Ransomware: The Complete FAQ

Phishing

Ransomware is destructive – and potentially devastatingly effective. Learn what ransomware is, how it works, some of the most well-known ransomware types and what to do if you find yourself a victim of a ransomware attack.

What is Ransomware?

Ransomware is a type of malicious software designed to block a user’s access to – or take control of – a computer, network, files, etc. It is from the crypto virology strain of malware, meaning the virus uses encryption to prevent users from accessing what has been infected. As the name ransomware suggests, the cybercriminals demand a ransom in return for the decryption key. As a tool used in cybercrime, ransomware can be devastatingly effective. It has widely been cited as the number one cyberthreat, both to businesses and individuals. A ransomware attack could be something broad, like attacking a school district’s systems, or something pertaining to an individual, like encrypting your personal photos and threatening to publish them. Estimates vary, but some estimates put the cost of ransomware attacks at around $20 billion – and that figure is expected to rise in the coming years.

Ransomware vs. Malware

Ransomware is a type of malware. The latter is a broad term used to describe any type of malicious software designed to disrupt a computer, files, server, or network. These include viruses, worms, spyware, adware, and ransomware. As a specific type of malware, ransomware, which is usually encryption-based, is designed to block access to a computer or data. If your computer is not properly protected, all types of malware can be a problem. However, ransomware has become the cybercriminals’ weapon of choice in the last several years.

Is Ransomware a Virus?

The term virus has been widely used as a catch-all term to describe malicious software installed on a computer. However, viruses are but one subset of malware, which can also include worms and Trojans. As such, ransomware isn’t technically a virus, although it can be implemented as one. If that all sounds confusing, think of it this way: Ransomware can be spread by a virus, as well as worms and Trojans, but it is not a virus itself. Some research shows that the most common way of spreading ransomware is through Trojan malware. As the name suggests (it’s taken from the story of the Trojan Horse), the ransomware program lies hidden (perhaps inside a file or within a link) waiting to be activated.

How Does Ransomware Work?

There are basically three stages of a ransomware attack:

Stage 1: Access

This is the point where the ransomware gains access to a target system. This could be caused by clicking a link in a phishing email, or by hackers taking remote access after stealing passwords, or it could be a direct attack on a network’s vulnerabilities, as was used by the WannaCry hackers. These entry points are called infection vectors, and hackers can use individual options or a combination. There are even examples of ransomware groups brazenly trying to bribe employees to install ransomware. It’s worth noting that one of the main attack vectors of ransomware is achieved through social engineering. This is a type of manipulation where cybercriminals coerce individuals to unwittingly do something – like click a malicious phishing link – that installs the ransomware. Some ransomware even has built-in social engineering capabilities that trick the user into granting it administrative access. Using software with anti-phishing protection can help eliminate these social engineering threats, alongside educating yourself and your family on how to spot social engineering scams.

Stage 2: Encryption

This is the point where the ransomware will start encrypting files. One of the reasons ransomware is so effective is that it is often “smart,” carefully selecting the correct files so that the system can still operate. As mentioned, ransomware can lie in wait for a long time, waiting for the opportune moment to encrypt what it wants. It can also take steps to delete backups and other copies of files, making the decryption key seem like the only possible route to get them back. This gives the hackers more leverage for the ransom demands (see below).

Stage 3: Ransom

This is the point where the hackers make their demands. You suddenly find that you are locked out of your computer, or certain files. One of the common ways this appears is through a ransom note on your screen, explaining what you must pay to get the decryption key. Recently, demands in bitcoin have been very common, as the cryptocurrency offers some level of anonymity. The tactics used here are often clever, with hackers sometimes asking for relatively small sums of money, making the user more likely to pay. Of course, the ransom demands will be a lot higher for a business. Nevertheless, the majority of people pay the ransom (58%, according to some studies). But here’s the kicker: The cyberhackers often don’t decrypt the files anyway. Sadly, evidence quoted by Forbes says that 92% of those who do pay the ransom don’t get their data back.

How Does Ransomware Encryption Work?

Ransomware uses a type of cryptography called asymmetric encryption. In the simplest terms, it selects what it wants to encrypt by using a public key generated from another computer. This (the ransomware group’s) computer will hold the private key, which is needed to decrypt the files. It is possible to decrypt without that private key, but it is very difficult and might even cost more than the ransom. That’s one of the reasons ransomware has become so popular among cybercriminals – victims often simply give up and pay.

How Many Ransomware Variants Are There?

In short, a lot. Broadly speaking, there are two main types of ransomware – Locker and Crypto. The former locks users out of a device by blocking access to the interface. Crypto ransomware encrypts files. But within these two broad types of ransomware, there are many different strains. Moreover, new types of ransomware attacks are becoming more common. Double extortion ransomware, for example, has been created to combat organizations’ increased security measures since the high profile WannaCry and NoPetya attacks of the late 2010s, which prompted many businesses to use new backup measures. It acts both to encrypt the files and exfiltrate them, meaning the hackers can leak sensitive data if the ransom is not paid. There’s also the worrying trend of RaaS (Ransomware as a Service), a type of ransomware for hire that any criminal can use to launch a sophisticated attack.

What To Do in the Event of a Ransomware Attack?

There are several steps* you should follow when hacked by ransomware:

*Please note that this is a general guide and that different types of ransomware attacks will require different steps to mitigate the threat. If you are unsure about what to do, contact a cybersecurity professional before you do anything as your actions might make the problem worse. And remember that the best way to deal with a ransomware attack is by stopping it before it happens by using advanced anti-ransomware protection.

Step 1: Identify and Isolate the Impacted Systems

The first action is to prevent the ransomware from spreading. If it’s just one computer, then disconnect it from all power. Unplug it from the wall, remove the battery. If it’s several systems, take the network offline and turn off Wi-Fi. Determine the scale of the problem and try to isolate it as much as possible. If rebooting systems, remember to switch on to Safe Mode.

Step 2: Secure Backups

While backups are not immune to ransomware and are often targeted as part of the attack, make sure backups are secure and disconnect them from the network or lock down access to backup storage.

Step 3: Quarantine Ransomware and Identify Patient Zero

This is an important aspect of ransomware recovery, and it should be left to cybersecurity professionals. Quarantining – as opposed to trying to remove ransomware – is important as it helps identify the strain and can provide information on vulnerabilities, i.e., the source of the infection (patient zero).

Step 4: Dealing with the Ransom

We have more detailed information on whether you should pay a ransomware demand below. But to begin with, you should always report the attack to the authorities. It might help if you take photos of the ransom demands. But rather than deal with the hackers, you should take the advice of police and specialized cybersecurity teams.

Can I Decrypt Hacked Files?

If you are not protected, then you are going to have a lot of difficulties decrypting files. As we have mentioned before, ransomware is popular with cybercriminals as, put simply, it yields results. And we should also stress that removing ransomware does not mean your files will be decrypted. You might have options to restore your systems backups once the ransomware has been removed, but many ransomware attacks target backups too.

Should I Pay Ransomware Hackers?

The short answer is no. There are numerous reasons for this, including the fact that paying the ransom could be deemed illegal as it is funding organized crime. Moreover, paying will further propagate the idea that ransomware is profitable for cybercriminals. But on a more personal note, remember that paying the ransom is no guarantee that you will get the decryption key and access to your data. And even if the hackers do provide it, the key might not work.

List of Ransomware

As mentioned previously, there are many different types of ransomware, many of which evolve and overlap. Some of the important strains and types of attacks are listed below:

AIDS Trojan – one of the earliest identified types of ransomware, created by Dr. Joseph Pop back in 1987.

WannaCry – arguably the most famous type of ransomware worm, which infected outdated versions of Microsoft Windows in 2017.

Petya – a type of ransomware that overrides the computer’s MBR (Master Boot Record), Petya was first discovered in 2016. Another strain, NotPetya, emerged a year later.

Locky – a type of ransomware that spread by email posing as an invoice. It was also discovered in 2016.

Ryuk – famous for its sophistication and the fact it targeted big business, Ryuk made millions of dollars for the cybercrime group Wizard Spider, which was behind the attacks.

Cerber – this ransomware attacked cloud-based Microsoft 365 users and had one of the most sophisticated phishing campaigns as an infection vector.

CryptoLocker – often cited as the father of modern ransomware, CryptoLocker came to prominence in 2013 and unleashed a new zeal for ransomware among cybercriminals.
Several similar variants like CryptoWall have emerged to replace it in recent years.

GoldenEye – similar to Petya, GoldenEye ransomware benefitted from an elaborate campaign to target businesses’ HR departments.

ZoneAlarm (A Check Point Company) website uses cookies to ensure you get the best experience.More info >
Got it, thanks