Ransomware – when files are held hostage
Ransomware is malware that blocks access to networks, computers or computer files, either by locking the screen or by encrypting the files. Victims of the offence can – at least in theory – regain access by paying a ransom. In simple terms, ransomware kidnaps computers or computer files and demands a ransom for their release, i.e. for the ability to use the data again.
Ransomware is a portmanteau of ransom and software. In contrast to “conventional” malware, which tries to harm a computer, a user or a network of computers and their users, the intention of ransomware is to extort ransom money.
Alternative terms for ransomware are blackmail software, data hijackers, encryption trojans or cryptotrojans.
What types of ransomware exist?
Ransomware can be categorised into two types:
1. Screenlocker or locker ransomware
This type of ransomware locks users out of their systems. As a rule, users only see a lock screen or a screen with a ransom demand. The mouse and keyboard are partially enabled to allow payment to the attacker. Lockers do not normally destroy data, but merely prevent users from accessing it. A timer with a deadline is often displayed to urge the victim to pay.
2. File encryptor or crypto-ransomware
This is the most common type of ransomware. It encrypts the data, information or files on the victim’s device. The victim can usually see the data and even use the system, but cannot access the data due to the encryption. The crypto-ransomware also asks the victim to pay. If the user misses the deadline, all encrypted data is permanently deleted.
Further (sub)variants can be found in the literature:
Leakware attacks – also known as doxware or doxing – threaten companies, public authorities and even private individuals with the publication of confidential data.
RaaS, short for “ransomware as a service”, is a business model in which cybercriminals sell or rent ransomware to other potential attackers. As with other Software-as-a-Service (SaaS) models, customers pay to gain access to ransomware without needing extensive technical knowledge.
RaaS providers often supply a user-friendly interface or dashboard that lets customers customise the ransomware. For example, they can specify which file types should be encrypted, set the ransom amount and even receive support. Some RaaS offerings also include affiliate programmes in which customers receive a share of the ransoms that their use of the ransomware generates.
RaaS has greatly facilitated the spread of ransomware in recent years, as it allows potential attackers to carry out ransomware attacks with little effort. It has also widened the range of actors involved in such attacks, because less technically skilled individuals or groups can easily obtain ransomware.
Tips and precautions against ransomware
There are a number of tips and precautionary measures to protect yourself as an organisation or user against the threat of ransomware. On the one hand, it is important to minimise the attack surface and, on the other, to improve how people behave.
- Train employees and make them aware of the dangers. Cybercriminals use psychological pressure to make people act: an employee quickly clicks on the link in an email from the boss without first taking a close look at the sender information, for example. If the email only appears to come from the boss, every click on a link in it can have far-reaching consequences. Of course, employees should never click on links or attachments in emails from unknown senders.
- Update operating systems and software with the latest patches, but only from sources you know and trust. Outdated applications and operating systems are the target of most attacks.
- 123456 is many things, but it is not a secure password. Use secure passwords and multi-factor authentication.
- Back up your data regularly. Some sources recommend the 3-2-1 rule: create 3 copies, keep them on 2 different types of storage and store 1 copy offline. Ideally, you should also back up system images, application software and configurations. It also makes sense to use immutable backups that can no longer be manipulated or deleted. And test the recovery process in terms of speed, completeness and cost.
- Restrict the authorisations for installing and running software applications on your computer.
- Set up non-privileged accounts for administrators for everyday purposes, which allow them to read emails, surf the Internet, etc., but limit the damage if they click on a phishing email.
- Use whitelists (allowlists) of the applications that may be run on the network.
- Use spam filters to ideally prevent phishing emails from reaching end users. Authenticate incoming emails to prevent email spoofing.
- Configure firewalls to block access to known malicious IP addresses. And segment your network so that, in the worst case, malware can only spread within one segment.
- Monitor your systems and their logs, and make sure you are alerted when a new administrator account is created.
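The last tip, being alerted when a new administrator account appears, is what a simple log-correlation rule does. The following is an added example, not code from the original article: it reads constructed Windows Security log records in JSON-lines form (the format and the sample content are assumptions for the demo) and correlates Event ID 4720 (a user account was created) with Event ID 4732 (a member was added to a security-enabled local group) for the built-in Administrators group, whose well-known SID is S-1-5-32-544. The event IDs and SIDs are the real Windows values; the account names are made up.

```python
"""Alert on accounts that are created and shortly afterwards made local administrators.

Added example, not from the original article. Correlates Windows Security events
4720 (user account created) and 4732 (member added to a security-enabled local
group), restricted to the built-in Administrators group (SID S-1-5-32-544).
"""
import json
from datetime import datetime, timedelta

EVENT_USER_CREATED = 4720
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample log (JSON lines); a real pipeline would receive events from a SIEM.
# S-1-5-32-545 is the local Users group, RID 500 is the built-in Administrator account.
SAMPLE_LOG = r"""
{"time": "2024-05-02T09:14:03", "event_id": 4720, "subject": "CORP\\helpdesk01", "target": "CORP\\svc-backup", "target_sid": "S-1-5-21-1-2-3-1105"}
{"time": "2024-05-02T09:14:05", "event_id": 4732, "subject": "CORP\\helpdesk01", "member_sid": "S-1-5-21-1-2-3-1105", "group_sid": "S-1-5-32-544"}
{"time": "2024-05-02T10:02:41", "event_id": 4720, "subject": "CORP\\hr-admin", "target": "CORP\\j.doe", "target_sid": "S-1-5-21-1-2-3-1106"}
{"time": "2024-05-02T10:02:44", "event_id": 4732, "subject": "CORP\\hr-admin", "member_sid": "S-1-5-21-1-2-3-1106", "group_sid": "S-1-5-32-545"}
{"time": "2024-05-03T01:37:12", "event_id": 4732, "subject": "CORP\\fileserver$", "member_sid": "S-1-5-21-1-2-3-500", "group_sid": "S-1-5-32-544"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines records and turn the ISO timestamp into a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def find_admin_additions(events: list[dict], window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Return one alert per addition to the Administrators group.

    Severity is "high" when the new member was created (4720) within `window`
    before the addition, the pattern left by staging a backdoor account; any
    other addition to Administrators is reported as "medium" for review.
    """
    created_by_sid = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == EVENT_USER_CREATED:
            created_by_sid[ev["target_sid"]] = ev
            continue
        if ev["event_id"] != EVENT_LOCAL_GROUP_MEMBER_ADDED or ev["group_sid"] != ADMINISTRATORS_SID:
            continue
        origin = created_by_sid.get(ev["member_sid"])
        if origin is not None and ev["time"] - origin["time"] <= window:
            alerts.append({
                "severity": "high",
                "member_sid": ev["member_sid"],
                "account": origin["target"],
                "created_by": origin["subject"],
                "added_by": ev["subject"],
                "seconds_after_creation": (ev["time"] - origin["time"]).total_seconds(),
            })
        else:
            alerts.append({
                "severity": "medium",
                "member_sid": ev["member_sid"],
                "account": None,
                "created_by": None,
                "added_by": ev["subject"],
                "seconds_after_creation": None,
            })
    return alerts


def alerts_for_log(text: str) -> list[dict]:
    """Convenience wrapper: parse a JSON-lines log and evaluate the rule."""
    return find_admin_additions(parse_events(text))


if __name__ == "__main__":
    for alert in alerts_for_log(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the rule raises a high-severity alert for the account that is created and added to Administrators two seconds later, ignores the addition to the Users group, and reports the night-time addition of the built-in Administrator account at medium severity. In production the same logic would sit in a SIEM rule fed by forwarded security logs, with the correlation window tuned to the organisation's provisioning practice.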
It is generally assumed that around 75% of all malware attacks are carried out via phishing. It is therefore particularly important to make employees aware of the dangers and train them in the correct procedures.
Pros & cons: paying a ransom
And what should you do if you have fallen victim to ransomware? Paying a ransom for ransomware is often the subject of controversy. Some advocates argue that paying a ransom is the quickest and easiest way to restore access to encrypted data and resume business operations as quickly as possible. However, there are also numerous risks and ethical concerns associated with this practice.
Here are some arguments in favour of paying a ransom:
- One of the main arguments in favour of paying a ransom is to be able to use the locked files again. Especially if the data and files have a high value for business operations, there is practically no alternative to paying.
- One argument in favour of paying a ransom is that it enables companies to resume operations quickly without having to go without access to the data for long periods of time. Especially for companies whose business activities are heavily dependent on the availability of their data, paying a ransom can be the quickest solution to avoid business interruption.
- Publicly publicised attacks can shake the confidence of customers and investors in a company. By paying the ransom and restoring operations, companies can limit the damage to their image and regain the trust of their stakeholders.
- In some cases, the financial damage of an attack can be limited by paying the ransom. The cost of restoring data and systems and the potential loss of revenue due to business interruption could be higher than the ransom demanded.
And here are some arguments against paying a ransom:
- There is no guarantee that the attacker will actually release the data after the ransom is paid. Even if the ransom is paid, the encrypted data may remain corrupted or unreadable.
- There is no mechanism to prevent the attacker from repeating the ransom demand. One-off payments could make organisations a repeat target for attacks, as the attackers could see that the victim is willing to pay. Perpetrators do not have to abide by any code of honour or fear unkind judgement from victims.
- The payment of ransom funds criminal activity and helps to ensure that ransomware remains a lucrative source of income for cybercriminals. This can encourage other potential attackers to carry out similar attacks.
It is not easy to make a decision and affected companies or individuals will not find any definitive guidance here. How high is the ransom demand? Is it even legally permissible to pay a ransom? Is there a threat of fines? Situations are often individual, so they also require individual decisions. Contacts such as the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI), the Federal Criminal Police Office (Bundeskriminalamt – BKA) or the US Cybersecurity and Infrastructure Security Agency (CISA) recommend on their websites not to comply with ransom demands, but in case of doubt, those affected should seek professional expertise in order to make an individually informed decision.
Questions from the field
Here you will find some questions and answers from the field:
How long has ransomware been around?
The AIDS Trojan disc is considered to be the first ransomware. In 1989, the evolutionary biologist and Harvard graduate Joseph L. Popp sent out 20,000 infected discs with the inscription “AIDS Information Introductory Diskette”. In this way, the ransomware even reached the computers of participants at the World AIDS Conference of the World Health Organisation.
The AIDS Trojan disc replaced a system configuration file and began to encrypt the hard drive after ninety reboots. In order to regain access to their data, the victims were asked to send 189 US dollars by post to the company PC Cyborg in Panama. For this reason, the first ransomware was also known as the PC Cyborg Trojan.
In 2005, the first encryption Trojan TROJ_PGPCODER.A was distributed via the Internet. At the time, the blackmailers demanded several hundred dollars for decryption.
What is the difference between ransomware and malware?
Malware aims to penetrate computer systems and cause damage. Ransomware is a special form of malware that aims to encrypt files on an infected system and then extort a ransom to release the files again.
In addition to ransomware, there are also other types of malware such as spyware, adware, Trojans or viruses. These have different goals and effects, such as collecting personal data and information, stealing personal files, displaying unwanted adverts or damaging files or systems.
In short: ransomware is a type of malware; malware is not always ransomware.
What does software against ransomware do?
Software can help against ransomware in various ways:
To recognise already known ransomware families, there is a simple method: the use of signatures. These signatures identify specific command sequences in the code of a file that are characteristic of a certain group of malware programmes. They can also recognise generic code sequences that indicate typical malicious actions such as compression, encryption and backdoor activity.
Another strategy is to monitor network traffic in order to prevent the ransomware from activating, by blocking access to its command-and-control servers. Behaviour-based detection monitors running applications for suspicious activity and aims to recognise the first actions of malware. This also includes the exploitation of security vulnerabilities via manipulated websites.
Characteristic processes can be recognised during the installation of ransomware, such as the creation of configuration files and registry entries. To combat the persistence of ransomware after a system restart, typical autostart mechanisms are recognised and interrupted.
The spread of ransomware via websites is combated by collecting and blocking malicious URLs. The malicious code in the browser data is also checked. In addition, virus scanners check email content at an early stage to prevent malicious emails from being delivered in the first place.
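Two of the strategies described above, signature matching and behaviour-based recognition of encryption, can be shown in miniature. The following is an added example, not code from the article or from any product it mentions: a scanner that matches byte signatures (the two signatures are constructed placeholders, not patterns of any real family) and flags files whose content has near-random entropy, as freshly encrypted files do. Known compressed formats are exempted by their magic bytes, because archives and images are legitimately high-entropy and would otherwise produce false positives. The directory layout and file contents in `demo()` are constructed for the example.

```python
"""Signature and entropy heuristics for spotting ransomware-encrypted files.

Added example, not from the original article. SIGNATURES holds constructed
placeholders, not real detection patterns; real engines ship curated databases.
"""
import gzip
import math
import os
import random
import tempfile
from collections import Counter

SIGNATURES = {
    "demo-ransom-note": b"YOUR FILES HAVE BEEN ENCRYPTED",
    "demo-code-stub": b"\x55\x8b\xec\x83\xec\x40\x60",  # hypothetical byte pattern
}
HIGH_ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data approaches 8.0
COMPRESSED_MAGIC = (b"\x1f\x8b", b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG")  # gzip, zip, jpeg, png
BURST_THRESHOLD = 3            # encrypted-looking files in one scan before we call it a burst


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> tuple[str, float, list[str]]:
    """Return (verdict, entropy, matched_signatures) for one file's content."""
    matched = [name for name, pattern in SIGNATURES.items() if pattern in data]
    entropy = shannon_entropy(data)
    if matched:
        verdict = "signature"
    elif data.startswith(COMPRESSED_MAGIC):
        verdict = "compressed"       # high entropy is expected here, not suspicious
    elif entropy >= HIGH_ENTROPY_THRESHOLD:
        verdict = "high-entropy"     # looks like ciphertext without a known container
    else:
        verdict = "clean"
    return verdict, entropy, matched


def scan_directory(root: str) -> dict:
    """Classify every file under `root` and flag a burst of encrypted-looking files."""
    verdicts = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            with open(os.path.join(dirpath, name), "rb") as fh:
                verdicts[name] = classify(fh.read())[0]
    high = sum(1 for v in verdicts.values() if v == "high-entropy")
    return {"verdicts": verdicts, "burst": high >= BURST_THRESHOLD}


def demo() -> dict:
    """Build a constructed directory and scan it: a text file, a ransom note,
    a gzip archive and three files of random bytes standing in for ciphertext."""
    rng = random.Random(20240502)   # seeded so the demo is reproducible
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"Quarterly report, draft 3. See figures in the appendix.\n" * 50)
        with open(os.path.join(root, "RESTORE_FILES.txt"), "wb") as fh:
            fh.write(b"YOUR FILES HAVE BEEN ENCRYPTED. Contact us for the key.\n")
        with open(os.path.join(root, "archive.gz"), "wb") as fh:
            fh.write(gzip.compress(rng.randbytes(4096)))
        for i in range(3):
            with open(os.path.join(root, f"report{i}.docx"), "wb") as fh:
                fh.write(rng.randbytes(4096))
        return scan_directory(root)


if __name__ == "__main__":
    result = demo()
    for name, verdict in sorted(result["verdicts"].items()):
        print(f"{name:18} {verdict}")
    print("burst of encrypted-looking files:", result["burst"])
```

The demo reports the text file as clean, the note by its signature, the archive as compressed rather than suspicious, and the three random-content files as high-entropy, which together cross the burst threshold. A real behaviour-based product watches writes as they happen and combines this kind of heuristic with the process, registry and autostart indicators mentioned above; an entropy check on its own is only one weak signal.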
Where can you find expert support in the event of a ransomware attack?
There are numerous offers on the internet from companies that offer data recovery, security checks or the provision of protection software. There are two portals, ID Ransomware and No More Ransom, which offer support.
The BSI provides a catalogue of measures for free download (in German).
The CISA offers five different services (up-to-date information, warnings, bulletins, tips and reports).
In Switzerland, the Reporting and Analysis Centre for Information Assurance MELANI offers help. Among other things, MELANI publishes semi-annual reports on the development of ransomware.
The European Cybercrime Centre – EC3 also offers a lot of useful information.
Impulse to discuss:
“Overlooked. Forgotten. Neglected.” – These three human things are exploited by attackers.