What Is Ransomware? How It Works and How To Prevent It

Ransomware has grown into a leading cyberthreat. Here’s everything you need to know about ransomware and how to protect your systems and data.

Brien Posey

April 14, 2023



What Is Ransomware?

Ransomware is a general name for a class of malware that holds a victim’s data hostage until a ransom payment is made to the attacker.

Ransomware is best known for encrypting a victim's data. The data typically stays encrypted until the victim pays for the decryption key. Not all ransomware encrypts data, however. Doxware, for example, threatens to publicly expose the victim's data instead, and many current ransomware groups do both: they steal a copy of the data before encrypting it, so that the threat of publication remains even if the victim can restore from backup.

How Does Ransomware Work?

Ransomware infections begin in various ways. These include a user engaging with a phishing email, downloading software from an untrustworthy source, or visiting a compromised website. With email, the victim receives a message that prompts them to click a malicious URL or open an infected attachment. Human-operated attacks also frequently start with stolen or guessed credentials for an internet-facing remote-access service such as RDP or a VPN.

At a broad level, there are two categories of ransomware: automated and human-operated. Automated ransomware is installed as a direct result of something the user did (e.g., opening an infected email attachment) and, once installed, operates autonomously. Human-operated ransomware is deployed by an attacker who has already gained a foothold in the victim's environment, typically through a backdoor or stolen credentials. The attacker uses that access to explore the network and possibly steal data, and only then plants the ransomware on the compromised systems.

Types of Ransomware and Examples

Countless types of ransomware exist in the wild today. Some of the more common categories of ransomware include the following.

Crypto ransomware

Crypto ransomware is probably the best known of all ransomware types. Crypto ransomware encrypts a victim's files and demands a ransom payment for a decryption key.

Locker ransomware

Locker ransomware prevents the victim from accessing their device until a ransom is paid. Locker ransomware might prevent access by changing the device’s password, effectively locking out the device’s owner.

Doxware

Doxware, sometimes called leakware, steals the victim's data and threatens to publish it unless a ransom is paid. Unlike ransomware that encrypts files or locks the device, doxware relies on data exfiltration for its leverage, which means that restoring from backup does nothing to remove the threat.

Scareware

Scareware is fake ransomware. It displays an ominous warning on the victim's device and demands a ransom payment, but it has not actually encrypted or locked anything. It is designed to trick the victim into believing the device has been compromised, and the attacker's only goal is to deceive the victim into paying.

Ransomware as a service

Ransomware as a service (RaaS) is a business model rather than a distinct kind of malware. Ransomware developers lease their malware, payment portals, and leak sites to affiliates who carry out the actual intrusions, even if those affiliates lack the skills to write the malware themselves, and the service's operators take a percentage of each ransom paid. A RaaS offering can deliver any of the previously discussed ransomware types.

How To Prevent Ransomware Attacks

Unfortunately, there is no magic formula for preventing ransomware attacks. However, you can take important steps to reduce your chances of falling victim.

1. Install and maintain antivirus software

Antivirus software acts as a first line of defense against ransomware, although it’s not guaranteed to catch all threats. It’s important to use reputable antivirus software, as some free options found online may contain malware.

2. Keep your computer software updated

It’s critical to install software updates as soon as they become available. More specifically, you need to update your operating system, antivirus software, and applications.

3. Avoid suspicious emails and websites

The most common way ransomware attacks occur is through email messages and websites. To avoid such attacks, never open suspicious email attachments or click on links within messages unless they are verified to be legitimate. Additionally, you must avoid downloading anything from unfamiliar websites.

4. Use strong passwords

Some human-operated ransomware attacks begin with stolen or guessed passwords, particularly for remote-access services. Use strong, unique passwords for every account, and enable multifactor authentication wherever it is available, especially for remote access and administrative accounts.

5. Enable security settings on your computer

By using the security settings your operating system already provides, you may be able to prevent a ransomware infection or limit the damage it can do. Examples include doing day-to-day work from a standard (non-administrator) account, leaving Office's default block on macros in files downloaded from the internet in place, and enabling Controlled Folder Access in Microsoft Defender so that unknown programs cannot modify the folders you protect. Enable the settings that are appropriate to your situation.

6. Have regular system backups

Backups are the most effective way to recover from a ransomware infection, but only if they survive the attack and actually restore. Back up regularly, keep at least one copy somewhere that the ransomware (and an attacker holding your credentials) cannot write to, and test restores periodically. Ransomware routinely deletes volume shadow copies and encrypts any backup share it can reach, so a backup that sits on the same network as the victim machine is not a recovery plan.

7. Keep a copy of your important data in a secure location

To protect your data during a ransomware attack, keep an offline copy, also known as an air-gapped backup, or an immutable backup that cannot be altered or deleted during its retention period. An offline or immutable backup is often the last resort for recovering your data following a severe ransomware attack.
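A backup is only worth keeping if you can prove the restored data matches what you backed up. The following added example (not the article's or any product's code) builds a SHA-256 manifest of a directory tree and later verifies a restored copy against it, which catches a backup taken after encryption had already started as well as a restore that silently lost or renamed files. The function and file names, and the simulated attack in the demo, are constructed for illustration.

```python
"""Backup integrity manifest: added example, not code from the article."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(root, manifest):
    """Compare the tree under root with a manifest taken earlier.

    Returns lists of files that are unchanged (ok), changed in place
    (modified), gone (missing), and present but not in the manifest (extra).
    Encrypted-in-place files show up as modified; files renamed with a new
    extension show up as missing plus extra; ransom notes show up as extra.
    """
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "extra": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["extra"] = sorted(set(current) - set(manifest))
    return result


def simulate_attack_and_verify():
    """Demo: manifest a small tree, damage it the way ransomware would, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "data")
        os.makedirs(os.path.join(data, "docs"))
        # Constructed sample files standing in for user data.
        files = {
            "docs/budget.xlsx": b"Q1 numbers\n" * 100,
            "docs/plan.txt": b"roadmap\n" * 50,
            "readme.txt": b"hello\n",
        }
        for rel, content in files.items():
            with open(os.path.join(data, rel), "wb") as f:
                f.write(content)
        manifest = build_manifest(data)
        manifest_path = os.path.join(tmp, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2, sort_keys=True)

        # Simulated ransomware (constructed): encrypt one file in place,
        # rename another with a new extension, and drop a ransom note.
        with open(os.path.join(data, "docs/budget.xlsx"), "wb") as f:
            f.write(os.urandom(1024))
        os.rename(os.path.join(data, "docs/plan.txt"),
                  os.path.join(data, "docs/plan.txt.locked"))
        with open(os.path.join(data, "README_DECRYPT.txt"), "w") as f:
            f.write("your files are encrypted\n")

        with open(manifest_path) as f:
            saved = json.load(f)
        return verify_restore(data, saved)


if __name__ == "__main__":
    for category, paths in simulate_attack_and_verify().items():
        print(f"{category:9s} {paths}")
```

Store the manifest with the backup media rather than on the protected host: if it lives on the same volume, the same attacker who encrypted the data can delete or rewrite it.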

8. Be alert to any ransomware activity on your computer

Ransomware typically needs time to complete its work and so does not display its ransom demand until after the damage is done. During that time, there are often subtle signs that an attack is underway. Signs include large amounts of unexplained disk activity, files across many folders being renamed en masse with an unfamiliar extension, unrecognized programs appearing on your computer, slow or unstable performance, files that no longer open, and, on Windows, volume shadow copies being deleted.

FAQ

How is ransomware spread?

The most common way is a user clicking a malicious link in a phishing message. However, ransomware can also be spread by a user downloading and installing an infected application, opening an infected email attachment, or visiting a malicious website.

How do attackers gain access to a system through ransomware?

Some ransomware contains a backdoor that an attacker can use to access the victim's system, and some acts as a "dropper" that downloads and installs additional malware, including backdoors. More often the order is reversed: an initial loader or backdoor arrives first, the attacker uses it to explore the network, and the ransomware is the final payload deployed at the end of the intrusion.

What should I do if my system is infected with ransomware?

Disconnect the affected system from the network first so the ransomware cannot spread to file shares or other machines. Before wiping it, preserve the ransom note and a few encrypted files; both help identify the variant and whether a free decryptor exists. The best way to recover is then to format the disk, reinstall clean copies of the operating system and applications, and restore data from backups. Make sure the system is entirely clean before restoring any data; otherwise, the restored data may be encrypted again.

What are the risks of paying a ransom to an attacker?

It’s always best to avoid paying a ransom if possible. Paying a ransom emboldens the attacker and helps to fund future ransomware efforts. Besides that, paying the ransom doesn’t guarantee you will receive the decryption key (you’re dealing with criminals after all). Additionally, the attacker may demand even more money once you have paid the initial ransom.

How can I restore access to files that have been encrypted by ransomware?

The only guaranteed method to restore encrypted files is to restore them from a known good backup. If you do not have a backup, check whether a decryptor has been published for the variant that hit you; the No More Ransom project (nomoreransom.org), run by law enforcement and security vendors, hosts free decryptors for many common families. Be careful not to be tricked into downloading even more malware in the process: obtain decryptors only from the project site or a reputable security vendor, never from a site you reached through a search ad or a forum link.

What measures can I take to help prevent ransomware attacks?

To prevent ransomware attacks, it is essential to avoid risky behavior like opening untrusted email attachments or clicking suspicious links. Using antimalware software and keeping your software up to date is also important. Application allowlists can prevent unauthorized software from running on your system at all. For example, Windows includes AppLocker, and newer versions include Windows Defender Application Control, both of which can block executables, scripts, and installers that are not on the allowlist, which stops most ransomware payloads from executing even if a user launches them.

About the Author(s)

Brien Posey

Brien Posey is a bestselling technology author, a speaker, and a 20X Microsoft MVP. In addition to his ongoing work in IT, Posey has spent the last several years training as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.

http://brienposey.com/
