Ransomware is malware that employs encryption to hold a victim’s information for ransom. A user’s critical data is encrypted so that they cannot access their personal files, and a ransom is demanded in exchange for restoring access to those files.

Ransomware uses asymmetric encryption. This is cryptography that uses a pair of keys to encrypt and decrypt a file. The public-private key pair is uniquely generated by the attacker for the victim, with the private key needed to decrypt the files stored on the attacker’s server. The attacker makes the private key available to the victim only after the ransom is paid, though as seen in recent ransomware campaigns, that is not always the case. Without access to the private key, it is nearly impossible to decrypt the files that are being held for ransom.

Why is it so hard to find ransomware perpetrators?

Use of anonymous cryptocurrency for payment, such as bitcoin, makes it difficult to follow the money trail and track down criminals. Increasingly, cybercrime groups are devising ransomware schemes to make a quick profit. The easy availability of open-source code and drag-and-drop platforms for developing ransomware has accelerated the creation of new ransomware variants and helps scripting novices create their own ransomware. Typically, cutting-edge malware like ransomware is polymorphic by design, which allows cybercriminals to easily bypass traditional signature-based security that relies on file hashes.

How is ransomware distributed?

Many variations of ransomware exist. Often ransomware (and other malware) is distributed using email spam campaigns or through targeted attacks. Malware needs an attack vector to establish its presence on an endpoint. After presence is established, the malware stays on the system until its task is accomplished. After a successful exploit, ransomware drops and executes a malicious binary on the system. This binary then searches for and encrypts valuable files, such as Microsoft Word documents, images, databases, and so on. Once the files are encrypted, the ransomware prompts the user to pay a ransom within 24 to 48 hours to decrypt the files, or they will be lost forever. If a data backup is unavailable, the victim is faced with paying the ransom to recover personal files.
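The encryption step described above has a side effect a defender can look for: a file that has been rewritten as ciphertext is near-random (Shannon entropy close to 8 bits per byte) and no longer starts with the header its format normally carries. The following added example, which is not code from this page or from McAfee, is a small entropy-based check over constructed in-memory sample files; the magic-byte table exists to avoid flagging legitimately compressed formats such as .docx or .jpg, which are also high-entropy.

```python
import math
import random
from collections import Counter

# Headers of common formats that are legitimately high-entropy (compressed).
# A file that still starts with its expected header has probably not been rewritten.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def has_known_header(data: bytes) -> bool:
    return any(data.startswith(magic) for magic in KNOWN_MAGIC)

def looks_encrypted(data: bytes, threshold: float = 7.2) -> bool:
    """Flag only when content is near-random AND no recognisable header survives."""
    return shannon_entropy(data) >= threshold and not has_known_header(data)

def scan(files: dict) -> list:
    """files maps name -> content (bytes); returns the names that look encrypted."""
    return [name for name, data in files.items() if looks_encrypted(data)]

# Constructed sample "files" (in memory only; a deterministic PRNG stands in for ciphertext).
_rng = random.Random(7)
def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))

SAMPLE_FILES = {
    "notes.txt": b"Quarterly report: revenue grew in Q1 and costs fell slightly. " * 40,
    "report.docx": b"PK\x03\x04" + _random_bytes(4096),   # compressed, but header intact
    "photo.jpg.locked": _random_bytes(4096),              # header gone, near-random content
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:18} entropy={shannon_entropy(data):.2f} flagged={looks_encrypted(data)}")
    print("suspect:", scan(SAMPLE_FILES))
```

On a real endpoint this kind of check is a cheap canary, not a replacement for backups: it tells you that encryption has already happened, so it only shortens the time to notice.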


Why is ransomware spreading?

Ransomware attacks and their variants are rapidly evolving to counter preventive technologies for several reasons:

  • Easy availability of malware kits that can be used to create new malware samples on demand
  • Use of known good generic interpreters to create cross-platform ransomware (e.g., Ransom32 uses Node.js with a JavaScript payload)
  • Use of new techniques, such as encrypting the complete disk instead of selected files

Additionally, today’s thieves don’t even have to be tech savvy. Ransomware marketplaces have sprouted up online, offering malware strains for any would-be cybercrook and generating extra profit for the malware authors, who often ask for a cut in the ransom proceeds. This blog looks at innovations and trends in ransomware that are helping to fuel its spread.

What is ransomware-as-a-service?

Ransomware-as-a-service is a cybercrime economic model that allows malware developers to earn money for their creations without the need to distribute their threats. Non-technical criminals buy their wares and launch the infections, while paying the developers a percentage of their take. The developers run relatively few risks, and their customers do most of the work. Some instances of ransomware-as-a-service use subscriptions while others require registration to gain access to the ransomware. Read this blog to learn more about ransomware-as-a-service.

Recent ransomware research from McAfee Labs

McAfee threat researchers are continually looking at new ransomware variants. Some of the latest research can be found here:

How to defend against ransomware

Keep in mind that paying a ransom is no guarantee of receiving a decryption key. McAfee advises that you never pay a ransom. You can find further information and help on unlocking some ransomware threats at No More Ransom, an initiative that McAfee is a part of and that has a suite of tools to help you free your data, each tailored to a specific type of ransomware. If your device gets held for ransom, start by researching what type of ransomware it is. Then check out No More Ransom’s decryption tools and see if one is available for your specific strain of ransomware.

To help steer clear of ransomware, follow these tips:

  • Back up your data. The best way to avoid the threat of being locked out of your critical files is to ensure that you always have backup copies of them, preferably in the cloud and on an external hard drive. This way, if you do get a ransomware infection, you can wipe your computer or device and restore your files from backup. This protects your data, and you won’t be tempted to reward the malware authors by paying a ransom. Backups won’t prevent ransomware, but they can mitigate the risks.
  • Use security software and keep it up to date. Make sure all your computers and devices are protected with comprehensive security software, and keep all your software up to date. Update your devices’ software early and often, as patches for flaws are typically included in each update.
  • Practice safe surfing. Be careful where you click. Don’t respond to emails and text messages from people you don’t know, and only download applications from trusted sources. This is important since malware authors often use social engineering to try to get you to install dangerous files.
  • Only use secure networks. Avoid using public Wi-Fi networks, since many of them are not secure, and cybercriminals can snoop on your internet usage. Instead, consider installing a VPN, which provides you with a secure connection to the internet no matter where you go.
  • Stay informed. Keep current on the latest threats. This way you know what to look out for. Finally, in the case that you do get a ransomware infection and have not backed up all your files, know that some decryption tools are made available by tech companies to help victims.

The McAfee advantage

McAfee products leverage a number of technologies that help prevent ransomware. The following is a sampling of McAfee products that offer configurations designed to stop many types of ransomware.

  • McAfee Endpoint Security keeps .DAT files up to date and leverages McAfee Global Threat Intelligence (McAfee GTI), which contains millions of sensors that monitor for unique ransomware signatures.
  • McAfee Web Protection uses website reputations to prevent or warn users of websites where ransomware is distributed.
  • McAfee Threat Intelligence Exchange employs policy configuration that can identify and tag suspect processes.
  • McAfee Application Control offers a dual-layer defense of whitelisting technology and memory protection that can help prevent the execution of binaries coming from untrusted sources and block zero-day exploits.
