Ransomware is a type of malware that locks users out of their computer systems and encrypts their files, giving attackers control of any personal information stored on victims’ devices. Cybercriminals then threaten to withhold victims’ sensitive data until a ransom is paid—hence the “ransom” in ransomware.
How Does Ransomware Work?
The defining feature of ransomware is that it’s used as an extortion tool, and there are a variety of ways cybercriminals exploit this type of malware to gain access to victims’ devices. One of the more common vehicles for ransomware is a phishing email campaign—victims are sent emails containing malicious attachments from a seemingly trusted source, which infect their computer once they’re opened.
After successfully taking over the victim’s computer, attackers go on to encrypt some or all of the user’s files, like Word documents, PDFs, images, databases and so on. The ransomware may also exploit network vulnerabilities to spread to other connected systems and even across entire organizations.
At the end of the process, the attacker sends the victim a message explaining that their files are now compromised and can only be decrypted if a ransom is paid. The ransom is most often requested as an untraceable Bitcoin payment to the attacker.
Who Is a Target for Ransomware?
Ransomware targets might be individual consumers, small and medium-sized businesses or larger enterprise organizations. How criminals choose their targets usually comes down to a matter of opportunity. For instance, they may go after groups with smaller security teams like universities due to their weaker security defenses and high levels of file sharing.
Another common target is organizations that are more likely to pay a ransom in a timely manner. Government agencies, banks, law firms and medical facilities all fall into this category, since they’d likely need immediate access to sensitive client files and would be more willing to pay a ransom if it means keeping news of an organizational security breach quiet.
Finally, it’s common for criminals to target large corporate entities in the hopes of landing a bigger payout. Ransomware attacks in this category are usually focused on enterprises in the United Kingdom, the United States and Canada due to greater wealth and a high volume of personal computer use.
Types of Ransomware
While there are countless strains of ransomware, most attacks fall under two main categories: crypto ransomware and locker ransomware.
- Crypto ransomware works by encrypting victims’ sensitive computer files and demanding a ransom before the files can be recovered.
- Locker ransomware does not encrypt files. Instead, it compromises basic computer function and locks the victim out of their device entirely until a ransom is paid.
The severity of the threat posed by a ransomware attack will depend on the variant of ransomware being used, and resolution methods will differ depending on the type of malware at play.
While ransomware has only been around for a few decades, it’s made rapid developments in the last five years thanks to the increasing availability of untraceable payment methods like Bitcoin. Here are some of the worst offenders to date.
CryptoLocker was one of the first widespread ransomware attacks that used public key encryption. This 2013 attack put the modern ransomware age into motion and compromised up to 500,000 machines between 2013 and 2014. Payment was demanded in the form of Bitcoin or a prepaid voucher, and at the time experts believed the malware being used was impenetrable.
By 2014, a security firm finally gained access to a server involved in the attack and successfully recovered the encryption keys that were being held, but the attackers still managed to extort close to $3 million before they were shut down.
WannaCry was a 2017 attack that spread across over 150 countries targeting security vulnerabilities in Windows software. The attack infected 230,000 devices worldwide, locking users out of their computers until a Bitcoin ransom was paid.
The WannaCry attack functioned by exploiting an operating system vulnerability that was found to have been present long before the attack, and the event ultimately shed light on the issue of outdated security systems. Globally, WannaCry caused an average of $4 billion in financial losses.
NotPetya was a global 2017 attack that primarily targeted Ukraine. It was initially believed to be a new strain of Petya ransomware—a form of malware that infects a target computer, encrypts its data, and demands a Bitcoin ransom to recover the files. However, NotPetya was later deemed an entirely new strain of ransomware known as a wiper, whose sole purpose is to destroy the compromised data instead of returning it for a ransom.
BadRabbit was a strain of ransomware that infected media companies across Russia and Eastern Europe in 2019. The attack was carried out through the spread of a fake Adobe Flash update that infected victims’ devices upon downloading, directing them to a payment page where a Bitcoin ransom was demanded. Unlike the NotPetya attack, the BadRabbit attack allowed for decryption if the ransom payment was received.
How to Protect Against a Ransomware Infection
As with any cybersecurity threat, prevention methods are almost always better than finding a cure once it’s too late. Follow the prevention best practices below to mitigate the chances of an attack.
- Back up your data: The best way to avoid being permanently locked out of your sensitive files is to be vigilant about periodically backing up your data. It’s best to do this in the cloud or with an external hard drive. If you do experience an attack, you can just wipe your device and restore your files from your backup.
- Protect your email: Email phishing campaigns are one of the most common vehicles for distributing ransomware, so securing your email is critical. On the organizational level, equipping your workforce to recognize suspicious emails can shut an attack down before it can do any damage.
- Keep systems updated: Regularly updating your software is one of the simplest ways to prevent any cyberattack. Every available software update mitigates newly found security vulnerabilities, making it harder for attackers to exploit outdated software.
- Never click suspicious links: Whether it’s an email attachment or a link found online, never click on links in spam messages or unknown websites. Simply clicking a malicious link can initiate an automatic download that infects your computer immediately.
- Don’t disclose personal information: Never respond to emails or text messages from an unknown source requesting personal information, even if they claim to be someone you trust.
- Use security software: Installing trusted security software is one of the easiest ways to keep your data secure. To enhance protection, choose one that offers more than just antivirus features—some have cross-platform threat detection capabilities that can keep all your devices safe.
How to Respond to a Ransomware Attack
If you’ve suffered a ransomware attack, time is of the essence and it’s important to act as quickly as possible. There are a few steps you can take to minimize damage and hopefully recover quickly from the attack.
- Isolate the infected device: To ensure the safety of your network, shared drives and other devices, it’s critical that you disconnect the affected device from the network as soon as possible. This can prevent other connected devices from becoming infected.
- Assess all other connected devices: Isolating the infected device won’t always guarantee that the ransomware doesn’t exist elsewhere on your network. To stop it from spreading, assess all other connected devices and disconnect any that are behaving suspiciously.
- Report to the authorities: Ransomware is a crime like any other that should be reported to law enforcement. Federal authorities may also have access to tools that can help retrieve stolen data and locate the attackers.
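One way to put the “assess all other connected devices” step into practice is to watch for the activity that encryption in progress leaves behind: one host renaming many files with a newly appended extension in a very short time. The script below is an added example, not code from the original article; the audit-log format, hostnames, file names and thresholds are all constructed assumptions, and it reports the hosts a defender should isolate first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log format (assumption): "<ISO timestamp> <host> <action> <path>",
# where a RENAME path field reads "<old> -> <new>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>WRITE|RENAME|DELETE) (?P<path>.+)$")

# Constructed sample lines: ws-12 mass-renames finance files; ws-03 and ws-07 do ordinary work.
SAMPLE_LOG = """\
2024-03-01T09:00:05 ws-07 RENAME /share/hr/report.docx -> /share/hr/report_final.docx
2024-03-01T09:00:10 ws-03 RENAME /share/it/notes.txt -> /share/it/notes.txt.bak
2024-03-01T09:01:00 ws-12 RENAME /share/finance/q1.xlsx -> /share/finance/q1.xlsx.locked
2024-03-01T09:01:01 ws-12 RENAME /share/finance/q2.xlsx -> /share/finance/q2.xlsx.locked
2024-03-01T09:01:01 ws-12 RENAME /share/finance/budget.pdf -> /share/finance/budget.pdf.locked
2024-03-01T09:01:02 ws-12 RENAME /share/finance/payroll.csv -> /share/finance/payroll.csv.locked
2024-03-01T09:01:03 ws-12 RENAME /share/finance/audit.docx -> /share/finance/audit.docx.locked
2024-03-01T09:01:04 ws-12 WRITE /share/finance/README_RESTORE_FILES.txt
2024-03-01T09:01:05 ws-12 RENAME /share/finance/vendors.xlsx -> /share/finance/vendors.xlsx.locked
2024-03-01T09:06:00 ws-03 RENAME /share/it/config.yml -> /share/it/config.yml.bak
"""

def parse_line(line):
    """Return (timestamp, host, action, path), or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["action"], m["path"]

def is_extension_append(path_field):
    """True for a rename of the form old -> old.<suffix>: original name kept, extension bolted on."""
    old, sep, new = path_field.partition(" -> ")
    return bool(sep) and len(new) > len(old) + 1 and new.startswith(old + ".")

def hosts_to_isolate(log_text, window_seconds=60, threshold=5):
    """Map each host with >= threshold suffix-append renames in any window to its largest burst."""
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)  # chronological order
    recent = defaultdict(deque)  # host -> timestamps of suspicious renames still inside the window
    flagged = {}
    for ts, host, action, path in events:
        if action != "RENAME" or not is_extension_append(path):
            continue  # ordinary writes and plain renames are not counted
        q = recent[host]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()  # drop renames that fell out of the sliding window
        if len(q) >= threshold:
            flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged
```

Running `hosts_to_isolate(SAMPLE_LOG)` on the constructed log returns only ws-12, the host that renamed six files in five seconds; a single backup-style rename on ws-03 stays below the threshold.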
Can Ransomware Be Removed?
Ransomware removal depends on the type of ransomware you’re dealing with, and it generally requires security software that was already installed before the attack, but in some cases removal is possible. Here’s what you can do:
- Disconnect the infected device from the internet as soon as possible to prevent the ransomware from spreading.
- Scan for malicious files and remove them using security software. If you’re a victim of screen-locking ransomware, this might not be possible.
- Regain access to your data using a decryption tool provided with your security software. This step will depend on the security software you have.
- Restore your lost files if you have an external data backup.
If you’re unable to perform the above steps, the only remaining option is to reset your computer to factory settings. For further assistance, it’s best to contact your device’s tech support.
Ransomware poses a significant threat to consumers and companies alike, and attackers are carrying out increasingly sophisticated attacks as technology advances. When it comes to protecting yourself, prevention is almost always better than a post-attack cure—this means that educating yourself on ransomware and how to use your devices safely is essential to prevent an attack. For increased security, be sure to have antivirus software on all of your devices to reduce the chance of an infection.