What Is Ransomware?
Understanding and Preventing Ransomware Attacks

How does ransomware work?

Ransomware uses asymmetric encryption. This is cryptography that uses a pair of keys to encrypt and decrypt a file. The public-private pair of keys is uniquely generated by the attacker for the victim, with the private key to decrypt the files stored on the attacker’s server. The attacker makes the private key available to the victim only after the ransom is paid, though as seen in recent ransomware campaigns, that is not always the case. Without access to the private key, it is nearly impossible to decrypt the files that are being held for ransom.

Many variations of ransomware exist. Often ransomware (and other malware) is distributed using email spam campaigns or through targeted attacks. Malware needs an attack vector to establish its presence on an endpoint. After presence is established, malware stays on the system until its task is accomplished.

After a successful exploit, the threat actor drops and executes a malicious binary on the infected system. This binary then searches and encrypts valuable files, such as Microsoft Word documents, images, databases, and so on. The ransomware may also exploit system and network vulnerabilities to spread to other systems and possibly across entire organizations.

Once files are encrypted, ransomware prompts the user for a ransom to be paid within 24 to 48 hours to decrypt the files, or they will be lost forever. If a data backup is unavailable or those backups were themselves encrypted, the victim is faced with paying the ransom to recover personal files.

Why is ransomware spreading?

Ransomware attacks and their variants are rapidly evolving to counter preventive technologies for several reasons:

• Cybercriminals leverage readily available malware kits to generate new malicious code, driven by significant financial incentives
• Use of known good generic interpreters to create cross-platform ransomware (for example, Ransom32 uses Node.js with a JavaScript payload)
• Use of new techniques, such as encrypting the complete disk instead of selected files

Today’s thieves don’t even have to be tech savvy. Ransomware marketplaces have sprouted up online, offering malware strains for any would-be cybercrook and generating extra profit for the malware authors, who often ask for a cut in the ransom proceeds.

Why is it so hard to find ransomware perpetrators?

Pinpointing the individuals behind ransomware attacks is a significant challenge due to a confluence of factors that shield cybercriminals from detection and prosecution.

Global reach and jurisdictional issues

Ransomware attackers can be located anywhere in the world. They often operate in regions that lack strong cybercrime laws or do not cooperate closely with international law enforcement. This creates “safe havens” where criminals can act with reduced risk of extradition or legal repercussions.

Anonymity and dark web tools

Cybercriminals rely on technologies designed to conceal their identities, such as the Tor network and other encrypted communication channels. These tools mask the origin of internet traffic, making it difficult to link an online persona to a specific individual or location.

Cryptocurrency and money laundering

Ransom demands are almost always in cryptocurrency (e.g., Bitcoin, Monero). While not untraceable, these currencies are often laundered through mixers and crypto exchanges with lax regulations. This makes the money trail more difficult—but not impossible—to follow.

Use of obfuscation and “bulletproof” hosting

Criminals frequently use hosting providers that ignore or fail to enforce takedown requests. These so-called “bulletproof” services allow attackers to hide malicious command-and-control servers or data drop points beyond the reach of law enforcement.

Technical sophistication

Ransomware groups often have the resources to employ advanced techniques. They may use multi-layered attacks, exploit zero-day vulnerabilities, or conduct extensive recon on targeted networks before deploying malware. This level of technical skill helps them avoid detection and cover their tracks.

Frequent shifting of infrastructure

Attackers regularly move their infrastructure (servers, domains, and IP addresses), making them a fast-moving target. By the time law enforcement identifies a server or domain, criminals may have already moved operations elsewhere.

Organized crime networks

Ransomware is sometimes part of a larger organized crime operation. In these scenarios, attackers are well-funded, maintain a supply chain of specialists (developers, negotiators, money launderers), and can replace compromised assets quickly if part of their operation is shut down.

Delayed deporting and under-reporting

Victims may delay or avoid reporting ransomware attacks out of fear of reputational damage or concern over legal implications (e.g., data privacy regulations). This limited visibility reduces the amount of evidence available to investigators.

What is ransomware-as-a-service (RaaS)?

Ransomware-as-a-service is a cybercrime economic model that allows malware developers to earn money for their creations without the need to distribute their threats. Other criminals buy their wares and launch the infections, while paying the developers a percentage of their take. The developers run relatively few risks, and their customers do most of the work. Some instances of ransomware-as-a-service use subscriptions while others require registration to gain access to the ransomware.

What are the Top Ransomware Concerns?

Ransomware attacks pose a multitude of risks and complex challenges businesses face when targeted and extorted:

Data encryption and loss
Ransomware encrypts critical data, making it inaccessible without the decryption key, which attackers often only provide after receiving payment. Even if you pay the ransom, there's no guarantee that you'll fully recover your data, and some might be permanently lost.

Double extortion
Many ransomware attacks now involve stealing sensitive data before encrypting it. Attackers then threaten to release the stolen data if the ransom isn't paid, increasing pressure on victims.

Business disruption
Ransomware attacks can cripple operations by preventing access to critical systems and data, leading to lost productivity and potential customer dissatisfaction.

Reputational damage
Public disclosure of a ransomware attack can significantly harm a company's image, especially if sensitive customer data is leaked.

Legal and regulatory implications
Depending on the type of data compromised in a ransomware attack, companies may face legal consequences and regulatory penalties for data breaches.

How to defend against ransomware

To avoid ransomware and mitigate damage if you are attacked, follow these tips:

Educate & Train Employees: Employees are the first line of defense against ransomware. Stress the importance of strong cyber hygiene and vigilance in spotting potential threats. Implement rigorous training programs to educate employees to recognize phishing attempts and suspicious emails, and promote safe online behavior while discouraging risky actions.

Implement a Zero-Trust Strategy: Adopting a zero-trust approach to security means trusting no one by default. Verification and continuous authentication are essential components of this strategy, and micro-segmentation can help isolate critical assets from potential threats.

Enhance Email Security: Email is the primary vector for initial access in ransomware attacks. To enhance email security, deploy email filtering and anti-phishing measures. Regularly train employees on email security best practices to ensure they can identify and respond to threats effectively.

Maintain Offline Backups: Ensure data recovery in case of a ransomware attack by regularly backing up critical data. Keep these backups offline and isolated to prevent them from being compromised. Regularly test data restoration procedures to ensure they work as intended.

Create an Incident Response Plan: Being prepared to respond swiftly and effectively to a ransomware incident is crucial. Develop a clear incident response plan that outlines roles and responsibilities. Regularly update and test the plan to ensure it functions as intended in a crisis.

Fortify Your Endpoints with EDR (Endpoint Detection and Response): Protect your devices and networks with advanced endpoint security. Implement real-time monitoring and response capabilities, utilize behavior-based threat detection, and be prepared to isolate infected devices to prevent lateral movement within your network.

Keep Systems Up-to-date and Patch Known Vulnerabilities: Regularly update your software and systems to stay ahead of attackers. Apply patches promptly to fix known security vulnerabilities, and conduct vulnerability scanning and assessment regularly to identify and address potential weaknesses.

Key incident response ransomware data points

The following trends are commonly seen by our frontline incident response experts when investigating and remediating ransomware.

Median Dwell Time for Ransomware Attacks (in Days)

The median dwell time for ransomware attacks is 72.75 days, in comparison to all threats at 56 days (including ransomware).

Popular Days of the Week for Ransomware Deployment

Days of the week highlighted above represent when deployment and execution of the ransomware attack begins, not when the attacker gains initial access.

Minimize Risk and Reduce Ransomware Dwell Time

Focus on attacker behavior to reduce the average dwell time of a strategic ransomware actor
from 72 days to only 24 hours or less.

9 steps for responding to a ransomware attack

If you suspect you’ve been hit with a ransomware attack, it’s important to act quickly. Fortunately, there are several steps you can take to give you the best possible chance of minimizing damage and quickly returning to business as usual.

1. Isolate the infected device: Ransomware that affects one device is a moderate inconvenience. Ransomware that is allowed to infect all of your enterprise’s devices is a major catastrophe, and could put you out of business for good. The difference between the two often comes down to reaction time. To ensure the safety of your network, share drives and other devices, it’s essential that you disconnect the affected device from the network, internet and other devices as quickly as possible. The sooner you do so, the less likely it is that other devices will be infected.
2. Stop the spread: Because ransomware moves quickly—and the device with ransomware isn’t necessarily Patient Zero— immediate isolation of the infected device won’t guarantee that the ransomware doesn’t exist elsewhere on your network. To effectively limit its scope, you’ll need to disconnect from the network all devices that are behaving suspiciously, including those operating off-premises—if they’re connected to the network, they present a risk no matter where they are. Shutting down wireless connectivity (Wi-Fi, Bluetooth, etc.) at this point is also a good idea.
3. Assess the damages: To determine which devices have been infected, check for recently encrypted files with strange file extension names, and look for reports of odd file names or users having trouble opening files. If you discover any devices that haven’t been completely encrypted, they should be isolated and turned off to help contain the attack and prevent further damage and data loss. Your goal is to create a comprehensive list of all affected systems, including network storage devices, cloud storage, external hard drive storage (including USB thumb drives), laptops, smartphones, and any other possible vectors. At this point, it’s prudent to lock shares. All of them should be restricted if possible; if not, restrict as many as you can. Doing so will halt any ongoing encryption processes and will also keep additional shares from being infected while remediation occurs. But before you do that, you’ll want to take a look at the encrypted shares. Doing so can provide a useful piece of information: If one device has a much higher number of open files than usual, you may have just found your Patient Zero. Otherwise…
4. Locate Patient Zero: Tracking the infection becomes considerably easier once you’ve identified the source. To do so, check for any alerts that may have come from your antivirus/antimalware, EDR, or any active monitoring platform. And because most ransomware enters networks through malicious email links and attachments, which require an end user action, asking people about their activities (such as opening suspicious emails) and what they’ve noticed can be useful as well. Finally, taking a look at the properties of the files themselves can also provide a clue—the person listed as the owner is likely the entry point. (Keep in mind, however, that there can be more than one Patient Zero!)
5. Report the ransomware to authorities: As soon as the ransomware is contained, you’ll want to contact law enforcement, for several reasons. First of all, ransomware is against the law—and like any other crime, it should be reported to the proper authorities. Secondly, according to the United States Federal Bureau of Investigation, “Law enforcement may be able to use legal authorities and tools that are unavailable to most organizations.” Partnerships with international law enforcement can be leveraged to help find the stolen or encrypted data and bring the perpetrators to justice. Finally, the attack may have compliance implications: Organizations must be aware of compliance obligations under regulations like GDPR, which may require reporting data breaches to regulatory authorities—such as the ICO—within strict timeframes to avoid significant penalties."
6. Evaluate your backups: Now it’s time to begin the response process. The quickest and easiest way to do so is to restore your systems from a backup. Ideally, you’ll have an uninfected and complete backup created recently enough to be beneficial. If so, the next step is to employ an antivirus/antimalware solution to ensure all infected systems and devices are wiped free of ransomware—otherwise it will continue to lock your system and encrypt your files, potentially corrupting your backup. Once all traces of malware have been eliminated, you’ll be able to restore your systems from this backup and—once you’ve confirmed that all data is restored and all apps and processes are back up and running normally—return to business as usual. Unfortunately, many organizations do not realize the importance of creating and maintaining backups until they need them and they aren’t there. Because modern ransomware is increasingly sophisticated and resilient, some of those who do create backups soon find out that the ransomware has corrupted or encrypted them, too, rendering them completely useless.
7. Research your decryption options: If you find yourself without a viable backup, there’s still a chance you can get your data back. A growing number of free decryption keys can be found at No More Ransom. If one is available for the variant of ransomware you’re dealing with (and assuming you’ve wiped all traces of malware from your system by now), you’ll be able to use the decryption key to unlock your data. Even if you’re fortunate enough to find a decryptor, however, you’re not done yet—you can still expect hours or days of downtime as you work on remediation.
8. Move on: Unfortunately, if you have no viable backups and cannot locate a decryption key, your only option may be to cut your losses and start from scratch. Rebuilding won’t be a quick or inexpensive process, but once you’ve exhausted your other options, it’s the best you can do.

Why shouldn’t I just pay the ransom?

When faced with the possibility of weeks or months of recovery, it might be tempting to give in to a ransom demand. But there are several reasons why this is a bad idea:

• You may never get a decryption key. When you pay a ransomware demand, you’re supposed to get a decryption key in return. But when you conduct a ransomware transaction, you’re depending on the integrity of criminals. Many people and organizations have paid the ransom only to receive nothing in return—they’re then out tens or hundreds or thousands of dollars, and they still have to rebuild their systems from scratch.
• You could get repeated ransom demands. Once you pay a ransom, the cybercriminals who deployed the ransomware know you’re at their mercy. They may give you a working key if you’re willing to pay a little (or a lot) more.
• You may receive a decryption key that works—kind of. The creators of ransomware aren’t in the file recovery business; they’re in the moneymaking business. In other words, the decryptor you receive may be just good enough for the criminals to say they held up their end of the deal. Moreover, it’s not unheard of for the encryption process itself to corrupt some files beyond repair. If this happens, even a good decryption key will be unable to unlock your files—they’re gone forever.
• You may be painting a target on your back. Once you pay a ransom, criminals know you’re a good investment. An organization that has a proven history of paying the ransom is a more attractive target than a new target that may or may not pay. What’s going to stop the same group of criminals from attacking again in a year or two, or logging onto a forum and announcing to other cybercriminals that you’re an easy mark?
• Even if everything somehow ends up fine, you’re still funding criminal activity. Say you pay the ransom, receive a good decryptor key, and get everything back up and running. This is merely the best worst-case scenario (and not just because you’re out a lot of money). When you pay the ransom, you’re funding criminal activities. Putting aside the obvious moral implications, you’re reinforcing the idea that ransomware is a business model that works. (Think about it—if no one ever paid the ransom, do you think they’d keep putting out ransomware?) Bolstered by their success and their outsized payday, these criminals will continue wreaking havoc on unsuspecting businesses, and will continue putting time and money into developing newer and even more nefarious strains of ransomware—one of which may find its way onto your devices in the future.

Trellix: Critical coverage across the entire ransomware kill chain

Trellix provides critical coverage for all stages of a sophisticated ransomware campaign — from reconnaissance to recovery — offering unmatched visibility and reduced time to detection and response.

Minimize Time to Detect and Respond

With Trellix, you can minimize the mean time to detect (MTTD) and respond (MTTR) to ransomware threats. The Trellix Security Platform offers AI-powered speed, reducing cost and increasing SOC analysts’ productivity with automatic prioritization, guided response, rollback actions, and ready-to-use playbooks.

Leverage Rich Threat Intelligence

Trellix’s Advanced Research Center analyzed more than 9,000 real-world ransomware attacks to develop a kill chain model that helps combat ransomware and reduce time to value, cost, complexity, and overall risk. Leverage rich threat intelligence from Trellix’s Advanced Research Center to decrease false positives and ensure your SOC spends time fighting attackers instead of chasing alerts.

Comprehensive, Open Platform

The AI-powered Trellix Security platform, provides comprehensive native controls, offering a one-platform, best-of-breed tool to replace five or more point products. The open platform integrates over 1,000 third-party data sources, providing quick time to value with more than 500 out-of-the-box integrations.