# Understanding Ransomware: Basics and Protection

**Source:** [https://www.youtube.com/watch?v=imNfrtvYYbw](https://www.youtube.com/watch?v=imNfrtvYYbw)
**Duration:** 00:12:48

## Summary

- Ransomware has surged in the news, affecting everything from pipelines to schools, and it threatens corporate networks and home PCs alike.
- Attackers exploit security vulnerabilities, usually ones that have been publicly known for months or years rather than zero-days, to plant code that sits dormant and later encrypts the victim's data while leaving the core operating-system files intact so the machine can still boot and display the ransom note.
- The motive is financial: the attacker demands payment, almost always in cryptocurrency, for a decryption tool, with no guarantee that the tool works or is ever delivered.
- Defenses discussed: keep network equipment and servers patched and check the systems you run against the CVE list, never use default passwords and prefer keys to passwords, air-gap anything that must run an old operating system, and keep backups that are regularly test-restored.
- A backup only helps if it predates the compromise; since the dormant code may have been planted weeks before it fired, you need to know when the intrusion happened or be able to find and remove the malicious code from the restored image.

## Sections

- [00:00:00](https://www.youtube.com/watch?v=imNfrtvYYbw&t=0s) **Understanding Ransomware Basics and Protection** - Bradley Knapp of IBM Cloud outlines what ransomware is, why it's dominating headlines, and how both corporate and home users can safeguard their systems against it.

## Full Transcript
Hello there, and thanks so much for clicking on the video today. My name is Bradley Knapp with IBM Cloud, and the question that we are here to answer today is a pretty basic one, but it's one that's very timely. It's been in the news a lot lately, and that question is: what is ransomware?

It's been in the news, right, between various attacks against things like the Colonial Pipeline, attacks against local governments, school systems, police departments, city halls, public schools. Ransomware is everywhere in the news, and the question of course is: what is this ransomware thing? What is it? How does it matter? How can I protect myself against it? This is a question that needs to be on the mind of every corporate IT employee in the world. Additionally, you need to worry about it for home machines too. Ransomware knows no boundaries. You are equally vulnerable to it on a home PC as a corporate intranet is on the internet.
So let's talk about first: what is it? At its most basic, the idea behind ransomware is you have a computer of some kind, right? And so we've got a computer, we've got a little monitor on it, we've got a little keyboard, right? We've got our keys on the keyboard, and our computer is humming along, right? We're doing our computer things, doing everything that we need to.

And in the operating system there are always going to be security vulnerabilities of various kinds. It's just inherent to computing. We are never going to find every bug; the best we can do is, as we find bugs, we fix them. But these security vulnerabilities can be exploited, right? There are large groups of malicious actors out there that are constantly scanning, looking at code, looking for these vulnerabilities, looking for the ability to access systems.

So when one of these vulnerabilities is discovered, what a malicious actor will do is they'll figure out, all right, first of all, is this protected against? If it's not protected against, how can I exploit this? How can I use it to make money? Because at the end of the day these malicious actors, most of them aren't doing it for fun; they're doing it to get paid. So what do they do? They take that vulnerability in your machine, and they're going to transmit some software over the internet into the machine, and that software is then going to sit dormant and idle until it gets executed. And so it may have a time delay of a day, a week, a month, whatever, but there will be some sort of a time delay between when the malicious actor accesses the machine and when that code executes.

Now, what happens when the code executes? The answer is that code is going to encrypt a very large proportion of the files on the machine. Now, what is it not going to encrypt? It doesn't encrypt the core operating system files, because if it does, the second part won't work. So it's going to encrypt all of the data that's not necessary to boot the machine up and get it running. So if it's a Windows machine, it's going to encrypt everything that's not in the Windows directory. It's going to encrypt all of the games, all the spreadsheets, all of the files, all of the pictures, all of the everything on that machine.

And then it's going to pop something up on the screen that's going to say: you've been hacked, you've been owned, your machine is compromised, and the only way to get your data back is to pay a ransom. That's the "ransom" part of ransomware, paid to the malicious actor that has encrypted your machine. That ransom is almost always paid via a cryptocurrency of some kind that has to be transferred to the attacker's wallet.
And so what I've just described is how it works on a consumer-grade machine, but frankly, everyone, it's exactly the same thing on a server or on a fleet of servers. So again, malicious actors scanning for code vulnerabilities, they're looking for problems. The difference being, since it's not a consumer-level machine, they're in servers themselves, so they're first looking for holes in your network security, and then once they can get around your network, or if they find machines that are exposed directly to the public internet, then they're scanning for vulnerabilities on the machines themselves. Again, they're looking for that exploit that nobody knows about. But let's be very honest here: the incidence of attacks using a zero-day or a previously unknown exploit is actually really, really, really small. The vast majority of these malicious actors are not using zero-day exploits. They're using exploits that have been known; sometimes they're exploits that have been known for months or years. And so we're going to talk about remediation over here. Keep this point in mind, because it's a very important one.

But back to our compromised system. So we're over here, we've got, you know, one or two or ten or fifteen different servers. The servers have been compromised, the malicious actor has spread through the network, he's gotten access to a number of servers in it, he's installed the ransomware, and the only way to get any of that data back again is to pay the ransom. You have to pay the guy in hopes that he will send you the decryption tool that you need in order to get your data back. Now, as to whether or not you pay the ransom, no one can answer that question for you. Hopefully you have sufficiently prepared yourself that you never experience this to begin with, but if you do experience it, only you can answer the question: do I pay this ransom or not?
Now, there are ways to avoid it, and that's what we're going to talk about next. So, you have been owned, worst-case scenario. Now let's get into how do we keep ourselves safe.

All right, so in order to avoid letting those malicious actors, letting those hackers, get access to your system, the first and most important thing you can do is have good network policies. It all comes down to the network. This includes both your home network and any kind of an enterprise or commercial network. If your network is properly set up, it is configured, if you are regularly installing all of the patches and all of the firmware upgrades in order to keep your network equipment up and running safely, that is your first line of defense against any kind of a malicious actor getting into your machine.

Second line of defense: once you get to the physical machine itself. So let's get to our, you know, server here. You must follow proper security protocols and practices to secure your servers. This is so, so, so important, and this goes beyond just user access control, although obviously user access control is incredibly important. Please don't ever use default passwords for anything. Please always use secure passwords if you must use a password. Use keys if at all possible; a key management system is superior to a user password in every possible manner.

In addition to using keys, you must keep your machines updated. Software patches, hardware firmware patches are constantly being released. They are protecting you against these malicious vulnerabilities, and like we talked about a minute ago, the majority of these bad actors are using exploits that have been known for a while. If you are on the enterprise side, if you are not regularly checking the CVE list for vulnerabilities in the systems you run on a regular basis, you have got to add that to your best practice. You've got to do it on a regular basis. If you don't have the time or the money or the staff to do it on your own, please engage with a vendor that is going to constantly be checking your systems, all of the operating systems and as much of the software as you run, against that CVE list. You have to be checking it and you have to be getting things updated. Just because it's annoying to take some downtime to update firmware and update software on those servers doesn't mean you can ignore it. Don't put it off. You have to keep these things modern and current. Don't run old versions of operating systems, and if you absolutely have to run an old version of an operating system, air-gap the system. Make it impossible to access that system from the public internet. It is not safe to leave old Windows machines connected to the public internet. They will be compromised; there's just no other way around it. So please use modern hardware, use modern software, keep all of your security patches and your firmware patches up to date.
Next piece. Let's assume that you have a malicious actor that's a little better than most, and they have found a zero-day vulnerability, a previously undisclosed vulnerability, one that's not yet on the CVE list. And this is one of the more interesting topics: you must back up your machines.

Now, backup and restore is not the most fun thing to do on the planet. As a matter of fact, there's nothing fun about it. But if you are not regularly testing your backups for your ability to restore from them, you don't have a backup strategy. You must test those backups all the time. Once a year is not often enough. These backups are your only way to get back up and running if you've been compromised. It's the only way you're going to get back up without having to pay a ransom. If you're a home user, the backups are how you're going to get your photos back. That's, I mean, just frankly, you're going to lose whatever has been compromised whether or not you pay that ransom, in many cases, because the decryption tool may not work, or this particular malicious actor may not care; they may just take the money and run. They have no obligation to provide you with what you've paid for. Again, they're criminals; this is how they get started in the first place.

So have a backup strategy, have a restore strategy, have a good network map of all of your systems and their interconnections, because if somebody can compromise one server, they can probably compromise multiples. And so let's imagine here our enterprise network, right? So we've got server one here, and we've got, you know, an Active Directory server over here, and we've got servers, you know, three, four, five, six, seven, whatever, so on and so forth. Everything is all interconnected, right? Active Directory is going to get all of the controls. Let's say that the server that gets compromised is your Active Directory server. This is kind of like worst-case-scenario stuff here. Once they're into your Active Directory server, if they can get some credentials, they can start getting into everything else that you have running in your environment. They're going to compromise everything.

And so once they have compromised it, once they have encrypted everything, they've sent you their ransom message, you then have to make the decision: all right, are we going to try to restore from a backup? Well, remember at the beginning when I said that the malicious actor, they were going to install code but they weren't going to trigger it yet? Do you know when you were compromised? Because you have to restore to a backup that exists before you were compromised. Because if you restore a backup, your backup strategy is great, you've got good system images, you can bring everything back from a backup from last week, but oh wait, you were compromised six weeks ago. All you're going to do is you're going to restore good backup copies that still have the malicious code in them. And if that's the case, do you have the ability to find that malicious code and eliminate it before it activates itself again? Otherwise you're going to find yourself in exactly the same spot: no access to systems, no ability to process workloads, no ability to run applications. You are down.
So that is what ransomware is. These are some ways to protect against it. Please, please, please, I implore you: learn about ransomware, learn how to protect yourself against it. Engage companies that have expertise, you know, folks that know a lot about the CVE list, folks that know a lot about network security, that know about secure server security. Engage with your operating system vendors to be sure that you're on a regular patch and maintenance cycle, to be sure that you are protecting yourself against these kinds of attacks.

Hopefully you found the information today valuable. If you have any questions, please feel free to leave them in the comments, and we'll talk to you later.

Thank you so much for stopping by the channel today. If you have any questions or comments, please feel free to share them with us below. If you enjoyed this video and you would like to see more like it in the future, please do like the video and subscribe to us so that we'll know to keep creating for you.
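The video describes the payload's behaviour in some detail: one process rewrites nearly every user file with encrypted content, leaves the Windows directory alone so the machine still boots, and then drops a note. The following is an added example (editor's code, not from the video or IBM) that turns that description into detection logic and runs it over a constructed stream of file-write events. Every process name, path and file content is made up; `update_helper.exe` is a placeholder, not a real binary, and `pseudo_ciphertext` is a SHA-256 chain standing in for encrypted output, not real encryption.

```python
"""Detect ransomware-style mass encryption from file-write events.

Added example; not code from the video. The event stream, process names, paths
and file contents are constructed; "update_helper.exe" is a made-up name, not a
real binary. The detector looks for the behaviour the video describes: one
process rewriting many user files with high-entropy (encrypted-looking) content
in a short window, leaving the OS directories alone, and dropping a ransom note.
A legitimate archiver producing a few compressed files is included to show why
the file-count threshold matters.
"""
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EXCLUDED_PREFIXES = ("C:/Windows/", "C:/Program Files/")  # OS files the payload skips so the note can still display
ENTROPY_THRESHOLD = 7.0    # bits per byte; encrypted or compressed data sits near 8, documents well below
MIN_FILES = 10             # distinct high-entropy rewrites inside WINDOW needed to alert
WINDOW = timedelta(seconds=60)


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed: str, length: int = 1024) -> bytes:
    """Deterministic stand-in for encrypted output: a SHA-256 chain. Constructed, not real encryption."""
    out, block = b"", seed.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def is_ransom_note(path: str) -> bool:
    name = path.rsplit("/", 1)[-1].upper()
    return "DECRYPT" in name or "RANSOM" in name


def detect_mass_encryption(events):
    """events: iterable of (timestamp, process, path, content_bytes).
    Returns {process: {"files_in_window": n, "ransom_notes": [...]}} for every
    process that rewrote >= MIN_FILES distinct non-OS files with high-entropy
    content within WINDOW."""
    by_proc = defaultdict(list)
    for ts, proc, path, content in events:
        if path.startswith(EXCLUDED_PREFIXES):
            continue
        by_proc[proc].append((ts, path, content))

    alerts = {}
    for proc, writes in by_proc.items():
        writes.sort(key=lambda w: w[0])
        high = [(ts, path) for ts, path, content in writes
                if shannon_entropy(content) >= ENTROPY_THRESHOLD]
        # sliding window: most distinct high-entropy files rewritten within WINDOW
        best, start = 0, 0
        for end in range(len(high)):
            while high[end][0] - high[start][0] > WINDOW:
                start += 1
            best = max(best, len({p for _, p in high[start:end + 1]}))
        if best >= MIN_FILES:
            alerts[proc] = {
                "files_in_window": best,
                "ransom_notes": sorted({p for _, p, _ in writes if is_ransom_note(p)}),
            }
    return alerts


def build_events():
    """Constructed sample: normal editing, a small archiving job, and one mass-encryption burst."""
    t = datetime(2021, 6, 15, 9, 0, 0)
    text = b"Minutes from the planning meeting: action items, owners, and due dates. " * 8
    events = []
    for i in range(3):   # normal document saves: low entropy, few files
        events.append((t + timedelta(minutes=i), "word.exe", f"C:/Users/alice/Documents/notes{i}.docx", text))
    for i in range(5):   # backup archiver: high entropy but well under MIN_FILES
        events.append((t + timedelta(seconds=i), "archiver.exe", f"D:/backups/part{i}.7z", pseudo_ciphertext(f"arch{i}")))
    for i in range(25):  # the payload firing: 25 user files rewritten in 25 seconds
        events.append((t + timedelta(minutes=5, seconds=i), "update_helper.exe",
                       f"C:/Users/alice/Pictures/img{i}.jpg.locked", pseudo_ciphertext(f"enc{i}")))
    # the payload skips the OS directory (ignored by the detector) and drops its note
    events.append((t + timedelta(minutes=5, seconds=30), "update_helper.exe",
                   "C:/Windows/System32/drivers/x.sys", pseudo_ciphertext("sys")))
    events.append((t + timedelta(minutes=5, seconds=31), "update_helper.exe",
                   "C:/Users/alice/Desktop/HOW_TO_DECRYPT.txt", b"Your files are encrypted. Pay to get them back."))
    return events


EVENTS = build_events()

if __name__ == "__main__":
    for proc, info in detect_mass_encryption(EVENTS).items():
        print(f"ALERT {proc}: {info['files_in_window']} files encrypted in {WINDOW.seconds}s, notes: {info['ransom_notes']}")
```

Only `update_helper.exe` is flagged: the archiver's five compressed outputs are just as high-entropy but fall under the count threshold, and the write under `C:/Windows/` is dropped before counting because it is exactly the region the video says the payload avoids. On a real endpoint the events would come from a file-activity telemetry source rather than a list, and the thresholds would be tuned against a baseline of the host's normal write rate.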
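The talk's point that most intrusions use vulnerabilities that have been public for months or years, and that you must regularly check the systems you run against the CVE list, comes down to a simple join between an inventory and a feed. The block below is an added example (editor's code, not from the video or IBM) of that join. The hosts, products, versions and CVE identifiers are all constructed placeholders; the `CVE-0000-...` ids are not real CVEs. The start/end version bounds on each entry mirror the shape of NVD's CPE match data, but the feed itself is made up, and in practice you would load the real feed from NVD or your vendor.

```python
"""Match a host inventory against a CVE feed to find known, unpatched exposures.

Added example; not code from the video. All hosts, products, versions and CVE
identifiers below are constructed placeholders (the "CVE-0000-..." ids are not
real CVEs). The per-entry fields mirror the start/end version bounds NVD
publishes with its CPE match data, but the feed itself is made up.
"""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """'2.4.1p3' -> (2, 4, 1, 3), zero-padded so '2.4' and '2.4.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


@dataclass
class CveEntry:
    cve_id: str
    product: str
    severity: str
    start_including: Optional[str] = None   # first affected version (None = from the beginning)
    end_excluding: Optional[str] = None     # first fixed version (None = no fix published)


@dataclass
class Host:
    name: str
    internet_exposed: bool   # reachable from the public internet: the video's highest-risk case
    software: dict           # product -> installed version string


def is_affected(version: str, entry: CveEntry) -> bool:
    v = parse_version(version)
    if entry.start_including is not None and v < parse_version(entry.start_including):
        return False
    if entry.end_excluding is not None and v >= parse_version(entry.end_excluding):
        return False
    return True


SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def find_exposures(hosts, feed):
    """One finding per (host, product, CVE) whose installed version is inside the
    affected range; internet-exposed hosts and higher severities sort first."""
    findings = []
    for host in hosts:
        for product, version in host.software.items():
            for entry in feed:
                if entry.product == product and is_affected(version, entry):
                    findings.append({
                        "host": host.name,
                        "internet_exposed": host.internet_exposed,
                        "product": product,
                        "installed": version,
                        "fixed_in": entry.end_excluding,
                        "cve_id": entry.cve_id,
                        "severity": entry.severity,
                    })
    findings.sort(key=lambda f: (not f["internet_exposed"],
                                 SEVERITY_RANK.get(f["severity"], 9), f["host"], f["cve_id"]))
    return findings


# Constructed feed and inventory (placeholder products and CVE ids).
FEED = [
    CveEntry("CVE-0000-0001", "acme-agent", "HIGH", end_excluding="8.9"),
    CveEntry("CVE-0000-0002", "exampled", "CRITICAL", start_including="2.0", end_excluding="2.4.1"),
    CveEntry("CVE-0000-0003", "legacyd", "MEDIUM"),   # no fix published: only mitigation is isolation
]

HOSTS = [
    Host("web-01", True, {"acme-agent": "8.4p1", "exampled": "2.3"}),
    Host("db-01", False, {"acme-agent": "9.3p1", "exampled": "2.4.1"}),
    Host("legacy-01", True, {"exampled": "1.9", "legacyd": "1.0"}),
]

if __name__ == "__main__":
    for f in find_exposures(HOSTS, FEED):
        where = "INTERNET-EXPOSED" if f["internet_exposed"] else "internal"
        fix = f"upgrade to {f['fixed_in']}" if f["fixed_in"] else "no fix: air-gap or retire"
        print(f"{f['host']:10} {where:17} {f['product']} {f['installed']} -> {f['cve_id']} [{f['severity']}] {fix}")
```

The ordering encodes the video's priorities: an exposed host with a critical, long-fixed flaw is the first thing to patch, and an entry with no fixed version at all maps to the speaker's advice for old systems, which is to take them off the public internet rather than wait. Running this on a schedule against the current feed is the "regularly checking the CVE list" practice the talk asks for.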
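The restore discussion at the end of the talk raises two requirements that are easy to state and easy to skip: the backup must actually restore (test it, not once a year), and it must predate the intrusion, or you restore the dormant payload along with your data. The block below is an added example (editor's code, not from the video or IBM) of a restore-point selection that enforces both. The snapshots, file contents, dates and indicator hash are constructed; in practice the manifest hashes would come from your backup tool and the indicators from the incident investigation.

```python
"""Pick a restore point that predates the compromise and prove it restores cleanly.

Added example; not code from the video. Snapshots, file contents, dates and the
indicator hash are all constructed. A snapshot carries a manifest of SHA-256
hashes written at backup time; verify_restore() re-hashes the stored data the
way a test restore would, and the restore-point search skips anything taken at
or after the compromise time or containing a known indicator of the dropper.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    files: dict      # path -> bytes actually held in the backup
    manifest: dict   # path -> sha256 recorded when the backup was written


def make_snapshot(taken_at, files, bit_rot=None):
    """Build a snapshot; bit_rot names one file whose stored copy is damaged after the manifest was written."""
    manifest = {p: sha256(c) for p, c in files.items()}
    stored = dict(files)
    if bit_rot is not None:
        stored[bit_rot] = stored[bit_rot] + b"\x00"   # constructed corruption
    return Snapshot(taken_at, stored, manifest)


def verify_restore(snap):
    """Paths whose restored bytes would not match the manifest (empty list = restore test passed)."""
    return sorted(p for p, h in snap.manifest.items()
                  if p not in snap.files or sha256(snap.files[p]) != h)


def indicators_present(snap, ioc_hashes):
    """Paths in the snapshot whose content hash is a known indicator of the planted code."""
    return sorted(p for p, c in snap.files.items() if sha256(c) in ioc_hashes)


def select_restore_point(snapshots, compromised_at, ioc_hashes):
    """Newest snapshot taken strictly before compromised_at that passes the restore
    test and carries no known indicator. Returns None when nothing qualifies, and
    refuses to guess when the compromise time is unknown."""
    if compromised_at is None:
        return None
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        if snap.taken_at >= compromised_at:
            continue
        if verify_restore(snap) or indicators_present(snap, ioc_hashes):
            continue
        return snap
    return None


# ---- constructed data: weekly snapshots, dropper planted between week 3 and week 4 ----
T0 = datetime(2021, 6, 1)
DROPPER = b"constructed placeholder for the dormant payload"
IOCS = {sha256(DROPPER)}
COMPROMISED_AT = T0 + timedelta(days=24)
DROPPER_PATH = "C:/Users/alice/AppData/Roaming/updater.exe"

BASE_FILES = {
    "C:/Users/alice/Documents/plan.docx": b"quarterly plan v1",
    "D:/finance/q2.xlsx": b"ledger rows",
}


def build_snapshots():
    snaps = []
    for week in range(6):
        files = dict(BASE_FILES)
        files["C:/Users/alice/Documents/plan.docx"] += b" rev%d" % week
        if T0 + timedelta(weeks=week) >= COMPROMISED_AT:
            files[DROPPER_PATH] = DROPPER              # present in every backup after the intrusion
        rot = "D:/finance/q2.xlsx" if week == 3 else None   # the obvious candidate fails its restore test
        snaps.append(make_snapshot(T0 + timedelta(weeks=week), files, bit_rot=rot))
    return snaps


SNAPSHOTS = build_snapshots()

if __name__ == "__main__":
    latest = max(SNAPSHOTS, key=lambda s: s.taken_at)
    print("latest backup carries:", indicators_present(latest, IOCS))
    chosen = select_restore_point(SNAPSHOTS, COMPROMISED_AT, IOCS)
    print("restore from:", chosen.taken_at.date() if chosen else None)
```

Restoring "last week's" image (week 5) would bring `updater.exe` straight back, which is the trap the speaker describes. The first pre-compromise candidate (week 3) is rejected because its stored copy no longer matches its own manifest, which is exactly what a periodic test restore would have caught; the selector therefore lands on week 2. Note that the function returns nothing when the compromise time is unknown: without that date, or without indicators to search for, there is no basis for calling any image clean.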