What is Ransomware?
Ransomware is a type of malware that denies access to a user’s or organization’s data, usually by encrypting it with a cryptographic key known only to the attacker who deployed the malware. The data is held hostage until a ransom is paid. Once ransomware executes on a system, it encrypts individual files or entire file systems and blocks access until the payment demands, typically displayed in a warning message, are met. There is no guarantee that the key needed to decrypt the data will be provided after payment.
The malware typically enters through malicious downloads, links in email, phishing, messages on social networks, and compromised or malicious websites. More recently, ransomware has also spread through self-propagating worms and through targeted brute-force attacks against public-facing remote access services such as the Remote Desktop Protocol (RDP). Once the payload runs, whether because an end user opened a file masquerading as legitimate content or because an attacker who gained remote access launched it, the encryption takes place and a message demanding a ransom is displayed.
The ransom note usually threatens the victim with permanent loss of access to their data and with public release of intellectual property or embarrassing content. Beyond the ransom for the decryption key, these criminal enterprises also exfiltrate data from their victims, both to sell it directly and to extort the victim’s customers. In this “double extortion” scheme, the attacker threatens to publicly expose confidential details of the victim’s customers unless a further fee is paid. The threat is particularly effective against organizations whose customers entrust them with sensitive or confidential data, such as law firms and accounting firms.
Ransomware targets organizations of every kind, including nonprofits, government agencies, health care providers, and educational institutions of all sizes. Although these criminal enterprises use various strains of ransomware, they share common attack vectors for initial compromise: brute-force attempts against public-facing services such as RDP, exploitation of outdated public-facing web software, and known vulnerabilities that have not been remediated.
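As an added example (not from the original page), the following Python flags the RDP brute-force pattern named here and in the paragraph on entry vectors above: it runs a sliding-window count of failed logons per source IP over a handful of constructed Windows Security event records and escalates when a successful logon from the same IP follows the burst of failures. The pipe-delimited record layout, the IP addresses and the account names are constructed for the demonstration; event IDs 4625/4624 and logon type 10 are the real Windows values.

```python
"""RDP brute-force detection over Windows Security logon events.

Added example, not the page's own code. Records are assumed to have been
exported to a constructed pipe-delimited format:
    timestamp|event_id|logon_type|account|source_ip
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Real Windows Security event IDs and logon type; the record format is constructed.
FAILED_LOGON = "4625"    # An account failed to log on
SUCCESS_LOGON = "4624"   # An account was successfully logged on
RDP_LOGON_TYPE = "10"    # RemoteInteractive (RDP / Terminal Services)


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: str
    logon_type: str
    account: str
    source_ip: str


def parse_line(line: str) -> LogonEvent:
    """Parse one constructed record: timestamp|event_id|logon_type|account|source_ip."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    ts, event_id, logon_type, account, source_ip = parts
    return LogonEvent(datetime.fromisoformat(ts), event_id, logon_type, account, source_ip)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of RDP (logon type 10) failures per source IP.

    Returns {source_ip: alert}. An alert records how many failures were seen
    inside one window, which accounts were tried, and the account name if a
    4624 from the same IP arrived while that IP was still over threshold,
    which is the strongest sign that the password guessing succeeded.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of 4625 inside the window
    accounts = defaultdict(set)   # source_ip -> distinct account names tried
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type != RDP_LOGON_TYPE:
            continue  # interactive, network and service logons are out of scope here
        q = recent[ev.source_ip]
        while q and ev.ts - q[0] > window:
            q.popleft()  # expire failures that fell out of the window
        if ev.event_id == FAILED_LOGON:
            q.append(ev.ts)
            accounts[ev.source_ip].add(ev.account)
            if len(q) >= threshold:
                alert = alerts.setdefault(ev.source_ip, {
                    "first_seen": q[0], "last_seen": ev.ts, "failures": 0,
                    "accounts": set(), "success_account": None})
                alert["failures"] = max(alert["failures"], len(q))
                alert["last_seen"] = ev.ts
                alert["accounts"] = set(accounts[ev.source_ip])
        elif ev.event_id == SUCCESS_LOGON and len(q) >= threshold:
            # q only grows on failures, so an alert for this IP already exists.
            alerts[ev.source_ip]["success_account"] = ev.account
            alerts[ev.source_ip]["last_seen"] = ev.ts
    return alerts


# Constructed sample: one guessing source (203.0.113.45), one legitimate user
# (198.51.100.7), and one non-RDP failure (logon type 3) that must be ignored.
SAMPLE_EVENTS = """\
2024-03-04T02:00:05|4625|10|administrator|203.0.113.45
2024-03-04T02:00:09|4625|10|admin|203.0.113.45
2024-03-04T02:00:14|4625|10|administrator|203.0.113.45
2024-03-04T02:00:31|4624|10|jsmith|198.51.100.7
2024-03-04T02:00:40|4625|10|backup|203.0.113.45
2024-03-04T02:00:52|4625|3|svc_sql|192.0.2.200
2024-03-04T02:01:03|4625|10|helpdesk|203.0.113.45
2024-03-04T02:01:20|4625|10|backup|203.0.113.45
2024-03-04T02:02:11|4624|10|backup|203.0.113.45
2024-03-04T02:15:00|4625|10|jsmith|198.51.100.7
2024-03-04T02:15:08|4624|10|jsmith|198.51.100.7
"""


def run_sample():
    """Run the detector over the constructed records above."""
    events = [parse_line(line) for line in SAMPLE_EVENTS.splitlines()]
    return detect_rdp_bruteforce(events)


if __name__ == "__main__":
    for ip, alert in run_sample().items():
        print(ip, alert)
```

On a live host the same fields come from the Security log (for example via `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}`, reading `IpAddress`, `LogonType` and `TargetUserName`). One caveat for a production rule: where Network Level Authentication is enabled, failed RDP attempts are commonly recorded with logon type 3 rather than 10, so keying on type 10 alone, as this illustration does, would miss them.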