On June 7, operations at Belgium-based ASCO Industries, one of the world’s largest airplane parts suppliers, ground to a screeching halt after being hit with a ransomware attack.
Unfortunately, this is not an uncommon scenario. Ransomware attacks are happening every day, and any person or organization can be the next target. Cybersecurity Ventures predicts that by the end of 2019, a ransomware attack on a business will occur every 14 seconds, with anticipated total damages of $11.5 billion.
What is ransomware?
Ransomware is a form of malware, malicious software that infects and takes over a device. In most cases, the device or its important files are encrypted and held for “ransom.” The user sees a message on their screen stating that access to their data has been denied and that they can only recover it by paying a fee to a cybercriminal. Should they refuse, the hacker may threaten to delete the victim’s files permanently.
Although ransomware has become much more prevalent over the last several years, its origins go back three decades to 1989, when a trojan virus called PC Cyborg was distributed via floppy disk.
In 1996, two researchers developed a way to use public-key cryptography to encrypt host data while deleting or overwriting the original data. This crypto-virus appears to be the origin of modern ransomware, as it demanded a ransom payment in exchange for the decryption key.
In 2013, encrypting ransomware—the most common kind used in today’s ransomware attacks—came out in full force with a program called CryptoLocker. It used strong encryption and stored the decryption keys on a remote server, leaving users with no choice but to pay the ransom.
With the rise of cryptocurrency, it is now easier than ever for hackers to demand ransom via hard-to-trace internet payment platforms like bitcoin—and the problem is only getting worse. A spokeswoman for Kaspersky, an antivirus software maker, said nearly 235,000 employees working in large organizations suffered a ransomware attempt in the 12 months ending in May 2019—an 18% increase compared to the previous year.
How does ransomware work?
Ransomware can infect a device in several different ways, most commonly via email. The cybercriminal sends an unsolicited email, usually containing a malicious attachment or website link used to deliver the malware. These emails frequently rely on social engineering—that is, appearing to be from a friend or trusted institution.
A similar method called “malvertising” (malicious advertising) redirects internet users to criminal servers. Even if the user doesn’t directly click on a malicious browser ad, they can be tracked by the criminal and targeted for malware deployment.
Once a device is infected with malware, users will see a message pop up on their screen informing them that their files have been encrypted. These messages are often threatening and intimidating in nature to scare the victim into paying. If your device is under a ransomware attack, you may see a message such as:
- “Your computer has been infected. To resolve the issue, click here to send a payment.”
- “Your computer has been locked. You must pay a fine to unlock it.”
- “Your files have been encrypted. You must pay a fee within 72 hours to regain access to your data.”
The ransom price may vary greatly depending on the hacker and the program they’re using. Some cybercriminals request as little as $300 worth of bitcoins, while others demand tens of thousands of dollars.
Who is a target for ransomware?
Hackers don’t discriminate when deploying ransomware attacks; anyone can be targeted, including individual computer users, businesses and even city governments. A cybercriminal may attack individuals or smaller organizations who are less likely to have top-notch security programs in place, simply because they’re easier targets.
Other times, hackers target specific organizations with high-profile or sensitive data, such as governments or health care facilities. Attackers often believe these types of organizations will be inclined to pay the ransom rather than risk losing such important files, or having to admit the breach to the public.
No matter who the target is, the effects of ransomware can be devastating. Besides the ransom (should the victim choose to pay), they may still have to pay security and tech experts to help unlock devices and recover files.
For businesses and government organizations, ransomware may cause long-term financial losses due to crippling disruptions to their regular operations or a damaged public reputation.
What are the different types of ransomware?
While all ransomware essentially functions the same way, there are two main forms that a hacker might deploy. The first is locker ransomware, which locks access to a device’s interface and demands a fee to restore it. Locked computers often only allow the user to interact with the hacker and pay the requested ransom. Because locker ransomware only blocks access to the computer interface, as opposed to the underlying system and files, it is often easier for victims to restore access and cleanly remove the malware from their devices.
The second type, crypto ransomware, is far more difficult to overcome. Crypto ransomware locates and encrypts valuable data stored on a device, and a user can only obtain a decryption key once they pay the ransom. If the user does not have the encrypted data backed up, they could lose it completely in this type of attack. Unlike locker ransomware, most crypto ransomware does not render computers completely nonfunctional; a user can often still operate the device, except for accessing the encrypted data.
Some of the most commonly used ransomware programs in recent years include:
- Locky is one of the most notorious types of ransomware and can demand ransoms in 30 languages.
- Cryptolocker/Cryptowall scrambles file names so victims can’t tell which files are encrypted.
- Cerber is sold on the dark web so criminals can use it in return for a percentage of each ransom paid. Criminals can also use this program to steal bitcoin wallet and password information.
- SamSam seeks out unsecured internet-facing systems and spreads ransomware across networks.
- WannaCry is the world’s largest ransomware attack to date. It raises the ransom price after three days and threatens to permanently delete files if the ransom is not paid within a week.
- Petya/NotPetya is a combination of elements from ransomware called GoldenEye (a relative of Petya) and WannaCry that encrypts entire hard drives, which prevents computers from functioning.
Can you remove ransomware?
If you see a ransomware message pop up on your computer, you should not pay the ransom, no matter how insignificant it may seem.
“It may seem counterintuitive, but you have no guarantee that the cybercriminal will keep their word and actually provide the decryption key to unlock your files,” said Jakub Křoustek, a research manager for Avast Threat Labs who focuses on ransomware analysis. “Or, they could even increase the fee once they realize your willingness to pay. That will also make you a target for future attacks down the road.”
Furthermore, said Křoustek, it is prohibited by law to pay the ransom in some locations.
“Ransomware attacks are a criminal offense, so report the incident to law enforcement,” said the Kaspersky spokesperson. “Don’t pay the attackers, as it will mark you or your organization out as a target for future attacks, and support this malicious business model.”
To regain control of your device after a ransomware attack, you may be able to reinstall your operating system or execute a system restore, Křoustek said. This can take your computer back to a time before the ransomware was loaded and restore its previous state.
While taking these steps can release your machine from the hacker’s control, a system restore will not decrypt your files. You must have already created backup versions of your data to restore access to them.
How to protect yourself from ransomware attacks
As ransomware attacks become more prevalent and more damaging, it’s important to educate yourself on ransomware and understand how to reduce the likelihood of becoming a victim. Although you can’t completely eliminate your risk, following the latest security best practices can provide some level of protection.
Here’s what experts recommend doing to avoid potential ransomware attacks:
1. Install antivirus and antimalware software. Although some hackers are still able to break past antivirus software, installing it and keeping it up-to-date is an important first step in warding off would-be cybercriminals. Businesses may also consider investing in enhancements such as anti-ransomware tools to ensure their sensitive company data remains safe.
2. Always update your systems and programs. “Make sure your operating system and malware protection software are up-to-date,” said Strato Doumanis, cybersecurity expert and chief technical officer of MediaCutlet. “Critical updates for Windows and Mac should not be ignored.”
3. Take extra precautions with your email. That advice especially goes for email attachments. “A simple PDF or Word document can unpack and deploy ransomware,” Doumanis said. “Only download or open attachments from trusted, verified senders.”
4. Back up data regularly. Having backups of your data is the only way to restore it after malware is removed from your device.
5. Conduct regular security audits. According to Kaspersky, you should consistently scan your network for anomalies, especially if you’re operating a business. “Don’t overlook less obvious targets, such as queue management systems, POS terminals and even vending machines,” said the spokesperson.
If you believe your personal information has been compromised in a cyberattack and released on the dark web, you may be able to find out what’s been exposed by running a dark web search on yourself.