October is National Cybersecurity Awareness Month, so you will likely see a lot of discussion around the topic of ransomware. Too often, conversations jump straight to how to address ransomware, but we’d like to start by talking a bit about what it is, how it works, and how it is delivered.
What is it?
The use of the word “ransom” is entirely appropriate, since the goal of an attack is to access and hold data hostage until, and unless, a ransom is paid. Attacks most frequently try to gain access to financial data, customer information, trade secrets, employee records, and other information of value. Once an attacker has access to your company data, they will threaten to make sensitive information public, sell it to competitors or others with nefarious intentions (often on the Dark Web) or simply destroy it if you do not pay the ransom they demand.
Obviously, this can be terrifying and crippling for most companies. Add to this the very real possibility that even once paid, the attacker may not return access to your data as promised, instead asking for a higher amount. It is far better to not fall victim in the first place.
How does it work?
First, the attack blocks access to important files by taking control of your network or computer. Second, the victim receives a note demanding a certain amount of money – typically paid via some sort of cryptocurrency – to return access to those files. Cryptocurrency is the currency of choice because it is very difficult to trace, so the criminals worry far less about suffering repercussions.
In almost all attacks, the victim is locked out of their data in one of two ways. Most commonly, the attack makes files unreadable by encrypting them into ciphertext. In these cases, the attacker promises to send the decryption key when payment is received and threatens to destroy that same key if they are ignored. The alternative is non-encrypting ransomware that locks the entire screen and displays the ransom note, promising to remove the lock when paid.
Most attacks are not discovered until a user notices that certain systems are no longer accessible or until the attacker sends a message shortly before or after the lockout.
How does it gain access to your system?
In the vast majority of cases, up to 95% according to a variety of sources, ransomware is delivered through phishing emails in which the sender poses as a legitimate party. Attackers spend a good deal of time making these emails look authentic, so recipients are easily fooled into clicking a link or opening a file. Less often, entry is gained when employees visit malicious websites. Regardless of how they gain access, once they are in, it is often too late to reverse the process set in motion.
In our next post, we discuss what you can do to avoid attacks and how you can prepare for ransomware to mitigate its impacts.