Cybersecurity in Plain English: How Does Ransomware Work?

I get a lot of great questions from people in all different areas of business, but one comes up more than most: “How does ransomware even work?” Granted, we know what the goal of ransomware is – to get paid to unlock files that are locked down by a threat actor – but how does it operate, function, do what it does? Let’s dive into this topic.

Ransomware is a generic term to refer to any cyber attack where data is encrypted in order to make it unusable to a person or organization until a payment to the threat actor is made. Because locking up the data by encrypting it renders most businesses partially or totally unable to conduct business, it is a devastatingly effective form of attack, and a preferred method of threat activity these days. How it does what it does, however, is a bit more complicated; as the methods and scope of ransomware have changed over the 20-plus years we’ve been dealing with it as a security community.

Modern ransomware can be broken down into two broad categories: Single-extortion ransomware that just locks the data down, and double-extortion ransomware that also steals a copy of all the impacted data before locking it down. Each has evolved to reduce the ability of an organization to recover from backup or otherwise fix things without having to pay the threat actor, but each category is equally popular among criminal groups. 

Single-extortion ransomware works by first gaining access to a desktop, laptop, or server. This can be through one of many initial access methods, but the more commonly used techniques these days are subterfuge and exploiting a vulnerability. See the previous post at for more info on initial access. Subterfuge includes things like tricking a user into visiting a booby-trapped website, hiding malware in what appears to be a valid software application, or otherwise getting a user (or automated system) to install the threat actor’s software on a machine/virtual machine, etc. Exploitation of a vulnerability requires less (or no) interaction by a user, but rather tricks/forces an application or platform into doing something malicious by taking advantage of a weakness in the software or hardware itself. Note that threat actors are aware that anti-malware exists, and so will attempt to hide what they are doing for as long as possible and avoid triggering the anti-malware whenever possible (see dwell time below). This is referred to as “evasion,” and there are many different techniques that are used to different levels of effectiveness, depending on what anti-malware defenses are in place.  

Once they have the first device compromised, the threat actor then will typically attempt to spread their influence to as many other machines as possible (referred to as “propagation”). Since most organizational systems now use some form of Endpoint Detection and Response (an advanced type of anti-malware system), this has to be done carefully and cautiously to evade tripping detection and defensive systems. In fact, a threat actor can take weeks or even months just moving around a victim network in search of more devices and systems to take control of before they do anything like encrypting data. This is most commonly referred to as “dwell time,” with the average being about 10 days in 2023 but many sticking around for far longer to gain control of more systems. It isn’t uncommon to see dwell times stretching into months as double-extortion attacks become more common.

More commonly these days, threat actors will also attempt to disable backup solutions and try to weaken or disable anti-malware solutions as they go. This allows them to spread further, and to ensure that once they do spring the trap, the organization won’t have recent backups to restore from. Both actions make it more likely that the victim organization will pay to have their data unencrypted. Remember that ransomware is a business – a criminal business, but still a business – so the more likely a victim is to make a payment, the more money the criminal business generates. Additionally, many modern threat-actors will install back-door systems which will allow them to re-enter the organization’s systems if the organization does choose not to pay – so that the threat actor can re-encrypt over and over until they get money. 

Once the threat actor has gotten onto as many systems as possible and made sure things like backups have been rendered useless, then single-extortion ransomware enters its final stage. Some, most, or all of the data on each infected machine is encrypted using a key only known to the threat actor. Without going into too much detail here, threat actors use a theory known as asymmetrical encryption – meaning that the key that encrypts the data cannot be used to decrypt it. So even if the organization captures the encryption key, it won’t be useful in getting back to business. Once done, the threat actor either displays a message on the infected systems and/or directly contacts the organization to demand a ransom in exchange for the decryption key; and the attack is then finished.

For double-extortion ransomware, the game changes a bit. While all of the above steps still happen, there is another step added in between the propagation phase – where the threat actor tries to compromise as many systems as possible without being caught – and the encryption phase. As they move across the organization’s systems, the double-extortion ransomware threat actor begins stealing a copy of the data that they discover. There are many methods for performing this step, but the most common involve sending a copy of each file to cloud storage that the threat actor has access to. Many have asked why cloud providers don’t prohibit this activity and stop double-extortion ransomware, and the answer to that question will be in an upcoming article, but suffice it to say that currently; they really can’t police this type of data transfer in order to stop it. Data exfiltration can occur quickly, or very quietly – with different threat actors preferring different techniques in a trade-off between getting everything fast or evading defenses but taking longer to get the job done. 

This dataset is held until after the threat actor encrypts the original data on the organization’s systems, and the data theft can go on for as long as the threat actor is able to dwell within the organization. This means that not only can all current data be stolen, but any new data can also be siphoned off and stolen as the attack progresses. With dwell times adding up to potentially months, this can mean a great deal of current data can be stolen as it is created and modified by employees. 

Once the trap is sprung and the original data is encrypted, the threat actor now has two threats they can use to extort a payout from the victim organization. First, they will offer the decryption key in much the same way as with single-extortion ransomware. Secondly, they offer to destroy their copy of the data if the ransom is paid; but threaten to release that data to the general public if the ransom is not payed. So, even if an organization can recover without paying the ransom, they still must contend with the fact that highly privileged data could be released to the outside world unless they pay. For organizations like law firms, healthcare companies, payment processors, and other organizations that hold extremely privileged information, such public release of the info could be devastating and even trigger massive regulatory fines and penalties. Even a business that writes off the encrypted data as a loss may not be able to weather all of that data becoming public knowledge to anyone who wishes to view it. The hit to customer trust, regulatory fines, impact to stock prices, loss of investors, and other factors make such a release of data something many companies cannot withstand without going out of business. 

Some ransomware threat actors have even taken things a step further with so-called triple-extortion attacks. The data itself is encrypted, the stolen data is threatened to be released to the general public, and the threat actor also threatens persons and companies that appear in the data to try to get them to pay in addition to the company the data came from. For example, if a ransomware actor compromises a hospital, the data on the hospital data-systems is encrypted, a the threat actor threatens to release the copy of that data which they hold to the general public, and the threat actor reaches out to individual patients and demands that they also pay money to keep their own data that was in the stolen data-set from becoming public. This maximizes the payout the threat actor can get, and makes it even more likely that the original victim organization (the hospital in this scenario) will pay them to make the whole problem go away. 

Many have asked me if they should pay the ransom. While I can’t speak to every situation that ransomware can create, my overall recommendation is not to pay if there is any other way to get back to business. Paying the ransom has several negative effects: First, you’re giving money to one or more people who admit they are criminals. There’s no guarantee that they’ll do what they say they’ll do if you pay them, and they may have back-door access to continue harming your organization even if they do give you the decryption keys. There’s also no way to validate that they deleted their stolen copy of the data, and in fact law enforcement was able to find supposedly deleted data on threat actor systems they took control of in raids and shutdowns []. Second, every time the threat actor is paid, it encourages more threat actors to get into the ransomware business to make money. Third, depending on who the threat actor is and where you are, it might be against the law to send money to the threat actor at all and therefore expose your organization to even more regulatory and/or legal issues. Some information on this for US companies can be found here: . While there are some cases where paying the threat actor is the only way to resolve the situation, every organization should think long and hard about the repercussions to their own business and to the greater business world if they do so. 

Ransomware is an insidious threat that is growing every day. With double- and triple-extortion techniques growing in popularity, even the ability to recover without paying the ransom doesn’t remove the threat that the criminals can hold over an organization and its customers. That being said, it is not all doom and gloom. By keeping software updated, not interacting with links in emails or attachments that come in with them, and practicing basic online hygiene; users can thwart a large number of ransomware attacks. Exploitation of weaknesses in software will still be a problem, and organization must address these by utilizing additional security controls to compensate for the weakness, but effective strategies do exist for minimizing the potential to be struck by ransomware. Together, we can make it less lucrative for a threat actor to use ransomware, causing their business models to break and making the net a safer place. 

Cybersecurity in Plain English: IAM What?

A reader recently asked, “What is IAM and why is it important?” This is a bit of a complex question, but we can definitely dive into some of the higher-level concepts and details to de-mystify Identity and Access Management (IAM).

IAM is simply the series of technologies that control who is allowed to access what on your corporate systems. The complexity comes about because – while the idea is simple – the actual implementation of IAM is one of the most complex operations that many companies will ever undertake. The reason is straight-forward, humans are not generally logical and orderly beings. Because of that, systems which enable humans to do their jobs also tend to be complicated and intertwined, meaning making sure only the right people have access to the right systems and data is often difficult at best. So, let’s have a look at the basic ideas behind IAM and what they do.

First, the Principle of Least Access is the starting ground for any IAM solution set. As its name would imply, this principle says that each user should be first given the absolute minimum amount of access to systems and applications, regardless of any other factor. When a user needs access to something more, they get it quickly and efficiently, but they only get the bare minimum access to that “something more” and no more than that. As an example, a new user needs access to things like file servers, email, and some applications. This access would be very specifically defined, giving them access to just the folders on the file server they require; for example. They get an email box, but don’t get access to shared mailboxes automatically. They get read-only access to applications, not full access. Then, based on the needs of the user and the approvals of management, the user can request and gain additional access as and when required. While this process can be cumbersome – especially when a user is first starting with an organization – it also avoids over-provisioning access that later must be pulled back. Provisioning and de-provisioning solutions can greatly aid with this process, allowing IT teams to quickly add and remove access as needed with a minimum of manual steps. Note that de-provisioning is as critical as provisioning. When an employee changes roles or leaves the organization, or when an application is reconfigured or replaced, access must also be updated to maintain the principle in action; ensuring users have the access they need but no more. 

Second, one source of truth per organization. While it is very possible for every application and site to have their own identity data store, that is a recipe for disaster as a company grows and evolves. Instead, a single source of truth for identity – like Microsoft’s Active Directory or a similar solution – allows for much tighter and effective control over identity and access. Each application would then use that single source to confirm the identity of the person logging in and what they’re allowed to have access to. The most common form of this idea in organizations today is Single Sign-On (SSO) – where you go to log in to an application (like SalesForce) and see your browser re-direct to your company login page. SalesForce is checking with your company’s single source of identity truth, instead of keeping its own database of users within the app. This is a bit of an oversimplification, as the methods and technologies used to do SSO are complex, but the basic theory of using one source of truth to identify users is the goal.

Third, the concept of zero trust. Zero trust has become a bit of a buzzword in the cybersecurity industry of late, but the actual operational methodology is extremely valuable. Zero trust says that whenever a user, systems, application, etc. attempts to access anything; they/it must prove that they are who they are and must have been granted access for that specific operation. This means that even if the user had been logged into an application already, their identity would still be challenged if they attempted to access other areas of the application. A system talking to another system might have to pass an authentication challenge if it tried to access data in another database. This is significantly different than traditional access methods which say that a user who can use an application has all of their access rights “pre-cached” and ready to go. The reason for zero trust is that a user’s device (or a data system itself) could be used in a way that is not appropriate – either because the user is attempting to do something they shouldn’t on purpose or by accident, or because the device has been compromised by a threat actor. This could easily result in access to data and systems that shouldn’t be accessible, or where access has been removed, but that removal hasn’t yet filtered down to the application in question. In short, zero trust gets its name from the fact that a user – even a user who already logged into something – isn’t trusted as they move around applications and systems. They must pass identity checks (which often happen invisibly to the actual user) to gain access to additional resources. 

Identity and Access Management attempts to implement all these theories and more, and so can be a complicated strategy for any organization to undertake. By giving users access to only what they require, forcing all applications and systems to use a single source of identity truth, and ensuring that access requests are dynamic and not static; organizations can begin to tame the beast that is IAM without keeping users and systems from effectively doing their jobs. 

Cybersecurity in Plain English: What is a Firewall?

A reader recently asked, “What is a firewall? How does it work, and what is it doing?” Both good questions, so let’s dig in and uncover what this critical network defense system does.

Most of us that have owned a car know that in an automobile, the firewall is the heavy metal panel that sits between the passenger compartment and the engine. Since the engine (in gas-powered and hybrid vehicles) works by exploding petroleum products, the chance that something could cause a fire is not insignificant. Especially in a crash or after taking damage from other sources, engine fires could pose a huge threat to anyone in the car itself. Therefore, the physical firewall does exactly what it says on the tin – it serves as a barrier between a fire in the engine compartment and everyone sitting in the passenger compartment. Physical firewalls are not uncommon in many other areas, such as in boats, different types of home/office areas, etc.

Digital firewalls are one of those things in cybersecurity that sound incredibly confusing, but the basic functions are actually straightforward. While there are advanced firewall platforms which do a ton of additional things, the primary function of a firewall is to control what comes into and goes out of a network. In essence, it serves the same function as the physical firewall – it keeps something burning through the Internet from getting in to your controlled networks at home or in the office. It does this by looking at the traffic that is being moved into and out of the network itself, trying to find systems and patterns that just don’t belong there and blocking them from entering. The firewall also acts as a boundary to keep internal traffic from going out across the Internet as well, so that network information doesn’t leak. Note that we’re not talking about keeping confidential data from getting stolen here – the firewall deals with network traffic and cannot, alone, stop someone from sending a file outside the org if they’re sending it to a non-malicious target like Dropbox or OneDrive. 


One bit of clarification before we move on: Commercial firewalls are designed to be used in corporate networks and are capable of seeing and filtering massive amounts of information – up to several gigabytes of data per second or more. They also can optionally have many of the advanced features that the rest of this post will describe. Home firewalls are significantly more limited, both in the speed of data they can process and in the features that are available. Your home firewall (most likely built into the router/modem you got from your cable provider or phone company) can cover the basics described below, but most likely can’t process more than one gigabyte of data per second or handle IDS/IPS and other advanced feature-sets. 


Most of this blocking activity is based on allow and block lists that are updated regularly within the firewall itself. Most commercial (and some home) firewalls come with subscriptions to threat intelligence feeds that provide them with constantly-updated lists of known malicious websites, IP addresses, and known malware file signatures to help make sure that any inbound our outbound traffic isn’t coming from/going to somewhere that is known to be a threat to the org. Most commercial and home firewalls can block traffic that doesn’t conform to known-safe patterns as well, such as when an application attempts to reach out over a weird port and/or some external website or app tries to communicate to your computer without your computer first communicating with that site or app. 

Threat actors haven’t ignored how firewalls act, though, and have begun to take steps to overcome the protection a basic firewall can provide. For example, since most websites now use the more secure “HHTPS” protocol instead of the plainly visible HTTP, threat actors have started to also use HTTPS communication for their malicious actions. As HTTPS transmissions are encrypted, it’s very difficult – if not impossible – for a basic firewall to see if the communication is moving malicious files or performing other forms of bad behavior. While it is still possible to block connections by port or by originating site/URL, the firewall can no longer see the traffic itself, and therefore loses some important functionality. So, how do firewalls evolve to help with this?

Modern firewalls have many additional features, though generally they’re only available on more expensive commercial firewalls or very high-end home firewalls costing about as much as a commercial firewall. These include things like SSL decryption and inspection and Intrusion Detection Systems/Services (IDS) and Intrusion Prevention Systems/Services (IPS). These tool-sets make it significantly more difficult for a threat actor to succeed in getting across the firewall, but also add layers of complexity to cybersecurity that require trained and knowledgeable staff to set up and maintain.

SSL decryption and inspection is exactly what it says on the packet. HTTPS communications are encrypted between the website and the browser/application, and therefore appear as meaningless garbage when viewed by a normal firewall. With SSL decryption, these streams of data are decrypted by the firewall, examined for malicious content or intent, then re-encrypted and passed to the user’s device that requested them. Outbound data is also examined in this way, to look for signs that a user’s device is compromised, or potentially than an insider threat action is happening. Because of the nature of HTTPS, you can’t just decrypt and then re-encrypt data. That would result in major errors in the applications and browsers communicating over HTTPS and create a lot of headaches for users and app creators as well – as apps and browsers automatically look for and block this kind of activity thinking it is a threat action. So, to set up SSL decryption and inspection, the IT/Cybersecurity team must configure both the network itself and also every device that will communicate over it with policies and security certificates which tell the devices that if traffic is re-encrypted by that known firewall, it should be treated as if it was never decrypted in the first place. This is, of course, very specific to the network in question, and only works if the end user device can confirm that the specific firewall in question was the only device to decrypt and then re-encrypt the data. By implementing SSL decryption and inspection, malware and other malicious traffic can be properly examined before it reaches the end-user device, allowing the firewall to resume its duties even where sites and apps are now sending/receiving data over HTTPS. As you might guess, this system requires not only knowledgable IT/Cybersecurity staff; but also help from Legal, Regulatory, Compliance, and often HR teams to make sure that no privacy or data regulations are being violated – as the organization can now see what would otherwise be unreadable data transmissions to banks, medical providers, and other sensitive/confidential communications.  

IDS/IPS are systems which look at data packets are being moved into and out of the network like a basic firewall, but they also seek out known patterns and behaviors that are malicious. This is accomplished by keeping track of what is being sent and received, and comparing that information to updated lists of data flows and behaviors which would indicate suspicious or outright malicious behaviors. A common example is a compromised endpoint getting data that is identifiable as Command and Control (C2) information from a threat tool or platform like a ransomware operator or criminal threat group. This would indicate that the end-user device is likely being subverted for use by a threat actor. As with blocking known bad websites and URL’s, this requires continuously updated data on what activity and network traffic is considered to be such an indicator of compromise, and IDS/IPS service providers will also provide threat feeds that supply this information to the firewall on an ongoing basis. IDS/IPS can be used in conjunction with SSL decryption and inspection to perform even more effective scanning activities, and it isn’t uncommon for both functions to be part of a next-generation firewall platform, while still allowing the IT team to decide if they will use one, the other, or both. The names (Intrusion Detection vs. Intrusion Prevention) refer to two forms of this kind of protective feature. IDS will alert staff if indicators of compromise are detected, but will not actively block traffic. While IPS will both alert and block traffic when it sees suspicious activity. A firewall may offer one or the other, but rarely both because IPS includes IDS detection features as part of its basic operations. Blocking benign traffic can create massive disruptions to business, so IT/Cybersecurity teams must properly configure and regularly tune these systems to make sure the bad stuff gets blocked, good stuff gets through, and anything else is reported and quickly evaluated to determine what to do next. 

Finally, firewalls can be extended to work with other cybersecurity tools and platforms. Endpoint protection solutions can work cooperatively with firewalls to help detect and deal with malware or other activities that involve more than one stream of data and/or multiple endpoints. Data Loss Prevention tools can integrate with a firewall to block the transmission of data outside of extremely restricted endpoints and business applications. The potential list of integrations is nearly limitless, and your IT/Cybersecurity team can set up the right combination of tools, with the right configurations, to best protect the business while still letting users get their work done. 

So, a firewall is a device (usually physical but sometimes virtual) that sits between your internal network and the outside world. Its job is to make sure any communications coming into the network conform to known traffic patterns and aren’t coming from known malicious sites/URLs. Firewalls can be extended to do additional cybersecurity tasks such as decrypting and examining HTTPS communications, and to detect and block known forms of malicious traffic even if they’re coming from otherwise benign sites and services. They can also be extended by integrating firewalls with other cybersecurity systems to enhance all of your cyber resilience plans. This is a bit of an oversimplification of the full depth and breadth of what modern firewalls can do, but it is a good way to visualize their operations and functionality in your networks.