What is Ransomware? An Easy-to-Understand Guide
Ransomware, or ransom malware, is a type of malware used to prevent access to computer systems by infecting them with a virus and threatening not to remove it until demands are met. In most cases, the ransom is monetary, with payment demanded in cryptocurrency (e.g., Bitcoin). Depending on the type of ransomware malware, denial of access could be permanent if the ransom is not paid.
Ransomware has wreaked havoc on organizations and individuals for more than 30 years. In 1989, Joseph L. Popp, a Harvard-educated biologist, introduced a Trojan by sending 20,000 compromised diskettes named “AIDS Information—Introductory Diskettes” to attendees of a World Health Organization AIDS conference.
The Trojan encrypted file names on the computers and hid directories for the systems where users inserted the diskette. Then, a message popped up, telling users to pay $189 to PC Cyborg Corp. (by mail to a PO box in Panama) to have their systems decrypted.
Ransomware criminals are as varied as their approaches and targets. However, what remains consistent about ransomware is that small and medium businesses are the target of the bulk of attacks, because they lack the depth of security infrastructure that larger organizations have, making them easier targets.
Ransomware is used by individuals, small groups, and crime syndicates. The accessibility and ease of use make it readily accessible as would-be criminals can buy ransomware on the dark web or use ransomware-as-a-service.
The primary roles in a ransomware operation are:
- Ransomware procurement (create it or buy it) and hosting
- Campaign development and execution
- Payload collection and distribution
The more committed cybercriminals band together in networks to leverage reach, resources, and skills. The way these ransomware networks organize differs, but the three most common structures are:
1. Consolidated ownership and operations
One organization or individual controls all three operational functions and keeps 100% of the profits.
2. Channel-styled operations
The lead organization handles ransomware procurement and hosting as well as payment collection and distribution. Campaign development and execution, or the spread of ransomware, is managed by a third-party organization or individual who generally receives 50-75% of the profits. This model is popularly known as ransomware-as-a-service.
3. Ransomware infrastructure-in-a-box
A third-party service provider packages and sells the bundle of products and services needed to launch ransomware attacks and collect payment. Then the attacker procures the ransomware, buys the bundled solution, and keeps 100% of the profits.
Let’s jump in and learn:
How Ransomware Works
There are three main types of ransomware, ranging from annoying to potentially devastating:
- 1. Scareware Ransomware
Scareware malware tricks users into believing that their system is infected and they need to purchase a product to repair it. Users are inundated with pop-up notifications intended to bully them into buying the fake solution. While the pop-ups are annoying, there is no underlying threat to the systems until users click on their malicious links.
- 2. Screen Lockers or Locker Ransomware
Screen locker ransomware is a form of malware that freezes users out of their systems. It blocks them from logging in or accessing files. Payment is demanded to regain access.
A common tactic for locker ransomware is to put an official-looking seal on the page (e.g., FBI or US Department of Justice) with a note stating that illegal activity has been detected on the computer and the user must pay a fine. Screen locker ransomware uses non-encrypting malware to lock the infected computer.
- 3. Encrypting Ransomware or Crypto Ransomware
Encryption ransomware is a form of malware that uses complex algorithms to lock all data on the targeted system. The danger of crypto ransomware is that it usually cannot be decrypted without a key.
Two signs a system may have been infected by ransomware:
- 1. The screen is locked and shows a message about how to pay to unlock the system, and/or the file directories contain a “ransom note.”
- 2. Files have a new extension appended to the file names, such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky, or 6-7 length extension consisting of random characters.
Ransomware Entry Points
Ransomware depends not on the complexity of its code, but the vulnerabilities of its targets. At its core, ransomware is a worm looking for a hole. Preparation for a near-inevitable ransomware attack helps to prevent the malware from breaching systems and closing holes.
Many organizations have porous security perimeters, especially considering the spike in remote workers. However, ransomware usually finds easier access, entering from a download delivered via a phishing email, because that point of entry requires the least effort on the part of the attacker.
The ransomware appears as a link or attachment, often from a known source, with an enticement to click it. The attachment or link is an executable file that unleashes the ransomware.
Inadvertent downloads of malware from an infected website—sometimes executed by clicking, others by simply landing on the site—are also popular attack points for ransomware. (This includes chat and social media messaging.) This stealthy ransomware enters systems through vulnerabilities in various browser plugins, with the delivery mechanism being merely visiting a website.
This ransomware, known as drive-by ransomware, is delivered in the background, often without the user being aware of it. Other entry points include good old-fashioned social engineering and malware carried on USB drives.
More sophisticated ransomware attacks take advantage of backdoors or vulnerabilities in systems and networks. Attackers probe targets to find weaknesses in security systems, such as lapsed patches and updates, gaps in the configuration of security tools, and non-secure remote users.
Ransomware Attack Profiles
Ransomware attacks do not necessarily begin at the time of entry. Often, ransomware works quietly, without users noticing it. It lurks in the background while it prepares for its attack on the point-of-entry system or spreads across the network to other systems before activating and making its presence known.
Sometimes ransomware lies dormant after download or downloads in segments to avoid detection. Regardless of its download timeline, once file lockdown begins, ransomware acts quickly—taking between 18 seconds and 16 minutes to encrypt 1,000 files.
Ransomware has two approaches to encryption: Simpler versions use the encryption functions on Windows and Unix, including macOS and Linux, while more sophisticated ransomware uses custom encryption implementations to bypass security software.
“Off-the-shelf” open-source projects offer packaged ransomware. No matter the type of ransomware attack, once files are encrypted, no one can decrypt them without the attacker’s decryption key.
After files are locked down, the ransomware presents a message (i.e., a ransom note) that tells users:
- What has occurred
- The amount and currency of the ransom
- Where to send the payment
- What will happen if the ransom is not received
Ransom notes usually reveal the type of ransomware used for the attack.
Who Does Ransomware Target?
Attackers can be loosely classified into two groups, based on their typical ransomware targets:
- 1. Big-game hunters
They target organizations with high-value data or assets, especially those sensitive to downtime, as they are more likely to pay a ransom.
- 2. Spray and pray attackers
This approach directs attacks at an acquired list of emails or compromised websites. These smaller, generic ransomware attacks cause significant harm and disruption because of their scale.
Five types of organizations that are prime ransomware targets are:
- 1. Professional services
Service-oriented businesses, such as real estate, accounting, law firms, and other small-to-medium-sized businesses have been ransomware targets.
- 2. Healthcare
Sensitive information makes hospitals and clinics ransomware targets. Both must have electronic medical records accessible to administer and monitor patient care.
- 3. Education
Public school districts, trade schools, colleges, and university systems have all been ransomware targets. All are susceptible because of disruption to classes and the sensitive student data that they store.
- 4. Manufacturing
Manufacturers have been targeted for ransomware attacks because many require operations to run factory production lines around the clock. Disruption would create impacts across the supply chain.
- 5. Infrastructure
Industrial control systems (ICS) are ransomware targets because of their wide-ranging dependencies. Holding critical infrastructure hostage could put access to energy, water, and other utilities at risk.
How to Prevent Ransomware
The most effective way to prevent ransomware attacks is with a combination of technology and user training. While technology is an excellent way to prevent a ransomware attack, people can undermine even the most sophisticated cybersecurity tools.
- Engage users
Ongoing training coupled with continual education and awareness messages help users to not only understand ransomware threats, but learn how to avoid and prevent potential attacks.
- Take advantage of technology
In addition to solutions for general data protection with detection, monitoring, and response capabilities, consider multi-layered ransomware protection solutions.
- Perform back-ups
Schedule regular back-ups and, if possible, encrypt and isolate back-ups to protect them from network breaches.
- Segment networks
Protect IT systems by controlling the flow of traffic between networks and subnetworks to prevent unauthorized lateral movement.
- Install all patches
Keep computers, networks, mobile devices, and other systems safe from known vulnerabilities by installing patches when they become available.
Ransomware removal approaches vary depending on the type of attack. Following is an overview of tactics for ransomware removal.
How to Remove Screen Locker Ransomware
Most screen locker ransomware can be taken care of with removal tools. There are a number of free removal tools made available by vendors who support the fight to put a stop to the profitability of ransomware.
How to Remove Encrypting or Crypto Ransomware
First, neutralize the malware with antivirus or other programs. In the case where backups exist, programs can be executed to scan systems and delete the ransomware malware. Once the ransomware has been removed, files can be restored from backups.
If there is not a backup for the infected systems, ransomware recovery is more complicated, and success is not guaranteed. Use a tool to scan the system and identify the specific strain of ransomware.
In some cases, there are remedies to remove the malware. If not, a ransomware decryptor tool can be used. This searches for and applies decrypting keys, which are available for free for certain types of ransomware.
If a decryption key is not found, there are two options:
- Put your data “on hold” and wait for a solution for that specific ransomware type.
- Evaluate the need to pay the attacker’s ransom.
- The number of ransomware attacks increased by more than 150% over the past year, and these attacks are projected to cost businesses $11.5 billion, in addition to the cost of loss of customer and partner trust.
- North America was the most targeted geographic region, with 66% of one research company’s ransomware alerts coming from organizations in North America.
- In professional services, more than 70% of ransomware incidents involved companies with fewer than 1,000 employees, and 60% had revenues of less than $50 million.
- More than 18 million patient records were impacted by ransomware attacks on healthcare organizations, a 470% increase with an estimated cost of almost $21 billion.
- The education sector reported 31 ransomware incidents in Q3 2020, a 388% increase between the second and third quarters of 2020.
- The number of reported ransomware attacks on manufacturing entities more than tripled in 2020 compared to the previous year.
- Ransomware attacks against industrial entities jumped more than 500 percent over the last two years (as of 2020).
How to Respond to Ransomware
Ransomware is a frightening prospect, and time does matter in terms of a response. However, it is important to consider how to respond to ransomware before taking action.
If ransomware is detected, a few pre-remediation steps can help with overall recovery.
- 1. Immediately disconnect the infected device.
- 2. Create a system backup
- 3. Disable any cleanup or system optimization software.
- 4. Identify the type of ransomware.
- 5. Record evidence of the ransomware attack.
Should Organizations Pay the Ransom?
Generally, security experts and law enforcement agencies do not support paying ransom in response to a ransomware attack. The primary reason is that there is no guarantee that the files will be released and the extortion will stop. According to the FBI, “It does not guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.” And, organizations that pay ransom are frequently subjected to future attacks, simply because they demonstrate a willingness to negotiate financially with the attackers.
There are a number of industry and government organizations fighting ransomware. An example of a joint effort is “No More Ransom,” an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky, and McAfee. The group’s goal is to stop the payment of ransom by helping retrieve their encrypted data without having to pay ransom after an attack.
- Discovered in August 2020
- Caused massive gasoline shortages at U.S. east coast gas stations in a 2021 attack and stole a large amount of data from a chemical distribution company the following month
- Ransom of nearly $5 million paid, with the majority later recovered by the Justice Department
REvil (a.k.a. Sodin and Sodinokibi)
- Discovered in April 2019
- Encrypts victims’ files very quickly
- Doubles ransom demand if not paid in time
- Operates via ransomware-as-a-service
- Launched an auction site to sell stolen data
- Discovered in January 2020
- Targets industrial control systems (ICS), making installed automated devices became non-operational by stopping operations and processes
- Includes a static “kill list” that stops many anti-virus solutions
- Evades detection by modifying file extensions with a hexadecimal, five-random character string rather than following a uniform extension
- Believed to be the first for-profit ransomware designed to shut down specific processes used in ICS
NetWalker (a.k.a. Mailto)
- Discovered in September 2019
- Spreads through a VBS script that is attached to phishing emails and executable files that spread through networks
- Appends files with a random character string extension
- Operates as ransomware-as-a-service
- Discovered in April 2019
- Spawned at least eight variations
- Provides a payment portal where victims can see the amount of ransom, the countdown, and the Bitcoin wallet address
- Shares most of its code with the BitPaymer ransomware
- Launched a site to shame victims who do not pay a ransom and to publish their data
Maze (previously known as ChaCha)
- Discovered in May 2019
- Launches attacks by using exploit tools called Fallout and Spelvo
- Targets Windows systems in large organizations
- Encrypts and exfiltrates data with a threat to publish the information if the ransom is not paid
- Considered one of the most notorious strains of ransomware
- Discovered in December 2019
- Targets remote management software (RMM), software commonly used by managed service providers, to prevent attacks from being detected and stopped
- Takes victims’ files before encrypting them and threatens to publish the files if the ransom is not paid
- Distributes ransomware payloads via virtual machines
- Utilized Facebook ads to pressure a victim into paying a ransom
- Discovered in February 2019
- Adds the “.clop” extension to every encrypted file
- Publishes the data on a leak site called ‘CL0P ^ _- LEAKS’ if the ransom is not paid
- Deactivates local security systems such as Windows Defender and Microsoft Security Essentials to expand the scale of the attack
- Distributed via fake software updates, trojans, cracks, and unofficial download sources
- Discovered in March 2020
- Threatens victims with publishing sensitive data if they do not pay the ransom
- Encrypts victims’ data by using the vulnerability of a remote desktop network and VPN
- Discovered in August 2018
- Considered one of the largest and most active ransomware-as-a-service operators
- Targets large enterprises and government agencies
- Compromises systems using TrickBot, a malware Trojan
- Discovered in December 2019
- Targets education and software industry
- Deployed in a Trojanized version of Java Runtime Environment and compiled in ImageJ
- Attacks Windows and Linux using the Java image format as part of the attack process
- Denies access to the administrator after it infects the system by accessing file servers and the domain controller
- Discovered in May 2020
- Described as human-operated ransomware, with attackers researching targets
- Accumulates network access and maintains persistence on target networks
- Stays dormant until the best time to execute for the most financial gain is determined
- Bypasses event logging using a deployed remote manipulator system
Zeppelin (previously Vega or VegaLocker)
- Discovered in November 2019
- Designed to stop running on machines that are based in Russia
- Operates as ransomware-as-a-service
- Targets technology and healthcare companies in Europe and the US
- Believed to have conducted attacks through managed security service providers (MSSPs)
- Discovered in July 2019
- Infects organizations through unprotected or poorly secured RDP ports
- Disables Volume Shadow Copy Service (VSS) to make data recovery difficult
- Ignores critical system files and objects stored in the Sample Music folder
- Targets corporate environments
- Discovered in January 2019
- Affects enterprise networks previously compromised by Qakbot and Emotet Trojans
- Targets businesses located in the US, Canada, the Netherlands, and France
- Leverages automated and manual components in its attacks
- Uses a signed executable as part of the payload
- Offers security consulting services
- Discovered in March 2020
- Follows the big-game-hunting approach, targeting large companies and government networks with substantial uptime requirements
- Deployed on networks previously infected with the Qakbot trojan
- Utilizes the CVE-2019-0859 Windows vulnerability to gain administrator-level access on infected hosts
- Known for seeking high ransoms, as high as $3 million
- Discovered in January 2020
- Configured to overwrite the master boot record (MBR), a more destructive approach to ransomware than typical approaches
- Offered as ransomware-as-a-service with a private ransomware builder that can be used to generate new Thanos ransomware clients based on forty-three configuration options
- Steals and encrypts files, and changes file extensions to .crypted
- Discovered in March 2016
- Targets Microsoft Windows-based systems, infecting the master boot record to encrypt the hard drive’s file system table and prevent Windows from booting
- Infected millions of people during the first year of its release
- Considered the first ransomware-as-a-service
- Morphed into NotPetya, which was released in June 2017
Understand Ransomware to Fight It
Ransomware has the attention not just of IT, but of executive teams. It ranks among the top priorities for business and IT leaders. To fight ransomware, organizations must understand:
- Perpetrators and how they operate
- How ransomware works
- Prevention tactics
- Remediation and best practices for an effective response
- Ongoing monitoring and maintenance considerations
A proactive approach to ransomware prevention can significantly reduce the risk of attack. However, in the event of an attack, planning is the best front-line defense. Effective response procedures expedite containment of the incident, prevent data loss, and streamline the recovery process.
When assessing security as it relates to ransomware, remember content protection and governance. Machines can be replaced, but content may be difficult or impossible to recover. Securing content and providing granular access if a rollback is required enables business continuity after a ransomware attack.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 5th August, 2021