Ransomware: How it works and how to stop it (without any hype or fearmongering)
The ransomware threat
The dreaded word malware, shorthand for "malicious software," means exactly what it says: some sort of rogue computer program created specifically to cause harm to you, your computer and your digital life.
Malware comes in many forms, typically named after the type of cybercriminal activity it carries out, such as keyloggers that keep track of passwords, and spyware that snoops on your webcam, screen and microphone.
But the malware type that commands the biggest media headlines is undoubtedly ransomware.
As the name suggests, ransomware essentially kidnaps your computer, or, more precisely, the data on it, and then demands money for its return.
Worse still, most contemporary ransomware attackers don't go after victims one by one, but instead try to kidnap the data from every computer in an organisation at the same time, to create the worst disruption they can.
As a project manager, having your own computer out of action for a while would be alarming, even if your IT department could rustle up a reasonable temporary replacement.
But if everyone who feeds information to you is similarly affected at the same time, and if all the staff who work with them can't do anything either because their computers are out of action, then even a well-oiled IT team with an enormous budget might struggle with getting your project (or, indeed, any other part of the business) moving again.
In most ransomware attacks, therefore, the criminals want everyone in the company to know exactly what happened, just how severe things are, and what they expect the business to do next.
In many cases, the attackers litter every hard disk with copies of a file such as Help Restore Your Files.txt, and change every laptop's background image to an eye-catching ransom note for added drama.
In some attacks, ransom demands have been sent to every available printer on the network and left as chilling voicemail messages for the IT and cybersecurity teams.
Why is recovery so hard?
The obvious question, of course, is, "Why can't you just 'unkidnap' your own data?"
After all, the criminals don't literally break into homes, offices and data centres across the country and steal every laptop and every server belonging to the business.
Instead, the trick that most ransomware attackers use to 'kidnap' your files is simply to scramble those files in place on your hard disk, using the same sort of secure encryption algorithms that we rely on to keep our web browsing safe.
Then they offer to sell you, or your company, the decryption keys needed to liberate the files from their imprisonment right there in plain sight on every computer.
Ironically, you will probably still be able to boot up your computer and open your favourite applications, as though nothing were amiss.
You'll probably see all your precious files sitting there on your hard disk or the network, tantalisingly within reach, though typically renamed from something like Projects2025.PDF to Projects2025.PDF.!Gotcha.
You can even try to open those files, only to find that they won't load into the relevant app at all, or that they load up but look like the digital equivalent of shredded cabbage.
So near, and yet so far!
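The 'scramble in place' approach described above leaves a recognisable footprint on disk: many files renamed with one uniform appended extension, and the same note file dropped in directory after directory. As an added example (not part of the original article), the Python heuristic below flags that footprint in a constructed batch of file-system events; the event format, thresholds and sample paths are assumptions, and a real deployment would feed in file-system audit events instead.

```python
"""Heuristic detection of in-place ransomware scrambling: one uniform suffix
appended to many file names across several directories, plus a note file
created in many of those directories. Added example; events are constructed."""
from collections import Counter, defaultdict

# Constructed sample of file-system events: (action, path, new_path_or_None).
EVENTS = [
    ("rename", r"C:\Projects\Projects2025.PDF", r"C:\Projects\Projects2025.PDF.!Gotcha"),
    ("rename", r"C:\Projects\Budget.xlsx", r"C:\Projects\Budget.xlsx.!Gotcha"),
    ("create", r"C:\Projects\Help Restore Your Files.txt", None),
    ("rename", r"C:\Users\pm\Docs\Plan.docx", r"C:\Users\pm\Docs\Plan.docx.!Gotcha"),
    ("rename", r"C:\Users\pm\Docs\Notes.txt", r"C:\Users\pm\Docs\Notes.txt.!Gotcha"),
    ("create", r"C:\Users\pm\Docs\Help Restore Your Files.txt", None),
    ("rename", r"C:\Users\pm\Docs\draft.tmp", r"C:\Users\pm\Docs\draft.md"),  # benign rename
    ("create", r"C:\Users\pm\Docs\todo.txt", None),  # benign create
]

def appended_suffix(old, new):
    """Return the suffix a rename tacked onto the original name (the
    'Projects2025.PDF' -> 'Projects2025.PDF.!Gotcha' pattern), else None."""
    if new.startswith(old) and len(new) > len(old):
        return new[len(old):]
    return None

def analyse(events, min_renames=3, min_dirs=2):
    """Flag a batch when one appended suffix dominates renames across several
    directories; also report any file name created in at least min_dirs directories."""
    suffixes = Counter()
    dirs_per_suffix = defaultdict(set)
    created_in = defaultdict(set)  # file name -> directories it was created in
    for action, path, new_path in events:
        directory, name = path.rsplit("\\", 1)  # sample paths are Windows-style
        if action == "rename" and new_path:
            suffix = appended_suffix(path, new_path)
            if suffix:
                suffixes[suffix] += 1
                dirs_per_suffix[suffix].add(directory)
        elif action == "create":
            created_in[name].add(directory)
    if not suffixes:
        return {"suspicious": False}
    suffix, count = suffixes.most_common(1)[0]
    notes = [n for n, dirs in created_in.items() if len(dirs) >= min_dirs]
    suspicious = count >= min_renames and len(dirs_per_suffix[suffix]) >= min_dirs
    return {"suspicious": suspicious, "suffix": suffix, "renames": count,
            "directories": len(dirs_per_suffix[suffix]), "note_files": notes}

if __name__ == "__main__":
    print(analyse(EVENTS))
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned to the normal rename rate of the share being watched.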
Intriguingly, ransomware criminals originally came up with this 'imprison the files in place' approach because the average user either wasn't on the internet at all, or didn't have anywhere near enough bandwidth to upload the files to a secret, off-site hiding place.
Believe it or not, the first known ransomware appeared 35 years ago last month (December 1989), scrambling victims' hard disks and demanding a $378 money order sent to Panama in return for a decryption program.
Double blackmail
These days, many users and most companies have plenty of internet bandwidth available - enough, at least, for attackers to upload what's known in the jargon as 'trophy data' such as customer databases, sales records and HR information.
As a result, many ransomware attackers today take a double-pronged approach: they first steal enough trophy data to constitute a significant and embarrassing data breach that will need reporting to the authorities, and then scramble as much data as they can to cause company-wide disruption that conventional IT tools and recovery methods may simply not be able to handle.
They then carry out what is commonly referred to in the media as double extortion, because the blackmail payments they demand now serve a double purpose, and exert two different sorts of criminal leverage.
Firstly, the ransom is a form of hush money, on receipt of which the criminals promise to delete the stolen trophy data and thus to 'undo' the data breach.
Secondly, the ransom is a kidnap payment, which some companies may be forced to make to save their business if they have no other way of recovering their scrambled laptops and servers.
What to do?
Prevention is better than cure, and if prevention doesn't work, then a well-planned response is vital:
- An injury to one can be an injury to all. Ransomware criminals often need only one security loophole to give them a beachhead inside an organisation's network. Don't take cybersecurity shortcuts yourself, lest you be that point of failure, and actively encourage everyone in your projects to do the same.
- If you see something, say something. Cybercriminals don't generally give up and go elsewhere if they fail at any hurdle; they simply try again. Attacks often leave behind numerous telltales or suspicious signs that would have given away the criminals if only someone had reported them promptly.
- Prepare and practise all recovery plans well in advance. Some companies end up paying ransomware demands even though they have data backups available, and computer recovery tools that could do the job in theory. But their plans are either insufficiently well-developed or just too slow to be applied to the entire company.
Interested in ransomware? Fascinated by its history? Wondering how the ransomware cyber-underground works? Want to learn more about staying safe (and earn CPD points at the same time)? Don't miss our RANSOMWARE: HOW IT WORKS AND HOW TO STOP IT webinar on Tuesday 21 January 2025 at 10am UK time. Sign up for free now.