But this isn’t any new type of cyber risk; ransomware has been around since the late ’80s. It all started in 1989, when evolutionary biologist Dr. Joseph Popp created PC Cyborg Trojan, better known as the AIDS Trojan. He infected 20,000 diskettes with it and sent them around the world, presenting it as a program to provide information on AIDS. Once the infected computer had been booted several times however, it encrypted the names of all the files on C: and asked users to pay $189 to regain access to their files.
While Popp wasn’t very good at hiding the decryption key (easily obtained from the Trojan’s code), the door was opened for extortion attacks. In 1996 public key cryptography was introduced to ransomware but it wasn’t until 2005 that we saw this type of cybersecurity threat become widely used.
Beginning in the early 2010’s, with the introduction of cryptocurrencies as a form of ransom payment, the first large-scale ransomware attacks started taking place. Then, with the global WannaCry epidemic in 2017, where attackers used the EternalBlue exploit (developed by the NSA before being stolen and leaked) to target Microsoft OS, the real risk and scale of these attacks was introduced to the public.
Despite talks of ransomware attacks being on decline, they’re still going strong: an Emsisoft report for 2019 declared ransomware attacks a crisis, with at least 966 government agencies, educational establishments and healthcare providers hit with attacks amassing a potential cost in excess of $7.5 billion.
Due to the targets of these attacks involving people’s health, safety and even lives, and with a high level of sophistication evident in recent cases, it’s important to get familiar with ransomware and the threat it poses. We need to take the first steps toward better protecting ourselves—precisely what we’re doing today.
First, let’s find out what constitutes a ransomware attack.
What are ransomware attacks?
Ransomware is precisely what the name implies—a type of malware that infects a computer or network, encrypts its files or denies the owner access to them, and demands a ransom in return.
And how does the ransomware infect a computer or system?
It usually arrives in an email as an attachment, which upon opening, injects malware into the recipient’s device. Another way is by disguising itself as a legitimate file that the victim will download. Using exploit kits is another common attack method, where attackers use toolkits that exploit different vulnerabilities, hide them on a website (often in an ad), and redirect the victim to the toolkit’s landing page. The system is then infected, with the victim’s files held under ransom.
Once your system is infected, the malware will not delete your private files. They’re still present in the system, but encrypted, making them inaccessible without the decryption key. The criminals will offer to give that to you…in exchange for payment, of course.
And what if you don’t pay up? Well, most often, the files will be deleted forever. When sensitive data containing financial, health and other information hangs in the balance, these attacks are devastating, leaving victims with no way out but to pay the ransom. Unfortunately, giving the attackers what they want only encourages the vicious cycle, with nearly half of past victims getting attacked again.
Before we learn how to protect ourselves against these frequent and destructive attacks, let’s take a look at different types of ransomware.
Types of ransomware attacks
There are many different types of ransomware using different techniques, targeting different devices and marked with different levels of severity. What they all have in common is their demand for ransom.
Here are the four most common types of ransomware attacks:
Crypto ransomware is considered the most dangerous of all these types of attacks. This type of malware encrypts your hard drive, files and folders, and there’s no way of recovering your files once they’re in the hands of criminals.
Once you’ve opened an infected attachment or downloaded a file containing this malware, it begins encrypting your files. You won’t be aware of this until you get the lock screen, after booting up your computer, that tells you your files have been encrypted and that you need to pay a certain amount of money or cryptocurrencies, often by a specific date, to obtain the decryption key that will allow you access to them. Otherwise, the files will be gone forever.
And since you’re dealing with cybercriminals, there’s no guarantee that you’ll ever get those files back, not even after paying a ransom.
Locker ransomware, or screen lockers, don’t encrypt your files once they’re in your system, but block your access to them with a lock screen. Your entire system is rendered useless, often leaving you with only one channel of communication—with the attacker.
When your computer gets infected with locker ransomware, after you boot up your device it presents itself in a similar fashion as crypto ransomware, with a lock screen telling you that you have been locked out of your computer, and that you’re obligated to pay a fine to unlock it. With one type of locker ransomware, Reveton, the lock screen message looks as though it’s issued by the FBI, saying illegal activity coming from your device has been detected, and that you need to pay a fine as a result.
Again, even if you pay the ransom (or “fine”), nothing can guarantee that you’ll regain access to the system, or even if you do regain it, that cybercriminals won’t infect it with other types of malware (such as password-stealing software).
On the “lighter” end of ransomware attacks is scareware, which, contrary to its name, is much less scary than both crypto and locker ransomware. Scareware often presents itself as an anti-virus or anti-malware software that informs you that problems have been found on your device, and requires you to pay to get them fixed or removed.
With scareware, if you decide not to bite the bait and you don’t pay, the worst thing that generally happens is a continuing onslaught of the same “You have been infected!” pop-ups. They might be annoying and not ideal, but that’s certainly better than losing all your files forever.
Doxware, also known as extortionware, is a newer type of ransomware. This method specifically targets victim’s private information such as files, photos or conversations, then encrypts them, holds them hostage and demands ransom. If that sounds similar to crypto ransomware, it has an added twist: victims are threatened with the release of their sensitive information to the public if they don’t pay the ransom. This makes victims much more likely to pay.
As it’s so highly targeted, with attackers combing through victims’ files and the amount of sensitive data we store on our devices, doxware is especially scary and disruptive.
How to protect yourself against ransomware attacks
When you suffer a ransomware attack there are certainly ways to deal with it, but they’re often complicated or even insufficient. That’s why it’s important to work on prevention. Good cybersecurity hygiene applies to ransomware attacks just as with any type of cyberattack, and on an organizational level, instilling a proper cybersecurity culture will go a long way.
Now let’s examine what specific steps you can take so you’ll never put your files in danger of being held for ransom:
Offline and external backup
Make frequent backups of all your most important data and be sure to have a restoration plan on hand. Backing up your files is a standard step in defending your devices against attacks, but merely syncing your files to cloud storage is not enough. Ransomware has managed to compromise various cloud storage locations containing backups, so keeping an offline backup is a safer bet for restoring files.
That being said, backing up your files offline and maintaining external storage (such as a USB stick or external hard drive) will help, but you won’t always want them connected to your device. There have been instances where files on a connected USB stick or other storage drives holding backups were compromised. Once you are finished using them, disconnect them from your computer.
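As an added example (not part of the original article), here is a small Python backup check that puts the two points above into practice: it copies a folder to a backup location, keeps a SHA-256 manifest separately from the backup, and re-verifies the backup so that files overwritten or removed while the drive was connected are caught before a restore is needed. All paths and sample files are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest; return {relative path: sha256}.
    Keep the manifest away from the backup drive so it cannot be altered with it."""
    manifest = {}
    for f in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = f.relative_to(source)
        (dest / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, dest / rel)
        manifest[rel.as_posix()] = sha256_of(dest / rel)
    return manifest

def verify_backup(dest: Path, manifest: dict) -> dict:
    """Re-hash the backup against the trusted manifest and report every file
    whose content changed (e.g. was encrypted in place) or that disappeared."""
    result = {"ok": [], "modified": [], "missing": []}
    for rel, digest in manifest.items():
        path = dest / rel
        if not path.exists():
            result["missing"].append(rel)
        elif sha256_of(path) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result

def demo() -> dict:
    """Constructed scenario: back up two files, damage the backup copy, let verification catch it."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backup = Path(tmp) / "documents", Path(tmp) / "backup"
        (src / "photos").mkdir(parents=True)
        (src / "notes.txt").write_text("quarterly notes\n")
        (src / "photos" / "a.jpg").write_bytes(b"\xff\xd8 constructed sample")
        manifest = make_backup(src, backup)
        (backup / "notes.txt").write_bytes(b"\x00\x00 overwritten content")
        (backup / "photos" / "a.jpg").unlink()
        return verify_backup(backup, manifest)
```

Run the verification step each time the backup drive is reconnected and again before relying on it for a restore; a non-empty `modified` or `missing` list means that copy cannot be trusted.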
Use security software and keep it up to date
Using a trusted security solution to guard against ransomware attacks can go far: as ransomware becomes even more widespread, there are many anti-virus solutions available to block any malware that threatens to infect your devices and alert you when accessing suspicious websites.
With cybercriminals constantly developing new malware that’s able to circumvent security software, always keep yours up to date, to ensure your system is ready to thwart any future attacks.
Regularly update your OS and other software
If WannaCry has taught us anything, it’s to always keep your OS updated. Even after Microsoft released a patch for the EternalBlue exploit, many didn’t update their systems, leaving themselves vulnerable to attack.
Keeping track of all the new, available updates can be a tiring job. It’s also easy to forget about them, so we recommend you enable automatic updates on all your software, including your operating system.
Watch out for those email attachments
In general, phishing is the leading type of cybercrime, an unfortunately convenient technique for distributing ransomware.
Be wary of any email that contains an attachment: always verify that it comes from a trusted source, and use content scanning and filtering on your email servers.
Don’t pay the ransom
If you’ve already been infected with ransomware, the final protection method we advise is to not pay the ransom. It may seem like the easy way out, and it is a devastating situation to find yourself in, but it’s highly important to not pay the cybercriminals or negotiate with them. As we’ve said earlier, a cybercriminal is not a person to trust, so what tells you they’ll ever restore access to your files?
The fact is, the more that people pay the ransom, the more these attacks become successful, only opening the door to more attacks.
The best thing to do in this situation is to contact your local authorities and let them contain the situation. You can even check to see if a decryptor exists, and while it’s rare, you might be able to decrypt your data without paying the ransom.
Many predictions tell us that ransomware will remain one of the most widespread forms of cybercrime, and that 2020 will only see even more sophisticated attacks targeting organizations, especially government and health organizations.
The sad truth is you can never be 100% protected, but it’s important to always be diligent, prepared, and knowledgeable about how to handle falling victim to a ransomware attack.