Ransomware 101: WHAT, HOW, AND WHY
IF YOU ALREADY HAVE RANSOMWARE: UNPLUG YOUR COMPUTER ASAP & REMOVE THE BATTERY IF IT IS A NOTEBOOK. BRING IT IN TO US FOR INSPECTION
Ransomware is not new, yet many users are still hit by it without knowing how their device became infected. The malware may have been downloaded unknowingly from a malicious or compromised website, arrived as an email attachment, or been dropped onto the system by other malware already present. Paying the ransom, however, does not guarantee that the victim will regain access to their files.
Ransomware has been cashing in on unsuspecting victims since the wave of variants first seen in Russia between 2005 and 2006. Those early variants hijacked a user's files by searching for files with certain extensions, compressing them into a password-protected archive and deleting or overwriting the originals. The methods have evolved since: by 2011 we were seeing SMS ransomware variants that prompted users of infected systems to dial a premium-rate SMS number.
Some ransomware evolved from simple scareware into what we now call crypto-ransomware, a more advanced type that goes a step further by encrypting the hostaged files. In late 2013 a crypto-ransomware variant called CryptoLocker appeared; it encrypts the victim's documents and displays a ransom screen demanding payment to unlock them. Because each file is encrypted under a key that only the attacker's private key can recover, removing the malware does not bring the files back. CryptoLocker continued to evolve, adding new tactics to avoid early detection.
In the third quarter of 2014, crypto-ransomware accounted for more than a third of all ransomware found on infected systems, and the share is still growing: data gathered over the last quarter of 2014 shows the proportion of crypto-ransomware variants rose from 19% to more than 30% over the preceding 12 months.
More recently we observed a new variant called TorrentLocker, which targeted nearly 4,000 organizations and enterprises. Since it emerged it has affected users all over the world, locking victims out of their own files unless they pay a hefty ransom.
How does ransomware work?
The nature of an attack depends on the attacker's motives, but the pattern is the same: the criminal writes code designed to take control of a computer and hold the user's data hostage. Once executed, the ransomware does one of two things: (1) locks the computer screen, or (2) encrypts a predetermined set of files. In the first case the infected system shows a full-screen image or notification that prevents the victim from using the machine until a fee, or "ransom", is paid, together with instructions on how to pay it. In the second case the machine stays usable, but documents, spreadsheets and other important files, usually selected by file extension, are encrypted, and a note is left explaining how to pay for the decryption key.
The ransom varies from a token amount to hundreds of dollars. The attacker profits however small the sum, because they make it up in volume across the number of computers they infect. Payment is demanded through online payment methods such as prepaid vouchers or Bitcoin. Some variants raise the price, or threaten to destroy the decryption key, once a deadline passes, so the files stay encrypted even if the malware itself is removed.
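Because file-encrypting variants walk a folder and rewrite, rename or replace the documents they find, one practical early warning is a set of "canary" files that no legitimate program ever touches. The script below is an added example written for this page, not tooling from the shop or from any vendor: it plants two canaries, records their hashes, then mimics the behaviour described above (overwrite one file with random bytes, rename the other, drop a ransom note) and reports what a periodic check would see. The canary names, the `.encrypted` suffix and the note name are assumptions; real variants use their own.

```python
"""Canary-file tripwire: catching crypto-ransomware by watching files that
nothing legitimate should touch.  Added example for this page, not the shop's
own tooling; the canary names, the '.encrypted' suffix and the note name are
assumptions standing in for whatever a real variant uses."""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Names chosen to sort first and last, since many variants walk a folder in
# listing order: the tripwire fires early and again at the end.
CANARY_NAMES = ("!00_invoice.docx", "zz_budget.xlsx")
CANARY_BODY = b"Canary file - do not edit. " * 64   # predictable, low-entropy


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4, ciphertext and random data near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_canaries(root: Path) -> dict:
    """Write the canaries and return the baseline {name: sha256}."""
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        path = root / name
        path.write_bytes(CANARY_BODY)
        baseline[name] = sha256_of(path)
    return baseline


def check_canaries(root: Path, baseline: dict) -> list:
    """Return alert strings; an empty list means the canaries are untouched."""
    alerts = []
    for name, digest in baseline.items():
        path = root / name
        if not path.exists():
            alerts.append(f"missing: {name} (deleted or renamed)")
        elif sha256_of(path) != digest:
            ent = shannon_entropy(path.read_bytes())
            alerts.append(f"modified: {name} entropy={ent:.2f}")
    # New files beside the canaries are suspicious too: variants drop a ransom
    # note, or write the ciphertext to a new name and delete the original.
    for path in sorted(root.iterdir()):
        if path.name not in baseline:
            alerts.append(f"unexpected: {path.name}")
    return alerts


def simulate_attack_and_check() -> list:
    """Plant canaries in a scratch directory, mimic the behaviour the text
    describes (overwrite one file, rename another, drop a note), re-check."""
    root = Path(tempfile.mkdtemp(prefix="canary_"))
    baseline = plant_canaries(root)
    assert check_canaries(root, baseline) == []          # clean before the "attack"
    first, second = (root / n for n in CANARY_NAMES)
    first.write_bytes(os.urandom(len(CANARY_BODY)))      # stand-in for in-place encryption
    second.rename(second.with_name(second.name + ".encrypted"))
    (root / "HOW_TO_DECRYPT.txt").write_text("pay to get your files back")
    return check_canaries(root, baseline)


if __name__ == "__main__":
    for line in simulate_attack_and_check():
        print(line)
```

In practice the check runs from a scheduled task every minute or so and, on any alert, kills the offending process or at least disconnects the machine from the network; the entropy figure on a "modified" line is the tell-tale, since a real document edit does not push a text file to nearly 8 bits per byte.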
How to prevent being a victim
Ransomware is a particularly nasty class of malware: a knowledgeable professional may be able to remove it, but removal does not decrypt the files, so users are far better off avoiding infection by following routine security measures. Remember that in some cases recovery without paying the ransom is not possible, and that is when file backups become the only way out.
Here are a few simple tips on how you can secure yourself from likely attacks:
- Back up your files regularly – the 3-2-1 rule applies: keep three copies of your data, on two different types of media, with one copy stored in a separate location. Keep at least one copy disconnected from the computer, because crypto-ransomware also encrypts files on attached USB drives and mapped network shares, and test that you can actually restore from the backup.
- Bookmark your favourite websites and access them only via bookmarks – attackers register look-alike addresses and plant disguised links in email and search results to steer unwitting users to a site where ransomware is downloaded. Bookmarking frequently visited, trusted sites prevents you from mistyping an address or following such a link. It does not protect against a trusted site that has itself been compromised, which is why the other tips matter too.
- Verify email sources – this can be tricky, but it always pays to be extra careful before opening a link or attachment, especially an unexpected invoice, delivery notice or archive. When in doubt, confirm with the sender by phone or a fresh email (not by replying) before clicking.
- Update your security software – and keep the operating system, browser and plugins patched as well. Security software adds a layer of protection at every possible point of infection: it blocks access to known malicious websites hosting ransomware, and it detects and removes ransomware variants found on the system. Detection after the files have already been encrypted does not bring them back, though, so backups remain your safety net.
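The "verify email sources" tip is easier to follow with a concrete list of what to look for in an attachment. The script below is an added example for this page, not code from the shop or any vendor: it flags the usual tricks, a double extension such as `Invoice.pdf.exe` (Windows hides the final `.exe` by default), a Windows executable renamed to look like a picture, a macro project inside an Office document, and a script hidden in a ZIP. The extension lists and the four sample attachments are constructed for illustration.

```python
"""Attachment triage for the 'verify email sources' advice above.  Added
example, not the page's own tooling; the extension lists and the sample
attachments are constructed for illustration."""
import io
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "zip"}
MACRO_EXTS = {"docm", "xlsm", "pptm"}


def triage_attachment(filename: str, data: bytes) -> list:
    """Return reasons an attachment deserves a phone call before opening.
    An empty list means nothing obviously wrong, not that it is safe."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # 1. Double extension: "Invoice.pdf.exe" shows as "Invoice.pdf" when
    #    Windows hides known extensions.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{ext} hides an executable")
    elif ext in EXECUTABLE_EXTS:
        reasons.append(f"executable type .{ext}")
    # 2. Content check: a Windows PE starts with 'MZ' whatever it is called.
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header (MZ) under a non-executable name")
    if ext in MACRO_EXTS:
        reasons.append(f"macro-enabled Office type .{ext}")
    # 3. Look inside ZIP containers; .docx/.xlsx are ZIPs too.
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    m = member.lower()
                    if m.endswith("vbaproject.bin"):
                        reasons.append(f"VBA macro project inside {filename}")
                    elif m.rsplit(".", 1)[-1] in EXECUTABLE_EXTS:
                        reasons.append(f"executable {member} inside archive")
        except zipfile.BadZipFile:
            reasons.append("corrupt or truncated ZIP container")
    return reasons


def build_zip(members: dict) -> bytes:
    """Construct an in-memory ZIP from {name: bytes} for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a harmless text note, a double-extension fake invoice,
# a macro-laden .docx, and a ZIP carrying a JScript downloader.
SAMPLES = {
    "notes.txt": b"meeting at 10",
    "Invoice_2014.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "Quote.docx": build_zip({"[Content_Types].xml": b"<Types/>",
                             "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "shipping.zip": build_zip({"tracking_info.js": b"var s = new ActiveXObject('WScript.Shell');"}),
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage_attachment(name, body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(name, "->", reasons or ["no obvious red flag"])
```

The content checks matter more than the name checks: renaming a file costs the attacker nothing, but an executable still begins with `MZ` and a macro document still carries `vbaProject.bin`, so a mail gateway or a quarantine script keyed on those bytes is harder to fool than one keyed on extensions alone.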