ランサムウェア

セキュリティ

定義

被害者のファイルを暗号化したりシステムをロックし、復号鍵と引き換えに身代金(通常は暗号通貨)を要求するマルウェアの一種です。現代のランサムウェアは、二重恐喝のために暗号化とデータ流出を組み合わせることが多いです。

The Attack Lifecycle

Ransomware follows a predictable kill chain. Initial access typically comes via PhishingA social engineering attack that uses fraudulent emails, websites, or messages to trick users into revealing credentials, financial data, or installing malware. Spear phishing targets specific individuals with personalized content. emails, exposed SSH services with weak credentials, or unpatched vulnerabilities. Once inside, the malware spreads laterally, identifies valuable data, and exfiltrates a copy before encrypting files — giving attackers double leverage: pay to decrypt, pay again to prevent publication.

Network-Level Indicators

Security teams hunt ransomware using network telemetry. Key signals include unusual SMB traffic (lateral movement), large outbound transfers to unfamiliar IPs, DNSDomain Name System. The hierarchical, distributed naming system that translates human-readable domain names (e.g., example.com) into IP addresses (e.g., 93.184.216.34). Often called the "phonebook of the internet." queries to newly registered domains, and communication with command-and-control infrastructure over non-standard TCP ports. A HoneypotA decoy system or network resource designed to attract and trap attackers, allowing defenders to study attack techniques and divert threats from production assets. Honeypots provide early warning of intrusion attempts. share with fake sensitive files can trigger early alerts the moment ransomware begins scanning.

Defense in Depth

No single control stops ransomware. Effective defense layers include:

IP Blacklist Check can verify whether known ransomware C2 IP ranges are already blocked at your perimeter.

関連用語

セキュリティの関連項目