Ransomware Explained: What Is It and How Does It Work?
If you use the internet (and let’s face it, we all do), it’s important to be aware of cyber security. Whether you’re a normal at-home user, a small or home business, or a large corporation, you can be targeted by a cyber attacker.
Cyber attacks can cause significant harm, especially to businesses that rely on their systems and data to function. One of the most common forms of malicious cyber attacks is ransomware, and while it may often be associated with the typical “scammer wanting your bank details to give you a million dollar inheritance,” ransomware is much more than that, and it can pose a major threat.
What is Ransomware?
Simply put, ransomware is software that holds a computer system ‘ransom’. It’s a type of malicious software that is designed to block access to a computer system until a sum of money is paid.
Cyber attackers are often highly technical and can use a number of methods to infiltrate a computer system. A common delivery method is spam email carrying malicious attachments, but ransomware can also enter a computer system through users’ lack of cyber security training, weak passwords or access management, poor user practices, malicious websites or ads, and more.
Ransomware attacks are financially motivated, and they can hit both individuals and companies. Targets are typically selected based on their wealth; because the whole purpose is to extort money, these attacks are more commonly aimed at organisations.
What Does Ransomware Do?
There are many scenarios in which ransomware can infect a system, but here is a basic example:
A person is sitting at home using their regular computer when they receive an email that – unbeknownst to them – contains a ransomware file. The user opens the file, but nothing seems to happen; at least, nothing that the user notices at first. However, the file has infected the computer in the background. It lies in wait until the attacker activates it, at which point they use it to gain control of the computer and scan the network for anything they can access. Once the attacker has found the high-value data, they encrypt or destroy it, making it inaccessible to the user. Then they disable the computer so it is unusable and advise the user of the encryption, at which point they demand the ransom.
How Does Ransomware Work? A Breakdown of the Break-In
An easy way to understand how ransomware works is through the analogy of a house. In this analogy, the business or organization is the house, and the cyber attackers are trying to burgle it.
Gaining Access
First, the attackers (burglars) need to gain access, like finding an open door or window. In this step, they are looking for a weakness, a way in. They can exploit weaknesses in the organization (house) by looking at things like:
- Easily guessed passwords
- Fake websites asking for credentials
- Application or hardware vulnerability
- Credential (password) stuffing (trying a password that worked on one account across many other logins)
- Lack of firewalling (similar to leaving the keys in the door when you leave the house)
- Malicious attachment (i.e., “Please run this file”)
- Phishing attempts
VPN endpoints are becoming a very common target for phishing attempts. Attackers can also find their way into publicly exposed (internet-facing) email servers and start altering emails. Even poorly coded websites can leave an organization open to exploitation: if the website was not developed with security in mind, it can leave the organization vulnerable.
Preparation
Once the burglars have opened the door, they’ll go for a wander around the house. The first thing they’ll do is establish command and control, where the attacker deploys downloaded tools that can perform functions without the knowledge of the user. Once they have control, they’ll start scanning the network to discover anything that can be exploited or used as a high-value target. Much like a burglar cracking a safe to find the jewels inside, they’ll force their way up to the admin level they require by exploiting loopholes, poor security, and poor design.
The Impact: Stealing and Destroying
Once they’ve found your valuables, you will feel the impact. The attackers will locate and exfiltrate any valuable information, and that is what they will hold to ransom. They will also destroy or purge the backups so you can’t recover or restore the data. Their final step is then to make your data unusable and demand the ransom.
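As an added example (not part of the original article), here is a small Python detector for the two impact-stage behaviours described above, run over file-activity events: a burst of renames to one new extension (files being encrypted) followed by deletions in backup locations. The backup paths, the thresholds and the sample events are constructed assumptions, not real telemetry.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed backup locations for this example; adjust to the real environment.
BACKUP_PREFIXES, BACKUP_SUFFIXES = ("/backups/",), (".bak", ".vhdx")

def parse(raw):
    """Rows are (iso_ts, user, action, path); rename paths read 'old -> new'."""
    return sorted((datetime.fromisoformat(ts), user, action, *path.partition(" -> ")[::2])
                  for ts, user, action, path in raw)

def rename_bursts(events, burst=20, window=60):
    """Flag a user renaming >= `burst` files to one new extension within `window` seconds."""
    per_key = defaultdict(list)
    for ts, user, action, src, dst in events:
        ext = os.path.splitext(dst)[1]
        if action == "rename" and ext != os.path.splitext(src)[1]:
            per_key[(user, ext)].append(ts)
    alerts, limit = [], timedelta(seconds=window)
    for (user, ext), times in per_key.items():
        lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > limit:
                lo += 1
            if hi - lo + 1 >= burst:
                alerts.append({"stage": "mass_rename", "user": user, "ext": ext})
                break
    return alerts

def backup_purges(events):
    """Flag deletions inside backup locations (the 'purge the backups' step)."""
    return [{"stage": "backup_purge", "user": u, "path": src}
            for _, u, action, src, _ in events if action == "delete"
            and (src.startswith(BACKUP_PREFIXES) or src.endswith(BACKUP_SUFFIXES))]

def assess(raw):
    """Return (severity, alerts): 'critical' when one account both encrypts and purges backups."""
    events = parse(raw)
    alerts = rename_bursts(events) + backup_purges(events)
    encrypting = {a["user"] for a in alerts if a["stage"] == "mass_rename"}
    purging = {a["user"] for a in alerts if a["stage"] == "backup_purge"}
    return ("critical" if encrypting & purging else "high" if alerts else "none"), alerts

# Constructed sample: one benign rename, then 25 files renamed to '.locked' in 25 s, then two backup deletions.
SAMPLE = [("2024-01-10T09:00:00", "alice", "rename", "/home/alice/draft.docx -> /home/alice/final.docx")]
SAMPLE += [(f"2024-01-10T10:00:{i:02d}", "svc-share", "rename",
            f"/shares/finance/inv{i}.xlsx -> /shares/finance/inv{i}.xlsx.locked") for i in range(25)]
SAMPLE += [("2024-01-10T10:01:05", "svc-share", "delete", "/backups/finance/2024-01-09.bak"),
           ("2024-01-10T10:01:06", "svc-share", "delete", "/backups/finance/2024-01-08.bak")]
```

Calling `assess(SAMPLE)` returns `"critical"` because the same account both mass-renamed files and deleted backups; the lone benign rename on its own produces no alert.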
Dealing With an Attack: No Guarantees
Obviously, ransomware is an illegal practice, but due to the anonymous nature of the internet it’s very difficult to track down cyber attackers. Within New Zealand, all agencies share the same message: DO NOT PAY THE RANSOM. As this is a financially motivated attack, if you take away the money, you take away the motivation.
Unfortunately, it’s not always as simple as that. Targets – especially large corporations – often see the ransomed files and data as more valuable than the recovery costs. Therefore, they will often pay the ransom in hopes of retrieving this information.
However, paying the ransom is no guarantee of regaining access to your files. Even if you do pay, the attacker may not unlock your infrastructure; or if they do, there’s no guarantee you’ll get everything back. There’s also the risk that they will simply re-activate the ransomware and demand another ransom, as the malicious file will still be on your computer.
Much like with your health, prevention is the best medicine. Your best line of defense is to stop ransomware from entering your system in the first place.
Click here to find out ways you can protect your business or organization from ransomware.