What is ransomware protection?
Ransomware protection refers to the tools, technologies, and strategies used to prevent cybercriminals from delivering and executing malicious software that coerces businesses into paying a fee, usually in cryptocurrency, to regain access to their data, infrastructure, and network.
Cybercriminals have been using ransomware to threaten and extort businesses for profit for more than 30 years, but it became widespread around 2015. By June 2015, a single strain, CryptoWall, had accrued more than US$18 million in reported losses, according to the Federal Bureau of Investigation (FBI). Ransomware continues to dominate headlines worldwide, as legacy protection strategies haven't kept pace with cybercriminals' ever-evolving tactics.
Modern anti-ransomware tools are highly effective and easy to deploy. Adequate ransomware protection begins with adopting a modern security posture—one natively built in the cloud to protect users, applications, and sensitive data from these attacks.
To keep up with today’s threats and protect your network and infrastructure from these attacks, an effective anti-ransomware strategy must include principles and tools that:
- Use an AI-driven sandbox to quarantine and inspect suspicious content
- Inspect all SSL/TLS-encrypted traffic
- Implement always-on protection by following off-network connections
Pairing modern solutions with the emerging philosophy of preventing ransomware attacks before they happen is widely regarded as the most effective ransomware protection model in today's cybersecurity playbook. We'll take a closer look at this model shortly. First let's briefly cover ransomware in general.
How do ransomware attacks work?
Ransomware is most often introduced to a system like many other types of malware: when a user downloads a malware-laden email attachment, unknowingly interacts with a malicious link, or visits a compromised website. Once on a system, ransomware generally works by encrypting that system's important files or data, or locking the system altogether. Then, the attacker demands a payment—often in bitcoin or another cryptocurrency—in exchange for a key that will unlock the system or encrypted files. That's the basic idea. Several subtypes of ransomware exist that serve different purposes depending on the attacker's goals.
Types of ransomware
1) Crypto ransomware
Perhaps the best known type of ransomware, this variety encrypts a system's files and data, making them unusable without the attacker's decryption key. This and the locker subtype can be especially successful when targeting organizations that cannot afford downtime.
2) Locker ransomware
Lockerware is similar to crypto ransomware, but rather than encrypting files, it locks a user out of their entire system, usually showing the attacker's ransom demands on a "lock screen."
3) Leakware
Also called doxware, this variety targets individuals or organizations and threatens to publicly divulge sensitive data online, or sometimes sell it to a third party, if a ransom is not paid. Leakware is commonly delivered to enterprise networks through email phishing.
4) Scareware
Scareware preys on fear, uncertainty, and doubt by fraudulently claiming to have found a problem, such as malware, on a user's device, and then requesting payment to solve the fake problem.
5) Ransomware as a service
RaaS providers take payment from other cybercriminals (affiliates) in exchange for a license to use prebuilt ransomware, typically as a subscription fee, a share of each ransom, or both. The affiliate needs little technical skill, since the kit handles encryption, ransom-note delivery, and payment collection; the affiliate's job is mainly to get the payload onto a victim's systems.
Typical targets of ransomware attacks
Whatever the type, ransomware is so effective in part because it runs with the permissions of the user who launched it, so basic antivirus and user authentication alone do not stop it. Beyond that, certain types of organizations are more vulnerable to ransomware: those that can't risk downtime because of critical services or costs, those with significant stores of sensitive data, and those that can afford to pay. As a result, some of the sectors hardest hit by these attacks are healthcare, IT, education, and manufacturing.
Ransomware protection options
A whole range of different security solutions provide ransomware detection and remediation tools. Some of these are dedicated solutions that focus on a few specific capabilities, while others are part of broader threat protection suites.
Zscaler offers cloud native ransomware protection to secure organizations against ransomware in three key ways:
- AI-driven sandboxing to quarantine and inspect suspicious content
- Inspection of all SSL/TLS-encrypted traffic
- Always-on protection that follows off-network connections
Let's look at each of these areas in more detail.
Using AI-driven sandbox quarantine
Because today’s ransomware variants are tailored to their targets, effective mitigation measures need to thwart new strains and zero-day threats before they can cause harm. Outdated approaches to ransomware protection rely on out-of-band malware analysis that passes unknown files to the user at the same time they’re being analyzed. Such “passthrough” approaches send an alert if they find a malicious file, but by that time, the file will have already reached its target, creating a significant risk of infection.
With an AI-driven sandbox quarantine built on a cloud native proxy architecture, files can be quarantined and fully analyzed before delivery, virtually eliminating the risk of patient zero infections. In contrast to legacy passthrough approaches, suspicious or never-before-seen files covered by the quarantine policy are held for analysis and do not reach your environment until a verdict is returned.
A cloud native, AI-driven solution like Zscaler Cloud Sandbox delivers benefits beyond those of legacy anti-malware solutions, including:
- Complete control over quarantine actions with a granular policy defined by groups, users, and content type
- Real-time security verdicts on unknown files powered by machine learning and the Zscaler Zero Trust Exchange—the world’s largest security platform built for the cloud
- Fast, secure file downloads, with any files identified as malicious marked for quarantine
Essentially, Zscaler Cloud Sandbox prevents ransomware attacks by holding unrecognized files until they are analyzed, so that files found to be malicious never make it to your network in the first place.
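To make the difference between a "passthrough" scanner and an inline hold-for-verdict proxy concrete, here is an added Python model of the decision logic described in this section. It is an illustration written for this page, not Zscaler's code: the policy table (keyed by user group and content type, as the bullet list above describes), the verdict cache, the sample downloads and the sandbox stand-in (which simply looks for a constructed marker string) are all assumptions made up here. The point it shows is where patient-zero infections come from: an unknown file that is delivered while a copy is analyzed out of band, or an unknown file that the quarantine policy chooses not to hold.

```python
"""Inline 'hold for verdict' versus legacy passthrough scanning.

Added illustration, not Zscaler code. Policy, verdict cache, sample
downloads and the sandbox stand-in are all constructed here.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    BENIGN = "benign"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"


class Action(Enum):
    ALLOW = "allow"   # deliver the file to the user
    BLOCK = "block"   # never deliver it
    HOLD = "hold"     # quarantine until the sandbox returns a verdict


@dataclass(frozen=True)
class Download:
    user: str
    group: str
    content_type: str
    payload: bytes  # constructed sample bytes, not real malware

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()


@dataclass(frozen=True)
class Rule:
    """Quarantine rule keyed by user group and content type; '*' matches all."""
    group: str
    content_type: str
    hold_unknown: bool


# Hypothetical policy, first match wins: finance gets every unknown file held,
# everyone else gets unknown executables and spreadsheets held, and the
# catch-all passes other unknown types straight through (a deliberate gap).
POLICY = [
    Rule("finance", "*", True),
    Rule("*", "application/x-msdownload", True),
    Rule("*", "application/vnd.ms-excel", True),
    Rule("*", "*", False),
]


def _sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed verdict cache: hashes the cloud has already classified.
KNOWN_VERDICTS = {
    _sha(b"benign installer v1"): Verdict.BENIGN,
    _sha(b"known ransomware loader"): Verdict.MALICIOUS,
}


def match_rule(d: Download, policy: list) -> Rule:
    for r in policy:
        if r.group in ("*", d.group) and r.content_type in ("*", d.content_type):
            return r
    raise ValueError("policy needs a catch-all rule")


def sandbox_verdict(d: Download) -> Verdict:
    """Stand-in for detonation: a constructed marker decides the verdict."""
    return Verdict.MALICIOUS if b"ENCRYPT-ALL" in d.payload else Verdict.BENIGN


def decide(d: Download, policy: list, inline: bool, cache: dict) -> Action:
    """What the proxy does with the file before any sandbox run completes."""
    v = cache.get(d.sha256, Verdict.UNKNOWN)
    if v is Verdict.MALICIOUS:
        return Action.BLOCK
    if v is Verdict.BENIGN:
        return Action.ALLOW
    # Unknown: passthrough delivers now and analyses a copy out of band;
    # an inline proxy consults policy and may hold the file instead.
    if inline and match_rule(d, policy).hold_unknown:
        return Action.HOLD
    return Action.ALLOW


def process(d: Download, policy: list, inline: bool, cache: dict):
    """Return (final action, patient_zero) and record the sandbox verdict."""
    first = decide(d, policy, inline, cache)
    if first is Action.BLOCK:
        return Action.BLOCK, False
    if d.sha256 in cache:          # cached benign, nothing to analyse
        return Action.ALLOW, False
    verdict = sandbox_verdict(d)   # unknown file: detonate it
    cache[d.sha256] = verdict      # every later copy hits the cache
    if first is Action.HOLD:       # held: verdict arrives before delivery
        return (Action.BLOCK if verdict is Verdict.MALICIOUS else Action.ALLOW), False
    # Passthrough: already delivered. A malicious verdict now is only an
    # alert about a file the user already has, i.e. a patient-zero infection.
    return Action.ALLOW, verdict is Verdict.MALICIOUS


def run(downloads, policy, inline):
    """Process downloads in order; return final actions and patient-zero users."""
    cache = dict(KNOWN_VERDICTS)
    actions, patient_zero = [], []
    for d in downloads:
        action, infected = process(d, policy, inline, cache)
        actions.append(action)
        if infected:
            patient_zero.append(d.user)
    return actions, patient_zero


SAMPLE_DOWNLOADS = [  # constructed
    Download("alice", "engineering", "application/x-msdownload", b"benign installer v1"),
    Download("bob", "finance", "application/pdf", b"known ransomware loader"),
    Download("carol", "engineering", "application/x-msdownload", b"new build ENCRYPT-ALL"),
    Download("dave", "marketing", "image/png", b"cat picture"),
    Download("erin", "marketing", "application/zip", b"archive ENCRYPT-ALL"),
    Download("frank", "finance", "application/zip", b"archive ENCRYPT-ALL"),
]

if __name__ == "__main__":
    for inline in (False, True):
        actions, victims = run(SAMPLE_DOWNLOADS, POLICY, inline)
        mode = "inline hold" if inline else "passthrough"
        print(f"{mode:12s} actions={[a.value for a in actions]} patient_zero={victims}")
```

Run as a script, the passthrough pass reports two patient-zero users (carol and erin) while the inline pass reports only erin: carol's unknown executable is held and blocked, but erin's unknown archive falls through the catch-all rule and is delivered before its verdict comes back. Frank receives the same archive afterwards and is blocked in both modes because the hash is now cached. The lesson for a practitioner is that the "never reaches your environment" property holds only for the content types and groups the quarantine policy actually covers.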
Inspecting all encrypted traffic
Up to 90% of internet traffic is now encrypted. Attackers are taking advantage of this to hide their attacks, including ransomware. To reduce risk, comprehensive ransomware protection must inspect all encrypted traffic. That said, full SSL inspection can be challenging with legacy technologies. Decryption, inspection, and re-encryption of traffic is compute-intensive, and most appliances (such as next-generation firewalls) lack the processing power to avoid slowing performance to a crawl. Moreover, it doesn’t matter if it’s an appliance or VM in the cloud; either takes a performance hit when inspecting SSL traffic.
So, what can keep up with the demands of top-to-bottom SSL/TLS inspection?
A cloud native proxy architecture like Zscaler's lets organizations perform complete SSL inspection at scale without worrying about impacting performance or expanding the processing power of costly appliances. Using a global cloud distributed across more than 150 data centers on six continents, SSL traffic can be thoroughly inspected for hidden ransomware threats with no dips in performance—even if user bandwidth dramatically increases.
All of this combines to eliminate any security gaps caused by the difficulty of analyzing ransomware hidden in encrypted traffic.
Following off-network connections
Many organizations struggle with always-on security when it comes to ransomware. By today’s standards, always-on security means extending your corporate security policies to keep your network safe even as users drop off VPN, use personal devices, and connect via home or public Wi-Fi networks. Relying on legacy approaches tied to data centers and regional gateways means security policies cannot follow your users off-network. That, in turn, allows attackers to deliver ransomware to those they know are operating outside of your security controls.
Zscaler can deliver the first two aforementioned strategies—AI-driven sandbox quarantine and complete SSL inspection—to users regardless of their location or device. Every connection over any network gets identical protection to uncover and thwart both known and unknown threats, keeping your organization free from patient zero ransomware infections.
This approach to preventing ransomware starts with user connections being secured through the Zscaler Zero Trust Exchange. Off-net users simply add Zscaler Client Connector, our lightweight endpoint agent, to their laptops or mobile devices (with support for Android, iOS, macOS, and Windows operating systems) to enjoy the protection of the same security tools, policy enforcement, and access controls they would get in your headquarters.
Strengthen your ransomware protection strategy today
As research and headlines show, ransomware isn’t going anywhere. Zscaler has already helped thousands of customers prevent ransomware and countless other cyberattacks from reaching their networks with unparalleled scalability and superb user experiences.
Here are some further resources to consider as you refine your overall security strategy:
- What is Ransomware?
- Free threat exposure analysis tool
- Zscaler ransomware protection webinar
- Zscaler ransomware prevention white paper
- Zscaler inline sandboxing
- Zscaler SSL inspection
- Always-on protection