What Is Ransomware? Definition, Types, Detection, & Removal
Ransomware is a type of malware that can lock computers, networks, and systems until a ransom is paid. It's a growing problem for businesses and individuals alike.
The Internet Crime Complaint Center received 2,474 ransomware reports in 2020, causing millions of dollars in damages, and those numbers will likely increase when the 2021 numbers are revealed. Ransomware is constantly in the news, leading to the question: what is ransomware and why is it so prevalent?
Various state agencies and the private sector keep track of ransomware attacks and related tactics worldwide, but malicious actors change and evolve their ransomware strategies all the time, making it hard to detect and block every attack. We’ve put together a comprehensive guide that defines ransomware, explains how to detect it, and lays out what steps to take if you’ve fallen victim to a ransomware attack.
What Is Ransomware?
Ransomware is any type of extortion malware that locks your computer and demands payment in exchange for freeing your systems, hence the name. The ransomware definition can be boiled down to any cyberattack in which attackers infiltrate a system, encrypt the victim’s files, and then demand a ransom in exchange for returning access to the data.
As part of the attack, victims are provided with instructions on how to obtain the decryption key by paying the ransom. Ransom fees can range from a few hundred to several thousand dollars, and in rare cases rise into the millions. In recent years, ransoms have most often been paid in cryptocurrency.
Types of Ransomware
The two most common forms of ransomware are locker ransomware and crypto-ransomware:
- Locker Ransomware: Prevents the victim from accessing their machine. Once access is denied, the victim is prompted to pay the ransom to unlock their device.
- Crypto Ransomware: Encrypts the user's data so that it cannot be accessed. The cybercriminal then demands money to decrypt the information. Crypto ransomware (also called cryptoware) has become the most popular type of ransomware in recent years.
Other types of ransomware include:
- Lock Screens or Non-Encrypting Ransomware: Restricts access to files and data but does not encrypt them.
- Master Boot Record (MBR) Ransomware: Makes it impossible for victims' PCs to boot into a live OS environment.
- Extortionware or Leakware: Steals compromising or damaging information that attackers then threaten to release if the ransom is not paid.
- Mobile Ransomware: Infects cell phones through drive-by downloads or fake apps.
Is Ransomware A Virus?
The short answer is no, but defining ransomware can be tricky. Computer viruses attack your software and can replicate themselves, whereas ransomware scrambles your files, making them useless, and then demands payment to unscramble them. Both can be removed with antivirus software, but if your files have already been encrypted, removing the ransomware won't recover them.
Ransomware attacks have had success amounting to billions of dollars. Here are a few examples of recent ransomware attacks:
- WannaCry: WannaCry was a ransomware outbreak that spread over 150 countries in 2017. It was created to exploit a Windows flaw and infected over 100,000 machines by May 2017. The attack wreaked havoc on several UK hospital trusts, costing the NHS £92 million when users were locked out and a Bitcoin ransom was requested. The hack revealed the dangers of relying on out-of-date technology and resulted in approximately $4 billion in global financial damages.
- Ryuk: Ryuk spread in the middle of 2018. On PCs, the Windows System Restore feature was disabled by the ransomware, meaning users weren’t able to recover encrypted files without a backup. Victims paid the ransoms, and the total loss is believed to be $640,000.
- KeRanger: KeRanger is considered the first ransomware attack to target Mac machines running the OS X operating system. KeRanger was bundled into an installer of Transmission, an open-source BitTorrent client. After three days of inactivity, it encrypted 300 different types of files. It then downloaded a ransom note demanding Bitcoin, along with instructions for paying the ransom. The victim's files were decrypted when the ransom was paid.
- Petya: Petya caused everyone a scare, but it was considerably less devastating than WannaCry. Petya mostly hit Ukraine, which accounted for more than 90% of attacks, but victims in other parts of the world also reported infections.
How Does Ransomware Work?
Ransomware attacks may disrupt business operations and leave companies without the data they need to operate or deliver mission-critical services, not to mention the damage to a company’s reputation after suffering a security breach. As a supplementary type of extortion, malicious actors have modified their ransomware techniques to include pressing victims for payment by threatening to expose stolen data if they refuse to pay. The monetary value of ransom demands has also risen, with some surpassing $1 million in extreme cases.
Malicious actors use lateral movement to target sensitive information and spread ransomware across entire networks. These actors also increasingly employ techniques that make restoration and recovery more difficult (or impossible) for targeted businesses, such as destroying system backups. Ransomware spreads swiftly and strikes hard, from malicious email attachments and false links to social media frauds.
Here are a few methods used by ransomware attackers:
Social engineering is a phrase used to describe the process of fooling individuals into downloading malware via a phony file or link. Malicious files are frequently disguised as legitimate documents (order confirmations, invoices, bills, and notifications) and look like they came from a trustworthy organization. It's as simple as downloading one of them to your computer, trying to open it, and bam! You've been infected.
Malvertising is the term for sponsored advertisements that deliver ransomware, spyware, viruses, and other malicious software at the click of a button. Hackers will invest in ad space on popular websites to obtain your personal information.
Exploit kits are ready-to-use hacking tools that contain pre-written code. As you might expect, these kits are designed to exploit vulnerabilities and security flaws in out-of-date software.
Drive-by downloads are hazardous files that you didn’t request and may be completely unaware of. While you're surfing an innocent-looking website or watching a video, some dangerous websites take advantage of out-of-date browsers or applications to quietly download malware in the background.
What Is A Ransomware Attack?
If a company has fallen prey to one of the above attacks, how quickly does it escalate? What does a ransomware attack look like? Here’s a general timeline of attacks:
- Infection: The ransomware installs itself on the system and any network devices it can access after being transmitted through an email attachment, phishing email, infected program, etc.
- Secure Key Exchange: The ransomware communicates with the attackers' command and control server to create the cryptographic keys used on the local machine.
- Encryption: The malware encrypts any data it finds on local computers and across the network.
- Extortion: Once the encryption is complete, the ransomware shows ransom payment instructions, threatening data destruction or publication if payment is not made.
- Decryption: Companies can pay the ransom and hope the hackers decrypt the files, or they can recover the data themselves by removing infected files and computers from the network and restoring data from clean backups. Negotiating with cyber thieves is typically futile, as a recent study revealed that 42% of businesses that paid a ransom did not get their files decrypted.
Who Does Ransomware Target?
There are many methods through which ransomware criminals select the organizations they attack. It's also a matter of timing. For example, attackers may target colleges since they have smaller security teams and a wide user base that shares numerous files, making it simple to breach their defenses. On the other hand, large corporations are appealing targets because they appear to be more inclined to pay a ransom quickly and have the means to do so.
Government institutions and medical facilities, for example, frequently require rapid access to their information. Law firms and other businesses with sensitive data are more likely to pay to keep an attack hidden from the public, since these organizations may be particularly vulnerable to leakware assaults.
How To Detect Ransomware
Ransomware attacks are difficult to identify fast enough to avoid serious consequences. They’re installed through devious social engineering tactics, and sensitive data is scrambled using military-grade encryption algorithms. Once a computer or other endpoint has been compromised, ransomware may swiftly spread throughout the network, making it virtually impossible to respond in real-time. Often, the infected business is only aware of the attack after the ransomware has encrypted its data and made an announcement demanding payment. The following are signs of a ransomware attack:
- Hundreds of unsuccessful file changes and other strange file system activity, caused by the ransomware attempting to access those files.
- Unexpectedly high CPU and disk activity, caused by the ransomware searching for, encrypting, and removing data files.
- Access to some files is restricted, a result of the ransomware encrypting, deleting, renaming, or relocating data.
- Suspicious network communications, a result of the ransomware's contact with the attackers' command and control server.
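The first three signs above can be turned into a simple detection rule over file-system events. The script below is an added example, not code from the original article: it reads a constructed event log (one line per file operation, with a timestamp, process id, process name, action, status and path) and flags any process that produces hundreds of denied file changes, mass renames to an unusual extension, or an abnormally high rate of successful modifications. The log format, the process names, the extension list and the thresholds are all assumptions for the demonstration and would be tuned to a real environment's baseline.

```python
"""Flag ransomware-like file-system activity in a stream of file events.

Added example, not code from the original article. The log format is
constructed for this demonstration, one event per line:
    <ISO-8601 timestamp> <pid> <process> <action> <status> <path>
where action is WRITE, RENAME or DELETE and status is OK or DENIED.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions often appended to encrypted files; an illustrative, constructed
# list, not tied to any particular ransomware family.
SUSPICIOUS_EXTENSIONS = {".locked", ".enc", ".crypt", ".encrypted"}

# Thresholds are assumptions for the example; tune them to your own baseline.
FAILED_CHANGE_THRESHOLD = 100   # "hundreds of unsuccessful file changes"
RENAME_THRESHOLD = 50           # mass renames to an unusual extension
RATE_THRESHOLD = 60.0           # successful modifications per minute


def parse_event(line):
    """Split one constructed log line into a dict; the path may contain spaces."""
    ts, pid, proc, action, status, path = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "proc": proc,
            "action": action, "status": status, "path": path}


def analyze(lines):
    """Return {(pid, process): [reasons]} for processes that trip a threshold."""
    stats = defaultdict(lambda: {"failed": 0, "renames": 0, "changes": 0,
                                 "first": None, "last": None})
    for line in lines:
        ev = parse_event(line)
        s = stats[(ev["pid"], ev["proc"])]
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
        if ev["status"] == "DENIED":
            s["failed"] += 1                      # sign 1: failed file changes
            continue
        s["changes"] += 1                         # sign 2: burst of disk activity
        ext = os.path.splitext(ev["path"])[1].lower()
        if ev["action"] == "RENAME" and ext in SUSPICIOUS_EXTENSIONS:
            s["renames"] += 1                     # sign 3: files renamed/relocated

    findings = {}
    for key, s in stats.items():
        reasons = []
        if s["failed"] >= FAILED_CHANGE_THRESHOLD:
            reasons.append(f"{s['failed']} denied file modifications")
        if s["renames"] >= RENAME_THRESHOLD:
            reasons.append(f"{s['renames']} renames to a suspicious extension")
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rate = s["changes"] / span * 60
        if rate >= RATE_THRESHOLD:
            reasons.append(f"{rate:.0f} successful modifications per minute")
        if reasons:
            findings[key] = reasons
    return findings


def build_sample_events():
    """Constructed sample log: a benign editor plus a one-minute encryption burst."""
    base = datetime(2021, 6, 1, 9, 0, 0)
    lines = []
    for i in range(5):    # benign: a handful of saves spread over ten minutes
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} 1201 editor.exe WRITE OK /home/alice/report {i}.docx")
    for i in range(120):  # 120 denied writes within 30 seconds
        ts = (base + timedelta(seconds=i // 4)).isoformat()
        lines.append(f"{ts} 4410 updater.exe WRITE DENIED /srv/share/archive/doc{i}.pdf")
    for i in range(60):   # 60 renames to .locked in the following 15 seconds
        ts = (base + timedelta(seconds=30 + i // 4)).isoformat()
        lines.append(f"{ts} 4410 updater.exe RENAME OK /srv/share/finance/q{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for (pid, proc), reasons in analyze(build_sample_events()).items():
        print(f"ALERT pid={pid} process={proc}: " + "; ".join(reasons))
```

Running it flags the constructed `updater.exe` process on all three counts while the editor, which makes a few saves over ten minutes, stays below every threshold. In production the same counters would be fed from an EDR or file-audit source and the thresholds set from a measured baseline, as the best-practices section below recommends.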
How To Prevent Ransomware
The best form of ransomware protection is prevention. In order to take preventative measures, you'll need a keen eye and the proper security software. Vulnerability checks can also aid in the detection of intruders on your network. First and foremost, ensure your machine isn't a prime ransomware target. Make sure that you always keep your device’s software up to date to benefit from the most recent security updates.
Furthermore, proceed with extreme caution online, mainly when dealing with fraudulent websites and email attachments. However, even the most nuanced preventative measures might fail, emphasizing the importance of having a backup plan. A backup of your data is a good contingency plan in the case of a ransomware attack.
While no company is immune to cyberattacks, there are a few best practices that can decrease your chances of becoming a victim:
- Educate your staff. Give workers a checklist of what to do if they get a questionable email or visit a suspicious website. Teach them to look for red flags in phishing emails.
- Analyze your systems for any unusual activity. You should regularly scan file systems for unusual behavior, such as hundreds of unsuccessful file changes.
- Monitor all incoming and outgoing traffic. Determine the usual user activity baseline and search for anomalies ahead of time. Investigate any odd behavior right away.
- Set up honeypots. Honeypots are decoys, or false file repositories, that appear to be authentic. Honeypots will be targeted by hackers, allowing you to detect them before they widen their attack to your system. Early detection aids in the safe eradication of malware and saves your infrastructure from being hacked.
- Implement an anti-ransomware solution. Use application whitelisting software in conjunction with antivirus and anti-ransomware software to detect risks.
- Systematically examine and filter spam or questionable email content. Configure email settings so that incoming mail is automatically filtered and suspicious messages are not delivered to a user's mailbox.
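The honeypot recommendation above is often implemented with decoy ("canary") files: documents that no legitimate user touches, so any change to them is a strong signal. The following is an added example, not code from the original article. It writes a few constructed decoys into a directory, records a baseline of their SHA-256 digests, and later reports any decoy that was modified, deleted or renamed, plus any unexpected new file dropped beside them (such as a ransom note). The directory and file names are assumptions chosen to look like attractive targets.

```python
"""Decoy ("canary") files that detect encryption, deletion or renaming early.

Added example, not code from the original article: decoys are written into a
directory, a baseline of their SHA-256 digests is recorded, and a later check
reports any decoy that changed or disappeared, or any new file dropped beside
them (for example a ransom note). Names and content are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed decoy names; pick names that look valuable but are never used.
DECOY_NAMES = ["2019_budget.xlsx", "payroll_backup.csv", "vendor_contracts.docx"]


def sha256_file(path):
    """Hash a file in chunks so large decoys don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def deploy_canaries(directory, names=DECOY_NAMES):
    """Create decoy files and return the {name: digest} baseline to monitor against."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in names:
        p = directory / name
        p.write_bytes(f"constructed decoy content for {name}\n".encode() * 16)
        baseline[name] = sha256_file(p)
    return baseline


def check_canaries(directory, baseline):
    """Compare the decoy directory against the baseline; return [(name, reason)]."""
    directory = Path(directory)
    alerts = []
    for name, digest in baseline.items():
        p = directory / name
        if not p.exists():
            alerts.append((name, "missing: deleted or renamed"))
        elif sha256_file(p) != digest:
            alerts.append((name, "content changed"))
    for p in directory.iterdir():
        if p.name not in baseline:
            alerts.append((p.name, "unexpected new file in decoy directory"))
    return sorted(alerts)


def demo():
    """Deploy decoys, confirm a clean check, then tamper with them to exercise it."""
    with tempfile.TemporaryDirectory() as tmp:
        decoy_dir = Path(tmp) / "Finance_Archive"
        baseline = deploy_canaries(decoy_dir)
        clean = check_canaries(decoy_dir, baseline)
        # Exercise the check: overwrite one decoy with unreadable bytes and
        # drop a new file beside it, the footprint an encrypting process leaves.
        (decoy_dir / "payroll_backup.csv").write_bytes(b"\x00\xff" * 32)
        (decoy_dir / "HOW_TO_RESTORE.txt").write_text("constructed placeholder note\n")
        tampered = check_canaries(decoy_dir, baseline)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    for name, reason in after:
        print(f"ALERT {name}: {reason}")
```

In practice `check_canaries` would run on a schedule or be driven by file-change notifications, and a single alert should trigger the isolation steps described later in this guide, since the decoy directory is only reached after real data nearby has likely been touched.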
How To Remove Ransomware
If you’ve fallen victim to a file encryption ransomware attack, you may remove the encryption malware by following these instructions:
- Disconnect from the internet. First, disconnect all virtual and physical connections. This helps prevent the ransomware from spreading throughout the network. Wireless and wired devices, external hard drives, storage devices, and cloud accounts are all examples. If you believe that additional systems have been impacted, follow the steps below to restore those as well.
- Use your internet security software to investigate. Use the internet security software you've installed to run a scan; this helps detect threats. If you find any potentially harmful files, either delete or quarantine them. You can remove dangerous files manually or let antivirus software do it automatically. Manual malware eradication is only suggested for experts.
- Use a decryption tool. If a system has been infiltrated by ransomware, you will need a decryption tool to restore access to your files. Bear in mind that a viable decryptor does not exist for every ransomware family.
- Recover your data from a backup. Keep a backup of your system externally or in cloud storage. Cleaning and restoring your device is far more difficult if you don't have any backups, so generate backups regularly to avoid this problem. If you have a habit of forgetting essential items, use automated cloud backup services or create calendar notifications to remind you.
Step-By-Step Guide: What To Do If You're Under Ransomware Attack
1. Isolate the ransomware.
Ransomware detection rate and speed are crucial in countering fast-moving attacks before they propagate across networks and encrypt sensitive data. The first thing to do is isolate the infected machine from other computers and storage devices. Remove it from the network (wired and wireless) and disconnect any external storage devices, as you don't want the ransomware communicating with its command and control server or spreading across the network.
Be careful as there might be more than one patient zero, indicating that the ransomware may have infiltrated your business or household via numerous machines or that it may be dormant and has not yet shown itself on certain systems. Suspect all linked and networked devices and take precautions to guarantee that none of them are infected.
2. Identify the ransomware.
When ransomware requests money, it usually identifies itself. Knowing what you’re dealing with can help you understand:
- The type of ransomware
- How it spreads
- What type of data it encrypts
- What removal options you have
Once you know the type, you can figure out what to do next.
3. Report the attack.
By reporting ransomware to the authorities, you’ll be doing everyone a service. Regardless of the outcome, the FBI's Internet Crime Complaint Center encourages ransomware victims to report their attacks. Reporting allows law enforcement to gain better knowledge of the threat, offers solutions for ransomware investigations, and contributes essential information to ongoing cases. Knowing more about the victims and their ransomware experience can aid the FBI in determining who is behind the attacks and how they identify or target victims.
4. Evaluate your options.
When infected with ransomware, you have the following options:
- Cover the cost of the ransom
- See if it's possible to get rid of the malware
- Completely erase the system(s) and start over
Paying the ransom is typically thought to be a poor choice, as it fosters the spread of additional ransomware, and unlocking the encrypted files is often unsuccessful.
5. Restore the system.
You can either try to eradicate the malware from your devices or wipe them and reinstall from secure backups and fresh OS and application sources. However, it's uncertain whether you can fully eradicate a ransomware infection, as there isn't a viable decryptor for every known ransomware attack. The newer the ransomware is, the more sophisticated it’s likely to be, and the less time there has been to build a decryptor.
The most reliable approach to ensuring that malware or ransomware has been eradicated from a system is to erase all storage devices and reinstall everything from the ground up. You should format the hard drives on your system to guarantee that no vestiges of the virus remain.
Ransomware: The Bottom Line
Hackers are constantly refining their methods of delivering ransomware. The only way to mitigate the threat posed by online extortionists is to know how to recognize malicious actors and keep a close eye on the evolution of ransomware attacks. Unfortunately, this requires time and resources that may need to be reallocated from business-critical activities.
To stop ransomware attacks that come via email, you can implement next-generation integrated cloud email security that provides protection against the most advanced attacks, including ransomware, business email compromise, and more. Adding a solution on top of your Microsoft or Google environment will provide you with the best possible protection to prevent malware, ransomware and other attacks.
Want to learn more about how Abnormal stops ransomware attacks? Request a demo today to discover how integrated cloud email security can protect your organization.