Thanks to Sophos Next Generation and their article “How to Stay Protected Against Ransomware” for the research and technical information used within this blog post. For more information on this subject, visit: https://secure2.sophos.com/en-us/security-news-trends/whitepapers/gated-wp/sophos-ransomware-protection.aspx

How does a ransomware attack happen?

There are two main ways that a ransomware attack starts: 1) through an email with a malicious attachment, or 2) by visiting a compromised website (note: this can even be a legitimate and mainstream site).

Malicious email
Cyber criminals are creating emails that are indistinguishable from genuine ones. These emails are grammatically correct with no spelling mistakes, and are often written in a way that is relevant to you and your business.

However, when the file is executed the ransomware is downloaded and installed onto your computer. In this example it’s actually a JavaScript file disguised as a .txt file that’s the Trojan Horse, but there are many other variations on the malicious email approach, such as a Word document with macros, and shortcut (.lnk) files.

Malicious websites
Another common way to get infected is by visiting a legitimate website that has been infected with an Exploit Kit. Even popular websites can be compromised. Exploit kits are black market tools that criminals use to exploit known or unknown vulnerabilities.

You browse to the hacked website and click on an innocent-looking link, hover over an ad or in many cases just look at the page and that’s enough to download the ransomware file onto your computer and run it, often with no visible sign until after the damage is done.

What happens next?
After initial exposure such as via the email and web examples, the ransomware takes further action:

-It contacts the attacker’s Command & Control server, sending information about the infected computer and downloading an individual public key for it.

-Specific file types (which vary by ransomware type) such as Office documents, database files, PDFs, CAD documents, HTML, XML, etc.are encrypted on the local computer, removable devices and all accessible network drives.

-Automatic backups of the Windows operating system (shadow copies) are frequently deleted to prevent data recovery.

-A message appears on the desktop explaining how the ransom can be paid (typically in Bitcoins) in the specific time frame.

Sources:

Sophos, “How to Stay Protected Against Ransomware.” Retrieved from https://secure2.sophos.com/en-us/security-news-trends/whitepapers/gated-wp/sophos-ransomware-protection.aspx