Ransomware is a form of malware that encrypts a victim’s files and demands payment in order to restore access. “Your files are encrypted” is a common message displayed by ransomware upon encrypting a computer’s data. This article will provide an overview of ransomware, how it infects systems and encrypts files, the different types of ransomware, how to detect a ransomware infection, and steps to take if your files become encrypted by ransomware.
What is ransomware?
Ransomware is a type of malicious software (malware) that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. It encrypts files on the infected device and even on shared or networked drives and storage.
The ransom demand usually appears on-screen as a popup with instructions for how to pay to get a decryption key. Payment is often demanded in cryptocurrency, such as Bitcoin, to protect the anonymity of the cybercriminals. Once payment is received, the criminals may send a decryption key to unlock the files.
However, there is no guarantee files will be restored after paying the ransom. The criminals may not provide the correct decryption key or they may simply take the money without unlocking anything. For this reason, ransom payments are not recommended.
Main goal of ransomware
The main goal of ransomware is to extort money from victims by blocking access to their own data. It is a financially motivated cybercrime that can be highly disruptive to individuals and businesses.
How ransomware has evolved
Early ransomware viruses in the late 1980s and early 1990s were relatively simple, using basic encryption. Over time, ransomware has become much more sophisticated.
Some key developments include:
– Use of asymmetric encryption – Public and private encryption keys make it virtually impossible to decrypt files without the private key.
– Anonymous payment methods – Cryptocurrency enables anonymous ransom payments that are difficult to trace.
– Improved distribution methods – Advanced phishing emails, exploit kits, and other methods improve infection rates.
– Ransomware-as-a-Service – Allows cybercriminals to purchase ransomware code and infrastructure from developers and launch their own campaigns.
– Double extortion – Exfiltrating data before encryption and threatening to release it raises the stakes.
These innovations have made ransomware a multibillion dollar criminal industry affecting organizations across the globe.
How does ransomware infect your computer?
Ransomware uses a variety of infection vectors to get onto a victim’s device and encrypt their files:
Malicious email attachments
Mass phishing emails containing infected file attachments are one of the most common ransomware infection methods. The attachments may appear to be innocuous files like PDFs, Word documents, or images, but they contain embedded malicious code. Opening the infected attachment triggers the ransomware infection.
Compromised websites and ads
Browsing websites compromised by exploit kits or serving malicious ads can inadvertently download and install ransomware code onto a device. This is known as a drive-by download. The ransomware may also exploit vulnerabilities in web browsers and plugins.
Remote Desktop Protocol (RDP) vulnerabilities
Weak passwords or unpatched systems running Remote Desktop Protocol can allow hackers to gain access and deploy ransomware across networks. Healthcare organizations have been frequent targets of ransomware campaigns exploiting RDP.
Software vulnerabilities
Unpatched vulnerabilities in operating systems and applications can be exploited to silently push ransomware onto systems. Two common examples are vulnerable Internet-facing services such as VPNs and weaknesses in SMB file sharing.
Unpatched systems
Neglected, outdated systems that are no longer supported by vendors with security updates are prime targets, since new vulnerabilities are not being patched.
How does ransomware encrypt your files?
Once installed on a system, ransomware uses strong encryption algorithms to encrypt files, making them inaccessible to the user. Here is the general process:
Locate target files
Ransomware recursively scans local drives, servers, external storage, and mapped network drives to hunt for files to encrypt. It may be configured to target specific file types like Office documents, photos, videos, etc.
Encrypt the files
The ransomware encrypts located files using asymmetric encryption. This uses a public key to encrypt each file and a private key to decrypt them. The private key is retained by the ransomware operators. Without it, it is mathematically infeasible to decrypt the files.
Delete originals
After encrypting files, the original unencrypted files are deleted. This prevents recovering files from backups. Some ransomware only deletes larger files to save time.
Display ransom note
A ransom note is displayed with payment instructions for purchasing the decryption key. This will often appear as a text file, desktop background image, or popup window. The note provides the ransom amount and the bitcoin payment address.
Different types of ransomware
There are several major families and variants of ransomware in circulation today. Some notable examples include:
CryptoLocker
One of the earliest ransomware strains to use advanced encryption. It spread via malicious email attachments and drive-by downloads from 2013-2014.
CTB-Locker
Emerged in 2014 and pioneered the use of Tor payment sites to anonymize ransom payments. It was distributed via spam emails.
Locky
Active from 2016-2017, Locky was distributed via massive spam campaigns. It used RSA public key encryption with a 4096-bit key length.
WannaCry
WannaCry made headlines in 2017 after infecting over 230,000 computers in 150 countries by exploiting a Windows SMB vulnerability. It was notable for spreading like a worm from system to system.
Ryuk
First observed in 2018, Ryuk has targeted large enterprises and government agencies, often via Remote Desktop Protocol (RDP) compromises. Operators demand extremely high ransoms.
Sodinokibi
Also known as REvil, Sodinokibi emerged in 2019 and pioneered the double extortion trend of exfiltrating data prior to encryption and threatening to publish it.
Conti
Active since 2020, Conti has aggressively targeted the healthcare and public sectors, with more than 290 organizations affected. Its ransom demands start in the millions.
How to detect a ransomware infection
Detecting a ransomware infection quickly is crucial to potentially mitigate its spread and impact. Here are some telltale signs that ransomware may have infected a system:
Inaccessible files
Trying to open ordinary files produces error messages saying they cannot be opened or are corrupted. This is a key indicator of encryption.
Renamed files
Encrypted files may have been renamed with strange extensions like .crypt, .locker, or .encrypted added to the end.
Text ransom note
A text file ransom note appearing on the desktop or folders with payment instructions indicates ransomware.
Custom ransomware note
A custom splash screen or message may be displayed instead of the normal desktop. Ransomware notes are distinctive.
Slow performance
Unusual slowness, crashing, or freezing could indicate ransomware encrypting files in the background.
Disabled services
Some ransomware attempts to disable security tools, restrict access to control panels, or stop services like email databases.
Antivirus alerts
Antivirus software may send an alert about suspicious behavior, malware detection, or ransomware-specific signatures.
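As an added example (not from the article), the following Python script turns the indicators above into a read-only check that can be run against a suspect directory: it flags files renamed with the extensions the article mentions, text files that read like ransom notes, and files whose contents look like ciphertext (near-random bytes). The extension list, note phrases, entropy threshold and the sample directory it builds are assumptions constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter

# Added example (not from the article): read-only scan for the indicators it lists.
SUSPICIOUS_EXTENSIONS = {".crypt", ".locker", ".encrypted"}
RANSOM_NOTE_PHRASES = ("your files are encrypted", "decryption key", "bitcoin")
ENTROPY_THRESHOLD = 7.5  # bits/byte; compressed formats (zip, jpg) also score high, so corroborate

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_ransom_note(path: str) -> bool:
    """True if the start of a text file contains typical ransom-note phrasing."""
    with open(path, "rb") as f:
        head = f.read(4096).decode("utf-8", errors="ignore").lower()
    return any(phrase in head for phrase in RANSOM_NOTE_PHRASES)

def scan_directory(root: str) -> dict:
    """Walk root and group file paths by indicator type."""
    findings = {"renamed": [], "ransom_note": [], "high_entropy": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPICIOUS_EXTENSIONS:
                findings["renamed"].append(path)
            if ext in (".txt", ".html") and looks_like_ransom_note(path):
                findings["ransom_note"].append(path)
            with open(path, "rb") as f:
                sample = f.read(65536)  # the first 64 KiB is enough to judge
            if len(sample) >= 1024 and shannon_entropy(sample) > ENTROPY_THRESHOLD:
                findings["high_entropy"].append(path)
    return findings

def build_sample_tree() -> str:
    """Constructed fixture: a normal document, a renamed random-byte file, a ransom note."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"quarterly planning notes, constructed sample text\n" * 40)
    with open(os.path.join(root, "photo.jpg.encrypted"), "wb") as f:
        f.write(os.urandom(4096))  # stands in for ciphertext; nothing is encrypted here
    with open(os.path.join(root, "README_FOR_DECRYPT.txt"), "w") as f:
        f.write("YOUR FILES ARE ENCRYPTED. Buy the decryption key with Bitcoin.\n")
    return root
```

Running `scan_directory(build_sample_tree())` reports the renamed file under both "renamed" and "high_entropy" and the note under "ransom_note", while the plain notes file is not flagged.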
What to do if your files are encrypted by ransomware?
Here are important steps to take if you discover ransomware has encrypted your files:
Disconnect from networks
Unplug wired networks and disconnect Wi-Fi to keep the infection from spreading to other devices or shared storage.
Take pictures for identification
Photograph any ransom note displayed on-screen for identification and investigation purposes.
Check for decryptors
Research the ransomware variant to determine if any free decryption tools have been released. This is not typical but can occasionally happen.
Report the crime
File a report with the FBI’s Internet Crime Complaint Center at www.ic3.gov and notify law enforcement. This can help investigations.
Evaluate backups
Check cloud and offline backups to assess whether critical files can be restored without paying the ransom. Ensure the backups are intact.
Seek technical assistance
Contact IT support specialists who may be able to contain and remove the infection. Cybersecurity firms can also advise recovery options.
Consider paying ransom
As a last resort, payment may be the only way to regain access quickly, but there are risks the decryption may fail. Consult experts first.
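For the "Evaluate backups" step above, here is an added example (not from the article) of checking that a backup is intact before restoring from it: the backup is compared against a SHA-256 manifest recorded when it was taken, so a copy that ransomware reached over a shared or mapped drive is flagged rather than trusted. The file names, the manifest layout and the incident scenario are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

# Added example (not from the article): compare an offline backup with a
# SHA-256 manifest recorded when it was taken, so a backup that ransomware
# reached (for example over a mapped network drive) is not used for restore.


def build_manifest(backup_root: str) -> dict:
    """Map each path (relative to backup_root) to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _, names in os.walk(backup_root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, backup_root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def verify_backup(backup_root: str, manifest: dict) -> dict:
    """Report files missing, changed, or added since the manifest was recorded."""
    current = build_manifest(backup_root)
    report = {
        "missing": sorted(p for p in manifest if p not in current),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(p for p in current if p not in manifest),
    }
    report["intact"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report


def demo() -> tuple:
    """Constructed scenario: verify a clean backup, then the same share after an incident."""
    backup = tempfile.mkdtemp()
    for name, body in (("ledger.xlsx", b"constructed ledger\n" * 50), ("notes.txt", b"notes\n" * 20)):
        with open(os.path.join(backup, name), "wb") as f:
            f.write(body)
    manifest = build_manifest(backup)  # in practice kept offline, apart from the backup itself
    clean = verify_backup(backup, manifest)
    # Mimic the damage the article describes: one file renamed with a new extension
    # and overwritten with random bytes, another altered in place.
    os.replace(os.path.join(backup, "ledger.xlsx"), os.path.join(backup, "ledger.xlsx.encrypted"))
    with open(os.path.join(backup, "ledger.xlsx.encrypted"), "wb") as f:
        f.write(os.urandom(900))
    with open(os.path.join(backup, "notes.txt"), "ab") as f:
        f.write(b"tampered\n")
    return clean, verify_backup(backup, manifest)
```

The manifest only proves anything if it is stored apart from the backup it describes; a manifest kept on the same share can be altered or encrypted along with the files.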
Conclusion
Ransomware attacks pose a serious threat to individuals, businesses, and organizations by encrypting valuable data and demanding ransom payments. Awareness of common infection methods, ransomware families, detection signs, and response steps can improve resilience. While ransom payment may seem the only option, it should be carefully weighed against other recovery alternatives after consulting technical and legal experts. Implementing robust offline backups, keeping software patched and updated, training staff on phishing risks, and using layered cybersecurity defenses can help reduce the likelihood of a successful ransomware attack.