Ransomware: what it is and how it works

Ransomware (a blend of the words ransom and software) is a type of malware that, after compromising a computer, hijacks information in order to extort money from its victims, typically demanding a payment in cryptocurrency to recover the data.


Below, you will find everything you need to know about this threat, which has grown significantly in recent times and is having a major impact on cybersecurity, affecting small, medium and large companies across industries worldwide.

How does ransomware work?

Ransomware is classified by the actions it performs on the compromised computer and by the extortion method it uses:

Encrypting ransomware, or crypto-ransomware, uses cryptography to encrypt the files on the compromised computer, preventing the user from accessing them. This is the most common, most modern and most effective type. Although the malware itself can be removed easily, the encrypted information is difficult or, in most cases, impossible to recover without the key.

It usually targets file types of interest to users, such as office documents, multimedia files and databases. The main symptom of a computer compromised by crypto-ransomware is that file extensions change and the files can no longer be opened.
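As an added illustration of the symptom just described (this is example code, not part of the original article), the following Python script triages an in-memory directory snapshot for the two signs named above: a user file extension followed by a foreign one, and contents that have turned into high-entropy ciphertext. The sample file names, their contents and the 7.5 bits-per-byte threshold are constructed assumptions.

```python
"""Heuristic triage of a directory snapshot for crypto-ransomware symptoms."""
import math
import os
import random
from collections import Counter

# File types the article names as typical targets (office, media, databases).
USER_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".mp4", ".sqlite", ".txt"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain documents sit well below 7.5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def has_appended_extension(name: str) -> bool:
    """True for 'budget.xlsx.locked': a known user extension followed by a foreign one."""
    stem, last = os.path.splitext(name)
    _, inner = os.path.splitext(stem)
    return inner.lower() in USER_EXTS and last.lower() not in USER_EXTS

def triage(snapshot: dict, entropy_threshold: float = 7.5) -> dict:
    """Score a {filename: contents} snapshot and return findings plus a verdict.
    Compressed media (jpg, mp4) is naturally high-entropy, so entropy alone can
    false-positive; the two findings are unioned so a renamed file is flagged
    even when its contents are low-entropy, and vice versa."""
    renamed = [n for n in snapshot if has_appended_extension(n)]
    high_entropy = [n for n, d in snapshot.items()
                    if shannon_entropy(d) >= entropy_threshold]
    suspicious = set(renamed) | set(high_entropy)
    ratio = len(suspicious) / len(snapshot) if snapshot else 0.0
    verdict = "likely crypto-ransomware" if ratio >= 0.5 else "no mass symptom"
    return {"renamed": sorted(renamed), "high_entropy": sorted(high_entropy),
            "ratio": ratio, "verdict": verdict}

# Constructed sample: deterministic pseudo-random bytes stand in for encrypted output.
_rng = random.Random(2024)
_CIPHERTEXT = bytes(_rng.randrange(256) for _ in range(4096))
SAMPLE_SNAPSHOT = {
    "budget.xlsx.locked": _CIPHERTEXT,   # renamed and encrypted
    "photo.jpg.locked": _CIPHERTEXT,     # renamed and encrypted
    "archive.sqlite": _CIPHERTEXT,       # encrypted in place, name untouched
    "notes.txt": b"Meeting notes: follow up with the vendor on Monday.\n" * 40,
    "readme.txt": b"Project layout and build instructions.\n" * 20,
}

if __name__ == "__main__":
    print(triage(SAMPLE_SNAPSHOT))
```

On the constructed sample, three of the five files are flagged, so the verdict is "likely crypto-ransomware".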

Lockscreen ransomware is not very common nowadays, although it remains popular on platforms such as Android phones and tablets. Its objective is to prevent use of and access to the device until the ransom is paid. Early mass-spreading ransomware fell into this category and used simple techniques to take control of the computer's screen.

This early form of ransomware is easier to remove and usually has minor consequences for users.

How does ransomware come to infect a computer?

Broadly speaking, cybercrime involves two kinds of operations: mass campaigns that distribute malware indiscriminately, and targeted attacks that use malicious code against specific companies and organizations across all types of industries.

The most common form of ransomware distribution is phishing email with attachments or links that use social engineering to trick users into downloading the threat. Another common vector is attacks on exposed remote-access services such as Remote Desktop Protocol (RDP), typically by exploiting weak passwords.

What to do if you are already affected by this threat?

After a ransomware compromise, the course of action depends on the security measures taken before the incident. If you have a backup, the information can be restored from it. If the backup is outdated, assess how much information can be restored and, if it is sufficient, avoid paying the ransom.

If there is no backup or the backup has also been compromised, it is up to the victims to decide whether they want to risk paying. Paying is a practice we discourage.

If we have the necessary skills, we can extract the ransomware sample from the computer and identify which specific variant has made its way into the system, using services such as VirusTotal to analyze the file.

Otherwise, we can scan the computer with a security solution, which will detect the malicious code and tell us which ransomware family it belongs to. With that information, a search engine may turn up a decryption tool that recovers the files.

In any case, one thing that should always be done after recovering data from a ransomware incident is to analyze the incident, determine why it occurred and correct the root cause to prevent further attacks.

The key to combating ransomware is prevention.

Best ransomware protection tips for business

For businesses without in-house technical expertise, the simplest ransomware protection is a security solution that blocks attempts to exploit vulnerabilities, execute malware or access dangerous sites.

It is important to keep all applications and operating systems updated so that the latest security patches are installed. In addition, an up-to-date backup of the information is crucial to being able to deal with ransomware.

It is also recommended to be careful with email attachments and with links encountered while browsing the Internet. Fraudulent sites try to gain the user's trust by impersonating reputable entities, offering prizes and promotions, or appealing to users' fear.

For example, malware campaigns during the pandemic spread Trojans posing as messages from local health authorities.

As a final tip, using encryption tools for sensitive files, such as photos, videos and personal documents, can remove the extra leverage attackers gain when they threaten to publish stolen files online.

How can companies protect themselves against this threat?

The concept of a secure system has changed as technology and cybercrime have evolved. Today we know that information security results from a combination of carefully deployed layers of protection. Installing a security solution on its own is not enough, because the exposure surface of companies and individuals has grown dramatically.

In particular, some basic tips for ransomware defense include the following:

Have an up-to-date backup

The most important tool we have for ransomware defense is a regularly updated backup. With it, we can either restore the system to a previous snapshot or disinfect the computer and restore the affected documents from the backup copy.

Bear in mind that the backup itself can be compromised if it is connected to the computer where the infection started, so a good backup policy keeps copies disconnected from the systems they protect.

Install a security solution

It is always good to have both anti-malware software and a firewall to identify threats or suspicious behavior. Cybercriminals often release new variants of known code to evade detection, so it is important to have both layers of protection.

Use file encryption tools

Most ransomware encrypts only files with certain extensions, such as images, videos, databases or office documents. Using an encryption solution, we may ensure that a file survives a ransomware infection intact.

Of course, there are other ways to defend your computer against ransomware, including:

  • Training staff on the risks
  • Showing hidden file extensions by default
  • Scanning email attachments
  • Blocking execution of files from the AppData and LocalAppData folders
  • Disabling RDP when it is not needed
