Ransomware Glossary: Understanding Key Terms
Ransomware is a type of malicious software, or malware, that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. It’s a prevalent and serious threat in the realm of cybersecurity, with far-reaching implications for individuals, businesses, and even governments. This glossary entry will delve into the intricacies of ransomware, what types of ransomware there are, how they works, the history, prevention methods, and much more.
A ransomware gang is a coordinated group that executes ransomware attacks, often functioning similarly to a business with organized structures like help desks and branding.
Early forms of ransomware, such as the Archiveus Trojan that emerged in 2006, used ransomware code to employ RSA encryption for file linking and encryption, marking a significant evolution in ransomware tactics.
Understanding ransomware is crucial in today’s digital age. With an increasing amount of sensitive information being stored online, the potential damage that can be caused by ransomware is immense.
What is ransomware?
Ransomware is a form of malware that encrypts a victim’s files. Crypto ransomware is a type of malware that locks up your important files, like documents and photos, by encrypting them. You can’t access them unless you pay a ransom to the attackers. Attackers often use countdown timers to pressure victims into compliance. The attacker then demands a ransom from the victim to restore access to the data upon payment. Users are shown instructions for how to pay a fee to get the decryption key. The ransom demands can range anywhere from a few hundred dollars to thousands, usually paid to cybercriminals in Bitcoin.
It’s important to note that paying the ransom does not guarantee that the users can eventually access the locked data. In many cases, users may not even get the decryption key after paying the ransom. Furthermore, by paying the ransom, the victims are encouraging the cybercriminals’ malicious activities.
Types of ransomware
Ransomware comes in three main types, each with different levels of severity: scareware, screen lockers, and encrypting ransomware. Scareware involves a strategy of intimidation, with victims receiving pop-up messages claiming that malware has been discovered on their computer, and they need to pay to remove it. However, there's usually no real threat.
Screen lockers, as the name suggests, lock the user out of their computer interface, displaying an official-looking page that claims illegal activity has been detected on the computer and payment is required to unlock it. Encrypting ransomware, the most dangerous type, involves sophisticated software that encrypts the victim's files, demanding payment in return for the key to unlock the data.
Locker Ransomware
Locker ransomware is a type of malicious software that locks a victim’s computer or mobile device, rendering it unusable until a ransom is paid. Unlike crypto ransomware, which encrypts files, locker ransomware prevents access to the entire device. Victims are typically presented with a screen locker or message demanding payment in exchange for a decryption key or unlock code.
This type of ransomware can spread through various means, including phishing attacks, infected software downloads, and exploited vulnerabilities. For instance, a phishing attack might trick a user into downloading an attachment that installs the ransomware, or an outdated software vulnerability might be exploited to gain access to the device.
Once a device is infected, the ransomware will display a message or screen locker, often mimicking official warnings or notifications to appear legitimate. The message will demand payment, usually in cryptocurrency, to restore access to the device. This can be particularly devastating for individuals and organizations that rely heavily on their devices for work or personal activities.
To protect against locker ransomware, it’s crucial to implement strong cybersecurity practices, such as keeping software up to date, being cautious with email attachments, and using reliable security software. Regularly backing up data can also mitigate the impact of an attack, allowing users to restore their systems without paying the ransom.
How Does ransomware work?
Ransomware can infect a computer in several ways, but one of the most common methods is through phishing spam. This involves attachments that come to the victim in an email, masquerading as a file they should trust. Once they’re downloaded and opened, they can take over the victim’s computer, especially if they have built-in social engineering tools that trick users into allowing administrative access. These types of attacks are part of a broader category of cyber threats that organizations must be vigilant against.
Another popular method is through exploit kits. These are tools used by cybercriminals to take advantage of software vulnerabilities. They scan for security holes in popular software such as Java, Adobe Reader, and Flash, and then use these holes to download and launch the ransomware. Advanced security solutions like Managed Detection and Response (MDR) and Endpoint Detection and Response (EDR) are designed to proactively seek out and mitigate these cyber threats, ensuring organizations can protect their critical data and manage incidents effectively.
The encryption process
Once the ransomware has been executed on a system, it starts encrypting files. It uses an encryption algorithm to scramble the data in the files, making them unreadable. The files can only be decrypted using a unique key, which is held by the attacker. The victim is then presented with a ransom note, explaining that their files have been encrypted and how much they need to pay to get them back.
A ransomware victim not only faces the immediate threat of losing access to their data but also the risk of double extortion, where attackers may threaten to expose sensitive information if additional ransom demands are not met.
The encryption process is usually very quick, often taking only a few minutes to encrypt all the files on the system. This is because the ransomware typically targets the most common types of files, such as documents, spreadsheets, and multimedia files, which are likely to hold valuable information.
Ransomware Attack Vectors
Ransomware attack vectors refer to the various methods that ransomware attackers use to infiltrate systems and deploy their malicious software. Understanding these vectors is crucial for implementing effective ransomware protection strategies.
One of the most common methods is through phishing attacks. In a phishing attack, cybercriminals send emails or messages that appear to be from legitimate sources but contain malicious links or attachments. When unsuspecting users click on these links or download the attachments, they inadvertently install ransomware on their systems.
Exploited vulnerabilities are another significant attack vector. Ransomware hackers often scan for weaknesses in software or hardware, such as outdated operating systems, applications, or firmware. Once they identify a vulnerability, they exploit it to gain access to the system and deploy the ransomware.
Infected software downloads also pose a significant risk. Cybercriminals can embed ransomware in pirated software or software downloaded from untrusted sources. When users install these infected programs, they unknowingly introduce ransomware into their systems.
Infected websites are another common vector. Attackers can compromise legitimate websites or create malicious sites that exploit vulnerabilities in visitors’ browsers or plugins. Simply visiting these sites can result in a ransomware infection.
Lastly, social engineering tactics are frequently used by ransomware attackers. These tactics involve tricking users into divulging sensitive information or performing actions that compromise their security. Phishing attacks, pretexting, and baiting are all examples of social engineering techniques that can lead to a full ransomware attack.
History of ransomware
Ransomware has been around in some form or another for over 30 years. The first known ransomware attack occurred in 1989 and was called the AIDS Trojan. The malware was spread through floppy disks that were mailed to AIDS research organizations and encrypted files after the system had been rebooted a certain number of times. However, this early form of ransomware was relatively easy to overcome.
It wasn’t until the mid-2000s, with the rise of anonymous payment systems like Bitcoin and improved encryption algorithms, that ransomware really started to become a major problem. The first modern ransomware, CryptoLocker, appeared in 2013 and was a game-changer. It used strong, unbreakable encryption and demanded payment in Bitcoin, making it almost impossible to recover the files without paying the ransom. Additionally, the rise of threat intelligence has become crucial in identifying and mitigating ransomware threats, enhancing detection and response capabilities.
Notable ransomware attacks
There have been several notable ransomware attacks over the years. The WannaCry ransomware attack in 2017 was one of the most widespread, affecting hundreds of thousands of computers in over 150 countries. The ransomware exploited a vulnerability in Microsoft’s Windows operating system, encrypting files and demanding a ransom in Bitcoin.
The NotPetya ransomware attack, also in 2017, initially targeted Ukraine but quickly spread worldwide. Unlike other ransomware attacks, NotPetya was designed to cause disruption rather than to extort money, as it encrypted files without any way of recovering them, even if the ransom was paid. This highlights the importance of securing and recovering backup data effectively during such incidents to mitigate the impact of the attack.
Ransomware protection
Preventing ransomware involves a combination of good cybersecurity practices and the right technology. One of the most effective ways to prevent ransomware is to regularly back up your data. Cybercriminals often target and compromise backup data to disable or delete existing backup solutions. Therefore, securing and recovering backup data effectively is crucial. This means that even if your files are encrypted by ransomware, you can restore them from a secure backup without having to pay the ransom.
Another crucial prevention method is to keep your software and operating system up to date. Many ransomware attacks exploit vulnerabilities in outdated software, so by keeping your software updated, you can reduce the risk of an attack. It’s also important to be wary of unsolicited emails with attachments or links, as these can often be phishing attempts.
Security software
Having the right security software can also help to prevent ransomware attacks. This includes antivirus software, which can detect and remove malware, and a firewall, which can block unauthorized access to your computer. There are also specific anti-ransomware tools available that can detect and block ransomware before it can encrypt your files. Incorporating threat intelligence into these solutions can enhance their effectiveness by identifying unusual patterns and alerting teams proactively.
However, it’s important to remember that no security software can provide 100% protection against ransomware. Cybercriminals are constantly developing new types of ransomware and finding new ways to bypass security measures. Therefore, a combination of good cybersecurity practices and the right technology is the best defense against ransomware.
Responding to a ransomware attack
If you become a ransomware victim, the first thing to do is to disconnect the infected device from the network to prevent the ransomware from spreading to other devices. Then, report the incident to your local law enforcement agency and notify your cybersecurity provider if you have one.
It’s generally advised not to pay the ransom, as this doesn’t guarantee that you’ll get your files back and it encourages the cybercriminals. Instead, if you have a recent backup of your files, you can restore them once the ransomware has been removed from your system. If you don’t have a backup, there are some tools available that can decrypt certain types of ransomware, although these are not always successful. Additionally, be aware of the threat of double extortion, where ransomware victims may face the risk of having sensitive information exposed if they do not comply with additional ransom demands.
Detecting Ransomware Attacks
Detecting ransomware attacks early can significantly mitigate their impact. There are several methods and tools available to help identify and respond to ransomware threats.
Monitoring system logs is a fundamental practice. System logs provide detailed records of system activity, including login attempts, file access, and network connections. By regularly reviewing these logs, administrators can spot unusual patterns or suspicious activities that may indicate a ransomware attack.
Using antivirus software is another essential measure. While antivirus programs can detect and remove many types of ransomware, they are not infallible. Ransomware attackers often use techniques like code obfuscation to evade detection. Therefore, it’s crucial to keep antivirus software updated and to use it in conjunction with other security measures.
Intrusion detection systems (IDS) are also valuable tools. An IDS monitors network traffic for suspicious activity and can alert administrators to potential ransomware attacks. This real-time monitoring can help stop an attack before it causes significant damage.
Conducting regular backups is a critical component of ransomware protection. By maintaining up-to-date backups of critical data, organizations can restore their systems to a pre-attack state without paying the ransom. It’s important to store backups offline or in a secure cloud environment to prevent them from being compromised during an attack.
Implementing a Security Information and Event Management (SIEM) system can further enhance detection capabilities. A SIEM system aggregates and analyzes security-related data from various sources, providing real-time insights and alerts. This comprehensive view helps administrators quickly identify and respond to ransomware threats.
Removing ransomware with a decryption key
Removing ransomware from your system can be a complex process, and it’s usually best to seek professional help. Some antivirus software can remove ransomware, but this often requires a certain level of technical knowledge. The complexity of ransomware code presents significant challenges in removal, making it difficult to ensure complete eradication. In some cases, it may be necessary to wipe your system and reinstall your operating system.
It’s important to remember that removing the ransomware doesn’t decrypt your files. The encryption used by ransomware is usually very strong and can’t be broken without the decryption key. Therefore, the best defense against ransomware is prevention, through good cybersecurity practices and regular backups of your data.
Ransomware is a serious threat in the digital world, with the potential to cause significant damage to individuals and organizations. Understanding what ransomware is, how it works, and how to prevent and respond to attacks is crucial in protecting your data and maintaining your digital security.
The key to defending against ransomware is a combination of good cybersecurity practices, such as regular backups and software updates, and the right technology, including antivirus software and firewalls. However, as cybercriminals continue to evolve their tactics, it’s important to stay informed about the latest threats and how to combat them.
The Future of Ransomware Attacks
As technology evolves, so do the tactics of ransomware attackers. The future of ransomware attacks is likely to see increased sophistication and new methods of exploitation.
One emerging trend is the use of artificial intelligence (AI). Ransomware hackers may leverage AI and machine learning algorithms to identify and target vulnerable systems more effectively. AI could also be used to create more convincing phishing attacks, making it harder for users to distinguish between legitimate and malicious communications.
The rise of cloud services presents another potential threat. Attackers may use cloud-based infrastructure to host ransomware command and control servers, making it easier to launch and manage attacks. Additionally, as more organizations move their data to the cloud, the potential impact of a ransomware attack on cloud services increases.
The proliferation of Internet of Things (IoT) devices also introduces new vulnerabilities. Many IoT devices have weak security measures, making them attractive targets for ransomware attackers. Compromised IoT devices could be used to gain access to larger networks or to launch attacks directly.
Social engineering tactics are expected to become even more sophisticated. Attackers will continue to refine their techniques to trick users into divulging sensitive information or performing actions that compromise their security. Phishing attacks, pretexting, and other social engineering methods will likely become more prevalent and harder to detect.
Finally, the concept of ransomware-as-a-service (RaaS) is gaining traction. RaaS allows cybercriminals to rent ransomware tools and infrastructure, lowering the barrier to entry for launching attacks. This model makes it easier for less technically skilled attackers to deploy ransomware, potentially leading to an increase in the number and frequency of attacks.
By staying informed about these emerging trends and continuously updating their security measures, individuals and organizations can better prepare for and defend against future ransomware threats.
This post has been updated on 17-11-2023 by Sofie Meyer.

About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.