Ransomware - How It Spreads and How to Stop It
Ransomware is a type of malware that encrypts the files on an infected computer to render them unusable and demands a ransom in exchange for their recovery. It targets a wide range of victims, from individuals to large enterprises, medical institutions, and government agencies, causing damages on the scale of billions of dollars per year worldwide. According to a 2024 Chainalysis report, although the total amount of ransom payments is trending downward year over year, the number of attacks themselves is increasing, and double-extortion attacks (which, in addition to encrypting data, threaten to publish stolen data) have become mainstream.
Historical Background
The first ransomware is considered to be the 1989 "AIDS Trojan," which was distributed on floppy disks. However, it became a serious threat only from CryptoLocker in 2013 onward. The spread of cryptocurrencies such as Bitcoin made it easy to receive ransoms anonymously, which drove a sharp rise in attacks. The 2017 WannaCry attack caused damage in over 150 countries worldwide and made the ransomware threat widely known to the general public. Today, a business model called RaaS (Ransomware as a Service) has become established, creating a situation in which even criminals without technical skills can carry out ransomware attacks.
Infection Vectors
The most common infection vector is attachments or links in phishing emails. Macro-enabled Office documents and executable files disguised as legitimate software are used. Intrusions that exploit vulnerabilities in the Remote Desktop Protocol (RDP) are also frequent. Infections via exploit kits that abuse software vulnerabilities and via supply-chain attacks have also been reported.
The threats and countermeasures of ransomware are explained in detail in ransomware defense books on Amazon.
Real-World Use Cases
"At 2 a.m., a ransomware alert was triggered and we convened the emergency response team. We immediately isolated the infected device from the network and began recovery from offline backups."
Infection Flow
Practical Prevention and Countermeasures
The basics of prevention are keeping the OS and software always up to date, not opening suspicious email attachments, and making regular backups. It is important to store backups on offline storage that is disconnected from the network. A common pitfall is the expectation that "if you pay the ransom, your data will come back," but there are many reported cases in which data was not recovered even after payment, or in which the victim was attacked again. By protecting RDP and cloud service accounts with strong random passwords and enabling two-factor authentication, you can greatly reduce the risk of initial intrusion. Backup and recovery guides (Amazon) are also helpful references for minimizing damage.
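The encryption behaviour described above (files rewritten as ciphertext, often renamed) can be spotted with a simple entropy heuristic. The following is an added defensive example written for this page, not code from the original article; the thresholds, the `.locked` names and the sample snapshot are constructed assumptions.

```python
# Entropy-based triage of a file snapshot for ransomware-style encryption.
# Ciphertext has a near-uniform byte distribution (~8 bits/byte), while
# documents, source code and logs sit well below that. Thresholds below
# are illustrative assumptions, not values from the article.
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits/byte; assumption, tune per environment
ALERT_FRACTION = 0.5      # share of flagged files that raises an alert
# Magic numbers of formats that are legitimately high-entropy (compressed).
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """High entropy AND not a known compressed container."""
    if data.startswith(COMPRESSED_MAGIC):
        return False
    return shannon_entropy(data) >= threshold

def triage_snapshot(files: dict) -> tuple:
    """Return (sorted suspicious names, alert flag) for a {name: bytes} snapshot."""
    suspicious = sorted(name for name, blob in files.items() if looks_encrypted(blob))
    alert = bool(files) and len(suspicious) / len(files) >= ALERT_FRACTION
    return suspicious, alert

def _pseudo_ciphertext(seed: bytes, blocks: int = 128) -> bytes:
    """Deterministic stand-in for encrypted output (constructed sample data)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(2, "big")).digest() for i in range(blocks))

# Constructed snapshot: two documents still in plaintext, two already encrypted.
SAMPLE_SNAPSHOT = {
    "report.txt": b"Quarterly report: revenue up 4%, costs flat.\n" * 40,
    "notes.md": b"# Incident notes\n- 02:00 alert fired\n- host isolated\n" * 30,
    "report.txt.locked": _pseudo_ciphertext(b"a"),
    "notes.md.locked": _pseudo_ciphertext(b"b"),
}

if __name__ == "__main__":
    names, alert = triage_snapshot(SAMPLE_SNAPSHOT)
    print("suspicious:", names, "alert:", alert)
```

Run against a periodic snapshot of a file share, the alert flag is a cue to isolate the host and fail over to the offline backups mentioned above.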