What is Ransomware? The Complete Guide
Ransomware is a form of malicious software designed to either block access to a computer system or publishes a victim’s personal data online. The attacker demands a ransom from the victim, promising – not always truthfully – to restore access to the data upon payment.
Around since the 1980s, the last decade has seen various ransomware Trojans crop up, but the real opportunity for attackers has ramped up since the introduction of Bitcoin. This cryptocurrency allows attackers to easily collect money from their victims without going through traditional channels.
A ransomware attack begins when malicious software is downloaded onto a device. The device could be a laptop, smartphone or desktop. The malicious software is normally downloaded due to user error or poor security protocols.
Over the last few years, phishing attacks have become a popular way of distributing ransomware. A phishing attack is where a cybercriminal will attach an infected document or URL to an email, disguising it as a legitimate mail, with the hope that the recipient will be tricked into opening it. Once opened, the ransomware is installed on the device.
The ‘trojan horse’ is another popular style of attack. This involves disguising ransomware as legitimate software online, and then infecting devices after users install this software.
Once ransomware has infected a system, it will take over the critical process on the device; searching for files to encrypt, the virus will scramble all the data on the device or delete those files it can’t encrypt. Any external devices attached to the host machine will also be infected. The virus will also send signals to other devices on the infected network in an attempt to infect them also.
There are many different variants of ransomware, with new ones being created all the time. Below are the most recurrent and famous ransomware types:
The most common delivery system for ransomware is via phishing spam – attachments that arrive in a victim’s email, masquerading as a file that they can trust. According to research from a security software firm, Trend Micro, 91% of cyber attacks and the resulting data breach begin with a spear-phishing email.
Once the attachment has been downloaded and opened, the malware can take over the victim’s computer, encrypting some of the user’s files. When this happens, the only way the files can be decrypted is through a mathematical key only known to by the attacker.
There have also been cases where malware will display a message claiming that the user’s ‘Windows’ is locked. The user is then encouraged to call a “Microsoft” phone number and enter a six-digit code in order to reactivate the system. The message alleges that the phone call is free, but this isn’t true. While on the phone calling the fake ‘Microsoft’, the user racks up long-distance call charges.
Another malware is called leakware or doxware. This is where the attacker will threaten to release sensitive data on the victim’s hard drive unless a ransom is paid. Often targeting emails and word documents, there have also been cases of mobile variants where private messages, pictures and contact lists from users’ phones have been released.
Doxware is known to be more effective than ransomware – in terms of getting the money from the victim. With ransomware, you can maintain separate backups of data that is no longer accessible, but with doxware, once an attacker has information that the victim doesn’t want to be made public, there is little to be done apart from paying up.
A discovery for 2019 was the ransomware Anatova. This new ransomware family disguises itself as the icon of a game or application to trick the user into downloading it. An extremely advanced form of malware, it adapts quickly and uses evasion and spreading techniques to prevent its discovery. Due to its modular design, it can embed additional functionalities allowing it to thwart anti-ransomware methods. Fortunately, the McAfee Advanced Threat Research team discovered this new ransomware family in early 2019 before it became a significant threat.
A variant of CrySiS, Dharma ransomware has been around since 2018, but cybercriminals continue to release new variants, which are impossible to decrypt.
Malicious ransomware that uses AES encryption and drops a file called ‘GandCrab.exe’ onto the system. GandCrab targets consumers and businesses with PCs running Microsoft Windows. On May 31st, 2019, the cybercriminals behind GandCrab sent an announcement saying they were stopping all further GandCrab ransomware attacks claiming they had made over $2 billion in ransom payments and they were taking a “well-earnt retirement.”
Emotet was originally a malware that targeted banks – it would sneak onto your computer and steal sensitive and private information. First, on the scene in 2014, Emotet has gone through a variety of versions, evolving into ransomware that can evade detection even by some anti-malware products. Since its inception, Emotet has stolen banking logins, financial data, and Bitcoin wallets from individuals, companies and government entities across Europe and the USA.
Using worm-like capabilities to spread to other computers, hackers usually introduce Emotet by spam emails – made to look legitimate and with the use of tempting language to trick the victim into clicking on the link.
Emotet is one of the most costly and destructive malware – according to the Department of Homeland Security, the cost of the average Emotet attack is upwards of $1 million to clean up.
Ryuk specifically targets large organisations for a high-financial return. According to CrowdStrike, between August 2018 and January 2019, Ryuk netted over 705.80 bitcoins across 52 transactions totalling a value of $3,701,893.98. It first turned heads with its attack on Tribune Publishing’s operations over the Christmas period of 2018. At first, the company thought the attack was just a server outage, but it was soon clear it was the Ryuk ransomware.Another term for ransomware such as Ryuk that targets large enterprises for high ROI is ‘big game hunting.’ These large-scale attacks involve detailed customisation of campaigns to best suit the individual targets, increasing the effectiveness of the attacks. ‘Big game hunting’ therefore requires much more work from the hacker; it is also a normally launched in phases. For example, phase one might be a phishing attack with an aim to infect an enterprises network with malware to map the system and identify crucial assets to target. Phases two and three will then be a series of extortion and ransom attacks/demands.
Am I a target for ransomware?
No vertical is safe from the effects of ransomware. Unfortunately, some are more susceptible to successful attacks than others. There are a variety of reasons for this that include the technology they deploy, the security they have in place, identity governance and privilege maturity, and their overall cybersecurity protocols.
If you read the news, you will have noted that organisations from a variety of different sectors and industries have become victims of ransomware attacks. From healthcare to airlines, the attackers don’t seem to have a preference of who they target…or do they?
An attacker will normally choose an organisation to hit based on two things:
- Potential financial gain
If an organisation has a small security team, lacks IT resources, and has a user base that shares a lot of files, i.e. a University, then an attacker may view this as an easy target.
Potential financial gain
Organisations that need immediate access to their files, e.g. Law firms or government agencies, may be more likely to pay a ransom quickly. Organisations with sensitive data may also be willing to pay to keep the news of the data breach quiet.
Should I pay the ransom?
You would think that paying a ransom to gain access to your data was bad enough, but that can pale into comparison to the actual damage costs involved with an attack. This can include:
- Damage and destruction (or loss) of data
- Lost productivity
- Post-attack disruption to the normal course of business
- Forensic investigation
- Restoration and deletion of hostage data and systems
- Reputational harm
- Employee training in direct response to the attacks
When you take the above into account, it is no wonder that ransomware damages are predicted to climb to $11.5 billion this year, with an attack projected every 14 seconds by the end of this year, up from every 40 seconds last year.
When you speak to cybercrime experts, most urge you not to pay the ransoms as funding ransomware attackers will only help create more ransomware.
Although, many organizations go against this advice weighing up the cost of the encrypted data against the ransom being asked. Last year, in the US, 45% of companies hit with ransomware paid their attackers. But why?!
While refusing to pay ransomware is suggested for the wider business community, refusing to pay may not be the best case of action for the business itself. Especially when there is a chance the business may permanently lose access to vital data, incur fines from regulators or go out of business altogether. The choice between paying a relatively modest ransom and staying in business or refusing to pay to help the wider business community is a no brainer for most.
In some ransomware cases, the ransom demanded is often set at a point that it’s worth the attacker’s while, but low enough that it is often cheaper than a victim paying to reconstruct their lost data. Discounts are also sometimes offered if the victim pays within a certain timeframe e.g. 3 days.
With that in mind, some companies are actually building up reserves of Bitcoin specifically for ransom payments. This is particularly being seen in the UK, where organizations seem more likely to pay ransoms. According to Gotham Sharma, managing director at Exeltek Consulting Group, “About a third of mid-sized British companies report having Bitcoin on hand to respond to ransomware emergencies when other options can’t be immediately exhausted.”
What to do when you’re under a ransomware attack
If you find yourself infected by ransomware, first you need to find out what kind of ransomware it is. If you can’t get past a ransomware note on your screen, then you probably have been infected by screen-locking ransomware. If you can browse through your apps but can’t open your files, movies etc. you have been hit with encrypting ransomware – the worse of the two. If you can navigate your system and read all your files, then you have probably hit with a fake that is just trying to scare you into paying.
There is a great blog that goes into detail about what to do when you’re hit with both screen-locking and encrypting ransomware here.
Even with the best precautions and policies in place, you may still suffer from an attack. In the event your data is held hostage by Ransomware, the following is recommended:
- Remain calm. Rash decisions could cause further data loss. For example, if you discover an infection and suddenly cut power to a server, versus powering it down properly, you could lose data in addition to the infected data.
- Never pay the ransom because attackers may not unlock your data. There are many cases of victims paying the ransom demanded and not receiving their data back in return. Rather than running this risk, companies should work with data recovery experts who may be able to regain access to data by reverse-engineering the malware.
- Check your most-recent set of backups. If they are in-tact and up-to-date, the data recovery becomes easier to restore them to a different system.
- Contact an expert to explore recovery options. An expert data recovery specialist will examine your scenario to see if they have a solution already in place; if not, they should be able to develop one in time.
How to prevent a ransomware attack
Ransomware variants will target different business verticals. The highest risk targets are healthcare, financial institutions and government agencies. Those who are at risk should take precautions to reduce their risk and lessen the effects of an attack.
One of the most important plans your organisation should have in place is a Disaster Recovery Plan. If you don’t have one in place, the chances are that the consequences will be severe. According to the National Archives and Records Administration, 93% of companies that experience data loss and downtime for ten or more days file for bankruptcy within 12 months.
A disaster recover plan describes a variety of scenarios for resuming work quickly after a disaster, i.e. a ransomware attack. A key part of an organisation’s business continuity plan it should allow for sufficient IT recovery and data loss prevention. A disaster recovery plan describes a variety of scenarios for resuming work quickly after a disaster i.e. a ransomware attack. A key part of an organisation’s business continuity plan, a disaster recovery plan should allow for sufficient IT recovery and data loss prevention.
If you don’t have a disaster recovery plan, you can download our free template here.
Other recommendations include:
- Ensure you have up-to-date backups - this way if anything does happen, restoration of your files from a backup is the fastest way to regain access to your data.
- Be prepared by testing backups regularly. Organisations must be familiar with what is stored in backup archives and ensure the most critical data is accessible should ransomware target backups.
- Implement security policies. Use the latest anti-virus and anti-malware software and monitor consistently to prevent infections.
- Develop IT policies that limit infections on other network resources. Companies should put safeguards in place, so if one device becomes infected with ransomware, it does not permeate throughout the network.
- Conduct user training, so that all employees can spot a potential attack. Make sure employees are aware of best practices to avoid accidentally downloading ransomware or opening up the network to outsiders.
- Make sure you have content scanning and filtering on your mail servers. Scan every inbound email for known threats and block any attachment types that could pose a threat.
- Watch our ransomware webinar.
Reducing your attack surface
The management of data across its lifecycle is often not a consideration for many organisations. But without a data lifecycle strategy in place, an organisation is leaving itself exposed to serious security risks and costs. Today, the cost of ineffectively safeguarding data comes with ‘too high a price’.
It’s not just ransomware attacks organisations need to be wary of, data breaches, damaged reputation, lost customers, downtime, and large fines are all potential risks for an organisation that doesn’t effectively manage its data’s lifecycle.
Those organisations that take the time to invest the necessary efforts and resources in data lifecycle management can minimise the risks and costs of their business-critical data at all stages.
You can read more about how your organisation can protect its data throughout its lifecycle here.
How Ontrack has helped organisations hit by ransomware
At Ontrack, we are constantly tracking 271 different types of ransomware. Ransomware changes and develops all of the time, so we want to make sure we are watching and studying the latest changes and advancements. Studying ransomware and its ever-changing forms mean it’s more likely that we will be able to recover data that has been lost in result of an attack.
We currently have encryption abilities on 138 types of ransomware. Only a couple of years ago this figure was only six, so we have come a long way!
When it comes to inaccessible data, it is always best to contact an expert. If you find yourself under attack from ransomware contact an expert like Ontrack who potentially has the capability to help you gain access to your data.
Below are some examples of successful ransomware data recovery cases we have completed.
Start your ransomware data recovery now with a free consultation.
Contact our team of experts. Ontrack accommodates everyone – from the largest government or enterprise organization to an individual who may have lost their digital photos and everyone in between.