Request Information

Request Information

or Call 1.877.459.4347
What is Ransomware and how does it work?

What is Ransomware?

Topics Covered in this Ransomware whitepaper:

  • How does Ransomware work?
  • How much do Ransomware Attacks Cost?
  • Early Ransomware Attacks
  • Notorious Ransomware Attacks
  • Why Business Need to be Protected from Ransomware
  • Why Antivirus Programs don’s stop Ransomware Attacks
  • What to do if you get Attacked
  • How to stop Ransomware Attacks from Occuring

Ransomware is a thriving marketplace plaguing individuals and businesses alike. It is a malicious and sophisticated malware attack that leverages a computer virus designed to hold a user’s data hostage. While ransomware is not a new technique, it has become increasingly notorious in recent years. Once imagined to be one clever hacker operating from his basement, it has now grown into a booming business.

Ransomware attacks are becoming more prevalent for several reasons. One is that most people today are incredibly dependent on their computers, with precious photos, important files, and more stored on them and are therefore willing to pay to get lost files back. And, in the case of businesses, most literally cannot afford to be locked out of their computers or files for any significant period of time. Considering that ransomware can spread to other PCs connected to a local network, it can be particularly catastrophic for businesses.

Another reason is simply that more and more people are able to access the ability to create and launch a ransomware attack. With the opportunity to become a lucrative business, there’s plenty of incentive to get into it.

There are two basic different types of ransomware. The first is locker ransomware, which locks the user out of their entire system and only unlocks it when the creator receives the ransom he has demanded. The other type is encrypting ransomware, which encrypts the user’s files and where the creator demands a ransom from the victim in exchange for a decrypting key.

How does Ransomware work?

As its name indicates, Ransomware works just like a kidnapping, except that you are paying the ransom for your data instead of for a loved one.

There are several different methods hackers use to launch their ransomware. It often begins when the cybercriminal behind the act designs an email that looks convincingly like a real email, such as a UPS package tracking email that baits the user to click a URL. When the user clicks the link, it launches malware that infects his computer with a virus. Alternately, when users unknowingly visit a compromised or malicious website, ransomware can be downloaded onto their systems. Additionally, it can be spread via infected software apps or infected external storage devices.

This virus then locks or encrypts everything on the user’s computer hard drive, literally locking the user out of all the files on the computer. The user is notified by a screen popping up that informs him that his files will all be destroyed unless he pays a ransom through an online payment to get access to a decrypt key.

Typically, the ransom is made with a specific deadline and if the victim goes past the deadline without paying, either the ransom will increase, or the user’s data is permanently destroyed.

It has become much more prevalent in recent years thanks to the dark web, which has made it possible for people even with very limited technical experience to get their hands on kits known as ransomware as a service (RaaS). Basically, just about anyone can create and launch a ransomware attack if they know where to look for RaaS.

Cybercriminals enjoy the challenge and the thrill of their malicious activities. But, layer on the fact that they can make fast, easy cash and it’s clear that ransomware isn’t going away anytime soon.

How much do Ransomware Attacks Cost?

According to Symantec, the amount of ransom demanded in 2017 was nearly three times what it was in 2016, averaging $1,077. The cybercriminals responsible for these attacks most commonly demand payment via cryptocurrency such as Bitcoin, though some other payment methods include Amazon and iTunes gift cards.

However, paying the ransom doesn’t always guarantee you’ll get your decryption key. In fact, a 2016 Kaspersky Security Bulletin indicates that 20 percent of companies that paid a ransom in response to an attack never recovered their files.

Early Ransomware Attacks

According to Symantec, the first known ransomware attack called AIDS Trojan occurred in 1989 for a payment of $189 and was spread via shared floppy discs. It was created and distributed by biologist Dr. Joseph Popp, who claimed to be using the funds collected to fund AIDS research.

In Russia, cases of ransomware attacks began to occur in 2005. In these early years, ransomware was mostly focused on encrypting the most commonly used file types such as  .PDF, .DOC, .XLS, .JPG. While ransomware attacks originally were prevalent in Russia, they soon moved into Europe before the infections began to spread across North America.

The first ransomware strand to use RSA encryption in the mid-’00s was called Archiveus. Very difficult to decode, an RSA encrypted file requires a specific alpha-numeric string of digits to unlock.

Some Notorious Ransomware Attacks


In the early ’10s, a type of ransomware known as Reveton, or “Police Ransomware” packages hit the scene. These police trojans impersonated law enforcement agencies with notification pages informing the victims that they were caught doing illicit activities online and demanded the payment of “fines”. Reveton tracked the geolocation of its victims in order to know which local law enforcement agency to impersonate.


Named after its ability to encrypt files as well as lock the files, CryptoLocker appeared in 2013. At its peak, CryptoLocker was infecting about 150,000 victims monthly.

This threat was powerful because even if the victim was able to delete the malware, they would still have to pay the ransom to receive a decryption key for their encrypted files. A spam campaign was identified to be the cause behind the CryptoLocker infections, which used a small file size and simple downloading function.

While CryptoLocker was taken down by a white-hat campaign, CryptoLocker got the foot in the door for variations of file-encryption ransomware, such as the widely-known imitators CryptoWall and TorrentLocker.


TeslaCrypt originally targeted gamers of several specific and extremely popular games: Call of Duty, World of Warcraft, Minecraft, and World of Tanks. TeslaCrypt targeted the ancillary files associated with those video games that are commonly stored on the local hard drive.

In 2015-2016 TeslaCrypt was responsible for nearly half of all ransomware attacks. Surprisingly in 2016, the cybercriminals behind TeslaCrypt not only provided the master decryption key publicly, ending the threat, they even apologized.


In late 2015, the Android platform was targeted by SimpleLocker, the first Android-based attack to encrypt files. Additionally, it was the first ransomware to use a Trojan downloader mimicking a legitimate app to deliver the ransomware. The majority of victims were infected when they attempted to download porn or other shady apps from sources other than the Google Play store.


In mid-May of 2017, the WannaCry worm literally made ransomware life-threatening when it shut down hospitals in Ukraine and striking Britain’s National Health Service (NHS). Originally spread through malicious Dropbox URLs embedded in spam, WannaCry spread rapidly through a number of computer networks by infecting a Windows computer and encrypting files on the PC’s hard drive. Considered one of the worst ransomware attacks of all time, it was detected in more than 115 countries.


The Petya ransomware package originated in 2016 and was a standard package aimed at extracting Bitcoin from its victims. An updated version—named “NotPetya” to signify its advanced state from its predecessor—became prevalent while the world was still reeling from the WannaCry outbreak.

It is widely speculated that NotPetya was actually a state-sponsored Russian cyberattack on Ukraine, disguised as a ransomware attack.


Cerber appeared in March 2016 and was notorious for its creepy voice component, which reads out the ransom message. It was responsible for an attack on millions of Microsoft Office 365 users who were potentially exposed.


The GoldenEye ransomware attacks reported in Ukraine in late June of 2017, targeted Kiev’s largest airport, Ukraine’s national bank, and its state power company. Unlike most ransomware just encrypting files, GoldenEye attacked the entire computer preventing the system from booting up by encrypting the Master File Table. When the victim attempted to reboot their machine, a skull and crossbones splash screen appeared displaying the ransom demand.


Locky was especially notorious because it encrypted not just data files but also Volume Snapshot Service (VSS) files to stop victims from attempting to restore files using it. It also encrypted Bitcoin wallets. Its name comes from the fact that while encrypting the user’s files, it also renamed them to have the extension “.locky”.

Why Business Need to be Protected from Ransomware

Once cybercriminals realized that the real money was not in targeting individual home users, but in targeting companies, because of the major disruptions an attack would cause, the shift moved in that direction. In fact, nearly 70 percent of companies pay the ransom to recover their data.

Complex networks in businesses are often more vulnerable and many businesses are reluctant to report attacks because they fear it would damage their brand and cause customer losses.

Why Antivirus Programs don’s stop Ransomware Attacks

Antivirus software can’t detect ransomware because it is designed to stay hidden. While Antivirus programs can stop any known ransomware from attacking your business by reading the signature of the known ransomware, it can’t protect your business new ransomware attacks. Because stealth is critical to ransomware being a lucrative business, these cybercriminals are employing talented developers to ensure that their attacks remain undetected.

What to do if you get Attacked

Step 1: Disconnect from the network and stop backing data up immediately. Disconnect the infected machine from the network immediately after the infection is discovered.

Step 2: Remove ransomware and clean computers of malicious software. If you have a good restore, remove all traces of the ransomware using antivirus software or an appropriate malware remover before proceeding.

Step 3: Restore from the most recent clean backup. Provided  that  you  maintain  consistent  backups,  locate  a  clean  version  of  the  files,  and  restore  to  your  most  recent  backup  set.

How to stop Ransomware Attacks from Occuring

There are two key ways to combat ransomware and keep it from affecting your business.

The first is to have your staff educated on what to watch for and trained to be diligent since most ransomware attacks are launched via phishing emails. Train your associates to avoid opening unverified emails or clicking links embedded in unverified emails. Provide employees with examples of what phishing emails look like, so that the next time they receive an email from “FedEx” with a “tracking link” for a “package” they know nothing about, they will think twice before clicking the link and send it to the helpdesk.

Your associates should also adhere to such best practices such as keeping macros turned off in the Microsoft Office suite of software and avoiding the use of browser plug-ins including Adobe Flash, Adobe Reader, Java, and Silverlight except on an ad-hoc basis.

Secondly, evaluate your technical infrastructure and the way your IT pros build and maintain that infrastructure. With a solid, cloud-based business continuity plan, you can successfully avoid ransomware damage for your company.

Most security vendors are constantly working on updates to catch and stop ransomware before it infects your files. If you use antivirus or anti-malware services, be sure you are running the most recent versions of these products and do regular updates. And, setting up a next-generation firewall can combat numerous threats—in fact, some can even detect zero-day threats before they infiltrate the system.

If your business does become the victim of an attack, it can be a manageable event when your data is backed up and easily recoverable.

For more information on ransomware, download Evolve IP’s Ultimate Guide to Ransomware.

Recognized by:

Certified by:


Contact Us

or Call 1.877.459.4347