While there may be more than 1 billion
pieces of malware prowling the internet for a chance to infect victims, one
particular piece of nastiness has been inflicting financial losses and security
headaches for years.
Known as ransomware, its sole purpose is to block access to
computer systems or files until the victim pays a ransom. These ransom demands fluctuate
wildly, from the equivalent of a couple of hundred dollars to several hundred
thousand.
Ransomware in a Nutshell
In the simplest terms, ransomware is a piece of malicious
software that prevents users from using their devices or accessing their
personal or important files, unless a sum of money is paid. Payment is usually
demanded in cryptocurrency, such as Monero or Bitcoin. Victims are told to
purchase these digital assets and then transfer them to the attackers.
Ransomware has evolved over the past decade in an effort to target more victims, generate huge profits for cybercriminals, and make it nearly impossible to recover data unless the victim pays the ransom or restores the data from backups.
While encryption is considered a powerful tool for ensuring
online privacy, by allowing everyone to communicate without fearing that others
are eavesdropping, ransomware developers have used it to make sure affected
files cannot be used. Some encryption mechanisms make it impossible to recover
data unless attackers agree to send victims the decryption key, unlocking
access to the affected system after the ransom is paid.
Imagine someone breaking into your home, finding your jewelry, locking it in an impenetrable chest in the middle of your home, then leaving with the key after placing a ransom note. If you contact the burglar and pay the ransom, he will give you the key to unlock the chest and get to your jewelry. Otherwise, good luck breaking the chest. You know all your valuables are there, but you simply can’t use them. Ransomware acts in a similar way, except that it goes after your files and data.
While early ransomware strains were less malignant and focused
on preventing users from accessing their devices by using screen lockers (no
data was encrypted), later versions started using encryption (known as
crypto-ransomware) and various techniques to lock you out of your locally
stored files, and even cloud backups. Some crypto-ransomware families have even
generated the equivalent of more
than 2 billion dollars in paid ransom in less than two years of activity.
Other ransomware families have started adopting
extortion as another intimidation tactic to scare victims into paying. For
instance, before attackers actually encrypt sensitive data, they steal it from
victims and threaten to expose it online as part of a public shaming campaign
if the ransom demand is not met.
Finally, the most disruptive forms of ransomware are known as disk encryptors. Unlike file encryptors, disk encryptors prevent users from booting their operating system at all, because the ransomware holds the entire disk drive “hostage”.
Ransomware Spreading Mechanism
Emails remain one of the most-used mechanisms for spreading ransomware. Spam emails account for a large number of ransomware infections, either by tricking victims into clicking on links and downloading ransomware-infected files, or by carrying tainted attachments that pose as CVs, invoices, and other types of documents. As soon as a victim opens the file, a message is displayed on their desktop warning them that their files have been restricted, along with instructions on how to purchase the decryption key if they want their files back.
Another technique that attackers use is to buy advertising
on high-traffic websites and then leverage them to exploit unpatched vulnerabilities
in browsers or plugins. When such a vulnerability is exploited, the browser or
plugin crashes and the ransomware payload is automatically installed. Many users
have grown reluctant to open attachments or click on email links, so this
method removes any user interaction or social engineering component by relying
on unpatched vulnerabilities.
Cybercriminals also deliver ransomware by using pirated
content downloaded by victims from torrent or “warez” websites. Unsuspecting
users download ransomware disguised as cracks, key generators and other types
of software onto their systems, execute them, and consequently install
ransomware.
How to Stay Safe from Ransomware?
Ransomware is a highly lucrative business for cybercriminals, and they’re constantly investing in new ways to infect victims and make it difficult for security solutions to fend them off. However, it’s not impossible to defeat ransomware. Law enforcement and security companies have been working together for years to help victims recover their files. Initiatives such as the nomoreransom.org website can help ransomware victims recover their data in cases where law enforcement or security vendors have found a way to decrypt files for specific ransomware families.
Before you have to resort to that website, it’s recommended
to install a security solution that can detect even the latest ransomware
families through the use of multiple layers of protection designed to detect malware
during various stages of the attack.
Performing regular backups of your critical or important files and documents is also recommended. Keeping those backups on storage devices that are not directly connected to your computer or discoverable on your network is essential, as ransomware infections usually seek out connected storage devices and encrypt those as well. By doing this, even if you get infected and lose your locally stored files, you can always recover from a backup without paying the ransom.
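The backup advice above has two practical halves: take the copy, and be able to tell later whether the copy is still intact. The following Python script is an added example, not code from the article or its author; it builds a backup with a SHA-256 manifest (the `MANIFEST.sha256` file name and all sample documents are constructed for this example) and then verifies the backup against that manifest. The demo also shows what verification reports when a backup that stayed connected to the machine has had a file overwritten and another renamed, which is the failure mode the paragraph warns about.

```python
"""Backup manifest builder and verifier (added example, not from the article).

The manifest records a SHA-256 digest per file. Verification reports files
that are missing, renamed (unexpected names) or whose contents changed, which
is what a damaged, still-connected backup volume looks like. All sample data
is constructed in a temporary directory; nothing outside it is touched.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"  # hypothetical file name chosen for this example


def _sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Return {relative_posix_path: sha256} for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[p.relative_to(root).as_posix()] = _sha256_file(p)
    return manifest


def write_manifest(root: Path, manifest: dict) -> Path:
    """Persist the manifest next to the backup as 'digest  path' lines."""
    out = root / MANIFEST_NAME
    with out.open("w", encoding="utf-8") as fh:
        for rel, digest in manifest.items():
            fh.write(f"{digest}  {rel}\n")
    return out


def read_manifest(root: Path) -> dict:
    """Parse the manifest written by write_manifest back into a dict."""
    manifest = {}
    with (root / MANIFEST_NAME).open(encoding="utf-8") as fh:
        for line in fh:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_backup(root: Path, expected: dict) -> dict:
    """Compare files under root with the expected manifest.

    Returns {"missing": [...], "modified": [...], "unexpected": [...]}, each
    a sorted list of relative paths.
    """
    actual = build_manifest(root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "modified": sorted(r for r in expected if r in actual and actual[r] != expected[r]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def make_backup(source: Path, destination: Path) -> dict:
    """Copy the source tree to destination and record a manifest of the copy."""
    shutil.copytree(source, destination, dirs_exist_ok=True)
    manifest = build_manifest(destination)
    write_manifest(destination, manifest)
    return manifest


def demo() -> dict:
    """Constructed scenario: back up two documents, verify the intact copy,
    then damage the still-connected copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "documents"
        live.mkdir()
        (live / "invoice.txt").write_text("Invoice #1001, due in 30 days\n")  # constructed
        (live / "notes.txt").write_text("Quarterly planning notes\n")         # constructed

        backup = Path(tmp) / "usb_backup"
        make_backup(live, backup)
        intact = verify_backup(backup, read_manifest(backup))

        # Damage to a backup that stayed mounted: one file's contents replaced
        # with unreadable bytes, one file renamed with a new extension.
        # os.urandom stands in for altered content; nothing is encrypted here.
        (backup / "invoice.txt").write_bytes(os.urandom(64))
        (backup / "notes.txt").rename(backup / "notes.txt.locked")
        damaged = verify_backup(backup, read_manifest(backup))

        return {"intact": intact, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the offline copy rather than only on the live machine, and run the verification from a clean system before trusting a backup for recovery: a report with nothing missing, modified or unexpected is what "recover from a backup" depends on.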
Both law enforcement and security companies recommend not
giving in to ransom demands. Paying only serves to financially fuel the
development of new and more sophisticated ransomware families, helps finance
other cybercriminal activities, and ultimately legitimizes the ransomware
business by making it profitable for cybercriminals.
Remember! It’s important to always keep an eye out for unsolicited emails, constantly update all your software and operating systems, install a security solution that features multiple layers of protection against ransomware, and never give in to extortion.