The Five W’s (and How) of Ransomware

Ransomware is quickly becoming the weapon of choice used by hackers against consumers and businesses alike. Its impact can be especially devastating to businesses, as an infection on a single machine can spread to other computers and shut down an entire network. Ransomware may be lurking inside an email attachment or online advertisement, and the simple act of clicking a mouse can set the wheels in motion for your data to be held hostage.

This article will discuss the Five W’s (Who, What, When, Where, and Why) and How of Ransomware so that consumers and businesses will be better prepared to protect themselves and their data.

WHAT is ransomware and how does it work?

Ransomware is malicious code that infects a computer with the intention of extorting money. There are two main types of ransomware. The first has the ability to lock a user out of the computer, making it inaccessible. The second, and most common form, will encrypt files stored on the computer.

In each instance, a ransom note will appear providing instructions on the cost of retrieving the data or unlocking the computer and a deadline for paying it. The ransom amount and consequences will vary depending on the type of ransomware that has infected the computer and the hacker deploying it.

For example, Jigsaw, a well-known type of ransomware, will begin deleting a random file from a person’s computer at a specified interval until either the ransom is paid or the computer is wiped clean. Others will provide a grace period, after which the cost of the ransom will increase significantly. If the ransom is left unpaid, the hacker has the option to delete the encryption key, making the data unrecoverable.

WHO is being targeted by ransomware?

Though everyone can be considered a target of ransomware, hackers have recently begun specifically targeting small- to medium-sized businesses as well as healthcare organizations, financial institutions, schools, and governmental agencies. Many believe that large corporations are the primary target for hackers because they have the financial means to pay ransoms. While that may be true, it is much more difficult to infiltrate a large corporation that has a healthy cybersecurity budget to prevent the attack or, in the case of infection, has the ability to restore its data from backups.

Even if cybersecurity has been prioritized, many companies simply do not have the same budget as their larger counterparts. With that in mind, a hacker has the potential to infect ten or more computers for the same amount of effort that it would take to infect one at a large corporation. When it comes to ransomware, quantity matters.

WHEN can a person or company get infected with ransomware?

If a person or company has access to the Internet, or has a computer linked to a cloud or file-sharing service, they can be targeted by ransomware. That is why it is important to always be mindful and maintain good security practices when using a computer, smartphone, tablet or other device.

WHERE does ransomware hide?

Ransomware can be found all over the Internet, including in email links and attachments, online advertisements, smartphone and tablet apps, and cloud services, and it can also be delivered by exploiting unpatched system vulnerabilities.

Phishing emails generally contain links that, once clicked, will reroute the user to an infected website. Unless the email is from a trusted source, or if there is any doubt, never click on the link or the attachment.

Online advertisements connected to a ransomware attack are known as malvertising. By clicking on an advertisement, the user can unknowingly begin installing the malware. Alternatively, the ads contain a script that checks the computer for vulnerabilities that will allow the download and installation of the ransomware.

Smartphone and tablet applications are common targets, especially when downloaded from a third-party store. Unless the app is from a trusted source such as Google Play or the App Store, don’t download it. Once a phone or tablet is infected, if it is connected to a cloud-based file-sharing platform, the ransomware can potentially spread from the infected device to the user’s other devices.

Lastly, ransomware can enter a system the old-fashioned way – through unpatched vulnerabilities. By not maintaining Windows or OS X system updates, a computer is left open to attack.

WHY do hackers use ransomware?

Ransomware provides a low-risk, high-reward business model for hackers. Assume a hacker using ransomware successfully infects ten computers in one week. If they are demanding $100 per computer to decrypt the data, they can make up to $1,000. Even if payment is only made on half of the infected computers, that is still $500 a week with very little effort.

There are many versions of ransomware available on the Dark Web, and once one is deployed, it is extremely difficult to trace the attack to a single group or individual. When it comes to compensation, the hacker will demand that payment be made in Bitcoin, an anonymous way to transfer money, which further reduces the risk of being identified.

HOW can you protect yourself from ransomware?

Unfortunately, even the most cautious and diligent computer users can still fall victim to a ransomware attack. However, by understanding the who, what, when, where and why of ransomware, and by implementing the following security best practices, the likelihood of being infected with ransomware drops precipitously.

  1. Maintain a backup copy of the data. This is the number one way to combat ransomware. It is essential that this copy is not connected in any way to the computer hosting the data. Otherwise, when the computer gets infected and the files become encrypted, there is a good chance that the backup copy will be encrypted as well.
  2. Ensure all operating systems, browsers, and programs are up to date. Microsoft and Apple release patches on a regular basis to address the latest security threats. It is essential to keep up with these system patches, as well as to maintain updates for your browsers and other programs like Flash and Java. For businesses, one of the best ways to identify vulnerabilities in their network is through penetration testing.
  3. Use security software. Running up-to-date security software such as email, web, and endpoint protection can greatly reduce the chances of a malware infection.
  4. Learn how to recognize security threats. Employees are the number one cause of accidental data breaches. By training them to recognize security threats, a company can turn their number one liability into a valuable first line of defense.
  5. Engage a trusted security advisor. Ransomware threats are constantly changing, so it is important to have a trusted security advisor to help guide your organization on best practices for mitigating the threat of an attack and to assist in the event a breach does occur.

Ransomware will not be disappearing anytime soon. By taking these simple precautions, businesses and consumers can better defend their data from being held hostage.

TCDI | Computer Forensics | Cybersecurity | Litigation Technology