What Is Ransomware?

Ransomware is a type of malicious software (malware) that threatens to publish or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker. In many cases, the ransom demand comes with a deadline. If the victim doesn’t pay in time, the data is gone forever or the ransom increases.

Ransomware attacks have become all too common. Major companies in North America and Europe alike have fallen victim to it. Cybercriminals attack any consumer or business in any industry.

Several government agencies, including the FBI, advise against paying the ransom to keep from encouraging the ransomware cycle, as does the No More Ransom Project. Furthermore, half of the victims who pay the ransom will likely suffer from repeat ransomware attacks, especially if it’s not cleaned from the system.

Ransomware can be traced back to 1989 when the “AIDS virus” was used to extort funds from ransomware recipients. Payments for that attack were mailed to Panama, at which point a decryption key was sent back to the user.

In 1996, Columbia University’s Moti Yung and Adam Young introduced ransomware known as “cryptoviral extortion.” This idea, born in academia, illustrated the progression, strength, and creation of modern cryptographic tools. Young and Yung presented the first cryptovirology attack at the 1996 IEEE Security and Privacy Conference. Their virus contained the attacker’s public key and encrypted the victim’s files. The malware then prompted the victim to send asymmetric ciphertext to the attacker to decipher and return the decryption key—for a fee.

Attackers have grown creative over the years by requiring payments that are nearly impossible to trace, which helps cybercriminals remain anonymous. For example, the notorious mobile ransomware Fusob requires victims to pay using Apple iTunes gift cards instead of standard currencies, like dollars.

Ransomware attacks began to soar in popularity with the growth of cryptocurrencies, such as Bitcoin. Cryptocurrency is a digital currency that uses encryption techniques to verify and secure transactions and control the creation of new units. Beyond Bitcoin, there are other popular cryptocurrencies that attackers prompt victims to use, such as Ethereum, Litecoin, and Ripple.

Ransomware has attacked organizations in nearly every vertical, with one of the most famous viruses being the attacks on Presbyterian Memorial Hospital. This attack infected labs, pharmacies and emergency rooms, highlighting the potential damage and risks of ransomware.

Social engineering attackers have become more innovative over time. The Guardian wrote about a situation where new ransomware victims were asked to have two other users install the link and pay a ransom to decrypt their files.

The growing prevalence of ransomware has brought about increasingly complex ransomware attacks.

• Scareware: This common type of ransomware deceives users by displaying a fake warning message claiming malware has been detected on the victim’s computer. These attacks are often disguised as an antivirus solution demanding payment to remove the nonexistent malware.
• Screen lockers: These programs are designed to lock the victim out of their computer, preventing them from accessing any files or data. A message is typically displayed that demands payment to unlock it.
• Encrypting ransomware: Also called “crypto-ransomware,” this common ransomware encrypts the victim’s files and demands payment in exchange for a decryption key.
• DDoS extortion: A Distributed Denial of Service extortion threatens to launch a DDoS attack against the victim’s website or network unless a ransom payment is fulfilled.
• Mobile ransomware: As the name suggests, mobile ransomware targets devices like smartphones and tablets and demands payment to unlock the device or decrypt the data.
• Doxware: While less common, this sophisticated type of ransomware threatens to publish sensitive, explicit, or confidential information from the victim’s computer unless a ransom is paid.
• Ransomware-as-a-Service (RaaS): Cybercriminals offer ransomware programs to other hackers or cyber-attackers that use such programs to target victims.

These are just some of the most common types of ransomware. As cyber criminals adapt to cybersecurity strategies, they pivot to new and innovative ways to exploit vulnerabilities and breach computer systems.

By learning about the major ransomware attacks below, organizations will gain a solid foundation of their tactics, exploits, and characteristics. While ransomware codes, targets, and functions continue to vary, attack innovation is typically incremental.

• WannaCry: A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a kill switch was tripped to stop its spread. Proofpoint was involved in identifying the sample used to find the kill switch and deconstructing the ransomware. Learn more about Proofpoint’s involvement in stopping WannaCry.
• CryptoLocker: This was an early current-generation ransomware requiring cryptocurrency for payment (Bitcoin) and encrypted a user’s hard drive and attached network drives. CryptoLocker spread via an email with an attachment claiming to be FedEx and UPS tracking notifications. A decryption tool was released for this in 2014. But various reports suggest that upwards of $27 million was extorted by CryptoLocker.
• NotPetya: Considered one of the most damaging ransomware attacks, NotPetya leveraged tactics from its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows-based system. NotPetya targeted the same vulnerability as WannaCry to rapidly spread payment demands in Bitcoin to undo the changes. Some have classified it as a wiper since NotPetya cannot undo its changes to the master boot record and renders the target system unrecoverable.
• Bad Rabbit: Considered a cousin of NotPetya, using similar code and exploits to spread, Bad Rabbit was a visible ransomware that appeared to target Russian and Ukrainian media companies. Unlike NotPetya, Bad Rabbit did allow for decryption if the ransom was paid. Most cases indicated that it was spread via a fake Flash player update that impacted users via a drive-by attack.
• REvil: REvil is authored by a group of financially-motivated attackers. It exfiltrates data before encryption to blackmail targeted victims into paying if they choose not to send the ransom. The attack stemmed from compromised IT management software used to patch Windows and Mac infrastructure. Attackers compromised the Kaseya software used to inject the REvil ransomware onto corporate systems.
• Ryuk: Ryuk is a manually-distributed ransomware application mainly used in spear-phishing. Targets are carefully chosen using reconnaissance. Email messages are sent to chosen victims, and all files hosted on the infected system are then encrypted.

Aligned with the latest statistics, ransomware trends continue to evolve. Some of the most compelling trends worth noting include:

• Increased globalized threats
• More targeted and sophisticated attacks
• Growth in multistage extortion techniques
• Higher frequency of ransomware breaches
• Ransom prices plateau as security postures strengthen

Government intervention is another major trend that could shift how ransomware attacks are handled. Gartner predicts 30% of global governments will likely enact ransomware payment legislation by 2025.

The average discount on ransomware payments appears to be increasing as well. Based on the latest ransomware trends, victims can expect between 20% to 25% discount on ransom payments, with some seeing discounts of up to 60%.

Ransomware is a type of malware designed to extort money from its victims, who are blocked or prevented from accessing data on their systems. The two most prevalent types of ransomware are “encryptors” and “screen lockers.” Encryptors, as the name implies, encrypt data on a system, making the content useless without the decryption key. Screen lockers, on the other hand, simply block access to the system with a “lock” screen, asserting that the system is encrypted.

Figure 1: How Ransomware tries to trick a victim into installing it

Victims are often notified on a lock screen (common to both encryptors and screen lockers) to purchase a cryptocurrency, like Bitcoin, to pay the ransom fee. Once the ransom is paid, customers receive the decryption key and may attempt to decrypt files. Decryption is not guaranteed, as multiple sources report varying degrees of success with decryption after paying ransoms. Sometimes victims never receive the keys. Some attacks install malware on the computer system even after the ransom is paid and the data is released.

While initially focused on personal computers, encrypting ransomware has increasingly targeted business users, as businesses often pay more than individuals to unlock critical systems and resume daily operations.

Enterprise ransomware infections or viruses typically start with a malicious email. An unsuspecting user opens an attachment or clicks on a malicious or compromised URL.

At that point, a ransomware agent is installed and encrypts critical files on the victim’s PC and any attached file shares. After encrypting the data, the ransomware displays a message on the infected device explaining what happened and how to pay the attackers. If the victims pay, the ransomware promises they’ll get a code to unlock their data.

Any device connected to the internet risks becoming the next ransomware victim. Ransomware scans a local device and any network-connected storage, which means a vulnerable device makes the local network a potential victim. If the local network is a business, the ransomware could encrypt important documents and system files that could halt services and productivity.

If a device connects to the internet, it should be updated with the latest software security patches, and it should have anti-malware installed that detects and stops ransomware. Outdated operating systems such as Windows XP that are no longer maintained are at a much higher risk of being a target of cyber crime.

A business that falls victim to ransomware can lose thousands of dollars in productivity and data loss. Attackers with access to data blackmail victims into paying the ransom by threatening to release data and expose the data breach. Organizations that do not pay fast enough could experience additional side effects such as brand damage and litigation.

Since ransomware stops productivity, the first step is containment. After containment, the organization can either restore from backups or pay the ransom. Law enforcement gets involved in investigations, but tracking ransomware authors requires research time that delays recovery. Root-cause analysis identifies the vulnerability, but any delays in recovery impact productivity and business revenue.

With more people working from home, threat actors have increased their use of phishing. Phishing is a primary starting point for ransomware infection. The phishing email targets employees, both low- and high-privileged users. Email is inexpensive and easy to use, making it convenient for attackers to spread ransomware.

Documents are generally passed in email, so users think nothing of opening a file in an email attachment. The malicious macro runs, downloads ransomware to the local device and then delivers its payload. The ease of spreading ransomware in email is why it’s a common malware attack.

The availability of malware kits has also contributed to widespread ransomware attacks. These exploit kits scan devices for software vulnerabilities and deploy additional malware to further infect a device, producing malware samples on demand. Malware-as-a-service trends have fueled the popularity of these kits.

Sophisticated attacks might use ransomware with authors who build their own versions. Variants use the codebase from an existent ransomware version and alter just enough of the functions to change the payload and method of attack. Ransomware authors can customize their malware to perform any action and use a preferred encryption cipher.

Attackers are not always authors. Some ransomware authors sell their software to others or lease it for use. Ransomware can be leased as malware-as-a-service (MaaS), where customers authenticate into a dashboard and launch their own campaign. Therefore, attackers are not always coders and malware experts. They are also individuals who pay authors to lease their ransomware.

After ransomware encrypts files, it displays a screen to the user announcing files are encrypted and the ransom amount. Usually, the victim is given a specific period of time to pay or the ransom increases. Attackers also threaten to expose businesses and publicly announce that they were victims of ransomware.

The biggest risk of paying the ransom is never receiving the cipher keys to decrypt data. Most experts advise against paying the ransom to stop perpetuating the monetary benefits to attackers, but many organizations have no choice. Ransomware authors require cryptocurrency payments, so the money transfer cannot be reversed.

Authors constantly change code into new variants to avoid detection. Administrators and anti-malware developers must keep up with these new methods to detect threats quickly before propagating across the network. Here are a few new threats:

• DLL side loading. Malware attempts to avoid detection by using DLLs and services that look like legitimate functions.
• Web servers as targets. Malware on a shared hosting environment can affect all sites hosted on the server. Ransomware, such as Ryuk, targets hosted sites, mainly using phishing emails.
• Spear-phishing is preferred over standard phishing. Instead of sending malware to thousands of targets, attackers perform reconnaissance on potential targets for their high-privilege network access.
• Ransomware-as-a-Service (RaaS) lets users launch attacks without any cybersecurity knowledge. The introduction of RaaS has led to an increase in ransomware attacks.

A primary cause for the increase of threats using ransomware is remote work. The pandemic introduced a new way of working globally. An at-home workforce is much more vulnerable to threats. Home users do not have the enterprise-level cybersecurity necessary to protect from sophisticated attacks, and many of these users comingle their personal devices with work devices. Since ransomware scans the network for vulnerable devices, personal computers infected with malware can also infect network-connected business machines.

Prevention for ransomware attacks typically involves setting up and testing backups as well as applying ransomware protection in security tools. Security tools such as email protection gateways are the first line of defense, while endpoints are a secondary defense. Intrusion Detection Systems (IDSs) can detect ransomware command-and-control to alert for a ransomware system calling out to a control server. While user training is critical, it’s just one of several layers of defense to protect against ransomware. It typically comes into play after the delivery of ransomware via email phishing.

In case other ransomware preventative defenses fail, a fallback measure is to stockpile Bitcoin. This is more prevalent where immediate harm could impact customers or users at the affected organization. Hospitals and the hospitality industry are at particular risk of ransomware, as patients’ lives could be affected or people could be locked in or out of facilities.

How to Prevent Ransomware Attacks

• Defend your email against Ransomware: Email phishing and spam are the primary ways ransomware attacks are distributed. Secure Email Gateways with targeted attack protection are crucial for detecting and blocking malicious emails that deliver ransomware. These solutions protect against malicious attachments, malicious documents, and URLs in emails delivered to user computers.
• Defend your mobile devices against Ransomware: When used with mobile device management (MDM) tools, mobile attack protection products can analyze applications on user devices and immediately alert users and IT to any applications that might compromise the environment.
• Defend your web surfing against Ransomware: Secure web gateways can scan users’ web surfing traffic to identify malicious web ads that might lead them to ransomware.
• Monitor your server and network and back up key systems: Monitoring tools can detect unusual file access activities, viruses, network C&C traffic and CPU loads in time to block ransomware from activating. Keeping a full image copy of crucial systems can reduce the risk of a crashed or encrypted machine causing a critical operational bottleneck.

How to Remove Ransomware

• Call federal and local law enforcement: Just as someone would call a federal agency for a kidnapping, organizations must contact the same bureau for ransomware. Their forensic technicians can ensure systems aren’t compromised in other ways, gather information to better protect organizations going forward, and try to find the attackers.

Ransomware Recovery

• Learn about anti-ransomware resources: No More Ransom portal and Bleeping Computer provide tips, suggestions, and even decryptors for selected ransomware attacks.
• Restore data: If organizations have followed best practices and kept system backups, they can restore their systems and resume normal operations.