted links and loading unsafe sites, and install only safe and trusted applications.

Even with these methods, 100% prevention of ransomware is not possible, just as 100% prevention of any threat is not possible.

The most important step a business can take is to back up their data so that if an infection occurs, they can switch to the backup instead of having to pay the ransom.

What are some famous ransomware attacks?

  • CryptoLocker (2013): Ransomware attacks using the CryptoLocker trojan took place from September 2013 to May 2014 and infected hundreds of thousands of systems. CryptoLocker spread mainly through malicious email attachments. It is estimated that the attackers earned about $3 million before the attacks were shut down.
  • WannaCry (2017): WannaCry was a ransomware worm that used a vulnerability exploit called EternalBlue to spread from computer to computer; originally, this exploit had been developed by the NSA. WannaCry infected more than 200,000 computers across 150 countries on May 12, 2017, until a security researcher discovered how to turn the malware off. The US and the UK later determined that the attack had originated from North Korea.
  • NotPetya (2017): NotPetya was a variant of an earlier strain of malware called Petya. NotPetya infected organizations all over Europe and the US, but especially in Russia and Ukraine.
  • Ryuk (2018): Ryuk ransomware has largely been used to target large enterprises. Its operators demand hefty ransoms from the victims. The FBI estimated that the attackers behind Ryuk earned more than $61 million in ransom payments in 2018 and 2019. Ryuk is still in use as of 2021.
  • Colonial Pipeline attack (2021): The largest fuel pipeline in the US was shut down by a ransomware attack in May 2021. The FBI stated that a ransomware group called DarkSide was behind the attack.

What is a ransom DDoS attack?

Similar to a ransomware attack, a ransom DDoS attack is essentially an extortion attempt. An attacker threatens to conduct a DDoS attack against a website or network unless payment is made. In some cases, the attacker may begin the DDoS attack first and then demand payment. Ransom DDoS attacks can be stopped by a DDoS mitigation provider (like Cloudflare).

Read about ransom DDoS in more depth.

Does Cloudflare help prevent ransomware attacks?

Cloudflare products close off several threat vectors that can lead to a ransomware infection. Cloudflare DNS filtering blocks unsafe websites. Cloudflare Browser Isolation prevents drive-by downloads and other browser-based attacks. Finally, a Zero Trust architecture can help prevent ransomware from spreading within a network.