Ransomware

Ransomware is a type of malicious software that blocks access to a target system until a ransom has been paid. There are hundreds of ransomware variants in existence, which collectively generate millions of dollars annually for cybercrime groups.

Ransomware is considered one of the most serious cyber threats in the world today – and every single incident can have a profound impact. For individuals, a ransomware infection may mean the loss of important documents and cherished photographs; for businesses, it may mean prolonged downtime, significant reputational loss and financial ruin.

This page discusses ransomware in general. For information on specific ransomware strains and ransomware droppers, please see the following links:

What is ransomware?

Ransomware is a type of malware that prevents users from accessing their system until a ransom is paid.

Most modern strains of ransomware work by encrypting data on the target system and demanding that the victim pay the ransom in a cryptocurrency.

The ransom amount varies significantly, depending on the target. Home users may be forced to pay hundreds of dollars to regain access to their systems, while small businesses, enterprises and government agencies may face five-, six- and seven-figure ransom demands. After the payment has been received, the cybercriminals send a decryption key to the victim, which – in theory, at least – allows the user to regain access to the encrypted data.

Ransomware attacks are typically financially motivated and can generate millions of dollars for cybercrime groups while causing widespread disruption to affected organizations.

Types of ransomware

  • Crypto ransomware

    The majority of modern ransomware falls into the category of crypto ransomware, which encrypts data and prevents users from accessing their files unless they pay the ransom. If the victim fails to pay by the specified deadline, the ransom amount may increase or the encrypted data may be deleted. When the encryption is properly implemented, the data cannot be recovered without paying for the attacker-supplied decryption key.

  • Screen lockers

    Screen lockers prevent users from accessing their systems and demand payment to restore access. However, unlike crypto ransomware, screen lockers do not actually damage or encrypt data. Screen lockers can be extremely annoying, but remediation is usually simple and regaining system access is almost always possible.

  • Scareware

    Scareware uses basic social engineering techniques to scare users into making payments. Common examples of scareware include rogue security software and tech support scams, which claim to detect an issue with a user’s system and request a payment to resolve the problem.

  • Mobile device ransomware

    This type of ransomware is usually delivered through malicious apps and phishing links. Mobile device ransomware typically uses scareware tactics to inform users that their device has been locked due to illegal activity and that payment must be made to restore access.

How does ransomware spread?

Cybercriminals use a variety of techniques to distribute ransomware, including:

  • Remote desktop protocol (RDP)

    RDP, a communications protocol that enables a user to establish a remote connection to another computer, is one of the most common attack vectors. Attackers use RDP to gain access to a system by exploiting security vulnerabilities or by obtaining login credentials through brute-force attacks or stolen passwords. After obtaining access, threat actors can elevate their privileges, deploy ransomware and leave backdoors that can be used for future attacks.

  • Phishing emails

    Ransomware is commonly distributed through phishing emails, which often use evocative wording and familiar branding to encourage the recipient to click on a malicious attachment or URL. Once the malicious file has been opened, the ransomware may be deployed immediately; alternatively, attackers may wait weeks after the initial point of infection to encrypt the target’s files.

  • Drive-by downloads

    Drive-by downloads are downloads that occur without the user’s knowledge or consent. Ransomware distributors utilize drive-by downloads by inserting malicious code into legitimate websites. When a user visits the compromised website and views the malicious content (often an advertisement), the payload is executed automatically without any input from the user.

  • Infected software

    Certain strains of ransomware, such as the prolific STOP Djvu, spread through pirated software. When a user installs the software, they inadvertently deploy the hidden ransomware.

See this blog post for additional information on common ransomware infection methods.

Who does ransomware target?

In the early days of ransomware, cybercriminals were indiscriminate in their attacks. From 2013 to 2017, almost anyone with an Internet connection was a potential target, and millions of home users around the world fell victim to ransomware.

However, attackers have become increasingly selective over the years, and the focus has steadily shifted from home users to small businesses, enterprises, large organizations and government agencies. Today, ransomware groups tend to focus on organizations with valuable data assets – targets that have the resources and motivation to comply with ransom demands.

  • Healthcare: Healthcare is one of the most frequently targeted sectors. Ransomware groups understand that encrypting patient data and disrupting healthcare systems can endanger lives, which puts pressure on hospitals, healthcare centers and aged care facilities to quickly pay the ransom. Healthcare organizations often rely on outdated IT systems and a wide range of Internet-connected devices that may be vulnerable to exploitation.

  • Enterprises: Large companies may be inclined to pay for decryption keys in order to resume operations as quickly as possible and avoid costly reputational damage. The downtime associated with a ransomware incident can cost multinationals millions of dollars per day.

  • Government agencies: Local governments are vulnerable to compromise as they often lack the resources to adhere to best security practices and, due to offering many public-facing services, typically have a larger attack surface than private organizations. In addition, government agencies have a strong incentive to pay, as disrupted services can have far-reaching effects on citizens.

  • Small businesses: Small and medium-sized businesses (SMBs) remain a popular target as they often hold valuable data yet typically lack the IT infrastructure and security expertise of larger companies. The data stolen in a ransomware incident can be used to fuel additional campaigns against the compromised SMB’s partners, suppliers and customers, which has contributed to the increase in attacks on managed service providers (MSPs). Law and accounting firms are also common targets.

Geographically, ransomware attacks are concentrated in Western nations such as the U.K., the U.S., Canada and Australia, which have a high rate of PC penetration, Internet connectivity and economic wealth. However, any nation can potentially be impacted by ransomware.

Notable ransomware attacks

Millions of ransomware attacks take place every year, with total ransom demands exceeding an estimated $25 billion. Below are some of the most notable incidents.

  • CryptoLocker

    While ransomware had existed in some form since the late 1980s, CryptoLocker was the first large-scale ransomware operation and the first variant to utilize cryptocurrency as a form of payment. Between September 2013 and May 2014, CryptoLocker generated about $27 million for its operators. In May 2014, law enforcement agencies brought down the Gameover ZeuS botnet that had been used to distribute CryptoLocker and obtained a database of private decryption keys, which allowed victims to recover their files for free.

  • WannaCry outbreak

    In May 2017, a strain of ransomware known as WannaCry impacted more than 200,000 computers across 150 countries. The ransomware encrypted files and demanded $300-$600 in bitcoin. WannaCry propagated through EternalBlue, an exploit discovered by the U.S. National Security Agency, and affected systems that had not installed Microsoft’s April 2017 security update.

  • NotPetya outbreak

    In June 2017, NotPetya affected more than 80 companies in Ukraine, as well as organizations in Russia, the U.S., the U.K. and other parts of Europe. In contrast to most ransomware attacks, the goal of NotPetya was economic destruction rather than financial gain, leading experts to conclude that it was probably created by Russian military hackers to destabilize Ukraine’s financial systems.

  • RobbinHood attack on Baltimore

    In May 2019, the city of Baltimore was infected with RobbinHood, which disrupted almost every government department. Communication systems were brought offline, real estate sales were delayed and payment systems used for water bills, property taxes and parking tickets were disabled. The city refused to pay the $75,000 ransom, resulting in recovery costs of more than $18 million.

  • Sodinokibi attack on 22 Texas towns

    In August 2019, attackers leveraged an IT company’s remote management software to deploy Sodinokibi/REvil to 22 Texas towns. Attackers asked for a collective ransom of $2.5 million paid in bitcoin, but none of the municipalities complied. Some cities were able to restore their systems from backups, while others were forced to rebuild networks from scratch.

Ransomware incidents are data breaches

Modern ransomware incidents should be considered data breaches. In the past, threat actors were not concerned with extracting data from targets – they simply encrypted the data and demanded a ransom for its return.

This changed in November 2019 when the Maze ransomware gang published on the clear web the stolen data of a victim that refused to pay the ransom. Since then, many ransomware groups have followed in Maze’s footsteps, using stolen data as leverage to encourage ransom payments, and publicly leaking the data of organizations that refuse to cooperate.

Organizations that experience a ransomware incident must assume their data has been compromised. This carries a number of implications:

  • Leverage

    The added threat of publicly leaking files may result in more organizations cooperating with threat actors, which may encourage further attacks.

  • Spear phishing

    The data stolen in ransomware incidents can be used to carry out highly targeted spear phishing attacks on business partners and customers of the victim company.

  • Disclosure

    Ransomware attacks that exfiltrate data are no longer “just” malware infections – they’re also data breaches. In the U.S., organizations that have experienced a data breach are required by law to notify government regulators and affected users (although the thresholds and required response vary between states).

  • Increased recovery costs

    Data breaches escalate the already high recovery costs associated with ransomware attacks. Not only do affected organizations have to bear the costs of downtime, loss of productivity and IT infrastructure upgrades, they may also have to pay for data breach lawyers and potential lawsuits from disgruntled customers.

See this blog post for more information on how to mitigate data-stealing ransomware.

History of ransomware

The first documented example of ransomware was the AIDS Trojan, written by Joseph Popp in 1989. Popp, a Harvard-educated evolutionary biologist, distributed 20,000 infected discs to people who had attended a World Health Organization AIDS conference. After an infected system had rebooted 90 times, the malware encrypted the names of all files in the C: directory and instructed the user to send $189 to PC Cyborg Corp via a post office box in Panama if they wished to recover their files. However, the decryption key could be easily extracted from the malware, and thus the AIDS Trojan never posed a serious threat. Popp was eventually caught but was declared unfit to stand trial.

For the next 10 years, ransomware remained largely dormant, although researchers speculated it would return and pose a greater threat. They were correct. The proliferation of the Internet in the early 2000s gave cybercriminals an opportunity to monetize ransomware on a large scale and utilize more robust encryption techniques that were far harder to crack than the rudimentary cryptography used in the AIDS Trojan.

The first true example of crypto ransomware, GPcode, arrived in 2004. Primarily targeting Russian businesses, GPcode encrypted files using weak RSA encryption and demanded users pay a ransom via Yandex, a Russian online payment system similar to PayPal.

2007 marked the arrival of the world’s first prolific screen locker, WinLock. Rather than encrypting files, WinLock locked victims out of their devices, displayed pornographic images and instructed users to send a $10 premium-rate SMS to receive an unlock code. WinLock inspired dozens of copycats, many of which masqueraded as legitimate products and used basic scareware tactics to extort victims.

In 2012, Reveton popularized “law enforcement” ransomware, a new take on screen lockers that preyed on people’s fear of authority and made them question their own innocence. Reveton locked users out of their devices and issued an official-looking document that appeared to have been sent from a legitimate law enforcement authority such as the FBI or Interpol. The document claimed that the device had been used for illegal activity and would be locked until the user paid a fine.

In 2013, CryptoLocker was released and set a new standard for crypto ransomware. Not only did it utilize 2048-bit RSA encryption, but it was also one of the first ransomware variants to be distributed through compromised websites, which were part of the Gameover ZeuS botnet.

In the years that followed, a number of major ransomware outbreaks impacted millions of individuals and businesses around the world, including WannaCry, NotPetya, SamSam and Cerber, among many others.

Toward the end of the 2010s, ransomware groups became more selective with their attacks, shifting their focus from home users to larger targets such as businesses, schools, MSPs and government agencies. As a result, the total number of global ransomware attacks declined, but ransom demands skyrocketed. Ransomware operators also began operating more like professional enterprises, leasing their services to other cybercriminals and providing regular updates to improve their software. At the end of 2019, ransomware groups began stealing data and using it as additional leverage to coerce victims into paying the ransom.

How to prevent ransomware attacks

A proactive approach to cybersecurity can help reduce the risk of a ransomware incident. Organizations of all sizes should adhere to the following best practices:

Cybersecurity awareness training

Because the majority of ransomware spreads through user-initiated actions, organizations should implement training initiatives that teach end users the fundamentals of cybersecurity. Ransomware and its propagation methods are constantly evolving, so training must be an ongoing process to ensure end users are aware of current threats.

Block macros

Many ransomware families are delivered via macro-embedded Microsoft Office or PDF documents. Organizations should review their use of macros, consider blocking all macros from the Internet, and only allow vetted and approved macros to execute from trusted locations.

Credential hygiene

Practicing good credential hygiene can help prevent brute force attacks, mitigate the effects of credential theft and reduce the risk of unauthorized network access.

Email authentication

Organizations can use a variety of email authentication techniques such as Sender Policy Framework, DomainKeys Identified Mail, and Domain-Based Message Authentication, Reporting and Conformance to detect email spoofing and identify suspicious messages.
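To make these mechanisms concrete, here is an added example (not code from the original article or from Emsisoft) of how a mail-filtering script could act on the Authentication-Results header that a receiving server writes after evaluating SPF, DKIM and DMARC. It requires, as DMARC does, that at least one passing mechanism be aligned with the domain in the visible From address. The sample messages, the host names and the two-label shortcut for the organizational domain are assumptions made for illustration.

```python
"""Added example (not from the original article): decide whether an inbound
message should be delivered or quarantined from the Authentication-Results
header that a receiving mail server writes after checking SPF, DKIM and DMARC.

Assumptions: the header comes from our own trusted gateway (any copy the
sender included has already been stripped), and the messages are constructed.
"""
import email
import re
from email.utils import parseaddr


def parse_auth_results(header_value):
    """Return {method: (result, domain)} for the spf/dkim/dmarc clauses."""
    results = {}
    # The first ';'-separated field is the authserv-id; the rest are
    # "method=result [properties]" clauses (RFC 8601 layout).
    for clause in header_value.split(";")[1:]:
        clause = clause.strip()
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause, re.IGNORECASE)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        if method == "spf":      # SPF authenticates the envelope sender domain
            d = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", clause)
        elif method == "dkim":   # DKIM authenticates the signing domain (d=)
            d = re.search(r"header\.d=([\w.-]+)", clause)
        else:                    # DMARC reports on the visible From domain
            d = re.search(r"header\.from=([\w.-]+)", clause)
        results[method] = (result, d.group(1).lower() if d else None)
    return results


def org_domain(domain):
    # Simplification: the last two labels stand in for the organizational
    # domain. Real DMARC alignment consults the Public Suffix List.
    return ".".join(domain.split(".")[-2:]) if domain else None


def assess_message(raw):
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_res, spf_dom = results.get("spf", ("none", None))
    dkim_res, dkim_dom = results.get("dkim", ("none", None))
    dmarc_res, _ = results.get("dmarc", ("none", None))
    # Alignment: a passing SPF or DKIM result only counts if its domain
    # matches the From domain the recipient actually sees.
    spf_aligned = spf_res == "pass" and org_domain(spf_dom) == org_domain(from_domain)
    dkim_aligned = dkim_res == "pass" and org_domain(dkim_dom) == org_domain(from_domain)
    reasons = []
    if not results:
        reasons.append("no Authentication-Results header from gateway")
    if dmarc_res == "fail":
        reasons.append("DMARC fail")
    if not (spf_aligned or dkim_aligned):
        reasons.append(f"no aligned SPF/DKIM pass for {from_domain}")
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": dmarc_res,
        "reasons": reasons,
        "verdict": "quarantine" if reasons else "deliver",
    }


# Constructed sample messages (domains are placeholders).
LEGIT = """\
Authentication-Results: mx.corp.test;
 spf=pass smtp.mailfrom=bounce@example.com;
 dkim=pass header.d=example.com header.s=sel1;
 dmarc=pass header.from=example.com
From: Accounts <invoices@example.com>
To: staff@corp.test
Subject: Invoice 4471

Please find the invoice attached.
"""

SPOOFED = """\
Authentication-Results: mx.corp.test;
 spf=pass smtp.mailfrom=bulk@mailer-host.test;
 dkim=none;
 dmarc=fail header.from=example.com
From: "CEO" <ceo@example.com>
Reply-To: ceo.example@webmail.test
To: finance@corp.test
Subject: Urgent wire transfer

Process the attached payment today.
"""

NO_AUTH = "From: it-helpdesk@example.com\nTo: staff@corp.test\nSubject: Password reset\n\nClick here.\n"

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("no-auth", NO_AUTH)):
        print(name, assess_message(raw))
```

The spoofed sample passes SPF only for the bulk mailer's own domain, so the pass is not aligned with example.com and the message is quarantined even though one mechanism "passed"; this alignment step is what makes DMARC stronger than SPF or DKIM alone.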

Multi-factor authentication

MFA provides an extra layer of security that can help prevent unauthorized access to accounts, tools, systems and data repositories. Organizations should consider enabling MFA wherever possible.

Security patches

Organizations of all sizes should have a robust patch management strategy that ensures security updates on all endpoints, servers, and appliances are applied as soon as possible to minimize the window of opportunity for an attack.

Backups

Backups are one of the most effective ways of mitigating the effects of a ransomware incident. Many strains of ransomware can spread laterally across the network and encrypt locally stored backups, so organizations should use a mixture of media storage, and store backup copies both on- and off-site. See this guide for more information on creating ransomware-proof backups.

System hardening

Hardening networks, servers, operating systems and applications is crucial for reducing the attack surface and managing potential security vulnerabilities. Disabling unneeded and potentially exploitable services such as PowerShell, RDP, Windows Script Host and Microsoft Office macros reduces the risk of initial infection, while implementing the principle of least privilege can help prevent lateral movement.

Network segregation

Effective network segregation helps contain incidents, prevents the spread of malware and reduces disruption to the wider business.

Network monitoring

Organizations of all sizes must have systems in place to monitor possible data exfiltration channels and respond immediately to suspicious activity.
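As an added illustration (not part of the original article) of what monitoring "possible data exfiltration channels" can mean in practice, the script below baselines each internal host's hourly outbound volume from flow records and raises an alert when a window is far above that host's own median, listing any external destinations that are new for the host. The flow records, the 10.0.0.0/8 internal range and the thresholds are constructed assumptions.

```python
"""Added example (not from the original article): a minimal exfiltration
detector over NetFlow-style records. Each internal host's outbound bytes are
bucketed per hour; once a host has a few hours of history, a window that is
far above that host's median triggers an alert.

Assumptions: records are (timestamp, src, dst, bytes) tuples, the corporate
address space is 10.0.0.0/8, and the sample flows are constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
import statistics

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed corporate ranges
MIN_HISTORY = 3                # windows needed before a host gets a baseline
SPIKE_FACTOR = 10              # alert when a window exceeds 10x the median...
ABSOLUTE_FLOOR = 100_000_000   # ...and at least 100 MB, to suppress noise


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hourly_outbound(flows):
    """Return {host: {hour: [bytes, {destinations}]}} for internal->external flows."""
    table = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for ts, src, dst, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue  # only traffic leaving the organization counts
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        entry = table[src][hour]
        entry[0] += nbytes
        entry[1].add(dst)
    return table


def detect_exfiltration(flows):
    alerts = []
    for host, windows in hourly_outbound(flows).items():
        hours = sorted(windows)
        for i, hour in enumerate(hours):
            if i < MIN_HISTORY:
                continue  # not enough history to judge this host yet
            history = [windows[h][0] for h in hours[:i]]
            known_dsts = set().union(*(windows[h][1] for h in hours[:i]))
            baseline = statistics.median(history)
            volume, dsts = windows[hour]
            threshold = max(ABSOLUTE_FLOOR, SPIKE_FACTOR * baseline)
            if volume > threshold:
                alerts.append({
                    "host": host,
                    "window": hour.isoformat(),
                    "bytes": volume,
                    "baseline": baseline,
                    "new_destinations": sorted(dsts - known_dsts),
                })
    return alerts


# Constructed sample: six hours of normal traffic, then a large transfer
# from 10.0.0.5 to an external address it has never contacted before.
NORMAL = [3_000_000, 2_500_000, 4_000_000, 3_200_000, 2_800_000, 3_500_000]
SAMPLE_FLOWS = []
for h in range(8, 14):
    SAMPLE_FLOWS.append((f"2024-03-01T{h:02d}:15:00", "10.0.0.5", "198.51.100.10", NORMAL[h - 8]))
    SAMPLE_FLOWS.append((f"2024-03-01T{h:02d}:20:00", "10.0.0.9", "198.51.100.10", 1_000_000))
SAMPLE_FLOWS += [
    ("2024-03-01T14:05:00", "10.0.0.5", "203.0.113.77", 950_000_000),  # staged archive leaving
    ("2024-03-01T14:10:00", "10.0.0.9", "198.51.100.10", 1_000_000),
    ("2024-03-01T14:12:00", "10.0.0.9", "10.0.0.20", 500_000_000),     # internal copy, ignored
]

if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_FLOWS):
        print(alert)
```

The per-host baseline matters: a 500 MB transfer is routine for a backup server and alarming for a receptionist's workstation, and internal-to-internal flows are excluded so that ordinary file-share traffic does not drown the signal. A production deployment would also treat hours with no flows as zero-volume windows rather than skipping them.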

Penetration testing

Penetration testing can be useful for revealing vulnerabilities in IT infrastructure and employees’ susceptibility to ransomware. Results of the test can be used to allocate IT resources and inform future cybersecurity decisions.

Incident response plan

Organizations should have a comprehensive incident response plan in place that details exactly what to do in the event of infection. A swift response can help prevent malware from spreading, minimize disruption and ensure the incident is remediated as efficiently as possible.

How to respond to a ransomware attack

Organizations that have been hit with ransomware need to be able to respond swiftly and decisively. The following steps can help affected organizations reduce downtime and minimize the risk of complications during the recovery process:

  1. Isolate the infection

    To prevent ransomware from spreading across the network, affected devices must be identified, disconnected and isolated as quickly as possible. It’s important to remember that these devices may not be the source of the infection, which means the ransomware may exist elsewhere on the network. All machines on the network should be scanned and indicators of compromise fully investigated.

  2. Assess the damage

    All suspicious activity should be thoroughly investigated to understand the true impact of the incident. IT teams should aim to build a comprehensive list of all affected systems and devices. Locating patient zero should be a priority, as this will reveal the initial point of infection and may offer clues as to how and where the ransomware has spread.

  3. Create an image of affected machines

    Some ransomware strains are designed to delete encrypted files after a certain amount of time, while others have faulty decryptors that may damage files during the decryption process. Mitigate these risks by creating a backup of encrypted files before moving forward with recovery.

  4. Identify the ransomware

    Identifying the strain of ransomware allows administrators to get a better understanding of the threat and the requirements for effective remediation. Emsisoft offers a free online tool that identifies ransomware strains and provides a free decryption tool if one is available.

  5. Report the incident

    All ransomware incidents should be reported to the authorities as the information provided can help law enforcement agencies gain a better understanding of the threat and enable them to issue alerts with indicators of compromise when appropriate. Disclosing a data breach may be required by law in the U.S. and many parts of Europe.

  6. Restore the system

    Begin restoring from backups, following the procedures set out in the organization’s incident response plan. IT personnel must ensure all devices on the network are clean before reconnecting restored systems, to avoid reinfection.

  7. Search for free decryption tools

    If there is no backup system in place, organizations should explore free decryption tools, which are available for certain ransomware variants. If no decryptor is available, encrypted files should be archived in case a decryptor becomes available in the future.

  8. Evaluate processes

    After the incident has been resolved, organizations should take the time to evaluate their cybersecurity and backup systems. Identify the cause of the initial infection and take steps to address the vulnerabilities involved, which may require staff training and/or technological solutions. Similarly, assess the response to the incident and consider what could be done in the future to strengthen or expedite the recovery process.
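The following added example (not code from the article or from Emsisoft's tools) supports steps 2 and 4 above: it walks a directory tree, flags files whose contents look encrypted (high Shannon entropy and no recognisable file signature), tallies the extensions those files carry and finds ransom notes by filename, producing the inventory an incident responder uses to scope the damage and to look up the strain. The sample tree, the .locked extension and the note name HOW_TO_RECOVER.txt are constructed placeholders, not indicators of any real family.

```python
"""Added example (not from the original article): a triage scan for an
incident responder. Encrypted files have near-uniform byte distributions,
so a high entropy score with no known compressed-format signature is a
useful, if imperfect, indicator of ransomware damage.

Assumptions: the sample tree, extension and note name are constructed.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; text and code sit well below this
KNOWN_MAGIC = {           # legitimately high-entropy formats to leave alone
    b"PK\x03\x04": "zip/office", b"\x1f\x8b": "gzip", b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg", b"7z\xbc\xaf": "7z",
}
NOTE_KEYWORDS = ("recover", "decrypt", "readme", "restore", "how_to")


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path, sample_size=4096):
    with open(path, "rb") as f:
        head = f.read(sample_size)
    if any(head.startswith(magic) for magic in KNOWN_MAGIC):
        return False  # compressed/archive format, high entropy is expected
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def is_ransom_note(name):
    lower = name.lower()
    return lower.endswith((".txt", ".html", ".hta")) and any(k in lower for k in NOTE_KEYWORDS)


def triage(root):
    """Inventory encrypted files, ransom notes and affected directories under root."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_ransom_note(name):
                notes.append(path)
            elif looks_encrypted(path):
                encrypted.append(path)
    extensions = Counter(os.path.splitext(p)[1].lower() or "<none>" for p in encrypted)
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "extensions": extensions,            # appended extension hints at the strain
        "affected_dirs": sorted({os.path.dirname(p) for p in encrypted}),
    }


def build_sample_tree(root):
    """Constructed sample: a plaintext file, a pseudo-encrypted file and a note."""
    folder = os.path.join(root, "finance")
    os.makedirs(folder, exist_ok=True)
    with open(os.path.join(folder, "budget.csv"), "w") as f:
        f.write("month,revenue,cost\n" * 200)
    # Deterministic high-entropy bytes stand in for ciphertext (no real crypto).
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    with open(os.path.join(folder, "budget.xlsx.locked"), "wb") as f:
        f.write(blob)
    with open(os.path.join(folder, "HOW_TO_RECOVER.txt"), "w") as f:
        f.write("Your files are encrypted. (constructed placeholder note)\n")
    return root


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    result = run_demo()
    print("encrypted:", len(result["encrypted_files"]), dict(result["extensions"]))
    print("notes:", result["ransom_notes"])
```

The extension tally and the note text are exactly what a strain-identification service is asked for, and the list of affected directories feeds the damage assessment in step 2. The scan reads each file rather than altering it, which is consistent with step 3's advice to preserve encrypted files until a decryptor is confirmed to work.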

Deciding to pay the ransom

If backups have been damaged or encrypted, or if there is no backup system in place, organizations may be tempted to simply give in to the attackers’ demands and pay the ransom.

While paying the ransom can help reduce disruption and may be cheaper than the cost of downtime, organizations should remember that they are dealing with criminals who are not bound to any rules. Consider the following:

  • Ransomware groups may not provide a decryptor.
  • The provided decryptor may not work or may damage files.
  • Complying can incentivize further attacks as it signals to threat actors that the organization is susceptible to exploitation.
  • Paying the ransom demonstrates the profitability of ransomware schemes, which fuels the ransomware cycle.
  • Ransomware may fund other serious criminal activities such as drug manufacturing and human trafficking.

Both security experts and law enforcement agencies recommend that organizations impacted by ransomware avoid paying the ransom unless it is absolutely necessary.

As the FBI notes:

There are serious risks to consider before paying the ransom. The United States government does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers.

See this blog post for more considerations on whether to pay the ransom.