What is ransomware?
There are so many different malware versions out there, including trojans, viruses, and worms, but ransomware is a particularly nasty one that can cause businesses no end of problems. So, what do you need to know about it?
Read on for a potted history of ransomware, some examples of ransomware families, and information on how ransomware can get into a system.
What is ransomware, and how does it work?
As the name suggests, ransomware is a type of malware that encrypts your files, leaving you no way to access them, while the cybercriminal behind it demands a ransom to unlock them. Another variant is for the attacker to steal your sensitive data and threaten to post it on the internet for all to see unless you pay.
While ransomware has been in the news a lot since around 2010, the idea of ransomware, and its very first recorded use, goes back to the 1980s: in 1989 criminals distributed the AIDS trojan, also known as the PC Cyborg Virus, via floppy disk. Anyone caught by this virus had to send a ransom payment to a PO box in Panama to regain access to their files.
What kicked ransomware into high gear was the advent of Bitcoin and other cryptocurrencies in 2010. The arrival of cryptocurrency made it much easier for criminals to receive payments instantly without needing a physical address or a PO box to collect them.
Later ransomware uses much stronger encryption than those first attempts, leaving infected businesses with a serious problem: without the encryption key, they cannot regain access to their data.
Today, rather than sending out random attacks with no idea who they will infect, organised cybercriminals are more likely to use what's known as Big Game Hunting (BGH): targeting large companies with big budgets in the hope of huge payoffs.
What causes a ransomware attack?
One of the most common ways of delivering ransomware is via phishing spam. We're all familiar with spam as thoroughly annoying unwanted email, but some spam carries a further trick: unsafe attachments, often in a message disguised as coming from someone you know or from a well-known company. These attachments contain either the malware itself or a link to a site hosting the ransomware, and once you open them, that's it. Attackers can take over your computer, download data and encrypt your files.
You'll then receive a message explaining that the attacker has locked your files and that you won't be able to open them without a decryption key. This key can, of course, be obtained by paying the attacker large sums in Bitcoin or another cryptocurrency. There is no guarantee, though, that you'll get your files back, that the attacker will delete any data they downloaded, or that they won't keep asking for more money to stop your data being published on the internet. This variant of ransomware is known as doxware or leakware.
Some types of ransomware exploit system weaknesses directly, without users needing to click on anything.
Yet another variant is for attackers to claim to be from the police or another law enforcement agency. They might claim they are shutting down your computer because of pirated software or other illegal activity and attempt to make you pay a 'fine'.
What are examples of ransomware?
Brits will likely remember the ransomware attack on the National Health Service in 2017. This attack was due to the WannaCry ransomware, which gained a hold by attacking older PCs running Windows. WannaCry was designed to exploit a vulnerability in Windows, but the NHS machines affected hadn't been updated with the patch from Microsoft that would have closed the vulnerability. The malware followed the familiar pattern of encrypting files and then posting a message demanding a ransom in Bitcoin.
Petya is very similar to WannaCry in that it blocks access to your files and demands a ransom, but it works differently. With this ransomware, your files aren't actually encrypted at all. Instead, Petya overwrites your computer's master boot record and encrypts the master file table. That might not sound so bad, but it means your computer can no longer find your files, unless, of course, you risk paying the ransom and wait to see whether you get them back.
These criminals don't bother with small companies or companies that can't afford a hefty ransom. They aim for vulnerable targets, like hospitals, that can't afford to wait to regain access to their systems, and the ransoms are enormous, ranging from £100,000 to £500,000, and sometimes more.
Ryuk works differently again, beginning with an initial infection by the Trickbot trojan. It appears that the attackers use Trickbot to gain entry to a company's network and judge whether a follow-up attack is worth it. If so, the attackers then work manually to compromise as many systems as possible within the organisation, so that when Ryuk is finally deployed, its file encryption has maximum impact.
For more information on how to deal with ransomware, the National Cyber Security Centre has a handy guide to walk you through how to protect your business, what to do if your systems become infected, and who you can report a ransomware attack to.