What is Ransomware?

Kurt Baker - March 15, 2022

Ransomware Definition

Ransomware is a type of malware that encrypts a victim’s data until a payment is made to the attacker. If the payment is made, the victim receives a decryption key to restore access to their files. If the ransom payment is not made, the threat actor publishes the data on data leak sites (DLS) or blocks access to the files in perpetuity.

Ransomware remains one of the most profitable tactics for cybercriminals. According to CrowdStrike’s annual Global Security Attitude Survey, the average ransom payment is $1.79 million.

How a Ransomware Attack Works

  • Step 1. Infection: Ransomware operators often using phishing emails and social engineering techniques to infect their victim’s computer. In most cases, the victim ends up clicking a malicious link in the email, introducing the ransomware variant on their device.
  • Step 2. Encryption: After a device or system has been infected, ransomware then searches for and encrypts valuable files. Depending on the variant, the malicious software may find opportunities to spread to other devices and systems across the organization.
  • Step 3. Ransom Demand: Once the data has been encrypted, a decryption key is required to unlock the files. In order to get the decryption key, the victim must follow the instructions left on a ransom note that outline how to pay the attacker – usually in Bitcoin.

ransom letter from hackers demanding bitcoin

Ransom letter demanding payment in bitcoin

Types of Ransomware

Encrypting Ransomware: In this instance the ransomware systematically encrypts files on the system’s hard drive, which becomes difficult to decrypt without paying the ransom for the decryption key. Payment is asked for using BitCoin, MoneyPak, PaySafeCard, Ukash or a prepaid (debit) card.

Screen Lockers: Lockers completely lock you out of your computer or system, so your files and applications are inaccessible. A lock screen displays the ransom demand, possibly with a countdown clock to increase urgency and drive victims to act.

Scareware: Scareware is a tactic that uses popups to convince victims they have a virus and directs them to download fake software to fix the issue

Example Ransomware Variants

CryptoLockerCryptoLocker ransomware was revolutionary in both the number of systems it impacted and its use of strong cryptographic algorithms. The group primarily leveraged their botnet for banking-related fraud.
NotPetyaNotPetya combines ransomware with the ability to propagate itself across a network. It spreads to Microsoft Windows machines using several propagation methods, including the EternalBlue exploit for the CVE-2017-0144 vulnerability in the SMB service.
RyukWIZARD SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return.
REvil (Sodinokibi)Sodinokibi/REvil ransomware is commonly associated with the threat actor PINCHY SPIDER and its affiliates operating under a ransomware-as-a-service (RaaS) model.
WannaCryWannaCry has targeted healthcare organizations and utility companies using a Microsoft Windows exploit called EternalBlue, which allowed for the sharing of files, thus opening a door for the ransomware to spread.
ContiConti’s utilization of compiler-based obfuscation techniques, such as ADVobfuscator, provide code obfuscation when the ransomware’s source code is built. Portions of Conti’s source code are restructured or rewritten regularly with the intention of avoiding detection and disrupting automated malware analysis systems.

2022 CrowdStrike Global Threat Report

Download the 2022 Global Threat Report to find out how security teams can better protect the people, processes, and technologies of a modern enterprise in an increasingly ominous threat landscape.

Download Now

Should You Pay the Ransom?

The FBI does not support paying a ransom in response to a ransomware attack. They argue paying a ransom not only encourages the business model, but it also may go into the pockets of terror organizations, money launderers, and rogue nation-states. Moreover, while few organizations publicly admit to paying ransoms, adversaries will publicize that info on the dark web – making it common knowledge for other adversaries looking for a new target.

Paying the ransom doesn’t result in a faster recovery or a guaranteed recovery. There may be multiple decryption keys, there may be a bad decryption utility, the decryptor may be incompatible with the victim’s operating system, there may be double decryption and the decryption key only works on one layer, and some data may be corrupted. Less than half of ransomware victims are able to successfully restore their systems.

Ransomware Prevention and Defense Tips

Once ransomware encryption has taken place, it’s often too late to recover that data. That’s why the best ransomware defense relies on proactive prevention.

Ransomware is constantly evolving, making protection a challenge for many organizations. Follow these best practices to help keep your operations secure:

1. Train all employees on cybersecurity best practices:

Your employees are on the front line of your security. Make sure they follow good hygiene practices — such as using strong password protection, connecting only to secure Wi-Fi and never clicking on links from unsolicited emails.

2. Keep your operating system and other software patched and up to date:

Cybercriminals are constantly looking for holes and backdoors to exploit. By vigilantly updating your systems, you’ll minimize your exposure to known vulnerabilities.

3.Implement and Enhance Email Security

CrowdStrike recommends implementing an email security solution that conducts URL filtering and also attachment sandboxing. To streamline these efforts, an automated response capability can be used to allow for retroactive quarantining of delivered emails before the user interacts with them.

4. Continuously monitor your environment for malicious activity and IOAs:

Endpoint detection and response (EDR) acts like a surveillance camera across all endpoints, capturing raw events for automatic detection of malicious activity not identified by prevention methods and providing visibility for proactive threat hunting.

5. Integrate threat intelligence into your security strategy:

Monitor your systems in real time and keep up with the latest threat intelligence to detect an attack quickly, understand how best to respond, and prevent it from spreading.

6. Develop Ransomware-Proof Offline Backups

When developing a ransomware-proof backup infrastructure, the most important idea to consider is that threat actors have targeted online backups before deploying ransomware to the environment.

For these reasons, the only sure way of salvaging data during a ransomware attack is through ransomware-proof backups. For example, maintaining offline backups of your data allows for a quicker recovery in emergencies.

7. Implement a Robust Identity Protection Program

Organizations can improve their security posture by implementing a robust identity protection program to understand on-premises and cloud identity store hygiene (for example, Active Directory, Azure AD). Ascertain gaps, and analyze behavior and deviations for every workforce account (human users, privileged accounts, service accounts), detect lateral movement, and implement risk-based conditional access to detect and stop ransomware threats.

How to Respond to a Ransomware Attack

Once ransomware penetrates a device on your network, it can wreak havoc – causing disruption that grinds business operations to a halt. With company and client data, financial wellbeing and brand reputation at stake, knowing what to do if you get ransomware is critical.

If you do encounter ransomware, it’s important to:

1. Find the infected device(s): if ransomware penetrates your network, it’s important to identify and isolate any infected devices immediately – before the breach spreads to the rest of the network.

Firstly, look for any suspicious activity on the network, such as file renaming or file extensions changing. It’s likely that the system was breached by human error – for example, an employee clicking a suspicious link on a phishing email – so, employees can be a useful source of information. Ask if anyone has received or spotted any suspicious activity that may help pinpoint infected devices.

2. Stop ransomware in its tracks: the difference between a business-sinking infection and a minor network interruption can come down to reaction time. Businesses must swiftly cut or restrict network access to stop the spread from infected devices.

If possible, every device connected to the network – both on and off-site – should be disconnected. If necessary, disable any wireless connectivity, too – including Wi-Fi and Bluetooth – as this helps stop a ransomware infection from traversing the network, seizing, and encrypting crucial data.

3. Review the extent of the problem: it’s important to understand the extent of the damage caused by the breach to prepare an appropriate response.

Examine all devices connected to the network. Initial symptoms of ransomware encryption include file name changes and employees struggling to access files. Any devices displaying these signs should be noted – and immediately disconnected from the network – and may lead you to the gateway device where the infection first gained access to the network.

Build a list of infected devices and data centers. The business’ remediation process should include decryption of every compromised device, to stop the encryption process from restarting when you return to work.

4. Look to your backups: in a day and age where cybersecurity risks lurk around every corner, having backups of all your digital data – separated from the centralized network – is crucial to getting things up and running again quickly, and minimizing downtime, in the event of a breach.

Once all devices have been decrypted and fitted with antivirus software, it’s time to turn to your backup data to restore any compromised files.

However, before you do, run a quick check on any backup files. The increasing sophistication and resilience of modern ransomware means these files may also have been corrupted and rolling this data out to the network could simply put you back to step one.

5. Report the attack: while the immediate priority post-breach is to stop the spread and start the recovery phase, consideration must also be given to the wider consequences of the attack. Compromised data not only impacts the business but also its employees and clients.

As ransomware typically involves the threat of data leaks, any attack should be reported to the relevant authorities as soon as possible.

American data legislation doesn’t really exist on the federal level. However, a mix of individual states and some federal regulations issue strict fines to those data compliance regulations. If you suffer a data breach in California for example, you must report it to the CCPA, and any individual violation results in $7,500 fines per violation.

Ransomware and other forms of malware should also be reported to law enforcement authorities, who can help identify those responsible and prevent future attacks.

Ransomware Removal – What to do After a Ransomware Attack

If the worst happens and individual company devices or even your entire network is compromised by ransomware, there are a few recovery options available.

Common strategies for ransomware removal include:

  • Attempting to remove ransomware using software
  • Paying the ransom
  • Resetting infected devices to factory mode

It’s not recommended you pay the ransom. Cybercriminals cannot be trusted to decrypt and return access to the data, even after you’ve paid. And at worst, you may even be listed as a target for future malware attacks, if malicious actors know you’re likely to give in to their demands.

Plus, successful ransomware attacks only encourage more criminals to enter a potentially lucrative space, worsening the problem for everyone.

Instead, restrict network access to any compromised devices – and those displaying suspicious behavior – and aim to stop the further spread of the ransomware.

Tips for ransomware removal include:

  • Reboot to safe mode – depending on the type of ransomware, rebooting the device and restarting it in safe mode can halt the spread. Although some trojans like ‘REvil’ and ‘Snatch’ can operate during a safe-mode boot, this isn’t true of all ransomware and safe mode can buy you valuable time to install anti-malware software. However, it’s important to note that any encrypted files will remain encrypted even in safe mode and will need to be restored via data backup.
  • Install anti-ransomware software – once the infected device(s) have been identified and disconnected from the network, the ransomware needs to be removed using anti-malware software. If you attempt business as usual before the devices are fully decrypted, you risk a resurgence of the undetected malware, resulting in further spread and more compromised files.
  • Scan for ransomware programs – when you believe your devices are clear of any ransomware or other worms, make sure you scan the system – both by manually searching for any suspicious behaviour like file extension changes, and using next-generation firewalls. A thorough scan should reveal any hidden trojans that could wreak havoc again once you restore your computer.
  • Restore the computer – businesses should always keep backups of their files, isolated away from the network. This way, any encrypted files can be quickly restored from a safe source once the ransomware is removed, minimising downtime and disruption.
  • Report the attack to law enforcement – ransomware attackers are cybercriminals. Any attack needs to be documented and reported – it shouldn’t be something companies simply let slide once they’ve managed to restore their devices. Log screenshots or take pictures of any ransom notes and gather all available evidence – like emails or websites that could potentially be the source of the malicious malware – and report the breach as soon as possible. You can report ransomware to:

Ransomware Resources


Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.