Ransomware implements cryptoviral extortion, a three-step protocol between attacker and victim.
Cryptoviral Extortion
In step one, the attacker generates an asymmetric key pair, keeps the private key, and embeds the corresponding public key in the malware. The attacker then either releases the malware indiscriminately or targets a specific victim. This step runs from attacker to victim.
In step two, the malware runs on the victim's system; this is the step the attacker has to wait for, since the victim's machine does the work. The ransomware generates a random symmetric key, encrypts the victim's data with it, and then encrypts that symmetric key with the embedded public key.
This hybrid encryption yields a large symmetric ciphertext of the victim's data and a small asymmetric ciphertext, the wrapped symmetric key. To prevent local recovery, the malware zeroes the original plaintext and the symmetric key, so the only remaining copy of the key sits inside the asymmetric ciphertext, which only the attacker's private key can open.
The victim receives the ransom demand message that includes asymmetric ciphertext and payment instructions.
Finally, in step three, the attacker either does or does not receive the demanded payment. If paid, the attacker may decrypt the asymmetric ciphertext with the private key and return the symmetric key to the victim, who can then decrypt the data; or the attacker may keep the payment and return nothing. In other words, the victim may pay or not, and either way may not regain access to the data.
Because each infection generates its own random symmetric key, a key released to one victim is useless to any other. The attacker's private key, the only thing that can unwrap those symmetric keys, is never exposed to victims.
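The three steps above, carried out end to end on in-memory byte slices, as an added example that is not part of the original page or any real ransomware family. It uses Go's standard library only: AES-256-GCM for the bulk symmetric encryption and RSA-OAEP for wrapping the symmetric key. The names Attacker, Extortion, HybridEncrypt, Unwrap and Recover, and the two sample victim strings, are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Attacker holds the private half of the key pair generated in step one.
// The private key never leaves this struct; the malware gets only PublicKey().
type Attacker struct{ priv *rsa.PrivateKey }

func NewAttacker() (*Attacker, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Attacker{priv: priv}, nil
}

// PublicKey is the value embedded in the malware.
func (a *Attacker) PublicKey() *rsa.PublicKey { return &a.priv.PublicKey }

// Extortion is what the malware leaves on the victim's host: the bulk
// symmetric ciphertext plus the small asymmetric ciphertext (the wrapped key).
type Extortion struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over the victim's data
	WrappedKey []byte // RSA-OAEP over the random AES key; only priv opens it
}

// HybridEncrypt is step two, run on the victim's machine with nothing but the
// embedded public key.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*Extortion, error) {
	key := make([]byte, 32) // fresh random symmetric key per infection
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	// Zero the only local copy of the symmetric key; from here on it exists
	// solely inside WrappedKey, which only the attacker's private key opens.
	for i := range key {
		key[i] = 0
	}
	return &Extortion{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Unwrap is step three on the attacker's side: the victim sends WrappedKey
// (and the payment); the attacker may decrypt it with the private key and
// hand the symmetric key back. Nothing on the victim's host can do this.
func (a *Attacker) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, wrapped, nil)
}

// Recover is what the victim runs once (if) the symmetric key comes back.
// GCM authentication makes it fail cleanly with the wrong key.
func Recover(e *Extortion, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

func main() {
	attacker, err := NewAttacker()
	if err != nil {
		panic(err)
	}
	// Constructed sample data for two separate victims of the same campaign.
	e1, _ := HybridEncrypt(attacker.PublicKey(), []byte("victim one: payroll.xlsx"))
	e2, _ := HybridEncrypt(attacker.PublicKey(), []byte("victim two: photos.zip"))
	k1, _ := attacker.Unwrap(e1.WrappedKey)
	if pt, err := Recover(e1, k1); err == nil {
		fmt.Printf("victim one recovered: %q\n", pt)
	}
	// The key released to victim one is worthless against victim two's data.
	if _, err := Recover(e2, k1); err != nil {
		fmt.Println("victim two with victim one's key:", err)
	}
}
```

The two properties the text relies on fall out directly: HybridEncrypt needs only the public key, so the victim's host holds nothing that can reverse it once the key buffer is zeroed, and because every call draws a fresh symmetric key, Unwrap on one victim's WrappedKey yields a key that fails authentication on any other victim's ciphertext.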
Delivery of the Ransomware Payload
Social engineering is a common way to deploy ransomware, often as one stage of a multi-step attack. Attackers research potential targets, including through social media, to find weaknesses, and look for ways to gain the target's trust so they can deliver the ransomware and gain access to information.
Phishing emails are a common form of social engineering: they pressure the victim into opening an attachment or clicking a link by creating a sense of urgency. Typically the ransomware payload is delivered by a trojan of some kind (a malicious email attachment or an embedded phishing link) or by exploiting a vulnerable network service. Once the trojan runs on the system, it executes the payload.
The payload either locks the system or merely claims to, for example by displaying a fake warning about pirated media or illegal activity. Simpler payloads restrict or block the system until the victim pays: they may modify the partition table and/or master boot record so the OS no longer boots until the attacker repairs it, or set the Windows Shell (the Winlogon Shell registry value) to the malware itself so that its lock screen appears at logon instead of the desktop. More sophisticated payloads actually encrypt files using strong encryption, which is the cryptoviral extortion case described above.
Since payment is usually the attacker's goal, they need a digital payment channel that is convenient for victims and difficult for law enforcement agencies to trace. These have included premium-rate text messages, pre-paid voucher services such as paysafecard, wire transfers, and cryptocurrencies such as Bitcoin, which have quickly become the payment option of choice.