In this article: ransomware meaning; types of ransomware; ransomware examples; protection against ransomware.
Ransomware meaning: What is ransomware?
Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access. While some people might think ‘a virus locked my computer’, ransomware is typically classified as a different form of malware from a virus. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors demand that payment be sent via cryptocurrency or credit card, and attackers target individuals, businesses and organisations of all kinds. Some ransomware authors sell the service to other cyber criminals, a model known as Ransomware as a Service.
How do I get ransomware?
How exactly does a criminal carry out a ransomware attack? First, they must gain access to a device or network. Having access enables them to utilise the malware needed to encrypt (or lock up) your device and data. There are several different ways that ransomware can infect your computer.
Malspam
To gain access, some threat actors use spam, where they send an email with a malicious attachment to as many people as possible, seeing who opens the attachment and ‘takes the bait’, so to speak. Malicious spam is unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents. It might also contain links to malicious websites.
Malvertising
Another popular infection method is malvertising, or malicious advertising, which is the use of online advertising to distribute malware with little to no user interaction required. While browsing the web – even legitimate sites – users can be directed to criminal servers without ever clicking on an ad. These servers catalogue details about victims’ computers and their locations, and then select the malware.
Spear phishing
A more targeted route to a ransomware attack is spear phishing. An example of spear phishing would be sending emails to employees of a certain company, claiming that the CEO is asking them to take an important employee survey, or that the HR department is requiring them to download and read a new policy.
The term ‘whaling’ is used to describe such methods targeted toward high-level decision makers in an organisation, such as the CEO or other executives.
Social engineering
Malspam, malvertising and spear phishing can, and often do, contain elements of social engineering.
Threat actors may use social engineering in order to trick people into opening attachments or clicking on links by appearing as legitimate – whether that’s by seeming to be from a trusted institution or a friend.
Cyber criminals use social engineering in other types of ransomware attacks, such as posing as a government agency in order to scare users into paying them a sum of money to unlock their files.
Another example of social engineering would be if a threat actor gathers information from your public social media profiles about your interests, places you visit often, your job, etc., and uses some of that information to send you a message that looks familiar to you, hoping you’ll click before you realise it’s not legitimate.
Encrypting files and demanding a ransom
Whichever method the threat actor uses, the outcome is the same once they gain access: the ransomware (typically activated by the victim clicking a link or opening an attachment) encrypts your files or data so you can’t access them, and you then see a message demanding a ransom payment to restore what was taken. Often the attacker will demand payment via cryptocurrency.
Types of ransomware: Examples
Scareware
Scareware, as it turns out, is not that scary. It includes rogue security software and tech support scams.
You might receive a pop-up message claiming that malware was discovered and the only way to get rid of it is to pay up. If you do nothing, you’ll likely continue to be bombarded with pop-ups, but your files are essentially safe. A legitimate cyber security software programme would not solicit customers in this way. If you don’t already have this company’s software on your computer, then they would not be monitoring you for ransomware infection. If you do have security software, you wouldn’t need to pay to have the infection removed – you’ve already paid for the software to do that very job.
Screen lockers
Screen lockers – upgrade to terror alert orange for these guys. When lock-screen ransomware enters your computer, it means you’re frozen out entirely.
Upon starting your computer, a full-size window will appear, often accompanied by an official-looking FBI or US Department of Justice seal saying illegal activity has been detected on your computer and you must pay a fine. However, the FBI would not freeze you out of your computer or demand payment for illegal activity. If they suspected you of cyber crimes, they would go through the appropriate legal channels.
Encrypting ransomware
Encrypting ransomware – this is the truly nasty stuff. These are the guys who snatch up your files and encrypt them, demanding payment in order to decrypt and redeliver. This type of ransomware is so dangerous because once cyber criminals get hold of your files, no security software or system restore can return them to you. Unless you pay the ransom, for the most part, they’re gone. And even if you do pay up, there’s no guarantee the cyber criminals will give you those files back.
Mobile ransomware
Mobile ransomware – it wasn’t until the height of the infamous CryptoLocker and other similar families in 2014 that ransomware was seen on a large scale on mobile devices. Mobile ransomware typically displays a message that the device has been locked due to some type of illegal activity. The message states that the phone will be unlocked after a fee is paid. Mobile ransomware is often delivered via malicious apps and requires that you boot the phone up in safe mode and delete the infected app in order to retrieve access to your mobile device.
Who do ransomware authors target?
When ransomware hit the scene, its initial victims were individual systems (aka regular people). However, cyber criminals began to realise its full potential when they rolled out ransomware to businesses. Ransomware was so successful against businesses – halting productivity and resulting in lost data and revenue – that its authors turned most of their attacks toward them.
By the end of 2016, 12.3% of threats were ransomware, while only 1.8% of consumer detections were ransomware worldwide. And by 2017, 35% of SMEs had experienced an attack.
Ransomware attacks are still focused on western markets, with the UK, US and Canada ranking as the top 3 countries targeted. As with other threat actors, ransomware authors will follow the money, so they look for areas that have both wide PC adoption and relative wealth. As emerging markets in Asia and South America ramp up on economic growth, expect to see an increase in ransomware (and other forms of malware) there as well.
How can I remove ransomware?
If an attacker encrypts your device and demands a ransom, there’s no guarantee they will decrypt it whether or not you pay up. That is why it’s critical to be prepared before you get hit with ransomware. Two key steps to take are:
- Install security software before you get hit with ransomware.
- Back up your important data (files, documents, photos, videos, etc.).
If you do find yourself with a ransomware infection, the number one rule is to never pay the ransom and to make sure you have backed up all of your data on a remote drive. Other ways to deal with a ransomware infection include downloading a security product known for remediation and running a scan to remove the threat. You may not get your files back, but you can rest assured the infection will be cleaned up. For screen-locking ransomware, a full system restore might be in order. If that doesn’t work, you can try running a scan from a bootable CD or USB drive.
How do I protect myself from ransomware?
My advice is to prevent it happening in the first place. There are methods to deal with a ransomware infection, but they are imperfect solutions at best, and often require much more technical skill than the average computer user possesses.
How to prevent ransomware
The first step in ransomware prevention is to invest in security tools – software and programmes with real-time protection that are designed to thwart advanced malware attacks such as ransomware.
In addition to using the right tools, it all comes down to training, education and awareness... don’t click on it if it doesn’t feel right!
How ESA Risk can help
If you’ve been the victim of an attack or you’d like further advice and support on ransomware protection, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.
Increase your knowledge of cyber security – we offer cyber security courses, provided by the Global Cyber Academy, from levels 2 to 5.