What is Ransomware?

Ransomware is a type of malware that encrypts files and information on a system and prevents access to the information until a ransom is paid via cryptocurrency to decrypt them. The hallmark of ransomware has been the conspicuous ransom note that appears on victims’ computer screens indicating files have been encrypted. Victims are often given a specified amount of time to pay the ransom prior to their files being destroyed. For example, CryptoWall gave victims three days to pay.

How Does Ransomware Work?


Now that the question “What is ransomware?” has been answered, let’s turn to the next one you are probably asking: “How does ransomware work?”

Ransomware begins by gaining an initial infection on the system of an individual or of an employee at work. There are two common ways for ransomware to infect a device: through malicious emails or through malicious URLs.

Malicious emails, often called phishing or malspam emails, typically carry an infected attachment. Attachments are given intriguing or urgent names to encourage users to open them, often related to taxes, false invoices, fake package tracking or current events.

Sometimes emails instead carry malicious URLs that lure users into clicking, delivering web-based attacks through drive-by downloads or malvertising.

Let’s look at how an early version of ransomware, CryptoWall, works once it gains a presence on an endpoint. Once the laptop is infected, CryptoWall corrupts explorer.exe, the part of Windows that provides the Start menu, taskbar, desktop and file manager, and restarts it. It then deletes the shadow copies, installs malware, disables services, and so on. It also establishes persistence, so restarting the device won’t get rid of it.

CryptoWall then contacts its command-and-control server to obtain the encryption key used to lock up files. With the key, every file on the local system is encrypted, as is every file reachable on connected network drives. Because of how ransomware works, the only way to regain access to them is with the decryption key, obtained by paying the ransom to the group behind CryptoWall.

Ransomware Worms Its Way into the Enterprise


In 2016, SamSam ransomware gave the world an unpleasant surprise when it unveiled a fearsome new capability: built-in lateral movement, or self-propagation. The appeal for attackers is clear: they can target entire enterprise networks, encrypt vast amounts of mission-critical data and, in turn, demand larger ransom payments. In SamSam’s case, the attackers got in by exploiting a dated server vulnerability. Once inside, SamSam moved laterally, seeking out additional network-connected systems in order to encrypt them.

WannaCry

WannaCry is ransomware that spreads on its own. The attack leveraged EternalBlue, an exploit developed by the NSA, to compromise machines, load the malware and propagate to other machines. Specifically, it took advantage of a vulnerability in Microsoft Server Message Block (SMB), the protocol used for tasks like file sharing between Windows computers. EternalBlue then installed DoublePulsar to execute malicious code on the infected system.

Microsoft had released patches at the time of the attack. However, many of the organizations hit had not patched these older systems, some of which were past their end-of-life.

Given its ability to spread, WannaCry is estimated to have infected more than 200,000 systems globally.

NotPetya

With the world still reeling from WannaCry, NotPetya made an appearance in late June 2017, and became the most devastating attack the world had seen to date.

NotPetya appeared to be ransomware at first glance, but turned out to be wiper malware designed only to destroy, with irreversible encryption. The attack began with bad actors compromising the Ukrainian tax accounting software MeDoc. MeDoc had hundreds of thousands of customers, primarily in Europe, who used the software to do business in Ukraine. Like any software vendor, MeDoc pushed updates to its customers, who implicitly trusted them; one of those updates had been compromised without the vendor’s knowledge. This was a supply-chain attack, exploiting the trust between software vendors and customers, that used a compromised piece of software, MeDoc, as a beachhead on victims’ systems. From there the attack was launched with an updated version of the Petya ransomware, dubbed NotPetya.

The attack spread laterally using EternalBlue and EternalRomance against unpatched systems, or using credentials stolen through password harvesting techniques to drive tools like PsExec and WMI and spread to more systems. Total global damages tied to NotPetya, now seen as a geopolitical cyber weapon, have been estimated to be in the $10 billion range.

Live Off the Land with Existing Systems

Ransomware that is capable of spreading on its own has generated considerable attention; however, many recent attacks seem to be more methodical and attacker-controlled.

These attacks don’t move as quickly as ransomware with lateral movement built in, but they are just as devastating because of the long dwell time spent surveilling an environment. US municipalities have reported a wave of such attacks in recent years – and many more were likely never reported at all. In most cases, attackers case the environment for weeks before the ransomware encryption begins.

These attacks gain a foothold via phishing or by brute-forcing poorly configured services like Remote Desktop Protocol (RDP), which is used for remote access to Windows. Once inside, the attackers are methodical, attempting peer-to-peer lateral movement over open ports, for example by exploiting RDP or WMI, ideally to reach a domain controller.
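Brute-forcing an exposed RDP service leaves a trail that defenders can read: a burst of failed logons from one source address, often against many different account names. The following detection logic is an added example written for this article, not code from the original page. It runs over constructed sample records in a simplified one-line rendering of Windows Security log entries (event 4625 is a failed logon, 4624 a success); the record format, the addresses and the account names are all assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not a real capture). The format is a deliberately
# simplified one-line rendering of a Windows Security log entry:
#   <UTC timestamp> <event id> <source address> <account name>
# Event 4625 is a failed logon, 4624 a successful one. Source addresses come
# from documentation ranges (TEST-NET) and a private range.
SAMPLE_LOG = """\
2023-03-01T02:14:01Z 4625 203.0.113.7 administrator
2023-03-01T02:14:03Z 4625 203.0.113.7 admin
2023-03-01T02:14:04Z 4625 203.0.113.7 backup
2023-03-01T02:14:06Z 4625 203.0.113.7 sqlsvc
2023-03-01T02:14:09Z 4625 203.0.113.7 helpdesk
2023-03-01T02:14:11Z 4625 203.0.113.7 administrator
2023-03-01T02:20:00Z 4624 10.0.0.5 jsmith
2023-03-01T02:21:30Z 4625 10.0.0.5 jsmith
2023-03-01T02:22:10Z 4624 10.0.0.5 jsmith
2023-03-01T03:00:00Z 4625 198.51.100.20 administrator
2023-03-01T03:12:00Z 4625 198.51.100.20 administrator
2023-03-01T03:25:00Z 4625 198.51.100.20 administrator
2023-03-01T05:40:00Z 4625 203.0.113.7 administrator
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\d+)\s+(?P<ip>\S+)\s+(?P<user>\S+)$")
FAILED_LOGON = "4625"


def parse_failed_logons(log_text):
    """Return {source_ip: [(timestamp, account), ...]} for failed-logon lines, sorted by time."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != FAILED_LOGON:
            continue  # malformed line or not a failed logon
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        failures[m["ip"]].append((ts, m["user"]))
    for ip in failures:
        failures[ip].sort()
    return failures


def detect_bruteforce(log_text, threshold=5, window_minutes=5):
    """Flag every source address with at least `threshold` failed logons inside any
    span of `window_minutes`. A sliding window over each source's sorted timestamps
    means a few failures spread over hours (a user mistyping a password) do not
    trigger, while a burst from one address does.

    Returns {ip: {"peak_failures", "window_start", "window_end", "distinct_accounts"}}.
    """
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, events in parse_failed_logons(log_text).items():
        times = [t for t, _ in events]
        start = 0
        peak, peak_start, peak_end = 0, None, None
        for end, t in enumerate(times):
            # Advance the window's left edge until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > peak:
                peak, peak_start, peak_end = count, times[start], t
        if peak >= threshold:
            flagged[ip] = {
                "peak_failures": peak,
                "window_start": peak_start,
                "window_end": peak_end,
                # Many distinct account names from one source points to password
                # spraying rather than a single user who forgot a password.
                "distinct_accounts": len({u for _, u in events}),
            }
    return flagged


if __name__ == "__main__":
    for ip, hit in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {hit['peak_failures']} failures between {hit['window_start']:%H:%M:%S} "
              f"and {hit['window_end']:%H:%M:%S}, {hit['distinct_accounts']} accounts tried")
```

With the defaults, only the source that produced six failures in ten seconds against five different accounts is flagged; the user who mistyped once and the address that failed three times over 25 minutes are not. Widening the window and lowering the threshold surfaces the slower pattern too, which is the trade-off every such rule makes between catching low-and-slow guessing and paging on ordinary mistakes.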

Credential harvesting, also seen in NotPetya, is another way to move laterally. Tools like Mimikatz facilitate this and allow privilege escalation, so attackers gain greater levels of permission in the network.

Either way, attackers often reach domain controllers, effectively making them an IT admin of the company they are attacking.

At this point, they “live off the land,” using existing IT admin frameworks like PsExec, used to execute processes on other systems, or PowerShell, used to automate operating system management tasks, to drop malicious files onto systems.

Double Extortion

What does Lady Gaga have to do with new ransomware attack techniques?

Her unsuspecting role in double extortion.

Ransomware attacks have become even nastier as some now add a second layer of extortion. First, attackers gain a foothold, find sensitive data and exfiltrate it to their own servers. With the sensitive data stolen, they then proceed to encrypt systems. Not only are systems locked up, but the sensitive information can be leaked publicly unless victims pay up, adding further pressure on organizations to pay the ransom.

Recently, attackers targeted an entertainment law firm, stealing data related to high-profile clients like Lady Gaga, Bruce Springsteen, and Christina Aguilera. They initially released contracts related to Lady Gaga as proof of their possession of sensitive information.

The group behind the attack threatened to release more celebrity data if the law firm declined to pay the ransom ask, which reached some $42 million.

How to Prevent Ransomware Attacks


How can you protect yourself? It is a tall order, seeing that many attacks use newly created malware or live-off-the-land techniques to largely evade detection. Still, a few best practices reduce the risk of major ransomware attacks.

Here are some of the leading ways to reduce ransomware risk, according to US-CERT:

  • Segment your laptops and networks so that the first laptop infected is also the last, and attacks can’t move beyond the initial system.
  • Patch all systems regularly so that vulnerable applications and operating systems are not targeted.
  • Use effective email and endpoint security tools to stop as many phishing emails as possible from reaching inboxes, and to stop malicious activity associated with ransomware from reaching endpoints and encrypting files.
  • Train users to open email attachments carefully and to be wary of attachments from unknown senders.
  • Back up systems often and store the backups separately, where they cannot be accessed from the network, so that you can restore to a previous state if need be.
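A backup only helps if the copy you restore from is intact, and a copy that sat on a reachable share while ransomware ran may itself have been encrypted. The script below is an added example for this article, not code from the original page or from US-CERT. It records a SHA-256 manifest of a backup tree, keeps that manifest outside the tree (in practice, with the offline copy), and later re-verifies the tree, reporting files whose contents changed, files that vanished, and new names that appeared; a large fraction of changed or missing files is the signature of bulk encryption rather than normal churn. The file names, contents and the 25% threshold are constructed for the demonstration, and the "damage" is simulated with random bytes and a rename; nothing here encrypts anything.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under `root` (path relative to root, '/'-separated) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict, mass_change_threshold: float = 0.25) -> dict:
    """Compare the tree under `root` with a previously recorded manifest.

    Three things a ransomware event does to a tree show up here: contents change
    (encrypted in place), files disappear (renamed or deleted), and new names
    appear (renamed with a ransom extension). The fraction of changed-or-missing
    files separates bulk encryption from ordinary day-to-day edits.
    """
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    changed_fraction = (len(modified) + len(missing)) / len(manifest) if manifest else 0.0
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "changed_fraction": changed_fraction,
        "suspicious_mass_change": changed_fraction >= mass_change_threshold,
    }


def run_demo() -> dict:
    """Constructed scenario: snapshot a small tree, store the manifest outside it,
    then alter the tree the way bulk encryption looks from the outside and re-verify."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    files = {  # constructed sample content
        "docs/report.txt": b"quarterly numbers\n",
        "docs/notes.md": b"# todo\n- rotate keys\n",
        "db/customers.csv": b"id,name\n1,acme\n",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

    # The manifest lives with the offline copy, never inside the tree it describes.
    manifest_path = root.parent / (root.name + ".manifest.json")
    manifest_path.write_text(json.dumps(build_manifest(root), indent=2))
    manifest = json.loads(manifest_path.read_text())
    before = verify_backup(root, manifest)

    # Simulated damage: random bytes stand in for ciphertext, nothing is encrypted.
    (root / "docs/report.txt").write_bytes(os.urandom(64))          # contents replaced
    (root / "docs/notes.md").rename(root / "docs/notes.md.locked")  # renamed
    (root / "db/customers.csv").unlink()                            # deleted
    after = verify_backup(root, manifest)
    return {"before_damage": before, "after_damage": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run against a real backup set, `build_manifest` would be executed at backup time and the manifest written to the same offline medium; `verify_backup` is then the check to run before any restore, so that a damaged copy is recognised instead of being restored over whatever is left.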

Act Fast After Being Infected with Ransomware


If you suspect that your device has been infected with malware, there are a few steps you should take to prevent further damage. First, disconnect the infected device from the network and other devices as quickly as possible. This will stop the spread of the ransomware from one device to another. Companies can prevent malware from spreading quickly by using micro-segmentation to isolate workloads from each other.

The next step is to contact the authorities. Infecting devices with ransomware is against the law, and the authorities may also have tools that will help you get your files back.

If you’ve backed up your files to a different location, then you’ll be able to get your files back. This is one of the many reasons why regular file backups are crucial. If you don’t have backups, then research online to try and find a ransomware decryption key. Unfortunately, if you aren’t able to find the right key you may have to accept that your files are gone.

Never pay the ransom to get your files back. There is no guarantee that they’ll actually give you the decryption key, and you’ll be funding criminal activities. Paying will also make you a recurring target. Now that the criminals know they can get money from you, they’ll continue infecting your devices in the future.

Being able to identify potential malware in phishing emails and malicious URLs could save your files from being destroyed. After reading this article, you can answer the next time someone asks you, “What is ransomware?” You’re also prepared to prevent attacks and know the steps to take if your devices are infected.

Learn more


Get the "Security Risks 2021: Ransomware and the Return to the Office" report to understand how organizations are addressing top security risks related to hybrid work in 2021.