You have probably seen news of businesses and institutionsbeingattacked by ransomware, and having to pay tens of thousands of dollars to get rid of it. Names like CryptoLocker, FusobandWannaCry have floated by. But, whatis ransomware? How does it work? How can I avoid being stung?

Simply defined, ransomware is a specific type of malware that denies its victims the use of their data until a ransom is paid.

Ransomware attacks typically operate as follows:

  • The trojan is installed on the victim computer system
  • It collects a list of the files it can access that it will encrypt
  • It contacts a central server, operated by the attacker
  • The server generates a unique encryption key for that victim, which will be stored on the server and sent to the trojan program on the victim machine
  • The trojan encrypts the targeted files using that key. In modern examples, this encryption is quite strong
  • Once the encryption is complete the trojan destroys its local copy of the key
  • The trojan then communicates to the victim that the files have been encrypted,
  • It offers to provide decryption after a payment is made, usually within a fairly narrow time window.

Ransomware gains access to victim machines through the usual malware routes: users click on dodgy links inemail,or open malicious file attachments. Web pages or banner ads that have been compromised can provide “drive-by” downloads of all kinds of malware. Whereas other malware may join victim computers to botnets, get them to start mining cryptocurrency, or participate in distributed denial-of-service attacks, ransomware has the simple goal to get money to its operators immediately.

The files that ransomware encrypts are usually documents and spreadsheets, images, music and video files, HTML and source code files, and ZIP archives. Ransomware does not typically attack the other software on the system. Thus, a victim’s copy of Office and Photoshop may be undamaged, but all their work in those systems will be unusable. Also of note: most ransomware encrypts files on all available network shares as well as the local disk. So a small office can be wiped out from just one infected computer, since small offices often only have a single hierarchy of file shares and everyone can get to them.

If implemented well -- and it frequently is -- the server-to-trojan protocol of generating a key, encrypting with it and then discarding the local copy of that key is extremely difficult to crack. When a business confronts a ransom demand, often the cheapest way to get back into operation is to pay the attacker. Despite all the larger reasons that this is a horrible idea, the equation of paying $X to get the decryption key against a possible $X00 to $X000 to recreate all the data makes the decision to pay a no-brainer. The sole glimmer of good news here is this: the vast majority of attackers, when paid, actually provide the key and allow recovery of the data. In some cases, they have even provided technical support to assist “customers” having difficulty doing the decryption. Why? If they do not keep up a reputation for providing what is paid for, the “market” will stop paying them and seek alternate means of recovery. And they just want the money.

There is one strong defense against ransomware: backups. The backups should be as current as is practical. Real-time backups are ideal but not always feasible. But if a business is only facing the prospect of recreating one or two days of data as opposed to weeks or years, then a decision not to pay off criminals becomes much more reasonable. To be safe from the encryption of a ransomware attack, backups should be stored somewhere that is not constantly connected to the main systems, or in any case not accessible as a normal file share. So if you run a backup system in the office that places all the backups on a server, do not also use that server to host file shares.

With good recent backups in hand, the strategy for responding to a ransomware attack is much less stressful: clean or re-image the machines affected, restore the data, get back to work. As I am fond of saying, security, done correctly, is almost boring.

This article was updated on 2023-08-05 04:27:37


Infosec geekosaurus.  All opinions my own.

Information security since 2005.  IT... well into my second millenium.