How Malware Works
Since malware covers a wide range of malicious functionality, there are many different types. Some common types of malware include:
- Cryptominers
- Mobile malware
- Botnets
- Infostealers
- Trojans
- Ransomware
All of these malware variants have different goals, but they use many of the same techniques to achieve them. For example, phishing emails are a common delivery mechanism for all types of malware, and different types of malware can all use the same techniques to hide themselves on a computer.
How Ransomware Works
Putting it simply, all ransomware is malware, but not all malware is ransomware. The goal of ransomware, which is made possible by encryption technology, is to deny the victim access to their files and demand a ransom in exchange for restoring that access.
Once ransomware gains access to a computer, it works its way through the filesystem checking the types of files that it finds. If a file matches a built-in list of file extensions, the malware encrypts the data that it contains, replaces the original with the encrypted version, and wipes any record of the original from the system.
Many ransomware variants will also work to spread beyond their initial target. This enables the attacker to expand the number of infected systems, access higher-value systems, and increase their payoffs.
After the ransomware has completed the encryption process, it presents a ransom demand to the user. If the user pays the ransom demand, then the attacker provides them with a copy of the encryption key for their files. Using this key and attacker-provided decryption software, the ransomware victim should be able to decrypt most or all of their files, restoring access to them.
Ransomware and Other Malware
As ransomware has evolved over the years, the lines between ransomware and other types of malware have blurred, creating hybrids such as:
- Ransomware Worms: A worm is malware that spreads itself by exploiting vulnerabilities, sending emails, etc. Ransomware worms are malware such as WannaCry that combine the capabilities of ransomware and worms: encrypting files and spreading themselves to new computers.
- Data Breaching Ransomware: Ransomware’s profit model is based upon its victims paying the ransom; however, some victims refuse to pay and try to recover independently instead. To address this issue, some ransomware variants are designed to steal sensitive data and send it to the attackers before beginning encryption. This gives an attacker additional leverage to coerce their victims into paying the ransom.
- Ransomware Wipers: In fact, ransomware wipers are not true ransomware at all. Malware such as NotPetya was designed to look like ransomware but has no intention of providing the decryption key if the ransom is paid. In the case of NotPetya, the malware never even sent the encryption key to the ransomware operators, making it impossible for them to provide it in exchange for a ransom payment. The entire purpose of this type of malware is to destroy access to files or computers by encrypting important files.
From a core functionality standpoint, all of these different types are similar: they use encryption to achieve their goals. However, the addition of extra “features” or masquerading as ransomware can be profitable to the attacker.
How to Protect Against Malware
The best way to manage a malware attack is via prevention. However, malware prevention can be complex because ransomware can be delivered via a number of different attack vectors, including:
- Phishing Messages: Phishing is one of the most common delivery mechanisms for malware in general and also for ransomware in particular. Closing this potential attack vector requires a robust email security solution that scans emails and identifies malicious links and attachments.
- Malicious Downloads: Ransomware and other types of malware can also be delivered over the Internet via trojans (malware that masquerades as a legitimate program) or by exploiting browser vulnerabilities. Blocking these attacks requires an endpoint security solution that detects and eradicates malware on a device.
- Network Spread: Some malware variants are designed to spread over the network by identifying and exploiting vulnerable systems. A network security solution can help to detect and block this attempted lateral spread.
- Mobile Malware: Mobile devices can also be high-value targets for malware attacks. Mobile security solutions are essential to identifying and blocking mobile malware and ransomware attacks.
Organizations require a comprehensive malware prevention solution to minimize the malware and ransomware threat. To learn more about protecting against malware, contact us. You’re also welcome to schedule a demo of one or more of our products to see how Check Point solutions help to close malware attack vectors.
