Ransomware is a class of malware that denies victims access to their data, most often by encrypting it, and then demands a ransom in exchange for restoring that access. Attackers routinely promise to restore access once payment arrives, but in many cases no working decryptor is ever delivered, so those promises should not be taken at face value.
Victims are given instructions for paying the fee in order to receive a decryption key. Demands against individuals have historically ranged from hundreds to thousands of dollars; demands against organizations are often far higher. Payment is almost always requested in cryptocurrency, most often Bitcoin.
How does Ransomware operate?
Ransomware can reach a machine through several infection vectors. The most common is phishing spam: email attachments that pose as a trusted document. Once the attachment is downloaded and opened, the embedded code runs with the user's privileges and has free rein on the victim's machine. Some families bundle social-engineering tricks that coax the user into granting administrative access, for example by prompting for elevation under a plausible pretext. More aggressive families instead exploit unpatched vulnerabilities in exposed services (file sharing, remote desktop, VPN appliances) or in the browser, which lets them infect a machine without any social engineering at all.
Once it is running, the malware can take a number of actions, but by far the most common today is to encrypt the user's files. Well-written families use sound cryptography, with the key needed for decryption held only by the attackers, so the files cannot be recovered by brute force or by analysing the malware; free decryptors exist only for families with implementation mistakes. The ransomware then presents a ransom note warning the victim that their files are inaccessible and can only be decrypted after a cryptocurrency payment. Note that Bitcoin payments are pseudonymous rather than untraceable: blockchain analysis has repeatedly been used to follow ransom proceeds.
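Because the encryption itself cannot be undone, defenders look for the side effects of mass encryption instead. The following is an added example, not code from the original article: a small Python scanner that flags files whose contents look like ciphertext (near-maximal Shannon entropy), exempts formats that are legitimately high-entropy because they are already compressed, and spots ransom-note file names. The 7.5 bits/byte threshold, the extension lists, the note-name markers and the sample directory are all assumptions constructed for the example.

```python
import math
import random
import zlib
from collections import Counter

# Assumed cut-off: uniform random bytes score ~8.0 bits/byte, English text ~4-5.
ENTROPY_THRESHOLD = 7.5
# Legitimate formats that are already compressed and therefore look random.
COMPRESSED_EXTS = {"zip", "gz", "7z", "rar", "jpg", "png", "mp4", "pdf"}
# Substrings that commonly appear in ransom-note file names (assumed list).
RANSOM_NOTE_MARKERS = ("readme", "decrypt", "restore", "how_to", "recover")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Return 'note', 'encrypted', 'compressed' or 'plain' for one file."""
    lower = name.lower()
    ext = lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in ("txt", "html", "hta") and any(m in lower for m in RANSOM_NOTE_MARKERS):
        return "note"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        # High entropy is only suspicious when the format is not expected to be compressed.
        return "compressed" if ext in COMPRESSED_EXTS else "encrypted"
    return "plain"


def scan(files):
    """Map file name -> classification for a dict of {name: contents}."""
    return {name: classify(name, data) for name, data in files.items()}


def ransomware_suspected(files, min_encrypted: int = 2) -> bool:
    """Alert when several files look freshly encrypted or a ransom note has appeared."""
    verdicts = scan(files)
    encrypted = sum(1 for v in verdicts.values() if v == "encrypted")
    return encrypted >= min_encrypted or "note" in verdicts.values()


# Constructed sample directory; seeded PRNG output stands in for ciphertext.
_rng = random.Random(1234)


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAINTEXT = b"Q3 revenue grew four percent against a flat cost base.\n" * 60
SAMPLE_FILES = {
    "q3_report.txt": PLAINTEXT,
    "q3_report.txt.locked": _random_bytes(4096),
    "budget.xlsx.locked": _random_bytes(4096),
    "holiday_photos.zip": zlib.compress(_random_bytes(2048)),
    "README_DECRYPT_FILES.txt": b"Your files have been encrypted. Pay 0.5 BTC to the address below.\n",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{verdict:10s} {name}")
    print("ransomware suspected:", ransomware_suspected(SAMPLE_FILES))
```

Entropy on its own produces false positives (archives, media, encrypted containers), which is why the example pairs it with an extension allow-list and a count threshold; production endpoint tooling additionally watches write rates, extension-rename patterns and canary files that no legitimate process should touch.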
Some variants instead pose as law enforcement: they lock the computer, claim that pirated software or illegal content was found on it, and present the ransom as a fine. These are common tactics, not isolated cases.
Other variants threaten to publish sensitive data stolen from the victim before it was encrypted. Publishing the data is known as doxing; the combination of encryption and a leak threat is known as double extortion.
Who are the most common targets of Ransomware?
Attackers choose targets for their ransomware campaigns in different ways. Some campaigns go after targets of opportunity with weaker security, such as universities or small companies with little or no dedicated security staff.
In other cases larger organizations with better defences are the more tempting target, because they can afford to pay quickly and every hour of disruption costs them more. Medical facilities are targeted heavily because patient data can be sold on the dark web and because downtime puts patients at risk. More broadly, any organization holding sensitive data may prefer to pay rather than risk that data being exposed.
Some ransomware spreads with no specific target at all, propagating automatically across the internet in the manner of a worm.
How does Ransomware infect a system?
For cybercriminals, email remains the most reliable attack vector. Messages disguised as legitimate correspondence fool users into opening an infected attachment or clicking a link to a malicious website; either leads to the same outcome.
This approach is known as phishing: luring users into taking the bait and infecting their own system. Bulk spam is often glaringly obvious, but phishing that has specific targets in mind is far stealthier, and many phishing emails today are more sophisticated than users expect.
When phishing is targeted, attackers take the time to research their chosen victims; the public domain usually contains enough information to support the social engineering. An email that appears to come from a friend or business associate raises far less suspicion than one from a stranger. This is spear phishing: the attackers pick a specific person or group. The infected attachment can be disguised as anything, from a contract or regulatory form to an invoice, and the more ordinary it looks, the better.
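The tells described above can be checked mechanically before a message reaches a user. The following is an added example, not code from the original article: a Python triage script built on the standard-library email parser that flags attachments with directly executable or macro-capable extensions, the classic decoy double extension (invoice.pdf.exe), links whose visible text names one host while the href points at another, and links to bare IP addresses. The extension lists, the finding codes and the sample message (with a documentation-range IP) are constructed assumptions for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Extensions Windows runs directly, or that commonly smuggle scripts/macros (assumed lists).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "vbe", "wsf",
                   "hta", "bat", "cmd", "ps1", "lnk", "msi"}
MACRO_EXTS = {"doc", "xls", "ppt", "docm", "xlsm", "pptm"}
CONTAINER_EXTS = {"zip", "rar", "7z", "iso", "img"}
# Harmless-looking extensions used as the visible part of a double extension.
DECOY_EXTS = {"pdf", "txt", "jpg", "png", "docx", "xlsx"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def extension_chain(filename: str):
    """'Invoice.pdf.exe' -> ['pdf', 'exe']; names without a dot give []."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def triage_attachment(filename: str):
    """Return (code, detail) findings for one attachment file name."""
    findings = []
    exts = extension_chain(filename)
    if not exts:
        return findings
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        findings.append(("executable_attachment", filename))
    if last in MACRO_EXTS:
        findings.append(("macro_capable_document", filename))
    if last in CONTAINER_EXTS:
        findings.append(("container_attachment", filename))
    # A decoy extension followed by a non-decoy one: the user sees "pdf", Windows runs "exe".
    if len(exts) > 1 and exts[-2] in DECOY_EXTS and last not in DECOY_EXTS:
        findings.append(("double_extension", filename))
    return findings


def triage_links(html: str):
    """Flag IP-literal links and anchors whose visible URL disagrees with the real href."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", text).strip()
        if IPV4_RE.match(href_host):
            findings.append(("ip_literal_link", href))
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = text if "://" in text else "http://" + text
            text_host = (urlparse(shown).hostname or "").lower()
            if text_host and text_host != href_host:
                findings.append(("link_text_mismatch", f"{text} -> {href}"))
    return findings


def triage_message(raw: bytes):
    """Walk every MIME part of a raw message and collect findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" and part.get_filename():
            findings.extend(triage_attachment(part.get_filename()))
        elif part.get_content_type() == "text/html":
            findings.extend(triage_links(part.get_content()))
    return findings


# Constructed sample: an "overdue invoice" lure with a spoofed link and a decoy double extension.
SAMPLE_EMAIL = b"""\
From: accounts@supplier-billing.example.net
To: bob@example.com
Subject: Overdue invoice #4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the attached invoice or
<a href="http://203.0.113.7/inv/login">https://portal.example.com/invoices</a>.</p></body></html>
--b1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

QUFBQQ==
--b1--
"""

if __name__ == "__main__":
    for code, detail in triage_message(SAMPLE_EMAIL):
        print(f"{code:24s} {detail}")
```

File-name checks are a first filter only: the attachment's real type should be confirmed from its magic bytes and archives opened in a sandbox, because attackers also ship executables inside password-protected zips and macros inside files whose extension looks innocuous.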
Exploit kits work differently: no email attachment is involved. The attackers compromise a website, or buy ad space on a legitimate one (malvertising), and insert code that redirects visitors to a landing page hosting exploits for vulnerabilities in the browser and its plugins. A single visit is enough; no clicks are needed.
If the visitor's software is vulnerable, the exploit kit downloads and silently installs the ransomware. Unfortunately, avoiding websites with a questionable reputation does not solve the problem: mainstream, legitimate sites become a risk when their security, or that of the advertising networks they load, is compromised, as happened in the 2016 Angler exploit kit campaigns that spread malware through major sites. Keeping the browser, its plugins and the operating system patched removes most of the vulnerabilities these kits depend on.