What is ransomware? Ransomware definition
Ransom malware, or ransomware, is malware that blocks users’ access to their files or systems and demands a ransom payment before access is restored. Ransomware was first developed in the late 1980s, when the payment was sent by snail mail. Today’s ransomware authors demand payment via cryptocurrency or credit card. Attackers target individuals, businesses, and organizations of every kind. Some ransomware authors sell the service to other cybercriminals, an arrangement known as Ransomware-as-a-Service (RaaS).
How does ransomware infect a computer?
Ransomware can infect your computer in many different ways. One of the most common methods today is malicious spam, or malspam: unsolicited email used to deliver malware. The email may carry booby-trapped attachments, such as Word documents or PDFs, or links to malicious websites.
Malspam uses social engineering to trick people into opening attachments or clicking on links by appearing legitimate, whether by seeming to come from a trusted institution or from a friend. Cybercriminals also use social engineering to scam users into paying to unlock their files.
Another popular infection method, which reached its peak in 2016, is malvertising, also known as malicious advertising. It uses online advertisements to spread malware without any user interaction. Users can browse the internet, even legitimate websites, and be redirected to criminal servers without ever clicking an ad. These servers collect information about the victims’ computers and their locations and then choose the most appropriate malware to deliver. Often, that malware is ransomware.
Malvertising uses infected iframes, invisible web elements, to do its work. The iframe redirects to an exploit landing page, and from there an exploit kit attacks the system with malicious code. All of this happens without the user’s knowledge, which is why it’s often referred to as a drive-by download.
Different types of ransomware
There are three main types of ransomware, ranging in severity from mildly annoying to Cuban-Missile-Crisis dangerous:
Scareware: as it turns out, scareware isn’t that scary. It includes scams and rogue security software. A pop-up message appears claiming that malware has been discovered and that you must pay to remove it. If you do nothing, you will likely be bombarded with more pop-ups, but your files remain safe.
This is not how a legitimate cybersecurity program would solicit customers. If you didn’t already have the company’s software installed on your computer, it wouldn’t be monitoring you for ransomware infection. And if you do have security software, you don’t need to pay to have the infection removed.
Screen lockers: these guys warrant an upgrade to terror alert orange. Lock-screen ransomware locks you out of your computer entirely. When you start the computer, a full-size window appears, often bearing a seal from the FBI or the US Department of Justice, stating that illegal activity was detected on your computer and that you must pay a fine. The FBI will not block your access to your computer or demand payment; if it suspected you of child pornography, piracy, or any other cybercrime, it would pursue the proper legal channels.
Encrypting ransomware: this is the really nasty stuff. These guys encrypt your files, then demand payment to decrypt and return them. This type is the most dangerous because once cybercriminals have encrypted your files, no security software or system restore can bring them back. Unless you pay the ransom, they are gone, and even if you pay, there is no guarantee the cybercriminals will return your files.
In 2021, there were several major ransomware incidents. Malwarebytes Labs publishes the most recent news about ransomware and ransomware attacks.
History of ransomware attacks
The first ransomware, known as PC Cyborg or AIDS, was created in the late 1980s. After 90 reboots, PC Cyborg would encrypt the files in the C directory and demand that the user renew their license by sending $189 by mail to PC Cyborg Corp. The encryption was easy enough to reverse, so it posed little threat to computer-savvy users.
Very few ransomware variants appeared over the next decade. A true ransomware threat wouldn’t arrive until 2004, when GpCode used weak RSA encryption to hold personal files hostage.
WinLock was the first ransomware to encrypt files and block people from their computers. WinLock took over the victim’s screen and displayed pornographic images, then demanded payment via SMS to remove them.
A new type of ransomware arrived in 2012 with the Reveton ransomware family: law enforcement ransomware. Victims were locked out of their computers and shown an official-looking page bearing the credentials of law enforcement agencies such as the FBI or Interpol. The ransomware claimed that the victim had committed a crime such as hacking computers, downloading illegal files, or being involved in child pornography. Most law enforcement ransomware families demanded a fine of between $100 and $3,000, paid with a prepaid card such as UKash or PaySafeCard.
Average users didn’t know what to think and believed they really were under investigation by law enforcement. Implied guilt is a social engineering tactic that makes users question their own innocence; rather than be called out, victims paid the ransom to make it all go away.
In 2013, CryptoLocker reintroduced the world to encrypting ransomware, only this time it was far more dangerous. CryptoLocker used military-grade encryption and kept the key needed to unlock files on a remote server, so users could not retrieve their data without paying the ransom. This type of encrypting ransomware is still in use today and has proven to be a very effective tool for cybercriminals to make money. Large-scale outbreaks such as WannaCry in May 2017 and Petya in June 2017 ensnared users and businesses around the world.
Ryuk emerged on the ransomware stage in late 2018 with a series of attacks against American news publications, North Carolina’s Onslow Water and Sewer Authority, and a host of other targets. In an interesting twist, the targeted systems were first infected with TrickBot or Emotet, information-stealing Trojans that are now being used to distribute other types of malware, such as Ryuk. Adam Kujawa, Director of Malwarebytes Labs, speculates that TrickBot and Emotet are being used to identify high-value targets: once an infected system is flagged as worthwhile, Emotet/TrickBot re-infects it with Ryuk.
Recent news has revealed that the Sodinokibi ransomware, an alleged offshoot of GandCrab, was being spread through managed service providers (MSPs). In August 2019, many dental offices across the country discovered they could no longer access patient records. In this instance, attackers used a compromised MSP to infect up to 400 dental offices that were using its record-keeping software.
Ransomware for Mac
The ransomware infected an app called Transmission that, when launched, copied malicious files which ran quietly in the background for three days before detonating and encrypting files. Apple’s anti-malware program XProtect was updated to block the ransomware from infecting users’ systems, but Mac ransomware had been proven to be real.
Mobile ransomware
It wasn’t until the height of CryptoLocker and similar families in 2014 that ransomware was seen on a large scale on mobile devices. Mobile ransomware usually displays a message stating that the device has been locked because of some illegal activity and that it will be unlocked once a fee is paid. Mobile ransomware is commonly delivered through malicious apps. To regain access to your phone, boot it into safe mode and remove the malicious app.
Who do ransomware authors target?
When ransomware was first introduced, and then reintroduced, its initial victims were individuals (aka regular people). Cybercriminals realized its true potential when they began distributing ransomware to businesses. Ransomware proved so effective against businesses, halting productivity and costing them data and revenue, that most of its authors turned their attacks on them. By the end of 2016, 12.3 percent of global enterprise detections were ransomware, compared with only 1.8 percent of consumer detections worldwide. By 2017, 35 percent of ransomware attacks still focused on Western markets, with the UK, US, and Canada ranking as the top three targeted countries, respectively. Like other threat actors, ransomware authors look for areas with high PC adoption and relative wealth. Expect ransomware and other malware to increase as emerging markets in Asia and South America ramp up their economic growth.
What should I do if I get infected?
If you are infected by ransomware, the number one rule is not to pay the ransom. (This advice is now endorsed by the FBI.) Paying only encourages cybercriminals to launch more attacks against you or someone else. However, you may be able to retrieve some encrypted files using free decryptors.
Let’s be clear: not every ransomware family has had a decryptor created for it, because in many cases the ransomware uses advanced encryption algorithms. Even where a decryptor exists, it is not always obvious whether it is for the correct version of the malware, and using the wrong decryption program can scramble your files further. So before you try anything, pay close attention to the ransom message itself.
You can also download ransomware-removal software and run a scan to get rid of the threat. You may not be able to recover your files, but the infection will be removed. For screen-locking ransomware, a complete system restore may be necessary; if that fails, try running a scan from a bootable USB drive or CD.
If you want to stop an encrypting ransomware attack in its tracks, you must be vigilant. If you notice your system slowing down for no apparent reason, shut it down and disconnect it from the internet. If the malware is still active when you boot back up, it will be unable to send or receive instructions from its command-and-control server, and without a key or a way to extract payment it may stay idle. You can then download and install security software and run a complete scan.
How can I avoid ransomware?
First, make regular backups of all your data, even though it can be a chore. We recommend cloud storage with multi-factor authentication and strong encryption. You can also save files to USB drives or an external hard drive, but be sure to physically disconnect the devices after backing up; otherwise, ransomware can infect them too.
Make sure your software and systems are up to date. The WannaCry ransomware exploited a vulnerability in Microsoft software. The company released a patch that closed the security loophole in March 2017, but many people didn’t install the update, which left them vulnerable to attack. Keeping up with the ever-growing number of updates for the software and apps you use every day can be difficult, so we recommend changing your settings to allow automatic updates.
Stay informed. One of the most common ways computers are infected with ransomware is through social engineering. Educate yourself (and your employees, if you’re a business owner) on how to detect malspam, suspicious websites, and other scams. And use common sense: if something seems suspect, it probably is.
What does ransomware do to my business?
GandCrab and SamSam are both ransomware families that hit businesses hard. In fact, ransomware attacks on businesses rose 88% in the second half of 2018 as cybercriminals pivoted away from consumer-focused attacks. Cybercriminals know that big business means big payoffs, and they target hospitals and government agencies as well as commercial institutions. All told, the average cost of a data breach, including remediation, penalties, and ransomware payouts, works out to $3.86 million.
The majority of recent ransomware cases have been identified as GandCrab. First detected in January 2018, GandCrab has been through multiple versions since then, as its authors make it harder to detect and strengthen its encryption. It’s estimated that GandCrab has already raked in somewhere around $300 million in paid ransoms, with individual ransoms set from $600 to $700,000.
In another notable attack, in March 2018, the SamSam ransomware crippled the City of Atlanta by knocking out several essential city services, including revenue collection and the police record-keeping system. All told, the SamSam attack cost Atlanta $2.6 million to remediate.
Given the recent spate of ransomware-related attacks and the high cost involved with them, it is now a great time to start thinking about how you can protect your business. We’ve covered the topic in great detail previously but here’s a quick gloss on how to protect your business from malware.
- Back up your data. If you have backups, recovering from a ransomware attack is as simple as restoring your systems. Ransomware can infect network shares, so scan your backups too. You would be wise to keep your backups on a secure cloud storage server with multi-factor authentication and strong encryption.
- Update and patch your software. Ransomware relies on exploit kits to gain unauthorized access to systems or networks (GandCrab, for example). As long as the software across your network is up to date, exploit-based ransomware attacks can’t hurt you. If your business runs on outdated or unsupported software, you are at risk of ransomware, because the software makers no longer release security updates for it. Get rid of abandonware and replace it with software that is still supported by its manufacturer.
- Educate your end users about malspam and strong passwords. Cybercriminals are using Emotet, a former banking Trojan, to deliver ransomware. Emotet relies on malspam to infect end users and gain a foothold on your network; once inside, it spreads from system to system using a list of common passwords. Teaching your end users how to spot malspam and requiring multi-factor authentication will keep them, and your network, safer.
- Invest in cybersecurity technology. Malwarebytes Endpoint Detection and Response, for example, provides detection, response, and remediation capabilities across your entire network via one convenient agent. You can also request a free trial of Malwarebytes anti-ransomware technology to learn more about our ransomware protection.
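The “scan your backups” advice above is easier to act on with an integrity manifest. As an added example (not code from the original article or from Malwarebytes), the Python below records a SHA-256 per file when a backup is taken, stores that manifest off the share, and later reports files that were modified, removed, or replaced by renamed copies before anyone restores from them. The sample file contents are constructed.

```python
import hashlib

# Constructed stand-in for a backup share: relative path -> file bytes.
SAMPLE_BACKUP = {
    "invoices/2018-03.pdf": b"%PDF-1.4 sample invoice",
    "records/patients.db": b"SQLite format 3\x00 sample rows",
    "README.txt": b"offline backup set, do not edit",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Digest every file at backup time. Keep the result off the share,
    otherwise ransomware that reaches the share can rewrite it as well."""
    return {name: sha256(data) for name, data in files.items()}


def verify_backup(files: dict, manifest: dict) -> dict:
    """Compare the current backup set against the trusted manifest.
    modified: content changed (e.g. encrypted in place)
    missing: recorded file gone (e.g. renamed with a new extension)
    unexpected: file not in the manifest (renamed copies, ransom notes)"""
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, digest in manifest.items():
        if name not in files:
            report["missing"].append(name)
        elif sha256(files[name]) != digest:
            report["modified"].append(name)
    report["unexpected"] = [n for n in files if n not in manifest]
    return report


def is_clean(report: dict) -> bool:
    return not any(report.values())


def tampered_demo() -> dict:
    """Simulate what an infected share looks like: one file encrypted in
    place, one renamed with a new extension, one ransom note dropped."""
    manifest = build_manifest(SAMPLE_BACKUP)
    share = dict(SAMPLE_BACKUP)
    share["invoices/2018-03.pdf"] = b"\x8f\x13opaque ciphertext\x00"
    share["records/patients.db.locked"] = share.pop("records/patients.db")
    share["HOW_TO_DECRYPT.txt"] = b"constructed ransom note text"
    return verify_backup(share, manifest)
```

Run `verify_backup` against the manifest before every restore and, if `is_clean` is false, restore from an older offline copy instead.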
What should you do if ransomware has already infected your computer? No one wants to deal with ransomware after the fact, but if you’re already infected, these are your options:
- Check whether a decryptor exists. In some cases you may be able to decrypt your data without paying, but ransomware threats are constantly evolving with the aim of making your files harder to decrypt.
- Don’t pay the ransom. We’ve long advocated not paying the ransom, and the FBI (after some back and forth) agrees. Cybercriminals have no scruples, and there is no guarantee you’ll get your files back. By paying the ransom, you’re also showing cybercriminals that ransomware attacks work.