What is ransomware?
Ransomware is a subset of malware in which the data on a victim's computer is locked -- typically by encryption -- and payment is demanded before the ransomed data is decrypted and access is returned to the victim. The motive for ransomware attacks is usually monetary, and unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions for how to recover from the attack. Payment is often demanded in a virtual currency, such as bitcoin, so that the cybercriminal's identity is not known.
Ransomware malware can be spread through malicious attachments found in emails or in infected malicious software apps, infected external storage devices and compromised websites. Attacks have also used Remote Desktop Protocol and other approaches that do not rely on any form of user interaction.
How do ransomware attacks work?
Ransomware kits on the deep web have enabled cybercriminals to purchase and use software tools to create ransomware with specific capabilities. They can then generate this malware for their own distribution, with ransoms paid to their bitcoin accounts. As with much of the rest of the information technology world, it is now possible for those with little or no technical background to order inexpensive ransomware as a service (RaaS) and launch attacks with minimal effort.
One of the more common methods of delivering ransomware attacks is through a phishing email. An attachment the victim thinks they can trust is added to an email as a link. Once the victim clicks on that link, the malware in the file begins to download.
Other more aggressive forms of ransomware will exploit security holes to infect a system, so they do not have to rely on tricking users. The malware can also be spread through chat messages, removable Universal Serial Bus (USB) drives or browser plugins.
Once the malware is in a system, it will begin encrypting the victim's data. It will then add an extension to the files, making them inaccessible. Once this is done, the files cannot be decrypted without a key known only by the attacker. The ransomware will then display a message to the victim, explaining that files are inaccessible and can only be accessed again upon paying a ransom to the attackers -- commonly in the form of bitcoin.
Types of ransomware
Attackers may use one of several different approaches to extort digital currency from their victims:
- Scareware. This malware poses as security software or tech support. Ransomware victims may receive pop-up notifications saying malware has been discovered on their system. Security software that the user does not own would not have access to this information. Not responding to this will not do anything except lead to more pop-ups.
- Screen lockers. Also known simply as lockers, these are a type of ransomware designed to completely lock users out of their computers. Upon starting up the computer, a victim may see what looks to be an official government seal, leading the victim into believing they are the subject of an official inquiry. After being informed that unlicensed software or illegal web content has been found on the computer, the victim is given instructions on how to pay an electronic fine. However, official government organizations would not do this; they instead would go through proper legal channels and procedures.
- Encrypting ransomware. Otherwise known as data kidnapping attacks, these give the attacker access to and encrypt the victim's data and ask for a payment to unlock the files. Once this happens, there is no guarantee that the victim will get access to their data back -- even if they negotiate for it. The attacker may also encrypt files on infected devices and make money by selling a product that promises to help the victim unlock files and prevent future malware attacks.
- Doxware. With this malware, an attacker may threaten to publish victim data online if the victim does not pay a ransom.
- Master boot record ransomware. With this, the entire hard drive is encrypted, not just the user's personal files, making it impossible to access the operating system.
- Mobile ransomware. This ransomware affects mobile devices. An attacker can use mobile ransomware to steal data from a phone or lock it and require a ransom to return the data or unlock the device.
While early instances of these attacks sometimes merely locked access to the web browser or the Windows desktop -- and did so in ways that often could be fairly easily reverse-engineered and reopened -- hackers have since created versions of ransomware that use strong, public key encryption to deny access to files on the computer.
Screen lockers and encrypting ransomware are the two main types of ransomware. Knowing the difference between them will help an organization determine what to do next in the case of infection.
As described above, screen lockers completely lock users out of their computers until a payment is made. Screen lockers deny a user access to the inflicted system and files; however, the data is not encrypted. In Windows systems, a screen locker also blocks access to system components, such as Windows Task Manager and Registry Editor. The screen is locked until the payment is made. Typically, the victim is given instructions for how to pay. Screen lockers also try to trick the user into paying by posing as an official government organization.
Encrypting ransomware is one of the most effective forms of ransomware today. As mentioned above, an attacker gains access to and encrypts the victim's data, asking for payment to unlock the files. Attackers use complex encryption algorithms to encrypt all data saved on the device. A note is commonly left on the inflicted system with information about how to retrieve the encrypted data after payment. Compared to screen lockers, encrypting ransomware puts the victim's data in more immediate danger, and there is no guarantee of the data returning to the victim after negotiation.
In both cases, the victim may receive a pop-up message or email ransom note warning that, if the demanded sum is not paid by a specific date, the private key required to unlock the device or decrypt files will be destroyed.
Who is targeted by ransomware?
Ransomware targets can vary from a single individual, a small to medium-sized business (SMB) or an enterprise-level organization to an entire city.
Public institutions are especially vulnerable to ransomware because they lack the cybersecurity to defend against it adequately. The same is true for SMBs. In addition to spotty cybersecurity, public institutions have irreplaceable data that could cripple them if made unavailable. This makes them more likely to pay.
One way that ransomware scams can grow to such a damaging scale is through a lack of reporting. In 2018, safeatlast.co -- a website that offers consumers ratings, reviews and statistics on various security systems -- found that less than one-quarter of SMBs report their ransomware attacks. This is most likely because there is a low likelihood of them getting their money back.
The lack of reporting does not mean that ransomware attacks are uncommon, however, especially among small businesses. Symantec estimated that smaller organizations with between one and 250 employees have the highest targeted malicious email rate out of any demographic, with one in 323 emails being malicious.
One analysis by safeatlast.co estimated that, in 2019, a business fell victim to a ransomware attack every 14 seconds. That interval is expected to shrink to every 11 seconds by 2021. This may be attributed in part to the increasing prevalence of internet of things (IoT) devices, which experience an average of 5,200 attacks per month, according to Symantec.
Safeatlast.co estimated in 2018 that 77% of businesses subject to a ransomware attack were up to date in their endpoint security technology. This proves that using and properly maintaining average endpoint defense software is not enough to deter the latest ransomware.
Ransomware is potentially the No. 1 concern for businesses because it has the capacity to tie up massive sums of money and can spread and evolve beyond standard defenses quickly. Additionally, the ransoms themselves are hard to track, with around 95% of all profits being exchanged using a cryptocurrency platform, according to safeatlast.co.
What are the effects of ransomware on businesses?
The impact of a ransomware attack on a business can be devastating. According to safeatlast.co, ransomware cost businesses over $8 billion in the past year, and over half of all malware attacks were ransomware attacks. Some effects include the following:
- loss of a business's data;
- downtime as a result of compromised infrastructure;
- lost productivity as a result of downtime;
- loss of potential revenue;
- costly recovery efforts that potentially outweigh the ransom itself;
- long-term damage to both data and data infrastructure;
- damage to a business's previous reputation as secure; and
- loss of customers and, in worst cases, the potential for personal harm if the business deals in public services such as healthcare.
How do you prevent ransomware attacks?
To protect against ransomware threats and other types of cyberextortion, security experts urge users to do the following:
- Back up computing devices regularly.
- Inventory all assets.
- Update software, including antivirus software.
- Have end users avoid clicking on links in emails or opening email attachments from strangers.
- Avoid paying ransoms.
- Avoid giving out personal information.
- Do not use unknown USB sticks.
- Only use known download sources.
- Personalize antispam settings.
- Monitor the network for suspicious activity.
- Use a segmented network.
- Adjust security software to scan compressed and archived files.
- Disable the web after spotting a suspicious process on a computer.
While ransomware attacks may be nearly impossible to stop, individuals and organizations can take important data protection measures to ensure that damage is minimal and recovery is as quick as possible. Strategies include the following:
- Compartmentalize authentication systems and domains.
- Keep up-to-date storage snapshots outside the primary storage pool.
- Enforce hard limits on who can access data and when access is permitted.
Should you pay the ransom?
Most law enforcement agencies recommend not paying ransomware attackers, citing that it will only invite hackers to commit more ransomware attacks. However, when an organization faces a possibility of weeks or longer of recovery, the thought of lost profits may begin to sink in, and an organization may start to consider the price of the ransom compared to the value of the data that has been encrypted. According to Trend Micro, while 66% of companies state they would not pay a ransom, about 65% do pay the ransom when faced with the decision. The attackers set the price point so it is worth their time but low enough that it will be cheaper for the targeted organization to pay the attackers off rather than restore the encrypted data.
Even though it would be understandable as to why some organizations would want to pay the ransom, it is still not recommended for a number of reasons:
- Still dealing with criminals. There is still no guarantee that the attackers will follow through with their word and decrypt the data. A Kaspersky Security Bulletin from 2016 claimed that 20% of businesses that chose to pay the ransom demanded of them did not get their files back.
- Potential for scareware. The ransom message could be used without having accessed an organization's data.
- Bad decryption key or one that barely works. After paying the ransom, the decryptor an organization receives may only work enough for the criminals to say they followed through with what they promised.
- Possibility of repeated ransom demands. Cybercriminals will now know that the targeted organization has a history of paying ransoms.
How to remove ransomware
There is no guarantee that victims can stop a ransomware attack and regain their data; however, there are methods that may work in some cases. For example, victims can stop and reboot their system in safe mode, install an antimalware program, scan the computer and restore the computer to a previous, noninfected state.
Victims could also restore their system from backup files stored on a separate disk. If they are in the cloud, then victims could reformat their disk and restore from a previous backup.
Windows users specifically could use System Restore, which is a function that rolls Windows devices and their system files back to a certain marked point in time -- in this case, before the computer was infected. For this to work, System Restore needs to be enabled beforehand so that it can mark a place in time for the computer to return to. Windows enables System Restore by default.
For a general step-by-step process in identifying and removing the ransomware, follow these recommendations:
- Create a system backup, and back up all important or integral files. If an organization cannot recover its files, it will be able to restore from a backup.
- Ensure system optimization or cleanup software does not remove the infection or other necessary ransomware files. The files must first be isolated and identified.
- Quarantine the malware using antimalware software. Also, make sure the attackers did not create a backdoor that can allow them to access the same system at a later date.
- Identify the ransomware type and exactly which encryption method was used. Decryptor and ransomware recovery tools can help determine the type of ransomware.
- Once identified, ransomware recovery tools can be used to decrypt files. Because of the different and evolving methods of ransomware, there is no absolute guarantee that the tool will be able to help.
Ransomware recovery tools include products such as McAfee Ransomware Recover and Trend Micro Ransomware File Decryptor.
Mobile ransomware is malware that holds a victim's data hostage, afflicting mobile devices -- commonly smartphones. Mobile ransomware operates on the same premise as other types of ransomware, where an attacker blocks a user's access to the data on their device until they make a payment to the attacker. Once the malware is downloaded on the infected device, a message appears demanding payment before unlocking the device. If the ransom is paid, a code is sent to unlock the device or decrypt its data.
Typically, mobile ransomware hides as a legitimate app in a third-party app store. Hackers commonly pick popular apps to imitate, waiting for an unsuspecting user to download it and, with it, the malware. Smartphone users may also get infected with mobile ransomware by visiting websites or by clicking on a link that appears in an email or text message.
Tips to avoid becoming a victim to mobile ransomware include the following:
- Do not download apps using third-party app stores. Stick to Apple App Store and Google Play Store.
- Keep mobile devices and mobile apps up to date.
- Do not grant administrator privileges to applications unless absolutely trusted.
- Do not click on links that appear in spam emails or in text messages from unknown sources.
Mobile device users should also have their data backed up in a different location in case their device is infected. In the worst-case scenario, this would at least ensure the data on the device would not be lost permanently.
Famous ransomware: CryptoLocker and WannaCry
Perhaps the first example of a widely spread attack that used public key encryption was CryptoLocker, a Trojan horse that was active on the internet from September 2013 through May 2014. The malware demanded payment in either bitcoin or a prepaid voucher, and experts generally believed that the Rivest-Shamir-Adleman (RSA) cryptography used, when properly implemented, was essentially impenetrable. In May 2014, however, a security firm gained access to a command-and-control server involved in the attack and recovered the encryption keys used. An online tool that enabled free key recovery effectively defended the attack.
In May 2017, an attack called WannaCry infected and encrypted more than a quarter-million systems globally. The malware uses asymmetric encryption so that the victim cannot reasonably be expected to recover the private and undistributed key needed to decrypt the ransomed files.
Payments were demanded in bitcoin, meaning that the recipient of ransom payments could not be identified. Also, the transactions were visible, and thus, the overall ransom payments could be tallied. During the week in which WannaCry was most virulent, about $100,000 in bitcoin was transferred, but there are no accounts of data having been decrypted after payment.
The impact of WannaCry was pronounced in some cases. For example, the National Health Service in the U.K. was heavily affected and was forced to take services offline during the attack. Published reports suggested that the damages caused to the thousands of affected companies would exceed $1 billion.
IoT ransomware may not be far behind. Two researchers, Andrew Tierney and Ken Munro, demonstrated malware that attacked, locked and demanded a 1 bitcoin ransom on a generally available smart thermostat at the 2016 Def Con hacking conference.
Other examples of ransomware
On Dec. 11, 2021, Ultimate Kronos Group (UKG) was hit with a ransomware attack, knocking systems offline. This attack affected payroll systems for a number of customers. As a result, many customers had to resort to providing paper checks to employees. Some affected customers include the city of Springfield, Mass., New York’s Metropolitan Transportation Authority and the city of Cleveland, Ohio.
UKG is an HR systems provider known for its payroll and time management systems. The attack affected the Kronos Private Cloud, which houses UKG Workforce Central, UKG Telestaff, Healthcare Extensions and Banking Scheduling Solutions.
On May 7, 2021, the U.S. Colonial oil pipeline shut down after a ransomware attack infected systems at its parent company. The attack was targeted by a threat actor known as DarkSide. Even though none of its critical industrial control systems were believed to be affected, Colonial Pipeline still announced that it was shutting off operations temporarily to prevent the spread of the ransomware. The shutdown of the 5,500-mile pipeline, the largest of its kind in the U.S., led to gas shortages in parts of the country.
It was later reported by The Wall Street Journal that Colonial Pipeline CEO Joseph Blount authorized the $4.4 million ransom payment. The decision was made because, at the time, executives were not sure how badly the cyber attack had breached its systems, as well as how long it would take to bring the pipeline back into operation.
The incident caused one of the nation's main oil pipelines to shut down and raised concerns from the White House and Federal Bureau of Investigation about the security implications and infrastructure problems due to the days-long shutdown.
In December 2019, the city of Pensacola, Fla., fell victim to a ransomware attack as well. It affected customer service and online bill pay for a number of departments in the city, including Pensacola Energy and Pensacola Sanitation Services.
In 2018, the SamSam ransomware virus used a brute-force attack to guess weak passwords guarding important infrastructure in the city of Atlanta. Applications that residents used to pay bills and access court-related information were shut down, causing major rifts in the city's infrastructure. The result was untold amounts of compromised data and millions of dollars of recovery costs.
History of ransomware
The first documented occurrence of ransomware can be traced back to the AIDS Trojan horse virus in 1989. The AIDS Trojan was created by a Harvard-trained biologist named Joseph Popp, who distributed 20,000 infected floppy disks labeled "AIDS Information -- Introductory Diskette" to acquired immunodeficiency syndrome researchers at the World Health Organization's international AIDS conference. Attendees who decided to insert the diskette encountered a virus that would lock the user's files on the computer's drive, making their personal computer (PC) unusable. To unlock their files, users were forced to send $189 to a post office box that PC Cyborg Corp. owned. Eventually, users were able to bypass the virus and decrypt their files because the virus used easily solvable symmetric cryptography tools.
Aside from Popp's 1989 virus, ransomware was relatively rare until the mid-2000s, when attackers used more sophisticated encryption to extort their victims. For example, the Archievus ransomware used asymmetric RSA encryption. Reveton, a virus from 2012, accused the infected system of being used for illegal activity and used the system's webcam to mimic filming the user, using scare tactics to collect a $200 ransom.
Today, the attack vector for ransomware has spread to include applications used on IoT and mobile devices, and viruses are including more complex encryption. This is partially due to the availability of ready-to-use ransomware kits -- RaaS -- available on the dark web, which features encryption resulting from collaboration among communities of ransomware developers on the dark web. Ransomware is now much more adept at targeting larger organizations, as opposed to individuals, which means exponentially greater sums of money are at stake. Ransomware has evolved from a minor nuisance to a major threat since the days of Joseph Popp.
Future trends of ransomware
The most significant trend to expect from ransomware in the coming years is increased attacks on utilities and public infrastructure because they are critical institutions with access to large sums of money and they often use old or outdated cybersecurity technology. As ransomware technology continues to advance, the technological margin between attackers and public targets has the potential to grow even wider. Within these targeted public sectors, specifically healthcare, attacks may be more costly in the coming years than ever before.
Predictions also indicate a growing focus on small businesses that run outdated security software. As the number of IoT business devices grows, small businesses can no longer think that they are too small to be attacked. The attack vector is growing exponentially, and the security methods are not. For this same reason, home devices are predicted to be progressively more likely targets.
The increased use of mobile devices also intensifies the use of social engineering attacks that open the door for a ransomware attack. Social engineering attack methods, such as phishing, baiting, quid pro quo, pretexting and piggybacking, prey on manipulating human psychology.
One IBM study claimed that users are three times more likely to respond to a phishing attack on a mobile device than a desktop, in part because this is where users will most likely see the message first.
Verizon also published research stating that the success of social engineering on mobile devices is likely because smaller screens limit the amount of detailed information that is displayed. Mobile devices compensate for this with smaller notifications and one-tap options for responding to messages and open links, which makes responding more efficient but also expedites the process of falling prey to a phishing attack.
Another trend is the increased stealing or sharing of code. For example, major ransomware campaigns Ryuk and Hermes were found to have similar code. Officials, at first, assumed that both ransomware variants originated from the same group of ransomware actors but later found that much of Ryuk's code was simply copied from Hermes. In fact, Ryuk originated from a separate, unrelated group of threat actors from another country.
Ransomware is becoming a larger and more serious threat, as 56% of organizations were targeted in 2020, according to CrowdStrike. It is becoming more important than ever to protect against ransomware and prevent attacks.