3 key steps of a ransomware attack

  • Ransomware is a type of malicious software (malware) that locks up the data on your computer and displays an alert demanding payment for its return.
  • Ransomware attacks share the same three core stages: infection and distribution, data encryption, and the ransom demand.
  • However, individual ransomware families can implement these stages differently or add further steps.

Cybercrime has been on the rise for years and shows no signs of slowing. While cyberattacks were once focused on large companies, now everyone—from small business owners to local government employees to individuals—has to be on the alert.

One of the most common types of cyberattack is ransomware. Ransomware can lock up your computer’s data and hold it hostage until you pay a ransom to the attacker. These attacks can be devastating if you’re not properly prepared.

What is ransomware?

Ransomware is a type of malware that reversibly encrypts files on your computer. While many individuals and businesses routinely encrypt their files for security, ransomware is problematic because the attacker—not the owner of the computer—has the decryption key. This means users can’t access their files unless the hacker decrypts them.

In a typical ransomware attack, the hacker will offer to decrypt your files for a price. This is the ransom in the attack, and it can range from hundreds of dollars for an individual to millions for a large corporation.

Some ransomware will delete your files after a specific, predetermined amount of time passes, which puts pressure on victims to pay up quickly. In other ransomware attacks, the attacker will also steal copies of your data and threaten to release them if you refuse to pay. This type of ransomware attack can be particularly problematic for large companies and government agencies that store sensitive data.


How does a ransomware attack work?

To be successful, ransomware needs to gain access to a target system, encrypt the files there, and demand a ransom from the victim.

While the implementation details vary from one ransomware variant to another, all share the same core three stages.

1. Infection and distribution vectors

Ransomware, like any malware, can gain access to an organisation’s systems in a number of different ways. However, ransomware operators tend to prefer a few specific infection vectors.

Phishing: This is the most popular type of social engineering, and it continues to be the top attack vector for all types of malware. Attackers lace legitimate-looking emails with malicious links and attachments to trick users into unwittingly installing malware. Smishing, vishing, spear phishing and watering hole attacks are all forms of phishing and social engineering scams attackers use to deceive people into initiating malware installation.

RDP and credential abuse: Attackers use brute-force or credential-stuffing attacks, or credentials purchased on the dark web, to log into systems as legitimate users and then infect the network with malware. RDP, a favourite of attackers, is a protocol that enables administrators to access servers and desktops from virtually anywhere and lets users remotely access their desktops. Improperly secured RDP implementations, however, are a common ransomware entry point.
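The credential-abuse pattern described above (many failed logons from one source, then a success) can be picked up in authentication logs. The detector below is an added example, not code from the original article: the log lines are constructed and their field layout is an assumption, while the Windows event IDs 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real.

```python
from collections import defaultdict

# Constructed sample of a Windows security log, flattened to one event per line.
# Real event IDs: 4625 = failed logon, 4624 = successful logon; logon type 10 is
# RemoteInteractive, i.e. RDP. The field layout itself is an assumption.
SAMPLE_LOG = """\
2024-05-01T02:10:01Z id=4625 type=10 user=admin src=203.0.113.7
2024-05-01T02:10:02Z id=4625 type=10 user=administrator src=203.0.113.7
2024-05-01T02:10:03Z id=4625 type=10 user=backup src=203.0.113.7
2024-05-01T02:10:04Z id=4625 type=10 user=helpdesk src=203.0.113.7
2024-05-01T02:10:05Z id=4625 type=10 user=svc_sql src=203.0.113.7
2024-05-01T02:10:09Z id=4624 type=10 user=helpdesk src=203.0.113.7
2024-05-01T08:00:00Z id=4625 type=10 user=jsmith src=198.51.100.4
2024-05-01T08:00:20Z id=4624 type=10 user=jsmith src=198.51.100.4
"""

FAILURE_THRESHOLD = 5   # failed RDP logons from one source before a success is suspicious

def parse_event(line: str) -> dict:
    """Turn 'ts key=value ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = ts
    return event

def detect_rdp_credential_abuse(log_text: str, threshold: int = FAILURE_THRESHOLD) -> list:
    """Alert when an RDP success from a source follows >= threshold failures from it.

    Many distinct usernames among the failures points at credential stuffing or
    password spraying rather than one user mistyping a password.
    """
    failures = defaultdict(list)        # source IP -> usernames that failed
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event.get("type") != "10":   # only RDP (RemoteInteractive) logons
            continue
        if event["id"] == "4625":
            failures[event["src"]].append(event["user"])
        elif event["id"] == "4624":
            tried = failures.pop(event["src"], [])
            if len(tried) >= threshold:
                alerts.append({"ts": event["ts"], "src": event["src"],
                               "user": event["user"], "failed_attempts": len(tried),
                               "distinct_users": len(set(tried))})
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_credential_abuse(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from 198.51.100.4 stays below the threshold, while the spray of five usernames from 203.0.113.7 followed by a success is flagged.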

Software vulnerabilities: These are also a frequent target for ransomware infections. Attackers infiltrate a victim’s systems by attacking unpatched or out-of-date software. One of the biggest ransomware incidents in history, WannaCry, is linked to the EternalBlue exploit, a vulnerability in unpatched versions of the Windows Server Message Block (SMB) protocol.


2. Data encryption

After ransomware has gained access to a system, it can begin encrypting its files. Since encryption functionality is built into the operating system, this simply involves accessing files, encrypting them with an attacker-controlled key, and replacing the originals with the encrypted versions. Most ransomware variants are selective about which files they encrypt, so that the system itself stays stable enough to display the ransom demand. Some variants will also delete backups and shadow copies of files to make recovery without the decryption key more difficult.

3. Ransom demand

Once file encryption is complete, the ransomware is ready to make its ransom demand. Different ransomware variants implement this in numerous ways, but it is common for the desktop background to be changed to a ransom note, or for text files containing the note to be placed in each encrypted directory. Typically, these notes demand a set amount of cryptocurrency in exchange for access to the victim’s files. If the ransom is paid, the ransomware operator will provide either a copy of the private key used to protect the symmetric encryption key or a copy of the symmetric encryption key itself. This information can be entered into a decryptor program (also provided by the cybercriminal) that reverses the encryption and restores access to the user’s files.
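The two stages just described leave a recognisable footprint on disk: originals replaced by high-entropy (encrypted) content, and one identical note dropped into every affected directory. The checker below, an added example rather than code from the original article, compares two constructed {path: bytes} snapshots and flags both patterns; the ".locked" extension and the note filename are assumptions standing in for whatever a given family uses.

```python
import hashlib, math
from collections import Counter

HIGH_ENTROPY = 7.5   # bits/byte; encrypted or compressed data sits close to 8.0
MIN_NOTE_DIRS = 2    # identical new file in this many directories -> note candidate

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text is roughly 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pseudo_ciphertext(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    out, block = b"", seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]

def analyse(before: dict, after: dict) -> list:
    """Compare two {path: bytes} snapshots and return (kind, ...) findings."""
    findings = []
    # (1) a low-entropy original became high-entropy, either rewritten in place or
    #     replaced by a renamed copy that keeps the old path as a prefix (".locked")
    for path, old in before.items():
        if shannon_entropy(old) >= HIGH_ENTROPY:
            continue                                  # already compressed/encrypted
        for new, content in after.items():
            if new.startswith(path) and shannon_entropy(content) >= HIGH_ENTROPY:
                findings.append(("encrypted_replacement", path, new))
    # (2) one identical new file dropped in several directories: a ransom note
    dirs_by_digest = {}
    for new in set(after) - set(before):
        digest = hashlib.sha256(after[new]).hexdigest()
        dirs_by_digest.setdefault(digest, set()).add(new.rsplit("/", 1)[0])
    for dirs in dirs_by_digest.values():
        if len(dirs) >= MIN_NOTE_DIRS:
            findings.append(("ransom_note", sorted(dirs)))
    return findings

# Constructed snapshots: before infection, and after the encryption stage has run.
BEFORE = {"docs/q1_report.txt": b"Quarterly revenue grew 4% on stable margins.\n" * 40,
          "pics/notes.txt": b"holiday photos, do not delete\n" * 30}
AFTER = {"docs/q1_report.txt.locked": pseudo_ciphertext(b"seed-1", 2048),
         "pics/notes.txt.locked": pseudo_ciphertext(b"seed-2", 2048),
         "docs/HOW_TO_RESTORE.txt": b"Your files are encrypted. Pay to get the key.\n",
         "pics/HOW_TO_RESTORE.txt": b"Your files are encrypted. Pay to get the key.\n"}
```

Running `analyse(BEFORE, AFTER)` yields two encrypted_replacement findings and one ransom_note finding covering both directories; files that were already compressed or encrypted before the attack are skipped to limit false positives.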

While these three core steps exist in all ransomware variants, different ransomware can implement them differently or include additional steps. For example, variants like Maze perform file scanning, collect registry information, and steal data before encrypting it, and the WannaCry ransomware scans for other vulnerable devices to infect and encrypt.


Fiona Huang

Fiona Huang is an intern reporter at BTW media dedicated to fintech. She graduated from the University of Southampton. Send tips to f.huang@btw.media.
