Ransomware is malicious software that prevents or limits access to a computer. The malware either locks the computer screen or encrypts the hard disk until the user pays a ransom to the ransomware owner via digital currency methods.
Typical Ransom Demands and Payment Methods
Ransom amounts vary depending on the type of ransomware and the prevailing exchange rate of the digital currency Bitcoin. Ransoms are also sometimes demanded in the form of iTunes or Amazon gift cards. One thing to note is that paying the ransom is no guarantee that the computer will be unlocked or decrypted.
Ransomware Attack Vectors and Behavior
Ransomware can attack computer systems via a number of routes. Unsuspecting users can visit infected websites and unknowingly download the software. It can also be packaged with other downloaded software. Many people have been infected by downloading email attachments or clicking links in emails. Ransomware is also known to be delivered through advertisements laced with malware. Most recently, the GoldenEye Petya virus payload was delivered through a software update of a common accounting application in Ukraine.
Once the ransomware infects a system, it either locks the computer if it’s a locker or encrypts the files if it’s crypto-ransomware. The victim has no access to the computer and risks incurring heavy losses or being greatly inconvenienced as a result.
There is also a third type of ransomware which is really more of “scareware”. Once it infects a computer, it displays a message showing fake antimalware scanning results and offers a bogus anti-ransomware solution.
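Crypto-ransomware, as described above, rewrites a victim's files as ciphertext, and the rewritten data has a property a defender can measure: it is statistically close to random. The following is an added example, not code from the original article, showing one heuristic an endpoint monitor could apply to file-write telemetry: flag a process that produces several near-random writes in a short window. The `WriteEvent` record format, the thresholds and the sample telemetry are all constructed for this example.

```python
"""Heuristic crypto-ransomware detector: near-random file writes in a burst.

Added example, not code from the original article. The WriteEvent format,
thresholds and sample telemetry below are constructed for illustration."""
import math
from collections import Counter
from dataclasses import dataclass

# Tuning values are assumptions for this example, not published figures.
ENTROPY_THRESHOLD = 7.2    # bits/byte; encrypted or compressed data sits near 8.0
BURST_WINDOW_SECONDS = 60  # how close together the writes must be
BURST_COUNT = 5            # how many near-random writes by one process trip the alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte: 0.0 for empty or constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class WriteEvent:
    """One file-write record from a hypothetical endpoint monitor (constructed format)."""
    ts: int         # seconds since epoch
    pid: int        # writing process
    path: str       # destination file
    content: bytes  # bytes written (a real monitor would sample the file head)


def is_near_random(ev: WriteEvent) -> bool:
    """True when the written bytes look like ciphertext or compressed data."""
    return shannon_entropy(ev.content) >= ENTROPY_THRESHOLD


def detect_bursts(events):
    """Map pid -> paths for every process that wrote BURST_COUNT or more
    near-random files within BURST_WINDOW_SECONDS.

    A single high-entropy write is normal (zip archives, media files, legitimate
    encryption), so the heuristic keys on the rate of such writes per process,
    which is what crypto-ransomware produces as it walks the disk."""
    per_pid = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if is_near_random(ev):
            per_pid.setdefault(ev.pid, []).append(ev)

    flagged = {}
    for pid, evs in per_pid.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window forward until it spans at most BURST_WINDOW_SECONDS.
            while evs[end].ts - evs[start].ts > BURST_WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                flagged[pid] = [e.path for e in evs[start:end + 1]]
                break
    return flagged


# Constructed sample telemetry. bytes(range(256)) repeated is uniformly
# distributed, so it stands in for ciphertext; it is not real malware output.
_CIPHERTEXT_LIKE = bytes(range(256)) * 4
_PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat. See attached tables.\n" * 16

SAMPLE_EVENTS = [
    WriteEvent(90, 1001, "C:/Users/ann/Documents/report.docx", _PLAINTEXT),
    WriteEvent(95, 2002, "C:/Users/ann/Downloads/photos.zip", _CIPHERTEXT_LIKE),  # one legitimate archive
] + [
    WriteEvent(100 + 5 * i, 4242, f"C:/Users/ann/Documents/file{i}.docx.locked", _CIPHERTEXT_LIKE)
    for i in range(6)
]

if __name__ == "__main__":
    for pid, paths in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT pid {pid}: {len(paths)} near-random writes in {BURST_WINDOW_SECONDS}s, e.g. {paths[0]}")
```

Run against the constructed telemetry, only process 4242 is flagged: process 1001 writes ordinary text and process 2002 writes a single archive, which is high-entropy but not a burst. The heuristic says nothing about the locker and MBR-corrupting variants the article also mentions, since those do not leave a trail of rewritten user files; in practice it would be one signal among several, tuned against the write patterns of backup and compression tools on the host.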
A Brief History of Ransomware
The earliest case of ransomware can be traced back to 1989. A rudimentary virus was delivered via floppy disks, and users had to send payment to a PO Box address in Panama. The modern types of ransomware were first seen in Russia in 2005. This was detected as TROJ_CRYZIP.A. The virus zipped certain types of files and then overwrote the original files; only password-protected zip files were left on the computer. The program also generated a text file containing a ransom note.
Early ransomware only encrypted certain popular file types such as .doc, .xls, .jpg, .PDF and other common file extensions. These days ransomware will typically encrypt the entire hard disk. Ransomware variants that corrupt the Master Boot Record are also quite common these days. Once this is done, the operating system fails to load and a ransom note is displayed in its place.
Though ransomware was popularized in Russia, it soon spread to other parts of the world. By March 2012, ransomware had spread all across Europe and North America. There have been many vectors and ransomware variants over the years, ranging from website infection to ransomware that impersonates law enforcement agencies. Crypto lockers and crypto ransomware emerged in 2013 and use Bitcoin as a payment method for ransom.
The Worst Attacks to Date
Though there have been some pretty bad attacks over recent years, none is worse than the WannaCry attack of May 2017 and the most recent GoldenEye Petya attack of June 2017. Both attacks made use of exploits stolen and leaked from the NSA. The WannaCry attack would have been far worse had it not been stopped accidentally by a group of researchers who registered a domain that the malware needed to stage attacks. By the time it was stopped, thousands of companies and millions of people had already been infected.
With all the leaks that have emanated from the NSA and CIA, one can only expect attacks to get worse as criminals take advantage of these leaked tools. Software companies are moving fast to patch the exploits, but users are usually not as fast in installing updates. For example, Microsoft had already issued an update for the WannaCry attack after the NSA exploit was revealed, but millions of people around the globe had not applied it. Ransomware is also very profitable for criminals because most people prefer to pay the small amounts demanded rather than hiring a computer professional to fix the problem.
There isn’t a 100% foolproof ransomware solution. The solution to preventing infection lies in a multi-pronged approach that minimizes the risk of infection and mitigates the severity in the event of infection.
The first thing to do before anything else is to back up your data using the 3-2-1 rule. That is, three backup copies on two different media with one copy in a different location. Thus, you could, for example, have two external hard drives and a cloud backup solution.
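The 3-2-1 rule is easy to state and easy to drift away from as drives get reshuffled. As an added example, not code from the original article, here is a small checker that takes an inventory of backup copies and reports which part of the rule fails. The `BackupCopy` record and the sample inventories are constructed; the extra "offline" warning is an assumption of this example rather than part of the rule as the article states it.

```python
"""3-2-1 backup inventory checker.

Added example, not code from the original article. The inventory format
and the sample inventories are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str     # kind of storage, e.g. "external-hdd", "cloud", "tape"
    location: str   # where the copy physically sits
    offline: bool   # disconnected from the host when not in use


def check_321(copies, primary_location):
    """Evaluate an inventory against the 3-2-1 rule from the text:
    three copies, on two different media, one of them somewhere else.

    Returns a dict with one flag per rule, a `gaps` list explaining any
    failure, and `warnings` for the extra offline check (an assumption of
    this example, not part of the rule as stated: a backup that stays
    mounted can be encrypted along with the originals)."""
    media = {c.medium for c in copies}
    offsite = [c for c in copies if c.location != primary_location]
    result = {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": len(offsite) >= 1,
        "gaps": [],
        "warnings": [],
    }
    if not result["three_copies"]:
        result["gaps"].append(f"only {len(copies)} copies, need 3")
    if not result["two_media"]:
        result["gaps"].append(f"all copies on one medium ({', '.join(sorted(media)) or 'none'}), need 2")
    if not result["one_offsite"]:
        result["gaps"].append(f"no copy outside {primary_location}")
    if not any(c.offline for c in copies):
        result["warnings"].append("no offline copy; a mounted backup is reachable by the same malware")
    result["compliant"] = not result["gaps"]
    return result


# Constructed inventories.
TEXT_EXAMPLE = [   # the article's own example: two external drives plus cloud
    BackupCopy("drive-a", "external-hdd", "home-office", offline=True),
    BackupCopy("drive-b", "external-hdd", "home-office", offline=False),
    BackupCopy("cloud",   "cloud",        "provider-region", offline=False),
]
SAME_ROOM = [      # three copies, but all local and all on one kind of medium
    BackupCopy("drive-a", "external-hdd", "home-office", offline=False),
    BackupCopy("drive-b", "external-hdd", "home-office", offline=False),
    BackupCopy("drive-c", "external-hdd", "home-office", offline=False),
]
CLOUD_ONLY = [BackupCopy("cloud", "cloud", "provider-region", offline=False)]

if __name__ == "__main__":
    for name, inv in [("text example", TEXT_EXAMPLE), ("same room", SAME_ROOM), ("cloud only", CLOUD_ONLY)]:
        r = check_321(inv, primary_location="home-office")
        status = "OK" if r["compliant"] else "GAPS: " + "; ".join(r["gaps"])
        extra = f" | warn: {'; '.join(r['warnings'])}" if r["warnings"] else ""
        print(f"{name:12s} {status}{extra}")
```

The article's own layout (two external drives plus cloud) passes all three parts of the rule. Three drives in the same room pass the "three" but fail both "two" and "one", and a lone cloud copy fails "three" and "two" even though it is offsite; the checker names each gap so the fix is obvious.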
The next step is to install an antivirus with anti-ransomware protection. Finally, practice good computer hygiene by not opening unverified emails or clicking links in them. Update your software regularly and avoid bad Internet neighborhoods such as porn sites and dark web forums.