
Year 2023 and we still don’t know how to recognize ransomware

At the centre of recent headlines, ransomware is certainly one of the most talked-about cyber threats in Europe and around the world. Suffice it to say that, according to the “Verizon Data Breach Investigations Report,” ransomware attacks accounted for 25 per cent of all cyber breaches in 2022, one in four attacks worldwide. Ransomware affected 66 per cent of organizations in 2021, a 78 per cent increase over 2020 (“The State of Ransomware 2022” by Sophos), while the FBI’s Internet Crime Complaint Center received 3,729 reports of ransomware attacks in 2021, accounting for $49.2 million in financial losses.

The Cybersecurity and Infrastructure Security Agency also reported knowledge of ransomware incidents against 14 of 16 U.S. critical infrastructure sectors. So this is an extremely important issue not only from a cybersecurity perspective per se but also for the digital economy on which the bulk of global goods and services production is now based.

What is ransomware?

Ransomware is malware that uses encryption to hold a victim’s information hostage. A user’s or organization’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded in exchange for access, often in the form of Bitcoins, which are untraceable and destined for anonymous wallets. Ransomware is regarded as a threat capable of spreading across a network and targeting databases and file servers, quickly crippling an entire organization. Technically, at its heart is asymmetric encryption, which uses a key pair to encrypt and decrypt a file.

The attacker generates a unique public-private key pair for each victim; the private key needed to decrypt the files is stored on the attacker’s server and is made available to the victim only after the ransom is paid. However, as recent ransomware campaigns have shown, even that is not always the case. Without access to the private key, it is nearly impossible to decrypt the files held hostage.

Types of ransomware

There are three main types of ransomware: scareware, screen lockers, and cryptographic ransomware. Scareware, despite the name, is not so scary. It includes rogue security software and tech support scams. You might get pop-up messages stating that malware has been discovered and the only way to get rid of it is to pay. If you do nothing, you will probably continue to be bombarded with pop-ups, but your files are essentially safe. A legitimate computer security software program would not solicit clients in this way.

Screen locker: here the alert turns orange. When lock-screen ransomware gets onto the computer, you are completely locked out of the PC. When the system starts up, a full-screen window is displayed, often accompanied by an official-looking seal from the FBI or the U.S. Department of Justice, stating that illegal activity has been detected on the computer and a fine must be paid.

However, the FBI would not lock you out of your machine or demand payment for illegal activity. Anyone suspected of piracy, child pornography or other computer crimes would have to go through the appropriate legal channels first. Cryptographic ransomware: the worst. These are the viruses that take over files and encrypt them, demanding payment to decrypt them and hand them back. This type of ransomware is so dangerous because once the cybercriminals get hold of the files, no security software or system restore can return them to you. Unless you pay the ransom, most are gone. And even those who pay may not get back what they lost.

How is ransomware transmitted? The most common attacks

There are many variants of ransomware. Often, these threats are distributed through email campaigns or targeted attacks. The ransomware itself needs an attack vector to establish its presence on an endpoint. Once established, it remains on the system until its task is accomplished. After a successful exploit, the ransomware drops and executes a malicious binary on the infected system, which searches for and encrypts files. Ransomware can also exploit system and network vulnerabilities to spread to other systems and possibly entire organizations.
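As an added example (not code from the article), a defender-side heuristic in Python that flags files whose contents look freshly encrypted, the trace a cryptographic ransomware binary leaves after it "searches for and encrypts files": near-random bytes with no recognisable file header. The entropy cut-off and the header table are illustrative assumptions, and the sample files are constructed inline.

```python
"""Flag files that look encrypted: high byte entropy and no known header.
Thresholds and the header table below are assumptions for illustration."""
import math
from collections import Counter

# Formats that are legitimately high-entropy (compressed by design); skipping
# them cuts false positives. Assumed, deliberately short table.
KNOWN_HIGH_ENTROPY_HEADERS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"\x1f\x8b": "gzip",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per fleet


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for
    input in which every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_header(data: bytes):
    """Return the format name if the data starts with a known magic number."""
    for magic, name in KNOWN_HIGH_ENTROPY_HEADERS.items():
        if data.startswith(magic):
            return name
    return None


def looks_encrypted(data: bytes) -> bool:
    """True when content is near-random and carries no recognisable header."""
    if known_header(data):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan(files: dict) -> dict:
    """Verdict per file name for a batch of name -> bytes."""
    return {name: looks_encrypted(data) for name, data in files.items()}


# Constructed sample input: plain text, a deterministic stand-in for
# ciphertext (every byte value equally often), and a PNG-headed blob.
SAMPLE_FILES = {
    "report.txt": b"Quarterly report: revenue up 4%, costs flat. " * 20,
    "report.txt.locked": bytes(range(256)) * 16,
    "photo.png": b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4,
}

if __name__ == "__main__":
    for name, flagged in scan(SAMPLE_FILES).items():
        print(f"{name}: {'SUSPICIOUS' if flagged else 'ok'}")
```

In practice you would run this over the first few kilobytes of files modified in the last few minutes and alert on a burst of hits, and extend the header table to the compressed formats your users actually store (Office documents, for example, are zip containers).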

Ransomware attacks and their variants are rapidly evolving to counter security vendors’ preventive technologies through several ploys, including some technologically outdated ones that are still widely exploited. This is driven by the increasing availability of malware kits that can be used to create new samples on demand. The trend is towards ‘cross-platform’ threats that can attack different systems and software simultaneously. One example is Ransom32, which uses Node.js with a JavaScript payload. Then there are new techniques, such as encrypting the entire disk instead of selected files, and today criminals do not even have to be tech-savvy. Ransomware marketplaces are popping up all over the surface web and, especially, the dark web, offering malware strains to any would-be hacker and generating extra profits for malware authors, who often demand a percentage of the ransom proceeds.


Not surprisingly, there is a lot of talk about ransomware as a service. This very common business model allows malware developers to earn money from their creations without having to distribute the threats themselves. Attackers purchase the products and launch the infections, paying the developers a percentage of the profits. The developers take relatively little risk, since their ‘clients’ do most of the work. Some ransomware-as-a-service schemes use subscriptions, while others require registration to access the code.

How to remove ransomware

If a malicious user encrypts your device and demands a ransom, there is no guarantee that they will decrypt it whether you pay or not. That is why it is critical to be prepared before ransomware strikes. The two basic steps are installing security software and making backups.

If you do end up with a ransomware infection, the number one rule is never to pay the ransom. All that does is encourage cybercriminals to launch further attacks. One option for removing ransomware and recovering some encrypted files is to use free decryptors. To be clear, decryptors do not exist for every ransomware family, often because the ransomware uses advanced and sophisticated encryption algorithms. And even if a decryptor exists, it is not always clear whether it matches the version of malware involved. You must therefore pay close attention to the ransom note or seek advice from a security specialist before trying anything.

Other ways to handle a ransomware infection include downloading a security product known to deal with it, running a scan and removing the threat. You may not get your files back, but you will have a system cleaned of the infection. For screen lockers, a full system restore often does the trick. If that doesn’t work, you can try scanning from a bootable CD or USB drive. If the malware is still active after the restart, it will be unable to send or receive instructions from its command-and-control server, which means it may sit inactive without a key or a way to extract payment. At that point, simply download and install a security product and run a full scan.

Brief history of ransomware

Although ransomware has been constantly in the headlines in recent years, the idea of taking users’ files or computers hostage by encrypting them, blocking system access or other means, and then demanding a ransom to return them is quite old. In the late 1980s, criminals were already holding encrypted files hostage in exchange for money sent through the postal service. One of the first documented ransomware attacks was the AIDS trojan, released on floppy disk in 1989. Victims had to send $189 to a post office box in Panama to restore access to their systems, even though it was a simple virus using symmetric encryption.

Despite this long history, ransomware attacks did not become widespread in the following decade, probably because of the difficulty of collecting payment. The emergence of cryptocurrencies such as Bitcoin changed everything by providing an easy and untraceable way to receive payment from victims.

Virtual currencies created the opportunity for ransomware to become a lucrative business. To secure payment, some criminals went so far as to open call centres to provide technical support and help victims use Bitcoins, but that takes time and money. As Bitcoin began to gain mainstream appeal, ransomware developers adopted it as the only accepted method of payment.

Threat actors such as botnet operators were among the first to truly realize the potential of ransomware with advanced cryptography to extend their profits beyond traditional automated fraud. The people behind CryptoLocker had hit the jackpot, kicking off a new black market. This was the real turning point for the growth of the criminal sector. Within a few months, security researchers had found a conspicuous number of CryptoLocker clones, and so many of the world’s crackers were scrambling to get in on the action, flooding the dark web markets with their wares.

Antonino Caffo has been a journalist, particularly in technology, for fifteen years. He is interested in topics related to IT security as well as consumer electronics. Antonino writes for the most important Italian generalist and trade publications. You can sometimes see him on television explaining how technology works, which is not as trivial for everyone as it seems.