What Is Ransomware?

Let's start with one of the most pressing questions.

What exactly is ransomware?

Ransomware is a piece of malicious software designed to infect a computer and then block user access until a ransom is paid.

Many different ransomware versions have been identified over the years, and most of them try to extort money from victims by displaying an on-screen alert.

How does ransomware operate?

One of the more common tactics used by ransomware is asymmetric encryption.

In this case the attacker generates a unique public/private key pair for the victim: the public key is used to encrypt the affected data and the private key is needed to decrypt it afterwards.

The attacker usually only hands over the private key once the ransom is paid but, as recent ransomware operations have shown, this is not always the case.

It is extremely difficult to decrypt the data being held for ransom without access to this private key.

There are many different types of ransomware. Ransomware (and other malware) is frequently spread through email spam campaigns or targeted attacks.

To reach the victim's computer and infect it, the malware requires a so-called attack vector. Once it has established its presence, the malware remains on the system until its task is complete.

After a successful attack, ransomware drops and executes a malicious payload on the affected machine. This program then searches for and encrypts important files, including Microsoft Word documents, photos, databases and so on. The malware may also spread to other systems, potentially across large enterprises, by exploiting system and network flaws.

Once the data has been encrypted, the ransomware demands payment of a ransom within 24 to 48 hours, after which the contents will be permanently lost. If no backup is available, or the backups themselves have been encrypted, the victim will have to pay the ransom to get their information back.
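The two traces the payload described above leaves on a file share are documents renamed with a foreign extension and file contents that have become near-random. The following script, an added example written for this article rather than code from the author or from any product, shows how a defender can turn those traces into a detection: it measures the Shannon entropy of renamed documents and checks a decoy "canary" file that no legitimate user should ever touch. The thresholds, the extension list and the sample directory it builds under a temporary folder are all constructed assumptions for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic thresholds; constructed for this example, not taken from any product or the article.
ENTROPY_THRESHOLD = 7.5      # bits per byte; encrypted or compressed data sits close to 8.0
ALERT_FILE_COUNT = 5         # how many renamed, high-entropy documents trigger an alert
DOCUMENT_SUFFIXES = {".docx", ".xlsx", ".pdf", ".jpg", ".db", ".txt"}
CANARY_NAME = "~canary.txt"  # decoy file that normal users never open or modify


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True when a document has gained a foreign extension (report.docx.locked)
    and its contents are near-random: the two signs a crypto-ransomware leaves."""
    suffixes = [s.lower() for s in path.suffixes]
    renamed = (len(suffixes) >= 2
               and suffixes[-2] in DOCUMENT_SUFFIXES
               and suffixes[-1] not in DOCUMENT_SUFFIXES)
    return renamed and shannon_entropy(path.read_bytes()) > ENTROPY_THRESHOLD


def scan_tree(root: Path, canary_sha256: str) -> dict:
    """Walk `root`, list encrypted-looking files and verify the canary's digest."""
    suspicious = sorted(str(p.relative_to(root)) for p in root.rglob("*")
                        if p.is_file() and p.name != CANARY_NAME and looks_encrypted(p))
    canary = root / CANARY_NAME
    canary_ok = canary.is_file() and hashlib.sha256(canary.read_bytes()).hexdigest() == canary_sha256
    return {
        "suspicious": suspicious,
        "canary_intact": canary_ok,
        "alert": (not canary_ok) or len(suspicious) >= ALERT_FILE_COUNT,
    }


def build_sample_tree(root: Path, encrypted_docs: int) -> str:
    """Create a constructed share: plain documents, a canary, and `encrypted_docs`
    files that mimic ransomware output (random bytes, extra '.locked' extension).
    Returns the canary's SHA-256 so the scanner can verify it later."""
    root.mkdir(parents=True, exist_ok=True)
    for i in range(3):
        (root / f"notes{i}.txt").write_text("Quarterly figures, meeting minutes, to-do list.\n" * 40)
    canary_bytes = b"DO NOT MODIFY - integrity canary\n"
    (root / CANARY_NAME).write_bytes(canary_bytes)
    for i in range(encrypted_docs):
        (root / f"report{i}.docx.locked").write_bytes(os.urandom(8192))
    return hashlib.sha256(canary_bytes).hexdigest()


def demo(encrypted_docs: int = 6, tamper_canary: bool = False) -> dict:
    """Build a temporary sample tree, optionally overwrite the canary, and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "share"
        digest = build_sample_tree(root, encrypted_docs)
        if tamper_canary:
            (root / CANARY_NAME).write_bytes(os.urandom(64))
        return scan_tree(root, digest)


if __name__ == "__main__":
    print(demo())
```

Plain text scores around 4 bits per byte, so it never crosses the threshold, while the random "locked" files score close to 8. In practice the scan would run on a schedule or be driven by file-change notifications, and a single touched canary is treated as a stronger signal than the file count, because nothing legitimate ever writes to it.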

Defend Yourself Against Ransomware

Follow these steps to avoid ransomware and to minimize the damage if you are hit:

Make a copy of your data.

The easiest way to avoid being locked out of your important information is to keep backup copies of it on hand, preferably both in the cloud and on an external hard drive. If you do become infected with ransomware, you can wipe your computer or device clean and restore your contents from backup. This safeguards your data, and you won't be tempted to pay a ransom to the malware authors. Backups won't stop ransomware from infecting your computer, but they do limit the damage.

Make sure your backups are secure, and that the backup data cannot be modified or deleted from the systems it protects. Ransomware will hunt for data backups and encrypt or erase them, making them unrecoverable, so use backup methods that do not allow direct access to the backup files.
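A backup that has been silently encrypted or deleted is only discovered when it is needed, so the advice above pairs well with an integrity manifest kept somewhere the protected hosts cannot write. The script below is an added example, not the author's code or any backup product's; it records a SHA-256 for every file in a backup set, then compares a later state of the set against that manifest and reports modified, missing and unexpected files. The backup tree it builds and the tampering it simulates are constructed inside a temporary directory, and the off-host storage of the manifest is an assumption left to the reader's environment.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map every file under backup_root (POSIX-style relative path) to its SHA-256."""
    return {
        str(p.relative_to(backup_root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(backup_root.rglob("*")) if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the current backup set against a manifest taken when the backup was made.

    Modified files are the signature of a backup that has been encrypted in place,
    missing files of one that has been erased, and unexpected files of foreign
    content dropped into the share."""
    current = build_manifest(backup_root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo(tamper: bool = True) -> dict:
    """Build a constructed backup set, snapshot its manifest, optionally tamper, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.db").write_bytes(b"constructed ledger contents")
        (backup / "readme.txt").write_text("constructed backup set\n")

        # The manifest is serialised to JSON; in a real deployment it is written to a
        # store the protected hosts cannot reach (assumption: separate, write-once location).
        manifest_json = json.dumps(build_manifest(backup), indent=2, sort_keys=True)

        if tamper:
            # Simulate a ransomware run that reached the backup share: one file
            # overwritten, one deleted, one foreign file dropped.
            (backup / "finance" / "ledger.db").write_bytes(b"\x00\xff\x13\x37 garbage")
            (backup / "readme.txt").unlink()
            (backup / "unexpected.txt").write_text("dropped by the intruder\n")

        return verify_backup(backup, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from a host other than the one being backed up, against a manifest that host cannot alter; if the backup target itself is write-once or pull-only, as the paragraph above recommends, the check should always come back clean, and any deviation is worth an alert before a restore is ever attempted.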

Use security software and keep it up to date.

Make sure all of your computers, terminals, mobile phones, tablets and other devices are protected by good security software that has the latest security patches applied.

Update your devices' software early and often, as bug fixes are usually included in each release.

Use caution when browsing.

Be careful where you click. Do not reply to unsolicited emails or SMS messages, and download apps only from reputable sources, especially since malware authors frequently use social engineering to convince you to install malicious files.

Use only secure networks.

This means avoiding public Wi-Fi networks. Many of them are not secure, which can allow attackers to easily track your online activity. Instead, use a VPN, which gives you a secure internet connection wherever you travel.

Keep yourself up to date.

If you suffer a ransomware attack and haven't backed up all of your files, remember that IT companies have made decryption tools available to aid victims.

Make security awareness a priority.

Every person in your company needs to get regular security awareness training. This is mostly to help them prevent phishing and other social engineering attacks. Regular drills and testing should be a part of your ongoing security strategy.

Some of the most important ransomware groups you should know about


Ryuk is a ransomware family that primarily targets large public-sector systems. It encrypts data on compromised systems, making it unavailable until a ransom in untraceable bitcoin is paid.

Unlike many other dangerous hacking groups, the Ryuk criminal group has one main goal: extorting ransom payments in exchange for the data that its software has encrypted and rendered unusable.

How does it work?

Ryuk uses the Trickbot trojan to install itself once it has access to a network's servers. It can circumvent a wide range of anti-malware defenses and can fully shut down a computer network. If backup files are kept on shared servers, it can even look for them and disable them. Ryuk operators use Emotet as the initial loader, or "Trojan horse", to gain access to systems.

Thorough documentation on how Ryuk infects and takes control of a network is provided on the website of CISA, the US Cybersecurity and Infrastructure Security Agency.

That resource states that access is gained through phishing campaigns whose emails carry malware attachments; these can just as easily be replaced by links to malicious websites that host the malware.

Days or weeks may pass between the attackers first gaining access to a system and the mass encryption, as they dig further into the network to inflict maximum harm. Ryuk is particularly dangerous because it searches for and encrypts network drives and resources. It also disables the Microsoft Windows System Restore tool, which would otherwise allow you to return the computer's system data, applications and Windows Registry to their former, unencrypted state.


Petya is a crypto-malware family that was originally discovered in 2016.

How does it work?

The virus infects the master boot record of Microsoft Windows-based computers and executes a payload that encrypts the hard drive's file system table and stops Windows from starting. To restore access to the system, it then demands that the user pay a fee in Bitcoin. During its first year, the Petya virus affected millions of users.

Petya variants were first discovered in March 2016 and spread via infected email attachments. A new form of Petya was used in a worldwide cyberattack in June 2017 that primarily targeted Ukraine. This new form spreads via the EternalBlue exploit, which had been used earlier that year by the WannaCry ransomware and is thought to have been developed by the US National Security Agency (NSA).


REvil (short for Ransomware Evil, also known as Sodinokibi) is thought to be a ransomware-as-a-service (RaaS) group that is not affiliated with any state and either operates from Russia or is simply a Russian-speaking group.

How does it work?

After an attack, REvil would threaten to publish the stolen information on its "Happy Blog" website unless the ransom was paid. In one high-profile case, REvil targeted a supplier of the computer giant Apple and stole sensitive designs for forthcoming products.

REvil recruits affiliates to spread the ransomware on its behalf; under this arrangement the affiliates and the ransomware developers split the revenue from ransom payments. Their actual location cannot be established, but they are assumed to be based in Russia because they do not target Russian or former Soviet-bloc organizations.
Amar Basic
