What is Ransomware?

Ransomware is a type of malware (malicious software) that may present itself in a few different ways, affecting individual systems as well as networks of businesses, hospitals, airports, and government agencies.

Ransomware is being constantly improved and is getting more and more sophisticated since the first registered occurrence, in 1989. While simple formats are, typically, non-encryption ransomware, modern ones make use of cryptography methods in order to encrypt files, making them inaccessible. Encryption ransomware may also be used on hard drives as a way to completely lock a computer operating system, preventing the victim from accessing it. The final goal is to convince victims to pay for a decryption ransom - which is usually asked in digital currencies that are difficult to trace (such as Bitcoin or other cryptocurrencies). However, there is no guarantee that payments will be honored by the attackers.

The popularity of ransomware has grown significantly in the last decade (especially in 2017) and as a financially motivated cyber attack, it is currently the most prominent malware threat in the world - as reported by Europol (IOCTA 2018).





How victims are made?

Phishing: a recurrent form of social engineering. In the context of ransomware, phishing emails are one of the most common forms of malware distribution. The victims usually get infected through compromised email attachments or links that are disguised as legitimate. Within a network of computers, one single victim can be enough to compromise a whole organization.

Exploit Kits: a package made of various malicious tools and pre-written exploit code. These kits are designed to exploit issues and vulnerabilities in software applications and operating systems as a way to spread malware (insecure systems running out-of-date software are the most common targets).

Malvertising: attackers make use of advertising networks to spread the ransomware.





How to protect yourself from ransomware attacks?

Use external sources to back up your files regularly, so you are able to restore them after a potential infection is removed;

Be cautious with email attachments and links. Avoid clicking on ads and websites of unknown source;

Install a trustworthy antivirus and keep your software applications and operating system up to date;

Enable ‘show file extensions’ option in the Windows settings so you can easily check the extensions of your files. Avoid file extensions like .exe .vbs and .scr;

Avoid visiting websites that are not secured by the HTTPS protocol (i.e. URLs that begin with “https://”). Keep in mind, however, that many malicious websites are implementing the HTTPS protocol in order to confuse the victims and the protocol alone does not guarantee that the website is legitimate or safe.

Visit NoMoreRansom.org, a website created by law enforcement and IT security companies working towards the disruption of ransomware. The website offers free decryption toolkits for infected users as well as prevention advice.





Ransomware examples

GrandCrab (2018)

First seen in January 2018, the ransomware made over 50,000 victims in less than a month, before being disrupted by the work of Romanian authorities along with Bitdefender and Europol (a free data recovery kit is available). GrandCrab was spread through malvertising and phishing emails and was the first known ransomware to demand a ransom payment in DASH cryptocurrency. The initial ransom varied from 300 to 1500 US dollars.





WannaCry (2017)

A worldwide cyberattack that infected over 300,000 computers in 4 days. WannaCry propagated through an exploit known as EternalBlue and targeted Microsoft Windows operating systems (most affected computers were running Windows 7). The attack was stopped due to emergency patches released by Microsoft. US security experts claimed that North Korea was responsible for the attack, although no evidence was provided.





Bad Rabbit (2017)

A ransomware that was spread as a fake Adobe Flash update that was downloaded from compromised websites. Most infected computers were located in Russia and the infection was dependent on manual installation of a .exe file. The price for decryption was roughly 280 US dollars at the time (0.05 BTC).





Locky (2016)

Usually distributed by email as an invoice requiring payment that contained infected attachments. In 2016, the Hollywood Presbyterian Medical Center was infected by Locky and paid a 40 BTC ransom (17,000 US dollars back then) in order to regain access to the hospital's computer systems.



