What does ransomware do? How does it work?
The primary goal of ransomware is to lock down information and devices and then extort a payment from the user. It promises to return the information or device after payment, but it will sometimes exfiltrate the data or delete it instead.
Without proper device protection, this is how the typical ransomware process goes:
Attackers plant ransomware on a device or network
Ransomware is often delivered through malicious links in phishing emails or ads. Once a link is followed, the payload (the encryption software) is downloaded onto the device or network.
If the ransomware’s goal is data exfiltration, that will also happen at this stage.
The ransomware installs itself
Like many types of malware, ransomware will install itself remotely without a user’s knowledge.
The software encrypts or locks files
Once activated, ransomware uses its own encryption methods to lock devices and data, preventing users from accessing them.
Victims receive notifications of a ransom or payment required to gain access
Users will see an on-screen notification letting them know what’s happened and requesting a ransom. Attackers typically use anonymous web pages and cryptocurrency for these demands.
How do I remove ransomware?
You can remove ransomware, but it isn’t an easy task. Success depends on the type of ransomware and how quickly you react, and even a successful removal may leave you with permanent data loss.
Most law enforcement agencies discourage paying the ransom: there’s no guarantee it will work, and paying may mark you as a more obvious target for future attacks.
- Remove your device from your network and the internet.
- Contact your IT administrator and ask for a ransomware decryption tool.
- Run the ransomware decryption tool on your device.
- Deeper infections may require you to wipe your device entirely and reinstall your operating system.
- Restore your device from a backup made before the ransomware infection.
- Connect to a safe network and reinstall your software, starting with an antivirus program.
- Run a scan with your antivirus software to ensure the infection is gone.
- Update any compromised passwords on another device and turn on two-factor authentication.
8 common types of ransomware
Though most forms of ransomware will want the same thing—a payment—there are a few different ways to achieve that goal. Understanding the various types will help you keep your devices and data safe.
1. Crypto ransomware
Crypto ransomware, or cryptomalware, encrypts data and files and then demands a ransom in cryptocurrency to unlock it.
2. Locker ransomware
Locker ransomware blocks users from accessing devices or applications, rather than files, preventing even basic functions until the user pays the ransom.
3. Scareware
Scareware uses social engineering techniques to trick users into believing their device is infected with ransomware, even when it isn’t. To “resolve” the issue, users are pushed to buy more malicious software from the attacker.
4. Ransomware-as-a-Service
Ransomware-as-a-Service is a business model for cybercriminals rather than a specific type of software: ransomware developers sell their code to other attackers, who then run the attacks. This makes attacks more difficult to deal with.
5. Doxware or leakware
Doxware and leakware are variants of ransomware that threaten to release sensitive information publicly if the victim doesn’t pay the ransom.
6. Double extortion ransomware
Double extortion ransomware is a combination of ransomware and extortionware in which an attacker will exfiltrate data, then encrypt it. The attacker can demand a ransom first for the encrypted files and then for the exfiltrated data to be returned, often in multiple payments.
7. Hybrid encryption ransomware
Hybrid encryption ransomware uses a combination of symmetric and asymmetric encryption methods to speed up the process of locking a user’s device or data.
8. Wiper malware
Wiper malware is considered a cousin of ransomware. Similar to ransomware, it will target data and files to make them inaccessible to the user—but rather than release the data, wiper malware destroys it.
9 signs of a ransomware infection
Ransomware is designed to run in the background until it’s ready to make its demands, so it may not be obvious that a device has been infected. Run scans with your antivirus software regularly.
Some of the signs you may notice include:
1. Unexpected crashes
If your computer crashes suddenly, especially in the middle of processes that typically run fine, it could be a sign of an infection.
2. Your device is locked
If your computer stays locked or doesn’t let you log in, ransomware could be blocking your access.
3. Your files are scrambled or inaccessible
You may notice that files you can normally access suddenly won’t open. Files you already had open may close unexpectedly.
4. Unexpected pop-ups, even when you’re offline
You may start seeing pop-up ads and alerts on your computer, even if you’re not connected to a network.
5. Unusually poor performance
Your computer may start experiencing drops in processing speed or struggle to perform otherwise normal tasks.
6. Changes to your homepage
You may notice that your browser’s homepage has changed to a site you don’t recognize.
7. Changes to your default search engine
Your device’s browser could start defaulting to a search engine you don’t recognize or didn’t authorize.
8. Sudden changes in storage space
If your computer’s hard drive suddenly and unexpectedly starts running out of space, but you can’t see what’s causing the problem, it could signal ransomware taking up space.
9. Your security software stops working
You may notice that your security or antivirus software isn’t working or has even been turned off without your knowledge or permission.
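Sign 3 above (“files are scrambled or inaccessible”) can be checked automatically: encrypted files have near-maximal byte entropy, often carry a new extension, and are accompanied by a ransom note. The following scanner is an added example written for this article, not code from the original page or from Parallels; the thresholds, extension list and keyword list are assumptions to tune for your environment, and the sample files it creates are constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed heuristic thresholds (constructed for this example; tune for your environment).
ENTROPY_THRESHOLD = 7.5                       # bits per byte; ciphertext approaches 8.0
RANSOM_NOTE_KEYWORDS = ("decrypt", "bitcoin", "your files")
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}   # constructed examples

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: text sits around 4-5, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def scan_directory(root: str) -> dict:
    """Walk `root` and collect the three signals: high entropy, odd extension, ransom note."""
    findings = {"high_entropy": [], "suspicious_extension": [], "ransom_notes": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)          # first 64 KiB is enough for the heuristic
            if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXTENSIONS:
                findings["suspicious_extension"].append(path)
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                findings["high_entropy"].append(path)
            lowered = head.lower()
            # Two or more note keywords together is a stronger signal than any one alone.
            if sum(k.encode() in lowered for k in RANSOM_NOTE_KEYWORDS) >= 2:
                findings["ransom_notes"].append(path)
    return findings

def build_sample_tree() -> str:
    """Constructed sample: a normal document, an 'encrypted' copy, and a ransom note."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("Quarterly report. Revenue grew modestly; see attached tables.\n" * 50)
    with open(os.path.join(root, "report.txt.locked"), "wb") as fh:
        fh.write(os.urandom(8192))             # stands in for ciphertext: near-maximal entropy
    with open(os.path.join(root, "README_TO_DECRYPT.txt"), "w") as fh:
        fh.write("Your files are encrypted. To decrypt them, send bitcoin to the address below.\n")
    return root

if __name__ == "__main__":
    for signal, paths in scan_directory(build_sample_tree()).items():
        print(signal, [os.path.basename(p) for p in paths])
```

Archives, images and legitimately encrypted files also read as high entropy, so treat a hit as a trigger to investigate the host, not as proof of infection.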
How do ransomware attacks happen? What are the threat vectors for ransomware?
Understanding what causes ransomware attacks to succeed, and what opens the door, is the first step toward preventing them. Ransomware can reach your device and network in multiple ways, from methods that trick users, like phishing messages, to those that directly affect the device, like drive-by downloads.
Social engineering
Social engineering is the technique of using social interaction to infect a device or network. Hackers will pretend to be a trusted person like a new employee or a contractor so they can ask questions and gain access.
They may target more than one person in an organization simultaneously.
Phishing emails
Phishing emails are malicious messages disguised to trick the recipient into trusting them. They often include malicious URLs that, when clicked, will distribute ransomware onto the victim’s device.
These messages often pretend to come from sources like banks or popular services.
Known vulnerabilities or exploits
Hackers may use reported vulnerabilities or exploits for popular browsers as a gateway into devices and networks.
Drive-by downloads
Visiting compromised web pages can cause ransomware to self-install on your device, even if you don’t click or download anything.
RDP (remote desktop protocol) attacks
Hackers can use vulnerabilities in RDP software to sneak into an organization’s devices and networks to plant ransomware.
Malvertising or malicious advertising
Ransomware and other malware may hide behind infected ads on otherwise safe websites, installing themselves onto devices when users click.
Infected documents
Attackers sometimes hide malicious code in seemingly safe documents, a technique often called fileless ransomware. These documents carry embedded scripts and macros that run in memory to infect the device directly.
6 ways organizations can stay protected from ransomware
It’s all too easy to fall victim to a ransomware attack—all it takes is a wrong click or a browser you forgot to update. But with the right approach and a strong defense strategy, you can keep your organization safe.
1. Zero Trust network access
With a Zero Trust approach to network access, devices, users, and networks must always be verified before you trust them.
2. Remote browser isolation (RBI)
RBI solutions are designed to protect against browser-based threats like ransomware.
They do this by isolating browser sessions in a cloud-based environment, away from the device, and streaming a safe image of the site to the end user. This way, malware stays in the cloud and cannot reach the device.
3. Cybersecurity training and awareness programs
Training employees to recognize and avoid malicious activity like phishing scams and dangerous sites reduces the effectiveness of these scams and protects your organization.
4. Virtual private networks (VPNs)
VPNs protect the data on your organization’s devices and networks by encrypting it. This prevents ransomware from accessing and encrypting it with malicious software.
5. Endpoint monitoring tools
Endpoint monitoring tools give administrators visibility into every endpoint on an organization’s network and alert them to any suspicious activity on those endpoints.
6. Formal incident response plans
Because ransomware typically targets an organization’s finances or sensitive information, it’s important to have a plan in place to handle demands.
Organizations should also consider what steps they will take if information does get leaked.
See how Parallels Browser Isolation can help your organization stay protected from ransomware.
Take the next step
Parallels solutions give your organization a customizable way to protect itself with cybersecurity software that works together to meet your needs.
With core security protocols like secure browsing, a Zero Trust approach, policy control, and insights into activity, Parallels Browser Isolation keeps organizations like yours safe from cyber threats like ransomware.