In the past, security threats often involved scraping information from systems that could be used for other crimes such as identity theft. Now, criminal organizations have moved on to demanding money directly from victims by holding their devices—and data—hostage. This trend of ransomware, in which data is encrypted and victims are prompted to pay for the key, has been growing rapidly since late 2013.
TechRepublic's smart person's guide about ransomware is a quick introduction to this security threat, as well as a "living" guide that will be updated periodically as new exploits and defenses are developed.
SEE: Check out all of TechRepublic's smart person's guides
Executive summary
- What is it? Ransomware is malware that locks a device or encrypts the data stored on it. The hackers then demand payment, often via Bitcoin or prepaid credit card, before the victim can regain access to the infected device and its data.
- Why does it matter? Because of the ease of deploying ransomware, criminal organizations are increasingly relying on such attacks to generate profits.
- Who does this affect? While home users have traditionally been the targets, healthcare and the public sector have been targeted with increasing frequency. Enterprises are more likely to have deep pockets from which to extract a ransom.
- When is this happening? Ransomware has been an active and ongoing threat since September 2013.
- How do I protect myself from a ransomware attack? Preventing unknown programs from running (for example, via Group Policy on enterprise workstations) blocks many infections before they start; for systems that are already infected, a variety of tools developed in collaboration with law enforcement and security firms are available to decrypt your computer.
SEE: Cybersecurity ebook: The ransomware battle (Tech Pro Research)
What is ransomware?
Ransomware is a subclass of malware that is characterized by holding device control—and therefore locally stored data—for a ransom, which is typically paid using virtual currencies such as Bitcoin, though premium SMS messaging and prepaid credit cards are also common alternatives. Sophisticated ransomware attacks employ disk- or file-level encryption, making it impossible to recover files without paying the ransom demanded by the hackers.
Historically, ransomware has invoked law enforcement to coerce victims into paying—displaying warnings such as the FBI logo and a message claiming that illegal file sharing has been detected. More recent ransomware drops this pretense, and its authors state plainly that the device has simply been hacked.
Ransomware payloads are typically distributed on file-sharing networks, but have also been distributed as part of a malvertising campaign on the Zedo ad network, as well as through phishing emails that disguise the payload as maliciously crafted images or as executables attached to emails.
Additional resources:
- Infographic: The 5 phases of a ransomware attack (TechRepublic)
- Easy to carry out, difficult to fight against: Why ransomware is booming in 2016 (ZDNet)
- New ransomware skips files, encrypts your whole hard drive (ZDNet)
- Infographic and interview: The explosion of cybercrime and how to protect your business (TechRepublic)
Why does ransomware matter?
For criminal organizations, the use of ransomware provides a very straight line from development to profit, as the comparatively manual labor of identity theft requires more resources. As such, the burgeoning growth of ransomware can be attributed to the ease of deployment, and a high rate of return relative to the amount of effort put forth.
For IT professionals, the risk of ransomware extends beyond desktops and notebook workstations, and has historically included smartphones and other connected computing devices, such as Synology NAS products and Android TV devices. While home users were traditionally the targets of ransomware, business networks have been increasingly targeted by criminals. Additionally, servers have become high-profile targets for ransomware attackers, as unpatched software leaves these systems vulnerable.
Additional resources:
- Skyrocketing Android ransomware has quadrupled over past year, says new report (TechRepublic)
- Ransomware is now the biggest cybersecurity threat (ZDNet)
- Throwing money at the problem? Security tech spending reaches $82bn a year (ZDNet)
- CEOs' pay should be slashed if firms fail to protect against online attacks (ZDNet)
- Create a security culture framework to protect against threats (Tech Pro Research)
Who does ransomware affect?
Healthcare service providers and public sector employees have been explicitly targeted in recent ransomware attacks. Less sophisticated ransomware claims that files will be restored after payment, though in reality the files are deleted whether or not the user pays.
Ransomware attacks are generally quite successful for criminal organizations, as victims often pay the ransom. Specifically targeted attacks may result in increasingly higher ransom demands, as attackers become more brazen in their attempts to extort money from victims.
Additional resources:
- Ransomware rises to strike almost 40 percent of enterprise companies (ZDNet)
- A troubling trajectory of malware and ransomware targeting OS X and iOS (TechRepublic)
- Businesses beware: the 'industrial internet of things' is a prime target for cyberattacks (TechRepublic)
- Cybersecurity spotlight: The critical labor shortage (Tech Pro Research)
When is ransomware happening?
While the first rudimentary ransomware attack dates back to 1989, the first widespread encrypting ransomware attack was CryptoLocker, which was deployed in September 2013. Originally, victims of CryptoLocker were held to a strict deadline to recover their files, though the authors later created a web service that can decrypt systems for which the deadline has passed at the hefty price of 10 BTC (at the time of publication, the USD equivalent of 10 Bitcoin, or BTC, is approximately $5,787).
While the original CryptoLocker authors are thought to have made about $3 million USD, imitators using the CryptoLocker name have appeared with increasing frequency. The FBI's Internet Crime Complaint Center estimates that between April 2014 and June 2015, victims of ransomware paid over $18 million USD to restore access to their devices.
Additional resources:
- Ransomware's next target: Anything that's connected (CBS News)
- Wildfire ransomware code cracked: Victims can now unlock encrypted files for free (ZDNet)
- Ransomware 2.0 is around the corner and it's a massive threat to the enterprise (TechRepublic)
- Ransomware-as-a-service allows wannabe hackers to cash-in on cyber extortion (ZDNet)
- Ransomware-as-a-service is exploding: Be ready to pay (TechRepublic)
- TeslaCrypt no more: Ransomware master decryption key released (ZDNet)
- Why antivirus programs have become the problem, not the solution (TechRepublic)
How do I protect myself from a ransomware attack?
Ransomware is often spread on file-sharing networks or on websites that purport to provide direct downloads. Other traditional attack vectors have also been used, such as email attachments or malicious links. Several measures reduce the risk of infection. For enterprise workstation deployments, using Group Policy to prevent execution of unknown programs is an effective security measure against ransomware and other types of malware.
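The Group Policy measure described above is usually implemented with AppLocker, whose rules can be authored and deployed from PowerShell. The script below is an added example written for this guide, not code from TechRepublic or from any product mentioned on the page. It builds an executable-rule policy that allows programs to run only from the Windows and Program Files directories (plus anything for local administrators), so an executable that lands in a user-writable location such as a temp or Downloads folder is denied by default. It assumes a Windows machine with the AppLocker cmdlets, an elevated PowerShell session, and, for the domain step, a GPO LDAP path that you substitute for the placeholder. The sample "dropped" file it tests against is a harmless text file created by the script.

```powershell
# Added example (not from the TechRepublic article): author an AppLocker
# executable policy in PowerShell and dry-run it before deploying.
# Assumptions: Windows with the AppLocker cmdlets, elevated session,
# and a placeholder GPO path for the domain step.

# Emits one AppLocker FilePathRule element allowing $Path for $Sid.
function New-AllowPathRule {
    param([string]$Name, [string]$Sid, [string]$Path)
    $id = [guid]::NewGuid().ToString()   # each rule needs a unique GUID
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

# Well-known SIDs: S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
# AppLocker's %PROGRAMFILES% variable covers both Program Files directories.
$rules = @(
    (New-AllowPathRule -Name 'Everyone: Program Files'   -Sid 'S-1-1-0'      -Path '%PROGRAMFILES%\*')
    (New-AllowPathRule -Name 'Everyone: Windows folder'  -Sid 'S-1-1-0'      -Path '%WINDIR%\*')
    (New-AllowPathRule -Name 'Administrators: all paths' -Sid 'S-1-5-32-544' -Path '*')
) -join "`n"

# EnforcementMode is AuditOnly so the rules are trialled first. Event ID 8003
# (Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL)
# records programs that would have been blocked; switch to "Enabled" once no
# legitimate software shows up there.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'AppLocker-Exe-Policy.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Constructed sample of a file dropped into a user-writable folder.
# It is plain text, not a program; only its location matters to a path rule.
$dropped = Join-Path $env:TEMP 'sample-attachment.exe'
Set-Content -Path $dropped -Value 'placeholder, not an executable'

# Dry-run: a path under an allowed directory is Allowed, anything else is
# DeniedByDefault. Test-AppLockerPolicy reads the files, so they must exist.
$samples = @("$env:WINDIR\System32\notepad.exe", $dropped)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Deployment (commented out so the dry-run above is side-effect free):
# Local test machine, merged with any existing local policy:
#   Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# Domain GPO (PLACEHOLDER path; replace with the real GPO distinguished name):
#   Set-AppLockerPolicy -XmlPolicy $policyPath -Merge `
#       -Ldap 'LDAP://DC01.example.com/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com'
# AppLocker only enforces while the Application Identity service is running:
#   Start-Service AppIDSvc
```

Two points worth checking before relying on this: keep the policy in AuditOnly long enough to catch line-of-business tools installed outside Program Files, and make sure standard users cannot write into the allowed directories, since a path rule allows whatever sits under that path. Where users do need write access to an allowed location, publisher or hash rules are the stricter option.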
For those who have been infected, the No More Ransom project—a collaboration between Europol, the Dutch National Police, Kaspersky Lab, and Intel Security—provides decryption tools for many widespread ransomware types.
Additional resources:
- Kaspersky Lab offers free anti-ransomware tool for Windows (ZDNet)
- This initiative wants to help ransomware victims decrypt their files for free (ZDNet)
- Ransomware customer service: Negotiation is always on the table (ZDNet)
- Ransomware: To pay or not to pay (TechRepublic)
- How to avoid ransomware attacks: 10 tips (TechRepublic)
- How to mitigate ransomware, DDoS attacks, and other cyber extortion threats (TechRepublic)
- 4 ways to reduce your chances of getting caught by malvertising (TechRepublic)
- Video: Ransomware — How to defend yourself against it (CNET)
James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.