Ransomware has featured prominently in the news over the last few years. Hospitals, municipalities, businesses, law enforcement agencies, individuals and even entire regions of the world have been affected by it. Some have paid the ransom and recovered their computer data; others have lost their data forever.
Ransomware is malicious software that infects a computer similar to a computer virus. A virus may simply destroy all of the data on the computer or use the computer to send unsolicited email. Ransomware takes the attack further by making the data inaccessible by the owner, then demanding payment before returning the data.
Ransomware has a long history, dating back to 198910. Ransomware has varied in the particular method used to prevent access to files from hiding them, replacing them or encrypting them, to simply lying about the files being unavailable. In early versions of ransomware, flaws in the malicious software sometimes allowed the victim to recover their files without paying the ransom. There are two types of modern ransomware – Crypto and Locker:
Ransomware initially started gaining popularity among criminals in Russia. Once it was found to have a lucrative business model, it quickly spread worldwide. Today there are even readymade low-cost ransomware systems that can be purchased for $3912. A would-be cyber-criminal doesn’t need experience or a large investment to begin infecting computers.
Ransomware is now available as a service (RaaS) to allow criminals with little technical knowledge to attack with ease. These services are available in marketplaces on the dark web and some even include online technical support. A firm called RainMakers Lab has two RaaS products called Philadelphia ($389) and Stampado ($39). Other vendor products include RaasBerry which is a subscription model, and Satan which is a free, commission-based product where the owners take a 30% cut of any ransom the criminal user generates13.
So far in 2018, Ransomware threats were found in 39% of malware-related data breaches – double the level as compared to 201714. Ransomware can arrive via several mechanisms. It can be in a malicious email attachment, attached to a phishing email, embedded in a malicious website download or even a web link that can automatically download the ransomware when it is clicked.
Currently, email remains the primary distribution channel for ransomware malware.
Ransomware infections have even been linked to legitimate website advertisements that were poisoned in what is known as a “drive-by” infection15. Some drive-bys require the user to click on something. However if the computer is missing security patches, simply loading an infected advertisement on a web page can start the infection.
In some cases, attackers will rely on vulnerabilities in the user’s system to attack and upload the ransomware malware – for example WannaCry exploiting Windows’ SMB while SamSam exploiting a remote desk top vulnerability.
Once the file-encrypting ransomware is active on a computer, it begins the process of rendering data inaccessible. Unknown to the user, the ransomware encrypts their files. If the user tries to open an encrypted file, the computer will indicate that the file is damaged. Once all of the user’s files are encrypted, the ransomware typically displays a ransom message prominently.
At this point the user is typically given instructions on how to pay the ransom. If the ransom is paid in a timely manner, the criminals say they will provide the user the decryption key necessary to recover their files. The payment is usually some method that is fairly convenient, yet difficult to trace back to the criminals such as wire transfers, pre-paid payment cards, premium cost SMS services or a digital currency such as Bitcoin.
According to Norton Cybersecurity, globally 34% and in the U.S. 64% of victims pay the ransom17. It is important to understand that even if the ransom is paid in the timeframe required, there is no guarantee that the data will be recovered. Some versions of ransomware have flaws that make it impossible to decrypt the data. Others are simply scams where the data is encrypted and the criminals take the money but don’t deliver the decryption key. Yet other versions have “customer service” to provide additional means to recover the data. Criminals know if victims don’t believe they will recover their data, they will stop paying the ransom.
Paying the ransom to recover files does not prevent reinfection with the same or different ransomware and the cycle repeating. In the end, the transaction is with a criminal and the outcome is unpredictable.
To learn more about how OneBeacon Technology Insurance can help you manage online and other technology risks, please contact Dan Bauman, VP of Risk Control for OneBeacon Technology Insurance at email@example.com or 262.623.6558.
1Crowe, Jonathan. (March 2018). “City of Atlanta hit with SamSam ransomware: 5 key things to know.” Barkly. Accessed June 2018. https://blog.barkly.com/atlanta-ransomware-attack-2018-samsam
2Staff Writer. (September 25, 2017). “Total WannaCry losses pegged at $4 billion.” Accessed June 2018. https://www.reinsurancene.ws/total-wannacry-losses-pegged-4-billion/
3Bing, Chris. (June 28, 2017). “Global ransomware attack was meant to be destructive, not collect money.” Cyberscoop. Accessed June 2018. https://www.cyberscoop.com/petya-ransomware-destructive-microsoft-windows-master-boot-record/
4Shoorbee, Zaid. (September 20, 2017). “FedEx attributes $300 million loss to NotPetya ransomware attack.” Cyberscoop. Accessed June 2018. https://www.cyberscoop.com/fedex-attributes-300-million-loss-notpetya-attack/
5O’Brien, Dick. (July 2017). “Internet Security Threat Report Ransomware 2017.” Symantec. Accessed June 2018. https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-ransomware-2017-en.pdf, page 18
6Morgan, Steve. (May 23, 2017). “Ransomware damages rise 15x in 2 years to hit $5 billion in 2017.” Accessed June 2018. https://www.csoonline.com/article/3197582/leadership-management/ransomware-damages-rise-15x-in-2-years-to-hit-5-billion-in-2017.html
7Morgan, Steve. (January 23, 2018). “Top 5 cybersecurity facts, figures and statistics for 2018). Accessed June 2018. https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics.html
8Ibid 7. Accessed June 2018
9Ibid 5. page 17. Accessed June 2018
10Wikipedia “Ransomware” Accessed September 2016 https://en.wikipedia.org/wiki/Ransomware
11Ibid 10. Accessed September 2016
12Brenner, Bill. (December 13, 2017). “5 ransomware as a service (RaaS) kits – Sophos Labs investigates. “ Naked Security by Sophos. Accessed June 2018. https://nakedsecurity.sophos.com/2017/12/13/5-ransomware-as-a-service-raas-kits-sophoslabs-investigates/
13Ibid 14. Accessed June 2018
14Nisco, Aliso De. (April 9, 2018). “Ransomware reigns supreme in 2018, as phishing attacks continue to trick employees.” Tech Republic. Accessed June 2018. https://www.techrepublic.com/article/ransomware-reigns-supreme-in-2018-as-phishing-attacks-continue-to-trick-employees/
15Goodin, Dan. (March 15, 2016). “Big-name sites hit by rash of ads spreading crypto ransomware.” ArsTechnica. Accessed June 2018. http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/
16Ransomware – Definition – Trend Micro USA. Accessed June 2018. http://www.trendmicro.com/vinfo/us/security/definition/ransomware#The_Evolution_to_CryptoLocker_and_Crypto-ransomware
17Ibid 5. page 18. Accessed June 2018