What Is Ransomware?

Kurt Baker - January 7, 2021

Ransomware Definition

Ransomware is a type of malware that denies access to your system and personal information, and demands a payment (ransom) to get your access back.

Payment may be required through cryptocurrency, credit card or untraceable gift cards — and paying doesn’t ensure that you regain access. Even worse, victims who do pay are frequently targeted again. And just one infection can spread ransomware throughout an entire organization, crippling operations. It’s maddening, panic-inducing — and effective.


How Does Ransomware Spread?

There are several ways ransomware can get into your computer or system. One of the most common is via email phishing and spam — messages that include either a malicious attachment or a link to a malicious or compromised website. Once an unsuspecting user opens the attachment or clicks the link, the ransomware can infect the victim’s computer and spread throughout the network.

Another route is using an exploit kit to take advantage of a security hole in a system or program, like the infamous WannaCry worm that infected hundreds of thousands of systems worldwide using a Microsoft exploit. It can also take the form of a fake software update, prompting users to enable admin capabilities and install malicious code.

How Does Ransomware Work?

Figure: Ransom letter from attackers demanding payment in bitcoin

Once the system is infected, ransomware allows hackers to either block access to the hard drive or encrypt some or all of the files on the computer. You may be able to remove the malware and restore your system to a previous state, but your files will remain encrypted because they’ve already been made unreadable, and decryption is mathematically impossible without the attacker’s key.

The ransom itself is set at a level that’s low enough to be payable, but high enough to make it worthwhile for the attacker, prompting companies to do a cost-benefit analysis of how much they’re willing to pay to unlock their systems and resume daily operations. Cyber criminals may also target certain organizations or industries to exploit their specific vulnerabilities and maximize the chances of a ransom being paid.


What Are the Different Types of Ransomware?

Ransomware takes many forms, but they all have one thing in common — they demand a ransom in exchange for restored access to your system or files. It’s also important to remember that you’re dealing with criminals, and they don’t always follow through with their end of the “deal.” Ransomware attacks are designed to prey on people’s desperation and fear in order to convince victims to pay.

Figure: WannaCry ransom message demanding $600 in bitcoin

Here are the most common types:

1. Crypto malware, or encryptors, is one of the best-known and most damaging variants. This type encrypts the files and data within a system, making the content inaccessible without a decryption key.

2. Lockers completely lock you out of your system, so your files and applications are inaccessible. A lock screen displays the ransom demand, possibly with a countdown clock to increase urgency and drive victims to act.

3. Scareware is fake software that claims to have detected a virus or other issue on your computer and directs you to pay to resolve the problem. Some types of scareware lock the computer, while others simply flood the screen with pop-up alerts without actually damaging files.

4. Doxware or leakware threatens to distribute sensitive personal or company information online, and many people panic and pay the ransom to prevent private data from falling into the wrong hands or entering the public domain. One variation is police-themed ransomware, which claims to be law enforcement and warns that illegal online activity has been detected, but jail time can be avoided by paying a fine.

5. RaaS (Ransomware as a Service) refers to malware hosted anonymously by a “professional” hacker that handles all aspects of the attack, from distributing ransomware to collecting payments and restoring access, in return for a cut of the loot.

Ransomware Examples

Below are just a few examples of some infamous ransomware detected over the last few years:

  • BitPaymer
  • Dharma
  • DoppelPaymer
  • GandCrab
  • Maze
  • MeduzaLocker
  • NetWalker
  • NotPetya
  • REvil
  • Ryuk
  • SamSam
  • WannaCry


Who Does Ransomware Target?

Organizations of all sizes can be the target of ransomware. Although big game hunting is on the rise, ransomware is frequently aimed at small and medium-sized organizations, including state and local governments, which are often more vulnerable to attacks.

Small businesses are targeted for a number of reasons, from money and intellectual property (IP) to customer data and access. In fact, access may be a primary driver because an SMB can be used as a vector to attack a larger parent organization or the supply chain of a larger target.

The success of ransomware attacks on small businesses can be attributed to the unique challenges associated with smaller size and also the more ubiquitous challenges faced by organizations of any size: the human element. While a work-issued computer is common and even expected in larger organizations, smaller organizations do not always provide work computers and instead can rely on employees using their personal devices.

These devices are used both for work-related purposes, including accessing and storing privileged documents and information, along with personal activities such as browsing and searching. These dual-purpose machines contain high volumes of both business and personal information, including credit card information, email accounts, social media platforms, and personal photos and content.

Universities, for example, often have smaller security teams and a large user base that engages in a lot of file sharing, so defenses are more easily penetrated. Medical organizations may also be targeted because they often need immediate access to their data and lives may be at stake, leading them to pay right away. And financial institutions and law firms may be more likely to pay the ransom because of the sensitivity of their data—and to pay it quietly to avoid negative publicity.

Targeted Industries During COVID-19

The global pandemic has caused ransomware actors to prey on certain industries. One of their main targets is healthcare organizations. Data from the 2021 CrowdStrike Global Threat Report shows that over 100 healthcare organizations have already been targeted by Big Game Hunters during COVID-19.

This comes after Big Game Hunters such as TWISTED SPIDER claimed they would refrain from infecting medical organizations until the pandemic had stabilized. As it turns out, TWISTED SPIDER was responsible for at least 26 successful healthcare ransomware infections with their Maze and Egregor families.

Another interesting trend is the increasing number of attacks that use data extortion tactics, as summarized in CrowdStrike’s Ransomware During 2020 Infographic. According to the 2021 CrowdStrike Global Threat Report, CrowdStrike Intelligence services detected 1,430 attacks that used data extortion. These attacks are broken down by industry below:

Figure: Bubble chart of ransomware data extortion incidents by industry

Industrials & engineering was the industry most attacked with data extortion tactics in 2020 (229 incidents). It was closely followed by manufacturing (228 incidents), technology (145 incidents), retail (142 incidents), and healthcare (97 incidents).

Targeted Countries During COVID-19

Survey data from the 2020 CrowdStrike Global Security Attitude Survey reveals that the following countries were the most impacted by all types of ransomware attacks during 2020:

Table: Countries most impacted by ransomware during COVID-19

India had the most respondents reporting at least one ransomware attack in 2020 (74%). It was closely followed by Australia (67%), France (60%), Germany (59%), and the U.S. (58%).

In terms of data extortion, there is a clear bias towards North America. According to CrowdStrike Intelligence and the 2021 CrowdStrike Global Threat Report, 947 incidents were identified there, 117% more than second-place Europe (342 incidents).

Figure: Global map of the distribution of ransomware attacks that used data extortion in 2020

Similar trends are expected in 2021; in fact, 72% of the cybersecurity experts recently surveyed in the 2020 CrowdStrike Global Attitudes Survey said they are more worried about ransomware attacks as a result of COVID-19.

Should You Pay the Ransom?

The FBI does not support paying a ransom in response to a ransomware attack. They argue that paying a ransom not only encourages the business model, but it may also go into the pockets of terror organizations, money launderers, and rogue nation-states. Moreover, while few organizations publicly admit to paying ransoms, adversaries will publicize that information on the dark web, making it common knowledge for other adversaries looking for a new target.

Paying the ransom doesn’t result in a faster recovery or a guaranteed recovery. There may be multiple decryption keys, there may be a bad decryption utility, the decryptor may be incompatible with the victim’s operating system, there may be double decryption and the decryption key only works on one layer, and some data may be corrupted. Less than half of ransomware victims are able to successfully restore their systems.

How to Prevent Ransomware

Once ransomware encryption has taken place, it’s often too late to recover that data. That’s why the best defense relies on proactive prevention. Robust backup is, of course, a foundational best practice to prepare in case of an attack, but newer malware variants can also delete or damage backups.


Ransomware is constantly evolving, making protection a challenge for many organizations. Follow these best practices to help keep your operations secure:

1. Train all employees on cybersecurity best practices:

Your employees are on the front line of your security. Make sure they follow good hygiene practices — such as using strong password protection, connecting only to secure Wi-Fi and being on constant lookout for phishing — on all of their devices.

2. Keep your operating system and other software patched and up to date:

Hackers are constantly looking for holes and backdoors to exploit. By vigilantly updating your systems, you’ll minimize your exposure to known vulnerabilities.

3. Use software that can prevent unknown threats:

While traditional antivirus solutions may prevent known ransomware, they fail at detecting unknown malware threats. The CrowdStrike Falcon® platform provides next-gen antivirus (NGAV) against known and unknown malware using AI-powered machine learning. Rather than attempting to detect known malware iterations, Falcon looks for indicators of attack (IOAs) to stop ransomware before it can execute and inflict damage.

4. Continuously monitor your environment for malicious activity and IOAs:

CrowdStrike® Falcon Insight™ endpoint detection and response (EDR) acts like a surveillance camera across all endpoints, capturing raw events for automatic detection of malicious activity not identified by prevention methods and providing visibility for proactive threat hunting.

For stealthy, hidden attacks that may not immediately trigger automated alerts, CrowdStrike offers Falcon OverWatch™ managed threat hunting, which comprises an elite team of experienced hunters who proactively search for threats on your behalf 24/7.
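To make the contrast in points 3 and 4 concrete (signature matching on known samples versus behaviour-based indicators over raw endpoint events), here is an added toy detector; it is not CrowdStrike Falcon code, and the event format, process names, placeholder hashes, thresholds and note-file heuristic are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed endpoint telemetry: (seconds, process, sha256, action, path).
# Process names and hashes are made-up placeholders, not real indicators.
# backup.exe copies files without renaming; svc.exe behaves like an encryptor.
EVENTS = [
    (0.0, "backup.exe", "aaa0", "read",   "D:/share/q1.xlsx"),
    (0.1, "backup.exe", "aaa0", "write",  "E:/bak/q1.xlsx"),
    (0.2, "backup.exe", "aaa0", "read",   "D:/share/q2.docx"),
    (0.3, "backup.exe", "aaa0", "write",  "E:/bak/q2.docx"),
    (5.0, "svc.exe",    "bbb1", "rename", "D:/share/q1.xlsx|D:/share/q1.xlsx.locked"),
    (5.1, "svc.exe",    "bbb1", "rename", "D:/share/q2.docx|D:/share/q2.docx.locked"),
    (5.2, "svc.exe",    "bbb1", "rename", "D:/share/q3.pdf|D:/share/q3.pdf.locked"),
    (5.3, "svc.exe",    "bbb1", "rename", "D:/share/q4.txt|D:/share/q4.txt.locked"),
    (5.4, "svc.exe",    "bbb1", "write",  "D:/share/HOW_TO_DECRYPT.txt"),
]

# Signature list of previously seen samples; the binary above is new to it.
KNOWN_BAD_HASHES = {"ccc2"}


def signature_hits(events, bad=KNOWN_BAD_HASHES):
    """Classic AV view: flag only processes whose hash is already known."""
    return sorted({proc for _, proc, h, _, _ in events if h in bad})


def ioa_hits(events, min_renames=4, window=10.0):
    """IOA view: flag a process that renames at least `min_renames` files to
    one new extension within `window` seconds. Writing a file whose name
    mentions decryption is recorded as a corroborating indicator."""
    renames = defaultdict(list)   # process -> [(time, new extension)]
    notes = defaultdict(list)     # process -> [note-like paths]
    for t, proc, _, action, path in events:
        if action == "rename":
            new_name = path.split("|")[1]
            renames[proc].append((t, new_name.rsplit(".", 1)[-1].lower()))
        elif action == "write" and "DECRYPT" in path.rsplit("/", 1)[-1].upper():
            notes[proc].append(path)
    hits = {}
    for proc, items in renames.items():
        items.sort()
        for i in range(len(items)):
            start = items[i][0]
            burst = [ext for t, ext in items[i:] if t - start <= window]
            if len(burst) >= min_renames and len(set(burst)) == 1:
                hits[proc] = {"extension": burst[0], "renames": len(burst),
                              "ransom_note": bool(notes[proc])}
                break
    return hits
```

The backup job touches as many files as the encryptor but never changes extensions, so it stays below the behavioural threshold while the unknown binary is caught without any prior signature.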

5. Integrate threat intelligence into your security strategy:

Monitor your systems in real time and keep up with the latest threat intelligence to detect an attack quickly, understand how best to respond, and prevent it from spreading. CrowdStrike Falcon X automates threat analysis and incident investigation to examine all threats and proactively deploy countermeasures within minutes.

What’s the Next Step?

CrowdStrike is a leader in next-generation endpoint security, threat intelligence and incident response. CrowdStrike’s core technology, the CrowdStrike Falcon platform, stops breaches by preventing and responding to all attack types.


Get to Know the Author

Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.