THURSDAY, April 18, 2024
nationthailand

Ransomware 101: What, How, and Why

While ransomware isn’t new, many users still find themselves victimized by it without knowing how their device got infected. They could have downloaded ransomware unknowingly by visiting malicious or compromised websites, or it could have been dropped or

Ransomware used to be more of a consumer or end-user problem. Now, criminal groups are infiltrating ransomware into your network, and every host, database, fileshare and system backup is exposed to the risk of being turned into an extortion engine. While it is difficult to accurately estimate the impact of the enterprise ransomware epidemic globally, Trend Micro stopped 99 million threats between October last year and April 2016.
 
Recently, the Hollywood Presbyterian Medical Center was one of the first organizations to make the news after one such attack. It’s thought the hospital was forced to turn away outpatients and cancel X-rays, CT scans and lab work as a result. CEO Allen Stefanek later admitted that the organization paid a ransom of 40 Bitcoins – around $17,000 at the time – to get its files back. He claimed this was “the quickest and most efficient way to restore our systems and administrative functions.”
 
Some ransomware has evolved from simple scareware into what we now know as crypto-ransomware, a more advanced type of ransomware that goes a step further by encrypting the files it holds hostage. In late 2013, we saw a crypto-ransomware variant called CryptoLocker, which encrypts files and locks the victim's system. Like the previous types of ransomware, CryptoLocker demands payment from the affected users to unlock their encrypted files. CryptoLocker continuously evolves and includes new tactics and methods to avoid early detection.
 
In the third quarter of 2014, crypto-ransomware accounted for more than a third of all ransomware types found in infected systems, and it's still gaining popularity. Data gathered over the last quarter of 2014 shows that crypto-ransomware variants have increased from 19% to more than 30% in the last 12 months.
 
Recently, we observed a new ransomware variant called TorrentLocker, which targeted nearly 4,000 organizations and enterprises. Since its emergence in the threat landscape, it has affected users from all over the world, preventing victims from accessing their own files unless they pay a hefty ransom fee.
 
 
Generally, the cybercriminal creates code specifically designed to take control of a computer and hijack files. The files are encrypted so the victim loses access to them. Once executed in the system, the ransomware can either (1) lock the computer screen or (2) encrypt predetermined files. In the first scenario, the infected system will show a full-screen image or notification that prevents victims from using their system unless a fee, or "ransom", is paid. The notification also shows instructions on how users can pay the ransom to regain access to the system. The second type of ransomware locks files like documents, spreadsheets and other important files.
 
The ransom amount varies, ranging from a minimal amount to hundreds of dollars. The attacker still profits no matter how meager the amount, as they make up for it in the overall number of computers they infect. The ransom is paid via online payment methods. If the user fails to pay, the attacker could create additional malware to further destroy the files until the ransom is paid.
 
How to prevent being a victim
 
Ransomware is a particularly sophisticated type of malware, and while knowledgeable professionals might know how to disable it, users can curb the problem by following routine security measures. It’s important to remember that in some cases, recovery without paying the ransom might not be possible, and this is when it becomes necessary to resort to file backups.
 
Here are a few simple tips on how you can secure yourself from likely attacks:
 
- Back up your files regularly – the 3-2-1 rule applies here: three backup copies of your data on two different media and one of those copies in a separate location.
- Bookmark your favorite websites and access them only via bookmarks – attackers can easily slip malicious code into URLs, directing unwitting users to a malicious site where ransomware could be downloaded. Bookmarking frequently-visited, trusted websites will prevent you from typing in the wrong address.
- Verify email sources – while this practice could be tricky, it always pays to be extra careful before opening any link or email attachment. To be sure, verify with your contacts prior to clicking.
- Update security software – employing security software adds an extra layer of protection from all possible points of infection. Specifically, it prevents access to malicious websites hosting ransomware variants. More importantly, it detects and deletes ransomware variants found in the system.
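
The 3-2-1 rule from the first tip can be checked mechanically against a backup inventory. The sketch below is an added example, not part of the original article; the record fields (`dataset`, `medium`, `location`), the dataset names and the `PRIMARY_SITE` map are constructed for illustration, and it counts backup copies the way the tip words the rule.

```python
from collections import defaultdict

# Constructed sample inventory: one record per backup copy.
# Field names (dataset, medium, location) are assumptions for this example.
INVENTORY = [
    {"dataset": "finance-share", "medium": "nas", "location": "hq"},
    {"dataset": "finance-share", "medium": "tape", "location": "hq"},
    {"dataset": "finance-share", "medium": "cloud-object", "location": "provider-region-a"},
    {"dataset": "hr-db", "medium": "nas", "location": "hq"},
    {"dataset": "hr-db", "medium": "nas", "location": "hq"},
    {"dataset": "hr-db", "medium": "nas", "location": "hq"},
    {"dataset": "mail-archive", "medium": "usb-disk", "location": "hq"},
    {"dataset": "mail-archive", "medium": "cloud-object", "location": "provider-region-a"},
]

# Where the live data sits; a copy only counts as "separate" if it is elsewhere.
PRIMARY_SITE = {"finance-share": "hq", "hr-db": "hq", "mail-archive": "hq", "cad-files": "hq"}


def audit_321(inventory, primary_site):
    """Return {dataset: [failed rules]} for the 3-2-1 rule; empty list = compliant."""
    copies = defaultdict(list)
    for rec in inventory:
        copies[rec["dataset"]].append(rec)

    report = {}
    # Iterate over known datasets so data with no backup at all is reported too.
    for dataset, site in primary_site.items():
        recs = copies.get(dataset, [])
        media = {r["medium"] for r in recs}
        offsite = [r for r in recs if r["location"] != site]
        failures = []
        if len(recs) < 3:
            failures.append(f"copies: {len(recs)}/3")
        if len(media) < 2:
            failures.append(f"media: {len(media)}/2")
        if not offsite:
            failures.append("offsite: 0/1")
        report[dataset] = failures
    return report


if __name__ == "__main__":
    for dataset, failures in audit_321(INVENTORY, PRIMARY_SITE).items():
        print(f"{dataset:15} {'OK' if not failures else 'FAIL ' + ', '.join(failures)}")
```

Three copies on the same NAS at the same site (`hr-db` in the sample) pass the copy count but fail the other two checks, which is the case ransomware that reaches a network share exploits.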