In the past, security threats often involved scraping information from systems that could be used for other crimes such as identity theft. Now, cybercriminals have proceeded to directly demanding money from victims by holding their devices—and data—hostage. This type of malware attack in which data is encrypted and victims are prompted to pay for the key, called ransomware, has grown rapidly since 2013.
TechRepublic's smart person's guide about ransomware is a quick introduction to this malware threat, as well as a "living" guide that will be updated periodically as new exploits and defenses are developed.
SEE: Cybersecurity ebook: The ransomware battle (Tech Pro Research)
- What is ransomware? Ransomware is malware that locks a device or encrypts the data stored on it. The hackers demand payment, often via Bitcoin or prepaid credit card, from victims in order to regain access to an infected device and the data stored on it.
- Why does ransomware matter? Because of the ease of deploying ransomware, cybercriminals are increasingly relying on such malware attacks to generate profits.
- Who does ransomware affect? While home users have traditionally been the targets, healthcare and the public sector have been targeted with increasing frequency. Enterprises are more likely to have deep pockets from which to extract a ransom.
- What are the most well-known ransomware attacks? Ransomware has been an active and ongoing malware threat since September 2013. CryptoLocker, Locky, WannaCry, and Petya are some of the most high-profile ransomware attacks to date.
- How do I protect myself from a ransomware attack? Prompt patching and policies that block unknown executables prevent most infections, and a variety of tools developed in collaboration with law enforcement and security firms are available to decrypt files on an infected computer.
What is ransomware?
Ransomware is a type of malware that is characterized by holding device control—and therefore locally stored data—for a ransom, which victims typically pay in Bitcoin or other virtual currencies, though premium SMS messaging and prepaid credit cards are often offered as alternative payment options. Sophisticated ransomware attacks employ disk or file-level encryption, making it impossible to recover files without paying the ransom demanded by the hackers.
Historically, ransomware has invoked the image of law enforcement to coerce victims into paying—displaying warnings such as the FBI logo and a message indicating that illegal file sharing has been detected. More recently, the authors of ransomware payloads clearly indicate that a device has simply been hacked.
Ransomware attacks are typically propagated through file-sharing networks, but have also been distributed as part of a malvertising campaign on the Zedo ad network, as well as through phishing emails that disguise the payload as maliciously crafted images or as executables attached to emails. WannaCry, perhaps the most well-known single ransomware attack, uses a flaw in Microsoft's SMB protocol, leaving any unpatched, internet-connected computer vulnerable to infection.
- Infographic: The 5 phases of a ransomware attack (TechRepublic)
- Video: How ransomware and file-less cyber-attacks proliferate (TechRepublic)
- Download: Ransomware—An executive's guide to one of the biggest threats on the web (TechRepublic)
- Easy to carry out, difficult to fight against: Why ransomware is booming in 2016 (ZDNet)
- New ransomware skips files, encrypts your whole hard drive (ZDNet)
- Infographic and interview: The explosion of cybercrime and how to protect your business (TechRepublic)
Why does ransomware matter?
For cybercriminals, ransomware provides a very straight line from development to profit, whereas the comparatively manual labor of identity theft requires more resources. As such, the burgeoning growth of ransomware can be attributed to the ease of deployment and a high rate of return relative to the amount of effort put forth.
Many ransomware attacks leverage known vulnerabilities, so original research is not required of cybercriminals. The WannaCry attack is a special case—it leverages two exploits named EternalBlue and DoublePulsar. These exploits were discovered and used by the NSA, and the existence of these vulnerabilities was disclosed by The Shadow Brokers, a group attempting to sell access to a cache of vulnerabilities and hacking tools developed by the US government.
For IT professionals, the risk of a ransomware infection extends beyond desktops and notebook workstations, and has historically included smartphones and other connected computing devices, such as Synology NAS products and Android TV devices. While home users were traditionally the targets of ransomware, business networks have been increasingly targeted by criminals. Additionally, servers have become high-profile targets for malicious ransomware attackers, as unpatched, internet-connected systems are easy targets.
- Video: 3 crucial issues businesses don't understand about ransomware (TechRepublic)
- The future of cyberwar: Weaponised ransomware, IoT attacks and a new arms race (TechRepublic)
- Former US security advisor: Cyberattacks damage society as much as physical infrastructure (TechRepublic)
- Skyrocketing Android ransomware has quadrupled over past year, says new report (TechRepublic)
- Ransomware is now the biggest cybersecurity threat (ZDNet)
- Throwing money at the problem? Security tech spending reaches $82bn a year (ZDNet)
- CEOs' pay should be slashed if firms fail to protect against online attacks (ZDNet)
- Create a security culture framework to protect against threats (Tech Pro Research)
Who does ransomware affect?
According to NTT Security's 2017 Global Threat Intelligence Report, 28% of ransomware attacks targeted businesses and professional service firms over the last year. 19% of attacks targeted government and public sector employees, with healthcare service providers accounting for 15% of ransomware attacks. Enterprises are particularly appealing targets for these malware attacks. While larger organizations have deeper pockets to pick from, they are more likely to have robust IT operations with recent backups to mitigate any damage and avoid paying the ransom.
Ransomware attacks are generally quite successful for cybercriminals, as victims often pay the ransom. Specifically targeted attacks may result in increasingly higher ransom demands, as malicious attackers become more brazen in their attempts to extort money from victims.
However, "false" ransomware attacks—in which attackers demand a ransom, though files are deleted whether users pay or not—have also recently become widespread. Perhaps the most brazen (though unsuccessful) of these is a KillDisk variant that demands a $247,000 ransom, though the encryption key is not stored locally or remotely, making it impossible for files to be decrypted if anyone were to pay the ransom.
- Report: SMBs paid $301M to ransomware hackers last year (TechRepublic)
- Ransomware: These four industries are the most frequently attacked (ZDNet)
- Report: 99% of ransomware targets Microsoft products (TechRepublic)
- Report: Ransomware attacks grew 600% in 2016, costing businesses $1B (TechRepublic)
- Android ransomware up more than 50%, locking users' devices until they pay (TechRepublic)
- Ransomware rises to strike almost 40 percent of enterprise companies (ZDNet)
- A troubling trajectory of malware and ransomware targeting OS X and iOS (TechRepublic)
- Businesses beware: the 'industrial internet of things' is a prime target for cyberattacks (TechRepublic)
- Cybersecurity spotlight: The critical labor shortage (Tech Pro Research)
- Computer Hacking Forensic Investigation & Penetration Testing Bundle (TechRepublic Academy)
What are the most well-known ransomware attacks?
While the first rudimentary ransomware attack dates back to 1989, the first widespread encrypting ransomware attack was CryptoLocker, which was deployed in September 2013. Originally, victims of CryptoLocker were held to a strict deadline to recover their files, though the authors later created a web service that can decrypt systems for which the deadline has passed at the hefty price of 10 BTC (as of December 12, 2017, the USD equivalent of 10 Bitcoin, or BTC, is approximately $169,339).
While the original CryptoLocker authors are thought to have made about $3 million USD, imitators using the CryptoLocker name have appeared with increasing frequency. The FBI's Internet Crime Complaint Center estimates that between April 2014 and June 2015, victims of ransomware paid over $18 million USD to decrypt files on their devices.
Locky, another early ransomware attack, has a peculiar tendency to disappear and reappear at seemingly random intervals. It first appeared in February 2016, and stopped propagating in December 2016, only to reappear again briefly in January and April of 2017. With each disappearance, the creators of Locky appear to be refining the attack. The Necurs botnet, which distributes the Locky attack, appears to have shifted to distributing the related Jaff ransomware. Both Locky and Jaff automatically delete themselves from systems with Russian selected as the default system language.
The WannaCry attack, which started on May 12, 2017, was stopped three days later when a security researcher identified and registered a domain name used for command and control of the payload. The National Cyber Security Centre, a division of GCHQ, identified North Korea as the origin of the WannaCry attack.
Petya, also known as GoldenEye, was first distributed via infected email attachments in March 2016; like other ransomware attacks, it demanded a ransom to be paid via Bitcoin. A modified version of Petya was discovered in May 2016; it uses a secondary payload if the malware is unable to obtain administrator access.
In 2017, a false ransomware attack called NotPetya was discovered. NotPetya was propagated through the software update mechanism of the accounting software MeDoc, which is used by about 400,000 firms in Ukraine. While Petya encrypts the MBR of an affected disk, NotPetya also encrypts individual files, as well as overwrites files, making decryption impossible.
Like WannaCry, NotPetya also uses the NSA-developed EternalBlue exploit to propagate through local networks. Compared to Petya, the cheaper ransom that NotPetya demands, combined with the single Bitcoin wallet victims are instructed to use, suggests that the aim of that attack was to inflict damage rather than generate profits. Given that the affected organizations are almost entirely Ukrainian, NotPetya can be inferred to be a cyberwarfare attack.
- The top 10 worst ransomware attacks of 2017, so far (TechRepublic)
- Locky ransomware used to target hospitals evolves (ZDNet)
- Locky ransomware: Why this menace keeps coming back (ZDNet)
- Petya ransomware: Where it comes from and how to protect yourself (TechRepublic)
- Ukraine cybersecurity conference highlighted new threats a week before the Petya ransomware attack (TechRepublic)
- How the GoldenEye/Petya ransomware attack reveals the sorry state of cybersecurity (TechRepublic)
- Why patching Windows XP forever won't stop the next WannaCrypt (TechRepublic)
- "WannaCry" ransomware attack losses could reach $4 billion (CBS News)
- Study finds cybersecurity pros are hiding breaches, bypassing protocols, and paying ransoms (TechRepublic)
- Ransomware's next target: Anything that's connected (CBS News)
- Wildfire ransomware code cracked: Victims can now unlock encrypted files for free (ZDNet)
- Ransomware 2.0 is around the corner and it's a massive threat to the enterprise (TechRepublic)
- Ransomware-as-a-service allows wannabe hackers to cash-in on cyber extortion (ZDNet)
- Ransomware-as-a-service is exploding: Be ready to pay (TechRepublic)
- TeslaCrypt no more: Ransomware master decryption key released (ZDNet)
- Why antivirus programs have become the problem, not the solution (TechRepublic)
How do I protect myself from a ransomware attack?
Ransomware is often spread in file-sharing networks or on websites that purport to provide direct downloads. Other traditional attack vectors have also been used, such as email attachments or malicious links.
There are ways to protect against a potential ransomware infection. For enterprise workstation deployments, using Group Policy to prevent executing unknown programs is an effective security measure for ransomware and other types of malware.
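As an added example (not code from the article or from TechRepublic), the following PowerShell builds the kind of allow-list policy the paragraph refers to, using Windows AppLocker in audit mode so that hits can be reviewed before enforcement is switched on; the policy file path, the sample executable location and the GPO LDAP path are assumptions or placeholders.

```powershell
# Added example: AppLocker allow-list that only permits executables from locations
# standard users cannot write to. Run from an elevated PowerShell on Windows.
$policyPath = "$env:TEMP\applocker-allowlist.xml"   # assumed location

# Rule IDs are constructed GUIDs. S-1-1-0 is the well-known "Everyone" SID,
# S-1-5-32-544 is the built-in Administrators group.
@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Allow Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Allow Windows"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Allow Administrators"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: copy a known-good binary into a user-writable folder (where a phishing
# attachment or drive-by download would land) and ask how the policy would treat it.
# Expected PolicyDecision for "Everyone": Denied, because no allow rule covers %TEMP%.
$sample = "$env:TEMP\applocker-test\sample.exe"   # constructed sample path
New-Item -ItemType Directory -Path (Split-Path $sample) -Force | Out-Null
Copy-Item "$env:WINDIR\System32\calc.exe" -Destination $sample
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule

# AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# Apply locally in audit mode (nothing is blocked yet). For a domain, point -Ldap at
# the Group Policy object instead; the GPO GUID and domain below are placeholders.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap "LDAP://CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com"

# Event 8003 = "would have been blocked" in audit mode (8004 = blocked once enforced).
# Review these before changing EnforcementMode to "Enabled" in the policy XML.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Path rules are only as strong as the folder permissions behind them: any user-writable directory beneath Program Files or Windows (for example a temp folder) needs an explicit deny rule or the allow-list can be bypassed.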
SEE: Download—17 tips for protecting Windows computers and Macs from ransomware (TechRepublic)
Ensuring that all devices on your network receive regular and prompt security patches is the biggest defense against any hacking attempt, including ransomware. A sane device lifecycle is also important for network security—outdated systems running unsupported operating systems such as Windows XP have no place on an internet-connected network. Despite this, due to the severity of WannaCry, Microsoft released a patch for Windows XP.
The No More Ransom project—a collaboration between Europol, the Dutch National Police, Kaspersky Lab, and McAfee—provides victims of a ransomware infection with decryption tools for dozens of widespread ransomware types, including Jaff and TeslaCrypt.
- How to avoid ransomware attacks: 10 tips (TechRepublic)
- Windows 10 Fall Creators Update: Be proactive and turn on ransomware protection (TechRepublic)
- Not sure which ransomware has infected your PC? This free tool could help you find the right decryption package (ZDNet)
- Ransomware: This free tool lets you decrypt files locked by a common version of the malware (ZDNet)
- Ransomware: The most important thing you can do not to be a victim (TechRepublic)
- The ransomware debate: Should you pay to get your data back? (TechRepublic)
- Ransomware: To pay or not to pay (TechRepublic)
- RansomWhere? review: Ransomware prevention app for Macs (TechRepublic)
- Ransomware attack: The second wave is coming, so get ready now (ZDNet)
- Why SMBs are at high risk for ransomware attacks, and how they can protect themselves (TechRepublic)
- How to mitigate ransomware, DDoS attacks, and other cyber extortion threats (TechRepublic)
- 4 ways to reduce your chances of getting caught by malvertising (TechRepublic)
- Video: Ransomware — How to defend yourself against it (CNET)
- Kaspersky Lab offers free anti-ransomware tool for Windows (ZDNet)
- This initiative wants to help ransomware victims decrypt their files for free (ZDNet)
- I infected my Windows computer with ransomware to test RansomFree's protection (TechRepublic)
James Sanders is a Tokyo-based programmer and technology journalist. Since 2013, he has been a regular contributor to TechRepublic and Tech Pro Research.