What Is Ransomware, and How Does It Work?

system hacked ransomware encryption

One of the most malicious and destructive types of cyber attacks is ransomware. This malware encrypts your sensitive data, making it inaccessible until a ransom is paid.

Knowing what ransomware is, how it works and how to protect against it can help you create the best defense strategy and reduce your vulnerabilities.

What Is Ransomware?

Ransomware is a popular type of malicious software, or malware, designed to extort money, often in the form of cryptocurrency, from victims. It either encrypts files or locks the victim out of their systems, making the sensitive data inaccessible. The cyber criminal then demands a ransom in return for the decryption key or access. Ransomware often comes with a deadline, so if you don’t pay in time, your data is gone forever.

Ransomware can cause data loss, financial loss, downtime, operational disruptions, reputational damage and further malware. Most attackers target companies with either low security and numerous vulnerabilities, like small-to-medium-sized businesses (SMBs), or companies that seem more likely to pay the ransom because they need immediate access to their files, like healthcare or financial businesses.

Ransomware surged during the COVID-19 pandemic when businesses were pivoting to remote work, leaving gaps and vulnerabilities wide open. Remote workers also didn’t have enterprise-level cybersecurity to protect against these attacks.

In recent years, ransomware-as-a-service has revolutionized the ransomware landscape. Deploying ransomware requires a high level of technical expertise, so ransomware developers have started creating and selling the malware to novice cyber criminals in exchange for part of the ransom. This makes RaaS accessible to a broad range of cyber criminals.

Examples of ransomware include:

How Does Ransomware Work?

Understanding how ransomware works can help prevent it from happening. Here are the six main steps that ransomware takes.

  1. Infection: Ransomware usually enters a system through deceptive email attachments, infected downloads or vulnerabilities in outdated software. Social engineering techniques like phishing can also trick users into clicking on malicious links.
  2. Secure key exchange: Once inside the targeted system, the ransomware communicates with the hacker’s central command and control server to generate a key exchange so the encryption key can lock the sensitive data files and systems.
  3. Exploration: After the lock is established, the hacker will explore the system and see what files they can encrypt, as well as potentially gain access to other systems, which is known as lateral movement. Some hackers will try and encrypt any and all data they find, while others will only focus on sensitive data like login credentials, personally identifiable information (PII) and intellectual property.
  4. Encryption: Ransomware starts encrypting the files, rendering them unreadable without a decryption key. This process is fast and efficient, so the victim doesn’t know what’s happened until it’s too late. Some hackers will also delete or encrypt any obvious backups to make recovery without the decryption key more difficult.
  5. Ransom demand: After encrypting the files, the attacker leaves a ransom note somewhere on the device, providing instructions on the amount and how to pay the ransom in exchange for the decryption key. Some may also detail the consequences if the ransom isn’t paid in time.
  6. Payment or restoration: Victims are given a deadline for the ransom, which is typically in cryptocurrency. However, it might be best for some to restore the files and systems from a clean backup instead of paying the ransom.

Should You Pay the Ransom?man deciding to pay or not ransomware should you pay

Most cyber criminals will charge a ransom that is high enough to satisfy them but not so much that the company would rather start from scratch. Though it’s ultimately up to your company, most are advised now to pay the ransom.

First, even if you pay the ransom, you aren’t guaranteed the decryption key. One in four companies in one report said that they paid the ransom but weren’t able to recover their data. You could be out thousands of dollars and still have all your files encrypted.

Second, by paying the ransom, companies incentivize cyber criminals to continue their ransomware attacks. Cyber criminals won’t go through the work of holding files hostage if there isn’t a payout in the end.

Third, you are more likely to be targeted again in the future if you pay the ransom. If the hacker knows you will pay, they could try to reinfect your files for more money, or they could tell other hackers to target your company.

How to Protect Against Ransomware

Proper prevention is the most effective strategy against ransomware. Here are some crucial steps on how you can protect your company against ransomware:

  • Regularly backup data at multiple locations: Regularly backup your data to multiple places, including an offline, secure system via air gapping. Follow the 3-2-1 rule, which is three data sets on two different media and one in a separate location. Secure backups are a sure-fire way of recovering data without paying the ransom.
  • Keep software updated: Ensure all software, including operating systems, applications and programs, are up to date with the latest security patches to try and stop hackers from taking advantage of any existing vulnerabilities.
  • Use antivirus and antimalware: Install reputable antivirus and antimalware software, and keep it updated to detect and block ransomware before it infects your entire system.
  • Practice good cyber hygiene: Since emails are the main way for ransomware attacks to be distributed, secure your email. Be cautious with email attachments and links; don’t open anything from unknown sources or click on suspicious links.
  • Train employees: Training employees to recognize phishing attempts and social engineering tactics can help deter ransomware. Keep employees aware of best practices.
  • Implement security measures: Employ the latest security measures, like firewalls, VPNs, intrusion detection systems (IDSs), strong passwords and two-factor authentication.
  • Limit access control: Limit local admin rights to the least privilege necessary for staff to perform their jobs.

But What if You Already Have Ransomware?

If you unfortunately already have ransomware, don’t panic. There are some steps you can take for your recovery process so you can minimize damages and quickly return to business.

  • Isolate and contain: Disconnect the infected device(s) from the network to prevent the malware from spreading. Disable Wi-Fi and Bluetooth, lock shared drives and unplug from any local area network (LAN) or storage device.
  • Assess the damage done: Create a comprehensive list of all affected systems, networks, storage and devices. This helps you know what needs to be fixed.
  • Consult with experts: Talk to cybersecurity professionals specializing in ransomware recovery and see what they recommend. If possible, identify the data of infection and the type of ransomware to see if a decryption tool is available; knowing the type can help you understand how it propagates, the targeted files and your options for removal. Sites like ID Ransom or No More Ransom Project can help identify the strain or offer free decryptors.
  • Report to authorities: Report the ransomware attack to the proper law enforcement agencies, like the FBI or your local cybercrime unit. More reports from affected businesses can give these agencies more information on how cyber criminals get into systems and what can be done to stop them from doing it again. Plus, many cybersecurity compliance measures require that you notify authorities of breaches, or your company could face fines and penalties.
  • Restore or restart: From here, you have to make a big decision – restore from backups or restart from scratch. If you have backups, use them to restore as much of your data as possible, but ensure the ransomware is completely removed from your system before doing so. If you don’t have backups, it might be time to set up a new system from scratch. Do a complete wipe of all devices, reinstall everything and format the hard disks in your system.
  • Improve your security: After recovering from the ransomware attack, you should assess your security measures and identify vulnerabilities. From there, you can establish robust security measures (look at the previous section) to prevent future attacks.

How Thriveon Can Help

At Thriveon, we know how important it is to keep your company safe and secure from ransomware and other cyber attacks. That’s why we offer managed IT and cybersecurity compliance services to help mitigate risks and keep your company secure.

Schedule a meeting with us today.

New call-to-action


Subscribe to our email updates


Subscribe to our email updates