So, exactly what is ransomware, and how does it work?

According to IBM, ransomware is,

“…an online attack perpetrated by cybercriminals who demand ransom to release hold on encrypted or stolen data.”

Ransomware is a type of malware. There are various types of ransomware threats, most causing malicious encryption of your files and data or a lockup on your computer, device, or system, often spreading from one machine to another, only being freed or decrypted when the ransom is paid.

As much as it sounds like something that could never happen to you, the popularity of ransomware has increased radically over the past year. In light of the Coronavirus pandemic, with more workers operating from home or remotely, without protection from their business headquarters’ security systems, it’s easier than ever for malware to access machines.

Cryptocurrency provided easier ways of paying the ransom

A huge player in the malware industry, ransomware attacks became even more popular with the introduction of Bitcoin. The cryptocurrency system delivered a simpler means for attackers to demand payment without the traditional checks. Paying the ransom became simpler and less risky, especially for transfers of such vast sums of money.

With off-the-shelf systems available on the dark web that deliver ransomware as a service, demands are easier to instigate and apply. It works like a franchise, where the creators take a percentage as victims pay the ransom, and it means even the smallest of businesses are vulnerable.

So, what is ransomware in simple words? It’s bad news—really bad news.

How do ransomware attacks happen?

The main routes of infiltration and ransomware infection are:

  • Spam or phishing emails
  • Social engineering
  • From disreputable websites
  • ‘Drive-by’ downloads from dubious web pages

There are so many ways to bypass your systems even the savviest of Internet users won’t spot many of the highly crafted methods malware utilises. Once it has found its way in, there isn’t much you can do to prevent it from completing its task, locking you out of your system or encrypting your data.

The 5 stages of a ransomware attack are,

  1. Infection – However the malware is delivered, it installs itself on the machine and network.
  2. Secure key exchange – The ransomware typically contacts the attackers’ servers, generating the cryptographic keys used to encrypt the system.
  3. Encryption – The malware system begins the encryption process, spreading as far as it can over each network, creating encrypted files where it can.
  4. Extortion – The malware then dictates the terms of payment to the victim, also alerting them to what will happen if the ransom isn’t met.
  5. Decryption – If the ransom is paid, the encrypted data is freed using a secure decryption key held by the attacker. Sadly, almost half of the businesses that pay a ransom don’t have their systems released and are unable to regain access to their original files.

How does ransomware work?

The methods of infiltration are continually evolving, making protecting against them a tough job. Ransomware works using the following systems:

  • Encrypting ransomware – This type of malware is the most common and works by encrypting all of the selected data and files until the ransom is paid.
  • Non-encrypting ransomware – This malware locks your machine, its screen or blocks access to your files and drives without encrypting them.
  • MBR encryption – This malware encrypts the master boot record of your drives or Microsoft’s NTFS file system, preventing the machines from booting up.
  • Extortionware – Compromising or damaging data is stolen and used to blackmail victims into paying; this is also known as leakware.
  • Mobile device ransomware – Fake apps and drive-by downloads infect mobile phones and tablets, leaving their owners under pressure to pay to release them.
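Stage 3 of the attack and the “encrypting ransomware” type above share one observable behaviour from a defender’s point of view: many files on one host are rewritten in a short time with content that looks like ciphertext. The following added example (not code from the original article) shows a simple detector for that pattern. It measures the Shannon entropy of each written file sample and raises an alert when one host produces a burst of high-entropy writes to non-archive files within a short window. The event tuples, host names, file paths, thresholds (7.0 bits per byte, 5 writes in 30 seconds) and the list of legitimately high-entropy extensions are all constructed assumptions for the demonstration.

```python
import math
import random
from collections import deque
from datetime import datetime, timedelta

HIGH_ENTROPY = 7.0              # bits per byte; ciphertext sits close to the 8.0 maximum
WINDOW = timedelta(seconds=30)  # sliding window per host
BURST = 5                       # suspicious writes inside WINDOW before we alert
# Formats that are legitimately high-entropy (compressed or already encrypted).
PACKED_EXT = {"zip", "gz", "7z", "rar", "png", "jpg", "jpeg", "mp4", "pdf", "gpg"}


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious_write(path, content):
    """A write is suspicious when it is not an archive/media format yet looks random."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    return ext not in PACKED_EXT and shannon_entropy(content) >= HIGH_ENTROPY


def detect_encryption_bursts(events):
    """events: iterable of (timestamp, host, path, content_sample).

    Returns {host: alert} for every host that produced BURST suspicious writes
    inside WINDOW. Only the first alert per host is recorded.
    """
    recent = {}   # host -> deque of timestamps of recent suspicious writes
    alerts = {}
    for ts, host, path, content in sorted(events, key=lambda e: e[0]):
        if not is_suspicious_write(path, content):
            continue
        q = recent.setdefault(host, deque())
        q.append(ts)
        while ts - q[0] > WINDOW:        # drop writes that fell out of the window
            q.popleft()
        if len(q) >= BURST and host not in alerts:
            alerts[host] = {"first_seen": q[0], "count": len(q), "example": path}
    return alerts


# --- constructed sample event stream (not real telemetry) ---------------------
_rng = random.Random(2021)   # seeded so the sample is reproducible
SAMPLE_T0 = datetime(2021, 3, 4, 9, 15, 0)


def _random_blob(n):
    """Stand-in for ciphertext: n pseudo-random bytes from the seeded generator."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_EVENTS = []
# Workstation ws-17: six documents rewritten as high-entropy blobs within 15 seconds.
for i in range(6):
    SAMPLE_EVENTS.append((SAMPLE_T0 + timedelta(seconds=3 * i), "ws-17",
                          f"C:/Users/amy/Documents/report{i}.docx.locked", _random_blob(2048)))
# Workstation ws-02: ordinary activity, including one legitimately compressed file.
SAMPLE_EVENTS += [
    (SAMPLE_T0 + timedelta(seconds=1), "ws-02", "C:/Users/bob/notes.txt",
     b"Meeting notes: agree Q3 budget.\n" * 40),
    (SAMPLE_T0 + timedelta(seconds=8), "ws-02", "C:/Users/bob/photos.zip", _random_blob(2048)),
    (SAMPLE_T0 + timedelta(seconds=20), "ws-02", "C:/Users/bob/todo.txt",
     b"- call supplier\n- renew cert\n" * 30),
]

if __name__ == "__main__":
    for host, alert in detect_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {alert['count']} high-entropy writes since "
              f"{alert['first_seen']:%H:%M:%S}, e.g. {alert['example']}")
```

Only ws-17 trips the detector: its fifth rewrite arrives twelve seconds after the first, so the window holds five suspicious writes. The zip file on ws-02 is high-entropy too, but its extension is on the allow list and it is a single write, which is why both the extension check and the burst threshold matter; without them, every backup or photo export would page the on-call analyst.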

Important historical ransomware examples

The following includes some of the more well-known types of ransomware and how they affect your systems. Cybercrime experts have found over 120 different virus types amongst the latest ransomware, with attackers showing no sign of morality about who they choose to target.

  • Phishing – The most common threat of them all, phishing typically uses email to convince users to engage, downloading files from what look like trusted sources. Once the file is activated, the device locks or becomes encrypted, and the only way to decrypt it again is with the correct key.
  • Doxware – Also known as ‘leakware’, the attacker threatens to release the user’s sensitive data from the victim’s hard drive or devices: anything from private messages, images, and files to contacts. This information is often far more sensitive than traditional data, resulting in victims being forced to pay the ransom.
  • Anatova – This version disguises itself as a game or an app, tricking the user into a download.
  • Dharma – Dharma originated in 2018, but with new variants released all the time, it continues to cause problems and is usually impossible to decrypt.
  • GandCrab – Targeting consumers and business users on MS Windows platforms, the cybercriminals behind the system announced their retirement when they reached $2 billion in payments!
  • Emotet – Originally created to target banks, Emotet has developed continually, finding new ways to steal logins, financial data, and even Bitcoin wallets from individuals, businesses, and governments worldwide.
  • Ryuk – Aimed at large organisations and networks, Ryuk is claimed to have netted over $3 million from a mere 52 transactions. Targeting major companies and large organisations is known as ‘big game hunting’, an area where Ryuk excelled.

Can ransomware be removed?

Without holding the correct encryption key, it’s unlikely that you’ll be able to free your encrypted files. That’s why it’s imperative to have appropriate protection in place and a recovery plan in the event of a successful attack on your servers.

Of all the forms of malware, it’s easy to see why ransomware is so effective and so costly to its victims. The ransom itself is only one expense in a range of damages. The cost of recovery, or of legal action over data protection failures, can be far higher, which is why so many organisations choose to comply and pay the ransom figure on demand.

Should you pay the ransom?

The decision on whether to pay the ransom needs a great deal of consideration. Given that almost half of the businesses that pay their ransom still don’t receive a decryption key to release their files, the risks are greater still.

The decision is different for every company and organisation. Where available, victims of ransomware attacks should engage with the appropriate law enforcement agencies, their insurance providers, as well as digital security experts. Trying to release your infected files this way is as illegal as the ransomware that locked them up in the first place.

Most law enforcement agencies advise against meeting the terms of any ransom note, as it encourages cybercriminals to continue in their illicit activities. However, for many business owners, losing control of their most sensitive data is too big a risk to take.

Before making your final consideration, you should consult both ransomware specialists and a cybersecurity response team. These professional services will consider your best options and advise you with the most suitable response in your situation.

How to prevent ransomware attacks

The only way to prevent ransomware infection is to meticulously prepare for it, and for any other malicious software attack.

  1. Devise a solid backup plan – with multiple backup copies, ideally on separate networks and different media, and including a secure offline option.
  2. Isolate critical backups with air gap protection.
  3. Ensure all devices and networks are protected with anti-ransomware, anti-virus, security scans, firewall protection, and regular audits.
  4. Build protection against human weak points, including phishing, smishing (SMS phishing), vishing (voicemail phishing), social media, and instant messaging opportunities.
  5. Build protection against technical weak points, including drive-by downloads (viewing web pages with malicious code), system vulnerabilities, malicious advertising (malvertising), and propagation over your data, networks and shared services.
  6. Organise cyber security training for all employees and network users.
  7. Update software and operating system security regularly.
  8. Educate all users on malware best practices including what to avoid and how to use software that detects different types of ransomware.
  9. Quarantine email attachments until they’re confirmed safe to open.
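Step 9, quarantining attachments until they are confirmed safe, is the one item in this list that a mail gateway can enforce mechanically. The added example below (not code from the original article) is a small triage function that decides whether an attachment should be held: it blocks executable and script extensions, macro-enabled Office files, decoy “double extensions” such as invoice.pdf.exe, files whose leading bytes do not match what their extension claims, and archives that contain any of the above or are password-protected. The extension lists, the magic-byte table and the sample attachments are constructed assumptions for the demonstration; a production gateway would also scan content with an engine, which this example does not do.

```python
import io
import zipfile

# Extensions that are executable or scriptable on a typical Windows desktop (assumed list).
BLOCKED_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs",
               "vbe", "wsf", "hta", "ps1", "lnk", "msi", "jar", "iso", "img"}
# Macro-enabled Office formats, a common ransomware dropper vehicle.
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Document-style extensions that attackers use as the decoy half of a double extension.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Leading bytes a file with the given extension is expected to start with.
MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG", "jpg": b"\xff\xd8\xff", "zip": b"PK\x03\x04"}


def _ext_parts(filename):
    """Return (final extension, list of inner 'extensions') for a file name, lower-cased."""
    parts = filename.lower().split(".")
    return (parts[-1] if len(parts) > 1 else ""), parts[1:-1]


def triage_attachment(filename, data):
    """Return ("quarantine", reason) or ("allow", "") for a single attachment."""
    ext, inner = _ext_parts(filename)
    if ext in BLOCKED_EXT:
        return "quarantine", f"executable or script extension .{ext}"
    if ext in MACRO_EXT:
        return "quarantine", f"macro-enabled document .{ext}"
    if any(p in DECOY_EXT for p in inner):
        return "quarantine", f"double extension in '{filename}'"
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        return "quarantine", f"content does not look like .{ext}"
    if ext == "zip":
        # Look inside the archive: droppers are routinely zipped to dodge extension filters.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:      # bit 0 of the general purpose flag = encrypted
                        return "quarantine", "password-protected archive"
                    member_ext, _ = _ext_parts(info.filename)
                    if member_ext in BLOCKED_EXT or member_ext in MACRO_EXT:
                        return "quarantine", f"archive contains {info.filename}"
        except zipfile.BadZipFile:
            return "quarantine", "corrupt or malformed archive"
    return "allow", ""


def triage_all(attachments):
    """Triage a {filename: bytes} mapping; returns {filename: (decision, reason)}."""
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


# --- constructed sample attachments (not real mail traffic) -------------------
def _build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


SAMPLE_ATTACHMENTS = {
    "invoice.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,          # decoy name, PE header
    "statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,            # claims PDF, is a PE
    "q3_budget.xlsm": b"PK\x03\x04" + b"\x00" * 26,           # macro-enabled workbook
    "photos.zip": _build_zip({"holiday.jpg": b"\xff\xd8\xff\xe0", "setup.js": b"var x = 1;"}),
    "notes.txt": b"Meeting at 10:00, bring the Q3 figures.\n",
}

if __name__ == "__main__":
    for name, (decision, reason) in triage_all(SAMPLE_ATTACHMENTS).items():
        print(f"{decision:10s} {name:20s} {reason}")
```

Two of the six samples are released and four are held. Note the order of the checks: the cheap name-based rules run first, the magic-byte comparison catches a renamed executable that the name rules would pass, and the archive inspection catches a script hidden behind an innocuous photo. None of this replaces a scanning engine, but it is enough to stop the bulk of commodity lures at the gateway while a human or a sandbox confirms the rest.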

Recovering from a ransomware attack

With proper backup systems in place and a plan to bounce back from a ransomware attack, you can limit the damage.

  1. Isolate the infected computer or infected machines immediately – before further damaging attacks can spread to other arms of your systems.
  2. Identify the infection – Find out which malware it is and how it entered your system.
  3. Report it to the correct authorities – They’ll do their best to support you and coordinate a counter-attack with the appropriate law enforcement teams.
  4. Determine whether you can restore your data, remove the malware, or if you have no other choice than to pay the ransom.
  5. Where possible, restore your system with a complete wipe, spread across your machines, storage devices, and network, applying your most recent backups to regain access to your files.