You might have often heard of people talking about “what is ransomware and how ransomware attacks can cause you data loss?” Well, Ransomware is a kind of malware, which, once active on the computer system demands ransom payment from the victim for regaining access to their system or personal files. After infecting and entering the systems, it will either ‘lock’ the computer to prevent normal usage or encrypt the documents and files on it to restrict access to the saved data.
Once encryption is done, the victim is shown instructions for paying the ransom ranging from a few hundred dollars to thousands, to get the decryption key.
According to the reports, the ransomware threats are kind of cybersecurity vulnerability which is getting more and more sophisticated with time.
So it is important to be aware of them before we are threatened. In this article, we are going to discuss about ransomware attack, its different types, steps involved in causing this attack, remedial actions and the protection measures one can take to prevent it.
What is ransomware attack?
Ransomware is the most common type of malware (a cyber threat) attack using which the attackers invade the computer system of the victim and demands a considerable sum in return of the decryption key, without the which the victim won’t be able to regain access to the files.
Depending on the variant of ransomware the system is infected with, they can also do a variety of malicious activities like disabling the anti-malware software, altering firewall rules, deleting backups, volume shadow copies of files, browser hijacking, etc.
Evolution of ransomware
Do you know that the first ransomware had originated back in the 1980’s when Joseph Popp had programmed a Trojan “AIDS”? And any guess on how payment has been demanded that time and was the trojan successful or not?
There was, of course, no plastic money during those days and so payment was demanded through usual postal services. Unlike now when payments are made using bitcoins or credit cards.
If we look into the recent history of ransomware, new families of this threat have been emerging since 2005. The “Trojan.Gpcoder” family had emerged in May 2005.
The appearance of crypto ransomware had led to the discovery of “Trojan.Cryzip” & “Trojan.Archiveus” in 2006. Around 2008-2009, the cyber-criminals used fake antivirus programs to mislead the victims.
In 2011, the screen locker ransomware emerged which locked the screen and denied access and control of the computer. From 2013 to the present day, the crypto ransomware has been back to the fore with stronger operational and encryption procedures.
Anatomy of the attack – how ransomware work?
It describes the necessary four steps the attacker takes to establish ransomware attacks successfully.
Step 1 – The bait
They can enter the system through email, malicious websites, malicious packaged software, etc. It can also spread through external storage like Dropbox, USB drives, shared storages, etc.
Step 2 – The infection
Once the malware has entered the system, it begins to systematically crawl the file system, typically looking for documents, images, and other files. When the files are found, it encrypts them and deletes the original version.
Step 3 – Ransom notice
Once the encryption process is complete, a warning can be dropped in the form of a text file with instructions on how to send payment to get the key for decrypting the files.
Step 4 – Pay or restore
There are two critical choices, the first one is to pay the ransom and the second choice is not paying the ransom and restoring the files from backup. By the way, paying ransom does not guarantee any future attacks.
Types of ransomware attacks
Now, let’s discuss some of the common types of ransomware.
It is also known as a ‘file encryptor’ ransomware. This kind encrypts the files or folders containing the spreadsheets, pictures, videos or documents.
The files are deleted once encrypted, and a text file is made visible to the user in the same folder with instructions for payment.
All the files may not show a lock sign, but once you try opening it, you may notice a problem. There is no way out other than paying once the cyber criminals get hold of your system.
But again even if the sum is paid, there is no full guarantee of getting the files back.
Lock Screen ransomware
It is also known as the ‘WinLocker’ ransomware. This kind completely locks down the computer screen and demands payment for access.
The victim will be ultimately denied access to the PC. A full-screen image is presented by blocking all other windows. Here the personal files are not encrypted.
Master Boot Record (MBR) ransomware
MBR is a section of your computer’s hard drive that allows the operating system to boot up. So, the MBR ransomware changes the computer’s MBR to interrupt the normal boot process.
When a system is switched on during the boot process, a message is displayed stating the PC is blocked and the hard drives are encrypted. Also, the ransom demand is displayed on the screen instead.
Some significant ransomware attacks of past
Some notable examples of ransomware that one should know includes:
It is also known as ‘police trojan’ which had spread in 2012. This malware didn’t encrypt files but instead blocked internet access. The warning faked to be from law enforcement demanding payment to restore access.
It had emerged in 2013 and is one of the most recognized versions of this attack. It had implemented encryption ransomware technique.
It had offered to give the decryption key only if the payment was made within 72 hours. They had threatened to delete the key if the deadline passed.
It appeared in 2014 and employed more sophisticated attack methods and techniques to hide from anti-malware engines. It had attempted to delete volume shadow copies of files so that the victim is unable to recover the data.
It is the most recent version of this attack where the windows systems were affected by the WannaCry cryptoworm. The cyber-criminals had demanded ransom payment in bitcoin in exchange for the decryption key.
It took place in May 2017 and had spread over 150 countries causing a massive amount of losses.
Now let’s discuss the important part. Isn’t it always better to be secure and safe rather than first falling into the problem and then look for solutions?
- Ensure current OS patches and updated anti-malware or anti-virus software is installed on the systems.
- Enable the email filters to inspect and block suspicious messages.
- Don’t just download and run programs from unknown sources. Do read the instructions carefully before clicking anything.
- Have a good backup system in place beforehand. Apart from system backup options we also have cloud storage solutions now and several online tools also available.
- The firewall should always be turned ‘on.’
- Conduct security risk assessment from time-to-time.
- If any minute malware infection is visible treat it immediately as that can result in a ransomware attack later.
In case your machine is attacked by some ransomware, you should know ways to recover from the attacks or at least lessen the impact.
Paying the ransom
Cybersecurity experts suggest not to pay the ransom, but that may not be a choice always. Let’s say you lack sufficient backups, and if the data is sensitive like HIPAA, Payment card industry data(PCI), personally identifiable information (PII), etc., then you practically have no choice.
You should notify the security team and the regulatory bodies. Then preserving the evidence and calling the legal team for aid as soon as possible.
Isolate the device
Removing the impacted system from the network is quite essential to remove the threat from spreading.
Attempt data recovery
You should try restoring impacted files from backup if possible. It requires confidence, integrity, and reliability of your backups. This process may take some time depending on your backup strategies.
You can buy time while trying to negotiate with the attackers. In the meantime also try to recover from the backup and see if that works.
You may also decide to dispose of all the infected devices and start rebuilding everything from scratch. It is costly and time-consuming.
Over to you on ransomware attacks
Ransomware is a kind of malware, which, once active on the computer system demands ransom payment from the victim for regaining access to their system or personal files.
Once infected, it is near impossible to recover and get your data back unless you have proper backups or you agree to the ransom demands.
The ransomware threats are advancing with time, and so are the current security mechanisms, but ransomware attackers can always get an upper hand.
Ransomware attacks are getting a lot of attention from cybercriminals because huge ransom can be extracted from victims. Hence, it is important to be safe by taking preventive measures else it can always bite us and cause us losses.
Always be careful especially when accessing files and emails from unknown sources.