What is Ransomware?

Table of contents

  1. How does ransomware work?
  2. Who is a target for ransomware attacks?
  3. What are the different types of ransomware?
  4. What makes ransomware different to other forms of malware?
  5. Should you pay ransomware?
  6. How to prevent ransomware
  7. How to remove ransomware
  8. Why is ransomware not detected by antiviruses?
  9. How does ransomware impact my business
  10. Is ransomware on the decline?
  11. Notable ransomware examples
  12. Ransomware timeline infographic
  13. How UpGuard can help protect your organization from ransomware

1. How does ransomware work?

  • Social engineering and phishing: Ransomware spreads by tricking users into downloading an infected email attachment that masquerades as a file from a colleague or boss.
  • Malvertising: Malvertising uses an infected iframe or invisible page element to spread ransomware. The iframe redirects to a page that executes malicious code or an exploit kit, performing a drive-by download without the user's knowledge.
  • Vulnerabilities: More aggressive forms of ransomware, like WannaCry, exploit vulnerabilities to infect computers without any user action.

2. Who is a target for ransomware attacks?

3. What are the different types of ransomware?

  1. Scareware: Scareware is fake security software that claims malware is on the computer. The end user receives a pop-up that demands payment for removal. If payment isn't made, the pop-ups continue, but files are generally safe. Real antimalware/antivirus software already monitors for malware attacks, and it will not make you pay to have an infection removed.
  2. Screen lockers: Screen lockers lock you out of your computer. The ransomware replaces the login screen with a screen demanding payment, often bearing the FBI's or another law enforcement agency's logo. No law enforcement agency will freeze you out of your computer or demand payment for an illegal activity; they go through appropriate legal channels.
  3. Encryption ransomware: Encryption ransomware encrypts your files and demands payment to decrypt them. This is the type of ransomware with the highest cybersecurity risk. It is hard to regain access to encrypted files: the only ways are to pay the ransom or to use a decryption tool, and even if you do pay the ransom, there is no guarantee the attacker will decrypt your files.
  4. Mobile ransomware: The popularity of mobile devices has led to the development of mobile ransomware. It often targets Android because, unlike Apple's iPhone operating system, Android allows installation of third-party applications.

4. What makes ransomware different to other forms of malware?

5. Should you pay ransomware?

6. How to prevent ransomware

  • No single point of failure: Whether the threat is ransomware, hardware failure, database error or something else, if your data is important it should be backed up in at least one other secure location.
  • Automate the provisioning process: If an asset is taken down by ransomware or anything else, you should be able to return it to a working state as soon as possible.
  • Patch everything: Keep your systems up to date to avoid known exploits.
  • Security awareness training: It's easier to prevent malware infections than to reverse them. Don't install software you don't trust, and don't give administrative privileges to every employee.
  • Antivirus software: Antivirus software like Kaspersky or McAfee can detect known ransomware families, and whitelisting software can prevent unauthorized applications from executing in the first place.
  • Backup solutions: In the event of a ransomware infection, it's essential to have data backed up. If your data is backed up and safe, your organization can quickly recover from an attack. Use an online storage solution such as Google Drive or Dropbox and/or an external hard drive backup for all important files.

7. How to remove ransomware

8. Why is ransomware not detected by antiviruses?

9. How does ransomware impact my business

10. Is ransomware on the decline?

11. Notable ransomware examples

  • WannaCry: The WannaCry ransomware cryptoworm targets computers running the Microsoft Windows operating system. It was initially released on 12 May 2017. The ransomware encrypted data and demanded a ransom of $300 to $600, paid in the cryptocurrency Bitcoin. WannaCry is also known as WannaCrypt, WCry, Wana Decrypt0r 2.0, WanaCrypt0r 2.0 and Wanna Decryptor.
  • Ryuk: Ryuk is operated by GRIM SPIDER, a sophisticated cybercrime group that targets large enterprises for high ransom payments. GRIM SPIDER has made millions of dollars from Ryuk from about 50 ransom payments. Ryuk is generally spread through phishing emails or via Emotet's geo-based download function.
  • SamSam: SamSam emerged in 2016 and targets JBoss servers. It spreads by exploiting known vulnerabilities rather than through social engineering. It uses Remote Desktop Protocol and brute force attacks to guess weak passwords. Notable victims include the town of Farmington in New Mexico, the Colorado Department of Transportation, Davidson County in North Carolina and the infrastructure of Atlanta. Two Iranians are wanted by the FBI for allegedly launching SamSam, with estimates of $6 million gained from extortion and over $30 million in damages caused.
  • CryptoLocker: CryptoLocker was active from 5 September 2013 to late May 2014. The attack utilized a trojan to target computers running Windows and propagated via infected email attachments and an existing Gameover ZeuS botnet. Once activated, the malware encrypted certain files stored on local and mounted network drives using RSA public-key cryptography and stored the private key on the malware's control servers. It then displayed a message offering to decrypt the data if a payment was made through Bitcoin or a prepaid cash voucher by a deadline, and threatened to delete the key if payment was not made in time. Ransom payment did not always lead to decryption.
  • TeslaCrypt: TeslaCrypt is a now-defunct ransomware trojan; its master key was released by its developers. In its early forms, TeslaCrypt targeted game-play data for specific video games such as Call of Duty, World of Warcraft, Minecraft and World of Tanks. The malware infected computers via the Angler Adobe Flash exploit.
  • Locky: Locky was released in 2016 and spread via an email claiming that an invoice required payment, with an attached Microsoft Word document that contained malicious macros. Once the user opened the document, it appeared to be full of garbage and included the phrase "Enable macro if data encoding is incorrect", a form of social engineering. If the user enabled macros, the document would save and run a binary file that downloaded the actual encryption trojan and encrypted all files with a particular extension.
  • Reveton: Reveton pretends to be from the police and prevents the user from accessing their computer, claiming the computer has been locked by a local law enforcement agency. It is commonly referred to as the "Police Trojan" and informs users that they must pay a fine to unlock their systems. To increase the illusion that the computer is being tracked by law enforcement, the screen displays the computer's IP address and often the webcam feed, to give the impression that the user is being recorded.
  • Bad Rabbit: Bad Rabbit followed a similar pattern to WannaCry and was distributed by a bogus update to Adobe Flash. Interfax, Odessa International Airport, Kiev Metro and the Ministry of Infrastructure of Ukraine were all affected by Bad Rabbit. Experts believe the ransomware is tied to the Petya attack in Ukraine because Bad Rabbit's code has many overlapping similarities to the code of Petya/NotPetya.
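The Locky entry above describes the macro-bearing Word attachment that started the infection. As an added example (not part of the original article or any UpGuard tool), the script below triages an attachment the way a mail gateway or SOC script could: modern Office files are ZIP packages, and one that carries VBA has a part named vbaProject.bin, while legacy .doc/.xls files begin with the OLE2 magic bytes. The sample documents are constructed in memory; file names and verdict labels are the author's own.

```python
import io
import zipfile

# Added example: flag e-mail attachments that carry Office macros, the lure the
# Locky campaign used. OOXML files (.docx/.docm/.xlsx/...) are ZIP packages; one
# holding VBA code has a part named */vbaProject.bin. Legacy binary formats
# (.doc/.xls) start with the OLE2 magic and can also hold macros.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_FREE_EXTS = {".docx", ".xlsx", ".pptx"}  # Office will not run macros from these
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def triage_attachment(filename: str, data: bytes) -> dict:
    """Verdict: 'macro', 'clean', 'ole2_needs_inspection' or 'not_office'; 'mismatch' marks VBA behind a macro-free extension."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"file": filename, "verdict": "not_office", "mismatch": False}
    if data.startswith(OLE2_MAGIC):  # .doc/.xls: hand to a VBA parser such as oletools
        result["verdict"] = "ole2_needs_inspection"
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return result
    if "[Content_Types].xml" not in names:  # a ZIP, but not an OOXML package
        return result
    has_vba = bool(names & VBA_PARTS)
    result["verdict"] = "macro" if has_vba else "clean"
    result["mismatch"] = has_vba and ext in MACRO_FREE_EXTS
    return result

def make_ooxml(with_vba: bool) -> bytes:
    """Build a minimal constructed OOXML package for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"constructed VBA blob")
    return buf.getvalue()

# Constructed samples: invoice-themed macro document, benign document, macro part
# smuggled into a .docx, legacy .doc header, and a non-Office file.
SAMPLES = {
    "invoice.docm": make_ooxml(True),
    "report.docx": make_ooxml(False),
    "invoice.docx": make_ooxml(True),
    "old_invoice.doc": OLE2_MAGIC + b"\x00" * 504,
    "notes.txt": b"not an office file",
}
```

Run `for n, b in SAMPLES.items(): print(triage_attachment(n, b))` to see the verdicts; in production the 'macro' and 'mismatch' cases would be quarantined rather than delivered to the user who is then asked to "enable macros".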

12. Ransomware timeline infographic

History of Ransomware

13. How UpGuard can help protect your organization from ransomware

UpGuard

https://www.upguard.com — UpGuard combines third-party security ratings, vendor questionnaires, and threat intelligence in a single cyber risk solution.