Ransomware is malicious software with one aim in mind: to extort money from its victims. It's one of the most prolific criminal business models in existence today, mostly thanks to the multimillion-dollar ransoms criminals demand from individuals and corporations. These demands are very simple: pay the ransom, or have your operations severely compromised or shut down completely.
Very often, the first an organization knows of an attack is an on-screen notification informing it that data on its network has been encrypted and will be inaccessible until the ransom is paid. Only on payment will it be given the decryption key to access its data. Failure to pay could result in the key being destroyed, rendering the data inaccessible forever.
The good news is that ransomware does not usually run on its own. It must be activated in order to deliver its payload, usually through a malicious link or attachment in an email.
There are generally five steps required for ransomware to achieve its objective:
1. The System Is Compromised
The majority of ransomware attacks start life as a social engineering exercise, usually in the form of an attachment or malicious link. The aim is to entice the user to click on these objects in order to activate the malware.
2. The Malware Takes Control
Once the malware has taken control of the system, certain file types will be encrypted and access will be denied to users.
3. The Victim Is Notified
For the ransom to be paid, the user must be aware of the criminals' demands. At this point, they will usually receive a notification on the screen explaining the demands and how they can regain access.
4. The Ransom Is Paid
Once they have system access, attackers will either identify and encrypt certain file types or deny access to the entire system.
5. Full Access Is Returned
In the majority of cases, attackers return full control to the victim. It is in their interest to do this: if organizations did not believe their data would be restored, few would be willing to pay.
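A defender's view of step 2, added here as an illustration and not part of the original article: a detection heuristic run over constructed file-rename events that flags the burst of files being rewritten under a single new extension across several directories. The event format, process names, extension and thresholds are assumptions chosen for the example.

```python
"""Heuristic for the 'malware takes control' stage: one process renaming many
files to the same new extension across several directories in a short window.
Added example; event format, names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath


def _burst(start, proc, ext, count):
    """Constructed encryption-like activity: 'count' renames one second apart."""
    base = datetime.fromisoformat(start)
    dirs = ["/srv/share/finance", "/srv/share/hr", "/srv/share/eng", "/srv/share/legal"]
    return [((base + timedelta(seconds=i)).isoformat(), proc,
             f"{dirs[i % len(dirs)]}/doc{i}.docx", f"{dirs[i % len(dirs)]}/doc{i}.docx{ext}")
            for i in range(count)]


# Constructed sample rename events: (timestamp, process, old_path, new_path).
# The first two are ordinary user activity; the burst mimics mass encryption.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "explorer.exe", "/home/bob/draft.txt", "/home/bob/final.txt"),
    ("2024-05-01T09:05:00", "winword.exe", "/home/bob/~tmp.docx", "/home/bob/report.docx"),
] + _burst("2024-05-01T09:10:00", "unknown.exe", ".locked", 30)


def detect_encryption_bursts(events, window=timedelta(seconds=60), min_files=20, min_dirs=3):
    """Return one alert per process that changes the extension of at least
    min_files files to a single new extension, spread over at least min_dirs
    directories, inside a sliding time window."""
    by_proc = defaultdict(list)
    for ts, proc, old, new in events:
        old_ext, new_ext = PurePosixPath(old).suffix, PurePosixPath(new).suffix
        if new_ext and new_ext != old_ext:  # only extension changes are interesting
            by_proc[proc].append((datetime.fromisoformat(ts), new_ext, str(PurePosixPath(new).parent)))
    alerts = []
    for proc, hits in by_proc.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window forward
                start += 1
            win = hits[start:end + 1]
            exts = {e for _, e, _ in win}
            dirs = {d for _, _, d in win}
            if len(win) >= min_files and len(exts) == 1 and len(dirs) >= min_dirs:
                alerts.append({"process": proc, "extension": exts.pop(), "files": len(win),
                               "dirs": len(dirs), "first_seen": win[0][0].isoformat()})
                break  # one alert per process is enough to trigger response
    return alerts
```

Ordinary renames keep their extension and never enter a window, so only the mass rewrite to `.locked` produces an alert.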
There are effectively two types of ransomware in the wild today: Crypto ransomware and Locker ransomware. Both prevent access to data and files, usually by means of encryption.