Ransomware is a particularly nasty form of malware that takes over your computer and threatens you with harm by denying you access to all your files. The attacker demands a ransom from the victim in return for restoring access once the payment is made. However, occasionally the cyber criminals take the money and don't keep their promise.
To restore access, victims are shown instructions on how to pay a fee in return for the decryption key. The ransom can range from a few hundred pounds sterling to thousands, usually payable in Bitcoin.
How does ransomware work?
The most common delivery method is phishing spam: email attachments that masquerade as a file the recipient is likely to trust. If the file is opened, the ransomware infects the computer.
Other types of ransomware exploit security holes to infect computers without needing to trick users; WannaCry and NotPetya, both of which went global quickly, used this method.
- Once ransomware infects a computer, it encrypts some or all of the user's files.
- The files cannot be decrypted without a mathematical key known only to the attacker.
- The user is presented with a message explaining that their files are now inaccessible and will only be decrypted if the victim sends an untraceable Bitcoin payment to the attacker.
There are variations on this approach in which the attacker threatens to publicise sensitive data from the victim's hard drive unless a ransom is paid.
But because finding and extracting such information is difficult, encryption ransomware is by far the most common type.
Attackers target organisations and home users based on the perceived ‘success’ rates:
- Some organisations are tempting targets because they are more likely to pay a ransom quickly. For instance, hospitals often need immediate access to their files.
- Law firms and other organisations with sensitive data may be willing to pay to keep news of a compromise quiet, so as not to damage their reputation commercially.
- Home users are regularly targeted through phishing campaigns because attackers know that people don't want to lose access to all their personal data.
- Some ransomware spreads quickly, automatically and indiscriminately across the internet, exploiting vulnerabilities in unprotected systems.
How to protect against ransomware
- Install good antivirus software like BullGuard Internet Security. Its award-winning triple layer defences detect malicious programs like ransomware as they arrive and also prevent unauthorised applications from executing in the first place.
- Keep your operating system patched and up to date, so that attackers have fewer vulnerabilities to exploit.
- Don't install software or give it administrative privileges unless you know exactly what it is and what it does.
- Back up your files, frequently and automatically. If you are infected with ransomware, you can reduce the damage and avoid paying the ransom because you have copies of all your files.
Should you pay the ransom?
This is the big question. Many victims do pay the ransom because they figure it costs less to get their data back than to clean up their systems. However, large organisations tend not to publicise this.
- Ransomware attackers keep prices relatively low, typically between £500 and £1,000, so the cost is not prohibitive for victims.
- Some sophisticated ransomware detects the country where the infected computer is running and adjusts the ransom to match that nation's economy.
- Discounts are often offered for acting fast, to encourage victims to pay quickly.
- Ransomware has become so prolific that some UK companies are holding Bitcoin in reserve specifically for ransom payments.
- If you are infected, make sure you aren't dealing with so-called 'scareware', which is designed to simulate ransomware but doesn't actually encrypt files.
- Paying the attackers doesn't guarantee that you'll get your files back. That said, industry analysts estimate that the cyber crooks deliver encryption keys in 70 percent of cases.
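As an added illustration of the scareware point above (this is example code, not BullGuard's), a small Python triage check that tells whether files have actually been encrypted before anyone decides to restore from backup or pay: encrypted output looks like random bytes and has lost its normal file header, whereas scareware leaves files intact. The entropy threshold, the list of file signatures and the sample files are assumptions constructed for the example.

```python
# Added example (not BullGuard's code): distinguish real file-encrypting
# ransomware from "scareware" that only shows a ransom note. Ciphertext has
# Shannon entropy near 8 bits/byte and no recognisable header.
import hashlib
import math
from collections import Counter

# Constructed shortlist of file signatures (magic bytes); not exhaustive.
MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff")
ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off, tune for your data
MIN_SAMPLE = 256         # entropy of tiny inputs is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Return 'intact', 'likely_encrypted' or 'unknown' for a file's bytes.
    The header check runs first: compressed formats (zip, jpeg, png) also
    have high entropy but keep their signature when untouched."""
    if data.startswith(MAGIC):
        return "intact"
    if len(data) >= MIN_SAMPLE and shannon_entropy(data[:65536]) > ENTROPY_THRESHOLD:
        return "likely_encrypted"
    return "unknown"


def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample data)."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples: an untouched PDF and a "ciphertext" blob.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n" + b"Quarterly figures, plain text.\n" * 20,
    "report.pdf.locked": pseudo_random(4096),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(data))
```

A directory where most documents still classify as intact points to scareware; a directory of likely_encrypted files with renamed extensions is the real thing, and the backups from the list above are what get you out of it.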
Ransomware is growing
In the past five years or so ransomware has become increasingly common thanks largely to the availability of untraceable payment methods like Bitcoin and the relative ease with which criminals can steal money while remaining undetected. Some of the most notable ransomware attacks are:
- CryptoLocker, which infected up to 500,000 machines at its height.
- SimpleLocker, the first widespread ransomware attack that focused on mobile devices.
- WannaCry, which spread autonomously from computer to computer and raced around the world in hours.
- NotPetya, which was part of a Russian-directed cyberattack against Ukraine.
- Locky, which started spreading in 2016 and was similar to the Dridex banking malware.