What is Ransomware?
Ransomware is a type of malware that denies access to an organization’s data, usually by encrypting the data with a cryptographic key known only to the hacker who deployed the malware. Ransomware is not a single thing that can be patched or defended against in a single way. It is the end stage of a multifaceted attack by an entire ecosystem of people who patiently invade and take over an organization's electronic assets with the intention of holding them hostage for money, stealing intellectual property, and extorting both the primary victim and that victim's customers.
Malware commonly enters through malicious downloads, email links, malicious advertisements, phishing attacks, social network messages, and websites. More recently, ransomware has been distributed through aggressive worms using unpatched vulnerabilities and targeted brute force attacks against public-facing software and services, such as the Remote Desktop Protocol (RDP). Once the end user has executed the malicious content, the attackers gain a foothold in the organization through that endpoint and that user account, both of which are now compromised. The attackers then "establish persistence" and "move laterally" to attack other targets from inside the organizational network's perimeter security defenses.
Once ransomware is deployed on a system, it begins encrypting files or complete file systems. It blocks user access until requests for payment, which are often displayed in warning messages, are fulfilled. The ransom note usually threatens the victim with permanent loss of access to the data and with public release of intellectual property or embarrassing content. Beyond ransoms, these criminal enterprises also exfiltrate and steal data from their victims, both to sell directly and to extort the victim’s customers. This “double extortion” threatens to publicly expose confidential details of the victim’s customers unless another fee is paid. This type of threat is particularly effective against organizations whose customers have sensitive or confidential data, such as law firms, accounting firms, and so on. Unfortunately, there is no guarantee that the cryptographic keys needed to break the encryption will be provided upon payment, or that the decryption process will work correctly or promptly. Nor is there any guarantee that, if paid, the attackers will not steal data or further extort the victims or the victims' customers. These are criminals, after all.
Ransomware targets all organizations, including individuals, for-profit companies, nonprofits, governmental agencies, health care services, and educational institutions of all sizes. While these criminal enterprises use various "strains" of ransomware and ransomware toolkits, they share common attack vectors for compromise, such as brute force attempts at public-facing services including RDP, the exploitation of outdated public-facing software, and known vulnerabilities that have not been remediated. Defending against ransomware is a holistic effort, involving people, process, and technology to detect and contain attacks before they cause major harm and disruptions.
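
As an added example (not part of the original page), the Python below shows one way to detect the RDP brute-force vector named above from Windows logon events: it flags any source address with repeated failed logons inside a short window and records accounts that then log on successfully from that address. The comma-separated log layout, the sample events, the threshold and window values, and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, Windows Security event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon. Logon type 10 = RemoteInteractive (RDP);
# type 3 = Network, which RDP with Network Level Authentication commonly records.
SAMPLE_EVENTS = """\
2024-05-01T02:10:00,4625,3,203.0.113.50,administrator
2024-05-01T02:10:05,4625,3,203.0.113.50,administrator
2024-05-01T02:10:11,4625,3,203.0.113.50,admin
2024-05-01T02:10:17,4625,3,203.0.113.50,admin
2024-05-01T02:10:24,4625,3,203.0.113.50,backup
2024-05-01T02:10:30,4624,10,203.0.113.50,backup
2024-05-01T08:55:00,4625,3,198.51.100.7,jsmith
2024-05-01T08:55:20,4624,10,198.51.100.7,jsmith
2024-05-01T09:00:00,4625,2,-,jsmith
"""

RDP_LOGON_TYPES = {"3", "10"}

def parse(text):
    """Yield (timestamp, event_id, logon_type, ip, account) tuples."""
    for line in text.strip().splitlines():
        ts, event_id, logon_type, ip, account = line.split(",")
        yield datetime.fromisoformat(ts), event_id, logon_type, ip, account

def detect_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"accounts": tried, "compromised": succeeded-after-alert}}."""
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)       # ip -> every account name that source attempted
    alerts = {}
    for ts, event_id, logon_type, ip, account in sorted(parse(text)):
        if logon_type not in RDP_LOGON_TYPES:
            continue               # ignore console and other non-remote logons
        if event_id == "4625":
            recent = failures[ip]
            recent.append(ts)
            tried[ip].add(account)
            while ts - recent[0] > window:
                recent.popleft()   # drop failures that have aged out of the window
            if len(recent) >= threshold:
                alerts.setdefault(ip, {"accounts": tried[ip], "compromised": set()})
        elif event_id == "4624" and ip in alerts:
            # A success from an already-flagged source suggests a guessed password.
            alerts[ip]["compromised"].add(account)
    return alerts

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_EVENTS).items():
        print(ip, sorted(info["accounts"]), sorted(info["compromised"]))
```

An account listed under "compromised" is the signal to contain first: disable or reset it and isolate the endpoint it reached before the attacker can establish persistence.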