What is Ransomware?
Ransomware is malware that encrypts a victim’s files and systems, preventing you from accessing them. The attacker then demands a ransom from the target to restore access to the files.
In ransomware attacks, hackers display instructions on how victims can pay the ransom in exchange for the decryption key.
- Ransomware is a form of malware that encrypts user files until a victim pays a ransom
- Ransomware infects computers through phishing, malvertising, or exploiting other security holes
- Ransomware from phishing emails increased 109 percent between 2017 and 2019
- Ransomware targets both businesses and individuals, but the attack is more prevalent in organizations that are willing to pay huge ransoms to prevent loss of revenues caused by system disruptions
- Keeping an updated backup of your systems and information can help reduce the impact of ransomware attacks
Cybercriminals create 1.5 million new phishing sites every month. Ransomware attacks increased over 97 percent in 2017 and 2018. Thirty-four percent of businesses hit with malware took a week or more to regain access to their data.
How Does Ransomware Infect Your Computer?
Hackers use different methods to infect your devices with ransomware. Some ransomware attack vectors include:
- Phishing – cybercriminals send emails containing attachments and URLs masquerading as information victims trust. As soon as you download the attachment or visit the URL, ransomware takes over your computer
- Malvertising – hackers use malicious advertising to distribute malware, even without user interaction. Malvertising can redirect victims to criminal servers without them ever clicking an ad. The servers catalogue the victim’s computer details before delivering the ransomware
- Unpatched Software – hackers can exploit vulnerabilities in outdated operating systems and applications to deliver ransomware
The threat actor presents a message explaining that the victim’s files are inaccessible. The hacker promises to share a decryption key once the target sends an untraceable Bitcoin payment.
Types of Ransomware
- Scareware – this form of ransomware includes rogue security software and tech support scams. Hackers send pop-up messages claiming that a victim’s device has malware, and the only way to eliminate it is to pay
- Screen lockers – this ransomware freezes users out of their computers entirely. Once you start the computer, a full-size screen appears with an official-looking FBI or US Department of Justice seal indicating that ‘authorities’ have detected illegal activities on your computer and that you must pay a fine
- Encrypting ransomware – this is nasty malware that snatches up victims’ files and makes them unreadable. Once encrypting ransomware infects your computer, no security software can remove it unless you pay the ransom
Impact of Ransomware
If ransomware takes over your computer, the malware encrypts some or all of the files. Victims cannot open the files without the decryption key, which is held by the attacker. Ransomware targets many kinds of files, including documents, databases, source code, and media files.
SamSam, NotPetya, WannaCry, and other well-known ransomware families targeting businesses translate into big payoffs for hackers and enormous losses for companies. The average cost of a data breach, including ransom payout, penalties, and remediation, is approximately $3.86 million.
A ransomware attack can knock out essential services. For instance, the 2018 SamSam incident crippled essential services in the City of Atlanta, including police record-keeping and revenue collection systems.
Attackers employ different ways to select ransomware victims. The most popular approach is a matter of opportunity: an attacker targets institutions with inadequate security capabilities and a disparate user base.
Ransomware authors also target regular people. However, attackers realized the full potential of ransomware when they targeted business systems.
Apart from businesses and individuals, hackers target specific entities like medical facilities and government agencies that need immediate access to files and systems.
Geographically, ransomware threat actors focus on western markets, with the US, UK, and Canada ranking as the top three targeted countries, in that order. Since ransomware attackers are financially motivated, they look for areas with wide PC adoption and wealth.
Preventing Ransomware Attacks
You can take the following measures to prevent ransomware attacks:
- Patch or update your operating systems to eliminate vulnerabilities that hackers can exploit to launch ransomware attacks
- Do not install software from unknown sources
- Do not give applications administrative privileges unless you have done adequate due diligence
- Install and update antivirus programs that detect and block malicious software
- Whitelist software to prevent unauthorized applications from executing
- Back up your files frequently to a separate location. You can use cloud-based storage that offers strong security controls such as multi-factor authentication and advanced encryption
What Should You Do if You are Infected?
- Never Pay the Ransom
If you discover you are infected with ransomware, never pay the ransom. Giving hackers money encourages them to launch additional attacks on your systems.
- Use a Decryptor
You can use widely available decryptors to retrieve your files. Examples of free ransomware decryption tools include the 7even-HONE$T decrypting tool, Alma decrypting tool, Alpha decrypting tool, Shade Decryptor, Rakhni Decryptor, Rannoh Decryptor, CoinVault Decryptor, Wildfire Decryptor, Xorist Decryptor, and the WannaCry decryption tool.
Always pay close attention when choosing a decryption tool, because the wrong decryptor can damage your files further.
- A Full System Restore
You can remove screen-locking ransomware through a full system restore. If the OS fails to boot, you can run a scan from a bootable CD or USB drive.
- System Isolation
You can thwart encrypting ransomware by disconnecting and shutting down a system that slows down for no apparent reason. Disconnecting the targeted device from the Internet prevents hackers from sending instructions from the command and control server.
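As an added example that is not part of the original article, the following defender-side check turns two indicators the article mentions into something measurable: encrypting ransomware leaves files unreadable (near-random bytes) and typically renames them, and a host showing that pattern across many files is a candidate for isolation. The `.locked` suffix, the sample files, the known-extension list and the thresholds are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Constructed sample inputs (not real ransomware output): two ordinary documents
# and two files renamed with an assumed ".locked" suffix whose bodies are uniformly
# distributed bytes, which is how encrypted content looks to an entropy check.
SAMPLE_FILES = {
    "report.docx": b"Quarterly report: revenue up, costs flat. " * 40,
    "notes.txt": b"meeting notes\n" * 50,
    "budget.xlsx.locked": bytes(range(256)) * 8,
    "photo.jpg.locked": bytes((i * 37) % 256 for i in range(2048)),
}

# Assumed allow-list of extensions the organisation expects to see.
KNOWN_EXTENSIONS = {".docx", ".txt", ".xlsx", ".jpg", ".pdf", ".db", ".zip"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text usually scores around 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_encrypted(name: str, data: bytes, entropy_threshold: float = 7.5) -> bool:
    """Flag a file only when BOTH signs are present: unknown extension and
    near-random body. Requiring both avoids false alarms on legitimate
    compressed files (archives, images) that are also high entropy."""
    _, ext = os.path.splitext(name)
    return ext.lower() not in KNOWN_EXTENSIONS and shannon_entropy(data) >= entropy_threshold

def scan_directory(path: str) -> dict:
    """Walk a directory and report how many files look encrypted-and-renamed."""
    suspicious, total = [], 0
    for root, _, files in os.walk(path):
        for name in files:
            total += 1
            with open(os.path.join(root, name), "rb") as fh:
                data = fh.read(65536)  # the head of the file is enough for an estimate
            if looks_encrypted(name, data):
                suspicious.append(name)
    ratio = len(suspicious) / total if total else 0.0
    return {"total": total, "suspicious": sorted(suspicious), "ratio": ratio}

def should_isolate(result: dict, ratio_threshold: float = 0.25) -> bool:
    """Isolation decision (assumed policy): a quarter or more of scanned files affected."""
    return result["ratio"] >= ratio_threshold

def demo() -> dict:
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return scan_directory(tmp)
```

Run `demo()` to see the scan result; in practice the scan would be scheduled against user data shares and `should_isolate` would feed the network-disconnection step the article describes.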