Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until ransom is paid. Ransomware spreads through phishing emails, malvertising, visiting infected websites or by exploiting vulnerabilities.
Ransom payment amounts range from a few hundred to hundreds of thousands of dollars, usually payable in cryptocurrencies like Bitcoin.
How Does Ransomware Work?
- Social engineering and phishing: Ransomware spreads by tricking users into downloading an infected email attachment that masquerades as a file from a colleague or boss.
- Malvertising: Malvertising uses an infected iframe or invisible element to spread ransomware. The iframe redirects to a page that executes malicious code or an exploit kit to perform a drive-by download without user knowledge.
- Vulnerabilities: More aggressive forms of ransomware like WannaCry exploit vulnerabilities to infect computers without any user action.
Once infected, ransomware may encrypt some or all files.
After the initial ransomware infection, a ransom note explains the files are inaccessible. The victim must send a ransom payment to buy the decryption key to decrypt their files.
Other ransomware claims to be law enforcement that has locked the victim's computer because of pirated software or pornography. It then demands payment of a fine to unlock the computer.
Leakware or doxware is another form of ransomware. It threatens to publicize sensitive data on the victim's hard drive.
Who is a Target For Ransomware Attacks?
Attackers have several ways of choosing which organizations to target. It could be a matter of opportunity or the likelihood of payment.
Your organization is a more attractive target if it is exposed to a known vulnerability. An example is EternalBlue, an exploit against the outdated SMB protocol in legacy versions of Microsoft's operating systems. Attackers can use it to install ransomware on unpatched machines. This is how WannaCry spread.
Common targets are government agencies and medical facilities, because they often have poor information security and data protection, and they need immediate access to their files. This means they are more likely to pay the ransom.
Other organizations may be willing to pay to keep the security breach quiet. These organizations are key targets for leakware attacks. It's important to note many jurisdictions require data breaches and data leaks to be reported. Examples include the United States, Australia and the Eurozone.
What are the Different Types of Ransomware?
Ransomware is a type of malware and there are four main ransomware variants:
- Scareware: Scareware is fake security software that claims malware is on the computer. The end user receives a pop-up that demands payment for removal. If a payment isn't made, the pop-ups continue, but files are generally safe. Real antimalware/antivirus software already monitors for malware attacks and will never make you pay to have an infection removed.
- Screen lockers: Screen lockers lock you out of your computer. The ransomware replaces the login screen with a screen demanding payment. Often the screen has the FBI's or another law enforcement agency's logo. No law enforcement agency will freeze you out of your computer. Nor will they demand payment for an illegal activity. They will go through appropriate legal channels.
- Encryption ransomware: Encrypts your files and demands payment to decrypt them. This type of ransomware carries the highest cybersecurity risk. It is hard to regain access to encrypted files: the only ways are to pay the ransom or use a decryption tool. Even if you do pay the ransom, there is no guarantee the attacker will decrypt your files.
- Mobile ransomware: The popularity of mobile devices has led to the development of mobile ransomware. It often targets Android because, unlike Apple's iPhone operating system, Android allows installation of third-party applications.
What Makes Ransomware Different to Other Forms of Malware?
Ransomware uses encryption to make files inaccessible. To regain access, you need the decryption key or a decryptor tool.
The encrypted files could be documents or pictures, videos and audio or other file types.
More sophisticated attacks scramble file names and add different extensions. This makes it hard to identify the affected files and which ransomware is on your system.
Ransom payments generally have a time-limit and increase with time. This adds pressure to pay. In extreme cases, files are destroyed or leaked. Ransomware that does this extracts sensitive data and sends it to control servers.
Should You Pay Ransomware?
If you are the victim of a ransomware attack, you need to think through your options. Many law enforcement agencies urge you not to pay the ransom. This is generally good advice as it reduces the incentive to create more ransomware.
But, if you have lost vital data, it may make sense to pay the ransom.
Overcoming sophisticated encryption may be impossible. This is why the most important thing is to reduce the risk of being infected by ransomware.
Many ransomware attacks keep prices low, ranging from $500 to $1,500, so that companies can afford to pay. Attackers often detect the country the computer is in and adjust the ransom amount. This allows them to demand more from companies in rich countries and less from poorer regions. There are also often discounts for paying fast.
The price must be high enough to make it worth the attacker's time and low enough to be payable by the victim. This can be a large amount if the victim cannot reproduce lost data.
With this in mind, companies have begun to add ransom payments into their security plans. But this is not a great solution. Prevention is key.
Attackers may not deliver the decryption key on ransom payment. Decryption functionality may not even be in the malware at all. Such ransomware gains a reputation for not decrypting and does not always generate revenue.
Also check whether you are dealing with real ransomware or with scareware that has not actually encrypted your data.
How to Prevent Ransomware
The risk of ransomware threats highlights how poor worldwide cyber resilience is. Preventable misconfigurations and vulnerabilities have wreaked global havoc. WannaCry caused hundreds of millions to billions of dollars in lost productivity.
Ransomware infections often come from flaws in processes and priorities rather than from software, code and firewall problems, although fixing those helps too.
What is worrying is how vulnerable many organizations are to advanced cyber threats, and how many critical business functions have no process in place to restore their systems.
Here’s how to prevent ransomware attacks and minimize their impact if they do occur:
- No single point of failure: Whether it's ransomware, hardware failure, database error, or something else, if your data is important it should be backed up at at least one other secure location.
- Automate provisioning process: If an asset is taken down by ransomware or anything else, you should be able to return it to a working state as soon as possible.
- Patch everything: Keep your systems up-to-date to avoid known exploits.
- Security awareness training: It's easier to prevent malware infections than reverse them. Don't install software you don't trust. And don't give administrative privileges to every employee.
- Antivirus software: Antivirus software like Kaspersky or McAfee can detect known ransomware families and whitelisting software can prevent unauthorized applications from executing in the first place.
- Backup solutions: In the event of a ransomware infection, it's essential to have data backed up. If your data is backed up and safe, your organization can quickly recover from an attack. Use an online storage solution such as Google Drive or Dropbox and/or an external hard drive backup for all important files.
These tactics reduce the cybersecurity risk of ransomware, turning it from a disaster to a minor nuisance.
How to Remove Ransomware
There is no one way to remove ransomware as each ransomware family is different and there is always new ransomware being developed.
Further, while removing the ransomware from your computer will restore access to your computer, it won't necessarily decrypt your files. If the malware is sophisticated it will be mathematically impossible for anyone to decrypt your files without access to the decryption key. In fact, by removing the malware you've removed the possibility of restoring your files by paying the attackers the ransom.
This is why mitigation and backing up files is so important. It's better to have a backup of any important files so that you can simply accept that the files have been encrypted and are inaccessible, then restore from your backup.
Why is Ransomware Not Detected by Antiviruses?
New ransomware is constantly being developed and antiviruses are really good at stopping things they've seen before, not so much new threats.
This is why the steps above must be followed. Considering what ransomware does, the question enterprises should be asking themselves is why they can't just reimage the affected systems.
An image is a snapshot of an entire computer system that can be deployed in minutes to restore the system to an expected state.
There are only a few reasons that ransomware works: either important data isn't stored elsewhere, or the system performs a critical business function and has no process to restore it to a working state.
If you have the correct processes in place, it shouldn't matter that antiviruses aren't great at detecting ransomware. You should be able to restore functionality quickly to any impacted systems. Further, you should focus on training your employees to avoid installing ransomware in the first place.
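Because signature-based antivirus misses new families, defenders usually fall back on the behaviour this article describes under "What Makes Ransomware Different": many files rewritten with high-entropy (encrypted) content and renamed to a new extension in a short burst. The following is an added example, not code from the original article or from UpGuard: a small detector over constructed file-event records, where the event format, process ids, window and thresholds are all assumptions.

```python
import math
from collections import defaultdict
from os.path import splitext

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text sits around 4-5, ciphertext near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)

# Constructed file-system events, not real telemetry: (ts_seconds, pid, op, path, payload).
# A "write" payload is the bytes written; a "rename" payload is the new path.
ENCRYPTED = bytes(range(256)) * 4                       # stand-in for ciphertext (entropy 8.0)
PLAINTEXT = b"Quarterly revenue report, draft 3. " * 12  # ordinary document content
EVENTS = []
for i in range(8):  # pid 1001: overwrites each document with ciphertext, then renames it
    EVENTS.append((0.5 * i, 1001, "write", f"C:/Users/alice/Documents/doc{i}.docx", ENCRYPTED))
    EVENTS.append((0.5 * i + 0.1, 1001, "rename", f"C:/Users/alice/Documents/doc{i}.docx",
                   f"C:/Users/alice/Documents/doc{i}.docx.locked"))
# pid 2002: a word processor saving one file the normal way (low entropy, one temp-file rename)
EVENTS.append((3.0, 2002, "write", "C:/Users/alice/Documents/~report.tmp", PLAINTEXT))
EVENTS.append((3.1, 2002, "rename", "C:/Users/alice/Documents/~report.tmp",
               "C:/Users/alice/Documents/report.docx"))
for i in range(3):  # pid 3003: a backup tool writing compressed archives (high entropy, no renames)
    EVENTS.append((5.0 + i, 3003, "write", f"D:/backup/archive{i}.zip", ENCRYPTED))
HIGH_ENTROPY, MIN_ENC_WRITES, MIN_EXT_CHANGES = 7.5, 5, 5  # assumed tuning values

def suspicious_processes(events, window=10.0):
    """Return pids that, inside any `window` seconds, both wrote >= MIN_ENC_WRITES high-entropy
    files and renamed >= MIN_EXT_CHANGES files to a new extension. Either signal alone is
    normal (archivers, editors); together they look like bulk encryption."""
    marks = defaultdict(list)  # pid -> [(ts, "enc" | "ext")], in time order
    for ts, pid, op, path, payload in sorted(events, key=lambda e: e[0]):
        if op == "write" and shannon_entropy(payload) >= HIGH_ENTROPY:
            marks[pid].append((ts, "enc"))
        elif op == "rename" and splitext(path)[1] != splitext(payload)[1]:
            marks[pid].append((ts, "ext"))
    flagged = set()
    for pid, seq in marks.items():
        start = 0
        for end in range(len(seq)):  # sliding window over this pid's signals
            while seq[end][0] - seq[start][0] > window:
                start += 1
            kinds = [k for _, k in seq[start:end + 1]]
            if kinds.count("enc") >= MIN_ENC_WRITES and kinds.count("ext") >= MIN_EXT_CHANGES:
                flagged.add(pid)
                break
    return flagged
```

Running `suspicious_processes(EVENTS)` flags only pid 1001; the archiver (high entropy, no renames) and the editor (one rename, low entropy) stay clean, which is the point of requiring both signals in one window.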
How Does Ransomware Impact Businesses?
Ransomware attacks on businesses went up 88% in the second half of 2018 as cybercriminals pivot away from consumer-focused attacks. Cybercriminals have begun to recognize that big businesses translate to bigger ransom payments and are targeting hospitals, government agencies and commercial businesses.
One example of this is GandCrab, which is estimated to have made more than $300 million in ransoms, with individual amounts ranging from $600 to $700,000. SamSam's attack on the City of Atlanta cost them $2.6 million to remediate.
Is Ransomware on the Decline?
Some reports highlight that ransomware may be on the decline in favour of crypto mining malware that infects the victim's computer and uses its computing power to mine cryptocurrency, rather than demanding ransom. This means the attacker does not need to extract a ransom to get paid and it became a more attractive avenue as the price of Bitcoin increased.
That said, the threat of ransomware is not over. There are two types of ransomware attack, commodity attacks that aim to infect a large number of computers with the goal of some small percentage paying, and ransomware-as-a-service platforms that attackers can rent and target vulnerable market segments and organizations.
Further, as the price of Bitcoin falls, attackers may again be more inclined to ask for ransom rather than using the victim's computer to mine cryptocurrency.
Notable Ransomware Examples
- WannaCry: The WannaCry ransomware cryptoworm targets computers running the Microsoft Windows operating system. The worm was initially released on 12 May 2017. The ransomware encrypted data and demanded ransom of $300 to $600, paid in the cryptocurrency Bitcoin. WannaCry is also known as WannaCrypt, WCry, Wana Decrypt0r 2.0, WanaCrypt0r 2.0 and Wanna Decryptor.
- Ryuk: Ryuk is operated by GRIM SPIDER, a sophisticated cybercrime group that targets large enterprises for high ransom payments. GRIM SPIDER has made millions of dollars from Ryuk from about 50 ransom payments. Ryuk is generally spread through phishing emails or through Emotet's geo-based download function.
- SamSam: SamSam emerged in 2016 and targets JBoss servers. It spreads by exploiting known vulnerabilities rather than through social engineering. It uses Remote Desktop Protocol and brute force attacks to guess weak passwords. Notable victims include the town of Farmington in New Mexico, the Colorado Department of Transportation, Davidson County in North Carolina and the infrastructure of Atlanta. Two Iranians are wanted by the FBI for allegedly launching SamSam, with estimates of $6 million from extortion and over $30 million in damages caused.
- CryptoLocker: CryptoLocker was active from 5 September 2013 to late May 2014. The attack utilized a trojan to target computers running Windows and propagated via infected email attachments and an existing Gameover ZeuS botnet. Once activated, the malware encrypted certain files stored on local and mounted network drives using RSA public-key cryptography and stored the private key on the malware's control servers. It then displayed a message offering to decrypt the data if a payment was made through Bitcoin or a prepaid cash voucher by a deadline and threatened to delete the key if payment was not made in time. Ransom payment did not always lead to decryption.
- TeslaCrypt: TeslaCrypt is a now defunct ransomware trojan as its master key was released by its developers. In its early forms, TeslaCrypt targeted game-play data for specific video games such as Call of Duty, World of Warcraft, Minecraft and World of Tanks. The malware infected computers via the Angler Adobe Flash exploit.
- Locky: Locky was released in 2016 and spread via an email, that said an invoice required payment, with an attached Microsoft Word document that contained malicious macros. Once the user opened the document it appeared to be full of garbage and included the phrase "Enable macro if data encoding is incorrect", a form of social engineering. If the user enabled macros, it would save and run a binary file that would download the actual encryption trojan and encrypt all files with a particular extension.
- Reveton: Reveton pretends to be from the police and prevents the user from accessing their computer, claiming the computer has been locked by a local law enforcement agency. It is commonly referred to as the "Police Trojan" and informs users that they must pay a fine to unlock their systems. To increase the illusion that the computer is being tracked by law enforcement, the screen displays the computer's IP address and often webcam to give the illusion the user is being recorded.
- Bad Rabbit: Bad Rabbit followed a similar pattern to WannaCry and was distributed by a bogus update to Adobe Flash. Interfax, Odessa International Airport, Kiev Metro and the Ministry of Infrastructure of Ukraine were all affected by Bad Rabbit. Experts believe the ransomware is tied to the Petya attack in Ukraine because Bad Rabbit's code has many overlapping similarities to the code of Petya/NotPetya.
Ransomware Timeline Infographic
UpGuard Helps Organizations Reduce the Impact of Ransomware Attacks
UpGuard's identity breach feature continuously scans the deep and surface web for cybercriminal sites hosting stolen credentials from ransomware attacks. With instant notifications for each discovered event, UpGuard helps organizations rapidly secure compromised accounts before they're exploited in follow-up attacks.