Rise in Ransomware

Apr 10, 2022

In this article, we are going to learn about Ransomware.

Table of Contents

What is Malware?

Types of Malware

What is Ransomware?

Types of Ransomware

How does Ransomware Work?

Ransomware Detection

Ransomware Protection

What is Malware?

Malware is software that carries a payload capable of exploiting a vulnerability in a system and performing actions on that system. Malware is hostile, invasive, and malicious software that aims to infiltrate, damage, or destroy computers, computer systems, networks, and portable devices, frequently by gaining partial control over the device's functions.

Types of Malware

Virus:

A virus is self-replicating software that copies itself using host files or code. Most viruses infect files so that every time the host file is executed, the virus is executed as well. A virus can infect program files, boot sectors, hard-drive partitions, data files, memory, macro routines, and scripting files.

Worm:

A computer worm uses its own code to replicate, although it may rely on the presence of other related code to do so. The defining feature of a worm is that it does not directly modify other host code in order to replicate. The Bugbear worm was released in 2003, arriving as a file attachment in a bogus email.

Trojan:

A Trojan is a piece of software that is often sent by email or pushed to users when they visit an infected website. The Trojan must be executed by the target, and it often provides the attacker with remote access.

Scareware:

Scareware is malware that uses social engineering to convince people that their machine is infected with a fictitious threat and then offers fake, harmful software as the solution. Victims end up purchasing worthless software, downloading other kinds of malware, or visiting websites that automatically download and install harmful software on their devices.

What is Ransomware?

Ransomware is malware that encrypts system data and holds it hostage in exchange for cryptocurrency or another form of payment. Most of the time, you are unaware that your computer has been infected. You usually find out when you can no longer access your data, or when you see messages on the computer informing you of the attack and demanding a ransom.

Since the Covid-19 pandemic, most staff have been working online, and ransomware attacks have increased steadily over that period. According to the FBI's 2020 Cyber Crime Report, there were over 2400 ransomware-related incidents in 2020, leading to losses of approximately 29 million dollars. These figures are only getting worse, and they do not include damage from incidents that were not reported to the FBI.

Types of Ransomware

CryptoLocker:

The CryptoLocker botnet is one of the oldest cyberattacks of this kind, with roots dating back more than two decades. It was created in 2013, when attackers used the original ransomware approach. CryptoLocker is considered the most dangerous type of ransomware because it employs several different encryption methods.

WannaCry:

WannaCry is the most well-known ransomware in the world. It affected roughly a thousand organizations in over 100 countries. It exploits a vulnerability and uses a self-propagation method to infect additional computers. It has caused significant harm to computers worldwide.

Petya and NotPetya:

Petya is ransomware that infects a machine and encrypts the entire hard drive. As a result, the whole drive becomes inaccessible even though the individual files on the drive are not encrypted. It was first seen in 2016 and spread mainly through a fake job application: a message linking to an infected file stored in Dropbox.

It requires the user to agree and grant permission to make admin-level changes. As soon as the user grants access, it reboots the system, a fake crash screen appears, and it begins encrypting the data on the disk behind the scenes.

NotPetya has a spreading method that can propagate without human assistance. It initially spread through a backdoor in software widely used in Ukraine, and later used EternalBlue and EternalRomance, vulnerabilities in the Windows SMB protocol. It encrypts not only the MFT (Master File Table) but also other files on the hard drive. While encrypting the data, it damages it in such a way that the data cannot be recovered.

GoldenEye:

The GoldenEye ransomware is similar to the Petya ransomware. It spreads through extensive social engineering aimed at human resources departments. When a user downloads a file infected with GoldenEye ransomware, a macro is launched that encrypts the files on the victim's computer.

GoldenEye is a hybrid of the Petya and MISCHA ransomware families. Like Petya and MISCHA, GoldenEye is distributed by spam email. The email contains a bogus job application with text in German and two file attachments: the first is a bogus CV, and the second is a malicious MS Excel file.

Ryuk:

Ryuk infects machines through phishing emails and drive-by downloads. It uses a dropper that extracts a trojan onto the victim's machine and creates a persistent network connection. This trojan is then used to install additional tools such as keyloggers, perform privilege escalation, and carry out lateral movement.

Once the trojan is installed on as many machines as possible, the attackers activate the ransomware and encrypt the files. The ransomware stage of the attack does not begin until the attackers have already done their damage and stolen the files they want.

How does Ransomware Work?


Once a device is exposed to the malicious code, the attack proceeds through the stages below. The ransomware can remain dormant on a machine until the device is at its most vulnerable, at which point it launches the attack.

Infection:

The ransomware is covertly downloaded and installed on the device.

Scanning:

The ransomware scans and maps locations for specific file types, including local database files and network-accessible systems, both mapped and unmapped. Some ransomware also destroys or encrypts backup files and directories.

Encoding or Encryption:

The ransomware exchanges keys with its Command and Control server and scrambles all files discovered during the scanning stage with the encryption key. It also restricts access to the data.

User Message:

The ransomware drops instruction files that describe the pay-for-decryption process and then uses those files to display a ransom note to the user.

Cleanup:

Typically, the ransomware terminates and deletes itself, leaving only the payment instruction files.

Payment:

When the victim clicks the link in the payment instructions, they are taken to a web page with more information on how to make the ransom payment. Tor hidden services are frequently used to wrap these communications in order to evade detection by network traffic monitoring.

Decoding or Decryption:

Once the victim pays the ransom, usually to the attacker's Bitcoin address, the victim may receive the decryption key. There is, however, no guarantee that the decryption key will be provided as promised.

Ransomware Detection:

  • To automate the detection of ransomware, use real-time alerting and blocking, and keep users and endpoints protected from unauthorized access.
  • We can employ deception-based detection: hidden decoy files are placed on the file storage system, and ransomware encryption activity is identified when those files are touched. Any write or rename operation on the hidden files automatically triggers a block on the infected endpoint.
  • Reporting and analysis can also be used to provide an extensive audit trail in support of forensic investigations.
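
The deception-based detection described above, as an added example that is not part of the original post: a small Python script that walks a constructed endpoint file-event log, flags any host that writes to or renames a hidden canary file, and, going one step beyond the bullet, also flags hosts that mass-rename files to a single new extension. The event format, the canary paths, and the sample events are all assumptions constructed for this example.

```python
"""Deception-based ransomware detection over a constructed endpoint event log.
Canary paths, event format and sample events are assumptions for this example."""
from collections import Counter

# Constructed decoy (canary) file paths; real deployments pick their own hidden names.
CANARY_FILES = {
    r"C:\Users\alice\Documents\~canary.docx",
    r"\\fileserver\finance\.archive_2019.xlsx",
}

# Constructed sample events: op is read/write/rename; rename events carry new_path.
SAMPLE_EVENTS = [
    {"host": "ws-01", "op": "read",   "path": r"C:\Users\alice\Documents\q1.docx"},
    {"host": "ws-01", "op": "rename", "path": r"C:\Users\alice\Documents\q1.docx",
     "new_path": r"C:\Users\alice\Documents\q1.docx.locked"},
    {"host": "ws-01", "op": "rename", "path": r"C:\Users\alice\Documents\q2.xlsx",
     "new_path": r"C:\Users\alice\Documents\q2.xlsx.locked"},
    {"host": "ws-01", "op": "rename", "path": r"C:\Users\alice\Documents\notes.txt",
     "new_path": r"C:\Users\alice\Documents\notes.txt.locked"},
    {"host": "ws-01", "op": "write",  "path": r"C:\Users\alice\Documents\~canary.docx"},
    {"host": "ws-02", "op": "rename", "path": r"C:\Users\bob\Desktop\old.txt",
     "new_path": r"C:\Users\bob\Desktop\older.txt"},
    {"host": "ws-03", "op": "rename", "path": r"\\fileserver\finance\.archive_2019.xlsx",
     "new_path": r"\\fileserver\finance\.archive_2019.xlsx.enc"},
]

def _extension(path):
    """Lower-cased extension of the final path component; accepts \\ or / separators."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def canary_hits(events, canaries=CANARY_FILES):
    """Hosts that wrote to or renamed a canary file: these get blocked immediately."""
    return {e["host"] for e in events
            if e["op"] in ("write", "rename")
            and (e["path"] in canaries or e.get("new_path") in canaries)}

def bulk_rename_hosts(events, threshold=3):
    """Hosts that renamed at least `threshold` files to one new extension (mass-encryption pattern)."""
    counts = Counter((e["host"], _extension(e["new_path"]))
                     for e in events if e["op"] == "rename")
    return {host for (host, _ext), n in counts.items() if n >= threshold}

def hosts_to_block(events):
    """Union of both signals: the endpoints to isolate."""
    return canary_hits(events) | bulk_rename_hosts(events)

if __name__ == "__main__":
    print("block:", sorted(hosts_to_block(SAMPLE_EVENTS)))  # ['ws-01', 'ws-03']
```

In the sample log, ws-01 trips both signals, ws-03 trips only the canary rename, and ws-02's single ordinary rename is left alone; in practice the events would come from the endpoint agent or file-server audit log rather than an inline list.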

Ransomware Protection:

The simplest way to reduce your exposure to ransomware is to act cautiously from the start, because malware distributors are technically skilled. The following are some effective strategies for preventing ransomware:

  • Maintain frequent backups of your data on an external storage device. Try to follow the guideline of keeping three backup copies on two distinct media, with one backup stored in a different location.
  • Keep the backup drive disconnected from the device as much as possible so that the backup data cannot be encrypted along with the rest.
  • Keep the device's operating system and installed applications up to date, and apply security patches. Run vulnerability scans to detect and remediate issues as soon as possible.
  • Train your employees to recognize social engineering emails, and run a small test to see whether they can identify and avoid phishing. Use spam protection and endpoint protection technology to automatically block suspicious emails and malicious links.