There’s been a lot of talk lately about ransomware, and if you’re like a lot of people, you might be wondering what it is. Ransomware is a type of malware that locks your computer or mobile device until you pay a ransom. In this guide, we’ll walk you through the basics of ransomware removal so that you can get your device back to normal.

What is Ransomware?

Ransomware is a type of malware that locks your computer or mobile device until you pay a ransom. The amount of the ransom can vary, but it is usually around $200-$400. The attackers will typically demand payment in Bitcoin, which is a type of digital currency that is difficult to trace.

Ransomware is a class of malware that, once executed on a victim’s computer, renders the system and/or its data inaccessible until a ransom payment is completed. This is typically achieved in one of two ways:

Locker Ransomware

Locker ransomware prevents users from accessing their system by locking the screen or encrypting the entire hard drive. The attacker will then demand a ransom in order to unlock the device or provide a decryption key.

Crypto Ransomware

Crypto ransomware encrypts specific files on the victim’s computer, making them inaccessible. The attacker will then demand a ransom to provide the victim with a decryption key.

What does ransomware cost companies?

According to a recent study, the average cost of a ransomware attack is $133,000. The study found that the median time to resolve a ransomware attack is 41 days. The cost of downtime can also be significant, as it can lead to lost productivity and revenue.

How is ransomware distributed?

From the first widely distributed attacks using a floppy disk to the use of botnets in the mid to late 2000s, ransomware distribution methods have evolved over the years. The most recent ransomware families and their associated variants most frequently employ the following techniques:


Phishing Emails

The most common method of ransomware distribution is through phishing emails. The email will typically contain a malicious attachment or link that, when opened, will install the ransomware on the victim’s computer.

Drive-By Downloads

Drive-by downloads can occur when a victim visits a malicious website or clicks on a malicious ad. The site or ad will exploit a vulnerability in the victim’s web browser or plugin, which will then download and install the ransomware.

Malicious Ads

Malicious ads, also known as malvertising, are advertisements that contain malicious code that can redirect victims to a malicious website or download and install ransomware.


Botnets

Botnets are networks of infected computers that can be controlled remotely by an attacker. The attacker can use the botnet to distribute ransomware to the computers in the network.

What are the stages of a ransomware infection?

Once a target has been identified, the ransomware lifecycle can be observed through the following stages:

Initial Access/Distribution

The initial access stage is when the attacker gains access to the target’s computer or network. This can be done through phishing emails, drive-by downloads, or malicious ads. The attacker will then install the ransomware on the system.


This can be completed by making a call to a hardcoded URL or as an automated second stage of the initial infection vector. At this point you may see network traffic to suspicious IPs or domains that hold the malicious files. Once downloaded, the executable is typically placed in a local Windows %temp% directory (it may also end up in the root or a subdirectory of C:\, such as C:\Windows), the original dropper file is removed, and the downloaded malicious file is executed.

Payload Staging

The main goal of this stage is to ensure completion of ransomware attacks and persistence through system shutdowns. Some actions the ransomware may take during this stage include but are not limited to:

  • Running checks to see if ransomware has previously been deployed on the system
  • Checking, adding, and modifying Registry values
  • Discovering user accounts and their associated privileges
  • Attempting privilege escalation
  • Identifying mapped network shares
  • Deleting system backups
  • Disabling recovery tools
  • Compiling encryption/decryption keys
  • Adjusting system boot settings (some variants reboot victims in ‘Safe Mode’)
  • Depending on the malware variant, C2 communication may be established.
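The download and staging behaviors described above leave traces in process-creation logs. The following is an added example, not part of the original article: detection logic that tags events for execution from a temp directory, backup deletion, disabled recovery, and Safe Mode boot changes, then escalates hosts that show temp execution together with recovery tampering. The event field names (`host`, `image`, `command_line`), the specific Windows commands matched, and the sample events are assumptions constructed for illustration.

```python
import re

# Command-line patterns for staging behaviours in the list above. The
# specific Windows commands are assumptions chosen for this example.
RULES = [
    ("backup_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("backup_deletion", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("safe_mode_boot", re.compile(r"\bbcdedit(\.exe)?\b.*/set\b.*\bsafeboot\b", re.I)),
]
# Executable launched from a user or system temp directory. Installers do this
# too, so on its own it is a weak signal.
TEMP_EXE = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\.+\.exe$", re.I)

def classify(event):
    """Return the set of behaviour tags one process-creation event matches."""
    tags = {tag for tag, rx in RULES if rx.search(event["command_line"])}
    if TEMP_EXE.search(event["image"]):
        tags.add("exec_from_temp")
    return tags

def triage(events):
    """Collect tags per host; escalate hosts with temp execution plus recovery tampering."""
    per_host = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            per_host.setdefault(ev["host"], set()).update(tags)
    escalate = sorted(h for h, t in per_host.items()
                      if "exec_from_temp" in t and t - {"exec_from_temp"})
    return per_host, escalate

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe",
     "command_line": r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe"},
    {"host": "WS-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-01", "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS-01", "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit /set {default} safeboot minimal"},
    {"host": "WS-02", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows"},  # read-only query, no tag
    {"host": "WS-03", "image": r"C:\Users\bob\AppData\Local\Temp\setup_helper.exe",
     "command_line": "setup_helper.exe /S"},    # temp execution only
]

if __name__ == "__main__":
    per_host, escalate = triage(SAMPLE_EVENTS)
    print(per_host, escalate)
```
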


Scanning

The scanning stage is conducted to identify systems and files that can be encrypted by ransomware. The attacker will also check for file types and processes that should not be encrypted, such as system files.

Data Encryption

The data encryption stage is when the attacker will encrypt files on the local system and any mapped network drives using the asymmetric encryption key. The key is then encrypted with a public key, which is unique to each victim. The public key is then sent to a C2 server.

Ransom Demand

The ransom demand stage is when the attacker will present the victim with a ransom note, typically demanding payment in cryptocurrency. The note will instruct the victim on how to make the payment and often includes a deadline.

Are You Looking For A Computer Security Service You Can Finally Trust?

Managed Technology Solutions, also known as ManagedTEK – IT Security Services & Monitoring, is a managed service provider that provides IT support and security solutions for businesses throughout the greater San Francisco Bay Area. ManagedTEK was founded on an urgency to empower and protect our community from the digital war on personal security and privacy. We focus and specialize in protecting businesses from falling victim to increasingly complex cyber threats. We use cutting-edge technology along with proven cybersecurity practices to provide support and protection for small businesses. Contact us today for your free consultation!