What Is Ransomware? A Quick Guide

Learn about how ransomware works and what steps you can take to prevent having your data compromised and used against you.


Jan 20, 2023


This article will provide an overview of ransomware and explain its definition. We’ll discuss how it works, who the typical victims are, and the steps you can take to protect yourself.

So, what is ransomware? Simply put, it is malware that encrypts the victim’s files and computer systems until a required ransom is paid. Individuals or businesses that fall prey to this type of threat cannot access their applications, files, or databases. Worse still, paying the ransom money will often not guarantee the safe return of one’s files, and unless there is a backup, they may be lost forever.

Ransomware is usually designed so that it spreads and affects the entire organization. This is a growing problem, and the damage can be immense. Billions of dollars are collected by criminals who extort money in this way from individuals and businesses. 

Ransomware Definition 

Ransomware encrypts the user’s data and threatens to delete or publish it unless the ransom is paid. Usually, there is a deadline, and if not met, the information is destroyed or published. Sometimes, if users fail to pay quickly, the money needed to restore the data increases.

Ransomware threats are pretty common. While some may believe that this type of malware targets only individuals, a few of the most reputable companies from Europe and North America have also been victims of ransomware. Many of these companies belong to tech-savvy industries such as IT, yet ransomware still managed to infect their systems. These attacks take place all over the world, within all industries.

The most relevant government agencies, along with the FBI, recommend not paying the ransom, and so does the “No More Ransom Project.” It is estimated that half of the users who follow the attackers’ instructions and pay the required amount are more likely to be hit by ransomware again, especially when the threat is not removed from their computer(s).

Knowing how to define ransomware is one thing, but fighting the culprits is something completely different.  We need to emphasize here that distributing and using ransomware is a serious criminal offense and that you should definitely involve the authorities if your data gets compromised.

History of Ransomware

The beginnings of ransomware date back to 1989, and the “AIDS Trojan” virus, commonly known as the PC Cyborg virus. The victims of ransomware had their funds extorted using this malware. The ransom collection was done by mail. The recipients of the ransomware were required to mail the money to a PO box in Panama, and in return, the decryption key was sent back to them. 

In 1996, Adam and Moti Yung from Columbia University came up with ransomware called “cryptoviral extortion.” They shared their findings with colleagues and demonstrated the first attack. 

The malware (or ransomware, to be precise) they created contained the attackers’ public key and encrypted the victim’s files. After that, it would prompt the user to send the asymmetric ciphertext to the attacker. The attacker would decrypt it and return the decryption key to the user, provided the user paid for it.

Cybercriminals introduced many new payment methods to help keep their identities private. Bad actors who go after unsuspecting victims rely on creativity and wit because the transactions need to be untraceable. For instance, the ransomware Fusob asks its victims to pay in Apple iTunes gift cards instead of dollars, British pounds, or euros. 

With the rising popularity of cryptocurrencies, ransomware virus threats have become more common. Bitcoin, like other cryptocurrencies, uses cryptography to verify transactions. Due to the relative anonymity of cryptocurrencies and the fact they’re easily obtainable, many attackers are opting for Bitcoin, Ethereum, and Litecoin as their preferred payment method for the ransoms.

How Does Ransomware Work? 

Ransomware attacks take control of a user’s computer or data in two ways: encryptors and screen lockers. As the name suggests, encryptors encrypt information so the users cannot make sense of anything until they get the decryption key. Screen lockers lock the computer, leaving users unable to use it or perform any actions until the ransom is paid.

The attackers often give the victims detailed instructions to retrieve their data. These instructions usually explain how to buy cryptocurrencies with which they will pay the ransom. Once the required money is paid, users will supposedly get a decryption key. This, however, is no guarantee that the attacks won’t be repeated or that the decryption will be successful at all. 

In some cases, users don’t even get the decryption key, and some attackers install further ransomware on the computer even after the payment is completed and data restored. 

At first, ransomware mainly targeted individual users, but lately, there has been an increase in attacks against businesses since they are often more likely to pay a larger amount of money to retrieve data and continue their business operations. 

Ransomware infection usually starts with an email that carries the malware. As soon as the user opens the attachment or visits the website linked in the email, the malware begins encrypting files. Once the encryption is done, the computer shows a message that explains the type of threat and how much money is demanded to remove it.

The most notorious ransomware examples include Locky, WannaCry, Bad Rabbit, Ryuk, Shade, Jigsaw, CryptoLocker, and Petya. 

Why Is Ransomware Spreading?

The COVID-19 pandemic forced more people to work from home, which resulted in more phishing scams. Phishing is a common tactic for ransomware scammers. It is done by sending emails with malicious attachments or links that victims click. Ransomware cybercriminals rely on email because it is so widespread and used by everybody. This method ensures that ransomware threats are more successful in reaching their goals and can reach a large number of people easily.

Who Is at Risk? 

Virtually any device with internet access can become infected with ransomware. Once running, it scans the local device and any network-connected storage, meaning that a single infected device can potentially infect the entire local network. If the local network belongs to a business, a ransomware attack could compromise essential data, seriously impacting productivity and putting the company at risk of having confidential data leaked.

Devices that use the internet should always have anti-malware installed. Ideally, these protection tools should have the ability to protect from attacks ever happening. Failing that, work computers should at least have some decryption software to deal with the aftermath of an attack.

Why Is It So Hard To Find the Ransomware Cybercriminals?

As previously mentioned, the perpetrators resort to cryptocurrencies as a payment method, making it hard to trace the money back to the cybercriminals responsible for the attacks. 

Additionally, these criminal groups are constantly working on elaborate plans and ransomware schemes so that they can make more profit in the easiest way possible, with minimal risk. Finally, the very process of creating ransomware is easier than ever, with many open-source code platforms, so there are more bad actors to worry about than ever before.

Who Are the Perpetrators?

In the past, ransomware attackers were typically the people who created the malware in the first place. However, these days attackers are not always the authors of ransomware. Very often, the actual creators lease their ransomware or sell it. 

The software can also be leased as malware-as-a-service, in which case those who paid for it manage their own campaigns but have nothing to do with the coding aspects. This is why we see more and more malware attacks these days: it’s all too easy for people with ill intent to pull off successful scams, even if they have no real coding knowledge.

Ransomware Impact on Businesses 

Businesses that fall prey to ransomware risk losing lots of money. Even so, that’s only the tip of the iceberg. Along with encrypting the data and never giving the access back, the attacker can publish the information, resulting in severe brand damage and even possible legal consequences. For this reason, some organizations simply opt to pay the ransom right after the attackers start blackmailing them. 

The moment the data is encrypted, productivity stops, so the first step businesses need to think about is containment. Only after the threat has been identified and contained can a plan for restoring access to data be enacted, but even that doesn’t guarantee safety from the bad actors leaking stolen confidential company information.


Steps for Preventing a Ransomware Attack

Users can take several measures to prevent ransomware attacks and protect their devices from potential threats. These simple pre-emptive steps could make a big difference because removing ransomware is a much more complex endeavor that might need to involve law enforcement. 

1. Endpoint Protection

Many people assume that installing antivirus will be enough to protect from ransomware, but most legacy antivirus tools help only against some types of malware.

A much more efficient option, in this case, would be one of the modern endpoint protection platforms, useful against threats such as WannaCry or those whose signatures are not yet in malware databases. Such tools are more effective in assisting security teams in detecting and blocking threats in real-time.

2. Data Backup 

It is advised to back up data to an external hard drive by creating three backup copies on at least two different disks, one of which should be stored separately. Keeping at least one in “cold storage” and disconnected will ensure that the backed-up data will be safe if the encryption happens. 

3. Patch Management

Keeping the installed applications and the operating system up-to-date and installing the latest security software is very important. Vulnerability scans should be run frequently to identify and remediate the vulnerabilities as quickly as possible. 

4. Control and Application Whitelisting 

Installed applications should be limited to a whitelist that is centrally controlled. Adobe Flash should be disabled, along with other vulnerable browser plugins. Browser security needs to be optimal, and web filtering should be used to prevent users from accessing malicious websites. Finally, macros on word processing apps should be disabled. 

5. Email Protection and Employee Training

Business owners should work on training their employees to spot social engineering emails and - if possible - test them and see whether they’re able to identify phishing and avoid it. Spam and endpoint protection are very useful for blocking suspicious emails. Malicious clickable links should be blocked immediately. Ransom malware usually gets to the users via email, so teaching employees proper email etiquette will hugely reduce the risks of ransomware infection. 
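As an added example (not part of the original article), the kind of attachment check a mail gateway can apply to the phishing lures described above: it parses a raw message, flags executable, script and macro-enabled attachments, and catches “double extension” names such as invoice.pdf.exe. The sample message, addresses and extension lists are constructed for the demonstration.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment types a gateway should quarantine before they reach a mailbox:
# executables, script and shortcut files, disk images, and macro-enabled Office
# documents. The list is illustrative, not a complete policy.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso",
                      ".docm", ".xlsm", ".pptm")
# "invoice.pdf.exe": a harmless-looking name followed by the real extension.
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g)\.[a-z0-9]{2,4}$", re.I)


def attachment_risk(filename):
    """Return a reason to quarantine the attachment, or None if the name is clean."""
    name = filename.lower()
    if DOUBLE_EXTENSION.search(name):
        return "double-extension"
    for ext in BLOCKED_EXTENSIONS:
        if name.endswith(ext):
            return "blocked-type:" + ext
    return None


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and list (filename, reason) for every
    attachment that should be held back from the recipient."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        reason = attachment_risk(part.get_filename() or "")
        if reason:
            findings.append((part.get_filename(), reason))
    return findings


def build_demo_message():
    """Constructed sample: an invoice lure carrying one disguised executable
    (a 4-byte placeholder, not a real program) and one harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please review the attached invoice today.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()
```

Name checks alone are a first filter; a real gateway pairs them with content inspection, since a renamed file keeps its true format.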

6. Network Defenses 

To prevent ransomware from communicating with command & control centers, intrusion prevention and detection systems need to be in place. Every company worried about the safety of its data needs to invest in an advanced firewall system to help stop attacks before they’ve even had a chance to happen.

Steps To Take if Attacked by Ransomware

If users do get infected by ransomware, the effects of the payload are visible immediately. A message with instructions for payment appears, along with text explaining what the ransomware has done to the data. It is critical to act quickly, as ransomware aims to spread to other locations in the system. While there are several steps the user can take independently, expert intervention is often necessary - average users should not handle ransomware on their own.

1. Isolating the Affected Device

If users have only one of their devices infected by ransomware, the damage can usually be remedied. However, if the infection spreads to all the devices in a network, this could mean the end of the company’s operations.

The reaction time often determines which one of these two scenarios will happen. The first step is to disconnect the infected device from the internet and the local network, denying it access to other devices as soon as possible. Time is of the essence here, and a hard shutdown or disconnect is often recommended.

2. Stopping the Spread 

Since ransomware spreads quickly, isolating the device will often not be enough. To avoid ransomware spreading across the network, it is necessary to disconnect all devices from it, especially those acting suspiciously. Even computers that are not physically in the same place as the infected one can be attacked, so everything needs to be shut down. It is recommended to turn off the Wi-Fi, Bluetooth, and all other means of internet connection.

3. Assessing the Damage

Users can identify affected files by looking for recently modified files that carry strange extension names, as these are the ones that have been encrypted. To prevent further damage, files that have not yet been fully encrypted should be isolated. It is imperative to make a list of all affected systems. Another step is to ensure file sharing between devices is restricted.

4. Finding Patient Zero

The moment the source of the infection is located, it becomes much easier to contain the attack. Any alerts from your antivirus might be a good starting point. Another helpful tip is asking users about their online activity to find out who first came across the ransom malware and how. Finally, clues can be found by looking at file properties, i.e., unusual extensions or names. Quickly identifying the first infected device helps curtail the spread of the ransomware across the network.
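As an added example (not from the original article), a small triage script for steps 3 and 4 above: it walks a share, keeps files modified within a time window whose extension is unexpected and whose bytes look random (encrypted data has near-maximal entropy), and returns them oldest first, so the earliest hit is a starting point for locating patient zero. The extension list, the time window and the sample share are constructed assumptions for the demonstration.

```python
import math
import os
import tempfile
import time
from pathlib import Path

# Extensions normally expected on the share being checked. Recently modified files
# whose extension is NOT in this set and whose bytes look random are flagged.
# Office formats are zip containers and already high-entropy, so the extension
# check matters: a bare entropy test would flag every .docx on the share.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv"}


def shannon_entropy(data):
    """Bits of entropy per byte; encrypted data sits close to the maximum of 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_suspect_files(root, window_seconds=3600, min_entropy=7.5, now=None):
    """List (path, mtime) for recently modified, unknown-extension, high-entropy
    files, oldest first: the earliest entry is a lead for patient zero."""
    now = time.time() if now is None else now
    suspects = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or now - path.stat().st_mtime > window_seconds:
            continue
        if path.suffix.lower() in KNOWN_EXTENSIONS:
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)  # a sample of the file is enough to judge
        if shannon_entropy(head) >= min_entropy:
            suspects.append((str(path), path.stat().st_mtime))
    return sorted(suspects, key=lambda item: item[1])


def build_demo_share():
    """Constructed sample share: one plain document and one 'encrypted' copy
    (random bytes) with an appended extension, as a locker leaves behind."""
    root = tempfile.mkdtemp()
    (Path(root) / "report.docx").write_bytes(b"quarterly report " * 300)
    (Path(root) / "report.docx.locked").write_bytes(os.urandom(4096))
    return root
```

Run the scan from a clean analysis host against a read-only mount of the share, and record the output as the list of affected systems that step 3 calls for.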

5. Removing the Threat

Ransomware can attack targeted systems from various angles, so the help of a trusted expert is often necessary. The expert will access the logs and identify vulnerabilities and all affected systems. 

A detailed root cause analysis is required to deal with this issue successfully. The moment the threat is contained, this crime must be reported to the authorities.  It is wise to invest in software that will prevent the initial outbreak of ransomware, but security and decryption tools to deal with the aftermath of an attack should not be neglected either.

Should You Pay the Ransom?

The answer is no. The attackers often take the money and never send the key for decryption, leaving the individual or company seriously financially damaged. Moreover, paying the money to cybercriminals only perpetuates the cycle of extortion, giving them financial incentives and means to create new threats. Besides, it is very common for people who paid ransom once to experience more attacks in the future. 

Final Thoughts

Ransomware is a serious threat that can affect both businesses and individuals. If users are not careful enough, it can bring devastating damage to their data, potentially completely paralyzing workflow until things are resolved.

There is no guarantee that the malware will be removed if the ransom is paid, so the best option is to work on prevention. Ransomware actors constantly develop new software, so keeping your software updated and having a backup of all important data is all but mandatory these days.

What is ransomware in simple terms?

Ransomware is a type of malware that encrypts files on a victim’s device so they become unusable until a decryption key is used.

How does ransomware get on your computer?

Usually, ransomware infects your device after clicking on a link or attachment from a phishing email or by downloading and running an infected file from a shady website.

What is an example of a ransomware attack?

WannaCry is one of the most well-known ransomware tools around. In 2017, it infected over 200,000 computers across 150 countries, resulting in £6 billion in recovery costs globally.
