All you need to know about ransomware in 60 seconds
What is a ransomware attack?
Ransomware has grown to be one of the biggest problems on the web. It's a form of malicious software -- malware -- which encrypts documents on a PC or even across a network. Victims can often only regain access to their encrypted files and PCs by paying a ransom to the criminals behind the ransomware.
A ransomware infection often starts with someone clicking on what looks like an innocent attachment, and it can be a headache for companies of all sizes if vital files and documents (think spreadsheets and invoices) are suddenly encrypted and inaccessible. But that's not the only way to get infected.
Cybercriminals didn't used to be so obvious. If hackers infiltrated your corporate network, they would do everything possible to avoid detection. It was in their best interests not to alert a victim that they'd fallen victim to a cybercriminal.
But now, if you are attacked with file-encrypting ransomware, criminals will brazenly announce they're holding your corporate data hostage until you pay a ransom in order to get it back.
It might sound too simple, but it's working: cybercriminals pocketed over $1bn from ransomware attacks during 2016 alone and a Europol report describes it as having "eclipsed" most other global cybercriminal threats in 2017.
What is the history of ransomware?
Known as AIDS or the PC Cyborg Trojan, the virus was sent to victims -- mostly in the healthcare industry -- on a floppy disc. The ransomware counted the number of times the PC was booted: once it hit 90, it encrypted the machine and the files on it and demanded the user 'renew their license' with 'PC Cyborg Corporation ' by sending $189 or $378 to a post office box in Panama.
How did ransomware evolve?
This early ransomware was a relatively simple construct, using basic cryptography which mostly just changed the names of files, making it relatively easy to overcome.
But it set off a new branch of computer crime, which slowly but surely grew in reach -- and really took off in the internet age. Before they began using advanced cryptography to target corporate networks, hackers were targeting general internet users with basic ransomware.
One of the most successful variants was 'police ransomware', which tried to extort victims by claiming to be associated with law enforcement. It locked the screen with a ransom note warning the user they'd committed illegal online activity, which could get them sent to jail.
However, if the victim paid a fine, the 'police' would let the infringement slide and restore access to the computer by handing over the decryption key. Of course, this wasn't anything to do with law enforcement -- it was criminals exploiting innocent people.
While somewhat successful, these forms of ransomware often simply overlaid their 'warning' message on the user's display -- and rebooting the machine could get rid of the problem and restore access to files which were never really encrypted.
Criminals learned from this and now the majority of ransomware schemes use advanced cryptography to truly lock down an infected PC and the files on it.
What are the main types of ransomware?
Ransomware is always evolving, with new variants continually appearing in the wild and posing new threats to businesses. However, there are certain types of ransomware which have been much more successful than others.
Perhaps the most notorious form of ransomware is Locky, which terrorised organisations across the globe throughout 2016. It infamously made headlines by infecting a Hollywood hospital. The hospital gave into the demands of cybercriminals and paid a $17,000 ransom to have its networks restored.
Locky remained successful because those behind it regularly update the code to avoid detection. They even update it with new functionality, including the ability to make ransom demands in 30 languages, so criminals can more easily target victims around the world. Locky became so successful, it rose to become most prevalent forms of malware in its own right.
While not as prolific as it once was, Locky remains one of the most dangerous forms of ransomware, regularly going quiet before reemerging with new attack techniques.
Cryptowall is another form of ransomware which has found great success for a prolonged period of time. Starting life as doppelganger of Cryptolocker, it's gone onto become one of the most successful types of ransomware.
Like Locky, Cryptowall has regularly been updated in order to ensure its continued success and even scrambles file names to make it harder for victims to know which file is which, putting additional pressure on the victim to pay.
While some ransomware developers -- like those behind Locky or Cryptowall -- closely guard their product, keeping it solely for their own use, others happily distribute ransomware to any wannabe hacker keen to cash in on cyber-extortion -- and it's proved to be a very successful method for wide distribution.
One of the most common forms of ransomware distributed in this way is Cerber, which infected hundreds of thousands of users in just a single month. The original creators of Cerber are selling it on the Dark Web, allowing other criminals to use the code in return for 40 percent of each ransom paid.
Cerber ransomware became so successful that it surpassed Locky -- which appeared to mysteriously disappear over Christmas, although reemerged in April with new attack techniques -- to become the most dominant form of ransomware on the web, accounting for 90 percent of ransomware attacks on Windows as of mid-April 2017.
This particular family of ransomware is constantly evolving, with its developers regularly adding new features to ensure its continued success. Indeed, the cryptography behind Cerber is so advanced that there's currently no decryption tools available to help those infected by the latest versions.
But not content with just illicitly making money from ransom payments, Cerber now comes with the ability to steal to steal bitcoin wallet and password information, in addition to encrypting files.
In exchange for giving up some of the profits for using Cerber, wannabe cyber-fraudsters are provided with everything they need in order to successfully make money through the extortion of victims.
Indeed, now some criminal groups offer this type of ransomware-as-a-service scheme to potential users for no cost at the point of entry. Instead of charging a fee for the ransomware code, they want a 50 percent cut of the ransom payments.
Another successful form of ransomware is SamSam, which is notorious for charging a ransom of tens of thousands of dollars for the decryption key.
Rather than being distributed via phishing emails, the attackers seek out unsecured internet-facing systems then exploit them to help spread SamSam laterally across networks.
What is WannaCry ransomware?
In the biggest ransomware attack to date, WannaCry -- also known as WannaCrypt and Wcry -- caused chaos across the globe in an attack which started on Friday 12 May 2017.
WannaCrypt ransomware demands $300 in bitcoin for unlocking encrypted files -- a price which doubles after three days. Users are also threatened, via a ransom note on the screen, with having all their files permanently deleted if the ransom isn't paid within a week.
More than 300,000 victims in over 150 countries fell victim to the ransomware over the course of one weekend, with businesses, governments, and individuals across the globe all affected.
Healthcare organisations across the UK had systems knocked offline by the ransomware attack, forcing patient appointments to be cancelled and hospitals telling people to avoid visiting Accident and Emergency departments unless it was entirely necessary.
Of all the countries affected by the attack, Russia was hit the hardest, according to security researchers, with the WannaCry malware crashing Russian banks, telephone operators, and even IT systems supporting transport infrastructure. China was also hit hard by the attack, with 29,000 organisations in total falling victim to this particularly vicious form of ransomware.
Other high-profile targets included the car manufacturer Renault which was forced to halt production lines in several locations as the ransomware played havoc with systems.
What all the targets had in common is that they were running unsupported versions of Microsoft Windows, including Windows XP, Windows 8, and Windows Server 2003.
The ransomware worm is so potent because it exploits a known software vulnerability called EternalBlue. The Windows flaw is one of many zero-days which apparently was known by the NSA -- before being leaked by the Shadow Brokers hacking collective. Microsoft released a patch for the vulnerability earlier this year -- but only for the most recent operating systems.
In response to the attack, Microsoft took the unprecedented step of issuing patches for unsupported operating systems to protect against the malware.
Security services in the US and the UK have since pointed to North Korea as being the perpetrator of the WannaCry ransomware attack, with the White House officially declaring Pyongyang as the source of the outbreak in a report published in December.
No matter who was ultimately behind WannaCry, if the goal of the scheme was to make large amounts of money, it failed -- only about $100,000 was paid.
It was almost three months before the WannaCry attackers finally withdrew the funds from the WannaCry bitcoin wallets -- they made off with a total of $140,000 thanks to fluctuations in the value of bitcoin.
But despite critical patches being made available to protect systems from WannaCry and other attacks exploiting the SMB vulnerability, a large number of organisations seemingly chose not to apply the updates. It's thought that this is the reason LG suffered a WannaCry infection in August -- three month after the initial outbreak. The company has since said it has applied the relevant patches.
The public dump of the EternalBlue exploit behind WannaCry has led to various hacking groups attempting to leverage it to boost their own malware.
Researchers have even documented how a campaign targeting European hotels by APT28 -- a Russian hacking group linked with meddling in the US presidential election -- is now using the leaked NSA vulnerability.
What is Petya/NotPetya/GoldenEye?
A little a month after the WannaCry ransomware outbreak, the world was hit with another global ransomware attack.
This cyberattack first hit targets in Ukraine, including its central bank, main international airport, and even the Chernobyl nuclear facility, before quickly spreading around the globe, infecting organisations across Europe, Russia, the US, and Australia.
After some initial confusion as to what this malware was -- some said it was Petya, some said it was something else -- researchers at Bitdefender came to the conclusion suggest that the outbreak was down to a modified version of Petya ransomware, combining elements of GoldenEye -- a particularly vicious relative of Petya -- and WannaCry ransomware into extremely potent malware.
This second form of ransomware also exploits the same EternalBlue Windows exploit which provided WannaCry with the worm-like features to spread through networks (not simply through an email attachment as is often the case) and hit 300,000 computers around the world.
However, Petya/NotPetya/GoldenEye is a much more vicious attack. Not only does the attack encrypt victims' files, it also encrypts entire hard drives by overwriting the master reboot record, preventing the computer from loading the operating system or doing anything.
The attackers ask for a bitcoin ransom of $300 to be sent to a specific email address -- which has now been shut down by the email service host. However, the way this very sophisticated ransomware was apparently equipped with very basic, non-automated functions for accepting ransoms has led some to suggest money isn't the goal.
Some have even speculated that the ransomware note was just a cover for the real goal of the virus -- to cause mayhem by irrecoverably wipe data from infected machines.
Whatever the aim of the attack, it significantly impacted the finances of the organisations that became infected. UK consumer goods firm Reckitt Benckiser said it lost £100m in revenue as a result of falling victim to Petya.
But that's a relatively modest loss in comparison to other victims of the attack: shipping and supply vessel operator Maersk and goods delivery company FedEx have both estimated losses of $300m due to the impact of Petya.
In February 2018, the governments of the United Kingdom, the United States, Australia and others officially declared that the NotPetya ransomware had been the work of the Russian military. Russian denies any involvement.
What is Bad Rabbit ransomware?
October 2017 saw the third high profile ransomware attack of the year when organisations in Russia and Ukraine fell victim to a new variant of Petya ransomware.
Dubbed Bad Rabbit, it infected at least three Russian media organisations while also infiltrating the networks of several Ukrainian organisations including the Kiev Metro and Odessa International Airport - at the time, the airport said it had fallen victim to a 'hacker attack'.
The initial attack vector used to distribute Bad Rabbit was drive-by downloads on hacked websites - some of which had been compromised since June. No exploits were used, rather visitors were told they had to install a phony Flash update, which dropped the malware.
Like NotPetya before it, Bad Rabbit spread through networks using a leaked NSA hacking tool - but this time it was via the EternalRomance SMB vulnerability, rather than the EternalBlue exploit.
Analysis of Bad Rabbit shared much of its code - at least 67 percent - with Peyta and researchers at Cisco Talos concluded that this, combined with how it uses SMB exploits, means there's "high confidence" in a link between the two forms of ransomware - and that they could even share the same author.
Bad Rabbit was named after the text which appeared at the top of the Tor website hosting the ransom note. Some security researchers joked it should've been named after the lines in the code referencing characters from Game of Thrones.
How much will a ransomware attack cost you?
Obviously, the most immediate cost associated with becoming infected with ransomware -- if it's paid -- is the ransom demand, which can depend on the type of ransomware or the size of your organisation.
Recent research revealed that a quarter of companies which paid a ransom paid over £5,000 to retrieve their encrypted data, while a further quarter paid hackers between £3,000 and £5,000.
The most common ransom paid amongst small and medium-sized businesses was between £500 and £1500, proving that there's still easy money to be made from targeting organisations of this size.
There are also examples of high-profile targets paying five-figure fees in order to regain access to their encrypted networks and their files, especially in cases where criminals threaten to delete data if they're not paid.
Ultimately, whatever the size of the company, time is money, and the longer your network is down because of malware, the more it's going to cost your business.
Even if you regain access to your encrypted documents by paying a ransom, there will be additional costs on top of that. In order to avoid future attacks -- especially if you've been marked as an easy target -- be prepared to invest in additional cybersecurity software and to pay for additional staff training.
There's also the risk of customers losing trust in your business because of poor cybersecurity and taking their custom elsewhere.
Why should businesses worry about ransomware?
To put it simply: ransomware could ruin your business. Being locked out of your own files by malware for even just a day will impact on your revenue. But given that ransomware takes most victims offline for at least a week, or sometimes months, the losses can be significant. Systems go offline for so long not just because ransomware locks the system, but because of all the effort required to clean up and restore the networks.
And it isn't just the immediate financial hit of ransomware which will damage a business; consumers become wary of giving their data to organisations they believe to be insecure.
How does ransomware infect your PC?
It's the modern enterprise's reliance on the internet which is enabling ransomware to boom. Every day, every employee receives hundreds of emails and many roles require these employees to download and open attachments, so it's something which is often done on autopilot. Taking advantage of employees' willingness to open attachments from unknown senders is allowing cyber criminals to successfully run ransomware campaigns.
Like other forms of malware, botnets send ransomware out en masse, with millions of malicious phishing emails sent every single second. Cyber criminals use a variety of lures to encourage targets to open a ransomware email, ranging from offers of financial bonuses, fake online purchase receipts, job applications from prospective employees, and more.
While some messages give away clues to their malicious nature with poorly-worded messages or strange return addresses, others are specially tailored to look as convincing as possible, and appear no different from any other message the victim might be sent.
Once the malicious attachment has been opened, the user is encouraged to enable macros in order to view and edit the document. It's when this is enabled that the ransomware code hidden within the macros strikes. It can encrypt files in seconds, leaving the victim with a ransom note demanding a payment ranging from a few hundred dollars to tens of thousands of dollars in order to get them back.
But it's not just email attachments you need to worry about: one recent malvertising campaign managed to infect PCs with ransomware without users even clicking on the malicious adverts. Visiting the compromised website was enough to be infected, because the hackers deploying the Astrum exploit kit to leverage an old Flash exploit, according to a security firm.
Which organisations are targets for ransomware?
Any business can find itself a victim of ransomware, but perhaps the most high-profile incident occurred when the Hollywood Presbyterian Medical Center in Los Angeles became infected with Locky ransomware. The malware infection left doctors and nurses unable to access patient files for days, until the hospital opted to give into the ransom demands of hackers in order to restore services.
"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Allen Stefanek, CEO of the hospital, said at the time.
Hospitals and other healthcare organisations are popular targets for ransomware attacks, because they are often willing to pay. Losing access to data is a life-or-death matter for them -- and hospitals don't want to be held responsible for letting people die due to poor cybersecurity. However, there are even cybercriminals who think attacking hospitals is too despicable an activity.
But there are plenty of other sectors criminals will happily target, including educational institutions, such as the University of Calgary, which paid a ransom of $20,000 to hackers. Any large business is at threat and there's even the prospect of ransomware infecting industrial systems. There are even suggestions that ransomware could be used as a tool for cyber-warfare.
Why are small businesses targets for ransomware?
Small and medium-sized businesses are a popular target because they tend to have poorer cybersecurity than large organisations. Despite that, many SMEs falsely believe they're too small to be targeted -- but even a 'smaller' ransom of a few hundred dollars is still highly profitable for cybercriminals.
Why is ransomware so successful?
You could say there's one key reason why ransomware has boomed: because it works. Organisations can have the best antivirus software in the world, but all it takes for ransomware to infect the network is for one user to slip up and launch a malicious email attachment and discover all their files have been encrypted.
If organisations weren't giving in to ransom demands, criminals would stop using ransomware. But businesses do need access to data in order to function so many are willing to pay a ransom and get it over and done with.
Meanwhile, for criminals it's a very easy way to make money. Why spend time and effort developing complex code or generating fake credit cards from stolen bank details if ransomware can result in instant payments of hundreds or even thousands of dollars from large swathes of infected victims at once?
What does bitcoin and other cryptocurrency have to do with the rise of ransomware?
The rise of crypocurrencies like bitcoin has made it easy for cybercriminals to secretly receive payments extorted with this type of malware, without the risk of the authorities being able to identify the perpetrators.
The secure, untraceable method of making payments -- victims are asked to make a payment to a bitcoin address -- makes it the perfect currency for criminals who want their financial activities to remain hidden.
Cybercriminal gangs are becoming more professional -- some even offer customer service and help for victims who don't know how to acquire or send bitcoin, because what's the point of making ransom demands if users don't know how to pay? Some organisations have even hoarded some of the cryptocurrency in case they get infected and their files encrypted and have to pay in bitcoin in a hurry.
How has the popularity of bitcoin impacted on ransomware?
During the second half of 2017, the value of bitcoin surged, reaching a peak of almost $20,000 for one unit of the cryptocurrency.
This created a number of problems for those dealing in ransomware. In addition to the fluctuations in the value of bitcoin meaning the price of payments changes by the day - even the hour - the interest in bitcoin drove more people to buy into it. As well as surging prices, transaction fees also increased as did delays receiving payments, creating additional difficulty when paying -- and collecting -- ransom demands.
As a result, some cybercriminals have started to look towards other means of accepting ransom payments. One additional form of cryptocurrency ransomware distributors are experimenting with is Monero.
Meanwhile, those behind GandGrab ransomware - which first appeared in January 2018 - demand the the ransom payment in the Dash cryptocurrency.
What is Monero and how is it changing ransomware?
Launched in 2014, Monero is far less high profile than bitcoin, making it quicker and simpler TO make transactions using it. For criminals, it also comes with the added bonus that it hasprivacy and security features which stop transactions from being traced back to users.
Forms of ransomware which have already been seen using Monero as a payment method in the wild include SpriteCoin - a form of ransomware which distrubutes itself to users via a fake cryptocurrency scam.
How do you prevent a ransomware attack?
With email being by far the most popular attack vector for ransomware, you should provide employees with training on how to spot an incoming malware attack. Even picking up on little indicators like poor formatting or that an email purporting to be from 'Microsoft Security' is sent from an obscure address which doesn't even contain the word Microsoft within it might save your network from infection. The same security policies that protect you from malware attacks in general will go some way towards protecting your company from ransom demands too.
There's also something to be said for enabling employees to learn from making mistakes while within a safe environment. For example, one firm has developed an interactive video experience which allows its employees to make decisions on a series of events then find out the consequences of those at the end. This enables them to learn from their mistakes without suffering any of the actual consequences.
On a technical level, stopping employees from being able to enable macros is a big step towards ensuring that they can't unwittingly run a ransomware file. Microsoft Office 2016 -- and now Microsoft 2013 -- both carry features which allow macros to be disabled. At the very least, employers should invest in antivirus software and keep it up-to date, so that it can warn users about potentially malicious files. Backing up important files and making sure those files can't be compromised during an attack in another key.
How long does it take to recover from a ransomware attack?
Simply put, ransomware can cripple a whole organisation -- an encrypted network is more or less useless and not much can be done until systems are restored.
If your organisation is sensible and has backups in place, systems can be back online in the time it takes the network to be restored to functionality, although depending on the size of the company, that could range from a few hours to days.
However, while it's possible to regain functionality in the short term, it can be the case that organisations struggle to get all systems back up and running -- as demonstrated by the Petya attack.
A month on from the outbreak, Reckitt Benckiser confirmed that some of its operations were still being disrupted and wouldn't be fully up and running until the end of August -- two months on from the initial Petya outbreak.
FedEx said that it may not be able to recover all the systems affected by the Petya cyberattack, meaning that while the company is back up and running, some machines won't ever be able to be restored.
Outside of the immediate impact ransomware can have on a network, it can result in an ongoing financial hit. Any time offline is bad for a business as it ultimately means the organisation can't provide the service it sets out to -- and can't make money -- but the longer the system is offline, the bigger that can be.
That's if your customers want to do business with you: in some sectors, the fact you've fallen victim to a cyberattack could potentially drive customers away.
How do I get rid of ransomware?
The 'No More Ransom' initiative -- launched in July 2016 by Europol and the Dutch National Police in collaboration with a number of cybersecurity companies including Kaspersky Lab and McAfee -- offers free decryption tools for ransomware variants to help victims retrieve their encrypted data without succumbing to the will of cyber extortionists.
Initially launching as a portal offered portal offers decryption tools four for families of ransomware -- Shade, Rannoh, Rakhn, and CoinVault -- the scheme is regularly adding more decryption tools for even more versions of ransomware including Crypt XXX, MarsJoke, Teslacrypt, Wildfire and Nemucod.
The portal -- which also contains information and advice on avoiding falling victim to ransomware in the first place -- is updated as often as possible in an effort to ensure tools are available to fight the latest forms of ransomware.
No More Ransom has grown from offering a set of four tools to carrying 52 decryption tools covering hundreds of families of ransomware. So far, these tools have decrypted tens of thousands of devices, depriving criminals of millions in ransoms.
The platform is now available in over 29 languages with more than 100 partners across the public and private sectors supporting the scheme.
Individual security companies also regularly release decryption tools to counter the ongoing evolution of ransomware -- many of these will post updates about these tools on their company blogs as soon as they've cracked the code.
For example, another decryption tool was recently released which may be able to help if your PC has been hit by one of the original versions of the Petya malware -- the so-called Red Petya, Green Petya, and GoldenEye -- and may enable you to recover the lost files (although it can't help with PetrWrap or those hit by the Petya/NotPetya global attack). However, these tools don't always work so it is always wise to make additional backups.
Another way of working around a ransomware infection is to ensure your organisation regularly backs up data offline. It might take some time to transfer the backup files onto a new machine, but if a computer is infected and you have backups, it's possible just to isolate that unit then get on with your business. Just make sure that crypto-locking crooks aren't able to encrypt your back-ups too.
Should I pay a ransomware ransom?
There are those who say victims should just pay the ransom, citing it to be the quickest and easiest way to retrieve their encrypted data -- and many organisations do pay even if law enforcement agencies warn against it.
But be warned: if word gets out that your organisation is an easy target for cybercriminals because it paid a ransom, you could find yourself in the crosshairs of other cybercriminals who are looking to take advantage of your weak security. And remember that you're dealing with criminals here and their very nature means they may not keep their word: there's no guarantee you'll ever get the decryption key, even if they have it. Decryption isn't even always possible: there are stories of victims making ransom payments and still not having encrypted files unlocked.
For example a type of ransomware targeting Linux discovered earlier this year demanded a bitcoin payment but did not store encryption keys locally or through a command-and-control server, making paying the ransom futile at best.
What's the future of ransomware?
Ransomware is continually evolving, with an increasing number of variants now engaging in additional activities such as stealing data or weakening infected computers in preparation for future attacks.
Researchers even warn that ransomware could soon hold whole operating systems hostage, to such an extent that the only two options available to the user would be to pay, or to lose access to the entire encrypted system.
And ransomware isn't just a problem for Windows PCs; Apple Macs are vulnerable to it too.
Can you get ransomware on your smartphone?
Absolutely. Ransomware attacks against Android devices have increased massively, as cybercriminals realise that many people aren't aware that smartphones can be attacked and the contents (often more personal than the stuff we keep on PCs) encrypted for ransom. Various forms of Android ransomware have therefore emerged to plague mobile users.
In fact, any internet-connected device is a potential target for ransomware, which has already been seen locking smart TVs.
Ransomware and the Internet of Things
Internet of Things devices already have a poor reputation for security. As more and more of these make their way onto the market, they're going to provide billions of new attack vectors for cybercriminals, potentially allowing hackers to hold your connected home or connected car hostage. An encrypted file is one thing: but what about finding a ransom note displayed on your smart fridge or toaster?
There's even the potential that hackers could infect medical devices, putting lives directly at risk.
In March 2018, researchers at IOActive took this once step further by demonstrating how a commercially available robot could come under a ransomware attack. In addition to making the robot verbally demand payment in order to be returned to normal, researchers also made it issue threats and swear.
As ransomware continues to evolve, it's therefore crucial for your employees to understand the threat it poses, and for organisations to do everything possible to avoid infection, because ransomware can be crippling and decryption is not always an option.
Read more about ransomware
- Surviving ransomware - without losing customers
- Ransomware, DDoS now top threats as hackers look for big paydays
- The horror! Mac users must beware of ransomware (like everyone else) [CNET]
- Locky ransomware: How this malware menace evolved in just 12 months
- I infected my Windows computer with ransomware to test RansomFree's protection [TechRepublic]