This content is part of the Essential Guide: Recovering from ransomware: Defend your data with best practices


Ransomware is a subset of malware in which the data on a victim's computer is locked, typically by encryption, and payment is demanded before the ransomed data is decrypted and access is returned to the victim. The motive for ransomware attacks is nearly always monetary, and unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions for how to recover from the attack. Payment is often demanded in a virtual currency, such as Bitcoin, so that the cybercriminal's identity is not known.

Ransomware malware can be spread through malicious email attachments, infected software apps, infected external storage devices and compromised websites. Attacks have also used remote desktop protocol and other approaches that do not rely on any form of user interaction.

How ransomware attacks work

Ransomware kits on the deep web have allowed cybercriminals to purchase and use a software tool to create ransomware with specific capabilities. They can then generate this malware for their own distribution and with ransoms paid to their bitcoin accounts. As with much of the rest of the IT world, it is now possible for those with little or no technical background to order up inexpensive ransomware as a service (RaaS) and launch attacks with minimal effort. In one RaaS scenario, the provider collects the ransom payments and takes a percentage before distributing the proceeds to the service user.

Types of ransomware

Attackers may use one of several different approaches to extort digital currency from their victims. For example:

  • Ransomware known as scareware will try and pose as security software or tech support. Victims may receive pop-up notifications saying malware has been discovered on their system (which, an un-owned security software would not have access to this information). Not responding to this will not do anything except lead to more pop-ups.
  • Screen lockers, or lockers, are a type of ransomware designed to completely lock a user out of their computer. Upon starting up the computer a victim may then see what looks to be an official government seal, leading the victim into believing they are the subject of an official inquiry. After being informed that unlicensed software or illegal web content has been found on their computer, the victim is given instructions for how to pay an electronic fine. However, official government organizations would not do this; they instead would go through proper legal channels and procedures.
  • In encrypting ransomware, or data kidnapping attacks, the attacker will gain access to and encrypt the victim’s data and ask for a payment to unlock the files. Once this happens, there is no guarantee that the victim will get access to their data back- even if they negotiate for it.
  • Similar to encrypting ransomware, the attacker may also encrypt files on infected devices and will make money by selling a product that promises to help the victim unlock files and prevent future malware attacks.
  • In doxware, an attacker may also threaten to publish your data online if the victim does not pay a ransom.
  • Mobile ransomware is ransomware which affects mobile devices. An attacker can use mobile ransomware to steal data from a phone or lock it and require a ransom to return the data or unlock the device.  
  • The victim may also receive a pop-up message or email ransom note warning that if the demanded sum is not paid by a specific date, the private key required to unlock the device or decrypt files will be destroyed.

While early instances of these attacks sometimes merely "locked" access to the web browser or the Windows desktop -- and did so in ways that often could be fairly easily reverse-engineered and reopened -- hackers have since created versions of ransomware that use strong, public-key encryption to deny access to files on the computer.

Ransomware attack prevention

To protect against ransomware attacks and other types of cyberextortion, experts urge users to back up computing devices regularly and update software, including antivirus software, regularly. End users should beware of clicking on links in emails from strangers or opening email attachments. Victims should do all they can to avoid paying ransoms.

While ransomware attacks may be nearly impossible to stop, there are important data protection measures individuals and organizations can take to ensure that damage is minimal and recovery is as quick as possible. Strategies include compartmentalizing authentication systems and domains, keeping up-to-date storage snapshots outside the primary storage pool and enforcing hard limits on who can access data and when access is permitted.

How to remove ransomware

There is no guarantee that a victim can stop a ransomware attack and regain their data; however, there are methods that may work in some cases. For example, a victim can stop and reboot their system in safe mode, install an anti-malware program, scan the computer and restore the computer to a previous, non-infected state.

Victims could also restore their system from a backup stored on a separate disk. If in the cloud, then victims could reformat their disk and restore from a previous backup.

Famous ransomware: CryptoLocker and WannaCry

Perhaps the first example of a widely spread attack that used public-key encryption was Cryptolocker, a Trojan horse that was active on the internet from September 2013 through May of the following year. The malware demanded payment in either Bitcoin or a prepaid voucher, and experts generally believed that the RSA cryptography used, when properly implemented, was essentially impenetrable. In May 2014, however, a security firm gained access to a command-and-control server used by the attack and recovered the encryption keys used in the attacks. An online tool that allowed free key recovery was used to effectively defang the attack.

In May 2017, an attack called WannaCry was able to infect and encrypt more than a quarter million systems globally. The malware uses asymmetric encryption so that the victim cannot reasonably be expected to recover the (private and undistributed) key needed to decrypt the ransomed files.

Payments were demanded in Bitcoin, meaning that the recipient of ransom payments could not be identified, but also meaning that the transactions were visible and thus the overall ransom payments could be tallied. During the thick of the week in which WannaCry was most virulent, only about $100,000 in bitcoin was transferred (to no avail: There are no accounts of data having been decrypted after payment).

The impact of WannaCry was pronounced in some cases. For example, the National Health Service in the U.K. was heavily affected and was forced to effectively take services offline during the attack. Published reports suggested that the damages caused to the thousands of impacted companies might exceed $1 billion.

According to the Symantec 2017 Internet Security Threat Report, the amount of ransom demanded roughly tripled from the previous two years in 2016, with the average demand totaling $1,077. Overall, it's difficult to say how often these demands are met. A study by IBM found that 70% of executives they surveyed said they had paid a ransomware demand, but a study by Osterman Research found that a mere 3% of U.S.-based companies had paid (though percentages in other countries were considerably higher). For the most part, payment seems to work, though it is by no means without risk. A Kaspersky Security Bulletin from 2016 claimed that 20% of businesses that chose to pay the ransom demanded of them didn't receive their files back.

Internet of things (IoT) ransomware may not be far behind. Two researchers, Andrew Tierney and Ken Munro, demonstrated malware that attacked, locked and demanded a one-bitcoin ransom on a generally available smart thermostat at the 2016 Def Con conference.

WannaCry ransomware attack
How WannaCry ransomware works

This was last updated in April 2019

Continue Reading About ransomware

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Should blockchain-based currencies be banned so that it isn't possible to demand ransom payments in a way that can't be traced? Would such a step be effective?
Whats is the limit to privent to Ransomware for cisco iron port C380,c680,X1070 & M1070 models
Hi @ramashish88, I'm not sure I understand quite what you're asking, but essentially with a network malware scanner you're limits are pretty much whatever the throughput is of the interfaces your unit will support. Ransomware, from a network anti-virus point of view, is just more malware. 

Blockchain technology is gaining attention as a revolutionary technology that will change the way we operate not only monetary transactions but more applications in different domain where it can be applied. Banning blockchain-based currencies will affect other legitimate transactions. However, I am of the opinion that more proactive strategies should be designed to reduce and if possible eradicate ransomeware attacks. Machine learning is of the strategies that is promising.


File Extensions and File Formats

Powered by: