
How Ransomware Works

Tristen Cooper

Cyberattacks are no longer a matter of if they will happen but when. For SMBs, an attack can easily knock out productivity and result in thousands of dollars in lost time and business. What makes the threat of a cyberattack even more challenging for such companies is the limited IT resources on hand to deal with security incidents.

As an SMB leader or IT manager, the adage ‘to be forewarned is to be forearmed’ applies, as knowledge may very well be the critical edge needed to thwart an attack. 

In this article, we look at what, for most IT personnel, is the bogeyman in the closet: ransomware. We unpack the information you need to understand how it works and how to protect your organization effectively.

What Is Ransomware?

Ransomware is malware (malicious software) that encrypts files and, through a ransom note, demands payment to decrypt them. It typically infects connected devices such as computers, mobile devices, and servers through methods such as email phishing, Remote Desktop Protocol (RDP) compromise, malvertising (malicious advertising), social engineering, or software vulnerabilities.

Once a machine is infected, the software can quickly spread to other networked machines and devices, compromising every device in an organization and making it even more urgent to resolve the incident so the company can resume operations.

How Much Do Criminals Demand? 

The average ransom demand almost doubled from US$115,123 in 2019 to $312,493 in 2020, marking a staggering 171% YoY increase. While larger companies get demands running into the millions of dollars, the average mid-sized company ransom demand was $170,404. 

Security researchers believe that more sophisticated attackers demand higher amounts from bigger companies while extorting smaller amounts from SMBs. In general, they demand amounts that they know the company can pay on short notice.

For most SMBs, paying a relatively small ransomware demand might make economic sense, but, in some cases, the criminals might take the money and run, leaving the victim with encrypted files that they can never recover. 

That’s why it’s always best to think of preventive measures over simply considering the cost of paying off the attackers. 

Ransomware Types

For the criminals behind ransomware, how the software works is a matter of economics. 

Some ransomware types (crypto-ransomware) encrypt user files (non-system files) such as Word documents, Excel spreadsheets, and JPEG images, leaving the company with enough computing functionality to pay the ransom.

Others are more malicious (locker ransomware) and block essential computer functions, making it impossible to operate the computer at all.

While there are tens of ransomware varieties, they all operate within this narrow band of possibilities. The endgame is to compel the victim to pay to get their files decrypted. 

Ransomware Variant Examples

Since its emergence in 2012, ransomware has evolved and adapted to evade detection and thwart network defenses. 

Here’s a brief list of notable ransomware variants: 

WannaCry (Inactive)

Also called WannaCrypt, WCry, Wana Decrypt0r 2.0, WannaCrypt0r 2.0, and Wanna Decryptor, this worm emerged in 2017 and exploited the EternalBlue vulnerability in Microsoft Windows OS. 

CryptoLocker (Inactive)

Compiled as a Trojan horse and released in 2013, CryptoLocker spread through email attachments and the Gameover ZeuS botnet, netting its operators $3 million before its takedown in 2014. 

Petya and NotPetya (Inactive)

Petya appeared in 2016 and encrypted local system files, rendering affected machines unusable while demanding payment for decryption. NotPetya appeared in 2017 and similarly encrypted local files, but without any option to decrypt them, which resulted in billions of dollars worth of losses for businesses worldwide.

CryptoWall (Active)

Released in 2013, it spread through malicious ads, phishing emails, and exploit kits and primarily targeted local hard drives and mounted drives. CryptoWall 3.0, released in 2015, is the most pervasive and lucrative version for attackers.

REvil/Sodinokibi (Active)

Linked to the authors of GandCrab, this ransomware is considered the epitome of malware sophistication due to the sheer number of measures it takes to evade detection and deletion. 

Ryuk (Active)

The cybercrime group Wizard Spider runs this ransomware, which relies on spear-phishing campaigns that leveraged the now-defunct Emotet botnet (it now uses the TrickBot modular malware). To date, it has gained $3.7 million from 52 known transactions.

GandCrab (Inactive)

Believed to have originated in Russia, it first appeared in 2018 and operates as Ransomware-as-a-Service (RaaS), with payments split between the attacker who deploys it and the ransomware owners.

Reveton (Active)

Commonly referred to as the ‘Police Trojan,’ it uses social engineering to trick victims into thinking a law enforcement agency has locked their files and they must pay a fine to unlock them. 

Locky (Active)

Locky (not to be confused with the God of Mischief) appeared in 2016 as a Microsoft Word file with malicious macros and relied on social engineering to compel users to enable macros, which would activate the ransomware.

Ransomware Statistics

Ransomware is an ever-increasing threat for thousands of businesses and organizations globally. To put this in perspective, there have been over 4,000 ransomware attacks per day in the United States since 2016.

Here are nine more ransomware statistics you should be aware of: 

  1. Ransomware remains the most prevalent and prominent malware threat. (Datto, 2019)
  2. Estimates show that in 2021, a ransomware attack will occur every 11 seconds. (Cybercrime Magazine, 2019) 
  3. Around 1 in 6,000 emails contain suspicious links, including ransomware. (Fortinet, 2020)
  4. Twenty-one days is the average downtime a company experiences after a ransomware attack. (Coveware, 2021)
  5. Email phishing, RDP vulnerabilities, and software vulnerabilities are the most common methods hackers use to carry out ransomware attacks. (Cybersecurity & Infrastructure Security Agency, 2021)
  6. Ransomware attack costs surpassed $7.5 billion in 2019. (Emsisoft, 2019)
  7. Total ransomware costs are projected to exceed $20 billion in 2021. (Cybercrime Magazine, 2019) 
  8. Data modeling predicts that ransomware will peak at $6 trillion annually. (Cybersecurity Ventures, 2020)
  9. Cybercriminals will focus on targeting remote workers throughout 2021. (Security Magazine, 2020)

How Does Ransomware Work?

At a fundamental level, ransomware works like any other type of software: it is a set of programming commands (software code) that makes administrative changes to an infected machine.

Think of it as someone sneaking into your home, hiding your keys or your wallet, and then asking you to make them a cup of tea so they can tell you where they are (the audacity!).

Now, let’s break down how a ransomware attack starts and how it can spread to other networked computers: 

Getting In

Infiltration is the most challenging part for attackers. They will use various techniques to try and access your network, including email phishing, malicious advertising, exploiting RDP connection weaknesses, and attacking software vulnerabilities head-on. It only takes one user on your network making a mistake and executing the ransomware code for the attackers to infiltrate the system. 

Instantiation, Privilege Escalation, and Proliferation

At this point, the ransomware attack has started, but there is no visible evidence of it yet. Your computers are working fine, and all your files are available.

As you continue working, the ransomware infections will initiate three processes in the background:

  • Instantiation: establish a communication channel with the attacker (usually through DNS tunneling) and, in some cases, download further malware. 
  • Privilege escalation: try to gain additional privileges (mostly admin level) in order to execute at a higher level. 
  • Proliferation: move laterally through the network and infect as many machines and systems as possible. 

Find, Exfiltrate and Lock Sensitive Data

Depending on the type of attack, the ransomware will scan your system for target files and either lock them in place or first exfiltrate them (send them to the attacker) and then lock the local copies. In a locker attack, system files are encrypted and the machine becomes unusable, while in a crypto-ransomware attack only non-system files are locked. In both cases, the files are useless unless the attacker releases the decryption key.
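A defender-side check for the mass-encryption behaviour described above, added here as an example and not part of the original article: it compares two snapshots of a file share, spots files that were renamed with an appended extension and now hold high-entropy (encrypted-looking) content, and looks for a newly dropped ransom note. The entropy threshold, the note-name fragments, the alert rule and the sample files are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.0   # bits per byte; encrypted or compressed data sits close to 8.0 (assumed threshold)
NOTE_MARKERS = ("decrypt", "readme", "restore")   # assumed fragments of ransom-note file names

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ordinary documents usually score well below 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_ransom_note(name: str) -> bool:
    lower = name.lower()
    return lower.endswith(".txt") and any(m in lower for m in NOTE_MARKERS)

def scan_snapshot(before: dict, after: dict) -> dict:
    """Compare two {filename: bytes} snapshots of a share and report mass-encryption indicators."""
    missing = set(before) - set(after)
    # A locked file usually keeps its old name with an extension appended, e.g. report.docx -> report.docx.locked
    renamed = {old: new for old in missing for new in after if new.startswith(old + ".")}
    encrypted = [new for new in renamed.values() if shannon_entropy(after[new]) >= HIGH_ENTROPY]
    notes = [n for n in after if n not in before and looks_like_ransom_note(n)]
    # Assumed rule: at least two renamed high-entropy files plus a new note file => suspected ransomware
    verdict = len(encrypted) >= 2 and len(notes) >= 1
    return {"renamed": len(renamed), "high_entropy": len(encrypted),
            "notes": notes, "suspected_ransomware": verdict}

def pseudo_ciphertext(seed: int, blocks: int = 128) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed, not real ciphertext)."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(blocks))

# Constructed sample: three office files before, and the same share after a crypto-ransomware run
BEFORE = {
    "q1_report.docx": b"Quarterly revenue summary. " * 200,
    "payroll.xlsx": b"employee,amount\n" * 300,
    "logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 4000,
}
AFTER = {
    "q1_report.docx.locked": pseudo_ciphertext(1),
    "payroll.xlsx.locked": pseudo_ciphertext(2),
    "logo.jpg.locked": pseudo_ciphertext(3),
    "README_DECRYPT.txt": b"Your files are encrypted. Pay to receive the key.",
}

if __name__ == "__main__":
    print(scan_snapshot(BEFORE, AFTER))
```

In practice the same logic runs against periodic file-server inventories; a sudden jump in the renamed and high-entropy counts is the signal worth alerting on even before a note appears.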

Get Paid for The Decryption Key

In most cases, a ransomware attack will come with instructions on paying the ransom and getting the decryption key. Since cryptocurrencies are untraceable, most attackers demand payment in Bitcoin or other popular cryptocurrencies. As the victim, paying the ransom can seem like a quick fix, but in some cases, paying isn’t the end of the attack.

Extort Additional Money by Threatening to Publish Exfiltrated Data

Data shows that 80% of organizations that paid a ransom were hit by a second attack, and almost half were hit by the same threat group. In cases where the attackers exfiltrate sensitive data, they can demand additional payments under the threat of releasing this information to the dark web for further exploitation. For business owners, this continued exploitation can turn into a never-ending nightmare with no easy remedy.

Common Targets for Ransomware Attacks

As the business world has gone remote in the wake of the COVID-19 pandemic, attackers have also shifted their focus. 

Now targeting SMBs with remote operational technology (OT) networks, they are going after insecure non-office devices employees use while working from home.

In addition, they are looking for companies on which to apply a blend of data theft, ransom, and extortion techniques.

Although attacks are targeting a wide range of businesses, these are the top three targets for ransomware attacks in 2020 and 2021: 

  • Professional services: Small and mid-sized professional services like law firms and accounting firms typically do not have a robust IT department yet handle sensitive client data, making them a prime target for ransomware and extortion attacks. 
  • Healthcare: Attackers are increasingly targeting healthcare businesses like medical practices due to the sensitive nature of the data they hold. Attackers know that a high percentage of these healthcare organizations will opt to pay rather than deal with regulatory repercussions if the data leaks.
  • Education: Education facilities like schools are a prime target due to their large user populations and relatively limited IT staff. In addition, remote learning has made it even more difficult for education IT departments to enforce security protocols, making schools a soft target for ransomware attacks.

How Can Your Company Get Ransomware?

We’ve covered a lot of ground so far in unpacking what ransomware is and how it works. Now, let’s bring it a little closer to home: how can your company get ransomware?

If you look at all the ransomware variants outlined earlier in this article, you may notice a pattern: they all rely on human error or a lapse in human judgment to work. Or, as Accenture puts it rather candidly, humans are still security’s weakest link.

Your employees, contractors, and anyone else with access to your network are the primary entry point of any ransomware attack that occurs. It might be an employee clicking on a malicious advertisement link or falling victim to a spear-phishing attack. 

Besides the human factor, two other entry points attackers might use are software vulnerabilities and RDP attacks. 

On the software side, three factors might make you or your company a target:

  • Your devices are no longer state-of-the-art
  • They have outdated software
  • Browsers and operating systems have not been recently patched

RDP brute force attacks, on the other hand, rely on weak password policies and misconfigured endpoint security that give attackers privileged access to your network and servers. If you have employees working from home, the risk of RDP attacks is even greater, because they use RDP to access the office network.
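A defender-side detection for the RDP brute-force pattern described above, run over constructed Windows Security log lines; this is an added example, not part of the original article. The failure threshold, the sliding window, the simplified CSV export format and the sample source addresses are assumptions; Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumed: failed RDP logons from one source before alerting
WINDOW = timedelta(minutes=2)   # assumed: sliding window for counting those failures
RDP_LOGON_TYPE = "10"           # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed sample in a simplified export format: timestamp,event_id,logon_type,source_ip,account
# Windows Security log: Event ID 4625 = an account failed to log on, 4624 = successful logon.
SAMPLE_LOG = """\
2021-03-02T08:00:01Z,4625,10,203.0.113.7,administrator
2021-03-02T08:00:03Z,4625,10,203.0.113.7,admin
2021-03-02T08:00:04Z,4625,10,203.0.113.7,backup
2021-03-02T08:00:06Z,4625,10,203.0.113.7,jsmith
2021-03-02T08:00:07Z,4625,10,203.0.113.7,helpdesk
2021-03-02T08:00:09Z,4624,10,203.0.113.7,helpdesk
2021-03-02T08:05:00Z,4625,10,198.51.100.20,jsmith
2021-03-02T08:30:00Z,4625,10,198.51.100.20,jsmith
2021-03-02T09:00:00Z,4625,2,192.0.2.5,svc_backup
"""

def parse(line: str):
    ts, event_id, logon_type, ip, account = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event_id, logon_type, ip, account

def detect_rdp_bruteforce(log_text: str) -> dict:
    """Return {source_ip: alert} for sources with >= FAIL_THRESHOLD RDP failures inside WINDOW.
    The alert is marked followed_by_success when the same source later logs on successfully."""
    failures = defaultdict(deque)   # source_ip -> recent (timestamp, account) failures
    alerts = {}
    for line in log_text.splitlines():
        ts, event_id, logon_type, ip, account = parse(line)
        if logon_type != RDP_LOGON_TYPE:
            continue                 # console, network and service logons are out of scope here
        if event_id == "4625":
            recent = failures[ip]
            recent.append((ts, account))
            while recent and ts - recent[0][0] > WINDOW:
                recent.popleft()     # expire failures that fell out of the sliding window
            if len(recent) >= FAIL_THRESHOLD and ip not in alerts:
                alerts[ip] = {"failures": len(recent), "followed_by_success": False,
                              "accounts": sorted({a for _, a in recent})}
        elif event_id == "4624" and ip in alerts:
            alerts[ip]["followed_by_success"] = True   # a guess landed: treat that session as compromised
    return alerts

if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

The two slow failures from 198.51.100.20 fall outside the window and never alert, while the burst from 203.0.113.7 followed by a success is the case to investigate first, since it is exactly the foothold the attack chain above starts from.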

How To Protect Yourself and Your Organization from Ransomware

Prevention is better than cure, so protecting yourself and your organization from ransomware is the best place to start. As part of a comprehensive cybersecurity policy framework, these are the top ways you can push back against ransomware attackers:

Secure Privileged Access Credentials

Attackers always seek admin-level credentials before and during an attack. As a best practice, avoid storing such passwords and other credentials in unencrypted form. Also, ensure you do not use default passwords like ‘admin123’ or ‘companyadmin’, as attackers try these first. An excellent option is a third-party password manager that fills in passwords securely with no need to store them on your network.

Train Users to Recognize Phishing and Other Attacks

Train your users to never click on unsafe links, reveal personal information or passwords via email, or open suspicious emails. What’s surprising is that just these three measures can significantly improve your odds against ransomware. Other areas you should train your users on are only using trusted download sources, never using unknown USB drives, and always using a VPN when on public Wi-Fi or when connecting remotely. 

Implement Zero Trust Policies

Zero trust policies assume no one can be trusted by default. That means no IP address, endpoint device, machine, or anything else can connect to the network without verification. One application of this principle restricts employees from connecting to the company network from a personal or unverified device or from an unverified IP address.

Update Everything, Always

We know software and operating system updates and patches can be tedious, mainly because they are released almost weekly. But don’t skip that update, because on the other side of the fence, attackers are following update releases religiously, looking for vulnerabilities they can attack through zero-day exploits.

Always Maintain Secure Backups

Removing ransomware is the easy part; getting back your files is the impossible part. Backups are the only way to avoid worst-case ransomware scenarios. Think of having no backups like putting an expensive alarm in a car that has no insurance. Get an automatic and secure backup solution as an insurance policy in the unlikely (or likely) event that you do experience a ransomware attack.

Vulnerability Management

Patching or updating is critical, but in addition you also need to scan the network and the attached devices as a whole, looking for exploitable vulnerabilities. Scanning helps detect vulnerabilities in assets so that remediation can be applied as early as possible. A third-party vulnerability management solution lets you automate and accelerate these tasks: it continuously scans your network’s assets and activities, prioritizes the findings, and provides the required remediation steps.

What To Do If You Get Ransomware

Let’s assume the worst has happened and you get ransomware: what do you do?

First, don’t panic. 

The situation might appear dire, but take a deep breath and take the following steps:

  1. Take your entire system offline: Ransomware needs to communicate with the attacker to know what to do. Taking your system offline will stop this communication and prevent further damage.
  2. Identify the type of ransomware: Is it screen-locking, file locking, or system locking ransomware? Usually, how it behaves will tell you what type it is. This information will help you decide what to do in the following steps. 
  3. Decide whether to pay the ransom (skip if you have backups): The FBI strongly recommends against paying, but it might make sense to pay in some cases. For instance, if you have sensitive client data, intellectual property, or unique imagery, you might consider paying a small ransom to get them back.
  4. Remove the ransomware: Use antivirus software or any other malware removal tool to remove the ransomware from your computers and network. 
  5. Restore your files or system: Restore the files to your computers and systems if you have backups. If the ransomware has locked your machines, a clean reinstall or system restore will do the trick. 

Last Words

Ransomware can be scary and frustrating, especially when it affects your business operations. You can imagine being busy at work, and suddenly your critical files have strange extensions, you cannot open them, and a note pops up asking for payment. Despite all the attacks you see in the news, it is possible to beat attackers and keep your files and systems safe. Hopefully, after reading this post, you now know that although ransomware is a severe threat, you can protect yourself and your organization with a better understanding of how it works.