What is a ransomware attack?
Ransomware is one of the biggest problems on the web right now. It is a form of malicious software, or malware, that encrypts files on a PC and, once inside a company, on any network shares it can reach. Victims can often only regain access to their encrypted files and PCs by paying a ransom to the criminals behind it.
A ransomware infection often starts with someone clicking on what looks like an innocent attachment, and it can be a headache for companies of all sizes if vital files and documents (think spreadsheets and invoices) are suddenly encrypted and inaccessible. But that’s not the only way to get infected.
Cybercriminals didn't always operate this openly. If hackers infiltrated a corporate network, they would do everything possible to avoid detection: it was in their interest that the victim never learned they had been compromised at all.
But now, if you are attacked with file-encrypting ransomware, criminals will brazenly announce they’re holding your corporate data hostage until you pay a ransom in order to get it back.
It might sound too simple, but it’s working: cybercriminals pocketed over €1bn from ransomware attacks during 2016 alone and a Europol report describes it as having “eclipsed” most other global cybercriminal threats in 2017.
How did ransomware evolve?
The earliest ransomware (the 1989 AIDS trojan described below) was a relatively simple construct, using basic cryptography which mostly just scrambled the names of files. Because the key was embedded in the program itself, it was relatively easy to overcome.
But it set off a new branch of computer crime, which slowly but surely grew in reach — and really took off in the internet age. Before they began using advanced cryptography to target corporate networks, hackers were targeting general internet users with basic ransomware.
One of the most successful variants was ‘police ransomware’, which tried to extort victims by claiming to be associated with law enforcement. It locked the screen with a ransom note warning the user they’d committed illegal online activity, which could get them sent to jail.
However, if the victim paid the 'fine', the 'police' would let the infringement slide and unlock the computer. Of course, this had nothing to do with law enforcement; it was criminals exploiting innocent people.
While somewhat successful, these 'lockers' simply overlaid their 'warning' message on the user's display. Removing the malware, often as simple as booting into safe mode and deleting its startup entry, restored access to files which were never really encrypted.
Criminals learned from this, and the majority of ransomware schemes now use strong, correctly implemented cryptography to truly lock down an infected PC and the files on it. Typically each file is encrypted with a freshly generated symmetric key, and that key is in turn encrypted with a public key whose private half only the attackers hold, so neither the victim nor a security vendor can recover the files from the infected machine alone.
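The difference between "easy to overcome" and "no decryption tool exists" (the point made above, and again later about Cerber) is almost entirely key management, not the choice of cipher. The following Go program is an added example, not code from the original article or from any ransomware family it names. It contrasts a key hard-coded in the malware (early samples, recoverable by anyone with a copy of the binary) with a random per-file AES-256-GCM key wrapped under an RSA-OAEP public key whose private half never leaves the attacker. The sample document, key sizes and function names are constructed for the demonstration.

```go
package main

// Added example (not code from the original article). Two key-management
// designs for file-encrypting ransomware:
//   1. legacy: one fixed key inside the binary -> extract it once, decrypt everything;
//   2. hybrid: random key per file, wrapped with the attacker's RSA public key
//      -> without the private key the wrapped key, and so the file, stays locked.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// legacyKey stands in for a key hard-coded in an early sample: a secret in
// name only, because a researcher can read it straight out of the binary.
var legacyKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

// lockedFile is what the hybrid scheme leaves on disk in place of a document.
type lockedFile struct {
	Data       []byte // nonce || AES-GCM ciphertext and tag
	WrappedKey []byte // per-file AES key, encrypted with RSA-OAEP (SHA-256)
}

// gcmSeal encrypts plaintext under key with a random nonce, returning nonce||ciphertext.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// gcmOpen reverses gcmSeal; it fails on a wrong key or any tampering with the data.
func gcmOpen(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// Legacy design: every victim's files use the same embedded key, so whoever
// extracts it from one sample can unlock them all without paying.
func lockLegacy(plaintext []byte) ([]byte, error) { return gcmSeal(legacyKey, plaintext) }
func unlockLegacy(data []byte) ([]byte, error)    { return gcmOpen(legacyKey, data) }

// lockHybrid generates a random AES-256 key for this one file, encrypts the
// file with it, wraps the key with the attacker's public key and then discards
// the plaintext key, so only the wrapped copy survives on the victim's machine.
func lockHybrid(pub *rsa.PublicKey, plaintext []byte) (*lockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	data, err := gcmSeal(fileKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // the only unwrapped copy is now gone
		fileKey[i] = 0
	}
	return &lockedFile{Data: data, WrappedKey: wrapped}, nil
}

// unlockHybrid needs the matching RSA private key to recover the per-file key;
// with any other key OAEP unpadding fails and nothing about the file is learned.
func unlockHybrid(priv *rsa.PrivateKey, lf *lockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key without the attacker's private key: %w", err)
	}
	return gcmOpen(fileKey, lf.Data)
}

func main() {
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048)    // lives only on attacker infrastructure
	someoneElse, _ := rsa.GenerateKey(rand.Reader, 2048) // e.g. a researcher's own key
	doc := []byte("invoice #4471: 12,300.00 due in 30 days") // constructed sample document

	lf, _ := lockHybrid(&attacker.PublicKey, doc)
	_, err := unlockHybrid(someoneElse, lf)
	fmt.Println("hybrid, wrong private key:", err)
	pt, _ := unlockHybrid(attacker, lf)
	fmt.Printf("hybrid, attacker's private key: %q\n", pt)

	ct, _ := lockLegacy(doc)
	pt, _ = unlockLegacy(ct) // anyone holding the extracted key can do this
	fmt.Printf("legacy, key read from binary: %q\n", pt)
}
```

Run it and the hybrid file opens only with the attacker's private key, while the legacy file opens for anyone who has the key from the binary; that asymmetry is what free decryptors exploit when they exist (a leaked or extractable key, or a flawed implementation) and what makes the well-implemented families undecryptable.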
What is the history of ransomware?
The first known ransomware appeared in 1989. Known as AIDS or the PC Cyborg Trojan, the virus was sent to victims — mostly in the healthcare industry — on a floppy disc. The ransomware counted the number of times the PC was booted: once it hit 90, it hid directories and encrypted the names of the files on the machine's hard drive, then demanded the user 'renew their license' with 'PC Cyborg Corporation' by sending €189 or €378 to a post office box in Panama.
What are the main types of ransomware?
Ransomware is always evolving, with new variants continually appearing in the wild and posing new threats to businesses. However, there are certain types of ransomware which have been much more successful than others.
Perhaps the most notorious form of ransomware is Locky, which terrorised organisations across the globe throughout 2016. It infamously made headlines by infecting a Hollywood hospital. The hospital gave in to the demands of the cybercriminals and paid a €17,000 ransom to have its networks restored.
Locky remained successful because those behind it regularly update the code to avoid detection. They even update it with new functionality, including the ability to make ransom demands in 30 languages, so criminals can more easily target victims around the world. Locky became so successful that it rose to become one of the most prevalent forms of malware in its own right.
While not as prolific as it once was, Locky remains one of the most dangerous forms of ransomware, regularly going quiet before reemerging with new attack techniques.
Cryptowall is another form of ransomware which has found great success over a prolonged period of time. Starting life as a doppelganger of Cryptolocker, it has gone on to become one of the most successful types of ransomware.
Like Locky, Cryptowall has regularly been updated in order to ensure its continued success and even scrambles file names to make it harder for victims to know which file is which, putting additional pressure on the victim to pay.
While some ransomware developers — like those behind Locky or Cryptowall — closely guard their product, keeping it solely for their own use, others happily distribute ransomware to any wannabe hacker keen to cash in on cyber-extortion — and it’s proved to be a very successful method for wide distribution.
One of the most common forms of ransomware distributed in this way is Cerber, which infected hundreds of thousands of users in just a single month. The original creators of Cerber are selling it on the Dark Web, allowing other criminals to use the code in return for 40 percent of each ransom paid.
Cerber has become so successful that it has surpassed Locky (which appeared to mysteriously disappear over Christmas, although it reemerged in April with new attack techniques) to become the dominant form of ransomware on the web, accounting for 90 percent of ransomware attacks on Windows as of mid-April 2017.
This particular family of ransomware is constantly evolving, with its developers regularly adding new features to ensure its continued success. Indeed, the cryptography behind Cerber is implemented well enough that there are currently no decryption tools available to help those infected by the latest versions.
But not content with just illicitly making money from ransom payments, Cerber now comes with the ability to steal bitcoin wallet and password information, in addition to encrypting files.
In exchange for giving up some of the profits for using Cerber, wannabe cyber-fraudsters are provided with everything they need in order to successfully make money through the extortion of victims.
Indeed, now some criminal groups offer this type of ransomware-as-a-service scheme to potential users for no cost at the point of entry. Instead of charging a fee for the ransomware code, they want a 50 percent cut of the ransom payments.