Ransomware. To some, it still sounds like a plot in a futuristic thriller but gone are the days when a ransom was typically a monetary demand made in exchange for a kidnapped person’s safety (Or a pet’s! What would you pay for the release of Fluffy?). In this digital day and age, it’s more likely to be your data that’s at risk. So, what is this digital hostage-taker exactly, how does it work and, most importantly, how can you protect yourself? Plus, what does it have to do with a certain evolutionary biologist in the late 1980’s? We have the answers to your most pressing ransomware concerns.
Getting up close and personal: What is ransomware?
As the name suggests, ransomware is a type of malware that blocks users from accessing their files or even entire operating system until a ransom is paid. It locks the system’s screen or encrypts files until you do as it demands. If you’re a victim, you’ll receive a ransom note informing you that you must pay a certain amount of money—often in Cryptocurrencies—to free your system or data. There’s usually a deadline for completing the payment and if you fail to meet it, the cyber attackers could permanently delete your files or make them public. Sadly, even if you do pay the ransom, there’s no guarantee whatsoever you’ll be given the decryption key to regain access to your data. Honesty is not always the best policy among thieves…
Did you know that ransomware has a founding father? The first documented case was the 1989 AIDS Trojan. Evolutionary biologist Joseph L. Popp sent 20,000 floppy disks labelled “AIDS Information—Introductory Diskettes” to attendees of the World Health Organization international AIDS conference. These were infected with a Trojan which encrypted files on the computer and to regain access, the user had to send $189 to a P.O. box in Panama. Dr. Popp was caught but, after he started wearing a cardboard box on his head, was declared unfit to stand trial. (Sadly, a cardboard box hat is not a ransomware defense—more on that later).
What does ransomware do and how does it deploy?
All ransomware behaves slightly differently, but broadly speaking, it falls into two categories: locker ransomware and encrypting ransomware. As the name suggests, the first locks the victim out of their operating system so they can’t access their desktop, plus any apps or files. The latter uses advanced encryption algorithms to block system files and is generally the more common of the two, but the result is the same: The victim is locked out and receives a ransom demand for the release of their system or data.
The following infection methods are the most popular choices for cyber criminals. Remember: They look for the easiest access via back doors. They also love users who aren’t cyber-security savvy and unwittingly help them achieve their goals. Look out for:
- Email attachments: These malicious attachments in seemingly innocent emails can be delivered in a variety of formats, including a ZIP file, PDF, Word document, Excel, and more. Once the attachment is opened, the ransomware may be deployed immediately. Sometimes the cyber attackers wait days or even longer—as was the case in the Trickbot attacks, where ransomware was initially delivered by a banking trojan. These emails are often well-crafted, so they look highly credible. After all, the more legitimate it looks, the more likely you are to open that attachment.
Consider this worst-case scenario: A University of Vermont Medical Centre employee opened an infected emailed file, which led to the state’s largest hospital cancelling surgeries and delaying some cancer treatments.
- Malicious URLs: These links are inserted into emails, social media posts, and even SMS messages. To trigger action from the reader, the messages usually evoke a sense of outrage, urgency, or mystery. Has a kitten been dumped in a dustbin? Click on the link at your peril: It could trigger a ransomware download (but thankfully, maybe no animal was harmed).
- Drive-by downloads: It starts so innocently. You visit a trusted website, not realizing that malicious code has been injected into it. This starts scanning your device for security vulnerabilities… and bam! Once it spots a weakness, like an outdated app, it infiltrates the system and takes control. Job done.
- Malvertising: Online ads can be more than annoying—they may harbor malicious code, courtesy of scammers who purchase ad space on legitimate websites and then submit infected images. It’s difficult to distinguish good from damaging ads so users won’t realize that they’ve been redirected to a malicious site once they click on the ad. On the site, malicious code will then worm its way into the system.
- Remote Desktop Protocol exploitations: If you work from home for a company, chances are that you log in remotely via the corporate portal. This communications protocol is called RDP (Remote desktop protocol). Cyber criminals scour the internet for computers with exposed ports (connections). They then attempt to gain access to the machine via its security vulnerabilities or by using brute force attacks to crack its login credentials.
- USB drives: Don’t be that member of staff who unknowingly plugs in an infected USB device. This can lead to ransomware encrypting not just your local machine but potentially spreading across the network. While older strains of ransomware were only capable of encrypting the single machine they infected, advanced variants these days are self-propagating, so they can move laterally to other devices on the network. Successful attacks can cripple entire organizations—not something you want on your CV.
- Pirated software: Unlicensed software is lurking everywhere, but it may be laced with ransomware, as was the case with the STOP/Djvu plague that started in 2018 and is now experiencing a resurgence. Unless you want a ransom note demanding payment in Bitcoin for the release of your files, only download clean, genuine software straight from the manufacturer!
Tips on how to help protect yourself from this list of usual ransomware suspects can be found at the end of this blog, so leap there now or simply keep reading…
The industries cyber attackers love to hit, plus top ransomware examples
Cyber attackers generally choose where they can expect maximum financial gain, but if you think you or your business are too small to matter, think again. Ransomware can be used against all kinds of organizations in both the private and public sectors—it’s not just 50,000-person enterprises. The following areas are typically top targets: Education (including schools, colleges, and universities), healthcare, business and legal services, retail, government, IT, manufacturing, and energy/utilities.
Confidential data tends to be lucrative for ransomware hackers because organizations are desperate to get it back. That’s why schools and hospitals are popular targets—they collect loads of sensitive data. Consider the attacks against Ireland’s national health service in 2021. Criminal gang, Wizard Spider, disrupted services and reportedly asked for $20m (£14m) to restore them. It resulted in a near shutdown of networks and appointments in some areas dropped by up to 80%.
Similarly, professional services, such as legal and consulting services, tend to house a treasure trove of confidential info. Plus, they may lack adequate cyber security, making them easy targets. Even giants aren’t immune, as this cyber attack on the manufacturing industry illustrates: In 2021, ransomware gang REvil compromised Taiwan-based PC manufacturer Acer’s network and made one of the largest ransom demands on record: $50 million. It’s not known if the company paid the ransom. And in 2022, Toyota and their main supplier were hit by cyber attacks, apparently causing a 5% dip in monthly production.
Spare a thought for the Costa Rica government—it’s the first time a country was forced to declare a national emergency in response to a cyber attack. Ransomware group Conti demanded $10 million (later increasing it to $20 million), plunging the country’s ministry of finance, the healthcare system, and even import/exports into disarray. Some experts believe the cyber attack could herald the dawn of a new ransomware era.
Now you know all about it, how do you protect yourself from ransomware?
First, take a long, hard look at your devices. Are they old and running outdated software? Are browsers and operating systems out of date? Is a backup plan missing? If you answered “yes” to any of the above, you may be at risk of falling victim to ransomware. With more than 35 years of online security experience, Avira can help. Its free Software Updater is designed to update software and drivers and helps ensure all updates are clean. Avira Free Antivirus is packed with ransomware protection features. It also helps protect your device and data from a range of online threats, including adware, spyware, trojans, and more. Always make sure your precious data is backed up—either on an external hard drive or with safe, clean backup software.
Never forget that careful action on your behalf is essential. Don’t be your own worst enemy!
- Never click on unsafe links in messages, websites, or on social media.
- Don’t open email attachments unless you know that the source is trustworthy. Check closely that the sender’s email address is correct by hovering over it.
- Never connect media like USB sticks to your device unless you know where they came from.
- Only use verified download sources for software or media files.
- Always use a VPN like Avira Phantom VPN on public Wi-Fi networks. This helps encrypt your online communications to improve your online privacy and security.
For even greater peace of mind, Avira also offers an extensive array of cyber-security features as a convenient monthly subscription. Find out more about the premium service, Avira Prime, here.
To pay or not to pay? What to do if you’re infected
Oh dear. We’re all human and mistakes happen. Your device has been infected with ransomware and your files have been encrypted… what now? According to the experts at the No More Ransom Project, “The general advice is not to pay the ransom. By sending your money to cyber criminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return”. No More Ransom is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, and cyber security software providers. It aims to help victims of ransomware retrieve encrypted data without paying the criminals.
Upload your encrypted files to the website here and provide details of the ransom demand in the space provided. Best of luck!