What is Ransomware?


Ransomware is a criminal business model that uses malicious software to hold valuable files, data or information for ransom. Victims of a ransomware attack may have their operations severely degraded or shut down entirely.

While holding something of value for ransom is not a new concept, ransomware has become a multimillion-dollar criminal business, targeting both individuals and corporations. Due to its low barrier to entry and effectiveness in generating revenue, it has quickly displaced other cybercrime business models and become the largest threat facing organizations today.


What Does a Ransomware Attack Look Like?

Attackers must execute five steps for a ransomware attack to be successful:

1. Compromise and Take Control of a System or Device

Most ransomware attacks begin with social engineering that tricks users into opening an attachment or following a malicious link in their web browser. This allows attackers to install malware on a system and take control of it.

2. Prevent Access to the System

Once they have access, attackers either identify and encrypt certain file types or deny access to the entire system.

3. Notify the Victim

Attackers and victims often speak different languages and have different levels of technical skill, so attackers must clearly alert victims to the compromise, state the ransom demand and explain the steps for regaining access.

4. Accept Ransom Payment

To receive payment while evading law enforcement, attackers demand cryptocurrencies, such as bitcoin, for the transaction.

5. Return Full Access

Attackers must return access to the device(s). Failure to restore access to compromised data or systems undermines the scheme, as few victims would be willing to pay a ransom if they did not believe their data would be returned.

Most Common Types of Ransomware

The most common types of ransomware include:

  1. Crypto Ransomware encrypts the victim's files, making them inaccessible, and the attacker demands payment for the decryption key. Well-known examples include CryptoLocker and WannaCry.
  2. Locker Ransomware locks the victim out of their system entirely, rendering it unusable. Examples include FBI Ransomware and Police Ransomware.
  3. Scareware tricks victims into thinking their system is infected with a virus or other malicious content, then demands payment to fix the alleged issue. WinFixer is a well-known example.
  4. Doxware (or Leakware) threatens to release sensitive or personal information unless the ransom is paid. It is becoming more common as attackers target both individuals and businesses.
  5. Ransomware-as-a-Service (RaaS) is a model in which attackers buy ransomware from developers and use it to launch their own attacks. It lowers the barrier to entry for cybercriminals, leading to more widespread attacks.
  6. Fileless Ransomware operates in memory rather than writing its payload to disk, leaving few traces on the hard drive and making it harder to detect.

Each type of ransomware operates differently but shares the goal of extorting money from victims by denying access to their data or systems.
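Crypto ransomware's defining behaviour, as described above, is that readable documents are replaced by unreadable ones. The following is an added example, not code from the original page or from any vendor, showing how a defender can turn that behaviour into a detection signal: it compares two snapshots of a directory, flags documents whose content jumped to ciphertext-like entropy (in place or as a same-name sibling with an extra extension), and spots new text files that read like ransom notes. The sample snapshots, the 7.5 bits-per-byte threshold and the note keywords are all constructed assumptions for this example.

```python
import hashlib
import math
from collections import Counter

# Bits of entropy per byte (maximum 8.0) above which content looks encrypted or
# compressed. The 7.5 threshold is an assumption for this example, not a standard.
HIGH_ENTROPY_BITS = 7.5

# Words that, together, mark a new text file as a likely ransom note (assumed keywords).
NOTE_KEYWORDS = ("encrypted", "decrypt", "bitcoin")


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(content: bytes) -> bool:
    """True if the content decodes as text containing every keyword in NOTE_KEYWORDS."""
    text = content.decode("utf-8", errors="ignore").lower()
    return all(word in text for word in NOTE_KEYWORDS)


def assess_snapshots(before: dict, after: dict) -> dict:
    """Compare two {path: bytes} snapshots of a directory.

    Flags (1) documents rewritten in place, or replaced by a same-stem sibling,
    whose content jumped to high entropy, and (2) new files that read like
    ransom notes. Also returns the fraction of original documents affected,
    which is the mass-encryption signal a real monitor would alert on.
    """
    encrypted = []
    for path, old in before.items():
        if shannon_entropy(old) >= HIGH_ENTROPY_BITS:
            continue  # already opaque (archives, images): skip to avoid false positives
        if path in after:
            if shannon_entropy(after[path]) >= HIGH_ENTROPY_BITS:
                encrypted.append(path)
        else:
            # Original vanished: look for a new file with the same stem and an added extension.
            stem = path.rsplit(".", 1)[0]
            for cand, content in after.items():
                if cand not in before and cand.startswith(stem + ".") \
                        and shannon_entropy(content) >= HIGH_ENTROPY_BITS:
                    encrypted.append(cand)
                    break
    notes = [p for p, c in after.items() if p not in before and looks_like_ransom_note(c)]
    affected_ratio = len(encrypted) / len(before) if before else 0.0
    return {"encrypted": encrypted, "notes": notes, "affected_ratio": affected_ratio}


def _fake_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed sample data)."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample snapshots: three plaintext documents, then two of them
# replaced by '.locked' copies alongside a new ransom note.
_REPORT = b"Quarterly revenue grew in every region, see the attached tables. " * 80
_BUDGET = b"line item,owner,amount\nhosting,ops,1200\ntravel,sales,800\n" * 100
_README = b"Internal file share. Contact IT for access requests.\n"

SNAPSHOT_BEFORE = {
    "docs/q3-report.docx": _REPORT,
    "docs/budget.csv": _BUDGET,
    "README.txt": _README,
}
SNAPSHOT_AFTER = {
    "docs/q3-report.docx.locked": _fake_ciphertext(b"report", len(_REPORT)),
    "docs/budget.csv.locked": _fake_ciphertext(b"budget", len(_BUDGET)),
    "README.txt": _README,
    "docs/HOW_TO_RECOVER.txt": b"Your files have been encrypted. Pay in bitcoin to receive the decrypt key.\n",
}

if __name__ == "__main__":
    result = assess_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print(f"encrypted: {result['encrypted']}")
    print(f"ransom notes: {result['notes']}")
    print(f"affected: {result['affected_ratio']:.0%}")
```

Entropy alone is a noisy signal, since archives, images and already-encrypted backups are high-entropy by design, which is why the example skips documents that were opaque to begin with and pairs the signal with the ransom-note check. A production monitor would apply the same logic to file-write events as they happen and alert once the affected ratio crosses a threshold within a short window, rather than comparing whole snapshots after the fact.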


What is Multi-Extortion Ransomware?

Multi-extortion ransomware is a more sophisticated type of attack in which cybercriminals combine several extortion methods to pressure victims into paying. In addition to encrypting the victim's files and demanding payment for decryption, attackers often use one or more of the following tactics:

  1. Data Theft and Leak: The attackers exfiltrate sensitive data before encrypting it and threaten to release or sell this data if the ransom is not paid. This adds a layer of pressure, as victims fear the loss of valuable or sensitive information.
  2. Denial of Service (DoS) Attacks: Some ransomware groups launch DoS or DDoS attacks alongside encryption, further disrupting the victim’s ability to operate by overwhelming their network or servers.
  3. Threats to Expose or Harm: Attackers may also threaten to cause physical damage or expose embarrassing or compromising information, targeting the victim’s reputation and business integrity.

Popular examples of multi-extortion ransomware include REvil and Clop, which employ these tactics to increase the likelihood of the victim paying the ransom. The goal is to increase the pressure on victims by making the consequences of not paying far more severe than just losing access to data.

Keeping your organization from falling victim to a ransomware attack requires a fundamental shift – away from detection and remediation, toward prevention. This means reducing the attack surface, blocking known threats, and identifying and blocking unknown threats.


Ransomware FAQs

What is ransomware?

Ransomware is a type of malicious software designed to block access to a victim's files or system by encrypting data. Attackers demand a ransom, often in cryptocurrency, in exchange for the decryption key. It typically spreads through phishing emails, malicious websites, or software vulnerabilities.

How can I protect my computer from ransomware?

To protect your computer from ransomware, use up-to-date antivirus software, enable firewalls, and regularly back up your data. Be cautious when opening email attachments or clicking on links from unknown sources. Ensure your system and software are updated to close any security vulnerabilities.

What should I do if my computer is infected with ransomware?

If infected with ransomware, disconnect your device from the internet immediately to prevent the malware from spreading. Avoid paying the ransom, as it does not guarantee that your files will be decrypted. Instead, report the incident to the authorities and try restoring files from backups if available.

Can ransomware be removed without paying the ransom?

Yes, ransomware can be removed without paying the ransom in some cases. Many cybersecurity tools and decryption utilities can help remove the ransomware. If the ransomware family is known, a decryption tool may be available. If not, consulting a cybersecurity professional may be necessary.