Understanding Ransomware, and how to Protect Against It

Ransomware has increasingly become a constant threat to all organizations. As we work on ramping up our defenses and building a strategic plan to counter cyberattacks, malicious actors launch even more sophisticated attacks, increasing the difficulty to defend.

Ransomware is often designed to paralyze an organization, by expanding throughout the network. This threat costs organizations millions of dollars. To defend against ransomware, it’s important to know what it is, how it’s launched, how to respond to it, and how to mitigate risk.

What is ransomware and how does it work?

Ransomware is malware that encrypts crucial data, files and operating systems of individuals, organizations, or institutions, and demands a sum of ransom money to decrypt it. It is a form of cyber manipulation, where malicious actors find vulnerable surfaces and use them against the organization, such that they lose access to their computers, databases, servers, applications, and files.

Ransomware takes hold of a system via any number of means, like a phishing email, or a targeted attack. Once it identifies an attack vector and establishes its hold on an endpoint, it will remain there until its task is completed.

After the ransomware establishes a stronghold inside the system, it drops a malicious binary, which in turn, discovers and encrypts data files, like documents, PDFs, multimedia files, and database storage. The ransomware may also exploit network or server vulnerabilities to spread across other systems, and may attempt to infect the entire organization.

When the attacker holds the organization’s data at their mercy, they attempt to extort the company to pay a demanded ransom to decrypt the files, or otherwise face serious consequences of data and potential system loss. If the organization does not have a reliable and timely data backup, and refuses to pay the ransom, the only option for them is to bear the lost time, resources, and potential damage to customer relationships, brand erosion, shareholder lawsuits and regulatory fines.

Why ransomware is so common

While there are many reasons that increase the possibility of a ransomware attack, the COVID-19 pandemic certainly played an important role in causing a significant rise in ransomware attacks. It forced individuals, businesses, and public sector agencies to quickly shift to digital technologies to continue their business operations. However, even without the vulnerabilities introduced by COVID-19, ransomware had become a growing threat.

Despite multi-layered security infrastructure and other sophisticated defensive measures, the threats of ransomware attacks prevail. Here are some factors that disable the sophisticated counter technologies to prevent a ransomware attack:

  • Cyber criminals are now highly sophisticated and have the latest resources, tools and technologies at their disposal.
  • The marketplace provides cybercriminals with malware kits that enable even the most minimally-skilled hackers to deploy it against their victims.


Ransomware-as-a-Service (RaaS) is a ransomware distribution model offered as a service for a fixed price. It is a subscription-based paid service that provides people of malicious intent with the necessary tools to deploy a ransomware attack. As surreal as it sounds, it’s a highly effective and practical approach to deploy a ransomware attack.

RaaS operators are affiliated with cybercriminals, providing them with the necessary gear, tools, payment portal to receive ransom payments, and occasional technical support. The RaaS provider either receives a part of the gained ransom profit through a contractual agreement, or by a pay-per-use agreement.

Why it’s hard to catch ransomware perpetrators?

Cybercriminals usually use crypto currencies like bitcoin for monetary transactions. With all its benefits, crypto currency is untraceable, which makes it advantageous for criminals. Money trails are one of the most effective ways to track down crimes and criminals involved. Because crypto currency offers anonymity, it’s difficult for legal authorities to track money flows.

Furthermore, ransomware is polymorphic by design, leaving no residue and easily bypassing traditional signature-based protection. Cybercriminals often operate in groups, making it even more difficult to trace an attacker.

Protective measures against ransomware

There are certain practices that can greatly help mitigate a ransomware attack. Some common practices include:

Data backup - Keeping regular backups of crucial data is the first step of defense against ransomware perpetrators. To ensure organizations never get locked out of their systems and data files, they should always, and often, store data backup copies within an external hard drive or cloud storage. In the event of a ransomware infection, though it may take a long time, computers can be formatted, and data files upload all the intact through backup. This way, losses can be avoided because of a ransom demand. Although backing up data won’t prevent these attacks, it may offer some degree of protection.

Secure the backups - Cybercriminals are devising strategies to corrupt, encrypt, or delete backup systems as well. Therefore, only depending upon backup is an inadequate defense. Many organizations use a privileged access solution to secure their backup, so only certain authorized people can access or modify it.

Install and maintain security software - Older software versions provide attackers with vulnerable access points to take hold of a system. This is why it is crucial to configure comprehensive security software across the organization to secure all systems and software. Keep all of devices and software updated as early and often as possible.

Safe surfing - This practice means users don’t click on unnecessary links, and respond only to legitimate emails. Most often, ransomware enters through phishing, tricking users into opening dangerous files containing malware or another virus.

Secure networks– Unsecured public Wi-Fi networks also present a threat, as everyone can access them, including malicious actors. The installation of a Virtual Private Network (VPN) can provide a secure Internet connection, no matter where users are. However, a VPN will not protect against a hacker that managed to get inside the internal network.

Stay aware - Stay informed and vigilant regarding the latest ransomware threats so the organization can be watchful for potential attacks. Additionally, learn about decryption tools available in the market which will help if the organization is victimized by ransomware.

Cybersecurity awareness programs- Many employees may not fully understand the concept of cybersecurity and how some of their activities can increase the risks of an attack. Hence, it is beneficial for companies to conduct regular drills, simulation activities, and training employees so they can be vigilant to phishing and other social engineering attacks.

How to respond during a ransomware attack

In the event of an attack, quick action is essential in order to limit the impact. There are certain steps to follow for mitigation:

Isolate the attacked device(s) to stop the spread- When ransomware infects one system, it can pose a moderate threat. However, the devastation begins when it spreads across the organization. Incident response time decides the extent of damage caused. So, reacting quickly to isolate the infected devices and disconnect them from the network, servers and other devices is critical. Wireless connectivity (e.g., Bluetooth, WiFi, Hotspots, etc.) should be immediately shut down to limit the infection.

Assess the damage- As the ransomware might have made its presence in other devices, it’s recommended to assess all data files and any suspicious activity. For instance, files that are recently encrypted with strange extensions, reports having odd file names, or the files that users have trouble opening. Once infected items are discovered, disconnect them from the network to contain the infection.

The objective is to make a comprehensive report of all potential attack vectors, end-point devices, storage, etc. so appropriate protection measures can be taken. Locking down all file shares will halt ongoing encryption, to keep it from spreading further.

Identify Patient Zero - Patient Zero is the source of infection. It’s the device or system which was first targeted by the cybercriminals, and through which the ransomware infection entered the environment. Until Patient Zero is located, the chase to contain the infection will continue. To gain visibility, check for any alerts issued by the anti-malware software and other monitoring platforms.

As phishing emails and malicious attachments generally initiate an attack, ask employees about any suspicious email they might have received and opened. Take a close look at the file properties, which will provide clues about the entry point.

Identify the ransomware variant - Before going deeper into defense, it helps to know about ransomware variants that might attack systems. There are several tools available that will scan encrypted files and provide insights about the variant involved. Conduct research to understand it better, and alert all employees about its behavior and signs to identify to discern if they’ve become a target.

Report to federal authorities - A cyberattack is a legal offense and should be brought to the attention of authorities as soon as possible. Law enforcement needs timely and accurate details so they can begin a thorough investigation.

Restore data backups - Now that all the precautionary measures have been taken, it’s time to continue the response process. Following the above steps correctly and quickly, will provide a complete and infection-free backup. The next step is to employ an anti-malware to eliminate the ransomware to prevent further spreading. Once all traces of the ransomware are eliminated, restore the system data with backup.

Consider other decryption options – Many organizations find themselves without a viable backup, either because it has been corrupted by ransomware, or they failed to backup data in a timely manner. In either case, even without backup, there is a small chance to regain access to the data with decryption tools. There are several keys and applications available which can decrypt data locked by ransomware. However, it’s a long process, and if luck favors you, the data may be restored within a few days.

The final step - Without a viable backup, and with no help from the decryption tools, it becomes a very difficult situation. The loss can be huge, and rebuilding from scratch will not be easy. Losses will have to be dealt with, as well as time, resources and investments in the rebuilding process.

Why not pay the ransom?

The long and complicated process of dealing with data recovery for weeks or months can dilute resources. This is why some organizations choose to pay the ransom. However, it’s not a wise decision, and here’s why:

  • Even if the ransom is paid, there is no guarantee the hacker will send the decryption key in return. There are numerous examples where companies were deceived after paying a ransom. When you’re playing by the criminal’s rules, there’s no guarantee they will stick to the deal.
  • Often, cybercriminals will demand more money once the demanded ransom is paid. They know there’s an urgency and willingness to get the attack resolved, and you’re at their mercy.
  • Even if the criminals hold up their end of the deal and provide you with a decryption key, there is no guarantee the key will work, especially if the corruption has gone too far and beyond repair.
  • If ransom is paid, organizations are targeting themselves for another attack, as bad actors will find them easy prey.
  • Paying a ransom encourages criminal activity, and validates ransomware as a viable business model. If organizations refuse to pay ransom, cybercriminals will have to find other means of generating income.

Resource Guide :



Contact Details

Contact RevBits

Message icon Request a Demo