
Ransomware

  • What it is: A type of malware that employs encryption to render a victim’s data inaccessible until a ransom is paid to the attacker. Modern ransomware variants often incorporate additional malicious functionalities, such as data exfiltration prior to encryption (double extortion), or the encryption of virtual environments and backups.

  • How it works: Ransomware typically gains initial access through vectors such as phishing emails, software vulnerabilities, or drive-by downloads. Once executed, it scans the local system and network shares for targeted file types and encrypts them using strong cryptographic algorithms (e.g., AES, RSA). Upon completion, a ransom note is displayed with instructions on how to pay the ransom, typically in cryptocurrency, in exchange for the decryption key. Some advanced ransomware also disables or deletes shadow volume copies and other backup mechanisms to hinder recovery without payment.

  • Example with key data: The WannaCry ransomware attack in 2017 exploited a vulnerability in the Server Message Block (SMB) protocol in Microsoft Windows, known as EternalBlue, which was allegedly developed by the NSA. It spread rapidly across networks, encrypting files and demanding a ransom of $300 in Bitcoin. WannaCry infected hundreds of thousands of computers globally, impacting organizations across various sectors, including healthcare (e.g., the UK’s National Health Service). While a kill switch was eventually discovered, the attack caused significant disruption and financial losses, highlighting how rapidly network-wormable ransomware can propagate and how widespread its impact can be.
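Two defensive checks that follow directly from the behaviour described above, written here as an added example rather than code from the original page: encrypted output is statistically close to random bytes, so a Shannon-entropy test on file contents flags files that have likely been encrypted, and shadow-copy tampering shows up as a handful of well-known command lines in process-creation logs. The log format (`timestamp|host|user|command_line`), the sample log lines, and the 7.5 bits/byte threshold are all constructed assumptions for the demonstration and would be adapted to a real telemetry source.

```python
"""Added example (not part of the original page): two heuristic checks a
defender can run to spot the ransomware behaviour described above.
All sample data below is constructed for the demonstration."""
import math
import re
from collections import Counter

# --- 1. Entropy check on file contents -------------------------------------
# Ciphertext from AES/RSA is practically indistinguishable from random bytes,
# so its Shannon entropy approaches 8 bits/byte; ordinary documents sit well
# below that, which makes a sudden rise across many files a useful signal.

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

ENTROPY_THRESHOLD = 7.5  # assumption: tune per environment and file type

def looks_encrypted(data: bytes) -> bool:
    """True when the content's entropy is in the range typical of ciphertext."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD

# --- 2. Shadow-copy tampering in process-creation logs ----------------------
# Constructed log lines in an assumed "timestamp|host|user|command_line" form.
SAMPLE_PROCESS_LOG = """\
2024-01-01T10:00:01|ws-17|alice|C:\\Windows\\System32\\notepad.exe report.txt
2024-01-01T10:00:05|ws-17|alice|vssadmin delete shadows /all /quiet
2024-01-01T10:00:06|ws-17|alice|wmic shadowcopy delete
2024-01-01T10:00:09|ws-17|alice|bcdedit /set {default} recoveryenabled no
2024-01-01T10:01:00|ws-22|bob|vssadmin list shadows
"""

# Patterns for commands that remove shadow copies or disable Windows recovery.
# Listing shadows is benign administration and deliberately not matched.
SHADOW_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
]

def find_shadow_tampering(log_text: str) -> list[dict]:
    """Return one record per log line whose command line matches a pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        ts, host, user, cmd = parts
        if any(p.search(cmd) for p in SHADOW_TAMPER_PATTERNS):
            hits.append({"time": ts, "host": host, "user": user, "command": cmd})
    return hits

if __name__ == "__main__":
    plain = b"Quarterly report: revenue grew modestly in all regions. " * 40
    cipher_like = bytes(range(256)) * 16  # stand-in for encrypted output
    print(f"plain text entropy:  {shannon_entropy(plain):.2f} bits/byte")
    print(f"cipher-like entropy: {shannon_entropy(cipher_like):.2f} bits/byte")
    for hit in find_shadow_tampering(SAMPLE_PROCESS_LOG):
        print(f"[{hit['time']}] {hit['host']} {hit['user']}: {hit['command']}")
```

Both checks are heuristics: compressed archives and media files also score high on entropy, so the file check is most useful as a rate signal (many files crossing the threshold in a short window) rather than a per-file verdict, and the log patterns should be paired with context such as the parent process and the user's normal role.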
