Ransomware isn't just a threat to big corporations anymore. It affects everyone, from small businesses to everyday users. And it’s evolving so quickly that it’s difficult for the average person to keep up with the associated lingo.
This blog briefly explains attack terminology in a way that anyone can understand. The more you know, the better equipped you are to protect yourself and those around you.
1. What is a Zero-Day Exploit?
A zero-day exploit is an attack that takes advantage of a software flaw developers haven’t discovered yet, meaning no patch or fix exists to protect against it. Because the exploit targets an unknown weakness, it has a very good chance of bypassing all of the victim's cybersecurity defenses, leaving systems completely exposed until the flaw is identified and fixed. Zero-day exploits are particularly dangerous because they often go undetected for extended periods, giving attackers a significant head start.
2. What is a Botnet?
A botnet is a network of hacked computers that are remotely controlled by attackers. They can be used to distribute ransomware across a wide range of devices simultaneously, overwhelming defenses and spreading the attack quickly. Attackers often use botnets to launch large-scale phishing campaigns, sending out malicious emails containing ransomware to unsuspecting users.
3. What is a Brute Force Attack?
A brute force attack is when hackers gain access to accounts or systems by systematically trying every possible password combination until they find the correct one. Once attackers gain access, they can install ransomware to encrypt files and demand payment. Attackers use automated tools to speed up this process, allowing them to try thousands or even millions of passwords in a short period of time. They also draw on massive lists of commonly used passwords and their variations to increase their chances of success.
4. What is a Distributed Denial of Service (DDoS) Attack?
A DDoS attack is when hackers overwhelm a server, website, or network by flooding it with an enormous amount of traffic, causing it to slow down or crash entirely. This is often done using a botnet to send massive amounts of data simultaneously. While DDoS attacks don’t directly deliver ransomware, they are frequently used as distractions to disable security systems or overwhelm IT teams, allowing ransomware to be deployed unnoticed.
5. What is a Living off the Land (LotL) Attack?
A Living off the Land (LotL) attack is when ransomware uses legitimate system tools, such as PowerShell or Windows Management Instrumentation (WMI), to carry out malicious activities. Since these tools are already present on most systems, the ransomware doesn’t need to download new files, making the attack much harder to detect. By leveraging existing software, attackers hide their activities from traditional security measures, allowing the ransomware to avoid detection and spread unnoticed.
6. What is a Supply Chain Attack?
A supply chain attack is when attackers infiltrate an organization by compromising third-party vendors or software suppliers. Instead of targeting a company directly, attackers breach the systems of a trusted supplier and inject ransomware into the software or services they provide. Once the target organization installs or updates compromised software, the ransomware spreads through their network.
7. What is a Drive-By Download?
A drive-by download is when ransomware is automatically downloaded onto a device without the user’s knowledge or interaction. This occurs when a user visits a compromised website or views a malicious ad (“malvertising”). The ransomware is silently installed, often exploiting vulnerabilities in the user’s browser or plugins. Drive-by downloads are particularly dangerous because the victim doesn't need to click a link or download a file for the attack to succeed.
8. What is Fileless Ransomware?
Fileless ransomware is a type of attack that doesn’t need to install traditional malware files. Instead, it runs malicious code directly in the computer’s short-term memory (RAM), which is used to process active tasks. Since the ransomware doesn’t leave files on the hard drive, it’s much harder for traditional security tools to detect. And because RAM stores data temporarily and clears when the computer restarts, fileless ransomware can disappear completely after execution, making it particularly difficult to trace or analyze after the fact.
9. What is SQL Injection?
SQL injection is when an attacker enters malicious SQL fragments into a web application's input fields, such as a username field or the search bar, and the application passes that input into a database query unchanged. This tricks the database into executing unintended commands, allowing attackers to bypass authentication and gain access to databases containing sensitive information. Advanced attackers use SQL injection to access a company's systems and plant ransomware by compromising the database or back-end systems instead of interacting with unsuspecting users.
10. What is Credential Stuffing?
Credential stuffing is when attackers use lists of stolen usernames and passwords—often from data breaches—to try and gain unauthorized access to systems. Many users reuse passwords across different platforms, making this technique highly effective. Once the attacker successfully logs in using valid credentials, they can deploy ransomware or escalate their access to break into higher-value systems. Credential stuffing is particularly dangerous because it doesn't involve exploiting system vulnerabilities—it simply takes advantage of weak or reused passwords.
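An added example (Python written for this page, not the author's or any vendor's code) that serves both the brute force entry above and this credential stuffing entry: it reads constructed authentication log lines and tells the two patterns apart by how many distinct accounts a single source address fails against. The log format, the addresses, the usernames and the thresholds are assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample authentication events, one per line: "<time> <source ip> <user> <FAIL|OK>".
# The lines are made up for this demonstration; the format is an assumption, not any product's log.
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.5 alice FAIL
2024-01-01T10:00:02 203.0.113.5 alice FAIL
2024-01-01T10:00:03 203.0.113.5 alice FAIL
2024-01-01T10:00:04 203.0.113.5 alice FAIL
2024-01-01T10:00:05 203.0.113.5 alice FAIL
2024-01-01T10:00:06 203.0.113.5 alice FAIL
2024-01-01T10:00:07 198.51.100.7 bob FAIL
2024-01-01T10:00:08 198.51.100.7 carol FAIL
2024-01-01T10:00:09 198.51.100.7 dave FAIL
2024-01-01T10:00:10 198.51.100.7 erin FAIL
2024-01-01T10:00:11 198.51.100.7 frank OK
2024-01-01T10:00:12 192.0.2.9 grace FAIL
2024-01-01T10:00:13 192.0.2.9 grace OK
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(FAIL|OK)$")


def parse_events(log_text):
    """Return (timestamp, ip, user, result) tuples, skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groups())
    return events


def classify_sources(log_text, min_failures=5, min_distinct_users=4):
    """Group failed logins by source IP and label the pattern each source shows.

    brute_force:         many failures concentrated on one or a few accounts
    credential_stuffing: failures spread across many distinct accounts, each tried
                         only a few times, which is what replaying a stolen list produces
    The thresholds are illustrative assumptions; tune them to real login volume.
    """
    failures = defaultdict(int)
    failed_users = defaultdict(set)
    later_success = defaultdict(bool)
    for _ts, ip, user, result in parse_events(log_text):
        if result == "FAIL":
            failures[ip] += 1
            failed_users[ip].add(user)
        elif failures.get(ip, 0) > 0:
            # A success after a run of failures is the first case to triage:
            # one of the tried credentials worked.
            later_success[ip] = True

    verdicts = {}
    for ip, count in failures.items():
        distinct = len(failed_users[ip])
        if distinct >= min_distinct_users:
            category = "credential_stuffing"
        elif count >= min_failures:
            category = "brute_force"
        else:
            continue  # ordinary typos, not worth an alert
        verdicts[ip] = {
            "category": category,
            "failures": count,
            "distinct_users": distinct,
            "later_success": later_success[ip],
        }
    return verdicts


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The distinguishing signal is breadth rather than depth: a brute force source hammers one account, while a credential stuffing source touches many accounts once or twice each, so per-account lockouts alone do not catch it and the aggregation has to be done per source address. The `later_success` flag is what turns a noisy statistic into an actionable alert.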
11. What is a Dropper?
A dropper is malware designed to install other malicious software onto a victim's system. The dropper itself often doesn’t cause harm directly but acts as a delivery mechanism for ransomware. Droppers can be hidden in seemingly harmless files, downloads, or email attachments. Once executed, they quietly install additional malware in the background without the user’s knowledge, making it difficult to detect the full extent of the infection.
12. What is a Locker?
A locker is malware that completely locks users out of their device or system by blocking access to the operating system. Often, a ransom demand is displayed on the victim’s locked screen. For cybercriminals, the advantage of using a locker is that it creates immediate panic and urgency for the victim, increasing the likelihood of payment. Additionally, locker malware is often easier and quicker to deploy compared to more sophisticated attacks that involve file encryption.
13. What is a Wiper?
A wiper is malware designed to permanently erase or destroy data, making it impossible to recover. Unlike data encryption, where the goal is financial gain through extortion, a wiper attack aims to cause maximum damage by wiping out critical information. In some attacks, wipers are disguised as ransomware, tricking victims into paying for recovery when the data is already destroyed. Cybercriminals may also use wipers to cripple an organization, disrupt operations, or cover their tracks after data theft. By erasing all evidence, it leaves the victim unable to recover their data or determine the full extent of the attack.
Closing Thoughts
Taking time to understand how attackers operate is an investment. Familiarizing yourself with key terms makes you better equipped to recognize potential threats and take action before they can cause damage. As ransomware continues to mutate and spread, staying informed is one of the best defenses we have.
How Arms Cyber Can Help
The Arms Cyber ransomware solution employs a comprehensive, multilayered defense-in-depth approach that combats ransomware at every stage of execution. Utilizing a mix of cutting-edge strategies, traditional defenses are transformed into a moving maze, designed to disorient and effectively disrupt even the most advanced attackers. From initial intrusion, through attempts at evasion, to malicious payload execution, Arms Cyber identifies and neutralizes ransomware threats earlier and more effectively compared to signature-based and behavioral methodologies.