What is Ransomware? How it Works and How to Remove it


Ransomware attacks have become an increasingly imposing threat to organizations with implications reaching beyond information security to governance, operations, finance, customer and public relations, and more.

The heightening popularity of these attacks and their potential for damage, from school shutdowns to compromised critical infrastructure and interruptions in healthcare delivery, has sparked broader conversations on combating this globally pervasive threat.

For organizations looking to protect themselves against ransomware, it is helpful to understand what it is, how and why ransomware is evolving, and what measures organizations can take to stop it. Taking proactive measures against ransomware attacks helps businesses safeguard their valuable data and ensure the continuity of their operations.

What is Ransomware?

Ransomware is malicious software (malware) that leverages data encryption to extort organizations for substantial ransoms. Once paid, ransomware attackers theoretically restore access to or unencrypt affected data using a decryption key.

Ransomware attacks often begin with a social engineering tactic, such as phishing emails or watering hole attacks, which trick users into downloading the malware. The attackers may then demand payment in cryptocurrency, credit card payments, or wire transfers.

In most ransomware attacks, encryption restricts access to critical files, systems, and applications. Refusing or failing to pay the demanded amount may result in permanently blocking those assets or leaking valuable data to public shaming sites and dark markets.

Today, ransomware attacks are the most financially and informationally detrimental cyber threat to enterprises and agencies. Recent data on ransomware from the United States Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) estimated that combined losses from ransomware attacks reported to the IC3 totaled $30 billion in 2020 alone. In 2021, ransomware demands in the United States and Canada tripled from $450,000 to $1.2 million on average. These numbers continue to rise as ransomware attacks grow in sophistication and scale.

How Does Ransomware Work?

For cybercriminals, creating and distributing ransomware is not complicated. The encryption functions needed for ransomware exist natively on Windows and on Unix-based systems like macOS and Linux. Attackers can also use open-source projects or buy off-the-shelf malware from Ransomware-as-a-Service (RaaS) providers like SMAUG RaaS and Shifr RaaS. These portals are becoming more widespread and easily accessible to less-sophisticated hackers.

Once attackers have their ransomware, they only need to decide how to distribute it. Common infection vectors include social engineering tactics like phishing emails or malicious files downloaded from websites. Attackers can also deliver malware through fake software installers or via scripts on maliciously-crafted websites.

Once a victim has authorized the malicious file, the encryption process happens silently in the background and the victim may not realize they’re infected for some time. Some ransomware can delay the encryption process, creating a window of opportunity for criminals to cover their tracks and making it harder for security researchers to trace the attack.

However, not all ransomware requires user interaction. For example, the SamSam ransomware that emerged in 2016 targeted weak passwords on connected devices, and some ransomware strains can exploit zero-day vulnerabilities to execute themselves without any user interaction.

Additionally, a popular Oracle WebLogic Server vulnerability allowed attackers to send ransomware directly to computers and run it without user interaction. The frequency and scale of such attacks continue to increase, with some estimates that the cost of ransomware attacks could reach $265 billion by 2031.

The Short Evolution of Ransomware

Ransomware started as a simple extortion method targeting individual users but has since developed into a complex enterprise operation. Cybercriminals have shifted their focus to large-scale attacks against businesses and organizations, utilizing advanced tactics such as zero-day exploits, ransomware-as-a-service (RaaS) platforms, and affiliate programs. The next stage in the evolution of ransomware involved data theft and threats of releasing or selling it, making extortion even more effective. Some nation-states have even embraced ransomware to fund their governments and conduct espionage.

Ransomware on Windows

Ransomware has historically been predominantly Windows-based, with attackers targeting the operating system’s built-in backup mechanism, Volume Shadow Copies (VSS). This focus on Windows is primarily due to its widespread use and easy exploiting of its vulnerabilities.

Ransomware on Linux

As cloud computing expands, ransomware groups have increasingly targeted Linux devices. Recent examples of Linux-targeting ransomware include Cl0p and Icefire, both of which have been extensively researched by SentinelLabs. Although these attacks on Linux systems are on the rise, they still represent a smaller proportion of ransomware incidents than attacks on Windows.

Ransomware on macOS

While macOS is gaining popularity, ransomware attacks on the platform are relatively rare. Instead, cybercriminals targeting macOS typically focus on stealing information and gaining unauthorized access. A notable exception to this trend is the EvilQuest ransomware, which combined ransomware, spyware, and data theft in a single attack. However, this type of malware is still not a widespread issue on macOS.

Ransomware on Cloud

The shift to cloud computing has brought about new challenges in ransomware attacks. Many Linux-based ransomware campaigns can potentially target cloud instances, but the nature of cloud workloads often makes them less attractive targets for cybercriminals. Instead, attackers have turned to other methods to exploit cloud environments, such as leveraging the powerful APIs provided by cloud services.

How Ransomware Has Changed

One of the most significant changes in ransomware is the emergence of new tactics in cyber extortion, including double and triple extortion, beyond traditional ransomware. These tactics include data corruption, Distributed Denial of Service (DDoS) attacks, and even physical threats.

Data corruption involves threat actors gaining access to an organization’s systems and tampering with critical data. Instead of encrypting files, the attackers manipulate or delete essential information, making it unusable until the target pays the ransom. This approach can be more damaging and harder to recover from than traditional ransomware attacks.

Another significant change is the targeting of supply chains and cloud service providers. These attacks aim to infect multiple organizations by compromising a single provider. This approach has led to large-scale attacks that can affect various businesses and result in significant financial losses.

Overall, the evolution of ransomware and cyber extortion tactics has made it challenging for organizations to protect themselves. As a result, businesses must implement robust cybersecurity measures and have contingency plans to respond to attacks.

What is Ransomware-as-a-Service (RaaS)?

Ransomware-as-a-Service (RaaS) has become a popular business model for cybercriminals to launch ransomware attacks without technical expertise. In a RaaS model, ransomware developers sell fully-formed variants to non-technical buyers at a flat rate or a percentage of profits. Transactions occur on the dark web with little to no risk for the buyers.

Developers who use the RaaS model benefit from avoiding the risk of infecting targets and gain increased efficiency and profitability through the division of labor and craft between different skill sets. This model has steadily gained popularity in recent years due to the widespread success of ransomware attacks and the availability of high-quality RaaS kits.

While RaaS is not a new delivery model, its demand has increased due to the low upfront cost relative to a possible return. RaaS has allowed criminals with different levels of expertise to combine their efforts, making attacks more efficient and profitable. The rise of RaaS has also contributed to the growing scale of ransomware attacks and increased the potential threat to businesses of all sizes.

Recent Ransomware Attack Examples

Ransomware attacks continue to threaten businesses worldwide, with attackers continually evolving their tactics to maximize their impact. There have been several high-profile ransomware attacks in recent years that have caused significant damage and disruption. Particularly relevant and educational examples of recent ransomware attacks include:

  • Colonial Pipeline: In May 2021, a ransomware attack hit Colonial Pipeline, one of the largest fuel pipelines in the United States. The attack caused significant disruptions to fuel supply across the eastern seaboard, leading to panic buying and fuel shortages. The DarkSide ransomware gang claimed responsibility for the attack, and the company reportedly paid $4.4 million to regain access to its systems.
  • Merseyrail: Also in May 2021, a ransomware attack targeting the UK rail operator Merseyrail caused significant service disruptions. The attackers, believed to be the group BlackMatter, demanded a ransom of $10 million in exchange for a decryption key. The attack led to the cancellation of hundreds of trains and affected thousands of passengers.
  • Kaseya: In July 2021, a ransomware attack targeting the software provider Kaseya affected over 1,000 businesses. The attackers, believed to be the Russian-speaking group REvil, exploited a vulnerability in Kaseya’s VSA software to distribute ransomware to its clients. The attackers demanded a $70 million ransom for a universal decryption key.
  • Costa Rica Government: In April 2022, Costa Rica declared a national emergency after multiple government institutions suffered ransomware attacks. Russian ransomware group Conti claimed responsibility for the attack and encrypted hundreds of gigabytes of sensitive information. Costa Rica eventually refused to pay the ransom, and the attackers released 50% of the encrypted data to the public.
  • Optus: In September 2022, Australian telecommunications company Optus suffered a ransomware attack that encrypted 11.2 million customers’ data, including highly sensitive information such as addresses, passport details, and birthdates. A lone threat actor eventually claimed responsibility for the attack, posted 10,000 stolen data entries online, and threatened to release more if the company did not pay the $1 million ransom. However, the attacker rescinded the ransom shortly after and deleted the stolen data.
  • Royal Mail: In January 2023, Royal Mail reportedly detected a ransomware attack, hired outside forensic experts to help with the investigation, and reported the incident to UK security agencies. In February 2023, the LockBit ransomware operation claimed responsibility for the ransomware attack and stated they would only provide a decryptor and delete stolen data after the company paid the ransom.
  • Tallahassee Memorial Healthcare: In February 2023, Tallahassee Memorial Healthcare took its IT systems offline and suspended non-emergency procedures following a suspected ransomware attack. While the FBI confirmed it is working with the hospital to assess the situation, the source of the attack is still unknown.

How Ransomware Spreads

Understanding how ransomware spreads is crucial for businesses to take the necessary steps to protect their networks, devices, and data from potential attacks.

1. Phishing & Social Engineering

Ransomware attacks can be spread through phishing and social engineering tactics. Cybercriminals use sophisticated methods to trick victims into downloading malicious attachments or clicking on links that lead to malware infections.

Phishing emails, designed to look like legitimate correspondence from trusted sources, lure unsuspecting recipients into clicking on a link or downloading a malicious attachment. These emails may appear to be from a bank, a business partner, or a government agency and often use social engineering tactics to create a sense of urgency or fear, prompting the victim to act quickly.

In addition to phishing, social engineering attacks can also spread ransomware. Social engineering attacks can take many forms, such as phone calls or instant messages, and often involve manipulating the victim into giving up sensitive information or downloading malware. These attacks exploit human weaknesses and often involve impersonating someone with authority or expertise, such as an IT administrator or a software vendor.

Businesses can educate their employees on recognizing and avoiding phishing and social engineering attacks. Implementing security measures like multi-factor authentication, spam filters, and regular software updates can also help prevent ransomware infections.

2. Compromised Websites & Drive-bys

Ransomware can also spread through compromised websites and drive-bys. These attacks occur when attackers take advantage of vulnerabilities in website code or advertise malicious links to unsuspecting users. Drive-by attacks use this technique to automatically download and install malware onto a user’s computer, often without their knowledge or consent.

The process begins with attackers compromising a website or creating a fake one that looks legitimate. They then inject malicious code into the site, which can infect any visitor who clicks on the link or lands on the page. In some cases, attackers may also use search engine optimization (SEO) techniques to increase the likelihood of a user finding the malicious site.

Once a user visits the site, the malicious code downloads and executes the ransomware payload onto their device. Often, this is done without the user’s knowledge, making it difficult to detect the infection until it’s too late. In addition to being spread through compromised websites, attackers can also deliver ransomware through drive-by downloads, which occur when a user visits a site and malicious code is downloaded and unknowingly installed on their device.

Businesses can update all software and systems with the latest patches and train users to recognize and avoid suspicious links and downloads to protect against ransomware spread through compromised websites and drive-bys.

3. Malvertising

Malvertising, or malicious advertising, is a technique where cybercriminals inject malware into legitimate online advertisements. When users click on a malicious ad, it redirects them to a website that downloads and installs the ransomware onto their computer. Malvertising campaigns often target high-traffic websites and use sophisticated techniques to evade detection and infect as many users as possible.

One standard method is “watering hole” attacks, where hackers compromise a legitimate website that the target audience will likely visit. Once the website is compromised, the attackers inject malicious code into the displayed ads, which can then infect users who click on them.

Another method used in malvertising is to use “drive-by downloads.” In this technique, attackers use a compromised ad network to deliver malicious ads to legitimate websites. When users visit the website, the ad automatically downloads and installs the ransomware onto their computer without their knowledge or consent.

Malvertising is a highly effective way for cybercriminals to spread ransomware since it relies on unsuspecting users clicking on seemingly legitimate ads. Businesses can protect themselves by implementing ad blockers, keeping their antivirus software up to date, and educating employees about the risks of clicking on unknown links and ads.

4. Malware Kits

Malware kits are tools, scripts, and other components packaged together to create custom malware. These kits can be purchased on the dark web and are often user-friendly, allowing cybercriminals with limited technical skills to develop and distribute malware, including ransomware.

Attackers often use malware kits in combination with social engineering tactics to trick users into clicking on a malicious link or opening a malicious attachment. Once a user has inadvertently downloaded the malware, it can quickly spread throughout their system and potentially infect other machines on the same network.

Malware kits often include built-in obfuscation techniques to avoid detection by antivirus software and may also come with instructions on evading security measures such as firewalls and intrusion detection systems. These kits are constantly evolving, with new versions being released regularly with updated features and improved stealth capabilities.

5. Infected File & Application Downloads

Attackers can embed malicious code within seemingly legitimate files and applications, tricking users into downloading and installing them. An attacker may distribute an infected version of a popular software or tool that appears legitimate, but when downloaded and installed, it executes the ransomware.

Attackers often use social engineering tactics to convince users to download and install infected files or applications. This method can include disguising the files or applications as necessary updates, security patches, or even enticing software or media downloads.

In some cases, attackers may also use file-sharing platforms or peer-to-peer (P2P) networks to distribute infected files or applications. Users downloading files or applications from these platforms may unknowingly download ransomware and infect their systems.

Businesses can implement strong security measures to protect against infected file and application downloads, such as using reputable software download sources, regularly updating software and applications, and training employees to identify and avoid suspicious downloads. Businesses can also use antivirus and anti-malware software to scan and identify potential threats before infecting systems.

6. Messaging & Social Media

This method often involves cybercriminals exploiting users’ trust and curiosity to entice them to click on malicious links or download infected files. These attacks can come as a direct message from a contact or a fake account that looks legitimate.

In some cases, attackers disguise ransomware as a harmless link or file attachment, such as a photo or a video, that appears to come from a friend or colleague. Ransomware can be disguised as a scalable vector graphics (SVG) file that, when opened, downloads a file that bypasses traditional extension filters. Since SVG is based on XML, cybercriminals are able to embed any kind of content they please. Once accessed, the infected image file directs victims to a seemingly legitimate site. After loading, the victim is prompted to accept an install which, if completed, delivers the payload and then propagates to the victim’s contacts to continue the impact.
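The SVG trick works because an SVG is XML and may legally carry script, event-handler attributes and links to external resources. A mail gateway or upload filter can therefore inspect the XML instead of trusting the extension. The scanner below is an added example written for this page, not code from the original article or from SentinelOne; the two sample documents are constructed stand-ins (the suspicious one contains no real payload, only the structural features a filter should flag), and the tag and attribute lists are a starting point, not an exhaustive policy.

```python
"""Flag active content in SVG attachments before they reach a mailbox or a shared folder."""
import xml.etree.ElementTree as ET

# Constructed samples (not real malware): a plain icon and an SVG carrying the
# structural features an attacker would need for the behaviour described above.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>/* active content would run here */</script>
  <a xlink:href="http://example.invalid/download"><rect width="10" height="10"/></a>
  <image onload="" href="javascript:void(0)"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"/></foreignObject>
</svg>"""

# Elements that can execute code or embed foreign documents inside an SVG.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# href schemes/prefixes that point outside the image or straight into script.
RISKY_HREF_PREFIXES = ("javascript:", "http://", "https://", "data:")


def localname(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list:
    """Return a list of (reason, detail) findings; an empty list means nothing active was found."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is itself suspicious for a file that claims to be an image.
        return [("unparseable XML", str(exc))]

    for element in root.iter():
        name = localname(element.tag)
        if name in ACTIVE_TAGS:
            findings.append(("active element", name))
        for attr, value in element.attrib.items():
            attr_name = localname(attr)
            if attr_name.lower().startswith("on"):
                # onload, onclick, onmouseover ... all run script in a renderer.
                findings.append(("event handler attribute", f"{name}@{attr_name}"))
            elif attr_name == "href" and value.strip().lower().startswith(RISKY_HREF_PREFIXES):
                findings.append(("external or script reference", f"{name}@{attr_name}={value}"))
    return findings


def is_safe_to_deliver(data: bytes) -> bool:
    """Policy helper: deliver only SVGs with no findings at all."""
    return scan_svg(data) == []


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, "->", "deliver" if is_safe_to_deliver(doc) else scan_svg(doc))
```

The check deliberately quarantines on any finding rather than trying to sanitize: stripping a `script` element still leaves `href` and event attributes, and an attachment filter has no business rewriting user files. Note that `xml.etree` is used here only to walk the tree; a production filter should also disable external entity resolution (for example with the `defusedxml` package) before parsing untrusted XML.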

Attackers can also use social media platforms to spread ransomware through phishing scams. For example, a user may receive a message purporting to be from a well-known brand or organization, asking them to click on a link or download an attachment. The link or attachment may contain ransomware, which can then infect the user’s device and spread throughout their network.

Businesses can educate their employees about the risks and provide training on identifying and avoiding malicious links and attachments to avoid falling victim to ransomware spread through messaging and social media. Maintaining up-to-date security software and regularly backing up critical data is also helpful.

7. Brute Force Through RDP

In a brute force attack, threat actors try many password combinations until they discover the right one. Attackers often use this method to target remote desktop protocol (RDP) endpoints, typically found on servers or workstations and used by employees to connect to a corporate network remotely.

The attacker must first identify the target’s RDP endpoint to launch a brute force attack. They then use automated software to try out different password combinations until they find the right one, giving them access to the target’s network.

A brute force attack can be successful if the target uses weak passwords, such as “password123” or “admin123.” Businesses can enforce strong password policies, such as requiring complex passwords with a mix of uppercase and lowercase letters, numbers, and symbols and implementing multi-factor authentication to mitigate the risk of a brute force attack.

It’s worth noting that some ransomware variants are explicitly designed to exploit RDP vulnerabilities and can quickly spread once they gain access to a network. Businesses can keep their RDP endpoints secure and up-to-date with the latest security patches to avoid brute force attacks.
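Brute-force attempts against RDP leave a very regular trace: many failed logons of type RemoteInteractive from one source address in a short time, often cycling through several account names. The detector below is an added example written for this page, not code from the original article or from SentinelOne. It assumes failed-logon records have already been exported from the Windows Security log into a simple `key=value` text form (the sample lines are constructed; the event IDs 4625/4624 and logon type 10 are the real Windows values) and flags any source that exceeds a threshold of RDP failures inside a sliding window.

```python
"""Sliding-window detection of RDP brute-force attempts in Windows logon-failure events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export. EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). The addresses are documentation ranges.
SAMPLE_EVENTS = [
    "2023-02-01T08:00:01 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.5",
    "2023-02-01T08:00:08 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.5",
    "2023-02-01T08:00:15 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.5",
    "2023-02-01T08:00:21 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.5",
    "2023-02-01T08:00:30 EventID=4625 LogonType=10 Account=backup SourceIP=203.0.113.5",
    "2023-02-01T08:00:36 EventID=4625 LogonType=10 Account=backup SourceIP=203.0.113.5",
    "2023-02-01T08:05:00 EventID=4625 LogonType=10 Account=jsmith SourceIP=198.51.100.7",
    "2023-02-01T08:05:20 EventID=4624 LogonType=10 Account=jsmith SourceIP=198.51.100.7",
    "2023-02-01T09:30:00 EventID=4625 LogonType=3 Account=svc_sql SourceIP=203.0.113.5",
]


def parse_event(line: str) -> dict:
    """Turn one exported line into a dict with typed fields."""
    timestamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return {
        "time": datetime.fromisoformat(timestamp),
        "event_id": int(kv["EventID"]),
        "logon_type": int(kv["LogonType"]),
        "account": kv["Account"],
        "source": kv["SourceIP"],
    }


def detect_rdp_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {source_ip: (failure_count, sorted_accounts)} for every source that
    produced at least `threshold` RDP logon failures within any `window`."""
    recent = defaultdict(deque)   # source -> deque of (time, account) still inside the window
    alerts = {}
    for line in lines:
        event = parse_event(line)
        # Only failed RemoteInteractive logons count; network logons (type 3) and
        # successes are ignored so a single mistyped password never trips the rule.
        if event["event_id"] != 4625 or event["logon_type"] != 10:
            continue
        bucket = recent[event["source"]]
        bucket.append((event["time"], event["account"]))
        while bucket and event["time"] - bucket[0][0] > window:
            bucket.popleft()
        if len(bucket) >= threshold:
            accounts = sorted({account for _, account in bucket})
            alerts[event["source"]] = (len(bucket), accounts)
    return alerts


if __name__ == "__main__":
    for source, (count, accounts) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{source}: {count} RDP failures, accounts tried: {', '.join(accounts)}")
```

The list of accounts tried is reported alongside the count because a spread across several names (here `admin`, `administrator`, `backup`) distinguishes an attacker from a single user who has forgotten a password. Acting on the alert stays with the responder: blocking the source at the firewall, requiring MFA for RDP, or, as the text above recommends, moving RDP off the internet entirely.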

8. Cross-Platform Ransomware

Cross-platform ransomware is malware capable of infecting multiple operating systems such as Windows, macOS, and Linux. Once the ransomware infects a device, it can move laterally across the network to other connected devices, encrypting files as it goes. It can spread across various devices, regardless of the type of device or operating system they are running.

To prevent cross-platform ransomware attacks, businesses can ensure that all devices and operating systems are updated and have the latest security patches. Companies can also conduct regular backups of essential data and securely store backups offsite so that they can recover data without paying a ransom in the event of an attack.

Businesses can implement multi-factor authentication and strong password policies to prevent cross-platform ransomware attacks. Regular employee training and awareness campaigns can also help prevent employees from inadvertently downloading malware and falling victim to phishing scams that can lead to cross-platform ransomware infections.

Ransomware Protection

Ransomware protection involves various methods and techniques to prevent, detect, and mitigate the effects of ransomware attacks. Measures include regular backups, network segmentation, endpoint protection software, employee education, and incident response plans.

A comprehensive ransomware protection strategy is crucial to minimize the risk of falling victim to a ransomware attack. Attacks can result in costly downtime, loss of productivity, and the theft or compromise of sensitive information. It can also damage an organization’s reputation and lead to the loss of customer trust.

Protect Common Ransomware Attack Vectors

By understanding the different transmission methods, organizations can better prepare their defenses and implement the appropriate security measures to prevent or mitigate ransomware attacks.

Without a clear understanding of ransomware and how it spreads, critical system vulnerabilities might go unnoticed. Businesses may also be unable to detect and respond effectively, allowing the malware to cause significant damage to their operations, reputation, and finances.

Businesses must protect common attack vectors because ransomware can spread rapidly and silently, often evading detection until it has already caused significant damage. By protecting common attack vectors, businesses can make it much harder for ransomware to gain a foothold on their systems in the first place.

Endpoint Protection

Endpoint protection is a critical component for organizations to safeguard against cyberattacks. Endpoint protection focuses on securing endpoints, such as desktops, laptops, mobile devices, and servers, that can access an organization’s network. These endpoints are often the entry point for cybercriminals to launch ransomware attacks.

Endpoint protection software utilizes various technologies, such as antivirus, anti-malware, firewalls, and intrusion detection systems, to prevent, detect, and respond to cyber threats. Endpoint protection can block or isolate malicious files and prevent them from executing on the endpoint.

Modern Extended Detection and Response (XDR) solutions monitor local processes in real time and analyze their behaviors in detail, making it possible to identify malicious code with very high specificity and take immediate mitigation steps. An advanced XDR solution such as the SentinelOne Singularity platform takes this one step further by leveraging static and behavioral AI models—informed by ongoing threat intelligence into modern ransomware campaigns—to pinpoint abnormal activity and patterns that may be indicative of ransomware’s presence.

From there, an advanced XDR solution can neutralize the ransomware threat by deleting the code’s source, killing all relevant processes, quarantining suspicious files, or disconnecting the afflicted endpoint from the network altogether, depending on circumstance and organizational policies.
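Two of the behaviours this page has described, deleting Volume Shadow Copies (see the Windows section above) and rewriting many files with ciphertext in a short burst, are exactly the kind of signals a behavioural engine scores before it decides to kill a process or isolate a host. The scorer below is an added example written for this page, not SentinelOne code and not a description of how Singularity XDR works internally. It runs over a constructed endpoint event stream (process creations and file writes); the `vssadmin`/`wmic` command patterns are the documented Windows utilities for shadow-copy management, and the uniform byte block standing in for encrypted output is constructed so that its entropy is exactly 8.0 bits per byte.

```python
"""Behavioural ransomware heuristics over a constructed endpoint event stream."""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2023, 2, 1, 10, 0, 0)
# Uniform byte distribution: Shannon entropy 8.0, a deterministic stand-in for ciphertext.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
PLAINTEXT_LIKE = b"Quarterly revenue summary, all figures in USD.\n" * 40

# Constructed events: (time, kind, pid, detail). kind "proc" carries a command line,
# kind "write" carries (path, bytes written). pid 4242 behaves like ransomware,
# pid 1337 is a text editor, pid 2001 is a backup job writing one compressed archive.
SAMPLE_EVENTS = [
    (T0, "proc", 4242, r"C:\Windows\System32\vssadmin.exe delete shadows"),
    (T0 + timedelta(seconds=1), "write", 4242, (r"C:\Users\alice\Documents\budget.xlsx.locked", CIPHERTEXT_LIKE)),
    (T0 + timedelta(seconds=2), "write", 4242, (r"C:\Users\alice\Documents\plan.docx.locked", CIPHERTEXT_LIKE)),
    (T0 + timedelta(seconds=3), "write", 1337, (r"C:\Users\alice\Documents\notes.txt", PLAINTEXT_LIKE)),
    (T0 + timedelta(seconds=3), "write", 4242, (r"C:\Users\alice\Pictures\holiday.jpg.locked", CIPHERTEXT_LIKE)),
    (T0 + timedelta(seconds=4), "write", 4242, (r"C:\Users\alice\Desktop\todo.txt.locked", CIPHERTEXT_LIKE)),
    (T0 + timedelta(seconds=5), "write", 4242, (r"C:\Users\alice\Documents\q1.pptx.locked", CIPHERTEXT_LIKE)),
    (T0 + timedelta(minutes=5), "write", 2001, (r"C:\Backups\nightly.zip", CIPHERTEXT_LIKE)),
]

# Built-in Windows utilities that remove shadow copies; legitimate admin use is rare on workstations.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# "name.docx.locked": an original extension followed by an appended one.
DOUBLE_EXTENSION = re.compile(r"\.[A-Za-z0-9]{2,5}\.[A-Za-z0-9]{3,10}$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def score_events(events, burst_window=timedelta(seconds=10), burst_threshold=5, entropy_threshold=7.0) -> dict:
    """Return {pid: {"score": int, "reasons": [...]}} for processes showing ransomware-like behaviour."""
    findings = defaultdict(lambda: {"score": 0, "reasons": []})
    writes = defaultdict(list)   # pid -> [(time, path, entropy)]
    for time, kind, pid, detail in sorted(events, key=lambda e: e[0]):
        if kind == "proc" and any(p.search(detail) for p in SHADOW_COPY_PATTERNS):
            findings[pid]["score"] += 50
            findings[pid]["reasons"].append(f"shadow copy deletion: {detail}")
        elif kind == "write":
            path, data = detail
            writes[pid].append((time, path, shannon_entropy(data)))

    for pid, entries in writes.items():
        # Signal 2: a burst of high-entropy writes. One compressed archive is high
        # entropy too, so the count inside the window matters, not a single file.
        for i, (start, _, _) in enumerate(entries):
            in_window = [e for e in entries[i:] if e[0] - start <= burst_window]
            high = [e for e in in_window if e[2] >= entropy_threshold]
            if len(high) >= burst_threshold:
                findings[pid]["score"] += 40
                findings[pid]["reasons"].append(f"{len(high)} high-entropy writes within {burst_window.seconds}s")
                break
        # Signal 3: many files gaining an appended extension (weak on its own: .tar.gz also matches).
        renamed = [path for _, path, _ in entries if DOUBLE_EXTENSION.search(path)]
        if len(renamed) >= burst_threshold:
            findings[pid]["score"] += 10
            findings[pid]["reasons"].append(f"{len(renamed)} files written with an appended extension")
    return dict(findings)


def processes_to_contain(findings: dict, threshold: int = 60) -> list:
    """Pids whose combined score justifies killing the process and isolating the host."""
    return sorted(pid for pid, f in findings.items() if f["score"] >= threshold)


if __name__ == "__main__":
    result = score_events(SAMPLE_EVENTS)
    for pid, f in result.items():
        print(pid, f["score"], f["reasons"])
    print("contain:", processes_to_contain(result))
```

The scores are illustrative weights, but the structure is the point: no single signal is conclusive (backup software writes high-entropy archives, administrators occasionally prune shadow copies), so the decision to contain is made on the combination, and each contributing reason is kept so the analyst can see why the host was isolated.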

Ransomware Warranties

Ransomware warranties are insurance policies that offer financial compensation in the event of a ransomware attack. This can help mitigate the costs associated with downtime, lost data, and other damages.

Ransomware warranties can provide peace of mind regarding the potential financial impact of a ransomware attack. They can also help incentivize companies to invest in solid cybersecurity measures since many warranties require that specific security protocols are in place to be eligible for compensation.

These warranties can also help to shift some of the risk associated with ransomware attacks from the business to the warranty provider. This can be especially beneficial for small and medium-sized companies that may need more resources to recover from a ransomware attack on their own entirely. Still, it’s always important to consider the terms and conditions of any warranty before purchasing and to ensure that it aligns with the specific needs and risks of the organization.

Data Backups

Data backups provide an effective way to mitigate the risks associated with ransomware attacks. By regularly backing up important files and systems, businesses can restore their data to a pre-attack state in the event of an attack. Backups can minimize downtime, reduce the attack’s impact on business operations, and ensure that critical data is not permanently lost.

Businesses must implement a comprehensive data backup strategy that includes regular backups, secure storage, and tested recovery procedures. It is essential to ensure that backups are stored offsite and in secure locations to prevent them from being impacted by the ransomware attack.

Moreover, businesses must ensure that their data backup systems are up-to-date and include all critical data. Organizations can test data backups regularly to ensure they are working correctly and can be restored quickly and efficiently during an attack.
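Testing a backup means more than checking that the job finished: the restore drill should prove that every file in the set is still the file that was backed up, because a backup share that the ransomware could reach will contain encrypted copies, missing files and a ransom note, and a restore from it fails at the worst moment. The drill below is an added example written for this page, not code from the original article or from SentinelOne. It builds a small backup set in a temporary directory, records a SHA-256 manifest, simulates tampering (the overwritten file, the deleted file and the note file are all constructed), and then verifies the set against the stored manifest.

```python
"""Hash-manifest verification for a backup set, with a self-contained restore drill."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, POSIX separators) to its SHA-256."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree on disk with a previously stored manifest.
    Returns lists of files that are intact, changed, gone, or were never part of the set."""
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for relpath, expected in manifest.items():
        if relpath not in current:
            result["missing"].append(relpath)
        elif current[relpath] != expected:
            result["modified"].append(relpath)
        else:
            result["ok"].append(relpath)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def restore_drill() -> dict:
    """Build a backup set, store its manifest, simulate a ransomware-touched share, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("date,amount\n2023-01-01,100\n")
        (backup / "readme.txt").write_text("nightly backup set\n")

        # The manifest must live somewhere the ransomware cannot reach (offline or
        # immutable storage in practice); here a sibling file stands in for that.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))

        # Constructed tampering: one file overwritten with ciphertext-like bytes,
        # one deleted, one note dropped that was never part of the backup.
        (backup / "finance" / "ledger.csv").write_bytes(bytes(range(256)))
        (backup / "readme.txt").unlink()
        (backup / "README_TO_DECRYPT.txt").write_text("constructed ransom note placeholder\n")

        stored_manifest = json.loads(manifest_path.read_text())
        return verify_backup(backup, stored_manifest)


if __name__ == "__main__":
    for category, files in restore_drill().items():
        print(f"{category}: {files}")
```

Anything in `modified`, `missing` or `unexpected` means this copy cannot be trusted for a restore and an older, offline copy must be used; running the same check on a schedule, rather than only during an incident, is what turns a backup into a tested recovery procedure.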

Education & Training

Since ransomware attackers often use social engineering techniques to trick employees, comprehensive training on how to identify and avoid these types of attacks can help prevent the spread of ransomware. Regular training sessions and simulated phishing attacks can help reinforce the importance of staying vigilant against ransomware attacks.

Ransomware Detection & Removal

Unfortunately, paying the ransom does not always result in the safe return of the data, and it can encourage further attacks. Ransomware detection and removal is an essential aspect of cybersecurity that businesses cannot afford to ignore. Effective removal is a critical step that enables rapid recovery and helps businesses return to normal and continue their operations regardless of the scale or depth of the attack’s fallout.

Isolate and Disconnect Infection

Ransomware spreads quickly and efficiently through a network, which means it can quickly move to others once it infects one system. By isolating and disconnecting the infected system, businesses can prevent the ransomware from spreading to other parts of the network, limit the damage caused by the attack, and reduce the number of systems that need to be cleaned and restored.

Isolating and disconnecting the infected system also allows businesses to analyze the ransomware to gain insights into the malware’s behavior, determine the extent of the infection, and develop more effective strategies for removing it.

Identify and Report the Ransomware

Identifying the specific ransomware type can help companies determine the best course of action to remove it. Reporting the ransomware to relevant authorities, such as law enforcement or industry organizations, can help prevent future attacks. These organizations can use the information provided to investigate the source of the attack and take action to prevent similar attacks from happening to other businesses.

Reporting the ransomware can also help businesses stay compliant with regulations that require businesses to report data breaches or cyberattacks.

Restore Your Backups

Restoring backups is crucial for businesses to recover data and resume normal operations. Ransomware can encrypt or otherwise compromise valuable data, making it inaccessible until the company pays the ransom. However, paying the ransom is not recommended as it does not guarantee the safe return of the data and can encourage further attacks. Instead, businesses can regularly back up their data and restore it from a secure backup in case of a ransomware attack.

Restoring backups can also help businesses identify and remove any remaining traces of the ransomware. Eradicating ransomware can prevent the ransomware from infecting the system again or spreading to other parts of the network.

It’s important for businesses to regularly test their backups to ensure that they are complete and functional. If a backup is incomplete or corrupt, it may be unable to restore the data entirely, leaving the business vulnerable to data loss or prolonged downtime.

Use Extended Detection and Response (XDR)

Extended detection and response (XDR) is a comprehensive security solution that integrates multiple security technologies to provide enhanced visibility and protection across an organization’s IT infrastructure. XDR solutions can help businesses detect and respond to advanced threats by analyzing data from multiple sources and identifying patterns of behavior that indicate a potential attack.

XDR solutions also give businesses real-time visibility into their network, enabling them to quickly detect and respond to suspicious activity. Enterprises will be better equipped to prevent ransomware from spreading to other parts of the network and limit the damage caused by the attack.

Automatic reversion of all changes executed by malicious or suspicious code, no matter how small, gives administrators a safety net, protecting the endpoint and the entire domain from the potential chain effects of ransomware. An advanced XDR solution should be able to roll back any affected files that were encrypted to a previously sound state, relieving administrators of the tedium of restoring from external backup solutions or fully re-imaging systems.

Detect & Prevent with SentinelOne

For businesses seeking a comprehensive and proactive cybersecurity solution that can detect and prevent ransomware attacks, the Singularity XDR platform by SentinelOne extends protection from the endpoint to beyond with unfettered visibility, proven protection, and unparalleled response.

Singularity XDR is an advanced security platform that leverages artificial intelligence and machine learning to provide businesses with enhanced visibility and protection across their entire IT infrastructure. It can detect ransomware early, before it can cause significant damage, and automatically isolate infected systems and restore backups to minimize the impact on operations.

Singularity XDR enables businesses to detect and respond to suspicious activity quickly. It can also proactively monitor the network for vulnerabilities and potential attack vectors, helping businesses address security gaps before cybercriminals can exploit them.

Discover a powerful and effective solution to protect against ransomware attacks, and schedule a demo today.
