What is ransomware, what it does and how to defend yourself in the event of a ransomware attack

Ransomware is a particular type of malware that blocks access to a victim’s data through strong encryption, making the files unusable until a ransom is paid, usually in cryptocurrency (the name comes from the English word “ransom”). It represents a cyber threat capable of bringing private users, companies and even entire public sectors to their knees. To defend yourself, simply creating backups is no longer a sufficient defense, as modern attackers also aim to compromise those backups, preventing data recovery. The situation is made even more serious by extortion tactics that threaten to leak the stolen information. In this article we will explain in more detail how a ransomware attack works, what the main phases are in which it occurs and, above all, what to do to protect yourself and/or react in the event of an attack.

What ransomware does and how the malware attack occurs

As we have seen, ransomware is malicious software that limits access to digital devices (PCs, smartphones, tablets, smart TVs, etc.) or to specific data (videos, files, etc.) and then demands a ransom. The data shows that this malware is one of the most significant cyber threats of recent years. According to Verizon’s 2023 Data Breach Investigations Report, in 2023 ransomware was present in 24% of all data breaches, and the Sophos survey The State of Ransomware 2023 found that 66% of organizations had suffered at least one attack in 2023. Furthermore, according to Veeam’s 2024 Ransomware Trends Report, 96% of ransomware attacks affected backup data and only 28% of those who had paid the ransom (less than a third) had managed to regain possession of the data taken hostage.

But how is it possible for all this to happen? How does a ransomware attack unfold? Some security experts break this type of attack down into 6 distinct phases.

  1. Distribution: this phase is carried out through phishing messages and emails that induce victims to click on dangerous links or download malicious attachments. Other avenues of entry include insecure remote access protocols and unpatched software vulnerabilities.
  2. Command and control: once the system is infected, the malware communicates with a command and control server, also called C&C, which is configured and operated by the cybercriminals behind the attack; the malware uses it to receive encryption instructions and keys. Through this channel additional malware can also be installed, making the later stages of the ransomware’s life cycle easier for the attackers.
  3. Discovery: in this phase the attackers explore the system they have infiltrated in search of important (or compromising) data and move between devices, spreading the infection.
  4. Encryption: at this point the files are locked by encryption and the stolen data is sent to the C&C server.
  5. Extortion: it is at this stage that the criminals ask for a ransom. As some of the statistics mentioned above demonstrate, paying does not guarantee that your files will be restored, as in some cases the malware is programmed to destroy them regardless of the ransom.
  6. Resolution: at this point the victim must decide whether or not to negotiate with the attackers, whether to restore the data from backups (provided that these too have not been compromised) or even to rebuild the entire system from scratch.

How to protect yourself in the event of a ransomware attack

Let’s “zoom in” on the last phase of the attack, i.e. the resolution, to see what to do in the event of a ransomware attack. Below we provide a sort of “handbook” that could be useful in such a difficult situation.

  • Contact the authorities: ransomware is, in effect, cyber extortion. Contacting the Postal Police and reporting the incident could not only increase your chances of regaining possession of the encrypted data, but could also protect others from attacks like the one you have unfortunately suffered.
  • Take a photo of the ransomware message: this way you can attach the photo to the report you will present to the authorities.
  • Stop incoming and outgoing connections: this means disconnecting from Wi-Fi, unplugging the Ethernet cable from the computer, or taking any other action necessary to terminate the connection. Interrupting the Internet connection is in fact the best way to quarantine the infected device.
  • Disconnect external storage devices: if you have created backups of your files, you must immediately disconnect them to prevent them from also being taken hostage by the cybercriminals carrying out the attack.
  • Do a “clean” reinstallation of the operating system: if you have safe backups, wiping your hard drive and reinstalling your operating system may be the only way to eradicate the malware.
  • Use antivirus decryption tools: a good antivirus product may include a tool of this type, designed specifically to regain possession of the files encrypted by the ransomware without paying any ransom.
  • Identify the ransomware strain: this can put you in a position to find the decryption tool or key needed to unlock the device. The NoMoreRansom.org website lists some tools useful for this purpose. Knowing which strain of ransomware affected you is also a valuable piece of information to share with the authorities when you approach them.
  • Reset all your passwords: this applies even if you have managed to eradicate the ransomware. Don’t just reset a few passwords, but act on all the ones you have, including those saved in your web browser or operating system keychain.

In addition to the suggestions in the previous points, we invite you to read the checklist released by CISA (Cybersecurity and Infrastructure Security Agency), included in a joint guide produced together with the FBI (Federal Bureau of Investigation), the NSA (National Security Agency) and MS-ISAC (Multi-State Information Sharing and Analysis Center).

How to prevent a ransomware attack

If you haven’t had any problems with ransomware so far, be careful not to become overconfident. On the contrary, you would do well to learn to mitigate the risk of ransomware attacks which, let’s reiterate, can strike anyone.

In this regard, IT security experts recommend implementing, at a minimum, essential cybersecurity tools and strategies, including the use of anti-malware, multi-factor authentication, firewalls, email security filtering, web filtering, network traffic analysis, secure remote access technologies (such as VPNs), and so on.

It’s also important to keep software updated, both the operating system and the application programs. When the WannaCry ransomware (one of the most famous in history) first struck in May 2017, it exploited a known vulnerability for which Microsoft had released a patch two months earlier; those who had installed it were spared the worst.

Another important thing is to create multiple backup copies. More importantly, especially in a business setting, make sure that at least one backup is inaccessible from the primary IT environment, bearing in mind that cybercriminals try to spread the infection throughout the entire IT infrastructure.
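As an added example that is not part of the article, here is one way to check that such an isolated backup copy is still intact: a manifest of file hashes is recorded when the backup is taken and stored where the primary environment cannot reach it, and a later verification flags files that are missing, changed, or now look like ciphertext. The manifest format, the sample files and the entropy threshold are assumptions made for the example.

```python
# Added example (not from the article): verify an offline backup copy against a
# manifest kept where the primary environment cannot reach it; changed files
# whose content now looks random suggest the backup itself was encrypted.
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 means random-looking, typical of ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root: Path, manifest: dict, threshold: float = 7.5) -> dict:
    """Compare a backup copy with its manifest; flag changes that look encrypted."""
    report = {"missing": [], "modified": [], "likely_encrypted": [], "unexpected": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
            # Only the first 64 KiB is sampled; enough to spot ciphertext.
            if shannon_entropy((root / rel).read_bytes()[:65536]) >= threshold:
                report["likely_encrypted"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report

def demo() -> dict:
    """Constructed sample: a clean backup, then tampering as a ransomware run would."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_text("quarterly figures\n" * 200)
    (root / "notes.txt").write_text("plain text note\n" * 50)
    manifest = build_manifest(root)          # would be stored off-environment
    (root / "docs" / "report.txt").write_bytes(os.urandom(8192))  # now ciphertext-like
    (root / "notes.txt").unlink()                                  # deleted
    (root / "README_DECRYPT.txt").write_text("constructed ransom note")
    return verify_backup(root, manifest)
```

Run `demo()` to see the report for the constructed sample; in practice `build_manifest` runs at backup time and `verify_backup` runs from a separate, trusted host before any restore is attempted.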