Ransomware is computer malware that prevents you from accessing your data and demands a ransom to restore that access. This can happen to an individual on a single computer or to the IT infrastructure of a large organization.
The way this works is that the attackers get malicious software onto a target machine. This software then encrypts files so that no one can access them without a key known only to the ransomer. They then ransom the key to the victims so that the victims can regain access to their data. The key has to work most of the time; otherwise, there is little chance that victims would pay the ransom.
The ransom is often based on the victim’s ability to pay. For an average person, the ransom might be a few hundred dollars, but for large organizations, it can be tens of millions of dollars. The attackers generally require the ransom to be paid in Bitcoin to allow the money to be more easily moved around. In Hernando County’s case, the ransom would most likely be closer to millions than hundreds of dollars.
To further put pressure on the victims, the ransomers often threaten to release some of the information that only they have access to. Often, while the data is encrypted, the ransomers are also exfiltrating data out of the network. They might release people’s credit card information or purchase information unless the ransom is paid.
To make the ransomware attack work, it is necessary to erase or encrypt all backups. If the victim has backups, they can restore them and be back in business without paying the ransom. This means that a major component of a ransomware attack is to make all the backups unusable. If there is a redundant site, that, too, needs to be encrypted.
Usually, if backups are available, recovery from a ransomware attack takes a few days, rarely more than a week. As time drags on, the pressure to pay the ransom continues to build.
The goal is to leave the victim powerless and then extort significant money out of them. This is modern-day piracy, and the tactics are similar. Pirates used to seize a merchant's ships and ransom them back to the owner. Now, attackers seize an organization's IT infrastructure and ransom it back to them.
Often, different groups work together to gain the ransom. One group might be good at gaining access to networks. Another group might purchase those network accesses and use them to deliver ransomware. Finally, another group may be brought in to do the actual ransoming.
Every time a ransomware attack is successful in producing a ransom, it means that the attackers now have the means to perform more attacks. This is why paying the ransom is often frowned upon. However, with cyber insurance, paying the ransom might even be covered by insurance.
Rocco Maglio is a Certified Information Systems Security Professional.