How Does Ransomware Work? [Infographic]

Submitted by Chris Gaines on Thu, 06/ 28/ 18 - 12: 48 PM

How Does Ransomware Work


Hackers have been a threat almost as long as the internet has been around. Today, they use incredibly sophisticated methods to collect information without your permission, and ransomware threats have been steadily growing since 2012.

So, how does ransomware work and what are some ways to protect your business from an attack? We help companies every day with ransomware protection, and we are happy to provide this article below to help you become more educated and assist in securing your network.

Ransomware is exactly what it sounds like – a form of malware (malicious software) that encrypts personal or company data and threatens to publish, destroy or sell it if their (the hacker’s) monetary demands are not met.

Unfortunately, once you have been hit with ransomware, the outlook can be bleak, but we will get into that later. To better understand ransomware, we need to first understand the threats that make our personal data vulnerable. 

Not a lot of time? Jump to:

How Does Ransomware Work
Tips on How to Prevent Ransomware Breaches
The Cost of Ransomware


New call-to-action


Ransomware Statistics

As if you needed more encouragement to be concerned about ransomware, here are some statistics about the current state of the threat in our hyper-connected world:

Ransomware Statistics-3


List of Ransomware:

The following is a comprehensive list of currently known ransomware provided by our partner, Datto:

  • Bad Rabbit: Spreads through a fake Adobe Flash update on compromised websites. Once infected, users are directed to a payment page demanding a bitcoin payment.

  • Cerber: Targets Office 365 users who utilize cloud-based technology, emphasizing the need for Servers as a Service (SaaS) backup technology.Cerber Ransomware Example in Matrix-min

  • Crysis: Encrypts files on fixed, removable and network drives, and uses intricate encryption algorithms that makes it difficult to break within a useful amount of time.

  • CryptoLocker: One of the grandparents of ransomware. CryptoLocker has been around for over two decades but wasn’t prominent until 2013. Today, it does not pose a significant threat, but at one point, was responsible for $3 million dollars worth of extortion in a single year.

  • CryptoWall: If CryptoLocker is the grandfather, CryptoWall is the grandson. This malware came on the scene in 2014 after the fall of CryptoLocker and is distributed via spam and exploit kits.

  • CTB-Locker: This innovative ransomware is distributed through partners. Hackers outsource the infection process in exchange for a percentage of the profits. As a result, large volumes of malware infect systems at a proven, faster rate.

  • Emotet: The newest form of ransomware to plague networks. The US government reports that the cost to remediate Emotet is up to $1 million per incident. Spread by emails containing malicious links or attachments, it has recently been used to imitate PayPal receipts, shipping notifications, or "late" invoices. More here

FREE Emotet Webinar

  • GoldenEye: Spread through massive campaigns that affect human resource departments. A file is attached to a phishing campaign that, once downloaded, encrypts data on the computer infected. It then modifies the user’s hard drive Master Boot Record (MBR) with a custom boot loader.

  • Jigsaw: Jigsaw is a textbook example of ransomware. After encrypting files, Jigsaw progressively deletes the files until ransom demands are met. The deletion of files snowballs, beginning with one and progressively deletes an increasing quantity for 72 hours – at which point all remaining files are destroyed.

  • KeRanger: Known best as the first ransomware that can lock Mac OS X applications

  • LeChiffre: Required to be loaded manually by a hacker through a flash drive. Hackers using this virus search for poorly secured remote desktops. Hackers have been able to download sensitive information in hospitals by using a flash drive to infiltrate their networks through copiers that are connected to them.

  • NotPetya: Not to be confused with Petya (as the creators so cleverly indicated), researchers believe it to be a form or malware known as a “wiper” with the purpose of destroying data instead of obtaining a ransom.

  • Petya: Encrypts an entire computer system by overwriting the master boot record, rendering the operating system unbootable.

  • SamSam: A strain that has recently seen an uptick in activity, SamSam attacks target RDP and JBoss servers and uses "brute force" tactics to gain access to an organization's network.

  • Spider: Hidden in Microsoft Word documents, Spider spreads via spam email. Typically, a document is disguised as a debt collection letter that installs malicious macros on a victim’s computer once the document is downloaded. Once executed, the malware downloads and encrypts the victim’s data.

  • TeslaCrypt: A newer form of ransomware that uses an AES algorithm to encrypt files. It specifically attacks Adobe vulnerabilities.

  • TorrentLocker: Traditionally distributed through spam email and geographically targets. Often referred to as CryptoLocker and uses an AES algorithm to encrypt files. Its main differentiator is its ability to collect email addresses to assist in spreading the malware further.

  • WannaCry: As of the writing of this article, this form of malware is still targeting organizations across the globe. The attack works by using a flaw in Windows' server message block (SMB) protocol, allowing nefarious packets to make it to a machine undetected. Famous organizations such as Boeing, FedEx, Honda and various state governments in India have been hit by the malware.

  • ZCryptor: Malware that exhibits worm-like behavior. It spreads by infecting external drives like flash drives.

Ransomware and Phishing: How Does Ransomware Work?

Phishing is the fraudulent practice of sending emails posing as a reputable entity - usually financial institution - to encourage a victim to willingly reveal their personal or company’s information to them.

How does it work?

Hackers create an email that is designed to look authentically from the company it is misrepresenting. From there, a link is disguised as a download or the user is directed to a “secure” web page that will then ask for personal information.

With ransomware, the phishing technique will involve a disguised link and a Trojan virus. Trajan viruses get their names from the ancient Greece mythological fall of Troy, where members of the Spartan army hid within a wooden horse (disguised as a peace offering). When the city retired for the evening, the soldiers opened the gates of Troy and the city fell in battle.

Trojan viruses are viruses disguised as something harmless but carry a malicious payload. An example of such a payload could be ransomware.


Tips on How to Prevent Ransomware Breaches

There is new technology available like Sophos' Intercept X that will stop ransomware in real-time and avoid the encryption of data.

Additionally, data back-up through a managed IT services provider (MSP) can virtually back-up your sensitive information in the cloud so that if a breach were to happen, your company can be protected.

If you don’t have the resources necessary to do the above suggestions, but still want to stay as protected as possible, make sure to diligently educate employees on the hazards of the internet – especially phishing.

There are companies that offer phishing education services by sending out random phishing-test emails to your employees. If an employee clicks on a phishing test email, they are enrolled in a course that will better educate them on the threats of the internet and cyber security best practices (including best practices for ransomware).

This “penalty” for clicking on a fake email is a much better result than your employee actually clicking on a live email that cripples your entire business.

READ: Here’s Why Your Employees Are a Major Security Threat

Invest in cyber security insurance. You may not have realized it existed, but it does - which isn’t surprising since there's such a thing as “alien abduction insurance."

Cyber security insurance protects a company financially should they be attacked by a hacker and incur financial loss. But security is costlier the less protected you are (or impossible if you aren’t protected at all). It is also costlier once you have been attacked, and the likelihood of a repeat attack is high.


The Cost of Ransomware: What happens if I am attacked?

So, let’s pretend that we didn’t take the advice above and are unfortunately attacked by ransomware. What happens if you pay the ransomware ransom? What happens if you don’t pay the ransomware ransom?

What Happens If You Don't Pay the Ransomware Ransom-1

I admire your principals and not allowing your company to be bullied by thug hackers (I really do). Unfortunately, if you choose this option I would hope that the data that was encrypted isn’t extremely valuable, or something that could lead to a lawsuit.

The catch is that if you allow a hacker to release personally identifiable information (PII) to the public, you are exposing your company to lawsuits that will be costlier than the ransom you refused to pay in the first place.


What Happens If You Pay the Ransomware Ransom

The good news is that you got your information back for $500 - $2,000 (on average).

But wait! What if I pay and they don’t give me my information? I’m just supposed to trust a hacker?

The short answer is - yes. The reason for this is unfortunately more bad news, though. Once a hacker discovers your company is willing to pay the ransom, they’ve make you a customer for life. They'll give you the information back, but that doesn’t mean they are going to remove the malware inside your network.

The next time they need a new car, guess who’s “door” they're knocking on looking for a handout?

The only solution here is to completely overhaul your network (like the city of Atlanta did above), but that isn’t an option for many businesses.


So, what can be done?

For the cost of an $8-$14 per hour position at your company, you can receive the support of an entire IT team through a managed IT services provider. If they are a quality provider, they will have solutions that will keep your network from harm and assume all the risk for you.

The only real question you must ask yourself is: “Is my business worth the investment?”


Want to Learn More?

Superior Solutions - for IT on a Budget
How Much Do Managed IT Services Cost?
The True Cost of Downtime
Why Small Businesses Are More Prone to Cyber Attacks

Get Your Questions Answered Now


Posted by Chris Gaines