Ransomware explained: How it works and how to remove it
Despite a recent decline, ransomware is
still a serious threat. Here’s everything you need to know about the
file-encrypting malware and how it works.
Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon payment. Victims are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin.
How ransomware works
There are a number of vectors ransomware can take to access a computer. One of the most common delivery systems is phishing
spam — attachments that come to the victim in an email, masquerading as
a file they should trust. Once they’re downloaded and opened, they can
take over the victim’s computer, especially if they have built-in social engineering tools that trick users into allowing administrative access. Some other, more aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without needing to trick users.
There are several things the malware might do once it’s taken
over the victim’s computer, but by far the most common action is to
encrypt some or all of the user’s files. If you want the technical
details, the Infosec Institute has a great in-depth look at how several flavors of ransomware encrypt files.
But the most important thing to know is that at the end of the process,
the files cannot be decrypted without a mathematical key known only by
the attacker. The user is presented with a message explaining that their
files are now inaccessible and will only be decrypted if the
victim sends an untraceable Bitcoin payment to the attacker.
In some forms of malware, the attacker might claim to be a law enforcement agency
shutting down the victim’s computer due to the presence of pornography
or pirated software on it, and demanding the payment of a “fine,”
perhaps to make victims less likely to report the attack to authorities.
But most attacks don’t bother with this pretense. There is also a
variation, called leakware or doxware,
in which the attacker threatens to publicize sensitive data on the
victim’s hard drive unless a ransom is paid. But because finding and
extracting such information is a very tricky proposition for attackers,
encryption ransomware is by far the most common type.
Who is a target for ransomware?
There are several different ways attackers choose the organizations they target with ransomware.
Sometimes it’s a matter of opportunity: for instance, attackers might
target universities because they tend to have smaller security teams and
a disparate user base that does a lot of file sharing, making it easier
to penetrate their defenses.
On the other hand, some organizations are tempting targets because they
seem more likely to pay a ransom quickly. For instance, government
agencies or medical facilities often need immediate access to their
files. Law firms and other organizations with sensitive data may be
willing to pay to keep news of a compromise quiet — and these
organizations may be uniquely sensitive to leakware attacks.
But don’t feel like you’re safe if you don’t fit these
categories: as we noted, some ransomware spreads automatically and
indiscriminately across the internet.
How to prevent ransomware
There are a number of defensive steps you can take to prevent ransomware infection.
These steps are of course good security practices in general, so
following them improves your defenses from all sorts of attacks:
- Keep your operating system patched and up-to-date to ensure you have fewer vulnerabilities to exploit.
- Don’t install software or give it administrative privileges unless you know exactly what it is and what it does.
- Install antivirus software, which detects malicious programs like ransomware as they arrive, and whitelisting software, which prevents unauthorized applications from executing in the first place.
- And, of course, back up your files, frequently and automatically! That won’t stop a malware attack, but it can make the damage caused by one much less significant.
If your computer has been infected
with ransomware, you’ll need to regain control of your machine. CSO’s
Steve Ragan has a great video demonstrating how to do this on a Windows
- Reboot Windows 10 to safe mode
- Install antimalware software
- Scan the system to find the ransomware program
- Restore the computer to a previous state
But here’s the important thing to keep in mind: while walking
through these steps can remove the malware from your computer and
restore it to your control, it won’t decrypt your files. Their
transformation into unreadability has already happened, and if the
malware is at all sophisticated, it will be mathematically impossible
for anyone to decrypt them without access to the key that the attacker
holds. In fact, by removing the malware, you’ve precluded the
possibility of restoring your files by paying the attackers the ransom
they’ve asked for.
Ransomware facts and figures
Ransomware is big business. There’s
a lot of money in ransomware, and the market expanded rapidly from the
beginning of the decade. In 2017, ransomware resulted in $5 billion in losses,
both in terms of ransoms paid and spending and lost time in recovering
from attacks. That’s up 15 times from 2015. In the first quarter of
2018, just one kind of ransomware software, SamSam, collected $1 million in ransom money.
Some markets are particularly prone to ransomware—and to paying the ransom. Many
high-profile ransomware attacks have occurred in hospitals or other
medical organizations, which make tempting targets: attackers know that,
with lives literally in the balance, these enterprises are more likely
to simply pay a relatively low ransom to make a problem go away. It’s
estimated that 45 percent of ransomware attacks target healthcare orgs, and, conversely, that 85 percent of malware infections at healthcare orgs are ransomware.
Another tempting industry? The financial services sector, which is, as
Willie Sutton famously remarked, where the money is. It’s estimated that
90 percent of financial institutions were targeted by a ransomware attack in 2017.
Your anti-malware software won’t necessarily protect you. Ransomware
is constantly being written and tweaked by its developers, and so its
signatures are often not caught by typical anti-virus programs. In fact,
as many as 75 percent of companies that fall victim to ransomware were running up-to-date endpoint protection on the infected machines.
Ransomware isn’t as prevalent as it used to be. If
you want a bit of good news, it’s this: the number of ransomware
attacks, after exploding in the mid ’10s, has gone into a decline,
though the initial numbers were high enough that it’s still. But in the
first quarter of 2017, ransomware attacks made up 60 percent of malware payloads; now it’s down to 5 percent.
Ransomware on the decline?
What’s behind this big dip? In many ways it’s an economic decision based on
the cybercriminal’s currency of choice: bitcoin. Extracting a ransom
from a victim has always been hit or miss; they might not decide to pay,
or even if they want to, they might not be familiar enough with bitcoin
to figure out how to actually do so.
As Kaspersky points out, the decline in ransomware has been matched by a rise in so-called cryptomining malware, which infects the victim computer and uses its computing power to create (or mine,
in cryptocurrency parlance) bitcoin without the owner knowing. This is a
neat route to using someone else’s resources to get bitcoin that
bypasses most of the difficulties in scoring a ransom, and it has only
gotten more attractive as a cyberattack as the price of bitcoin spiked
in late 2017.
That doesn’t mean the threat is over, however. Barkly explains that there are two different kinds of ransomware attackers:
“commodity” attacks that try to infect computers indiscriminately by
sheer volume and include so-called “ransomware as a service” platforms
that criminals can rent; and targeted groups that focus on particularly
vulnerable market segments and organizations. You should be on guard if
you’re in the latter category, no matter if the big ransomware boom has
With the price of bitcoin dropping over the course of
2018, the cost-benefit analysis for attackers might shift back.
Ultimately, using ransomware or cryptomining malware is a business
decision for attackers, says Steve Grobman, chief technology officer at
McAfee. “As cryptocurrency prices drop, it’s natural to see a shift back
Should you pay the ransom?
If your system has been infected with malware, and you’ve lost vital data that
you can’t restore from backup, should you pay the ransom?
Speaking theoretically, most law enforcement agencies urge you not to
pay ransomware attackers, on the logic that doing so only encourages
hackers to create more ransomware. That said, many organizations that
find themselves afflicted by malware quickly stop thinking in terms of
the “greater good” and start doing a cost-benefit analysis,
weighing the price of the ransom against the value of the encrypted
data. According to research from Trend Micro, while 66 percent of
companies say they would never pay a ransom as a point of principle, in practice 65 percent actually do pay the ransom when they get hit.
Attackers keep prices relatively low — usually between $700 and $1,300,
an amount companies can usually afford to pay on short notice. Some
particularly sophisticated malware will detect the country where the
infected computer is running and adjust the ransom to match that
nation’s economy, demanding more from companies in rich countries and
less from those in poor regions.
There are often discounts offered
for acting fast, so as to encourage victims to pay quickly before
thinking too much about it. In general, the price point is set so that
it’s high enough to be worth the criminal’s while, but low enough that
it’s often cheaper than what the victim would have to pay to restore
their computer or reconstruct the lost data. With that in mind, some
companies are beginning to build the potential need to pay ransom into
their security plans: for instance, some large UK companies who are
otherwise uninvolved with cryptocurrency are holding some Bitcoin in reserve specifically for ransom payments.
There are a couple of tricky things to remember here, keeping in mind that
the people you’re dealing with are, of course, criminals. First, what
looks like ransomware may not have actually encrypted your data at all;
make sure you aren’t dealing with so-called “scareware”
before you send any money to anybody. And second, paying the attackers
doesn’t guarantee that you’ll get your files back. Sometimes the
criminals just take the money and run, and may not have even built
decryption functionality into the malware. But any such malware will
quickly get a reputation and won’t generate revenue, so in most cases —
Gary Sockrider, principal security technologist at Arbor Networks, estimates around 65 to 70 percent of the time — the crooks come through and your data is restored.
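The scareware check mentioned above can be run from a clean system by sampling files and testing whether their contents were really replaced with ciphertext. The following Python is an added example, not part of the original article; the format table, the 7.5 bits/byte threshold and the sample data are assumptions constructed for illustration.

```python
import math
import os
from collections import Counter

# Leading "magic" bytes of a few common formats (well-known values).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
}
ENTROPY_LIMIT = 7.5  # bits/byte; assumed cut-off, ciphertext sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def classify(name: str, head: bytes) -> str:
    """Classify one file from its name and its first few KiB."""
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is not None:
        # Known format: an intact header means the start was not overwritten.
        return "intact" if head.startswith(magic) else "likely-encrypted"
    # Unknown or renamed extension (e.g. ".locked"): fall back to entropy.
    return "likely-encrypted" if shannon_entropy(head) > ENTROPY_LIMIT else "intact"

def triage(files: dict) -> dict:
    """Summarise a sample of {name: first_bytes} into counts per verdict."""
    counts = {"intact": 0, "likely-encrypted": 0}
    for name, head in files.items():
        counts[classify(name, head)] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample; os.urandom stands in for real ciphertext.
    sample = {
        "report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\n",
        "notes.txt": b"meeting notes, nothing secret\n" * 50,
        "budget.xlsx": os.urandom(4096),
        "diary.txt.locked": os.urandom(4096),
    }
    print(triage(sample))
```

Compressed formats such as JPEG and ZIP-based documents are high-entropy even when untouched, which is why known formats are judged by their header rather than by entropy.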
While ransomware has technically
been around since the ’90s, it’s only in the past five years or so that
it’s really taken off, largely because of the availability of
untraceable payment methods like Bitcoin. Some of the worst offenders have been:
- CryptoLocker, a 2013 attack that launched the modern ransomware age and infected up to 500,000 machines at its height
- TeslaCrypt, which targeted gaming files and saw constant improvement during its reign of terror
- SimpleLocker, the first widespread ransomware attack that focused on mobile devices
which spread autonomously from computer to computer using EternalBlue,
an exploit developed by the NSA and then stolen by hackers
- NotPetya, which also used EternalBlue and may have been part of a Russian-directed cyberattack against Ukraine
- Locky, which started spreading in 2016, was “similar in its mode of attack to the notorious banking software Dridex.”
And this list is just going to get longer. Even as this article was being put together, a new wave of ransomware, dubbed BadRabbit, spread across media companies in Eastern Europe and Asia. It’s important to follow the tips listed here to protect yourself.