Apogee IT Services

What is Ransomware?

Posted on November 22, 2022

Ransomware is malware designed to deny a user or organization access to the files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, cyberattackers place organizations in a position where paying the ransom is the easiest and cheapest way to regain access to their files. Some variants have added additional functionality – such as data theft – to give ransomware victims further incentive to pay the ransom.

Ransomware has quickly become the most prominent and visible type of malware. Recent ransomware attacks have impacted hospitals’ ability to provide crucial services, crippled public services in cities, and caused significant damage to various organizations.

Popular Ransomware Variants

1. Ryuk

Ryuk is well-known as one of the most expensive types of ransomware in existence. Ryuk demands ransoms that average over $1 million. As a result, the cybercriminals behind it primarily focus on enterprises that have the resources necessary to meet their demands.

2. Maze

The Maze ransomware is famous for being the first ransomware variant to combine file encryption and data theft. When targets started refusing to pay ransoms, Maze began collecting sensitive data from victims’ computers before encrypting it.

3. REvil (Sodinokibi)

REvil is one of the most well-known ransomware families on the net. The ransomware, which has been operated by the Russian-speaking REvil group since 2019, has been responsible for many big breaches.

4. LockBit

LockBit is data-encrypting malware in operation since September 2019 and a more recent Ransomware-as-a-Service (RaaS) offering. It was developed to encrypt large organizations’ systems rapidly, so that it can finish before security appliances and IT/SOC teams detect it.

5. DearCry

In March 2021, Microsoft released patches for four vulnerabilities within Microsoft Exchange servers. DearCry is a new ransomware variant designed to take advantage of those four recently disclosed Exchange vulnerabilities.

6. Lapsus$

Lapsus$ is a South American ransomware gang that has been linked to cyberattacks on some high-profile targets. The gang is known for extortion, threatening to release sensitive information if its demands aren’t met by its victims. The group has boasted of breaking into Nvidia, Samsung, Ubisoft and others.

How Ransomware Works

Step 1. Infection and Distribution Vectors

Ransomware, like any malware, can gain access to an organization’s systems in several different ways. However, ransomware operators tend to prefer a few specific infection vectors.

One of these is phishing emails. A malicious email may contain a link to a website hosting a malicious download or an attachment that has downloader functionality built in. If the email recipient falls for the phish, then the ransomware is downloaded and executed on their computer.

Another popular ransomware infection vector takes advantage of services such as the Remote Desktop Protocol (RDP). With RDP, an attacker who has stolen or guessed an employee’s login credentials can use them to authenticate to and remotely access a computer within the enterprise network. With this access, the attacker can directly download the malware and execute it on the machine under their control.
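As an added illustration of the RDP vector described above (example code written for this page, not Apogee’s tooling), the following Python detection runs over a constructed set of Windows logon events and flags the two things a SOC would want to see: a burst of failed RDP logons followed by a success for the same account and source (guessed credentials), and a successful RDP logon from outside an assumed internal address range (stolen credentials used from elsewhere). The account names, addresses and internal ranges are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample of Windows Security log events (not real telemetry):
# (timestamp, event_id, account, source_ip, logon_type).
# Event 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    ("2022-11-22T08:00:01", 4625, "jsmith", "203.0.113.45", 10),
    ("2022-11-22T08:00:03", 4625, "jsmith", "203.0.113.45", 10),
    ("2022-11-22T08:00:05", 4625, "jsmith", "203.0.113.45", 10),
    ("2022-11-22T08:00:07", 4625, "jsmith", "203.0.113.45", 10),
    ("2022-11-22T08:00:09", 4625, "jsmith", "203.0.113.45", 10),
    ("2022-11-22T08:00:12", 4624, "jsmith", "203.0.113.45", 10),
    ("2022-11-22T08:15:00", 4624, "alee", "10.0.5.20", 10),
    ("2022-11-22T08:16:00", 4625, "alee", "10.0.5.20", 10),
    ("2022-11-22T08:16:30", 4624, "alee", "10.0.5.20", 10),
    ("2022-11-22T09:00:00", 4624, "svc_backup", "198.51.100.7", 3),
]

# Assumed corporate address space (placeholder RFC 1918 ranges).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip):
    """True if the source address belongs to one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_rdp_abuse(events, fail_threshold=5, window=timedelta(minutes=5)):
    """Return alerts for the two RDP credential-abuse patterns.

    1. A successful RDP logon preceded by `fail_threshold` or more failures for
       the same account from the same source within `window`.
    2. A successful RDP logon from an address outside the internal ranges.
    """
    alerts = []
    failures = defaultdict(list)  # (account, source_ip) -> failed-logon timestamps
    for ts_str, event_id, account, ip, logon_type in sorted(events):
        if logon_type != 10:  # only RDP sessions matter for this rule
            continue
        ts = datetime.fromisoformat(ts_str)
        key = (account, ip)
        if event_id == 4625:
            # keep only failures still inside the window, then add this one
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
        elif event_id == 4624:
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("password_guessing_then_success", account, ip, ts_str))
            if not is_internal(ip):
                alerts.append(("rdp_logon_from_external_ip", account, ip, ts_str))
            failures[key] = []  # reset after a success so each burst alerts once
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are tuning knobs: a single mistyped password (the alee events) stays silent, while the jsmith sequence produces both alerts. Non-RDP logons (type 3, network) are deliberately ignored here so the rule stays focused on the vector the text describes.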

Step 2. Data Encryption

After ransomware has gained access to a system, it can begin encrypting its files. Since encryption functionality is built into modern operating systems, this simply involves accessing files, encrypting them with an attacker-controlled key, and replacing the originals with the encrypted versions. Most ransomware variants are cautious in their selection of files to encrypt to ensure system stability. Some variants will also take steps to delete backup and shadow copies of files to make recovery without the decryption key more difficult.
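The deletion of backups and shadow copies mentioned above is one of the most reliable early signals of a ransomware run, because legitimate software almost never disables several recovery mechanisms at once. The following Python example (added for this page; not Apogee’s code) matches a few well-documented recovery-tampering command lines against a constructed batch of process-creation records and escalates a host only when two or more distinct rules fire on it. Host names, users and the record shape are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation records, shaped like what Sysmon Event
# ID 1 or Windows Security Event 4688 would provide; not real telemetry.
SAMPLE_PROCESSES = [
    {"host": "WS-101", "user": "CORP\\jsmith", "parent": "explorer.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS-101", "user": "CORP\\jsmith", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-101", "user": "CORP\\jsmith", "parent": "cmd.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "WS-101", "user": "CORP\\jsmith", "parent": "cmd.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "FS-02", "user": "CORP\\backupsvc", "parent": "services.exe",
     "cmdline": "wbadmin.exe start backup -backupTarget:E: -include:C:"},
    {"host": "WS-205", "user": "CORP\\alee", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile Get-Process"},
]

# Each rule pairs a name with a command-line pattern. Only destructive operations
# match: listing shadow copies or starting a backup is normal admin activity.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]


def match_rules(record):
    """Names of the rules whose pattern matches this record's command line."""
    return [name for name, pattern in RULES if pattern.search(record["cmdline"])]


def detect_recovery_tampering(records):
    """One hit per (record, rule) pair, carrying the context an analyst needs."""
    hits = []
    for record in records:
        for name in match_rules(record):
            hits.append({"rule": name, "host": record["host"], "user": record["user"],
                         "parent": record["parent"], "cmdline": record["cmdline"]})
    return hits


def hosts_to_escalate(records, min_distinct_rules=2):
    """Hosts where two or more distinct rules fired.

    A single deletion can be a legitimate cleanup; several different recovery
    mechanisms being disabled on one host in the same batch of telemetry is the
    behaviour described in Step 2 and warrants isolation and investigation.
    """
    rules_by_host = defaultdict(set)
    for hit in detect_recovery_tampering(records):
        rules_by_host[hit["host"]].add(hit["rule"])
    return sorted(host for host, rules in rules_by_host.items()
                  if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    for hit in detect_recovery_tampering(SAMPLE_PROCESSES):
        print(hit["host"], hit["rule"], "<-", hit["cmdline"])
    print("escalate:", hosts_to_escalate(SAMPLE_PROCESSES))
```

The parent process is kept in each hit because it is the first thing a responder checks: a recovery-tampering command spawned from a user’s shell or an Office process looks very different from one spawned by a backup service.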

Step 3. Ransom Demand

Once file encryption is complete, the ransomware is prepared to make a ransom demand. Different ransomware variants implement this in numerous ways, but it is not uncommon to have the desktop background changed to a ransom note or text files containing the ransom note placed in each encrypted directory. Typically, these notes demand a set amount of cryptocurrency in exchange for access to the victim’s files. If the ransom is paid, the ransomware operator will provide either a copy of the private key used to protect the symmetric encryption key or a copy of the symmetric encryption key itself. This information can be entered into a decryptor program (also provided by the cybercriminal), which uses it to reverse the encryption and restore access to the user’s files.
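Seen from the file system, the encrypt-and-replace loop of Step 2 and the note-in-every-directory behaviour of Step 3 leave two characteristic traces: one process writing to many user files in a short burst, and the same filename being created across many directories. The following Python example (added for this page; not Apogee’s code) implements both detections over a constructed stream of file events of the kind an EDR or Sysmon file-create telemetry would provide. Process names, paths and the note filename are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed sample of file-system events (not real telemetry):
# (timestamp, operation, process, path)
SAMPLE_FILE_EVENTS = [
    ("2022-11-22T10:00:00", "write", "unknown.exe", r"C:\Users\jsmith\Documents\budget.xlsx"),
    ("2022-11-22T10:00:01", "write", "unknown.exe", r"C:\Users\jsmith\Documents\report.docx"),
    ("2022-11-22T10:00:02", "create", "unknown.exe", r"C:\Users\jsmith\Documents\README_RESTORE.txt"),
    ("2022-11-22T10:00:03", "write", "unknown.exe", r"C:\Users\jsmith\Pictures\holiday.jpg"),
    ("2022-11-22T10:00:04", "write", "unknown.exe", r"C:\Users\jsmith\Pictures\family.jpg"),
    ("2022-11-22T10:00:05", "create", "unknown.exe", r"C:\Users\jsmith\Pictures\README_RESTORE.txt"),
    ("2022-11-22T10:00:06", "write", "unknown.exe", r"C:\Users\jsmith\Desktop\notes.txt"),
    ("2022-11-22T10:00:07", "write", "unknown.exe", r"C:\Users\jsmith\Desktop\todo.txt"),
    ("2022-11-22T10:00:08", "create", "unknown.exe", r"C:\Users\jsmith\Desktop\README_RESTORE.txt"),
    ("2022-11-22T10:05:00", "write", "winword.exe", r"C:\Users\alee\Documents\memo.docx"),
    ("2022-11-22T10:06:00", "create", "chrome.exe", r"C:\Users\alee\Downloads\invoice.pdf"),
    ("2022-11-22T10:06:30", "create", "chrome.exe", r"C:\Users\alee\Downloads\slides.pptx"),
]


def detect_ransom_note_drops(events, min_dirs=3):
    """Flag a process that creates a file with the same name in many directories.

    This is the "text file placed in each encrypted directory" behaviour from
    Step 3; ordinary applications rarely fan one filename out across folders.
    """
    dirs_by_name = defaultdict(set)  # (process, filename) -> directories seen
    for _, op, proc, path in events:
        if op == "create":
            directory, name = ntpath.split(path)  # ntpath handles Windows paths on any OS
            dirs_by_name[(proc, name)].add(directory)
    return [
        {"process": proc, "note_name": name, "directories": sorted(dirs)}
        for (proc, name), dirs in dirs_by_name.items()
        if len(dirs) >= min_dirs
    ]


def detect_mass_modification(events, min_files=5, window=timedelta(seconds=30)):
    """Flag a process that writes to at least `min_files` distinct files within `window`.

    This is the encrypt-and-replace loop from Step 2 as seen from the file
    system: a burst of writes across user documents by a single process.
    """
    writes = defaultdict(list)  # process -> [(timestamp, path)]
    for ts, op, proc, path in events:
        if op == "write":
            writes[proc].append((datetime.fromisoformat(ts), path))
    alerts = []
    for proc, items in writes.items():
        items.sort()
        start, best = 0, 0
        for end in range(len(items)):  # sliding window over this process's writes
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in items[start:end + 1]}))
        if best >= min_files:
            alerts.append({"process": proc, "files": best})
    return alerts


if __name__ == "__main__":
    print(detect_ransom_note_drops(SAMPLE_FILE_EVENTS))
    print(detect_mass_modification(SAMPLE_FILE_EVENTS))
```

Either signal alone can fire on legitimate software (a sync client or a bulk image converter), so in practice the two are correlated with each other and with the recovery-tampering signals from Step 2 before a host is isolated; the thresholds here are deliberately low so the constructed sample triggers them.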
