Ransomware

What is Ransomware?

Ransomware is a growing threat to organizations around the world as cybercriminals use it in targeted and damaging attacks. It is a type of malicious software that prevents the victims from accessing their documents, pictures, databases and other files by encrypting them and demanding a ransom to decrypt them back. A deadline is assigned for the ransom payment, and if the deadline passes, the ransom demand doubles or files are permanently locked.

How Does Ransomware Work?

An understanding of what ransomware is and how it works is essential in preparing to protect against it. Ransomware is malware that encrypts a victim’s files and then demands a ransom to restore access to those files. To succeed, ransomware needs to gain access to a target system, encrypt the files there, and demand a ransom from the victim.

Step 1 – Infection and Distribution Vectors

Ransomware, like any malware, can gain access to an organization’s systems in a number of different ways. However, ransomware operators tend to prefer a few specific infection vectors. One of these is phishing emails. A malicious email may contain a link to a website hosting a malicious download or an attachment that has downloader functionality built-in. If the email recipient falls for the phish, then the ransomware is downloaded and executed on their computer.

Another popular ransomware infection vector takes advantage of services such as the Remote Desktop Protocol (RDP). With RDP, an attacker who has stolen or guessed an employee’s login credentials can use them to authenticate to and remotely access a computer within the enterprise network. With this access, the attacker can directly download the malware and execute it on the machine under their control.

Step 2 – File Encryption

The encryption of a user’s files is what sets ransomware apart from other malware variants. By encrypting sensitive and valuable data, the ransomware operator can demand a ransom in exchange for the decryption key with a reasonable belief that the victim will pay.

Ransomware typically makes use of two types of encryption: symmetric and asymmetric. Symmetric encryption requires the same key for encryption and decryption, while asymmetric cryptography uses a public key for encryption and a private key for decryption.

Ransomware variants carry a list describing the types of files that they should encrypt, whether listing certain file extensions, directories, or both. For each of these files, the ransomware uses symmetric encryption on the file and saves a copy of the symmetric key encrypted with a public key. The corresponding private key – which is needed to decrypt the symmetric key used to decrypt the files – is known only to the ransomware operator.

Step 3 – Ransom Demand

Once file encryption is complete, the ransomware is prepared to make a ransom demand. Different ransomware variants implement this in numerous ways, but it is not uncommon to have a display background changed to a ransom note or text files placed in each encrypted directory containing the ransom note. Typically, these notes demand a set amount of cryptocurrency in exchange for access to the victim’s files.

If the ransom is paid, the ransomware operator will either provide a copy of the private key used to protect the symmetric encryption key or a copy of the symmetric encryption key itself. This information can be entered into a decryptor program (also provided by the cybercriminal) that can use it to reverse the encryption and restore access to the user’s files.

Latest Ransomware Attacks

In April 2020, Cognizant, one of the largest tech and consulting companies in the Fortune 500, confirmed it had been hit by a Maze ransomware attack.

Maze is not like typical data-encrypting ransomware. Maze not only spreads across a network, infecting and encrypting every computer in its path; it also exfiltrates the data to the attackers’ servers, where it is held for ransom. If a ransom isn’t paid, the attackers publish the files online. However, a website known to be associated with the Maze attackers had not yet advertised or published data associated with Cognizant.

The FBI privately warned businesses in December of an increase in Maze-related ransomware incidents.

Since the warning, several major companies have been hit by Maze, including cyber insurer Chubb, accounting giant MNP, a law firm and an oil company.

Most Popular Ransomware Variants

CryptoWall

Ransomware that started as a CryptoLocker doppelgänger but eventually surpassed it. After the takedown of CryptoLocker, CryptoWall became one of the most prominent ransomware families to date. CryptoWall is known for its use of AES encryption and for conducting its Command & Control communications over the Tor anonymity network. It is widely distributed via exploit kits, malvertising and phishing campaigns.

WannaCry

Ransomware which was spread in a large-scale attack in May 2017, utilizing a Windows SMB exploit called EternalBlue to propagate within and between networks. It infected more than 100,000 computers by taking advantage of an unpatched Microsoft Windows vulnerability.

Jaff

Ransomware which began being distributed by the Necurs botnet in May 2017, via spam emails containing a PDF attachment with an embedded DOCM file. When the malware first emerged, it was spread massively, at an infection rate of approximately 10,000 emails sent per hour.

Locky

Ransomware which started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as a Word or Zip attachment, which then downloads and installs the malware that encrypts the user files.

TorrentLocker

Ransomware that encrypts user documents, pictures and other types of files. Victims are requested to pay up to 4.1 Bitcoins (approximately US $1800 at the time) to the attackers to decrypt their files.

Cerber

Offline ransomware, meaning that it does not need to communicate with its C&C server before encrypting files on an infected machine. It is spread mostly via malvertising campaigns which leverage exploit kits, but also through spam campaigns. It is operated by its author as a ransomware-as-a-service; the author recruits affiliates to spread the malware for a share of the ransom payment.

Protecting From and Preventing Ransomware

Proper preparation can dramatically decrease the cost and impact of a ransomware attack. Taking the following steps can reduce an organization’s exposure to ransomware and minimize its impacts:

Malware is often spread using phishing emails. Training users on how to identify and avoid potential malware attacks is crucial. As many current cyber-attacks start with a targeted email that does not even contain malware, but only a socially-engineered message that encourages the user to click on a malicious link, user education is often considered one of the most important defences an organization can deploy.

By definition, ransomware is designed so that paying a ransom is the only way to restore access to the encrypted data. Automated, protected data backups enable an organization to recover from an attack with minimal data loss and without paying a ransom. Maintaining regular backups as a routine process is a very important practice to prevent losing data and to be able to recover it in the event of corruption or disk hardware malfunction. Functional backups can also help organizations recover from ransomware attacks.

Patching is a critical component in defending against ransomware attacks, as cyber-criminals will often study newly released patches to find the vulnerabilities they fix and then target systems that are not yet patched. As such, it is critical that organizations ensure that all systems have the latest patches applied, as this reduces the number of potential vulnerabilities within the business for an attacker to exploit.

Accessing services like RDP with stolen user credentials is a favourite technique of ransomware attackers. The use of strong user authentication can make it harder for an attacker to make use of a guessed or stolen password.

The need to encrypt all of a user’s files means that ransomware has a unique fingerprint when running on a system. Specialized anti-ransomware solutions can use this to identify and terminate potentially malicious processes, minimizing the damage caused.

What to Do When Your System Is Infected with Malware?

A ransom message is not something anyone wants to see on their computer, as it reveals that a ransomware infection was successful. At this point, some steps can still be taken to respond to an active infection, and an organization must decide whether or not to pay the ransom.


1 Comment

  • Abanob Salama August 23, 2021

    Hello team,

    Kindly advise and assist me: can I get my files back?
    My laptop has been hacked by a virus called .hoop, and it encrypted my files.
