Viruses that make files disappear, also known as file-encrypting ransomware, are some of the most disruptive and dangerous malware threatening users today. These insidious viruses infiltrate computers, often through phishing emails or infected websites, and encrypt the user’s personal files – photos, documents, videos and more. The encrypted files become inaccessible, essentially held for ransom, until the victim pays a fee to the cybercriminals behind the virus. Unfortunately, even after paying up, there is no guarantee you will get your files back.
What is ransomware?
Ransomware is a type of malicious software, or malware, that encrypts or locks a victim’s files, denying them access until a ransom is paid. The ransom demand usually arrives along with the infection itself, with instructions to pay a fee in cryptocurrency to receive a decryption key. This key is supposed to unlock and restore access to the encrypted files. However, paying the ransom does not always work, and even if you do regain access, your personal information may still remain compromised.
How does ransomware infect computers?
Ransomware usually infiltrates systems through phishing emails, malicious ads or compromised websites. The infection is often completely invisible until it has finished encrypting files. Some common delivery methods include:
- Phishing emails with infected attachments or links
- Compromised websites that automatically download malware
- “Drive-by” ransomware that exploits security flaws in browsers and apps
- Fake software updates containing malware
- Brute force attacks to guess weak passwords on remote desktop connections
Why is ransomware so dangerous?
File-encrypting ransomware is extremely disruptive due to its ability to completely block access to important data like documents, photos and financial records. By seizing these irreplaceable files and holding them hostage, ransomware can cause serious downtime and revenue loss for businesses. Individuals can lose access to their personal records, photos and files, sometimes with no way to restore them if backups are also encrypted.
Most common file-encrypting ransomware
Some of the most widespread and damaging examples of file-encrypting ransomware include:
CryptoLocker
One of the earliest ransomware viruses, active from 2013-2014. Spread via infected email attachments and compromised sites. Encrypted files with RSA-2048 and demanded payments of $300-$600 in Bitcoin.
CTB-Locker
Prolific ransomware variant circulated via spam emails and exploit kits from 2014-2015. Encrypted files with AES-256 and RSA-2048 algorithms. Demanded ransoms of 1-4 Bitcoins.
Locky
Massive global ransomware threat first seen in 2016. Spread through phishing spam emails containing malicious Office document macros. Encrypted a wide range of file types and demanded Bitcoin payment.
Cerber
Active since 2016, Cerber is sold as a ransomware-as-a-service on the dark web. Infected PCs via exploited websites and spam emails. Demanded ransom payments in Bitcoin of $500-$1,000.
WannaCry
Notorious 2017 epidemic infecting over 200,000 computers across 150 countries. Exploited Windows SMB vulnerability to spread. Encrypted files with AES and RSA encryption. Demanded $300 in Bitcoin.
How file-encrypting malware works
File-encrypting ransomware uses robust encryption algorithms to lock access to files on infected devices. The encryption schemes used make it mathematically unfeasible to decrypt the files without the attacker-held key. Here are some details on how typical file-encrypting ransomware infections unfold:
Infiltration
Ransomware sneaks onto a computer through social engineering like phishing emails, compromised ads or infected sites that exploit security holes. Often the user is tricked into loading the payload themselves by opening an attachment or link.
File search
After infiltration, the ransomware searches connected drives and networks for files to encrypt. Targeted files often include:
- Documents
- Photos
- Videos
- Databases
- Backups
- Source code
Encryption process
The ransomware encrypts located files using algorithms like AES, RSA and others. Hybrid encryption combines symmetric and asymmetric schemes for speed and security.
Encryption keys
The symmetric encryption keys used to lock files are secured with a public-private asymmetric key pair. The private key is retained by the ransomware operators to decrypt files.
Ransom demands
With files encrypted, ransomware displays payment demands and decryption instructions. Demands range from $200 to $50,000 or more in cryptocurrencies like Bitcoin.
Top targets for ransomware
Any computer or network can fall prey to file-encrypting ransomware, however attacks tend to target:
Businesses
Businesses often have sensitive data and downtime is extremely costly. High-value targets include:
- Healthcare organizations
- Law firms
- Financial services
- Educational institutions
Government agencies
Attacks on government systems can disrupt public services and access sensitive records. Recent examples include:
- Atlanta city government
- Baltimore city services
- The Colorado Department of Transportation
Individuals
Home users have valuable personal data. Lack of backups and security expertise make them vulnerable.
Most damaging ransomware strains
Some ransomware outbreaks cause enormous financial damage and disruption. The most destructive incidents include:
WannaCry – 2017
The WannaCry worm infected over 200,000 computers across 150 countries, locking healthcare, government and business systems. Financial costs reached into the billions.
NotPetya – 2017
Petya ransomware masked as ransomware but was designed for destruction. Caused over $10 billion in damages to major corporations.
Ryuk – 2018
Targeted ransomware crippled newspaper printing operations in 2018. Extracted over $150 million in Bitcoin from high-value enterprises.
Sodinokibi – 2019
Prolific RaaS ransomware extracted over $123 million in ransoms from MSPs, corporations, municipalities and utilities.
Recent ransomware trends
The ransomware landscape is always evolving. Some current trends shaping modern campaigns:
Ransomware-as-a-Service
RaaS lowers the barrier to entry by selling DIY ransomware kits on dark web marketplaces. Affiliates carry out attacks and split ransoms with developers.
Double extortion
In addition to encrypting files, attackers exfiltrate data and threaten to publish sensitive documents if the ransom goes unpaid.
Supply chain attacks
Injecting malware into apps and software tools used by service providers to spread ransomware downstream to customers.
Cloud services
Backups in cloud storage are now targeted for encryption by ransomware gangs to prevent recovery.
How to prevent ransomware
The most effective ransomware prevention strategy involves layered security defenses and backups. Key precautions include:
Email security
Detect and filter out phishing emails and spam, the primary ransomware delivery method. Use email authentication protocols like SPF, DKIM and DMARC.
Strong passwords
Use strong, unique passwords for all admin accounts and Wi-Fi networks. Enable multi-factor authentication wherever possible.
Patch management
Apply software, operating system and security tool updates promptly to eliminate vulnerabilities.
Security training
Educate staff on ransomware delivery tactics like phishing to reduce the risk of infection.
Backups
Maintain current backups offline and disconnected to retain access to data if encrypted.
Endpoint security
Install antivirus software across all endpoints. Use layered defenses like firewalls, antimalware and behavior monitoring.
Access controls
Only enable admin access to resources when needed. Disable RDP if unused or require VPN with MFA.
Activity monitoring
Monitor systems for signs of compromise like suspicious registry edits, network traffic and file encryption.
What to do if infected with ransomware
If you are hit with file-encrypting ransomware, stay calm but act quickly. Follow these steps:
1. Disconnect infected devices
Isolate and power down affected devices to prevent further encryption or damage.
2. Check what strains hit you
Identify known strains using ransom note characteristics, file extensions and decryptors.
3. Assess the damage
Catalog files encrypted. Scan backups and cloud storage. Determine if any sensitive data was compromised.
4. Consider paying the ransom
Weigh the risks and costs of payment versus data loss. Negotiate the ransom if possible.
5. Wipe systems and restore data
Wipe and reinstall operating systems from a clean backup before restoring data. Change all passwords after recovery.
6. Review security controls
Analyze how the infection occurred and update defenses to prevent a repeat occurrence.
Should you pay the ransom?
Paying the ransom is controversial. Potential benefits and risks include:
Potential benefits
- Decryption key release to restore files
- Avoid downtime and business disruption
- Prevent data leakage if stolen
Potential risks
- No guarantee files will be recovered
- Data may still be compromised by malware
- Paying encourages more attacks
- Fines for paying ransoms per OFAC
Victims should carefully weigh these factors against the unique costs of permanent data loss for their situation. There are no easy answers.
Can you decrypt files without paying?
There are a few options to potentially restore files without paying the ransom:
Decryption tools
For some ransomware families like GandCrab, decryption tools are available that may recover files. But most strains have no decryption tools.
Undelete files
If files are simply deleted rather than encrypted, recovery software can help salvage data.
Cloud backups
Backups in cloud storage not infected by ransomware may provide file recovery – if available.
Shadow volume copies
Some Windows systems have point-in-time recovery snapshots to roll back to before an infection.
Forensic analysis
In rare cases, forensic experts may reverse-engineer ransomware and recover keys.
Should ransomware payments be illegal?
There is ongoing debate over whether ransom payments should be illegal. Arguments on both sides include:
Arguments for illegality:
- Paying ransoms bankrolls criminal groups
- Encourages further cybercrime
- Violates legal sanctions in some cases
- Promotes cyber insurance over security
Arguments against illegality:
- Prevents victims from making own choices
- Forces even greater damage onto victims
- Difficult to enforce bans on payments
- Causes reporting challenges and risks
The debate involves weighting ethical and practical concerns. A blanket ban could harm victims, but unrestrained payments also carry risks. Nuanced policy is required.
Ransomware trends and predictions
Experts forecast ransomware evolving in the following ways in coming years:
- More Ransomware-as-a-Service empowering mass attacks
- Deepfakes used to apply social pressure for payment
- Increasingly automated attacks needing less human involvement
- Shifting targets from data encryption to operational disruption
- Expanding ransomware targets to cloud services, mobile and IoT devices
Defenders will need to match ransomware innovation with better security hygiene, layered defenses and diplomacy tactics to discourage attacks.
Key takeaways on ransomware
In summary, these are the crucial facts to understand about file-encrypting ransomware:
- Encryption schemes like AES and RSA are virtually unbreakable
- Phishing, exploits and RaaS make attacks scalable
- Every business sector is a potential target
- Paying the ransom is risky but data loss can be worse
- The highest leverage defense is resilient backups
By tailoring defenses to these realities, organizations and users can build resilience against even sophisticated ransomware attacks.
Conclusion
File-encrypting ransomware remains a severe cyber threat, with professional criminal groups continuously innovating new techniques. Paired with the growth of Ransomware-as-a-Service empowering mass attacks, ransomware campaigns will only grow more sophisticated and disruptive. Users can stay resilient by focusing on security best practices – phishing prevention, patching, access controls and air-gapped backups. But ultimately defeating ransomware will take global cooperation between policymakers, law enforcement, and public and private sector defenders to disrupt underground ransomware markets and infrastructure.
