General security

Malware spotlight: what is ransomware?

Fakhar Imam
September 30, 2019 by
Fakhar Imam


Ransomware is a type of malware that is used to digitally extort victims. It does this by preventing them from accessing their systems or files unless they pay a ransom to the extortionists.

There are two types of ransomware. The first is blocker ransomware, which locks or restricts access to systems. The second is crypto-ransomware, which obfuscates, encrypts or denies access to files. The ransom is typically demanded via credit card or cryptocurrency, such as Bitcoin.

In this article, we will delve into the ransomware execution process, some of the biggest ransomware attacks and effective techniques to prevent ransomware.

How does ransomware work?

A ransomware attack works in a sequence of steps. Each step involves specific techniques to make the attack successful. The following sections elaborate each step in more detail.

Step 1: Deployment

In the first phase, hackers install the components of ransomware that are employed to lock a system or encrypt files. They usually use the following techniques to perform these malicious operations:

  • Phishing emails: Extortionists typically use a phishing campaign to inject ransomware. According to CSO, “93% of phishing emails are now ransomware.” In December of 2018, researchers at Carbon Black launched a campaign in which the infected systems harvested credentials, gathered system and process information, and then encrypted data to ask for a ransom from its victims. The attack was carried out via phishing emails that contained an attached Word document with embedded macros. These macros involved the encoded PowerShell script and utilized various techniques to download and execute both GandCrab ransomware and Ursnif malware
  • Drive-by download: In this case, the system automatically downloads a piece of malware without the knowledge of the end user
  • Strategic web compromise: This is another name for a watering hole attack, which is a specific or targeted attack. Using this technique, extortionists use malicious code to compromise websites that a particular group of end users is supposed to visit unawares

Step 2: Installation

No sooner than the malicious components have been deployed does the infection start. Hackers can use several methods to deliver a malicious payload.

One of these methods is Download Dropper Methodology, whereby extortionists deliver the first file as a small piece of code. The purpose of doing so is to evade the most common detection techniques and communicate with scammers’ command-and-control channels. If the first file succeeds, it will receive commands to download the actual ransomware and infect the exploited system.

Step 3: Command-and-control

After the successful deployment and installation, extortionists need to establish a communication channel with ransomware to control the operations of a victim’s machine(s). Prior to the compromise, some ransomware variants report back a massive volume of information to scammers regarding the targeted system, including the operating system, any anti-malware software installed, browsers, domain name and IP address, as well as the type of files they want to infect.

Command-and-control channels can be just like web-based communications, supporting an unencrypted HTTP protocol to a complicated system that leverages embedded Tor services to establish anonymous communication. Tor is a complex system that can efficiently hide scammers’ whereabouts.

Step 4: Encryption

In the encryption phase, the ransomware executes using the command-and-control channel to lock the system or/and encrypt files. Ransomware can encrypt any number or any type of files, including Microsoft Office documents, GIFs, JPEGs and sundry others. The more dangerous ransomware not only encrypts files but also changes their names to prevent their recognition.

Step 5: Extortion

Once the encryption is done successfully, extortionists execute their final plan to demand a payoff. The notification of the compromised or ransom message is delivered to the victim’s machine.

Hackers use several methods to gain the trust of a harmed person. For example, they unlock a single file to show the victim that they can similarly unlock the other ones.

If a sufferer does not pay attention to the repeated notifications, malicious actors will demand a blackmail payoff or deliver a threatening message that may include the revelation of private data such as pictures or videos to the victim’s friends or family members, or even business secrets given to their company’s competitors. If the victim is a government or military agency, the revelation of information with regard to the national security can be even more disastrous.

Sometimes, cyber-pests double the payment of a ransom in the event of an unusual delay.

Should I pay the ransom?

This question is controversial among security analysts. However, most security professionals are not in favor of paying the ransom because cybercriminals don’t have moral or ethical boundaries. Therefore, there is no assurance that your system or files will be decrypted even after paying the ransom.

In 2016, the FBI reported that victims of ransomware should not give in to scammers’ demands and shouldn’t pay the ransom. Kaspersky Labs also reported that one in every five businesses that fell victim to a ransomware attack paid the ransom and didn’t receive the promised decryption key. McAfee also advises not to pay a ransom. On July 2019, Baltimore Mayor Jack Young announced that the U.S. Conference of Mayors (UCSM) passed a resolution calling on mayors to oppose paying a ransom to cyber-extortionists.

On the other hand, Forrester Research, in its recent research report, argued that paying a ransom to get files back should be viewed as a viable option. They provided the examples of Riviera Beach and Lake City in Florida, who paid ransoms in recent ransomware attacks.

Nevertheless, most opinions do not favor paying ransomware, as it doesn’t guarantee the recovery of systems or files. Rather, it encourages extortionists to carry out still more attacks.

What are the biggest ransomware attacks?

According to the Datto, an American cybersecurity and data backup company, ransomware triggers a loss of $75 billion per year to companies. It was discovered that $133,000 was the average cost of a ransomware attack on companies, as per the estimation of Sophos, a British security software and hardware company. Another cybersecurity company, Cybersecurity Ventures, also reported that a new enterprise will fall victim to a ransomware attack every 14 seconds in 2019 and every 11 seconds by 2021.

Let’s examine some of the biggest ransomware attacks that have occurred in recent years.

WannaCry on TSMC

TSMC (Taiwan Semiconductor Manufacturing Company), which is also the main supplier to the Apple iPhone, revealed that a variant of WannaCry brought down its fabrication plant on August 2018 and cost 3% of the company’s revenue.


By 2016, TeslaCrypt has made up 48% of ransomware attacks, as per CSO. The main victims of this attack are video games and their content such as maps, saved games and other downloadable content. In March and May of 2016, 11,674 users from India were attacked by the TeslaCrypt ransomware. This was reported by News18, a digital media group from India.


First appearing in 2016, the Petya ransomware was used by scammers to carry out attacks that denied victims access to their systems. Instead of encrypting the files, Petya encrypts a part of the hard drive that controls file location and prevents the system from booting up, making the system and its files inaccessible. The government of Ukraine, banks and the electricity grid were attacked, but organizations in Pennsylvania, Denmark, Pittsburgh and France were also hit.


SimpleLocker is Android-based ransomware that emerged in late 2015 and early 2016. Like other ransomware, SimpleLocker encrypts files but does so on Android-based mobile devices to deliver a malicious payload via a Trojan downloader, making it difficult to detect via standard security countermeasures. It first emerged in Eastern Europe; however, there have also been victims in the United States.

How do I protect my business from ransomware?

Preventing any kind of threat requires us to understand it from its source, its techniques and transmission mechanisms used by it. As far as ransomware is concerned, we have already discussed its complete execution process in the previous section on “How does ransomware work?”

In addition, we have offered an analysis of whether to pay or not pay a ransom. The result, by popular professional opinion, was in favor of not paying a ransom. If this is the case, then we should have zero tolerance for ransomware attacks. To make this true, various techniques should be exercised in organizations.

Below are some countermeasures that can be used to prevent ransomware infection.

What techniques are available to prevent the execution of ransomware?

The most used techniques are discussed below:

Prevent ransomware execution

Ransomware should be prevented from being executed if it has been downloaded successfully. Typically, ransomware’s malicious scripts execute in the Temp, %AppData% or Downloads directories.

One possible solution is to execute only digitally signed programs. Another way is to prevent any program from executing in those directories by using a Microsoft Group Policy Management Console (GPMC). You can also use AppLocker to decide what files should be executed or which shouldn't. In addition, ransomware must not reach Windows Registry. You can use Windows Resource Protection to disable writing to the registry.

Disrupting the command-and-control channel

This security measure also prevents attackers from being successful. Disrupting the command-and-control channel will prevent scammers from establishing communication with the victim’s machine. This can be done using several endpoint protection platforms such as Tanium, FireEye, Cylance or Carbon Black.

What are pre-attack ransomware prevention techniques?

These techniques can prevent the occurrence of a ransomware attack. They include:

Hardening the systems

Organizations must harden their servers and workstations to prevent ransomware. For this to be done effectively, those systems should be equipped with anti-malware programs as well as firewalls to stop malicious traffic. IPS and IDS security techniques should also be used.

In addition, patch all systems and update them regularly to avoid vulnerabilities that can be exploited by scammers. Do not install any software or give it administrative privileges unless you know it is harmless.


Malware can evade signature-based antiviruses. Therefore, a tool that performs behavioral analysis is necessary to deal with malware. This is the reason that sandboxes are so important.

As discussed in the previous sections, extortionists deploy a piece of malware in the form of a file to establish a communication channel with the victim machine. This file must be prevented from being downloaded.

A sandbox is an automated malware analysis system that has the ability to capture the behavior of a file and then associate this behavior with malware. Sandboxes involve both static and behavioral analysis engines. The main components of a sandbox include virtual machine, agent and controller.

A sandbox can create micro-virtualized instances where inbound files are checked for suspicious activity and then detonated if required.

Back up all data

Create a backup copy of all your sensitive data. If the attacker bypasses all security measures and encrypts files, you will simply restore your data to avoid loss.

Security awareness training

The employees must have appropriate security awareness training regarding malware and its execution. They should also be mindful of anti-phishing best practices to avoid phishing scams that occur via emails.

Deploy network segmentation

If a single part of the network has been compromised, network segmentation can prevent ransomware from exploiting the rest of the network. This is a crucial step that is surprisingly ignored by a number of large enterprises.

Only use secure networks

Don’t use any public Wi-Fi network, as they are insecure. It’s better to utilize a VPN that will provide you a secure connection to the internet.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.



  1. Allan Liska and Timothy Gallo, “Ransomware: Defending Against Digital Extortion,” O’Reilly Media, November 2016
  2. Phishing Campaign Delivers Nasty Ransomware, Credential-Theft Two-Punch, Threat Post
  3. 93% of phishing emails are now ransomware, CSO
  4. Ransomware attacks: Why and when it makes sense to pay the ransom, ZDNet
  5. Does Paying Ransomware Work?, COMODO
  6. What Happens When Victims Pay Ransomware Attackers?, TrendMicro
  7. To pay or not pay a hacker’s ransomware demand? It comes down to cyber hygiene, CSO
  8. TSMC says a variant of WannaCry virus brought down its plants, ZDNet
  9. 'Petya' ransomware attack strikes companies across Europe and the US, The Guardian
  10. India Among Top 5 Nations to Be Attacked by Ransomware, News18
  11. The 6 biggest ransomware attacks of the last 5 years, CSO
  12. 27 Terrifying Ransomware Statistics & Facts You Need to Read, phoenixNAP
  13. 10 ways to protect yourself from ransomware, Cisco
  14. How to defend against ransomware, McAfee
  15. Ransomware explained: How it works and how to remove it, CSO
Fakhar Imam
Fakhar Imam

Fakhar Imam is a professional writer with a master’s program in Masters of Sciences in Information Technology (MIT). To date, he has produced articles on a variety of topics including on Computer Forensics, CISSP, and on various other IT related tasks.