How does a Ransomware actually work?

Shakhawat Hossain - 0xShakhawat
2 min read · May 14, 2022

Ransomware identifies the drives on an infected system and begins to encrypt the files.

Ransomware generally adds an extension to the encrypted files, such as: .aaa, .micro, .encrypted, .ttt, .xyz, .zzz, .locky, .crypt, .cryptolocker, .vault, or .petya, to show that the files have been encrypted.

Once the ransomware has completed file encryption, it creates and displays a file containing instructions on how the victim can pay the ransom. If the victim pays, the threat actor may provide a key that the victim can use to unlock and recover the files.
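One way a defender can triage a host for the traces just described, as an added example that is not part of the original post: it walks a directory, flags files carrying the extensions listed above, checks whether their contents look encrypted (Shannon entropy close to 8 bits per byte), and spots a likely ransom note. The note-name hints and the sample directory tree are constructed assumptions, not artefacts of any real family.

```python
"""Triage scan for renamed (encrypted) files, high-entropy contents and a
dropped ransom note. The sample tree is constructed here for demonstration."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article lists as typical ransomware renames.
RANSOM_EXTENSIONS = {".aaa", ".micro", ".encrypted", ".ttt", ".xyz", ".zzz",
                     ".locky", ".crypt", ".cryptolocker", ".vault", ".petya"}
# Assumed substrings for note file names; real families pick their own.
NOTE_HINTS = ("readme", "decrypt", "recover", "how_to")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits well below 6, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root, entropy_threshold: float = 7.5) -> dict:
    """Walk root and collect the three indicators as POSIX-style relative paths."""
    findings = {"renamed": [], "high_entropy": [], "notes": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix in RANSOM_EXTENSIONS:
            findings["renamed"].append(rel)
        if suffix in (".txt", ".html") and any(h in path.name.lower() for h in NOTE_HINTS):
            findings["notes"].append(rel)
        head = path.read_bytes()[:65536]  # sample only the first 64 KiB
        if len(head) >= 1024 and shannon_entropy(head) >= entropy_threshold:
            findings["high_entropy"].append(rel)
    return findings

def build_sample_tree() -> str:
    """Constructed sample: plaintext files, two 'encrypted' files and a note."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "budget.csv").write_bytes(b"year,amount\n" * 200)
    (docs / "report.docx.locky").write_bytes(os.urandom(4096))
    (docs / "photo.jpg.encrypted").write_bytes(os.urandom(4096))
    (docs / "HOW_TO_RECOVER_FILES.txt").write_text("Your files are encrypted. Pay within 72 hours.")
    Path(root, "meeting.txt").write_text("plain meeting notes\n" * 60)
    return root
```

Running `scan_tree(build_sample_tree())` reports the two renamed files (which are also the only high-entropy ones) and the single note, while the plaintext files stay clean.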

WE DON’T RECOMMEND PAYING THE RANSOM: IT IS ENTIRELY POSSIBLE THAT THEY WON’T GIVE YOU THE KEY AND, EVEN WORSE, THAT THEY WILL EXTORT YOU AND ASK FOR MORE MONEY.

Ransomware is a specialised class of malware used to infect as many systems as possible, encrypting the data on the devices and holding it to ransom. If the victims pay the attackers within a set timeframe (usually via a cryptocurrency such as Bitcoin), the data is theoretically returned.

Ransomware usually spreads by exploiting known vulnerabilities in commonly installed software (e.g. the Microsoft Windows operating system); it can be extremely fast-spreading once an infection begins, and can demand millions in ransom money. The goal of a ransomware attack is to infect as many systems as possible, then make as much data inaccessible as possible by encrypting it with a key known only to the attacker. Once the attack is complete, the malware usually displays a window that looks something like this:

[Image: example ransom window, captioned "tryhackme"]

This window gives the victims the time limit and instructions on how to pay, as well as a rundown of what exactly has happened to their data. The example above is from the infamous WannaCry ransomware.

With the ransom paid, the malware may or may not decrypt the data and self-destruct, depending entirely on how nice the attackers are.
