What is Ransomware?
Ransomware is a specific type of malware that holds data hostage in exchange for a ransom. It threatens to publish, block, or corrupt data—or prevent a user from accessing their computer unless they meet the attacker’s demands. The number of ransomware detections skyrocketed 820% in 2019, and they’re predicted to cost organizations around the globe $20 billion by 2021.
The Evolution of Ransomware
Ransomware was first developed by a Harvard-trained evolutionary biologist by the name of Joseph L. Popp. He launched the AIDS Trojan by giving diskettes infected with ransomware to attendees of an international AIDS conference held by the World Health Organization in Stockholm, Sweden. The code hid file directories on their computers and demanded $189 be sent to Panama to free up their computers.
Even though ransomware has come a long way since then, its primary mission remains the same: to extort or scam money from unsuspecting users. It evolved from existing on a diskette to traveling across the internet, through emails, sound, and video downloads—and even inside images. In recent years, it has been a tool for cryptominers, who need computing power to generate cryptocurrencies. Because mining digital assets requires a lot of expensive electricity, ransomware has been developed to force a user’s computer to mine crypto—all for the benefit of a cryptominer hundreds or thousands of miles away.
Ransomware is often sent through phishing emails. These malicious attachments infect the user’s computer after being opened. Some, such as CryptoLocker, act as a Trojan horse, infecting your computer and then looking for files to encrypt. Ransomware can also be spread through drive-by downloading, which is when a user visits a website that happens to be infected. The malware on that site is then downloaded and installed without the user even knowing about it.
Social engineering plays a big role as well. This is when people try to manipulate others into divulging personal or confidential information. One common social engineering tactic is using emails or texts to scare the target into sharing sensitive information, open a malicious file, or click on a malicious link.
Malspam is short for “malware spam,” and it is email that delivers malware to the target’s inbox. The attachments or URLs (web addresses) in the email may contain or link to malware, or they may have phishing messages inside it.
Malvertising involves the distribution of graphic or text ads infected with malware. They often cannot be distinguished from normal ads and can appear alongside regular, harmless advertisements.
How Ransomware Works
Regardless of the ransomware definition, once it enters your computer, it secretly infects it. The software then proceeds to attack files and access and alter credentials without the user being able to tell. As a result, the computer is effectively held hostage by the person who controls the malware.
Ransomware known as cryptoware encrypts the files of the victim’s computer. This makes it so the computer’s owner cannot access these files unless they pay a ransom to the attacker. The attacker is the only one who can access the files because they are hidden behind the encryption password. Sometimes, the attacker will lock out the entire computer and then demand a ransom before releasing the new password.
With leakware and doxware, the attacker threatens to publish sensitive information on the victim’s hard drive if they do not pay a ransom. Companies with private proprietary information like patents and sensitive schematics may find themselves a favorite target of leakware and doxware.
Ransom and Demands
Hackers tend to ask for payment using methods such as Western Union or through a text message. This helps them hide their identity. Once they have the money, they decrypt the files and free up the system. Some demand bitcoin payments due to their anonymity and a lack of a middleman.
Keep in mind that some attackers masquerade as law enforcement or government officials. They may say they are shutting down the victim’s computer because pornography or pirated software was found on it. They then demand the victim pay a “fine” before they release their computer.
Common Attack Targets
Cybercriminals like to go for the low-hanging fruit, which often includes small to medium-sized businesses (SMBs) because they don’t have adequate security measures in place. SMBs also are less likely to have large teams of IT professionals who understand what a ransomware attack is.
They also target companies that have an urgent need to access their files, such as organizations that depend on databases and storehouses of marketing collateral or applications to run their day-to-day business. The business may reason that even though the attacker is asking for a couple thousand dollars, they will lose far more if business interruption continues.
Anyone who has information they really want to keep private may also find themselves a target. The attacker may have an idea how important privacy is to the target and will charge a hefty fee in exchange for not publishing it.
Unfortunately, anyone can end up a target. In fact, malware does not even need to be sent from the attacker straight to the victim’s computer. It can spread on its own. Malicious code can be embedded in a normal-looking advertisement. Anyone can click on it and end up a victim.
While attacks are the most common on people’s desktops and laptops, any device with an operating system can fall victim. This includes cell phones, tablets, and other mobile devices. To ensure all devices are safe, a comprehensive endpoint detection and response (EDR) solution may be necessary. With EDR, you can identify threats in real time and prepare and protect the devices on your network to make them less susceptible to attack.
Types of Ransomware
Sadly, it is cheap and easy for cyber criminals to get started with these attacks. The software solutions are inexpensive and readily available on the dark web. There are several different types, and here are some of the most popular options:
Scareware is a type of malware that uses social engineering to scare, shock, or cause a victim anxiety. The person is then manipulated into purchasing software they do not need. Scareware often tells the victim they have been exposed to a fake virus or even another type of malware. The best way to avoid scareware is to second-guess any claims that your computer has been infected unless they come from a renowned, trusted virus protection service.
Screen lockers lock your computer screen, making it seem impossible to access. Instead of your normal screen, you may get a message that demands payment before you are allowed to access your screen again. It may be from a fake law enforcement agency asking you to use an online payment service to send someone money. If you have been infected by a screen locker, authorities advise to not pay the ransom. You can use a recent backup to restore your computer after wiping your system.
Encrypting ransomware uses advanced encryption algorithms to encrypt the data on your device. You are given a note that explains how much you have to pay and the steps you have to take to regain access to your files. Similar to screen lockers, you may have to resort to a recent backup to get your computer functioning again without giving in to the attacker’s demands.
Some Emerging Threats
Ransomware threats are constantly evolving and growing more severe. As new security measures arise, hackers are devising more and more ways to invade the computers of individuals and enterprises.
Threats such as Ransomware-as-a-Service (RaaS) are becoming more and more common. With RaaS, someone can purchase or rent a full ransomware package that they can unleash on anyone they want. Sometimes, they split the profits with the RaaS provider.
Government agencies will continue to be the targets of attacks as well. When a hacker is able to shut down even a small branch of a government—whether it is local or national—it affects the lives of a wide swath of people, which makes it particularly tempting to pay the ransom and get back up and running.
Ransomware and Business
Businesses, regardless of their size, are favorite targets of ransomware cyber criminals. Many businesses depend on their computers for their daily operations, to manage crucial files, or to communicate. Any downtime has an effect on the business’s bottom line. Cyber criminals use this to manipulate business owners and employees into paying to regain access to their computers. In many cases, they succeeded in either extorting large sums of money or significantly disrupting operations.
In 2018, SamSam was used to attack the Colorado Department of Transportation as well as the Port of San Diego. The ransomware brought all their services to a halt. Also in 2018, two hackers from Iran allegedly used SamSam to attack upwards of 200 organizations and companies across the United States and Canada. Some of their victims included hospitals, public institutions, and municipalities. The attacks resulted in a loss of an estimated $30 million.
What To Expect After an Attack
After an attack, you will likely suffer a significant slowdown in business operations. In addition to trying to restart operations, you can expect to:
- Upgrade your antivirus protection system
- Train employees on how to avoid ransomware in the future
- Decrypt your Microsoft Office files, which are a favorite target of cyber criminals
- Deal with the frustration of employees and management as they suffer a loss in productivity
How To Respond to a Ransomware Attack
There are steps you can take after an attack to minimize the damage to your operations. Regardless of the situation, authorities advise not to pay the ransom. Paying the ransom only encourages further attacks as other cyber criminals hear of successful attacks.
Check for Scareware
Scareware is often easy to spot on your computer. It may pop up when you visit the internet, replacing what you would expect to see in your tabs. Sometimes, tabs open up automatically when you click, regardless of where on the screen you click or tap.
Scareware also pops up on an infected computer when it is not connected to the internet. It may come in the form of a message telling you that your device has been infected and needs to be cleaned. It may also appear as an offer to install antivirus software.
Scareware can sometimes be cleaned by taking steps directed by a customer service representative from your computer’s manufacturer. Because these types of ransomware are so common, some companies have trained professionals ready to help users uninstall them.
Consult an Expert
An IT specialist may be able to identify, locate, and get rid of the ransomware. While there is no guarantee they can get it off your computer, some ransomware has been used many times over. As a result, there are decryption keys already out there and circulated among IT pros.
Consulting an expert also has its drawbacks. It often costs a considerable amount of money to hire a professional. Also, there is no way of knowing, before you agree to pay an initial fee, whether the expert will be successful in getting the ransomware off your computer.
Try the following steps:
- Isolate the infected devices: Likely, only a few devices will have the ransomware on them. It is important to get these off the network so they cannot infect other connected devices.
- Identify the kind of attack: The steps you take will largely depend on the type of ransomware you have been infected with. Write down any and all details about the attack and its symptoms.
- Use antivirus software or hire a professional to do it for you: This can help prevent further attacks, and it may also reveal and eliminate other threats.
- Recover your encrypted files: Whether you can recover them—and how—will depend on the nature of the attack and the decryption options.
Removing the ransomware makes it impossible to respond to the demands of the attacker, which can prevent you from making a harmful, emotional decision. However, this will not decrypt the files that are being held hostage.
You may end up losing the decrypted files or all information on your device, particularly if you have been locked out. On the other hand, with scareware and many screen lockers, you may suffer no adverse effects. With some screen lockers, for example, you can restart the computer in safe mode, and then remove the screen locker using antivirus software. When you reboot your computer, it may be back to normal.
Preventing Ransomware Attacks
Experts agree prevention is the best way to combat ransomware. There are several things you can do to secure your devices.
Updating your devices can be an effective, free way to shield them. Many updates include antivirus protection against new types of cyber threats. As the device’s manufacturer learns to combat different types of ransomware, the code that protects your device is included in an update.
To take advantage of this provision, constantly check for updates by either keeping an eye out for update alerts or checking your device’s settings. You can also schedule automatic updates—often during times when you are not using your device.
Authenticating software ensures any software you run on your device comes from a reputable source and not a cyber criminal. Certain software you can install does not have any kind of automatic authentication included, which can make verifying them a challenge. You can contact the software developer over the phone and verify that the software, as well as its specific version, is authentic. You can also describe how you came across the software, the website, or email from which it came, and any details about the installation directions that can help the developer determine if it is genuine.
To further protect your computer against unauthorized software, a tool like FortiToken gives you the power of two-factor authentication using a cloud-based environment to verify connections on your network.
Install Antivirus Protection
Antivirus protection is one of the most powerful and straightforward solutions in the battle against malware. Antivirus measures prevent ransomware from reaching your devices or network in the first place, precluding attackers from extorting you for money or disrupting your operations.
Often, ransomware gains a foothold through a seemingly innocent email, but email security can combat it in its earliest stages. The data inside email attachments can be analyzed threats. With this type of filtering, you can block emails from the offending sender, as well as set up rules to keep these types of messages from ever hitting your inbox.
Also, a next-generation firewall (NGFW) can provide an extra layer of protection. NGFWs offer packet filtering, virtual private network (VPN) support support, and IP mapping features. They also monitor your network, keeping an eye out for threats. NGFW providers perform continuous research on the security landscape to learn about new threats as they arise and use this data in the form of automatic updates to block attacks on your devices.
Whitelisting software is an effective method against preventing attacks. The user routinely checks their device and approves software before using it. Protective measures like firewalls can alert you to software that may contain ransomware and ask your permission before connecting to the internet. Through the whitelisting process, you can also choose to block all incoming programs if you suspect there may have been a security breach. You can then focus on figuring out the source of the problem before continuing to use any of your programs.
Back Up Your Data
Even though they cannot prevent attacks, backups are an essential element of a proactive approach. Backing up your data on a regular basis can provide you with a baseline image of each device on your network. In the event of an attack, you can wipe the system and use the backup to get up and running again.
Your employees, when equipped with the right knowledge, can go a long way to prevent ransomware attacks. Let them know what attacks look like, as well as how to prevent exposing their devices to them.
Use a Comprehensive Security Solution
The best defense against ransomware is a comprehensive solution designed to shield a range of devices from attack. This can include web filtering, which sets up a barrier between your network and malicious sites, links, malware, or other risky content. A comprehensive solution may also employ sandboxing, which involves putting the actions of an application in an isolated environment. Within the sandbox, the application’s behavior is analyzed and the data gathered can reveal errors, inefficiencies, ransomware, and other suspicious code. Because the application is in the sandbox, other elements of the device or network are protected.
To learn more, explore the full suite of ransomware solutions.