Ransomware

Segurança

Definição

Um tipo de malware que criptografa os arquivos da vítima ou bloqueia seu sistema, exigindo pagamento (geralmente em criptomoeda) pela chave de descriptografia. O ransomware moderno frequentemente combina criptografia com exfiltração de dados para extorsão dupla.

The Attack Lifecycle

Ransomware follows a predictable kill chain. Initial access typically comes via PhishingA social engineering attack that uses fraudulent emails, websites, or messages to trick users into revealing credentials, financial data, or installing malware. Spear phishing targets specific individuals with personalized content. emails, exposed SSH services with weak credentials, or unpatched vulnerabilities. Once inside, the malware spreads laterally, identifies valuable data, and exfiltrates a copy before encrypting files — giving attackers double leverage: pay to decrypt, pay again to prevent publication.

Network-Level Indicators

Security teams hunt ransomware using network telemetry. Key signals include unusual SMB traffic (lateral movement), large outbound transfers to unfamiliar IPs, DNSDomain Name System. The hierarchical, distributed naming system that translates human-readable domain names (e.g., example.com) into IP addresses (e.g., 93.184.216.34). Often called the "phonebook of the internet." queries to newly registered domains, and communication with command-and-control infrastructure over non-standard TCP ports. A HoneypotA decoy system or network resource designed to attract and trap attackers, allowing defenders to study attack techniques and divert threats from production assets. Honeypots provide early warning of intrusion attempts. share with fake sensitive files can trigger early alerts the moment ransomware begins scanning.

Defense in Depth

No single control stops ransomware. Effective defense layers include:

IP Blacklist Check can verify whether known ransomware C2 IP ranges are already blocked at your perimeter.

Termos relacionados

Mais em Segurança