Resources > Security Terms Glossary > What is Zero Trust

What are Ransomware Attacks?

What are ransomware attacks?

Ransomware attacks occur when a type of malicious software (malware), known as ransomware, is installed onto a user’s device or within a network. 

That leads us to the next question: What is ransomware? Ransomware is a type of malware that “locks” a system or encrypts files, so that its data becomes inaccessible, then holds it for ransom until the victim pays a specific amount of money, usually in cryptocurrency. Once the ransom is paid, the victim is supposed to receive a decryption key to regain access to files and systems.

The evolution of ransomware attacks

While ransomware seems to be the malicious tool of choice among cybercriminals today, it has been around in various forms for decades.

The first known ransomware was introduced in 1989 by Dr. Joseph Popp. He mailed floppy discs titled AIDS Information Introductory Diskette to attendees of the World Health Organization AIDS conference in Stockholm. But the disk contained malicious code that installed itself onto MS-DOS systems and began counting the number of times users started up their machines. 

On the 90th time, Dr. Popp’s trojan hid all the directories and encrypted all the files on the drive, making it unusable. Victims then saw a note claiming to be from PC Cyborg Corporation, which said that the owner’s software lease had expired and, to regain system access, the owner had to send $189 to an address in Panama.

In the next wave of ransomware-style attacks came scareware. Users would receive a warning about a catastrophic error on their computer, then a command to pay for and download software to clean or fix their device. Of course, the software was merely more malware designed to steal information from the computer.

As the popularity of file sharing grew, another common form of ransomware developed, dubbed the Police Locker attack. Often hidden on peer-to-peer download sites or websites hosting pirated or adult material, this attack would change the user's desktop to display a note claiming that law enforcement had locked the computer due to suspected illegal activity. Fear led many victims to pay a few hundred dollars to have their computers unlocked. However, in many of these attacks, the locker could have been removed by simply restarting the system.

One this is for sure, ransomware won’t go away as long as the hackers keep making money using it.

Avivah Litan, Distinguished VP Analyst, Gartner

Consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network.

Cybersecurity and Infrastructure Security Agency

Ransomware and cryptocurrency

Ransomware attacks continued to evolve, beginning to encrypt data to make it more difficult for victims to get it back without paying. Even so, ransom demands were typically a few hundred dollars, as the targets were still mostly home users in the beginning. And since victims paid the ransom with standard currency, the criminal faced a much greater chance of being identified.

That all changed with the rise of cryptocurrency, such as Bitcoin. Criminals perpetrating ransomware attacks began demanding their ransoms in cryptocurrency—a digital currency that is based on anonymity and encryption. These transactions are nearly impossible to trace, shielding attackers from detection.

The ransomware attack chain

So, what happens during a typical ransomware attack?

The first phase of a ransomware attack is the delivery, usually by a phishing email designed to entice the user to open it. It often appears to be from a trusted source, such as a well-known brand—UPS, banks, and large retailers are commonly “spoofed” in phishing emails with messages about a delay in delivery, order status, low balance, and so on. Though the email is designed to look like it came from a familiar sender, it actually includes a malicious file, such as a PDF file or a link to a document on Google Drive. The malicious file contains the malware loader, which, if the file is opened, drops the malicious content onto the victim’s system and sets up the attack. 

The next phase is known as exploitation, which is the attacker’s way of spreading once the malware has been successfully loaded. If the infected device is on a network, the malware identifies the domain controller with which the device is communicating. Once identified, the malware begins to steal credentials to allow it to move throughout the network. With these stolen credentials, the malware can start infecting other devices on the network.

The next phase is the callback, in which the malware payload attempts to communicate with its command-and-control (C&C) servers, where it sends stolen data and receives instructions about what to do next. 

The final phase is known as detonation. Here, the malware can steal data and install the ransomware which encrypts and locks the system or data so an individual or company can’t access it. The victim typically has a limited amount of time to pay the ransom before the data is lost forever, and the ransom demands sometimes increase in the hours before the payment is due. If the ransom is paid, victims are supposed to get the decryption key, but they don’t always get the key and even when they do it doesn’t always work. In recent attacks, the criminals steal the data before encrypting it and threaten to expose it. This way, even if victims have good backups, they are more likely to pay the ransom.

In some recent cases of ransomware attacks, the victim organizations have paid huge amounts to the attackers, which can be one of the reasons these attacks are getting more popular.

Paul Webber, Senior Director Analyst, Gartner

Paying ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised

Cybersecurity and Infrastructure Security Agency

Ransomware as a service

The popularity and success of ransomware attacks have led to the rise of ransomware as a service. Similar to other types of legal software-as-a-service offerings, ransomware as a service is offered on a subscription basis, providing a platform that gives anyone, including those without programming skills, the ability to launch an attack and hold computer files, information, or systems hostage. If an attack is successful, the ransom money is divided between the service provider, the coder, and the subscriber. These ransomware-as-a-service tools are often inexpensive and readily available on the dark web.


Ransomware attack families

Among the myriad ransomware families available in the wild, some of the most common and well known are:

  • WannaCry is an aggressive ransomware campaign that went viral on May 12, 2017, impacting more than 300,000 systems (and counting) worldwide.
  • Ryuk had a disturbingly successful debut, being used to hit at least three organizations in its first two months of activity for more than $640,000 in ransom.
  • CryptoLocker utilized a trojan that targeted computers running Microsoft Windows from September 2013 to May 2014. Though largely neutralized now, CryptoLocker’s success gave rise to a slew of copycats, most notably CryptoWall.
  • Maze was first found in May 2019 and used in a ransomware attack on Cognizant, which caused service disruptions for some of its clients.
  • Petya and its variants were first seen in March 2016, which propagated via infected email attachments. In June 2017, a new variant of Petya (dubbed NotPetya) was used for a global cyberattack, primarily targeting Ukraine.
  • Locky has been active since early 2016 and is delivered using spam emails. Locky activity increased in December 2017 with the resumption of spam activity by the Necurs botnet, which delivered up to 47 million spam emails per day over the holiday period.
  • Cerber has been frequently developed and distributed since its inception in February 2016, with at least six different versions developed.
  • DMA Locker, first detected in January 2016, differs from traditional ransomware variants as it does not add a file extension to encrypted files but instead adds an identifier to the file header.
  • SamSam has been active since at least December 2015 and was used in targeted attacks against high-profile victims and large organizations in the United States, Europe, and Asia.  

So, how safe are you against ransomware attacks? Run a free Internet Threat Exposure Analysis to find out.

Learn how ransomware attacks are being hidden inside encrypted traffic.

Download the report
Learn how ransomware attacks are being hidden inside encrypted traffic.

See 2020 ransomware trends and how to avoid becoming a victim

View the Infographic
See 2020 ransomware trends and how to avoid becoming a victim.

Discover the three secrets to stopping ransomware attacks cold

Watch the Webinar
Join Us Live: Three Secrets to Stopping Ransomware Cold