What is Ransomware?
Ransomware poses a threat to you and your device, but what makes this form of malware so special? The word “ransom” tells you everything you need to know about this pest. Ransomware is extortion software that can lock your computer and then demand a ransom for its release.
What is Ransomware?
Ransomware is malware that employs encryption to hold a victim’s information for ransom. A user’s or organization’s critical data is encrypted so that the victim cannot access files, databases, or applications, and a ransom is then demanded in exchange for restoring access. Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyze an entire organization. It is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting significant damage and expense on businesses and governmental organizations.
How does it work?
Ransomware uses asymmetric encryption: cryptography that uses a pair of keys, one to encrypt and the other to decrypt a file. The attacker generates a unique public-private key pair for each victim, and the private key needed to decrypt the files is stored on the attacker’s server. The attacker makes the private key available to the victim only after the ransom is paid, though as seen in recent ransomware campaigns, that is not always the case. Without access to the private key, it is nearly impossible to decrypt the files that are being held for ransom.
Many variations of ransomware exist. Often ransomware (and other malware) is distributed using email spam campaigns or through targeted attacks. Malware needs an attack vector to establish its presence on an endpoint. After presence is established, malware stays on the system until its task is accomplished.
After a successful exploit, ransomware drops and executes a malicious binary on the infected system. This binary then searches for and encrypts valuable files, such as Microsoft Word documents, images, databases, and so on. The ransomware may also exploit system and network vulnerabilities to spread to other systems and possibly across entire organizations.
Once files are encrypted, ransomware prompts the user for a ransom to be paid within 24 to 48 hours to decrypt the files, or they will be lost forever. If a data backup is unavailable or those backups were themselves encrypted, the victim is faced with paying the ransom to recover personal files.
Types of Ransomware attacks
There are two main classes of ransomware, and both are intended to disrupt business operations for financial gain for the attackers.
- Crypto ransomware: Crypto ransomware prevents access to files or data by encrypting each file with a different randomly generated symmetric key. Each symmetric key is then encrypted with the attacker’s public asymmetric key, so only the matching private key can recover it; attackers then demand the ransom payment in exchange for that private key.
- Doxware: Doxware is a form of crypto ransomware where victims are threatened not only with losing access to their files but also with having their private files and data made public through “doxing”.
- Locker ransomware: Locker ransomware locks the computer or device by preventing users from logging in; an infected machine can display an official-looking message warning the user. This type of malware does not encrypt files on the device.
How do you prevent ransomware attacks?
To protect against ransomware threats and other types of cyberextortion, security experts urge users to do the following:
- Back up computing devices regularly.
- Inventory all assets.
- Update software, including antivirus software.
- Have end-users avoid clicking on links in emails or opening email attachments from strangers.
- Avoid paying ransoms.
- Avoid giving out personal information.
- Do not use unknown USB sticks.
- Only use known download sources.
- Personalize antispam settings.
- Monitor the network for suspicious activity.
- Use a segmented network.
- Adjust security software to scan compressed and archived files.
- Disconnect the computer from the internet after spotting a suspicious process on it.
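The monitoring advice above is easier to act on with a concrete signal. The following is an added example, not code from the original article: a small behavioural check that flags a process which, within a short window, writes high-entropy (encrypted-looking) data to many distinct files and then renames them to a new extension. The event format, process names and the rename-to-new-extension pattern are assumptions for illustration; the events are constructed, not a real capture.

```python
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, ~4-5 for plain text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# Constructed sample events: (time_s, process, op, path, payload).
# op is "write" (payload = bytes written) or "rename" (payload = new path).
CIPHERTEXT = bytes(range(256)) * 2   # stands in for encrypted output (entropy exactly 8.0)
TEXT = b"Quarterly figures and meeting notes for the finance team. " * 8
EVENTS = [
    (0.0, "winword.exe", "write", "C:/Users/a/Documents/notes.docx", TEXT),
    (1.0, "svchost.exe", "write", "C:/Windows/Temp/log.txt", TEXT),
]
for i in range(12):   # one hypothetical process rewriting a dozen files in ~3 seconds
    doc = f"C:/Users/a/Documents/file{i}.xlsx"
    EVENTS.append((2.0 + i * 0.25, "updater.exe", "write", doc, CIPHERTEXT))
    EVENTS.append((2.1 + i * 0.25, "updater.exe", "rename", doc, doc + ".locked"))

def score_processes(events, window_s=10.0, min_files=10, entropy_threshold=6.0):
    """Return processes that, inside any window_s-second window, wrote high-entropy
    data to at least min_files distinct files and renamed them to a new extension."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev[1]].append(ev)
    suspicious = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e[0])
        for i, start in enumerate(evs):
            files, renamed = set(), 0
            for t, _, op, path, payload in evs[i:]:
                if t - start[0] > window_s:
                    break
                if op == "write" and shannon_entropy(payload) >= entropy_threshold:
                    files.add(path)
                elif op == "rename" and path in files and not payload.endswith(path.rsplit(".", 1)[-1]):
                    renamed += 1   # old extension no longer at the end: extension was changed
            if len(files) >= min_files and renamed >= min_files:
                suspicious[proc] = {"files": len(files), "renamed": renamed}
                break
    return suspicious

if __name__ == "__main__":
    print(score_processes(EVENTS))
```

Real deployments would feed this from an EDR or file-system audit stream; the thresholds are starting points to tune against normal activity such as backup or archiving jobs, which also write high-entropy data.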
While ransomware attacks may be nearly impossible to stop, individuals and organizations can take important data protection measures to ensure that damage is minimal and recovery is as quick as possible. Strategies include the following:
- Compartmentalize authentication systems and domains.
- Keep up-to-date storage snapshots outside the primary storage pool.
- Enforce hard limits on who can access data and when access is permitted.
Why is ransomware spreading?
Ransomware attacks and their variants are rapidly evolving to counter preventive technologies for several reasons:
- Easy availability of malware kits that can be used to create new malware samples on demand
- Use of legitimate general-purpose interpreters to create cross-platform ransomware (for example, Ransom32 uses Node.js with a JavaScript payload)
- Use of new techniques, such as encrypting the complete disk instead of selected files
Today’s thieves don’t even have to be tech-savvy. Ransomware marketplaces have sprouted up online, offering malware strains for any would-be cybercrook and generating extra profit for the malware authors, who often ask for a cut in the ransom proceeds.
Conclusion
Ransomware in all its forms and variants poses a significant threat both to private users and companies. This makes it all the more important to keep an eye on the threat it poses and to be prepared for all eventualities. It is therefore essential to learn about ransomware, be highly conscious of how you use devices, and install the best security software.