Ransomware

Ransomware definition

Ransomware is malware that prevents people or organizations from accessing systems or files, then demands payment in exchange for restoring access. Ransomware ranges from “locker” variants that lock devices to sophisticated cryptoviral extortion that encrypts critical data and threatens to leak sensitive information. While attackers often demand payment, there is no guarantee data will be returned.

What Is Ransomware?

Ransomware is a type of cryptovirology malware that attackers use to block access to victim data until a ransom is paid. Some operators also exfiltrate the data before encrypting it and threaten to publish it if the ransom is not paid.

Simpler ransomware can often be reversed by a knowledgeable person. More advanced cryptoviral extortion, combined with payment in Bitcoin and other cryptocurrencies, makes recovery without the attacker's key impractical and the payments difficult to trace.

How Does Ransomware Work?

Adam Young and Moti Yung, then at Columbia University, first presented the concept of file-encrypting ransomware, or cryptoviral extortion, at the 1996 IEEE Symposium on Security and Privacy. Ransomware is based on a three-step cryptoviral extortion protocol between attacker and victim.

Cryptoviral Extortion

In step one, the attacker generates an asymmetric key pair, embeds the public key in the malware, and keeps the private key. The attacker then either releases the malware broadly or delivers it to a specific target. Step one flows from attacker to victim.

In step two, the malware runs on the victim's system. It generates a fresh random symmetric key, encrypts the victim's data with that key, and then encrypts the symmetric key with the embedded public key.

This hybrid encryption yields a large symmetric ciphertext (the victim's data) and a small asymmetric ciphertext (the encrypted symmetric key). To prevent recovery, the malware overwrites the original plaintext and the symmetric key.

The victim is shown a ransom note containing the asymmetric ciphertext and payment instructions. Step two flows from victim to attacker: the victim sends the asymmetric ciphertext and, the attacker hopes, the payment.

In step three, if the attacker receives payment, they decrypt the asymmetric ciphertext with their private key, recover the symmetric key, and send it to the victim, who can then decrypt the data. Nothing in the protocol forces the attacker to do so: the victim may pay and still never recover.

A symmetric key released to one victim cannot help another, because each infection generates its own random key, and the attacker's private key is never exposed to victims.
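The three-step protocol above, as an added worked example (not code from the original page and not any real ransomware family). It runs entirely in memory on a constructed byte string. The RSA modulus is built from two fixed Mersenne primes and the "symmetric cipher" is a SHA-256 keystream XOR; both are toys chosen so the block needs only the standard library. Real ransomware uses AES and a 2048-bit or larger RSA key, but the key flow (public key embedded, per-victim symmetric key, asymmetric ciphertext in the ransom note, private key only with the attacker) is the same.

```python
"""Toy model of the three-step cryptoviral extortion protocol (added example)."""
import hashlib
import secrets

# --- Step 1 (attacker): generate a key pair; only the public key ships. ---
P = (1 << 127) - 1        # Mersenne primes, toy-sized but genuinely prime
Q = (1 << 107) - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)       # private exponent: stays with the attacker

PUBLIC_KEY = (N, E)       # embedded in the malware
PRIVATE_KEY = (N, D)      # never leaves the attacker


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def rsa_encrypt(pub, key: bytes) -> int:
    """Textbook RSA (no padding), enough to show the key flow."""
    n, e = pub
    m = int.from_bytes(key, "big")
    assert m < n, "toy key must fit under the modulus"
    return pow(m, e, n)


def rsa_decrypt(priv, c: int, length: int) -> bytes:
    n, d = priv
    return pow(c, d, n).to_bytes(length, "big")


# --- Step 2 (victim's machine): hybrid encryption, then wipe. ---
def infect(plaintext: bytearray, pub):
    """Returns (symmetric ciphertext, asymmetric ciphertext).

    The plaintext buffer and the symmetric key are zeroed before returning,
    so nothing recoverable remains on the host; only the asymmetric
    ciphertext (shown in the ransom note) carries the key out.
    """
    sym_key = bytearray(secrets.token_bytes(16))   # fresh for every victim
    data_ct = keystream_xor(bytes(sym_key), bytes(plaintext))
    key_ct = rsa_encrypt(pub, bytes(sym_key))
    plaintext[:] = b"\x00" * len(plaintext)         # plaintext gone
    sym_key[:] = b"\x00" * len(sym_key)             # symmetric key gone
    return data_ct, key_ct


# --- Step 3 (attacker, if paid): unwrap the key with the private key. ---
def attacker_release_key(priv, key_ct: int) -> bytes:
    return rsa_decrypt(priv, key_ct, 16)


def victim_recover(data_ct: bytes, sym_key: bytes) -> bytes:
    return keystream_xor(sym_key, data_ct)


def run_protocol(victim_pays: bool):
    """End-to-end run on a constructed document; returns (recovered, original)."""
    original = b"constructed victim document: Q3 payroll export"
    buf = bytearray(original)
    data_ct, key_ct = infect(buf, PUBLIC_KEY)
    assert buf == b"\x00" * len(original)           # plaintext zeroed on host
    if not victim_pays:
        return None, original                       # only the attacker holds D
    key = attacker_release_key(PRIVATE_KEY, key_ct)
    return victim_recover(data_ct, key), original


if __name__ == "__main__":
    recovered, orig = run_protocol(victim_pays=True)
    print("recovered:", recovered == orig)
```

Running `infect` twice produces two different asymmetric ciphertexts, which is the point of the last paragraph: a key handed to one victim is useless to the next, and the only thing that unwraps every victim's key is `D`, which never leaves the attacker.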

Delivery of Ransomware

Typically, attackers enter a system and deliver ransomware payloads using a trojan of some kind, such as a malicious email attachment, an embedded phishing link, or a network service vulnerability. Once the trojan is running on the system, it executes the ransomware payload.

The ransomware payload either locks the system somehow or claims to, for example by displaying a fake warning about pirated media or illegal activities. Simpler payloads restrict or block the system unless or until the victim pays. They might do this by modifying the partition table and/or master boot record to stop the OS from booting until the attacker repairs it, or by registering the ransomware executable as the Windows shell so that only the lock screen, rather than the desktop, appears at logon. More sophisticated payloads actually encrypt files using strong encryption.

Since payment is usually an attacker’s goal, it is essential for them to find a convenient digital payment system that is difficult for law enforcement agencies to trace. Possibilities include digital currencies like Bitcoin, premium-rate text messages, pre-paid voucher services such as paysafecard, and wire transfers — although cryptocurrencies have quickly become the payment option of choice. 

Types of Ransomware

There are several common types of ransomware:

  • Crypto-malware — Crypto-malware such as the WannaCry ransomware attack from 2017 simply targets and encrypts folders, files, and hard drives. This is a classic ransomware attack, and in the case of WannaCry, it targeted systems running Windows OS and demanded ransom in Bitcoin.
  • Doxware — Doxware, extortionware, or leakware is all the same subset of ransomware that demands ransom or threatens to publish your stolen information online. This is the kind of attack typically linked to personal photos and other sensitive files.
  • Locker ransomware — Locker ransomware is so named because it infects the target operating system to lock out the user entirely, rather than encrypting individual files. This kind of ransomware is most often Android-based and makes it impossible to access any applications or files. Note that CryptoLocker (2013), despite its name, was file-encrypting crypto-malware: it generated a 2048-bit RSA key pair per victim and encrypted files, so it belongs in the crypto-malware category above.
  • Mac ransomware — Since 2016, ransomware has been spotted on Mac operating systems. The first widely reported case, KeRanger, reached Apple systems through a compromised installer of the Transmission BitTorrent client and encrypted victims’ files.
  • Mobile ransomware — Mobile ransomware has been present at scale since about 2014. It works basically the same way but is delivered through apps, leaving users with “locked” messages and non-functional mobile devices.
  • Ransomware-as-a-Service (RaaS) — Ransomware-as-a-Service is malware developed and hosted anonymously by cyber criminals and rented out to affiliates, typically via dark web forums. The operators maintain the payload, the payment portal, and the decryptors, while affiliates handle intrusion and deployment; the two split the ransom.
  • Scareware — Scareware imitates an antivirus tool, “detecting” problems on your system, and then demanding a ransom to resolve them. Some scareware locks victim systems, while other types flood the screen with pop-ups.

Although these ransomware examples are fairly comprehensive as of this writing, hackers are continuously refining phishing techniques to improve the yield from ransomware.

How to Prevent Ransomware

Preventing ransomware requires multiple layers of defense — technical controls, best practices, and resilient backups.

Minimum prevention checklist:

  1. Air-gapped, immutable backups. Store backups off-network and mark critical snapshots immutable so they can’t be altered by attackers.
  2. Automated, cloud-native backups with role-based access and MFA. Limit admin access, use RBAC and MFA/SSO to harden backup admin controls.
  3. Continuous patching and SaaS operational security. Patch endpoints, servers, and internet-facing services promptly to reduce the exploitable surface; a fully SaaS backup service that the vendor patches automatically removes one more surface you would otherwise have to maintain.
  4. Behavioral detection and anomaly monitoring. Monitor backups for anomalous deletes/encryptions and alert from backup telemetry (not just endpoint telemetry).
  5. Proactive scanning and threat hunting. Implement continuous scans of snapshots plus on-demand hunting to locate IoCs and quarantine infected restore points.
  6. Tested ransomware playbooks. Practice restores; use algorithms that stitch last-known-good files to speed recovery and avoid reinfection.
  7. Don’t rely on paying ransoms. Paying does not guarantee recovery and incentivizes attackers. Emphasize backup and recovery readiness instead.
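An added example of items 4 and 6 of the checklist, detection from backup telemetry and selection of last-known-good file versions. This is illustrative code written for this page, not Druva code, and not a description of how Druva's Threat Watch or Curated Recovery are implemented. The snapshot records and file-version table are constructed to resemble what a backup job might report per snapshot; the thresholds are assumptions, not vendor defaults.

```python
"""Anomaly detection over backup telemetry plus a last-known-good picker (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Snapshot:
    sid: str
    files_changed: int      # files whose content changed since the last snapshot
    files_deleted: int
    ext_renamed: int        # files whose extension changed (e.g. .docx -> .locked)
    mean_entropy: float     # mean Shannon entropy (bits/byte) of changed files


# Constructed telemetry: a quiet baseline week, then one snapshot that looks
# like mass encryption (huge churn, extension rewrites, near-random content),
# then a normal snapshot taken after partial cleanup.
SNAPSHOTS = [
    Snapshot("s01", 120, 3, 0, 4.9),
    Snapshot("s02", 140, 5, 1, 5.1),
    Snapshot("s03", 95, 2, 0, 4.7),
    Snapshot("s04", 130, 4, 0, 5.0),
    Snapshot("s05", 110, 3, 0, 4.8),
    Snapshot("s06", 18200, 900, 17950, 7.97),   # the encryption event
    Snapshot("s07", 150, 15, 20, 6.1),          # post-incident, looks normal
]


def flag_snapshots(snaps, baseline_n=5, churn_sigma=4.0,
                   entropy_limit=7.5, rename_ratio=0.25):
    """Map snapshot id -> list of triggered signals, for snapshots whose change
    profile departs from a baseline built from the first `baseline_n` snapshots.

    Three independent signals (assumed thresholds), any one of which flags:
      "churn"   files_changed z-score above churn_sigma
      "entropy" mean entropy of changed files near 8 bits/byte (encrypted)
      "rename"  a large share of changed files also had their extension rewritten
    """
    base = snaps[:baseline_n]
    mu = mean(s.files_changed for s in base)
    sigma = pstdev(s.files_changed for s in base) or 1.0
    flagged = {}
    for s in snaps[baseline_n:]:
        reasons = []
        if (s.files_changed - mu) / sigma > churn_sigma:
            reasons.append("churn")
        if s.mean_entropy >= entropy_limit:
            reasons.append("entropy")
        ratio = s.ext_renamed / s.files_changed if s.files_changed else 0.0
        if ratio >= rename_ratio:
            reasons.append("rename")
        if reasons:
            flagged[s.sid] = reasons
    return flagged


def last_known_good(snaps, flagged):
    """Id of the latest snapshot taken before the first flagged one."""
    good = None
    for s in snaps:
        if s.sid in flagged:
            break
        good = s.sid
    return good


# Constructed per-file version history: path -> [(snapshot_id, content_hash)].
FILE_VERSIONS = {
    "finance/q3.xlsx":    [("s02", "h1"), ("s06", "h9")],                 # encrypted in s06
    "hr/handbook.docx":   [("s01", "h2"), ("s04", "h3")],                 # untouched
    "ops/runbook.md":     [("s03", "h4"), ("s06", "h8"), ("s07", "h7")],  # re-edited after
    "tmp/new-report.pdf": [("s06", "h5")],                                # only ever seen encrypted
}


def curated_restore_plan(versions, flagged):
    """Per file, pick the newest version NOT taken in a flagged snapshot:
    the "stitch last-known-good files" idea, drawing on different snapshots
    for different files. Files with no clean version are reported separately
    so they are not restored blindly."""
    plan, unrecoverable = {}, []
    for path, hist in versions.items():
        clean = [(sid, h) for sid, h in hist if sid not in flagged]
        if clean:
            plan[path] = clean[-1]
        else:
            unrecoverable.append(path)
    return plan, unrecoverable


if __name__ == "__main__":
    bad = flag_snapshots(SNAPSHOTS)
    print("flagged:", bad, "last-known-good:", last_known_good(SNAPSHOTS, bad))
    print(curated_restore_plan(FILE_VERSIONS, bad))
```

The baseline here is deliberately short and the thresholds generous; in practice you would compute the baseline per data source and tune the z-score cutoff against your own change history, since a large but legitimate migration can trip the churn signal on its own. The entropy and extension-rename signals are what separate encryption from ordinary bulk edits.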

What Should Ransomware Protection Include?

  • Immutable, air-gapped backups — Prevent attacker access to backup stores.
  • Zero-trust admin controls — Protect backups even from admin misuse; Data Lock can only be undone by Druva support, balancing security and governance.
  • Managed Data Detection and Response for backups (MDDR) — Always-on monitoring and analyst-driven response included for customers.
  • Threat Insights (Threat Watch + Threat Hunting) — Continuous snapshot scans, quarantine, retrospective rescans, and on-demand hunts.
  • Rollback Actions — Temporary cached copies to recover deleted data even after authorized deletion.
  • Automated, curated recovery and recovery scans — Stitch last-known-good versions while filtering files that match AV or IOCs.
  • SaaS security and certifications — Automatic patching and compliance (SOC2, HIPAA, FedRAMP, FIPS as applicable).

Druva Ransomware Recovery

Druva’s 100% SaaS Data Security Cloud couples air-gapped, immutable backups with continuous security scanning and automated recovery workflows. Druva’s Data Lock, Managed Data Detection and Response for backups, Threat Insights (Threat Watch + Threat Hunting), Rollback Actions, and Accelerated Recovery let organizations detect attacks early, quarantine infected snapshots, and rapidly restore a last-known-good environment without re-infecting systems. Druva also maintains third-party certifications and automatic platform patching to operationalize security.

Assess Your Recovery Readiness

Druva’s Cyber Resilience Maturity Model provides a practical framework for assessing readiness. Answer 5 quick questions to receive a personalized score — identify gaps and get strategies you can put into place NOW to be ready for cyber threats.

FAQs

What is ransomware?

Ransomware is malware that encrypts or locks data and demands payment for access; some variants also threaten to leak data.

How does ransomware reach my systems?

Common vectors include phishing attachments/links, compromised credentials, unpatched vulnerabilities, and Ransomware-as-a-Service (RaaS).

Should we ever pay the ransom?

Paying is risky — it does not guarantee recovery and encourages attackers. Prioritize recovery readiness with immutable off-site backups.

How does Druva help with recovery?

Druva provides air-gapped immutable backups, automated scans for threats, threat hunting, rollback actions, and Curated Recovery to stitch last-known-good files and avoid reinfection.

What is Druva Curated Recovery?

Druva streamlines recovery by automatically creating a clean restore point using the latest known good file versions within a selected time range. It scans for threats, excludes malicious content, and delivers a verified snapshot for fast, secure restoration.

What certifications does Druva hold?

Druva lists SOC 2 Type II, HIPAA, FIPS (GovCloud), and FedRAMP Moderate ATO (GovCloud), among others.

Related terms

Now that you’ve learned about ransomware, brush up on these related terms with Druva’s glossary: