What Is Ransomware?

What Is Ransomware?

Ransomware is a type of malware — short for malicious software — that blocks access to a victim’s device or system and then demands that certain conditions be met in exchange for restoring access to the device/system’s legitimate owner. Ransomware can be delivered to a system in a number of ways: from email attachments and phishing links to unexpected add-ins to seemingly legitimate software. Attackers have also employed social engineering tactics by posing as law enforcement agents that demand fines for the presence of pirated software or illicit material on their computers. 

Ransomware can also gain access to devices by leveraging security vulnerabilities in a larger network. When a victim downloads and opens an attachment, ransomware can enter and lock a system or encrypt files. Ransomware generally targets valuable files, like financial documents, critical programs, and personal photos, and encrypts or deletes their backup files. This is often done using a symmetric or asymmetric encryption algorithm, which allows an encryption key to be generated by the ransomware and offered to the victim in exchange for something, usually some kind of payment.

Most often, ransomware victims are not aware of the breach until they are presented with an onscreen ransom note that alerts them of the attack. This note generally threatens denial of access until a ransom is paid. The ransom amount is specified and sometimes payment is demanded in cryptocurrency due to the privacy and convenience of blockchain payment networks. Once the attacker’s conditions have been met, the attacker typically sends the victim a decryption key or directly decrypts the infected device/system so that the legitimate user can regain control of their system.

Types of Ransomware

Ransomware generally falls into two broad categories based on the threat posed to the user. The first is crypto ransomware, which encrypts files in order to block access to specific data. The second is locker ransomware, which locks users out of their devices or systems altogether.

Further subsets of ransomware attacks include leakware (also called doxware), screen-locking or mobile ransomware, and scareware. Doxware threatens to leak sensitive information protected on a computer in exchange for ransom. Similarly, scareware threatens encryption — but only scares the victim and does not actually execute the threat. Screen-locking ransomware blocks access to a user’s mobile devices.

More recently, Ransomware-as-a-Service (RaaS) has become a growing concern where hackers sell their ransomware or services to less savvy cybercriminals to deploy as they see fit, and often take a cut of the profit from a successful attack.

Prominent Ransomware Attacks

Most ransomware attacks involve a monetary ransom request. Recent studies on ransomware indicate that average payment following a ransomware attack increased 171% in 2020 alone — up to $312,493 USD compared to $115,123 in 2019. The cost of these attacks is staggering, with an estimated $20 billion lost to ransomware attacks on a wide array of businesses, individuals, and public institutions in 2020. And while hundreds of types of ransomware have been detected, a few have had particularly devastating effects:

WannaCry: WannaCry ransomware (or WCry, WanaCrypt0r, Wana Decrypt0r 2.0) was one of the largest recorded ransomware attacks in history, with $4 billion in damage and ransom money paid. The first attack hit in 2017 and targeted Windows vulnerabilities. Since then, WannaCry has affected over a quarter of a billion users spread across 150 countries, with a particularly devastating impact on the healthcare industry in the UK and the Russian banking system. The ransomware generally looks for vulnerabilities and backdoors on a system, uses a kill switch to freeze a program’s execution, and demands ransom to be paid in bitcoin.

Ryuk: First discovered in August 2018, Ryuk was one of the first types of ransomware that was able to identify and encrypt network drives and resources, and also delete shadow copies. In other words, attackers using Ryuk are able to disable Windows System Restore for users, making it impossible to recover from an attack without an external backup or sophisticated technology dedicated to rolling back the damage resulting from these attacks. Most Ryuk attacks use corrupted Microsoft Office documents attached to phishing emails and attackers have historically targeted large organizations that are more likely to pay steep ransdom demands.

CryptoLocker: One of the most infamous cases of ransomware is the CryptoLocker ransomware, which targeted computers running Windows operating systems. In its first wave of attacks the ransomware infiltrated computers through spam emails, which included infected ZIP file attachments. Attackers used encryption algorithms to encrypt infected files and systems, which then spread through network drives. A second version of CryptoLocker was spread through the peer-to-peer Gameover ZeuS, which used a botnet to send spam that would try to lure victims into executing exploit kits.

Cerber: Cerber ransomware became notorious for first distributing RaaS, which has become an increasingly problematic vector. With many hackers openly advertising their “services” on dark web marketplaces, the number of people able to access sophisticated malware technology has exploded with the release of malware like Cerber.

Ransomware and Cryptocurrencies

In recent years, cryptocurrency holders have increasingly become the targets of ransomware attacks. This is due largely to the rising value of cryptocurrencies and the fact that many individual and institutional investors have entered the space. Further, ransomware attackers tend to request cryptocurrency payments because many types of cryptocurrencies are designed to enable secure and anonymous (or pseudonymous) transactions. Anonymity-Enhanced Cryptocurrencies (AECs) such as Monero and privacy coins are increasingly being requested during ransomware attacks.

Many ransomware attackers also prefer cryptocurrency payment networks because payments can be received with fewer delays and fees, especially when moving funds across borders. The open and transparent nature of cryptocurrencies allow cybercriminals to easily monitor the progress of a ransom payment on the public blockchain, and since these transactions are taking place on-chain rather than processed by a centralized authority, they cannot be blocked or rolled back by traditional financial institutions.

How to Prevent Ransomware Attacks

Once your device/system has been infected with ransomware, your options become fairly limited and therefore the most effective way to protect yourself from these attacks is to prevent them from happening in the first place.

• Constant vigilance: Since many malware attacks come in the form of phishing emails or other forms of misleading digital communications, it’s important to be cautious of suspicious messages and learn how to identify potential risks at the initial point of contact. If you inadvertently divulge confidential information to an attacker or compromise your accounts or devices by clicking a malicious link, none of the other preventative measures listed below may be enough to protect you.

• Additional layers of identity verification: Because phishing attacks are made possible entirely through human error, using personal security measures such as two-factor authentication (2FA) or a password manager can mitigate the risks of these attacks in the event that one of your access/identification credentials is compromised.

• Restrict access to your device/system: It is often worth disabling file sharing, unused wireless connections, and remote services for your devices/networks, as well as setting up specific permissions in order to reduce your potential attack surfaces. While these precautions won’t fully protect you from malware attacks they may decrease your likelihood of coming across and accidentally falling for a phishing attempt.

• Secure digital asset storage: While there are pros and cons to spreading your digital assets across multiple accounts and wallets, one reliable method of asset protection involves keeping a significant portion of your funds in cold storage. While assets in a cold wallet may be harder to access and exchange, these same features make those funds substantially harder to steal even if your digital identity is compromised.

• Regular updates/backups: Because most types of malware are designed to leverage specific software security exploits, it’s important to keep programs such as your web browsers, operating systems, and antivirus programs updated at all times. Backups should be located in multiple locations and protected through multi-factor authentication (MFA). A local hardware backup device can also provide secure backup, as long as it remains disconnected when being used to download/upload a backup and generally kept separate from any potentially infected device. 

If your system is compromised by a ransomware attack in spite of the above precautions, generally your two main choices are to either pay the ransom or restore your data from an uncompromised backup. However, restoring your system from a backup doesn’t undo the damage the attacker has already done, and if the attacker has downloaded the data from your system they will be free to leak it online or sell it to other criminals, which could lead to severe consequences depending on what’s stored in your system.

As a result, while the underlying format of malware attacks has remained essentially unchanged over time, the specific methods used to execute these cybercrimes and extract payments are constantly evolving. The number of malware attacks has steadily grown in recent years, and the volume of these attacks is expected to accelerate in the future. As an increasingly large portion of our lives shifts online, we expect more cybersecurity firms, activists, and regulatory bodies to develop more effective countermeasures to prevent or mitigate the damage from these attacks. However, it is ultimately your responsibility to keep your devices, connected systems, and digital assets safe.