What is Ransomware?
Ransomware is malicious code designed primarily to encrypt files on a compromised system. It may be delivered through phishing, droppers, or downloaders, but it is more commonly deployed by actors who have already gained access to a system through active compromise (for example, reusing valid credentials against exposed RDP). This type of malware can usually be subdivided into several groups.
Standard Encryption – Network Connection Required – Ransomware
The first category of this malware is what might be termed the “standard” variant. This type of ransomware was more common in the early days of ransomware. It is relatively unsophisticated, with the ability to encrypt all, or a subset, of the files on a system. Once it begins encrypting, it uses a network connection to transmit the private key to the attacker’s infrastructure; that key can then be provided to decrypt the files once the ransom has been paid. Because of this dependency on a network connection, problems can arise if the system being encrypted loses connectivity (or never had it, in the case of air-gapped systems).
Standard Encryption – Network Connection Not Required – Ransomware
The second type of this malware can also be described as “standard,” and, as with the variant above, it is relatively unsophisticated. The difference is that no network connection is required: the private key is already known to the malware, which lets it begin encrypting on systems that may have no network connection at all. Because this ransomware often carries the private key within its own code, however, it is susceptible to interrogation with debuggers and decompilers.
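As an added illustration of the weakness just described (this is example code written for this page, not code from the original article), the following Python script scans a byte blob the way an analyst might triage a sample: it looks for PEM key markers and for high-entropy windows that often indicate embedded key or cipher material. The sample “payload” it builds is entirely constructed (benign filler text, a placeholder PEM block that is not a real key, and a deterministic random-looking blob), and all function names are this example’s own.

```python
import hashlib
import math
from collections import Counter
from typing import List, Tuple

PEM_MARKER = b"-----BEGIN"  # start of any PEM-encoded key or certificate


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for empty input, up to 8.0 for uniformly random bytes."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def scan_for_embedded_keys(data: bytes, window: int = 1024, stride: int = 512,
                           threshold: float = 7.0) -> List[Tuple[str, int, object]]:
    """Return (kind, offset, detail) findings for PEM markers and high-entropy windows.

    A window whose entropy is near 8 bits/byte stands out against ordinary code and
    strings, which is why a key stored in the clear inside a binary is easy to locate.
    """
    findings: List[Tuple[str, int, object]] = []
    pos = data.find(PEM_MARKER)
    while pos != -1:
        findings.append(("pem_marker", pos, data[pos:pos + 40]))
        pos = data.find(PEM_MARKER, pos + 1)
    for off in range(0, max(1, len(data) - window + 1), stride):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold:
            findings.append(("high_entropy", off, round(ent, 2)))
    return findings


def build_sample() -> Tuple[bytes, int, int]:
    """Constructed stand-in for a payload; returns (data, blob_start, blob_end)."""
    filler = b"Benign program text and strings. " * 100
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
           b"-----END RSA PRIVATE KEY-----\n")
    blob, seed = b"", b"constructed-seed"  # SHA-256 chain: deterministic, random-looking
    while len(blob) < 2048:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    blob = blob[:2048]
    data = filler + pem + filler + blob + filler
    start = len(filler) * 2 + len(pem)
    return data, start, start + len(blob)


if __name__ == "__main__":
    sample, _, _ = build_sample()
    for kind, offset, detail in scan_for_embedded_keys(sample):
        print(f"{kind:13s} @ 0x{offset:06x}  {detail!r}")
```

In practice the same scan is run over the unpacked sample rather than the on-disk file, since packing hides both markers and entropy structure.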
Stand Alone Encryptor Ransomware
The third type of this malware might be termed a “stand-alone encryptor.” This is malware that is typically hand-delivered by an actor after gaining access to a system. These payloads are often generated through an admin console and can have various settings enabled or disabled, including different persistence mechanisms, defense evasion techniques, and execution guardrails (for example, checking the keyboard language before running).
Common Ransomware Families