Ransomware is a subset of malware in which the data on a victim's computer is locked -- typically by encryption -- and payment is demanded before the ransomed data is decrypted and access is returned to the victim. The motive for ransomware attacks is usually monetary and, unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions for how to recover from the attack. Payment is often demanded in a virtual currency, such as bitcoin, so that the cybercriminal's identity is not known.
Ransomware malware can be spread through malicious email attachments, infected software apps, infected external storage devices and compromised websites. Attacks have also used remote desktop protocol and other approaches that do not rely on any form of user interaction.
How ransomware attacks work
Ransomware kits on the deep web have allowed cybercriminals to purchase and use software tools to create ransomware with specific capabilities. They can then generate this malware for their own distribution, with ransoms paid to their bitcoin accounts. As with much of the rest of the IT world, it is now possible for those with little or no technical background to order inexpensive ransomware as a service (RaaS) and launch attacks with minimal effort. In one RaaS scenario, the provider collects the ransom payments and takes a percentage before distributing the proceeds to the service user.
History of ransomware
The first documented occurrence of ransomware can be traced back to the AIDS Trojan horse virus in 1989. The AIDS Trojan was created by a Harvard-trained biologist named Joseph Popp, who distributed 20,000 infected floppy disks labeled "AIDS Information -- Introductory Diskettes" to AIDS researchers at the World Health Organization's international AIDS conference. Attendees who decided to insert the diskette encountered a virus that would lock the user's files on the computer's drive, making the PC unusable. To unlock their files, users were forced to send $189 to a post office box that the PC Cyborg Corporation owned. Eventually, users were able to bypass the virus and decrypt their files because the virus used easily solvable symmetric cryptography tools.
Aside from Popp's 1989 virus, ransomware was relatively rare until the mid-2000s, when attackers used more sophisticated encryption to extort their victims. For example, the Archievus ransomware used asymmetric RSA encryption. Reveton, a virus from 2012, accused the infected system as being used for illegal activity and used the system's webcam to mimic filming the user, using scare tactics to collect a $200 ransom.
Today, the attack vector for ransomware has spread to include applications used on internet of things (IoT) and mobile devices, and viruses are including more complex encryption. This is partially due to the availability of ready-to-use ransomware kits -- also called ransomware-as-a-service (RaaS) -- available on the dark web, which feature encryption resulting from collaboration among communities of ransomware developers on the dark web. Ransomware is now much more adept at targeting larger organizations as opposed to individuals, which means exponentially greater sums of money are at stake. Ransomware has evolved from a minor nuisance to a major threat since the days of Joseph Popp.
Types of ransomware
Attackers may use one of several different approaches to extort digital currency from their victims. For example:
- Scareware: This malware poses as security software or tech support. Victims may receive pop-up notifications saying malware has been discovered on their system -- security software that the user doesn't own would not have access to this information. Not responding to this will not do anything except lead to more pop-ups.
- Screen lockers: Also known simply as lockers, these are a type of ransomware designed to completely lock users out of their computers. Upon starting up the computer, a victim may see what looks to be an official government seal, leading the victim into believing they are the subject of an official inquiry. After being informed that unlicensed software or illegal web content has been found on the computer, the victim is given instructions on how to pay an electronic fine. However, official government organizations would not do this; they instead would go through proper legal channels and procedures.
- Encrypting ransomware: Otherwise known as data kidnapping attacks, these give the attacker access to and encrypt the victim's data and ask for a payment to unlock the files. Once this happens, there is no guarantee that the victim will get access to their data back -- even if they negotiate for it. The attacker may also encrypt files on infected devices and make money by selling a product that promises to help the victim unlock files and prevent future malware attacks.
- Doxware: With this malware, an attacker may threaten to publish victim data online if the victim does not pay a ransom.
- Master boot record (MBR) ransomware: With this, the entire hard drive is encrypted, not just the user's personal files, making it impossible to access the operating system.
- Mobile ransomware: This ransomware affects mobile devices. An attacker can use mobile ransomware to steal data from a phone or lock it and require a ransom to return the data or unlock the device.
While early instances of these attacks sometimes merely locked access to the web browser or the Windows desktop -- and did so in ways that often could be fairly easily reverse-engineered and reopened -- hackers have since created versions of ransomware that use strong, public-key encryption to deny access to files on the computer.
Screen lockers and encryption ransomware are the two main types of ransomware. Knowing the difference between them will help in knowing what to do next in the case of infection.
As described above, screen lockers completely lock users out of their computers until a payment is made. Screen lockers deny a user access to the inflicted system and files; however, the data is not encrypted. In Windows systems, a screen locker also blocks access to system components such as Windows Task Manager and Registry Editor. The screen is locked until the payment is made. Typically the victim is given instructions for how to pay. Screen lockers also try to trick the user into paying by posing as an official government organization.
Encryption ransomware is one of the most effective forms of ransomware today. As mentioned above, an attacker gains access to and encrypts the victim's data, asking for payment to unlock the files. Attackers use complex encryption algorithms to encrypt all data saved on the device. A note is commonly left on the inflicted system with information about how to retrieve the encrypted data after payment. Compared to screen lockers, encryption ransomware puts the victim's data in more immediate danger, and there is no guarantee of the data returning to the victim after negotiation.
In both cases, the victim may receive a pop-up message or email ransom note warning that if the demanded sum is not paid by a specific date, the private key required to unlock the device or decrypt files will be destroyed.
Ransomware targets can vary from a single individual, a small to medium-sized business, an enterprise-level organization or to an entire city. For example, in 2018, the SamSam ransomware virus used a brute-force attack to guess weak passwords guarding important infrastructure in the city of Atlanta. Applications that residents used to pay bills and access court-related information were shut down, causing major rifts in the city's infrastructure. The result was untold amounts of compromised data and millions of dollars of recovery costs.
In December 2019, the city of Pensacola, FL fell victim to a ransomware attack as well. It affected customer service and online bill pay for a number of departments in the city, including Pensacola Energy and Pensacola Sanitation Services.
Public institutions are especially vulnerable to ransomware because they lack the cybersecurity to defend against it adequately. The same is true for small to medium-sized businesses. In addition to spotty cybersecurity, public institutions have irreplaceable data that could cripple them if made unavailable. This makes them more likely to pay.
One of the ways that ransomware scams can grow to such a damaging scale is through a lack of reporting. In 2018, safeatlast.co-- a website that offers consumers ratings, reviews and statistics on various security systems -- found that less than one-quarter of small to medium-sized businesses report their ransomware attacks. This is most likely because there is a low likelihood of them getting their money back.
The lack of reporting does not mean that ransomware attacks are uncommon, however, especially among small businesses. Symantec estimated that smaller organizations (1-250 employees) have the highest targeted malicious email rate out of any demographic, with 1 in 323 emails being malicious.
One analysis by safeatlast.co estimated that in 2019, a business falls victim to a ransomware attack every 14 seconds. That interval is expected to shrink to every 11 seconds by 2021. This may be attributed in part to the increasing prevalence of IoT devices, which experience an average of 5,200 attacks per month according to Symantec.
Most importantly, safeatlast.co estimated in 2018 that 77% of businesses subject to a ransomware attack were up to date in their endpoint security technology. This proves that using and properly maintaining average endpoint defense software is not enough to deter the latest ransomware.
Ransomware statistics generally point to ransomware as potentially the number one concern for businesses because they strike frequently, have the capacity to tie up massive sums of money and can spread and evolve beyond standard defenses very quickly. Additionally, the ransoms themselves are hard to track, with around 95% of all profits being exchanged using a cryptocurrency platform according to safeatlast.co.
Effects of ransomware on businesses
The impact of a ransomware attack on a business can be devastating. According to safeatlast.co, Ransomware has cost businesses over $8 billion in the past year, and over half of all malware attacks were ransomware attacks. Some effects include:
- Downtime as a result of compromised infrastructure
- Lost productivity as a result of downtime
- Costly recovery efforts that potentially outweigh the ransom itself
- Long-term damage to both data and data infrastructure
- Damage to a business's previous reputation as secure
- Loss of customers, and in worst cases, the potential for personal harm if the business deals in public services such as healthcare
Ransomware attack prevention
To protect against ransomware threats and other types of cyberextortion, experts urge users to back up computing devices regularly and update software, including antivirus software. End users should beware of clicking on links in emails from strangers or opening email attachments. Victims should do all they can to avoid paying ransoms.
While ransomware attacks may be nearly impossible to stop, individuals and organizations can take important data protection measures to ensure that damage is minimal and recovery is as quick as possible. Strategies include:
- compartmentalizing authentication systems and domains;
- keeping up-to-date storage snapshots outside the primary storage pool; and
- enforcing hard limits on who can access data and when access is permitted.
How to remove ransomware
There is no guarantee that victims can stop a ransomware attack and regain their data; however, there are methods that may work in some cases. For example, victims can stop and reboot their system in safe mode, install an antimalware program, scan the computer and restore the computer to a previous, non-infected state.
Victims could also restore their system from a backup stored on a separate disk. If in the cloud, then victims could reformat their disk and restore from a previous backup.
Windows users specifically could use System Restore, which is a function that rolls Windows devices (along with system files) back to a certain marked point in time -- in this case, before the computer was infected. For this to work, System Restore needs to be enabled beforehand, so that it can mark a place in time for the computer to return to. Windows enables System Restore by default.
Mobile ransomware is malware that holds a victim's data hostage, afflicting mobile devices -- commonly smartphones. Mobile ransomware operates on the same premise as other types of ransomware, where a user is blocked access to the data on their device by an attacker until they make a payment to the attacker. Once the malware is downloaded on the infected device, a message appears demanding payment before unlocking the device. If the ransom is paid, a code is sent to unlock the device or decrypt its data.
Typically, mobile ransomware hides as a legitimate app in a third-party app store. Hackers commonly pick popular apps to imitate, waiting for an unsuspecting user to download it, and with it, the malware. Smartphone users may also get infected with mobile ransomware by visiting websites or by clicking a link that appears in an email or text message.
Tips to avoid becoming a victim to mobile ransomware include:
- Do not download apps using third-party app stores (stick to the Apple App Store and Google Play Store).
- Keep mobile devices and mobile apps up to date.
- Do not grant administrator privileges to applications unless absolutely trusted.
- Do not click on links that appear in spam emails or in text messages from unknown sources.
Mobile device users should also have their data backed up in a different location in the case their device is infected. In the worst-case scenario, this would at least ensure the data on the device won't be lost permanently.
Famous ransomware: CryptoLocker and WannaCry
Perhaps the first example of a widely spread attack that used public-key encryption was CryptoLocker, a Trojan horse that was active on the internet from September 2013 through May of the following year. The malware demanded payment in either bitcoin or a prepaid voucher, and experts generally believed that the RSA cryptography used, when properly implemented, was essentially impenetrable. In May 2014, however, a security firm gained access to a command-and-control server involved in the attack and recovered the encryption keys used. An online tool that allowed free key recovery effectively defanged the attack.
In May 2017, an attack called WannaCry infected and encrypted more than a quarter million systems globally. The malware uses asymmetric encryption so that the victim cannot reasonably be expected to recover the (private and undistributed) key needed to decrypt the ransomed files.
Payments were demanded in bitcoin, meaning that the recipient of ransom payments could not be identified, but also meaning that the transactions were visible and thus, the overall ransom payments could be tallied. During the week in which WannaCry was most virulent, about $100,000 in bitcoin was transferred, but there are no accounts of data having been decrypted after payment.
The impact of WannaCry was pronounced in some cases. For example, the National Health Service in the U.K. was heavily affected and was forced to take services offline during the attack. Published reports suggested that the damages caused to the thousands of affected companies might exceed $1 billion.
According to the "Symantec 2017 Internet Security Threat Report," the amount of ransom demanded roughly tripled from the previous two years in 2016, with the average demand totaling $1,077. Overall, it's difficult to say how often these demands are met. A study by IBM found that 70% of surveyed executives said they had paid a ransomware demand, but a study by Osterman Research found that a mere 3% of U.S.-based companies had paid -- though percentages in other countries were considerably higher. For the most part, payment seems to work, though it is by no means without risk. A Kaspersky Security Bulletin from 2016 claimed that 20% of businesses that chose to pay the ransom demanded of them didn't receive their files back.
IoT ransomware may not be far behind. Two researchers, Andrew Tierney and Ken Munro, demonstrated malware that attacked, locked and demanded a one-bitcoin ransom on a generally available smart thermostat at the 2016 Def Con hacking conference.
Future trends of ransomware
The most significant trend to expect from ransomware in the coming years is increased attacks on utilities and public infrastructure because they are critical institutions with access to large sums of money, and they often use old or outdated cybersecurity technology. As ransomware technology continues to advance, the technological margin between attackers and public targets has potential to grow even wider. Within these targeted public sectors, specifically healthcare, attacks may be more costly in the coming years than before.
Predictions also indicate a growing focus on small businesses that run outdated security software. As the number of business devices in IoT grows, small businesses can no longer think that they are too small to be considered for a significant attack. The attack vector is growing exponentially, and their security methods are not. For this same reason, home devices are predicted to be progressively more likely targets.
The increased use of mobile devices also intensifies the use of social engineering attacks that open the door for a ransomware attack. Social engineering attack methods such as phishing, baiting, quid pro quo, pretexting and piggybacking, prey on manipulating human psychology.
One IBM study claims that users are three times more likely to respond to a phishing attack on a mobile device than a desktop, in part because this is where users most likely see the message first.
Verizon also published research stating that the success of social engineering on mobile devices is likely because smaller screens limit the amount of detailed information that is displayed. Mobile devices compensate for this with smaller notifications and one-tap options for responding to messages and open links, which makes responding more efficient but also expediates the process of falling pray to a phishing attack.
Another trend is the increased stealing or sharing of code. For example, two major ransomware campaigns (Ryuk and Hermes) were found to have very similar code. Officials at first assumed that both ransomware variants originated from the same group of ransomware actors, but later found that much of Ryuk's code was simply copied from Hermes. In fact, Ryuk originated from a separate, unrelated group of threat actors from another country.
Finally, in the long term the eventual quantum transformation may leave many older encryption methods based on classic computing useless, opening the door for a host of cyberthreats, including ransomware.