
Ransomware 101: What Is Ransomware and How to Spot It on Your Network



Rob Behnke

October 12th, 2021


Ransomware attacks have become a growing problem, with the number of attacks more than tripling in a single year, and the Federal Bureau of Investigation (FBI) reporting that over 4,000 ransomware cases take place every single day. Ransomware and its effect on organizations have become such a big issue that even President Biden and Russian president Vladimir Putin were forced to come to the table earlier this year over an infamous Russian-based ransomware operation targeting international organizations – including a number of organizations in the United States.

Ransomware, a form of malware, enables cybercriminals to target any device within an organization’s network or the device of any individual connected to the internet, posing a huge threat to an entity’s information security and its ability to operate. Losing access to your sensitive information for even a short time can cause catastrophic damage to your operations, not to mention the high costs associated with being the victim of a ransomware attack. So, in this article, we’ll take a close look at what ransomware is, how to spot it on your network, and how to protect your information.

What Exactly Is Ransomware?

Ransomware has become one of the most popular types of malware for attackers, with some organizations paying in the millions to regain access to their data. Even the famous talk show host Trevor Noah recently ran a segment on ransomware in The Daily Show! But what exactly is ransomware and how does it work?

Simply put, ransomware is a form of malware that encrypts a user’s or entity’s information and holds it for ransom. When your information is encrypted by an attacker, you can no longer access files, applications, and databases unless the cybercriminal grants you access through decryption, which is paid for through the ransom.

How and Why Ransomware Attacks Occur

Attackers realize that if they can get away with it, there is a lot of money to be made through ransomware attacks. In fact, ransomware has become so popular among cybercriminals that it’s possible for attackers to access RaaS (Ransomware as a Service), which allows them to leverage the resources of established ransomware experts. This is one of the reasons ransomware attacks have exploded since 2020, so it’s worth taking a closer look into how ransomware attacks work.

5 Stages of a Ransomware Attack:

  1. Hacker scans for vulnerabilities: There are bugs and vulnerabilities in every system and network, and these are the kinds of things that ransomware attackers try to find and exploit to take control of your information.
  2. Hacker checks whether the vulnerability is patched: Once one of these vulnerabilities is discovered by the hacker, they will check to see whether the vulnerability is protected against, and if not, they will verify how the vulnerability can be exploited to make money.
  3. Malware is transmitted to your machine: At this point, the hacker will transmit some software over the internet to your machine that will sit idle until a future execution date. At this stage you may not notice anything different happening on your machine or network.
  4. Ransomware is executed and files encrypted: This is where the attacker’s code executes and encrypts a large portion of files on the network or the user’s machine. The code would typically encrypt all files except those needed to run the device itself, so the machine will still function, but all the files may be rendered inaccessible.
  5. Hacker sends ransom message and instructions: At this point, you would see a message pop up on your screen explaining that you’ve been hacked, along with instructions on what the ransom payment is and how to pay it. The hacker will explain that once this ransom is paid, you will be given access to the decryption tool so you can access your files again.

During this process it’s important to note that cybercriminals rarely exploit zero-day vulnerabilities. Rather, they exploit vulnerabilities that have been known for some amount of time – sometimes months or even years.

How to Spot Ransomware on Your Network

One of the main things to understand about ransomware is that it knows no boundaries. Getting ransomware on your device at home is just as possible as getting it on a corporate-level server. So below, we’ll review some of the common ways to spot ransomware on your device so you can take action and better protect your information.

Suspicious Emails

One of the most common ways ransomware attacks start is through phishing emails, where the hackers attempt to socially engineer users to open their message and click on links that execute malicious code.

Unusual Activity

Ransomware on your system may result in unusual activity such as login irregularities and failures, odd registry or system file changes, large numbers of requests for certain files, a high number of failed file modifications, sudden changes in file access permissions, and DNS request anomalies, among other things. The key here is to look for anything unusual that is happening on your device or network.

Anti-Ransomware Tools

There are a number of available options for anti-ransomware tools such as the suite of tools from Kaspersky for personal and enterprise use. These tools scan your system for known ransomware or what could potentially be ransomware.

Increased CPU and Disk Activity

If you see increased CPU or disk activity for no apparent reason, this could be due to ransomware removing, encrypting or searching for files on your device.

Sudden Difficulty Finding Files

Ransomware can not only encrypt files but also delete, rename and relocate them.
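The three sections above (unusual activity, increased disk activity, files being renamed or going missing) describe indicators that can be checked mechanically in a file-audit log. The following script is an added example, not code from the original post or from Halborn: it groups constructed audit lines by host, process and minute, and raises an alert when a bucket shows a burst of extension-changing renames, many failed modifications, or one process touching an unusually large number of files. The log format, process names and thresholds are all assumptions made for the example.

```python
"""Added example: flag the indicators the post lists (mass failed file
modifications, renames that change extensions, one process touching many
files) in per-minute buckets of file-audit log lines. The log format, the
process names and the thresholds are constructed for this example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import os
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))? status=(?P<status>\S+)$"
)
CHANGE_ACTIONS = {"WRITE", "RENAME", "DELETE"}


def parse_line(line):
    """Return a dict for one audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def analyze(lines, rename_threshold=50, fail_threshold=20, touched_threshold=100):
    """Group events by (host, process, minute) and report buckets that cross
    any threshold. Returns one alert dict per suspicious bucket."""
    buckets = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        minute = event["ts"].replace(second=0, microsecond=0)
        buckets[(event["host"], event["proc"], minute)].append(event)

    alerts = []
    for (host, proc, minute), events in sorted(buckets.items()):
        new_exts = Counter()
        failures = 0
        touched = set()
        for e in events:
            touched.add(e["path"])
            if e["action"] in CHANGE_ACTIONS and e["status"] != "OK":
                failures += 1  # denied or failed modification attempt
            if e["action"] == "RENAME" and e["new"]:
                old_ext = os.path.splitext(e["path"])[1].lower()
                new_ext = os.path.splitext(e["new"])[1].lower()
                if new_ext != old_ext:
                    new_exts[new_ext] += 1  # rename attempt that changes the extension
        renames = sum(new_exts.values())
        indicators = []
        if renames >= rename_threshold:
            indicators.append("rename_burst")
        if failures >= fail_threshold:
            indicators.append("failed_modifications")
        if len(touched) >= touched_threshold:
            indicators.append("mass_file_access")
        if indicators:
            alerts.append({
                "host": host, "proc": proc, "minute": minute.isoformat(),
                "indicators": indicators, "renames": renames,
                "failures": failures, "touched": len(touched),
                "top_new_ext": new_exts.most_common(1)[0][0] if new_exts else None,
            })
    return alerts


def build_sample_log():
    """Constructed audit trail: a user editing a few documents, then one
    process renaming 120 spreadsheets to a new extension within 48 seconds."""
    lines = []
    base = datetime(2021, 10, 12, 9, 0, 0)
    for i in range(5):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} host=ws01 proc=winword.exe action=WRITE "
                     f"path=C:/Users/alice/Documents/report{i}.docx status=OK")
    burst = base + timedelta(minutes=10)
    for i in range(120):
        t = burst + timedelta(milliseconds=400 * i)
        path = f"C:/Users/alice/Documents/sheet{i}.xlsx"
        status = "DENIED" if i % 5 == 0 else "OK"  # some files are locked or read-only
        lines.append(f"{t.isoformat()} host=ws01 proc=updater.exe action=RENAME "
                     f"path={path} new={path}.locked status={status}")
    return lines


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

The thresholds are deliberately coarse; in practice you would tune them per host role (a build server legitimately rewrites thousands of files a minute) and pair the alert with the process name and the new extension, which is often the quickest way to tell a backup job from an encryptor.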

Obviously, no business is immune to the threats of ransomware, but we encourage you to use the above suggestions to spot ransomware in addition to educating all the stakeholders in your organization on how to spot things like phishing emails, suspicious links and other signs of malware. Malware infecting just one machine can ultimately cause an entire network to go down, so educating users is a powerful strategy.

Protecting Yourself From Ransomware Attacks

Experiencing a ransomware attack can be catastrophic to your operations as well as extremely expensive and time consuming to recover from. But there are a number of things you can do to protect yourself from these dangerous attacks. Here are some options to consider:

Keep Devices and Software Updated

Your first line of defense against a bad actor getting onto your network or into your device is ensuring your system and devices are updated. Remember that bad actors look for known vulnerabilities – so the second an update is available for a vulnerability on your machine or software, be sure to update right away.

Secure Protocols and Password Management

We covered password management in depth in our Password Management Tools article but, for starters, you’ll want to make sure never to use default or weak passwords for anything related to your information, and whenever possible use hardware keys, such as a YubiKey.

Restrict User Permissions Where Applicable

This is all about restricting permission for certain users to install unwanted software applications or make unauthorized changes to operating system settings, among other things. Restricting these permissions helps prevent ransomware from entering your device and potentially spreading throughout your network.

Use Multifactor Authentication (2FA) Where Possible

Using 2FA on as many accounts as possible helps to defend against bad actors gaining access to your infrastructure and sensitive information. 

Filter Emails With Attachments

Consider implementing a system where emails with any attachments are automatically filtered and checked to ensure they are safe, before allowing the intended recipient to access those attachments. 
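As an added illustration of the kind of automatic check described above (this is example code written for this page, not Halborn's tooling), the script below screens each attachment of a message before delivery: it applies a constructed extension block list, catches double extensions such as a document name with an executable suffix, and compares the file's leading bytes with the type its name claims. The sample message, the policy lists and the decision names are assumptions made for the example.

```python
"""Added example: hold a message's attachments for review before delivery,
using an extension block list, a double-extension check and a comparison of
the file's leading bytes with its claimed type. The policy lists and the
sample message are constructed for this example."""
from email.message import EmailMessage
import os

# Extensions that should not reach a mailbox unreviewed (constructed policy).
BLOCKED_EXT = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta", ".lnk", ".iso"}
# Document-like extensions that a double-extension trick hides behind.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Leading bytes of a few common formats.
MAGIC = [(b"MZ", "executable"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]


def sniff(data):
    """Classify content by its leading bytes; 'unknown' when nothing matches."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def screen_attachment(filename, data):
    """Return ('allow' | 'quarantine', [reasons]) for one attachment."""
    reasons = []
    stem, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(stem)[1]
    if ext in BLOCKED_EXT:
        reasons.append(f"blocked extension {ext}")
    if inner_ext in DOCUMENT_EXT and ext not in DOCUMENT_EXT:
        reasons.append(f"double extension {inner_ext}{ext}")
    kind = sniff(data)
    if kind == "executable":
        reasons.append("content starts with an executable header")
    if ext == ".pdf" and kind != "pdf":
        reasons.append("claims to be a PDF but content does not start with %PDF")
    return ("quarantine" if reasons else "allow"), reasons


def screen_message(msg):
    """Screen every attachment of an EmailMessage.
    Returns a list of (filename, decision, reasons) in attachment order."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        decision, reasons = screen_attachment(name, data)
        results.append((name, decision, reasons))
    return results


def build_sample_message():
    """Constructed message: a benign PDF, a text file, and an executable
    disguised with a double extension and a misleading content type."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"see the invoice",
                       maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf", filename="invoice.pdf.exe")
    return msg


if __name__ == "__main__":
    for name, decision, reasons in screen_message(build_sample_message()):
        print(f"{name}: {decision} {reasons}")
```

A quarantined attachment should be held for a reviewer or detonated in a sandbox rather than silently dropped, so that a legitimate file with an odd name can still be released; the content-sniffing step matters because a block list alone is defeated by renaming the file.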

Use Discretion When Accessing Information

Beyond the above protections, you should always assume that any email, link, webpage or file can be malware. Never open unsolicited emails, even when they come from people in your network.

Have a Backup Strategy

Periodic backups allow you to keep your data safely stored off your internet-accessible network and machines, and they give you confidence that you hold a ransomware-free copy of your data and information. In the event that your systems and information are infected with ransomware, your backup may be the only source from which to salvage your data and return to normal operations quickly.

Here are a few important notes on keeping proper backups:

  • Make Backups Periodically: Since malware can execute long after it has entered your system, you won’t know exactly when the ransomware was first installed. Multiple backups will allow you to restore to a safe date before the installation of the malware, and you’ll likely only know what this date is after you’ve completed a thorough investigation.
  • Test Your Backups Periodically: Having a backup won’t be useful if it doesn’t work, so be sure to perform thorough tests of the backups you have implemented. That way, if you become the victim of an attack, you can deploy the backup with certainty that it will work.
  • Isolate Backups: As most ransomware will enter through the internet, your backups should be kept offline to protect them from being encrypted as well.
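The first two notes above (keep several generations so you can restore to a date before the infection, and test that a backup actually restores) can be turned into a routine check. The script below is an added example, not Halborn's code: each backup generation carries a SHA-256 manifest written at backup time, a restore is verified against that manifest, and the newest generation taken before the estimated compromise time is chosen as the restore point. The directory layout (one directory per generation, named by UTC timestamp), the manifest file name and the sample files are assumptions made for the example.

```python
"""Added example: keep a SHA-256 manifest with each backup generation, verify a
restored tree against it, and pick the newest generation taken before the
estimated time of compromise. The directory layout (one directory per
generation named by its UTC timestamp) and the sample files are assumptions
made for this example."""
import hashlib
import json
import os
import tempfile
from datetime import datetime

GEN_FORMAT = "%Y%m%dT%H%M%SZ"  # generation directory name, e.g. 20211008T020000Z
MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root (manifest excluded)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel != MANIFEST_NAME:
                manifest[rel] = sha256_file(full)
    return manifest


def verify_tree(root, manifest):
    """Compare a restored (or stored) tree with its manifest. Returns a sorted
    list of (problem, relative_path); an empty list means the restore is intact."""
    problems = []
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems.append(("missing", rel))
        elif sha256_file(full) != digest:
            problems.append(("modified", rel))
    for rel in build_manifest(root):
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return sorted(problems)


def choose_restore_point(generation_names, compromise_iso):
    """Newest generation strictly older than the estimated compromise time
    (an ISO-8601 string such as '2021-10-12T09:00:00'); None if there is none."""
    compromise = datetime.fromisoformat(compromise_iso)
    safe = [g for g in generation_names
            if datetime.strptime(g, GEN_FORMAT) < compromise]
    return max(safe) if safe else None  # fixed-width names sort chronologically


def demo():
    """Constructed scenario: three weekly generations; the newest one is
    altered after its manifest was written, so verification must catch it."""
    with tempfile.TemporaryDirectory() as tmp:
        names = ["20211001T020000Z", "20211008T020000Z", "20211015T020000Z"]
        manifests = {}
        for name in names:
            root = os.path.join(tmp, name)
            os.makedirs(os.path.join(root, "docs"))
            with open(os.path.join(root, "docs", "plan.txt"), "w") as f:
                f.write(f"quarterly plan as of {name}\n")
            manifests[name] = build_manifest(root)
            with open(os.path.join(root, MANIFEST_NAME), "w") as f:
                json.dump(manifests[name], f)
        # Overwrite one file in the newest generation to stand in for a copy
        # that was damaged or encrypted after it was written.
        with open(os.path.join(tmp, names[2], "docs", "plan.txt"), "wb") as f:
            f.write(b"\x00unreadable\x00")
        return {
            "clean_problems": verify_tree(os.path.join(tmp, names[1]), manifests[names[1]]),
            "tampered_problems": verify_tree(os.path.join(tmp, names[2]), manifests[names[2]]),
            "restore_point": choose_restore_point(names, "2021-10-12T09:00:00"),
        }


if __name__ == "__main__":
    print(demo())
```

The manifest only proves that what you restored is what you backed up; it says nothing about whether the backed-up files were already encrypted, which is why the restore point is chosen from the investigation's compromise estimate rather than simply "the latest". Keeping the manifest on the same offline media as the generation (the third note above) stops an attacker from rewriting both.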

What to Do if You Become the Victim of a Ransomware Attack

If you suspect you’ve been hacked, consider the following 4 steps:

  1. Disconnect from the network: Disable WiFi and Bluetooth, unplug ethernet cables, and put devices on airplane mode.
  2. Disconnect external devices: Since you may not know where the ransomware originated, remove USB keys, docking stations, and other external devices from your machines.
  3. Report the incident to the appropriate authorities: This process may differ depending on your local area. The United States government, for instance, launched a dedicated Hub for Ransomware Victims. Depending on where you are, there may be specific services; however, notifying law enforcement is also advised.
  4. Investigate and run your backup: If appropriate, run your own internal investigation, and restore files from backups when you are certain that the backups do not also contain the ransomware.

Should You Pay the Ransom?

The answer to this question ultimately comes down to what’s at stake, however the FBI advises that you should avoid paying a ransom in ransomware cases, as there is no guarantee the attacker will decrypt your data and give you access. 

Further, only one in ten companies that pay a ransom get all their data back and paying the ransom could cause the name of your organization to make the rounds in cybercriminal circles and make you an attractive target for future attacks. Additionally, paying a specific attacker could set you up for bigger ransoms from that same attacker going forward.


The severity and scale of ransomware attacks is growing with no immediate signs of slowing down. And as this area of cybercrime grows, it becomes increasingly important to protect your devices, network and organization from falling victim to these malicious attacks. If you want to learn more about how to protect your sensitive information from ransomware attacks, reach out to our cybersecurity experts at halborn@protonmail.com