What Does Ransomware Allow Hackers to Do?

Kurt Baker - December 5, 2022

What Does Ransomware Allow Hackers to Do?

In a ransomware attack, hackers use malware to encrypt, delete or manipulate data, intellectual property or personal information. This allows attackers to hold the information, device or system digitally hostage until the victim meets the cybercriminal’s ransom demands, which usually involve secure, untraceable payment.

Ransomware remains one of the most profitable tactics for cybercriminals, with increasing ransom demands often ranging from $1 million to $10 million USD. It is important to note that paying the hacker’s ransom demand is no guarantee that the system will be restored or that stolen data will not be shared or sold on the dark web.

Ransomware Hacker Techniques

Ransomware allows hackers to persuade victims to pay them money through two methods:

  1. Data Encryption
  2. Data Theft

1. Data Encryption

Ransomware attacks are centered on the hacker encrypting the victim’s files to leverage receiving a ransom payment to decrypt such files. The manner in which the files are encrypted varies by ransomware variant, but they typically enter a system and search through files of specific types. In order to recuperate files, the victim must pay ransom to retrieve a decryption key, which does not always work.

Many ransomware variants now have self-spreading capabilities, meaning they can penetrate other devices within the network exploiting their vulnerabilities.

2. Data Theft

Data encryption is no longer enough for the ransomware hacker to make a profit. Victims of ransomware attacks are instructed not to make ransom payments, report the attack to authorities, and accept their losses. This led hackers to incorporate data theft alongside data encryption.

Prior to encrypting the victim’s data, the hacker browses the infected device for valuable and confidential documents/data to send themselves a copy. Then, they use the stolen data as additional leverage to get ransom payment from the victim, which, depending on what the data is, can be detrimental to the victim’s business and/or customers.

Types of Ransomware and What They Do

As mentioned above, ransomware variants take many forms. Here we review some of the most common types of ransomware and the different ways they encrypt or steal data:

  1. Crypto ransomware or encryptors encrypt files and data within a system, making the content inaccessible without the decryption key.
  2. Lockers completely lock the user out of their system, rendering files and applications inaccessible. A lock screen displays the ransom demand.
  3. Scareware is fake software that claims to have detected a virus or other issue on the computer or mobile device and directs the user to pay to resolve the problem. Scareware can also lock a computer or flood the screen with pop-up alerts without actually damaging files.
  4. Doxware or leakware threatens to distribute sensitive personal or company information online, thus motivating victims to pay the ransom to prevent private data from falling into the wrong hands or entering the public domain. One variation is police-themed ransomware, wherein the cybercriminal masquerades as law enforcement and warns that illegal online activity has been detected and urges users to avoid jail time by paying a fine.
  5. RaaS (Ransomware as a Service) refers to malware hosted anonymously by a “professional” hacker who handles all aspects of the attack, from distributing ransomware to collecting payment and restoring access.
  6. Fileless Attacks or fileless ransomware are attacks in which the initial tactic does not result in an executable file written to the disk. Fileless ransomware uses pre-installed operating system tools, such as PowerShell or WMI, to allow the hacker to perform tasks without requiring a malicious executable file to be run on the compromised system.

Learn More

Fileless ransomware is a popular technique because fileless attacks are able to bypass most legacy AV solutions. For a detailed explanation of how fileless ransomware works:How Fileless Ransomware Works Infographic

How to Protect Against A Ransomware Attack

Once ransomware encryption has taken place, it’s often too late to recover that data. That’s why the best ransomware defense relies on proactive prevention.

Ransomware is constantly evolving, making protection a challenge for many organizations. Follow these best practices to help keep your operations secure:

  1. Train all employees on cybersecurity best practices
  2. Keep your operating system and other software patched and up to date
  3. Implement and enhance email security
  4. Continuously monitor your environment for malicious activity and IOAs
  5. Integrate threat intelligence into your security strategy
  6. Develop ransomware-proof offline backups
  7. Implement an identity and access management (IAM) program

Preventing Ransomware Attacks with CrowdStrike

CrowdStrike Falcon® offers protection against ransomware. This feature becomes increasingly valuable as the popularity of ransomware continues to rise. Our approach with this feature is to actually stop ransomware from infecting a system and encrypting its files. We believe a prevention approach is absolutely necessary because decryption is often impossible, and because nobody wants to pay the ransom or restore from backups.

CrowdStrike uses its endpoint sensor to detect ransomware behaviors and then terminates the offending process before it can accomplish its goal of encrypting files. This is done using CrowdStrike indicator of attack (IOA) patterns on the endpoint. These work both online and offline, and are effective against new variants and polymorphic variants of ransomware that often bypass legacy antivirus signatures.

Learn More

For more information about how CrowdStrike helps prevent ransomware attacks, please review our related blog:How to Prevent Ransomware with CrowdStrike Falcon® Endpoint Protection


Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.