
Why does ransomware keep evading your defenses?



About the author

Nir Gaist, Founder and CTO of Nyotron, has worked with some of the largest Israeli organizations, written the cybersecurity curriculum for the Israel Ministry of Education, and holds patents for Behavior Pattern Mapping. 

Ransomware has long been a menace for organizations and consumers. Global damage cost estimates reach about 10 billion USD per year. After all these years, why does ransomware continue to be so good at being so bad? The answer is a combination of the security industry’s history of largely ineffective responses to ransomware and how ransomware developers use psychology to trick users into thinking they’re responding to requests from a colleague or even donating Bitcoins to a children’s charity.

Ransomware is hardly new or unknown: it has been around since 1989. Yet it remains one of the most common and successful attack types. According to reports, there were over 180 million ransomware attacks in the first six months of 2018 alone. The adoption of cryptocurrencies and Tor has served to amplify the prevalence of ransomware dramatically.

Every 14 seconds, an organization somewhere in the world falls prey to a ransomware attack. But the bad actors are not narrow in their focus and typically target many organizations and users at once. For example, think back to the global WannaCry attack that resulted in losses of almost $4 billion.


How ransomware works

The details of how an attack gets inside a system or an organization, i.e., its “attack vector,” are irrelevant. It can be phishing, exposed RDP, or any other avenue that ransomware developers leverage to get in.

Instead, let’s take a look at what happens when ransomware actually interacts with your file system and encrypts data. First, the ransomware process (or processes) locates the files it wants to encrypt. These are most often selected by file extension and target your most valuable assets, such as Microsoft Office documents or photos, while leaving operating system files intact to ensure that the system will still boot. Then the malware encrypts that data in memory and destroys the original file.

One route ransomware takes is to save the encrypted data into a new file and then delete the original.

Another option, and probably the most devious one, is to write the encrypted data into the original file itself. In this case, the original file name is left intact, which complicates recovery by making it difficult to distinguish between encrypted files and those that haven’t been encrypted.

A third method is for ransomware to create a new file, as in the first option, but then use a rename operation instead of a delete to replace the original file.

After completing the encryption process, the infamous ransomware note is displayed. We know that part of the story quite well from the news coverage.
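Each of the three write patterns described above leaves a distinct trace in file-system telemetry. The following is an added example, not part of the original article: a Python classifier that labels each pattern in a constructed event list and flags a process only when it rewrites several originals. The event tuple format, the file names, and the `min_files` threshold are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events (pid, operation, path, rename_target); not real telemetry.
EVENTS = [
    (101, "read", "docs/a.docx", None),
    (101, "create", "docs/a.docx.locked", None),
    (101, "write", "docs/a.docx.locked", None),
    (101, "delete", "docs/a.docx", None),
    (101, "read", "docs/b.xlsx", None),
    (101, "write", "docs/b.xlsx", None),
    (101, "read", "pics/c.jpg", None),
    (101, "create", "pics/tmp1", None),
    (101, "write", "pics/tmp1", None),
    (101, "rename", "pics/tmp1", "pics/c.jpg"),
    # pid 202 models an editor saving one file via temp file + rename (benign).
    (202, "read", "docs/report.docx", None),
    (202, "create", "docs/~tmp", None),
    (202, "write", "docs/~tmp", None),
    (202, "rename", "docs/~tmp", "docs/report.docx"),
]

def classify(events):
    """Return {pid: {original_path: pattern}} for the three behaviours."""
    read, created = defaultdict(set), defaultdict(set)
    hits = defaultdict(dict)
    for pid, op, path, target in events:
        if op == "read":
            read[pid].add(path)
        elif op == "create":
            created[pid].add(path)
        elif op == "write" and path in read[pid] and path not in created[pid]:
            hits[pid][path] = "overwrite_in_place"      # second method
        elif op == "delete" and path in read[pid] and created[pid]:
            hits[pid][path] = "new_file_then_delete"    # first method
        elif op == "rename" and path in created[pid] and target in read[pid]:
            hits[pid][target] = "new_file_then_rename"  # third method
    return dict(hits)

def suspicious_pids(events, min_files=3):
    """Flag processes that rewrote at least min_files distinct originals."""
    found = classify(events)
    return sorted(pid for pid, files in found.items() if len(files) >= min_files)

if __name__ == "__main__":
    for pid, files in classify(EVENTS).items():
        print(pid, dict(Counter(files.values())), pid in suspicious_pids(EVENTS))
```

A single temp-file-and-rename save matches the third pattern exactly, so the count of distinct originals touched by one process, not the pattern alone, is what separates the two processes in this sample.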
