Blog/Infosec 101/

Ransomware explained: How it works and what to do about it

Elisa Armstrong

Elisa Armstrong


Aug 26, 2020


4 min read

Can you imagine having to pay someone for your own files? It may be difficult to believe, but computers get hijacked thousands of times per day. Their owners will all see a message that goes something like this:

"Oops, your data has been encrypted. Pay $3,000 in Bitcoin to get your data back."

Some feel confused, while others start panicking. But they all eventually realize what happened. Hackers are holding their data hostage, and unless the victims pay a ransom, they will never see their data again.

It’s estimated that hackers will extort over $5B in ransomware in 2020. As long as their crime continues to pay, they won't slow down. So what should you do to prevent becoming a ransomware victim? Read on to find out.

What is ransomware?

Ransomware is a malicious program that encrypts data on the victim's computer and sends a demand for ransom in return for a decryption key. Some ransomware can also threaten to publish the data online if the victim does not meet the demand.

What makes matters worse is that it’s not always the user who is responsible for getting the infection. Some ransomware exploits system vulnerabilities and spreads on its own. As you’ll see in the examples later, anyone could become a victim — individuals, corporations, institutions, and even cities.

How does ransomware work?

The fight against computer viruses never ends. When ransomware becomes public, researchers try to reverse-engineer it and get a decryption key. As soon as they do, criminals change the software code, and researchers have to go at it again.

Despite constant alterations, most ransomware operates in a similar way. Here’s how it unfolds:

Step 1. Infiltration

Hackers spread the ransomware. In around 90% of cases, the virus is sent via email. It can be a blanket attempt to infect as many people as possible or a targeted attack against someone in a company.

Step 2. Analysis

The very first ransomware didn’t start encryption immediately, but analyzed the data first: it counted computer boot-ups and only after the 90th time would it encrypt files on the computer. The malware would then display a ransom note, asking for $189 to be paid by post (yes, it was that long ago).

Today, hackers don't wait so long, and the encryption process often starts as soon as the ransomware gets on the computer. Except when it’s a targeted attack — in such cases, the hackers will first analyze the data they’ve just captured. To this end, ransomware will begin by scanning the network, looking for backups, or trying to find files with a specific file extension.

Step 3. Execute

If that didn't happen immediately, ransomware will eventually start encrypting your data. This often happens within seconds after contracting the infection, and much faster than you could imagine. To give you some context, it can encrypt 100 GB of data in under one minute.

Step 4. Notifying the user

Lastly, the criminals will alert the user. The message often includes a calm explanation of what happened, instructions on how to pay, and a timer. They may also warn you not to use antivirus software or delete the ransomware file because doing so would destroy the data. While most ransomware messages attempt to explain the situation calmly, some are bordering on disturbing:

"I want to play a game with you. Your personal files are being deleted. Every hour, I select some of them to delete permanently. “If you turn off your computer or try to close me, when I start next time, you will get 1,000 files DELETED as a punishment."

Fake ransomware

We all get distracted. Remember that time you tried to make a phone call from a TV remote? Some criminals bank on your inattention, thinking it will be enough to get paid.

Instead of actually encrypting your system, they might just say that they did, hoping you never check. So if you ever find a ransom message on your computer, don't panic — that's exactly what criminals want you to do.

Ransomware examples

Ransomware is not a new type of malware, but such attacks have been exploding recently, leaving no one safe. The demands may range from a couple of hundred dollars for individuals to a few thousand for small companies. But they exceed millions of dollars when the catch is big enough.

Ransomware requires user action, often a click on an email attachment. But some, like the infamous WannaCry and NotPetya viruses, acquire administrator rights by exploiting a Windows weakness, spread through the network, and infect every connected device. The first NotPetya attacks in 2017 took a lot of businesses by surprise. For example, it cost Maersk, a logistics giant, $300 million. Their ex-cybersecurity team member Gavin Ashton tells this remarkable story on his website.

But here’s what’s important to understand. While hackers may prefer big billion-dollar companies, Maersk was not targeted. The malware just happened to find them. Ransomware doesn’t pick and choose. Here are some more ransomware examples to illustrate the point:

  • An attack on educational institutions in September of 2019 infected data of 500 schools.
  • Health institutions sustain attacks every day. In fact, the hospitals have seen an increase in cyberattacks recently because they’re already under stress due to COVID-19.
  • Some ransomware, like Ryuk, is designed to carry out attacks against companies. On numerous occasions, enterprises paid over $1 million to get their money back.
  • Cities have become an increasing target for ransomware. Atlanta, Baltimore, Knoxville, and New Orleans are just a few that have suffered ransomware attacks.

How can you prevent ransomware?

You can't fully protect yourself from ransomware, but that doesn't mean you should allow hackers to just walk in. Basic cyber hygiene habits are a good start:

  1. Be wary of any emails from unknown sources, especially if the message contains gift cards or threats of any kind.
  2. Even when you know the sender, double-check before opening any attachments.
  3. Perform manual backups of your systems.
  4. Use strong passwords (a password manager can help with that). If your passwords are weak, hackers can break into your accounts and use them to spread malware.
  5. Manage your accounts better. Lots of data breaches start with a company account (like an ex-employee whose privileges haven’t been revoked) and move though the network until attackers hijack an administrator’s account. Check out our article about privilege escalation to learn more.
  6. Prepare for the worst and plan your response.
  7. If something does happen, don’t act spontaneously. Weigh your options: check whether ransomware has actually been installed, evaluate what data could be recovered via backups, and check for a free decryptor.

Protection from ransomware is much stronger when we act together. Share this article with your coworkers and friends by clicking on the social buttons below.

Elisa Armstrong

Elisa Armstrong

Verified author

Elisa’s all about languages. She speaks five, loves stand-up comedy, and is writing her first novel. Besides her extensive knowledge of cybersecurity, she’s an expert in persuasion techniques hackers use and strives to teach people how to avoid online scams.