Ransomware: The Complete FAQ

Phishing

Ransomware is destructive – and potentially devastatingly effective. Learn what ransomware is, how it works, some of the most well-known ransomware types and what to do if you find yourself a victim of a ransomware attack.

What is Ransomware?

Ransomware is a type of malicious software designed to block a user’s access to – or take control of – a computer, network, files, etc. It is from the crypto virology strain of malware, meaning the virus uses encryption to prevent users from accessing what has been infected. As the name ransomware suggests, the cybercriminals demand a ransom in return for the decryption key. As a tool used in cybercrime, ransomware can be devastatingly effective. It has widely been cited as the number one cyberthreat, both to businesses and individuals. A ransomware attack could be something broad, like attacking a school district’s systems, or something pertaining to an individual, like encrypting your personal photos and threatening to publish them. Estimates vary, but some estimates put the cost of ransomware attacks at around $20 billion – and that figure is expected to rise in the coming years.

Ransomware vs. Malware

Ransomware is a type of malware. The latter is a broad term used to describe any type of malicious software designed to disrupt a computer, files, server, or network. These include viruses, worms, spyware, adware, and ransomware. As a specific type of malware, ransomware, which is usually encryption-based, is designed to block access to a computer or data. If your computer is not properly protected, all types of malware can be a problem. However, ransomware has become the cybercriminals’ weapon of choice in the last several years.

Is Ransomware a Virus?

The term virus has been widely used as a catch-all term to describe malicious software installed on a computer. However, viruses are but one subset of malware, which can also include worms and Trojans. As such, ransomware isn’t technically a virus, although it can be implemented as one. If that all sounds confusing, think of it this way: Ransomware can be spread by a virus, as well as worms and Trojans, but it is not a virus itself. Some research shows that the most common way of spreading ransomware is through Trojan malware. As the name suggests (it’s taken from the story of the Trojan Horse), the ransomware program lies hidden (perhaps inside a file or within a link) waiting to be activated.

How Does Ransomware Work?

There are basically three stages of a ransomware attack:

Stage 1: Access

This is the point where the ransomware gains access to a target system. This could be caused by clicking a link in a phishing email, or by hackers taking remote access after stealing passwords, or it could be a direct attack on a network’s vulnerabilities, as was used by the WannaCry hackers. These entry points are called infection vectors, and hackers can use individual options or a combination. There are even examples of ransomware groups brazenly trying to bribe employees to install ransomware. It’s worth noting that one of the main attack vectors of ransomware is achieved through social engineering. This is a type of manipulation where cybercriminals coerce individuals to unwittingly do something – like click a malicious phishing link – that installs the ransomware. Some ransomware even has built-in social engineering capabilities that trick the user into granting it administrative access. Using software with anti-phishing protection can help eliminate these social engineering threats, alongside educating yourself and your family on how to spot social engineering scams.

Stage 2: Encryption

This is the point where the ransomware will start encrypting files. One of the reasons ransomware is so effective is that it is often “smart,” carefully selecting the correct files so that the system can still operate. As mentioned, ransomware can lie in wait for a long time, waiting for the opportune moment to encrypt what it wants. It can also take steps to delete backups and other copies of files, making the decryption key seem like the only possible route to get them back. This gives the hackers more leverage for the ransom demands (see below).

Stage 3: Ransom

This is the point where the hackers make their demands. You suddenly find that you are locked out of your computer, or certain files. One of the common ways this appears is through a ransom note on your screen, explaining what you must pay to get the decryption key. Recently, demands in bitcoin have been very common, as the cryptocurrency offers some level of anonymity. The tactics used here are often clever, with hackers sometimes asking for relatively small sums of money, making the user more likely to pay. Of course, the ransom demands will be a lot higher for a business. Nevertheless, the majority of people pay the ransom (58%, according to some studies). But here’s the kicker: The cyberhackers often don’t decrypt the files anyway. Sadly, evidence quoted by Forbes says that 92% of those who do pay the ransom don’t get their data back.

How Does Ransomware Encryption Work?

Ransomware uses a type of cryptography called asymmetric encryption. In the simplest terms, it selects what it wants to encrypt by using a public key generated from another computer. This (the ransomware group’s) computer will hold the private key, which is needed to decrypt the files. It is possible to decrypt without that private key, but it is very difficult and might even cost more than the ransom. That’s one of the reasons ransomware has become so popular among cybercriminals – victims often simply give up and pay.

How Many Ransomware Variants Are There?

In short, a lot. Broadly speaking, there are two main types of ransomware – Locker and Crypto. The former locks users out of a device by blocking access to the interface. Crypto ransomware encrypts files. But within these two broad types of ransomware, there are many different strains. Moreover, new types of ransomware attacks are becoming more common. Double extortion ransomware, for example, has been created to combat organizations’ increased security measures since the high profile WannaCry and NoPetya attacks of the late 2010s, which prompted many businesses to use new backup measures. It acts both to encrypt the files and exfiltrate them, meaning the hackers can leak sensitive data if the ransom is not paid. There’s also the worrying trend of RaaS (Ransomware as a Service), a type of ransomware for hire that any criminal can use to launch a sophisticated attack.

What To Do in the Event of a Ransomware Attack?

There are several steps* you should follow when hacked by ransomware:

*Please note that this is a general guide and that different types of ransomware attacks will require different steps to mitigate the threat. If you are unsure about what to do, contact a cybersecurity professional before you do anything as your actions might make the problem worse. And remember that the best way to deal with a ransomware attack is by stopping it before it happens by using advanced anti-ransomware protection.

Step 1: Identify and Isolate the Impacted Systems

The first action is to prevent the ransomware from spreading. If it’s just one computer, then disconnect it from all power. Unplug it from the wall, remove the battery. If it’s several systems, take the network offline and turn off Wi-Fi. Determine the scale of the problem and try to isolate it as much as possible. If rebooting systems, remember to switch on to Safe Mode.

Step 2: Secure Backups

While backups are not immune to ransomware and are often targeted as part of the attack, make sure backups are secure and disconnect them from the network or lock down access to backup storage.

Step 3: Quarantine Ransomware and Identify Patient Zero

This is an important aspect of ransomware recovery, and it should be left to cybersecurity professionals. Quarantining – as opposed to trying to remove ransomware – is important as it helps identify the strain and can provide information on vulnerabilities, i.e., the source of the infection (patient zero).

Step 4: Dealing with the Ransom

We have more detailed information on whether you should pay a ransomware demand below. But to begin with, you should always report the attack to the authorities. It might help if you take photos of the ransom demands. But rather than deal with the hackers, you should take the advice of police and specialized cybersecurity teams.

Can I Decrypt Hacked Files?

If you are not protected, then you are going to have a lot of difficulties decrypting files. As we have mentioned before, ransomware is popular with cybercriminals as, put simply, it yields results. And we should also stress that removing ransomware does not mean your files will be decrypted. You might have options to restore your systems backups once the ransomware has been removed, but many ransomware attacks target backups too.

Should I Pay Ransomware Hackers?

The short answer is no. There are numerous reasons for this, including the fact that paying the ransom could be deemed illegal as it is funding organized crime. Moreover, paying will further propagate the idea that ransomware is profitable for cybercriminals. But on a more personal note, remember that paying the ransom is no guarantee that you will get the decryption key and access to your data. And even if the hackers do provide it, the key might not work.

Can ransomware spread through USB?

Yes. Ransomware can be spread through any type of device that connects physically to your computer or smartphone. In fact, several types of ransomware have been known to be specially adapted to spread using a USB drive. This includes Try2Cry Ransomware, a new family of ransomware discovered in the summer of 2020.

Why does ransomware use Bitcoin?

There are several reasons why ransomware attackers demand Bitcoin. First and foremost, Bitcoin is very valuable, with a single token worth around $22K at the time of writing. In addition, it’s one of the most widely used and accessible cryptocurrencies. Bitcoin also offers hackers some protection in terms of the anonymity of Bitcoin wallets. However, contrary to some perceptions, Bitcoin is traceable, as transactions are publicly accessible on the blockchain. Hackers have various means to launder their Bitcoin after the ransom has been paid, including the use of “cryptocurrency mixing” tools like Tornado Cash.

Can ransomware spread through a network?

Yes. There are many ways for ransomware to enter a device or network, including through the downloading of malicious apps, portable devices like USBs, PDF files, emails and so on. But once the ransomware is in there, it can spread through the network. For example, ransomware can potentially spread across a business Wi-Fi network, meaning it can potentially reach any computer, smartphone or system linked to the network.

Can ransomware attack Android devices?

Yes. Android devices are much more likely to be attacked by ransomware compared to iOS (Apple) devices. There are several reasons for this, including the fact that Android is open-source software, whereas iOS is (largely) propriety software. In addition, Apple is much tighter in its controls of what apps can be listed in the App Store compared to Google Play (Android). As such, many types of malware, including ransomware, are created specifically to target Android devices.

Can ransomware be detected?

Yes, although cybercriminals are constantly testing ransomware that can hide and evade standard checks until it’s too late. One of the reasons we recommend adding a trusted anti-ransomware solution to protect your devices is that there is a need not only to detect ransomware – but to detect it early. This allows the user to catch the ransomware before the – potentially irreversible – damage is done.

Is ransomware a cyber-crime?

Yes, and it’s one of the most prevalent, destructive, and costly of cyber-crimes. Forbes recently reported that two out of three organizations suffered ransomware attacks in 2021. And the same report showed that the average ransomware payment was over $800K. Sadly, while ransomware attacks are considered criminal, only a few significant arrests are ever made.

Is ransomware self-replicating?

Some types of ransomware can be considered self-replicating, which means that, like a virus, the ransomware spreads through different networks and devices. Self-replicating ransomware first became mainstream in the mid-2010s. The WannaCry Virus – arguably the most infamous ransomware family – is one well-known example of self-replicating ransomware.

Is ransomware still a threat??

Yes. And some experts still consider ransomware to be the number one online threat. Experts vary in their estimates of how much ransomware costs businesses each year, but some put the figure as high as $170 billion. Moreover, some cyber-security analysts believe the threat of ransomware will continue to grow in the 2020s and beyond.

List of Ransomware

As mentioned previously, there are many different types of ransomware, many of which evolve and overlap. Some of the important strains and types of attacks are listed below:

AIDS Trojan – one of the earliest identified types of ransomware, created by Dr. Joseph Pop back in 1987.

WannaCry – arguably the most famous type of ransomware worm, which infected outdated versions of Microsoft Windows in 2017.

Petya – a type of ransomware that overrides the computer’s MBR (Master Boot Record), Petya was first discovered in 2016. Another strain, NotPetya, emerged a year later.

Locky – a type of ransomware that spread by email posing as an invoice. It was also discovered in 2016.

Ryuk – famous for its sophistication and the fact it targeted big business, Ryuk made millions of dollars for the cybercrime group Wizard Spider, which was behind the attacks.

Cerber – this ransomware attacked cloud-based Microsoft 365 users and had one of the most sophisticated phishing campaigns as an infection vector.

CryptoLocker – often cited as the father of modern ransomware, CryptoLocker came to prominence in 2013 and unleashed a new zeal for ransomware among cybercriminals.
Several similar variants like CryptoWall have emerged to replace it in recent years.

GoldenEye – similar to Petya, GoldenEye ransomware benefitted from an elaborate campaign to target businesses’ HR departments.

XingLocker – a type of ransomware-as-a-service, XingLocker first appeared in May 2021. It is now listed as one of the most common ransomware threats in 2022.

DarkSide – another type of ransomware that gained prominence in 2021, DarkSide ransomware is linked to the hacker group of the same name that claimed responsibility for the Colonial Pipeline ransomware attack of 2021.

Lapsus – Lapsus, sometimes referred to as Lapsus$, is one of the newest ransomware groups. Its most notable attack so far came against Nvidia, the US software and graphics card company. The Lapsus group was also behind an attack on Microsoft in March 2022.

BlackByte – BlackByte is a type of ransomware-as-a-service software. It was used in a ransomware attack against the San Francisco 49ers NFL team in February 2022.