The Complete Guide to Ransomware

Written By: Ontrack

Date Published: 23 October 2023 4:28:01 AM

What is Ransomware? The Complete Guide

Ransomware is a form of malicious software designed either to block access to a computer system or to publish a victim’s data online. The attacker demands a ransom from the victim, promising – not always truthfully – to restore access to the data upon payment.

Ransomware has been around since the 1980s, and the last decade has seen an increase in the number of ransomware Trojans surfacing, but the real opportunity for attackers has grown since the introduction of Bitcoin. This cryptocurrency allows attackers to easily collect money from their victims without going through traditional channels.

A ransomware attack begins when malicious software is downloaded onto a device. Examples of device types are laptops, smartphones or desktop computers. The malicious software is normally downloaded due to user error or inadequate security protocols.

Over the last few years, phishing attacks have become a popular way of distributing ransomware. A phishing attack is where a cybercriminal will attach an infected document or URL to an email, disguising it as legitimate mail, with the hope that it will trick the recipient into opening it. Once opened, the ransomware is installed on the device.

The ‘trojan horse’ is another popular style of attack that involves disguising ransomware as legitimate software, and then infecting devices after users install this software.

Once ransomware has infected a system, it takes over the device's critical processes and searches for files to encrypt; it scrambles all the data on the device and deletes any files it cannot encrypt. It will also infect any external devices attached to the host machine, and it sends signals to other devices on the infected network to infect them as well.

There are many different variants of ransomware, with new ones being created all the time. Below are the most recurrent and famous ransomware types:


The most common delivery system for ransomware is phishing spam – attachments that arrive in a victim’s email, masquerading as a file that they can trust. According to research from Trend Micro, a security research firm, 91% of cyber attacks and the resulting data breaches begin with a spear-phishing email.

Once the attachment has been downloaded and opened, the malware can take over the victim’s computer, encrypting some of the user’s files. When this happens, the only way the files can be decrypted is through a mathematical key known only to the attacker.

There have also been cases where malware will display a message claiming that the user’s ‘Windows’ is locked. The user is then encouraged to call a “Microsoft” phone number and enter a six-digit code to reactivate the system. The message alleges that the phone call is free, but this isn’t true. While on the phone calling the fake ‘Microsoft’, the user racks up long-distance call charges.


Another type of malware is leakware, or doxware. This is where the attacker threatens to release sensitive data from the victim’s hard drive unless a ransom is paid. It often targets emails and Word documents, but there have also been cases of mobile variants where private messages, pictures, and contact lists from users’ phones have been released.

Doxware is recognized as a more effective malware than ransomware – in terms of getting the money from the victim. With ransomware, you can maintain separate backups of data that is no longer accessible, but with doxware, once an attacker has information that the victim doesn’t want to be made public, there is little to be done apart from paying up.


A discovery of 2019 was the ransomware Anatova. This new, extremely advanced type of ransomware disguises itself as the icon of a game or application to trick the user into downloading it. It adapts quickly and uses evasion and spreading techniques to prevent its discovery. Due to its modular design, it can embed additional functionality that allows it to thwart anti-ransomware methods. Fortunately, the McAfee Advanced Threat Research team discovered this new ransomware family in early 2019 before it became a significant threat.


A variant of CrySiS, Dharma ransomware has been around since 2018, but cybercriminals continue to release new variants, which are impossible to decrypt.


GandCrab is malicious ransomware that uses AES encryption and drops a file called ‘GandCrab.exe’ onto the system. GandCrab targets consumers and businesses with PCs running Microsoft Windows. On May 31st, 2019, the cybercriminals behind GandCrab sent an announcement saying they were stopping all further GandCrab ransomware attacks, claiming they had made over $2 billion in ransom payments and were taking a “well-earnt retirement.”


Emotet was originally a malware that targeted banks – it would sneak onto your computer and steal sensitive and private information. First on the scene in 2014, Emotet has gone through a variety of versions, evolving into ransomware that can evade detection even by some anti-malware products. Since its inception, Emotet has stolen banking logins, financial data, and Bitcoin wallets from individuals, companies and government entities across Europe and the USA.

Hackers usually introduce Emotet via spam emails made to look legitimate, using tempting language to trick the victim into clicking on the link; it then uses worm-like capabilities to spread to other computers.

According to the US Department of Homeland Security, Emotet is one of the most costly and destructive malware families. The estimated cost of the average Emotet attack is upwards of $1 million to clean up.


Ryuk specifically targets large organizations for a high-financial return. According to CrowdStrike, between August 2018 and January 2019, Ryuk netted over 705.80 bitcoins across 52 transactions totaling a value of $3,701,893.98. It first turned heads with its attack on Tribune Publishing’s operations over the Christmas period of 2018. At first, the company thought the attack was just a server outage, but it was soon clear it was the Ryuk ransomware.

Another term for ransomware such as Ryuk that targets large enterprises for high ROI is ‘big game hunting.’ These large-scale attacks involve detailed customization of campaigns to best suit the individual targets, increasing the attack’s effectiveness. ‘Big game hunting’ therefore requires much more work from the hacker; it is also normally launched in phases. For example, phase one might be a phishing attack focused on infecting an enterprise’s network with malware to map the system and identify crucial assets to target. Phases two and three will then be a series of extortion and ransom attacks/demands.

Am I a target for ransomware?

No vertical is safe from the effects of ransomware. Unfortunately, some are more susceptible to successful attacks than others. There are various reasons for this: the technology they deploy, the security they have in place, identity governance and privilege maturity, and their overall cybersecurity protocols.

Organisations from a variety of different sectors and industries have become victims of ransomware attacks. From healthcare to airlines, the attackers don’t seem to have a preference of who they target…or do they?

An attacker will normally choose an organisation to hit based on two things:

  1. Opportunity
  2. Potential financial gain

Opportunity

If an organization has a small security team, lacks IT resources, and has a user base that shares many files, i.e., a University, then an attacker may view this as an easy target.

Potential financial gain

Organizations that need immediate access to their files, e.g. Law firms or government agencies, may be more likely to pay a ransom quickly. Organizations with sensitive data may also be willing to pay to keep the news of the data breach quiet.

Should I pay the ransom?

You would think that paying a ransom to gain access to your data was bad enough, but that can pale in comparison to the actual damage costs involved with an attack. Additional implications include:

  • Damage and destruction (or loss) of data
  • Lost productivity
  • Post-attack disruption to the normal course of business
  • Forensic investigation
  • Restoration and deletion of hostage data and systems
  • Reputational harm
  • Employee training in direct response to the attacks

When you take the above into account, it is no wonder that ransomware damages are predicted to climb to $11.5 billion this year, with an attack projected every 14 seconds by the end of this year, up from every 40 seconds last year.

When you speak to cybercrime experts, most urge you not to pay the ransoms as funding ransomware attackers will only help create more ransomware.

However, many organizations go against this advice, weighing up the cost of the encrypted data against the ransom being asked. Last year, in the US, 45% of companies hit with ransomware paid their attackers. But why?

While refusing to pay ransomware is suggested for the wider business community, refusing to pay may not be the best course of action for the business itself. When there is a chance the business may permanently lose access to vital data, incur fines from regulators or go out of business altogether, a business’s options may seem bleak. The choice between paying a relatively modest ransom and staying in business, or refusing to pay to help the wider business community, is a no-brainer for most.

In many ransomware cases, the ransom demanded is set at a point that makes it worth the attacker’s while, but low enough that it is often cheaper than the victim paying to reconstruct their lost data. Discounts are also sometimes offered if the victim pays within a certain timeframe, e.g. 3 days.

With that in mind, some companies are building up reserves of Bitcoin specifically for ransom payments. For example in the UK, organizations seem more likely to pay ransoms. According to Gotham Sharma, managing director at Exeltek Consulting Group, “About a third of mid-sized British companies report having Bitcoin on hand to respond to ransomware emergencies when other options can’t be immediately exhausted.”

What to do when you’re under a ransomware attack

If you find yourself infected by ransomware, first you need to find out what kind of ransomware it is. If you can’t get past a ransom note on your screen, then you have probably been infected by screen-locking ransomware. If you can browse through your apps but can’t open your files, movies etc., you have been hit with encrypting ransomware – the worse of the two. If you can navigate your system and read all your files, then you have probably been hit with a fake that is just trying to scare you into paying.

There is a great blog that goes into detail about what to do when you’re hit with both screen-locking and encrypting ransomware here.

Even with the best precautions and policies in place, you may still suffer from an attack. In the event your data is held hostage by Ransomware, the following is recommended:

  1. Remain calm.
    Rash decisions could cause further data loss. For example, if you discover an infection and suddenly cut power to a server, rather than powering it down properly, you could lose data in addition to the infected data.

  2. Never pay the ransom because attackers may not unlock your data.
    There are many cases of victims paying the ransom demanded and not receiving their data back in return. Rather than running this risk, companies should work with data recovery experts who may be able to regain access to data by reverse-engineering the malware.

  3. Check your most recent set of backups.
    If they are intact and up to date, data recovery becomes easier: restore them to a different system.

  4. Contact an expert to explore recovery options.
    An expert data recovery specialist will examine your scenario to see if they have a solution already in place; if not, they should be able to develop one in time.

How to prevent a ransomware attack

Ransomware variants will target different business verticals. The highest risk targets are healthcare, financial institutions, and government agencies. Those who are at risk should take precautions to reduce their risk and lessen the effects of an attack.

One of the most important plans your organization should have in place is a Disaster Recovery Plan. If you don’t have one in place, the chances are that the consequences will be severe. According to the National Archives and Records Administration, 93% of companies that experience data loss and downtime for ten or more days file for bankruptcy within 12 months.

A disaster recovery plan describes various scenarios for resuming work quickly after a disaster, e.g. a ransomware attack. It is a vital part of an organization’s business continuity plan and should allow for sufficient IT recovery and data loss prevention.

If you don’t have a disaster recovery plan, you can download our free template here.

Other recommendations include:

    1. Ensure you have up-to-date backups - this way if anything does happen, restoration of your files from a backup is the fastest way to regain access to your data.

    2. Be prepared by testing backups regularly. Organizations must be familiar with what is stored in backup archives and ensure the most critical data is accessible should ransomware target backups.

    3. Implement security policies. Use the latest anti-virus and anti-malware software and monitor consistently to prevent infections.

    4. Develop IT policies that limit infections on other network resources. Companies should put safeguards in place, so if one device becomes infected with ransomware, it does not permeate throughout the network.

    5. Conduct user training to ensure all employees can spot a potential attack. Make sure employees are aware of best practices to avoid accidentally downloading ransomware or opening up the network to outsiders.

    6. Make sure you have content scanning and filtering on your mail servers. Scan every inbound email for known threats and block any attachment types that could pose a threat.

    7. Watch our ransomware webinar
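As an added example of the attachment filtering in recommendation 6 (this is illustrative code, not Ontrack’s tooling), the script below parses a constructed phishing-style email with Python’s standard `email` library, classifies each attachment by its final extension so that a disguised name such as `Invoice_2023.pdf.exe` is still treated as an executable, and returns a delivery verdict. The blocklist and archive list are assumed example policies, not a complete set.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed example policy tables (not a complete or authoritative list).
BLOCKED_EXTS = {"exe", "scr", "js", "jse", "vbs", "vbe", "hta", "bat", "cmd",
                "ps1", "lnk", "docm", "xlsm", "pptm"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}   # payloads are often nested inside

def classify_attachment(filename):
    """Return 'block', 'scan' or 'allow' for an attachment filename.
    Only the last extension decides what Windows would execute, so
    'Invoice.pdf.exe' is an executable regardless of the '.pdf' in the middle."""
    if not filename:
        return "scan"                      # unnamed part: cannot judge, sandbox it
    exts = filename.lower().split(".")[1:]
    if not exts:
        return "scan"                      # bare name with no extension at all
    if exts[-1] in BLOCKED_EXTS:
        return "block"
    if exts[-1] in ARCHIVE_EXTS:
        return "scan"
    return "allow"

def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and return (verdict, findings).
    verdict: 'quarantine' if any attachment is blocked, 'sandbox' if any needs
    deeper inspection, otherwise 'deliver'. findings lists (name, type, decision)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        findings.append((name, part.get_content_type(), classify_attachment(name)))
    decisions = {decision for _, _, decision in findings}
    if "block" in decisions:
        return "quarantine", findings
    if "scan" in decisions:
        return "sandbox", findings
    return "deliver", findings

def build_sample():
    """Constructed sample mail: one benign PDF and one executable disguised as a PDF."""
    m = EmailMessage()
    m["From"] = "accounts@example.invalid"
    m["To"] = "finance@example.invalid"
    m["Subject"] = "Overdue invoice - action required"
    m.set_content("Please review the attached invoice.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="Q3_report.pdf")
    m.add_attachment(b"MZ constructed", maintype="application",
                     subtype="octet-stream", filename="Invoice_2023.pdf.exe")
    return m.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))   # ('quarantine', [...])
```

On a real mail gateway this filename check is only the first layer; the `scan` verdict is where archive unpacking and content inspection would take over.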

Reducing your attack surface

The management of data across its lifecycle is often not a consideration for many organizations. But without a data lifecycle strategy in place, an organization is leaving itself exposed to serious security risks and costs. Today, the cost of ineffectively safeguarding data comes with ‘too high a price’.

It’s not just ransomware attacks that organizations need to be wary of: data breaches, damaged reputation, lost customers, downtime, and large fines are all potential risks for an organization that doesn’t effectively manage its data’s lifecycle.

Those organizations that take the time to invest the necessary efforts and resources in data lifecycle management can minimize the risks and costs of their business-critical data at all stages.

How Ontrack has helped organisations hit by ransomware 

At Ontrack, we are continually tracking 271 different types of ransomware. Ransomware changes and develops all of the time, so we want to make sure we are watching and studying the latest changes and advancements. Studying ransomware and its ever-changing forms provides additional knowledge and experience, leading to a higher probability that we will recover data that has been lost as a result of an attack.

We currently have decryption capabilities for 138 types of ransomware. Only a couple of years ago this figure was six, so we have come a long way!

When it comes to inaccessible data, it is always best to contact an expert. If you find yourself under attack from ransomware, contact an expert like Ontrack, who may have the capability to help you regain access to your data.
