> [!abstract] In short: Ransomware is malware that encrypts a victim's files and demands payment for the decryption key. It attacks **availability**: your data is still there, you just can't reach it. And paying guarantees nothing.
## What it is
Ransomware is malicious software that, once inside a network, encrypts files on workstations and servers (and on any backup storage it can reach), which destroys availability: the data is still on disk, but unreadable without a key that only the attackers hold. They then demand a ransom in exchange for that key, usually packaged as a decryptor tool.
Beyond the financial cost and the uncomfortable fact that the key sometimes isn't provided even after paying (or the decryptor that does arrive only partly works), the impact can disrupt essential services, break trust, damage reputation, and even cost lives when critical services like hospitals are hit.
## How it works
1. **Access.** The attacker gets a foothold in the victim's environment, most often through phishing (an attachment or link that drops a loader), but also through exposed remote-access services such as RDP or VPN gateways, stolen or reused credentials, and unpatched internet-facing software. In human-operated campaigns the intruder then escalates privileges, disables security tooling, and spreads to as many hosts as possible before any file is touched.
2. **Encryption.** The ransomware encrypts files with standard, well-designed ciphers, not anything exotic: typically a fresh symmetric key per file (AES or ChaCha20), with each file key in turn encrypted under a public key that belongs to the attacker. The matching private key never touches the victim's machine, so reverse-engineering the malware or brute force recovers nothing. Many families also delete local shadow copies and other snapshots first, so the easy local restore path is gone.
3. **Ransom demand.** A message tells the victim how much to pay and where to get the decryption key.
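To make the encryption step concrete, here is an added example (not code from this page's author or from any real ransomware family) of the envelope-encryption pattern it relies on: a random per-file AES-256-GCM key, wrapped with the attacker's RSA-OAEP public key, with the plaintext key discarded. It is written in Go using only the standard library. The `EncryptedFile` layout, the function names and the sample file contents are constructed for illustration; what it shows is that once the file key has been wrapped and thrown away, only the holder of the attacker's private key can get it back, which is exactly what the ransom is for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what the encryption step leaves on the victim's disk: the
// ciphertext, its nonce, and the per-file key wrapped with the attacker's RSA
// public key. Nothing in it decrypts without the attacker's private key.
// (Layout constructed for this example, not any real family's file format.)
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// GenerateAttackerKeys stands in for the key pair the operator creates offline
// before the campaign. Only the public half is ever shipped to the victim.
func GenerateAttackerKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile models the per-file work: a fresh random AES-256 key, AES-GCM
// over the contents, the key wrapped with RSA-OAEP, and the plaintext key
// discarded so the victim's machine never holds anything that decrypts.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // the only copy of the file key is gone
		fileKey[i] = 0
	}
	return &EncryptedFile{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// DecryptFile is the step the ransom buys: the private key unwraps the per-file
// key, which then decrypts the contents. Any other private key fails the OAEP
// check, so neither the key nor the plaintext comes out.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: not the attacker's private key")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	attacker, _ := GenerateAttackerKeys()
	bystander, _ := GenerateAttackerKeys() // any other key pair, e.g. a recovery attempt
	doc := []byte("Q3 payroll export (constructed sample contents)")

	ef, _ := EncryptFile(&attacker.PublicKey, doc)
	if _, err := DecryptFile(bystander, ef); err != nil {
		fmt.Println("with another private key:", err)
	}
	pt, _ := DecryptFile(attacker, ef)
	fmt.Printf("with the attacker's private key: %q\n", pt)
}
```

The design point is the asymmetry: the victim's disk holds the public key, the ciphertext and the wrapped key, and none of those three yields the file key. This is also why "just analyse the sample" rarely helps unless the family botched its key handling (a reused key, a key left in memory, or a weak random source), which is what the public decryptors that do exist rely on.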
> [!warning] Paying is a double-edged sword: Payment doesn't guarantee the data comes back, and it marks the victim as someone willing to pay, making them a more attractive target for future attacks, including repeat visits from the same crew.
## Impact
- Operational shutdowns
- Financial losses
- Data loss
- Reputation damage
## Double extortion
> [!danger] Backups alone may not save you: Modern ransomware often uses **double extortion**: before encrypting, attackers exfiltrate sensitive data and threaten to leak it publicly if the ransom isn't paid. So even a victim with solid backups, who could restore everything, still faces pressure to pay just to avoid the leak.
## Defenses
The best defenses are prevention-focused:
- **Regular offline or immutable backups, with restores actually tested**, so encrypted files can be restored without paying. A backup target that stays mounted and writable from the network is just another share for the ransomware to encrypt.
- **Keeping systems and software updated**, especially internet-facing services, closing the known vulnerabilities attackers use to get in.
- **Employee training against phishing**, since that's the usual entry point, backed by multi-factor authentication on email and remote access so that a phished password alone isn't enough.
- **Network segmentation**, so one infected machine can't easily spread across the whole environment: restrict workstation-to-workstation SMB and RDP, and keep backup storage on its own tightly filtered segment.
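As an added example (not from the original page) of what a tested restore looks like in practice: the Go program below, using only the standard library, builds a hash manifest of a backup snapshot and later checks a restore against it, reporting files that are missing, stale, or overwritten with high-entropy data, the tell-tale of a backup that was itself encrypted before it was copied. The file names and contents, the manifest format, the `SampleData` helper and the 7.0 bits-per-byte threshold are constructed assumptions for this example.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math"
	"sort"
)

// Manifest maps a relative path to the SHA-256 of its contents, kept with the offline copy (constructed format).
type Manifest map[string]string

func fileHash(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// BuildManifest records a hash for every file in the snapshot (path -> contents).
func BuildManifest(files map[string][]byte) Manifest {
	m := make(Manifest, len(files))
	for path, data := range files {
		m[path] = fileHash(data)
	}
	return m
}

// Entropy is Shannon entropy in bits per byte (0..8): ciphertext sits near 8, plain text well below.
func Entropy(b []byte) float64 {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			h -= c / n * math.Log2(c/n)
		}
	}
	return h
}

// EncryptedThreshold (bits/byte) is a heuristic cut-off and an assumption for this example.
const EncryptedThreshold = 7.0

type RestoreReport struct {
	Missing    []string // in the manifest, absent from the restore
	Stale      []string // present, but contents differ from the manifest
	Suspicious []string // differ and high-entropy: the backup itself was encrypted
}

// VerifyRestore compares a restored snapshot against the manifest.
func VerifyRestore(m Manifest, restored map[string][]byte) RestoreReport {
	var r RestoreReport
	for path, want := range m {
		data, ok := restored[path]
		switch {
		case !ok:
			r.Missing = append(r.Missing, path)
		case fileHash(data) == want: // intact, nothing to report
		case Entropy(data) > EncryptedThreshold:
			r.Suspicious = append(r.Suspicious, path)
		default:
			r.Stale = append(r.Stale, path)
		}
	}
	sort.Strings(r.Missing)
	sort.Strings(r.Stale)
	sort.Strings(r.Suspicious)
	return r
}

// CiphertextLookalike yields deterministic high-entropy bytes (a SHA-256 chain),
// standing in for a file that ransomware had already encrypted when the backup ran.
func CiphertextLookalike(n int) []byte {
	out := make([]byte, 0, n+32)
	block := sha256.Sum256([]byte("constructed seed"))
	for len(out) < n {
		out = append(out, block[:]...)
		block = sha256.Sum256(block[:])
	}
	return out[:n]
}

// SampleData returns constructed backup and restore snapshots: one file intact, one
// an older copy, one encrypted before it was backed up, and one never restored.
func SampleData() (snapshot, restore map[string][]byte) {
	snapshot = map[string][]byte{
		"finance/q3.csv":     []byte("date,amount\n2024-07-01,100\n2024-07-02,250\n"),
		"hr/roster.txt":      []byte("alice\nbob\ncarol\n"),
		"docs/notes.txt":     []byte("rotate backup media quarterly; test a restore each time\n"),
		"legal/contract.txt": []byte("signed 2024-06-30\n"),
	}
	restore = map[string][]byte{
		"finance/q3.csv": snapshot["finance/q3.csv"],
		"hr/roster.txt":  []byte("alice\nbob\n"),
		"docs/notes.txt": CiphertextLookalike(4096),
	}
	return snapshot, restore
}

func main() {
	snapshot, restore := SampleData()
	r := VerifyRestore(BuildManifest(snapshot), restore)
	fmt.Printf("missing: %v\nstale: %v\nlooks encrypted: %v\n", r.Missing, r.Stale, r.Suspicious)
}
```

Two things matter in the design. The manifest must be written at backup time and stored with the offline copy, not recomputed from whatever the backup job later reads, otherwise an encrypted file hashes "correctly" against itself. And the entropy heuristic only separates a stale copy from a probably-encrypted one; it is a triage signal, not proof, so already-compressed formats (archives, media) need a higher threshold or a per-type rule.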
> [!tip] On paying the ransom: Law enforcement and most security agencies advise against paying. It funds the criminal ecosystem and doesn't guarantee recovery. The real win is making the attack survivable in advance, through backups and segmentation, so paying never becomes the only option.