The most informative cyber security blog on the internet!
Ransomware is a growing threat in the post-covid era. According to Ivanti’s 2022 Ransomware Spotlight Report, of the 311 known exploits CISA warned federal agencies to address within a specific amount of time, 57 of them (18%) were tied to ransomware. But what makes matters worse is that their research shows that no scanner tools are perfect: only 92.7% of the 288 vulnerabilities they studied that ransomware can exploit were detected by three popular scanners combined.
As such, one of the best ways to prevent ransomware from affecting your business is to better understand this type of threat. We’ve already written at length about ransomware statistics and the ransomware prevention and protection methods you should know. Now, it’s time to break down what ransomware is and answer the question “how does ransomware work?” Our goal is to help you understand what it is and how it operates so you can strengthen your defenses against potential ransomware attacks. 
Let’s hash it out.
The way ransomware works is that an attacker uses a type of malicious software to encrypt your IT systems and/or data. They then hold your sensitive data captive until you agree to pay for access to a decryption key.
Here’s a quick overview of how ransomware works from a step-by-step perspective:
Don’t worry — we’ll go into all of this more in depth in a little bit. But first, there’s something that we think might be helpful for some of you before we get into all that.
Ransomware is malicious application or code that cybercriminals use to restrict access to, alter, destroy or steal your most sensitive data and systems. It typically uses encryption — a method of converting data from a readable format into utter gibberish through the use of a cryptographic key — to restrict your access. They’ll offer a solution — a decryption key that will, essentially, revert that gibberish into readable, useful data — in change for some type of demanded payment (i.e., ransom). This is the primary tool, along with phishing and other attack tactics, used in ransomware attacks.
If you find yourself the victim of a ransomware attack, the assailant will offer you the key, but it typically comes with a steep price tag. For example, during a ransomware attack on the tech company Acer, the REvil ransomware gang demanded $50 million in exchange for access to the company’s encrypted data. And that price tag was just the cost of the ransom itself — it doesn’t include the direct and indirect costs associated with mitigating the attack and dealing with everything that follows (including unanticipated downtime and outages).
No matter how much data you have, cybercriminals want to get their grubby hands on it. This way, they can either use it for nefarious purposes, or sell/trade it to others who will use it for the same.
Unless you’re living your life without ever touching a computer or electronic device of some kind, ransomware has the potential to impact you. Contrary to popular belief, ransomware attacks don’t just target major enterprises. The previously mentioned Sophos report shows that mid-size organizations (100-5,000 employees) also make a tempting target for cybercriminals.
This is particularly worrisome considering that this underreported group of 32.5 million businesses represents 99.9% of all U.S. businesses (according to the Small Business Administration [SBA]).
The FBI even reports that private individuals are targeted in ransomware attacks. Data from the Bureau’s Internet Crime Complaint Center (IC3) shows that the agency received 3,729 ransomware complaints with adjusted losses of nearly $50 million in 2021.
Basically, the idea here is that if the bad guys can block you from everything, thereby crippling your business, you’ll feel like you have no choice but to pay whatever they ask to get the decryption key.
While this may come as a surprise to some of you, it’s important to keep this truth in mind when weighing your options about whether to pay a ransom: cybercriminals lie. Even if you bother to pay their exorbitant ransom demands, there’s no guarantee that they’ll follow through with sending you the decryption keys — or, even if they do, that the keys will work as promised.
The FBI IC3’s 2021 Internet Crime Report states that paying a ransom doesn’t guarantee that your files will be recovered. However, it may encourage additional future attacks against your organization and others. If they know you’re willing to pay their demands, then you may be an especially appealing target.
There’s also the trouble that if you decide to pay a ransomware demand, you may find yourself facing civil penalties. This can happen if the U.S. government is sanctioning the cybercriminals you’re paying. The U.S. Department of the Treasury reports that the Office of Foreign Assets Control (OFAC) may still be able to impose those penalties based on “strict liability,” meaning that you can still face those penalties even though you “did not know or have reason to know” that the person you’re dealing with faces sanctions under OFAC laws and regulations.
Clearly, ignorance isn’t always bliss.
This may come as a surprise, but some ransomware attacks involve internal threat actors. Data from a 2021 Hitachi ID Systems poll shows that 65% of North American organizations’ IT and security personnel say they were approached directly by cybercriminals to aid in ransomware attacks against their employers. According to Cyberreason, LockBit is one example of a ransomware-as-a-service platform that’s trying to solicit employees into compromising their employers.
But how did attackers try to reach them? Hitachi reports that a whopping 59% of those outreaches came via email — another 27% of communications were received via phone calls and 21% through social media. What makes attackers’ recruitment efforts particularly concerning is that they’re offering 85% of employees either cash transfers or Bitcoin payments worth up to $1 million.
All it takes is one employee accepting such a deal to bring your company to its knees.
In some cases, ransomware attacks are automated attacks that attack companies and individuals randomly. In other cases, they target specific businesses, organizations, and even local, state or federal government entities. Once they choose a target, it’s game on for these schmucks.
Knowing this, it’s time to answer the question “how does ransomware work?”
If someone has the know-how to create ransomware, they can code the malicious programs to operate however they choose. But in many cases, most attackers don’t have the skill or inclination to create their own malware. Instead, they hire someone with their own malicious software to do their dirty deeds for them by buying or leasing their ransomware capabilities.
This unsavory trade, known as ransomware-as-a-service (RaaS), gives shady individuals (RaaS affiliates) access to ransomware tools (typically in kits) so they don’t have to create the malware programs themselves. These kits often include 24/7 support from the RaaS operators and a variety of other services you’d come to expect from legitimate software-as-a-service providers.
Here’s a quick breakdown of the roles of ransomware operators and the people who hire their services:
Examples of common RaaS families Sophos observed in 2020-2021 included:
Cybercriminals are always looking for a way into your organization’s IT systems and data. There are a few ways they can gain the desired access:
Apple recently found itself making headlines because cybercriminals have been able to exploit vulnerabilities within their operating system after a recent update. One potential concern is that if hackers used one of these exploits to take control of your device, they could use that access to install whatever malware (such as ransomware) they want onto it.
The good news is that Apple released several updates this month (Aug. 17 and 20) to quickly address these vulnerabilities in multiple operating systems.
Much like its namesake (fishing), phishing is all about setting bait to lure and reel in an unsuspecting target. Phishing can occur in a lot of ways:
The Uptime Institute estimates that downtime for nearly 40% of organizations results from human error. A whopping 85% is attributed to employees’ failure to follow organizational processes and procedures.
Remote desktop protocols are useful tools that enable remote access to a device and are typically used by IT admins. However, when used by people with nefarious intentions, these tools can be used to carry out an assortment of malicious activities (RDP attacks) on your device.
Cybercriminals sometimes use phishing emails — think of common tech support scams — to trick, manipulate, or coerce people into installing the software to get the “tech support” they think they need. According to the FBI, there were 23,903 tech support fraud complaints in 2021 with losses totaling more than $347 million.
Of course, not all RDP attacks involve the use of phishing emails. In some cases, cybercriminals will capitalize on known and zero-day (i.e., unknown or unannounced) vulnerabilities they can exploit to gain access to your systems.
Not all ransomware attacks will target your organization directly. In some cases, cybercriminals have been known to target websites you or your employees are known to visit (such as a third-party vendor’s website). Why? Because they can use an auto installer to get their ransomware onto your device.
Continuing on with our list of how ransomware works is what bad guys do once they get into your systems: encrypt everything. Simply put, data encryption is the nasty main purpose of ransomware attacks. The idea here is that if an attacker can control access to your sensitive data and resources, they’ve got you where they want you and you’ll feel like you have no choice but to give into their demands.
Typically, attackers upload basic text files to the encrypted server, directory, or device that communicate who the attackers are and their demands. In some cases, these notes will offer to provide a decryption key and program in exchange for X amount of cryptocurrency (commonly Bitcoin) that must be paid within a specific amount of time.  
Of course, not all attacks are always such straightforward transactions. Unfortunately, as some companies and organizations have learned the hard way, some ransomware attackers have more than one trick up their sleeves…
In some cases, the “fun” doesn’t stop there. Some bad guys, before they encrypt your systems and data, will exfiltrate (a fancy word for “withdraw” or “steal,” in this case) your sensitive data to a server they control. Why do this? So, they can hit you up for additional money or cause additional damage to your brand and reputation by publishing the information online.
Either way, unauthorized data exfiltration is bad news and will result in damage to your brand and reputation in one way or another.
Now that we know how ransomware works, it’s time quickly talk about what you can do to protect yourself against these types of attacks. We’ve explored this topic at length in the article “11 Ransomware Prevent & Protection Methods to Implement Now” we mentioned earlier. However, we’ll briefly cover a few of the top highlights here:
Check out the article for a more in depth look at these suggestions and other methods. But before we wrap things up here, there’s one last important thing we want to mention: be sure to store your data in both online and offline backups. This way, you have a backup to your backup in the event that an attacker manages to get their hands on your online backup. A good recommendation is to follow the 3-2-1 backup rule.
Hopefully, this article answers your question “how does ransomware work?” and gives you a lot to think about regarding what you need to do to protect your organization.
As you can imagine, ransomware creates lot of problems for companies and their customers in many ways. In terms of your organization, a ransomware attack can cause operations to come to a screeching halt and result in everything from lost customer trust and damaged relationships to lost revenue and lawsuits. 
From your customers’ perspectives, it can cause them to lose trust in your brand and lead them to turn to your competitors for business from now on. Data from a global survey by Axway supports this:
Knowing this, you need to decide where you want data breach prevention and mitigation to fall on your list of IT security priorities. The time to plan and get your ducks in a row is now. Don’t wait until you’re already under attack to start thinking about how you want to respond when crap hits the fan.
Your email address will not be published. We will only use your email address to respond to your comment and/or notify you of responses. Required fields are marked *

Captcha *

Affiliate Marketing As A Business

Casey Crane is a regular contributor to (and managing editor of) Hashed Out with 15+ years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.
Download Now
Download Now
The SSL Store™ | 146 2nd Street North #201 St. Petersburg, FL 33701 US | 727.388.1333
© 2022 The SSL Store™. A Subsidiary of DigiCert, Inc. All Rights Reserved.


/ Uncategorized

Leave a Reply

Your email address will not be published. Required fields are marked *