BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Ransomware is a subset of malware in which the data on a victim's computer is locked, typically by encryption, and payment is demanded before the ransomed data is decrypted and access is returned to the victim. The motive for ransomware attacks is nearly always monetary, and unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions for how to recover from the attack. Payment is often demanded in a virtual currency, such as Bitcoin, so that the cybercriminal's identity is not known.
Ransomware malware can be spread through malicious email attachments, infected software apps, infected external storage devices and compromised websites. Attacks have also used remote desktop protocol and other approaches that do not rely on any form of user interaction.
How ransomware attacks work
Ransomware kits on the deep web have allowed cybercriminals to purchase and use a software tool to create ransomware with specific capabilities. They can then generate this malware for their own distribution and with ransoms paid to their bitcoin accounts. As with much of the rest of the IT world, it is now possible for those with little or no technical background to order up inexpensive ransomware as a service (RaaS) and launch attacks with minimal effort. In one RaaS scenario, the provider collects the ransom payments and takes a percentage before distributing the proceeds to the service user.
Types of ransomware
Attackers may use one of several different approaches to extort digital currency from their victims. For example:
- Ransomware known as scareware will try and pose as security software or tech support. Victims may receive pop-up notifications saying malware has been discovered on their system (which, an un-owned security software would not have access to this information). Not responding to this will not do anything except lead to more pop-ups.
- Screen lockers, or lockers, are a type of ransomware designed to completely lock a user out of their computer. Upon starting up the computer a victim may then see what looks to be an official government seal, leading the victim into believing they are the subject of an official inquiry. After being informed that unlicensed software or illegal web content has been found on their computer, the victim is given instructions for how to pay an electronic fine. However, official government organizations would not do this; they instead would go through proper legal channels and procedures.
- In encrypting ransomware, or data kidnapping attacks, the attacker will gain access to and encrypt the victim’s data and ask for a payment to unlock the files. Once this happens, there is no guarantee that the victim will get access to their data back- even if they negotiate for it.
- Similar to encrypting ransomware, the attacker may also encrypt files on infected devices and will make money by selling a product that promises to help the victim unlock files and prevent future malware attacks.
- In doxware, an attacker may also threaten to publish your data online if the victim does not pay a ransom.
- Mobile ransomware is ransomware which affects mobile devices. An attacker can use mobile ransomware to steal data from a phone or lock it and require a ransom to return the data or unlock the device.
- The victim may also receive a pop-up message or email ransom note warning that if the demanded sum is not paid by a specific date, the private key required to unlock the device or decrypt files will be destroyed.
While early instances of these attacks sometimes merely "locked" access to the web browser or the Windows desktop -- and did so in ways that often could be fairly easily reverse-engineered and reopened -- hackers have since created versions of ransomware that use strong, public-key encryption to deny access to files on the computer.
Screenlocker vs. encryption ransomware
Screenlockers and encryption ransomware are the two main types of ransomware. Knowing the difference between them will help in knowing what to do next in the case of infection.
As described above, screenlockers will completely lock a user out of their computer until a payment is made. Screenlockers deny a user access to the inflicted system and files; however, the data is not encrypted. In Windows systems, a screenlocker will also block access to system components such as Windows Task Manager and Registry Editor. The screen is locked until the payment is made. Typically the victim is given instructions for how to pay. Screenlockers will also try to trick the user into paying by posing as an official government organization.
Encryption ransomware is one of the most effective forms of ransomware today. As mentioned above, an attacker will gain access to, and encrypt the victim’s data, asking for payment to unlock the files. Attackers will use complex encryption algorithms to encrypt all data saved on the device, making it difficult for users to detect or even replicate. A note will commonly be left on the inflicted system with information on how to retrieve the encrypted data after payment. Compared to screenlockers, encryption ransomware puts the victims data in more immediate danger, and there is no guarantee of the data returning to the victim after negotiation.
Ransomware attack prevention
To protect against ransomware attacks and other types of cyberextortion, experts urge users to back up computing devices regularly and update software, including antivirus software, regularly. End users should beware of clicking on links in emails from strangers or opening email attachments. Victims should do all they can to avoid paying ransoms.
While ransomware attacks may be nearly impossible to stop, there are important data protection measures individuals and organizations can take to ensure that damage is minimal and recovery is as quick as possible. Strategies include compartmentalizing authentication systems and domains, keeping up-to-date storage snapshots outside the primary storage pool and enforcing hard limits on who can access data and when access is permitted.
How to remove ransomware
There is no guarantee that a victim can stop a ransomware attack and regain their data; however, there are methods that may work in some cases. For example, a victim can stop and reboot their system in safe mode, install an anti-malware program, scan the computer and restore the computer to a previous, non-infected state.
Victims could also restore their system from a backup stored on a separate disk. If in the cloud, then victims could reformat their disk and restore from a previous backup.
Mobile ransomware is malware that holds a victim’s data hostage, afflicting mobile devices- commonly smartphones. Mobile ransomware operates on the same premise as other types of ransomware, where a user is blocked access to the data on their device by an attacker until they make a payment to the attacker. Once the malware is downloaded on the inflicted device, a message will show up demanding payment before unlocking the device. If the ransom is paid, a code is sent to unlock the device or decrypt its data.
Typically, mobile ransomware will hide itself as a legitimate app in a third-party app store. Hackers will commonly pick popular apps to imitate, waiting for an unsuspecting user to download it, and with it, the malware. Smartphone users may also get infected with mobile ransomware by visiting websites or by selecting a link that appears in an email or text message.
Tips to avoid becoming a victim to mobile ransomware include:
- Do not download apps using third-party app stores (stick to the Apple App Store and Google Play Store).
- Keep mobile devices and mobile apps up to date.
- Do not grant administrator privileges to applications unless absolutely trusted.
- Do not click on links that appear in spam emails or in text messages from unknown sources.
Mobile device users should also have their data backed up in a different location in the case their device is inflicted. In the worst case scenario, this would at least ensure the data on the device won’t be lost permanently.
Famous ransomware: CryptoLocker and WannaCry
Perhaps the first example of a widely spread attack that used public-key encryption was Cryptolocker, a Trojan horse that was active on the internet from September 2013 through May of the following year. The malware demanded payment in either Bitcoin or a prepaid voucher, and experts generally believed that the RSA cryptography used, when properly implemented, was essentially impenetrable. In May 2014, however, a security firm gained access to a command-and-control server used by the attack and recovered the encryption keys used in the attacks. An online tool that allowed free key recovery was used to effectively defang the attack.
In May 2017, an attack called WannaCry was able to infect and encrypt more than a quarter million systems globally. The malware uses asymmetric encryption so that the victim cannot reasonably be expected to recover the (private and undistributed) key needed to decrypt the ransomed files.
Payments were demanded in Bitcoin, meaning that the recipient of ransom payments could not be identified, but also meaning that the transactions were visible and thus the overall ransom payments could be tallied. During the thick of the week in which WannaCry was most virulent, only about $100,000 in bitcoin was transferred (to no avail: There are no accounts of data having been decrypted after payment).
The impact of WannaCry was pronounced in some cases. For example, the National Health Service in the U.K. was heavily affected and was forced to effectively take services offline during the attack. Published reports suggested that the damages caused to the thousands of impacted companies might exceed $1 billion.
According to the Symantec 2017 Internet Security Threat Report, the amount of ransom demanded roughly tripled from the previous two years in 2016, with the average demand totaling $1,077. Overall, it's difficult to say how often these demands are met. A study by IBM found that 70% of executives they surveyed said they had paid a ransomware demand, but a study by Osterman Research found that a mere 3% of U.S.-based companies had paid (though percentages in other countries were considerably higher). For the most part, payment seems to work, though it is by no means without risk. A Kaspersky Security Bulletin from 2016 claimed that 20% of businesses that chose to pay the ransom demanded of them didn't receive their files back.
Internet of things (IoT) ransomware may not be far behind. Two researchers, Andrew Tierney and Ken Munro, demonstrated malware that attacked, locked and demanded a one-bitcoin ransom on a generally available smart thermostat at the 2016 Def Con conference.