Published: February 24, 2026
Video Description
FULL SECURITY+ IN 31 DAYS COURSE
🔹 Join the wait list - https://certbros.kit.com/01730e35f7
BOSON PRACTICE EXAMS
Best practice exams - https://www.certbros.com/security-plus/exsim
HAVE A QUESTION?
💬 Discord - https://www.certbros.com/discord
Disclaimer: Some of these are affiliate links. If you purchase using these links, I'll receive a small commission at no extra charge to you.
---------------------------------------------------------------------------------------------------------------
Ransomware is one of the most disruptive cyber threats because it can take everything you care about on a device or network and hold it hostage.
What Is Ransomware?
Ransomware is a type of malware designed to encrypt a victim's files, making them inaccessible, or to lock the victim out of their system entirely.
Once access is blocked, the attacker demands a ransom payment in exchange for a decryption key, or to restore access to the system.
Ransomware has been around for many years, but it has become one of the most prevalent cybersecurity threats in recent years. For many IT teams and security professionals, ransomware is a constant concern because it can shut down operations and cause severe financial and reputational damage.
How Ransomware Works
Most ransomware attacks follow a similar chain of events, from infection to encryption to a ransom demand.
Infection
Ransomware can enter a system in several ways.
A common method is phishing emails containing malicious attachments or links. Another is tricking a victim into downloading an infected program or tool.
Ransomware can also enter through the Windows Remote Desktop Protocol (RDP). If Remote Desktop is enabled and exposed directly to the internet, attackers can simply try to log in by guessing or brute-forcing credentials, which makes exposed RDP one of the most frequent entry points for ransomware attacks.
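The credential guessing described above shows up in Windows as a burst of failed logons (Security event 4625) with LogonType 10 (RemoteInteractive, i.e. RDP) from one source address, spread across many account names. The following Go program is an added example and is not code from the CertBros video: it runs a sliding-window threshold over a handful of constructed log lines in a made-up pipe-delimited format (timestamp|EventID|LogonType|source IP|account), and the threshold of 5 failures per minute is an assumption to tune for your environment.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed log lines standing in for Windows Security events. The pipe-delimited
// layout (timestamp|EventID|LogonType|source IP|account) is an assumption for this
// example, not a real Windows export format. 4625 = failed logon, LogonType 10 = RDP.
var sampleLog = []string{
	"2026-02-24T09:00:01Z|4625|10|203.0.113.7|administrator",
	"2026-02-24T09:00:03Z|4625|10|203.0.113.7|admin",
	"2026-02-24T09:00:04Z|4625|10|203.0.113.7|backup",
	"2026-02-24T09:00:06Z|4625|10|203.0.113.7|helpdesk",
	"2026-02-24T09:00:08Z|4625|10|203.0.113.7|administrator",
	"2026-02-24T09:00:09Z|4625|10|203.0.113.7|sqlsvc",
	"2026-02-24T09:00:11Z|4625|3|203.0.113.7|administrator", // network logon, not RDP: ignored
	"2026-02-24T09:02:00Z|4625|10|10.0.0.5|jsmith",          // a user mistyping a password
	"2026-02-24T09:09:30Z|4625|10|10.0.0.5|jsmith",
	"2026-02-24T09:10:00Z|4624|10|10.0.0.5|jsmith", // successful logon: ignored
}

type failedLogon struct {
	at      time.Time
	account string
}

// parseFailedRDPLogon returns the source IP and event only for failed RDP logons.
func parseFailedRDPLogon(line string) (string, failedLogon, bool) {
	f := strings.Split(line, "|")
	if len(f) != 5 || f[1] != "4625" || f[2] != "10" {
		return "", failedLogon{}, false
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return "", failedLogon{}, false
	}
	return f[3], failedLogon{at: at, account: f[4]}, true
}

// Finding describes a source IP that exceeded the failure threshold within the window.
type Finding struct {
	SourceIP string
	Failures int      // failures in the densest window for that source
	Accounts []string // distinct account names that source tried, sorted
}

// detectRDPGuessing flags each source IP with at least threshold failed RDP logons
// inside any span of length window (two-pointer sliding window over sorted times).
func detectRDPGuessing(lines []string, threshold int, window time.Duration) []Finding {
	bySource := map[string][]failedLogon{}
	for _, line := range lines {
		if ip, ev, ok := parseFailedRDPLogon(line); ok {
			bySource[ip] = append(bySource[ip], ev)
		}
	}
	var findings []Finding
	for ip, evs := range bySource {
		sort.Slice(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
		peak, start := 0, 0
		for end := range evs {
			for evs[end].at.Sub(evs[start].at) > window {
				start++
			}
			if n := end - start + 1; n > peak {
				peak = n
			}
		}
		if peak < threshold {
			continue
		}
		seen := map[string]bool{}
		var accounts []string
		for _, ev := range evs {
			if !seen[ev.account] {
				seen[ev.account] = true
				accounts = append(accounts, ev.account)
			}
		}
		sort.Strings(accounts)
		findings = append(findings, Finding{SourceIP: ip, Failures: peak, Accounts: accounts})
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].SourceIP < findings[j].SourceIP })
	return findings
}

func main() {
	for _, f := range detectRDPGuessing(sampleLog, 5, time.Minute) {
		fmt.Printf("%s: %d failed RDP logons within a minute, accounts tried: %s\n",
			f.SourceIP, f.Failures, strings.Join(f.Accounts, ", "))
	}
}
```

On the sample data only 203.0.113.7 is flagged (six failures in nine seconds across five account names); the internal user's two failures seven minutes apart stay below the threshold. The number of distinct accounts is worth reporting alongside the count, because a password spray (many accounts, few attempts each) and a single locked-out user look very different on that axis even when the raw failure counts are similar.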
Lateral Movement
After the initial infection, some ransomware strains can spread across a network with worm-like behaviour.
This means the ransomware can self-propagate by scanning the local network for devices with known vulnerabilities, then exploiting those weaknesses to infect additional systems. These strains are sometimes referred to as cryptoworms.
Fast lateral movement maximises impact by spreading quickly through an entire environment before defenders can respond.
Encryption
Once ransomware has spread, it typically begins encrypting data on infected systems.
Attackers focus on valuable files such as pictures, spreadsheets, databases, and other data that organisations cannot afford to lose.
Encryption converts readable information into an unreadable format called ciphertext. To do this, ransomware relies on encryption keys.
Symmetric Encryption
Symmetric encryption uses one key to encrypt and decrypt data.
It is fast, which makes it well suited to encrypting large volumes of files during an attack. The weakness is that the same key that encrypts also decrypts, and that key has to exist on the victim's machine while the files are being encrypted. If it is hardcoded in the malware, left behind on disk or in memory, or sent back to the attacker in a way a defender can capture, the victim can recover their files without paying.
Asymmetric Encryption
Asymmetric encryption uses two keys, known as a key pair.
A public key encrypts the data. A private key decrypts the data.
Because the public key cannot decrypt, it can be embedded in the ransomware without giving the victim anything useful. The attacker keeps the private key on their own systems, so the victim cannot decrypt the files without it. This also means the malware can work offline: it needs no connection back to the attacker at encryption time, because everything required to encrypt is already in the binary.
The trade-off is speed. Asymmetric encryption is orders of magnitude slower than symmetric encryption, and an algorithm such as RSA can only encrypt a message shorter than its key size in a single operation, so it is impractical for bulk file data.
Why Modern Ransomware Uses Both
Modern ransomware commonly combines both methods.
It generates a fresh random symmetric key and uses fast symmetric encryption to lock the data quickly. It then uses asymmetric encryption with the embedded public key to encrypt (wrap) that symmetric key, and discards the plaintext copy. The wrapped key can safely be left on the victim's machine because it is useless without the attacker's private key, so recovery is impossible without it.
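The hybrid scheme just described, worked through in Go as an added example (not code from the CertBros video, and deliberately operating on an in-memory byte string rather than files on disk). It uses AES-256-GCM for the bulk data and RSA-2048 with OAEP to wrap the per-file AES key; the attacker's key pair, the sample document contents and the function names are all constructed for this illustration. Note that encryptHybrid receives nothing but the public key, exactly as the malware would, while decryptHybrid needs the private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what is left on the victim's disk: ciphertext, the AES-GCM nonce,
// and the file key wrapped under the attacker's public key. None of it is useful
// without the attacker's private key.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// attackerKeyPair is generated once on the attacker's side. Only the public half is
// embedded in the malware; the private key never leaves the attacker.
func attackerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptHybrid is the victim-side step. It needs only the embedded public key and no
// network connection: a fresh random AES-256 key encrypts the data (fast, any size),
// then RSA-OAEP wraps that 32-byte key (slow, but done once per key).
func encryptHybrid(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // wipe the plaintext key; only the private key can recover it now
		fileKey[i] = 0
	}
	return &EncryptedFile{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// decryptHybrid is the recovery step the attacker sells: unwrap the file key with the
// private key, then decrypt the data with it.
func decryptHybrid(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	attacker, err := attackerKeyPair()
	if err != nil {
		panic(err)
	}
	doc := []byte("Q3 payroll.xlsx (constructed sample contents)") // stands in for a victim file
	ef, err := encryptHybrid(&attacker.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext: %x\nwrapped key: %d bytes\n", ef.Ciphertext, len(ef.WrappedKey))
	// The artefacts on disk plus the public key are not enough: a different private
	// key fails the OAEP integrity check instead of yielding the file key.
	other, _ := attackerKeyPair()
	if _, err := decryptHybrid(other, ef); err != nil {
		fmt.Println("wrong private key:", err)
	}
	plain, err := decryptHybrid(attacker, ef)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", plain)
}
```

The point the example makes is where each key lives: the AES key exists on the victim's machine only for the duration of encryptHybrid and is zeroed before the function returns, and the RSA private key is never on the victim's machine at all. This is why memory forensics or network captures can sometimes recover the symmetric key from poorly written strains, but cannot help once the key has been wiped and only its RSA-wrapped form remains.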
Ransomware also commonly deletes Volume Shadow Copies, the local snapshots Windows uses for features such as Previous Versions, and attacks any other backups it can reach, so that the victim cannot simply roll back without paying.
Operating system files are usually left untouched so the machine still boots, the victim can read the ransom instructions, and payment can be attempted.
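Shadow copy deletion is one of the more reliable things to detect, because it is done through a small set of built-in Windows commands (vssadmin, wmic, PowerShell's WMI cmdlets, wbadmin) that ordinary users never run. The Go program below is an added example, not code from the CertBros video: it matches those command lines in constructed process-creation records (the ProcessEvent fields are assumptions standing in for what a Sysmon Event ID 1 or Security 4688 event carries) and deliberately does not alert on listing or creating shadow copies, which administrators do legitimately.

```go
package main

import (
	"fmt"
	"regexp"
)

// ProcessEvent is a constructed stand-in for a process-creation record; the field set
// is an assumption for this example (parent image and command line are what matter).
type ProcessEvent struct {
	Host        string
	ParentImage string
	CommandLine string
}

// Command lines used to destroy local recovery points, matched case-insensitively.
// "vssadmin list shadows" and "vssadmin create shadow" are deliberately not matched.
var recoveryTampering = []struct {
	Rule string
	Re   *regexp.Regexp
}{
	{"vssadmin delete shadows", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\s+delete\s+shadows`)},
	{"vssadmin resize shadowstorage", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\s+resize\s+shadowstorage`)},
	{"wmic shadowcopy delete", regexp.MustCompile(`(?i)\bwmic(\.exe)?\s+shadowcopy\s+delete`)},
	{"PowerShell Win32_ShadowCopy deletion", regexp.MustCompile(`(?i)Win32_ShadowCopy.*(\.Delete\(\)|Remove-WmiObject|Remove-CimInstance)`)},
	{"wbadmin delete catalog", regexp.MustCompile(`(?i)\bwbadmin(\.exe)?\s+delete\s+catalog`)},
}

type Alert struct {
	Host, Rule, ParentImage, CommandLine string
}

// detectRecoveryTampering returns one alert per matching event (first rule wins).
func detectRecoveryTampering(events []ProcessEvent) []Alert {
	var alerts []Alert
	for _, ev := range events {
		for _, r := range recoveryTampering {
			if r.Re.MatchString(ev.CommandLine) {
				alerts = append(alerts, Alert{ev.Host, r.Rule, ev.ParentImage, ev.CommandLine})
				break
			}
		}
	}
	return alerts
}

// Constructed sample events: two benign, four matching. The parent image of the
// matching ones is a downloaded executable, which is itself a strong signal.
var sampleEvents = []ProcessEvent{
	{"ws-017", `C:\Windows\System32\cmd.exe`, `vssadmin.exe list shadows`},
	{"ws-017", `C:\Users\jsmith\Downloads\invoice.exe`, `vssadmin.exe Delete Shadows /All /Quiet`},
	{"ws-017", `C:\Users\jsmith\Downloads\invoice.exe`, `wmic shadowcopy delete`},
	{"ws-017", `C:\Users\jsmith\Downloads\invoice.exe`, `powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"`},
	{"ws-017", `C:\Users\jsmith\Downloads\invoice.exe`, `wbadmin delete catalog -quiet`},
	{"ws-022", `C:\Windows\explorer.exe`, `notepad.exe C:\Users\ahall\notes.txt`},
}

func main() {
	for _, a := range detectRecoveryTampering(sampleEvents) {
		fmt.Printf("[%s] %s (parent: %s): %s\n", a.Host, a.Rule, a.ParentImage, a.CommandLine)
	}
}
```

In a real deployment the parent process is the pivot worth keeping in the alert: the same vssadmin command launched by an enterprise backup agent's service is routine, while one launched from a user's Downloads folder a minute after an email attachment was opened is the start of the encryption phase, and that is the moment to isolate the host.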
Ransom Demand
After encryption, the attacker presents a ransom note.
This might appear as a changed desktop background or as text files dropped into every encrypted folder. The note explains that the files have been encrypted and claims there is no way to recover them without the private key held by the attacker.
The attacker typically offers tools or instructions to recover the data if the ransom is paid, often within a limited time window.
Payment does not guarantee recovery, but attackers have an incentive to provide decryption when they can. If victims believe payment never works, future victims will refuse to pay. In some cases, attackers have even provided technical support to help victims restore access.