

Looking at the Engine: How Does Ransomware Work?


Ransomware has been on a rampage, infecting computers all over the world and encrypting large volumes of vital data. Hackers have become increasingly brazen with their demands: the highest ransom ever paid was $1M, after a South Korean web hosting company was attacked in 2017. There are many types of Ransomware and, although each one's end goal is the same (holding files to ransom), they tend to work in different ways. Here's an answer to the question "How does Ransomware work?" and an explanation of the different types.

KNOWLEDGE CHECK: Ransomware is a type of malicious software designed to block access to a computer system and its files until a sum of money (a ransom) is paid. Unlike most malware, which hides and steals valuable information without the user noticing, Ransomware encrypts files and announces its presence to the user by making the demand. To see other useful IT terms explained in plain English, check out this blog.

How Does Ransomware Work?

In short:

  1. A Ransomware program gets onto your system by conning you into installing or opening it, or by sneaking in as part of another installation.
  2. You log in and see a screen demanding that a ransom be paid before you can access the affected information, files or programs.
  3. You pay the fee via the means outlined.
  4. The cyber-criminals provide the password or key that removes the Ransomware, and you can access your files as normal.

And that's only if the criminals want to collect the ransom and move on. Sometimes people release malware just to cause disruption, or the destructive program spreads out of control.

Ransomware can get onto computers in a variety of ways. In its early days, it was typically spread via phishing spam: emails with infected attachments, posing as a file or sender the user should trust. Users would then download the content or be lured to websites hosting malicious content. Newer variants have spread through removable USB drives and messenger apps.

Phishing is still one of the most common delivery systems. Once the attachment has been opened or the link clicked, the software takes over the computer. Several things might happen, but the most common action is to encrypt some or all of the computer's files; these cannot be decrypted without the cryptographic key held by the attacker. At this point the user is presented with the ransom message.

Alternatively, the attacker may claim to be an official agency, such as law enforcement, shutting down the computer due to the presence of illegal content and demanding a "fine" in the process. They may also threaten to release sensitive information to the public unless the ransom is paid. However, finding and extracting such information can be a time-consuming and complex task so the most common method is to encrypt data. 

What are the Different Types of Ransomware?

With the recent rise in Ransomware attacks, it's tricky to keep track of the various strains but they tend to rely on similar tactics to hold your data hostage.

The most common and worst types of Ransomware are:


Cerber

A strain that burst onto the scene in 2016, Cerber targeted cloud-based Office 365 users, infecting 150,000 Windows users and generating an estimated $195,000 in July of that year alone. Unlike other types of Ransomware, Cerber wasn't spread only by its creators: other hackers were allowed to distribute it and cash in a portion of the profits.


CrySis

This Ransomware hacks into remote desktop services, scans the computer for certain file types and encrypts them. CrySis is particularly dangerous because it also deletes shadow volume copies, so you can't use them to recover your original data.


CryptoLocker

The first documented case of Ransomware was the 1989 AIDS Trojan, but Ransomware really came to prominence in 2013 with CryptoLocker. CryptoLocker was a Trojan (a malicious program disguised as something legitimate) that targeted computers running Microsoft Windows and encrypted their data.

The original strain was shut down in May 2014, but by then the hackers had extorted nearly $3M from victims. Since then, many hackers have copied the CryptoLocker approach, and various Trojans have been modelled on it, such as CryptoWall, CryptoBit, CryptoDefense and CryptoWall 2.0.


Jigsaw

Themed on the horror film Saw, this dangerous malware encrypts files and then progressively deletes them until the ransom is paid. Typically, the victim is given a set period in which to pay; after that the locked files are deleted one by one until none are left.


KeRanger

KeRanger stands out from the other types of Ransomware because it was the first fully functioning Ransomware designed to lock files on Mac OS X. Discovered in 2016, the Trojan infected more than 7,000 Mac users; it waited three days before encrypting files and demanding a ransom.


Locky

Highly active in 2017, Locky was delivered via email with an attached Microsoft Word document containing malicious content. When the document is opened, Locky scrambles your important files and renames them with the .locky extension. To decrypt them, you have to buy the key from the hackers via the dark web.


Petya

An example of a front-door virus, Petya posed as software from a reputable company, a Ukrainian tax and accounting package. Once downloaded, it infected the user's system. NotPetya is a variant that wipes data from the system rather than holding it to ransom.


SimpleLocker

As more and more people prefer to use mobile devices rather than computers day to day, it made sense for hackers and their viruses to move there too. Between late 2015 and early 2016, the number of Ransomware attacks on Android devices multiplied almost fourfold, with SimpleLocker being one of the first and most aggressive strains. SimpleLocker was also one of the first known Ransomware strains to deliver its payload via a Trojan downloader, which made it harder for security measures to catch up.


TorrentLocker

Distributed through geographically targeted spam email campaigns, TorrentLocker typically hit specific regions. Files weren't just encrypted: the virus also collected email addresses from the victim's address book to spread the malware beyond that computer.


WannaCry

[Map: countries affected by the WannaCry attack]

This map shows the extent of countries affected by the WannaCry malware attack.

This widespread Ransomware campaign affected over 125,000 organisations in over 150 countries. It still affects Windows machines, breaking in through a Windows vulnerability using the EternalBlue exploit. Even the NHS was attacked in May 2017, with 16 Trusts affected across the UK. This cost them £180,000 in emergency fees, and 6,900 appointments were cancelled.
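The behaviours described for these strains are what a defender can actually watch for: a process rewriting many files under a new extension in a short burst (Locky's .locky renames) and a process deleting shadow volume copies so the victim cannot roll back (CrySis). The following Python script is an added example, not code from the original article; it runs a small detector over a constructed file-activity log. The log format, the process names photos.exe and payload.exe, the 20-renames-in-60-seconds threshold and the .crypt and .encrypted extensions are assumptions made for the example; .locky comes from the article, and the vssadmin/wmic shadow-copy commands are real Windows built-ins that defenders commonly alert on.

```python
"""Toy ransomware-behaviour detector over a constructed file-activity log (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath


@dataclass
class Event:
    ts: datetime
    proc: str
    kind: str     # "rename" or "cmd"
    detail: str   # "old_path -> new_path" for rename, the command line for cmd


# .locky is the extension named in the article; .crypt and .encrypted are hypothetical additions
SUSPICIOUS_EXTENSIONS = {".locky", ".crypt", ".encrypted"}

# Windows built-ins that delete shadow volume copies (the CrySis behaviour described above)
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)

RENAME_THRESHOLD = 20           # this many extension-changing renames by one process ...
WINDOW = timedelta(seconds=60)  # ... inside this window count as a mass-rename burst


def parse_log(lines):
    """Parse tab-separated lines: ISO timestamp, process, kind, detail (assumed log format)."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        ts, proc, kind, detail = line.split("\t", 3)
        events.append(Event(datetime.fromisoformat(ts), proc, kind, detail))
    return events


def detect(events):
    """Return (rule, process, detail) alerts; each rule fires at most once per process."""
    alerts = []
    recent = defaultdict(deque)   # process -> timestamps of extension-changing renames
    reported = set()              # (rule, process) pairs already alerted on
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "cmd":
            if SHADOW_DELETE.search(ev.detail) and ("shadow", ev.proc) not in reported:
                reported.add(("shadow", ev.proc))
                alerts.append(("shadow_copy_deletion", ev.proc, ev.detail))
            continue
        if ev.kind != "rename" or " -> " not in ev.detail:
            continue
        old, new = ev.detail.split(" -> ", 1)
        old_ext = PureWindowsPath(old).suffix.lower()
        new_ext = PureWindowsPath(new).suffix.lower()
        # A known ransomware extension is an indicator on its own, no threshold needed
        if new_ext in SUSPICIOUS_EXTENSIONS and ("ext", ev.proc) not in reported:
            reported.add(("ext", ev.proc))
            alerts.append(("known_ransomware_extension", ev.proc, new))
        if old_ext == new_ext:
            continue
        # Sliding window of extension-changing renames per process
        window = recent[ev.proc]
        window.append(ev.ts)
        while window and ev.ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= RENAME_THRESHOLD and ("burst", ev.proc) not in reported:
            reported.add(("burst", ev.proc))
            alerts.append(("mass_extension_rename", ev.proc,
                           f"{len(window)} extension-changing renames within {WINDOW.seconds}s"))
    return alerts


def sample_log():
    """Constructed log: a benign image converter and a hypothetical payload.exe."""
    t0 = datetime(2017, 5, 12, 9, 0, 0)
    lines = []
    for i in range(5):   # benign: five format conversions, well under the threshold
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts}\tphotos.exe\trename\tC:\\Pics\\img{i}.png -> C:\\Pics\\img{i}.jpg")
    for i in range(25):  # suspicious: 25 documents renamed to .locky in under a minute
        ts = (t0 + timedelta(seconds=10 + i)).isoformat()
        lines.append(f"{ts}\tpayload.exe\trename\tC:\\Docs\\report{i}.docx -> C:\\Docs\\report{i}.locky")
    ts = (t0 + timedelta(seconds=40)).isoformat()  # then the roll-back option is removed
    lines.append(f"{ts}\tpayload.exe\tcmd\tvssadmin.exe delete shadows /all /quiet")
    return lines


if __name__ == "__main__":
    for rule, proc, detail in detect(parse_log(sample_log())):
        print(f"[{rule}] {proc}: {detail}")
```

On the constructed log the benign converter produces no alert, while payload.exe triggers all three rules in order: the known extension on its first rename, the burst rule on the twentieth, and the shadow-copy rule on the command. In a real deployment the same three rules would be fed from endpoint telemetry rather than a text file, and the threshold would be tuned against the normal rename rate of the environment.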

Removing and Preventing Ransomware

It's always better to take precautions to prevent Ransomware attacks from happening than to try and remove them. You should:


  1. Have a disaster recovery plan in place.
  2. Store your data in a centralised location to reduce the chance of mismanagement, but keep your backups separate from the original data. It's wise to keep copies both in a cloud-based system and in hard copy.
  3. Back up at regular intervals. You never know when hackers may strike.
  4. Ensure only authorised members of staff have access to the sensitive data and monitor that activity.

But if you are, unfortunately, hit by a malware attack, it's time to follow some data recovery steps. First, look at your backups and decide what is worth salvaging from them. If you and your data have somehow magically escaped unscathed, then that's fantastic: problem solved. But if you have lost vital data, review your backups, see what can be restored and assess whether recreating the lost data will be a problem.

Then, call a recovery professional for help and advice. Avoid DIY methods such as downloading your own anti-malware software; you don't want to do any more damage.
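To make the backup advice above (keep copies separate, back up at regular intervals) and the first recovery step (work out what can be restored) concrete, here is an added Python example that is not part of the original article. It writes a SHA-256 manifest when a backup is taken, then runs a drill that checks the backup is outside the live data tree, is not older than the agreed interval and has not been altered, and finally lists the files whose live copy no longer matches the manifest but whose backup copy still does. The directory layout, file contents and the 24-hour interval are constructed for the example.

```python
"""Backup drill: hashed manifest at backup time, then separation, freshness,
integrity and restorability checks (added example, constructed data)."""
import hashlib
import json
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dst: Path) -> dict:
    """Copy every file under src to dst and record each file's SHA-256 in a manifest."""
    files = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(f.read_bytes())
        files[rel] = sha256_file(f)
    manifest = {"created": time.time(), "files": files}
    (dst / MANIFEST).write_text(json.dumps(manifest))
    return manifest


def verify_backup(src: Path, dst: Path, max_age_seconds: float) -> list:
    """Return a list of problems; an empty list means the backup passed the drill."""
    problems = []
    src_r, dst_r = src.resolve(), dst.resolve()
    if dst_r == src_r or src_r in dst_r.parents:   # separation: not inside the live tree
        problems.append("backup is stored inside the live data tree")
    mpath = dst / MANIFEST
    if not mpath.exists():
        return problems + ["manifest missing: backup never completed"]
    manifest = json.loads(mpath.read_text())
    if time.time() - manifest["created"] > max_age_seconds:   # freshness
        problems.append("backup older than the agreed interval")
    for rel, digest in manifest["files"].items():            # integrity
        copy = dst / rel
        if not copy.exists():
            problems.append(f"missing from backup: {rel}")
        elif sha256_file(copy) != digest:
            problems.append(f"backup copy altered: {rel}")
    return problems


def restore_candidates(src: Path, dst: Path) -> list:
    """Files whose live copy no longer matches the manifest but whose backup copy still does."""
    manifest = json.loads((dst / MANIFEST).read_text())
    out = []
    for rel, digest in manifest["files"].items():
        live, copy = src / rel, dst / rel
        live_ok = live.exists() and sha256_file(live) == digest
        copy_ok = copy.exists() and sha256_file(copy) == digest
        if not live_ok and copy_ok:
            out.append(rel)
    return sorted(out)


def drill() -> tuple:
    """Run the drill on constructed files; returns (clean_problems, damaged_problems, candidates)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "live", Path(tmp) / "backup"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.csv").write_text("constructed,sample,data\n")
        (src / "notes.txt").write_text("constructed notes\n")
        make_backup(src, dst)
        clean = verify_backup(src, dst, max_age_seconds=24 * 3600)
        # Simulate the incident: live files scrambled, and one backup copy tampered with
        (src / "notes.txt").write_bytes(b"\x00scrambled")
        (src / "finance" / "q1.csv").write_bytes(b"\x00scrambled")
        (dst / "finance" / "q1.csv").write_bytes(b"tampered")
        damaged = verify_backup(src, dst, max_age_seconds=24 * 3600)
        return clean, damaged, restore_candidates(src, dst)


if __name__ == "__main__":
    clean, damaged, candidates = drill()
    print("before incident:", clean or "backup OK")
    print("after incident:", damaged)
    print("restorable:", candidates)
```

The point of the drill is that a backup you have never verified is only a hope: the manifest lets you tell an intact copy from one the attacker also reached, and the separation check catches the common mistake of keeping the backup on the same tree that the Ransomware will encrypt. Run it on a schedule matching your backup interval so a stale or silently broken backup is noticed before you need it.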


Try and avoid paying the ransom. There's no guarantee that you'll get your data back or that the hackers won't upload your sensitive business information all over the internet. Always seek professional advice first. 

Learn More About Ransomware in our Free Guide

As technology keeps developing, so will the threat and magnitude of cyber crime. Ransomware will only become more sophisticated, and it will be even harder to treat and defend against. So it's important that you have a disaster recovery plan in place in case it happens to you.

If you'd like to find out more about disaster recovery, what it is and how you can handle it, download our free guide. The threat's growing and a big Ransomware hit can mean disaster for your business. Find out more below...
