All about ransomware attacks
Ransomware has been in the news quite a bit in 2021. You may have heard stories of attacks on large companies, organizations, or government agencies, or perhaps you as an individual have experienced a ransomware attack on your own device. It’s a significant problem and a scary prospect to have all of your files and data held hostage until you pay up. If you want to know more about this threat, read on to learn about ransomware’s different forms, how you get it, where it comes from, who it targets, and ultimately, what you can do to protect against it.
What is ransomware? Ransomware definition
Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. While some people might think "a virus locked my computer," ransomware would typically be classified as a different form of malware than a virus. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card, and attackers target individuals, businesses, and organizations of all kinds. Some ransomware authors sell the service to other cybercriminals, which is known as Ransomware-as-a-Service or RaaS.
How exactly does a threat actor carry out a ransomware attack? First, they must gain access to a device or network. Having access enables them to utilize the malware needed to encrypt, or lock up, your device and data. There are several different ways that ransomware can infect your computer
How do I get ransomware?
To gain access, some threat actors use spam, where they send an email with a malicious attachment to as many people as possible, seeing who opens the attachment and "takes the bait," so to speak. Malicious spam, or malspam, is unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents. It might also contain links to malicious websites.
Another popular infection method is malvertising. Malvertising, or malicious advertising, is the use of online advertising to distribute malware with little to no user interaction required. While browsing the web, even legitimate sites, users can be directed to criminal servers without ever clicking on an ad. These servers catalog details about victim computers and their locations, and then select the malware best suited to deliver. Often, that malware is ransomware.
Malvertising often uses an infected iframe, or invisible webpage element, to do its work. The iframe redirects to an exploit landing page, and malicious code attacks the system from the landing page via exploit kit. All this happens without the user’s knowledge, which is why it’s often referred to as a drive-by-download.
A more targeted means to a ransomware attack is through spear phishing. An example of spear phishing would be sending emails to employees of a certain company, claiming that the CEO is asking you to take an important employee survey, or the HR department is requiring you to download and read a new policy. The term "whaling" is used to describe such methods targeted toward high-level decision makers in an organization, such as the CEO or other executives.
Malspam, malvertising, and spear phishing can, and often do, contain elements of social engineering. Threat actors may use social engineering in order to trick people into opening attachments or clicking on links by appearing as legitimate—whether that’s by seeming to be from a trusted institution or a friend. Cybercriminals use social engineering in other types of ransomware attacks, such as posing as the FBI in order to scare users into paying them a sum of money to unlock their files.
Another example of social engineering would be if a threat actor gathers information from your public social media profiles about your interests, places you visit often, your job, etc., and using some of that information to send you a message that looks familiar to you, hoping you'll click before you realize it's not legitimate.
Encrypting files & demanding a ransom
Whichever method the threat actor uses, once they gain access and the ransomware software (typically activated by the victim clicking a link or opening an attachment) encrypts your files or data so you can't access them, you'll then see a message demanding a ransom payment to restore what they took. Often the attacker will demand payment via cryptocurrency.
Types of ransomware
There are three main types of ransomware, ranging in severity from mildly off-putting to Cuban Missile Crisis dangerous. They are as follows:
Scareware, as it turns out, is not that scary. It includes rogue security software and tech support scams. You might receive a pop-up message claiming that malware was discovered and the only way to get rid of it is to pay up. If you do nothing, you’ll likely continue to be bombarded with pop-ups, but your files are essentially safe.
A legitimate cybersecurity software program would not solicit customers in this way. If you don’t already have this company’s software on your computer, then they would not be monitoring you for ransomware infection. If you do have security software, you wouldn’t need to pay to have the infection removed—you’ve already paid for the software to do that very job.
Upgrade to terror alert orange for these guys. When lock-screen ransomware gets on your computer, it means you’re frozen out of your PC entirely. Upon starting up your computer, a full-size window will appear, often accompanied by an official-looking FBI or US Department of Justice seal saying illegal activity has been detected on your computer and you must pay a fine. However, the FBI would not freeze you out of your computer or demand payment for illegal activity. If they suspected you of piracy, child pornography, or other cybercrimes, they would go through the appropriate legal channels.
This is the truly nasty stuff. These are the guys who snatch up your files and encrypt them, demanding payment in order to decrypt and redeliver. The reason why this type of ransomware is so dangerous is because once cybercriminals get ahold of your files, no security software or system restore can return them to you. Unless you pay the ransom—for the most part, they’re gone. And even if you do pay up, there’s no guarantee the cybercriminals will give you those files back.
Not ones to be left out of the ransomware game, Mac malware authors dropped the first ransomware for Mac OSes in 2016. Called KeRanger, the ransomware infected an app called Transmission that, when launched, copied malicious files that remained running quietly in the background for three days until they detonated and encrypted files. Thankfully, Apple’s built-in anti-malware program XProtect released an update soon after the ransomware was discovered that would block it from infecting user systems. Nevertheless, Mac ransomware is no longer theoretical.
Following KeRanger were Findzip and MacRansom, both discovered in 2017. More recently in 2020, there was what looked like ransomware (ThiefQuest, aka EvilQuest), but it turned out it was actually what is called a "wiper." It pretended to be ransomware as a cover for the fact that it was exfiltrating all your data, and although it encrypted files, it never had a way for users to decrypt them or contact the gang about payments.
It wasn’t until the height of the infamous CryptoLocker and other similar families in 2014 that ransomware was seen on a large scale on mobile devices. Mobile ransomware typically displays a message that the device has been locked due to some type of illegal activity. The message states that the phone will be unlocked after a fee is paid. Mobile ransomware is often delivered via malicious apps, and requires that you boot the phone up in safe mode and delete the infected app in order to retrieve access to your mobile device.
Who do ransomware authors target?
When ransomware was introduced (and then re-introduced), its initial victims were individual systems (aka regular people). However, cybercriminals began to realize its full potential when they rolled out ransomware to businesses. Ransomware was so successful against businesses, halting productivity and resulting in lost data and revenue, that its authors turned most of their attacks toward them. By the end of 2016, 12.3 percent of global enterprise detections were ransomware, while only 1.8 percent of consumer detections were ransomware worldwide. And by 2017, 35 percent of small and medium-sized businesses had experienced a ransomware attack.
Geographically, ransomware attacks are still focused on western markets, with the UK, US, and Canada ranking as the top three countries targeted, respectively. As with other threat actors, ransomware authors will follow the money, so they look for areas that have both wide PC adoption and relative wealth. As emerging markets in Asia and South America ramp up on economic growth, expect to see an increase in ransomware (and other forms of malware) there as well.
What to do if I'm infected
The number one rule if you find yourself infected with ransomware is to never pay the ransom. (This is now advice endorsed by the FBI.) All that does is encourage cybercriminals to launch additional attacks against either you or someone else. However, you may be able to retrieve some encrypted files by using free decryptors.
To be clear: Not all ransomware families have had decryptors created for them, in many cases because the ransomware is utilizing advanced and sophisticated encryption algorithms. And even if there is a decryptor, it’s not always clear if it’s for right version of the malware. You don’t want to further encrypt your files by using the wrong decryption script. Therefore, you’ll need to pay close attention to the ransom message itself, or perhaps ask the advice of a security/IT specialist before trying anything.
Other ways to deal with a ransomware infection include downloading a security product known for remediation and running a scan to remove the threat. You may not get your files back, but you can rest assured the infection will be cleaned up. For screenlocking ransomware, a full system restore might be in order. If that doesn’t work, you can try running a scan from a bootable CD or USB drive.
If you want to try and thwart an encrypting ransomware infection in action, you’ll need to stay particularly vigilant. If you notice your system slowing down for seemingly no reason, shut it down and disconnect it from the Internet. If, once you boot up again the malware is still active, it will not be able to send or receive instructions from the command and control server. That means without a key or way to extract payment, the malware may stay idle. At that point, download and install a security product and run a full scan.
How do I protect myself from ransomware?
Security experts agree that the best way to protect from ransomware is to prevent it from happening in the first place.
While there are methods to deal with a ransomware infection, they are imperfect solutions at best, and often require much more technical skill than the average computer user. So here’s what we recommend people do in order to avoid fallout from ransomware attacks.
The first step in ransomware prevention is to invest in awesome cybersecurity—a program with real-time protection that’s designed to thwart advanced malware attacks such as ransomware. You should also look out for features that will both shield vulnerable programs from threats (an anti-exploit technology) as well as block ransomware from holding files hostage (an anti-ransomware component). Customers who were using the premium version of Malwarebytes for Windows, for example, were protected from all of the major ransomware attacks of 2017.
Next, as much as it may pain you, you need to create secure backups of your data on a regular basis. Our recommendation is to use cloud storage that includes high-level encryption and multiple-factor authentication. However, you can purchase USBs or an external hard drive where you can save new or updated files—just be sure to physically disconnect the devices from your computer after backing up, otherwise they can become infected with ransomware, too.
Then, be sure your systems and software are updated. The WannaCry ransomware outbreak took advantage of a vulnerability in Microsoft software. While the company had released a patch for the security loophole back in March 2017, many folks didn’t install the update—which left them open to attack. We get that it’s hard to stay on top of an ever-growing list of updates from an ever-growing list of software and applications used in your daily life. That’s why we recommend changing your settings to enable automatic updating.
Finally, stay informed. One of the most common ways that computers are infected with ransomware is through social engineering. Educate yourself (and your employees if you’re a business owner) on how to detect malspam, suspicious websites, and other scams. And above all else, exercise common sense. If it seems suspect, it probably is.
How does ransomware affect my business?
GandCrab, SamSam, WannaCry, NotPetya—they’re all different types of ransomware and they’re hitting businesses hard. In fact, ransomware attacks on businesses went up 88% in the second half of 2018 as cybercriminals pivot away from consumer-focused attacks. Cybercriminals recognize big business translates to big payoffs, targeting hospitals, government agencies, and commercial institutions. All told, the average cost of a data breach, including remediation, penalties, and ransomware payouts, works out to $3.86 million.
The majority of ransomware cases as of late have been identified as GandCrab. First detected in January of 2018, GandCrab has already gone through several versions as the threat authors make their ransomware harder to defend against and strengthen its encryption. It’s been estimated GandCrab has already raked in somewhere around $300 million in paid ransoms, with individual ransoms set from $600 to $700,000.
In another notable attack happening back in March of 2018, the SamSam ransomware crippled the City of Atlanta by knocking out several essential city services—including revenue collection and the police record keeping system. All told, the SamSam attack cost Atlanta $2.6 million to remediate.
Considering the spate of ransomware attacks and the tremendous cost associated with them, now is a good time to get smart about protecting your business from ransomware. We’ve covered the topic in great detail previously but here’s a quick gloss on how to protect your business from malware.
- Backup your data. Assuming you have backups available, remediating a ransomware attack is as simple as wiping and reimaging infected systems. You may want to scan your backups to ensure they haven’t been infected, because some ransomware is designed to look for network shares. Accordingly, you’d do well to store data backups on a secure cloud server with high-level encryption and multiple-factor authentication.
- Patch and update your software. Ransomware often relies on exploit kits to gain illicit access to a system or network (e.g. GandCrab). As long as the software across your network is up-to-date, exploit-based ransomware attacks can’t hurt you. On that note, if your business runs on outdated or obsolete software then you’re at risk for ransomware, because the software makers aren’t putting out security updates anymore. Get rid of abandonware and replace it with software still being supported by the manufacturer.
- Educate your end users on malspam and creating strong passwords. The enterprising cybercriminals behind Emotet are using the former banking Trojan as a delivery vehicle for ransomware. Emotet relies on malspam to infect an end user and get a foothold on your network. Once on your network, Emotet shows worm-like behavior, spreading from system to system using a list of common passwords. By learning how to spot malspam and implementing multi-factor authentication, you’re end users will stay one step ahead of cybercriminals.
- Invest in good cybersecurity technology. Malwarebytes Endpoint Detection and Response, for example, gives you detection, response and remediation capabilities via one convenient agent across your entire network. You can also request a free trial of Malwarebytes anti-ransomware technology to learn more specifically about our ransomware protection technology.
What do you do if you’re already a victim of ransomware? No one wants to deal with ransomware after the fact.
- Check and see if there is a decryptor. In some rare cases you may be able to decrypt your data without paying, but ransomware threats evolve constantly with the aim of making it harder and harder to decrypt your files so don’t get your hopes up.
- Don’t pay the ransom. We’ve long advocated not paying the ransom and the FBI (after some back and forth) agrees. Cybercriminals don’t have scruples and there’s no guarantee you’ll get your files back. Moreover, by paying the ransom you’re showing cybercriminals that ransomware attacks work.
Keep up to date on the latest ransomware news in Malwarebytes Labs.
There have been a number of major ransomware attacks in 2021. Read the latest news on ransomware and ransomware attacks from Malwarebytes Labs:
- Ransomware scammers target artists with fake Krita revenue deals
- 3 security lessons from an MSP that survived the Kaseya VSA attack
- FBI warns of ransomware threat to food and agriculture
- How to stay secure from ransomware attacks this Labor Day weekend
- Analysts “strongly believe” the Russian state colludes with ransomware gangs
- Ransomware turncoat leaks Conti data, lifts the lid on the ransomware business
- BlackMatter, a new ransomware group, claims link to DarkSide, REvil
- CNA legal filings lift the curtain on a Phoenix CryptoLocker ransomware attack
- StopRansomware.gov brings together information on stopping and surviving ransomware attacks
- Ransomware’s Russia problem
- SonicWall warns users of “imminent ransomware campaign”
- UPDATED: Thousands attacked as REvil ransomware hijacks Kaseya VSA
- UPDATED: Threat Spotlight: Sodinokibi/REvil ransomware
- Babuk ransomware builder leaked following muddled “retirement”
- Steamship Authority answers question: Who’s the next ransomware victim?
- JBS says it is recovering quickly from a ransomware attack
- Ransomware disrupts food supply chain, Exchange exploitation suspected
- How ransomware gangs are connected, sharing resources and tactics
- PYSA, the ransomware attacking schools
- Ransomware is targeting vulnerable Microsoft Exchange servers
- REvil ransomware’s calling, and it’s not good news
- Ryuk ransomware develops worm-like capability
Lock and Code is Malwarebytes' cybersecurity podcast. Listen to the latest episodes on ransomware:
History of ransomware attacks
The first ransomware, known as PC Cyborg or AIDS, was created in the late 1980s. PC Cyborg would encrypt all files in the C: directory after 90 reboots, and then demand the user renew their license by sending $189 by mail to PC Cyborg Corp. The encryption used was simple enough to reverse, so it posed little threat to those who were computer savvy.
With few variants popping up over the next 10 years, a true ransomware threat would not arrive on the scene until 2004, when GpCode used weak RSA encryption to hold personal files for ransom.
In 2007, WinLock heralded the rise of a new type of ransomware that, instead of encrypting files, locked people out of their desktops. WinLock took over the victim screen and displayed pornographic images. Then, it demanded payment via a paid SMS to remove them.
With the development of the ransom family Reveton in 2012 came a new form of ransomware: law enforcement ransomware. Victims would be locked out of their desktop and shown an official-looking page that included credentials for law enforcement agencies such as the FBI and Interpol. The ransomware would claim that the user had committed a crime, such as computer hacking, downloading illegal files, or even being involved with child pornography. Most of the law enforcement ransomware families required a fine be paid ranging from $100 to $3,000 with a pre-paid card such as UKash or PaySafeCard.
Average users did not know what to make of this and believed they were truly under investigation from law enforcement. This social engineering tactic, now referred to as implied guilt, makes the user question their own innocence and, rather than being called out on an activity they aren’t proud of, pay the ransom to make it all go away.
In 2013 CryptoLocker re-introduced the world to encrypting ransomware—only this time it was far more dangerous. CryptoLocker used military grade encryption and stored the key required to unlock files on a remote server. This meant that it was virtually impossible for users to get their data back without paying the ransom. This type of encrypting ransomware is still in use today, as it’s proven to be an incredibly effective tool for cybercriminals to make money. Large scale outbreaks of ransomware, such as WannaCry in May 2017 and Petya in June 2017, used encrypting ransomware to ensnare users and businesses across the globe.
In late 2018, Ryuk burst onto the ransomware scene with a slew of attacks on American news publications as well as North Carolina's Onslow Water and Sewer Authority. In an interesting twist, targeted systems were first infected with Emotet or TrickBot, two information stealing Trojans now being used to deliver other forms of malware like Ryuk, for instance. Director of Malwarebytes Labs, Adam Kujawa speculates that Emotet and TrickBot are being used to find high-value targets. Once a system is infected and flagged as a good target for ransomware, Emotet/TrickBot re-infects the system with Ryuk.
In 2019, the criminals behind the Sodinokibi ransomware (an alleged offshoot of GandCrab) have started to use managed service providers (MSP) to spread infections. In August of 2019, hundreds of dental offices around the country found they could no longer access their patient records. Attackers used a compromised MSP, in this case a medical records software company, to directly infect upwards of 400 dental offices using the record keeping software.
Also in 2019, Malwarebytes discovered the Maze family of ransomware. According to Malwarebytes' 2021 State of Malware Report, "Maze went beyond holding data hostage—it included an additional threat of publicly releasing swiped data if a ransom went unpaid." Another ransomware gang that first appeared the same year is the REvil, also known as "Sodin" or "Sodinokibi." A sophisticated ransomware gang, REvil uses a Ransomware-as-a-Service (RaaS) model to sell to others who want to use their software to commit ransomware attacks.
In 2020, yet another new family of ransomware named Egregor came on the scene. It's thought to be somewhat of a successor to the Maze ransomware family, as many of the cybercriminals who worked with Maze changed over to Egregor. Similar to Maze, Egregor uses a "double extortion" attack, in which they both encrypt files and steal data from the victim that they threaten to publish online unless the ransom is paid.
While ransomware attacks toward individuals have been a problem for several years, ransomware attacks on businesses, hospitals and health care systems, schools and school districts, local governments, and other organizations have been making headlines in 2021. From Colonial Pipeline to large meatpacker JBS to Steamship Authority, the largest ferry service in Massachusetts, ransomware attackers have shown that they are able and willing to disrupt large companies that provide everyday goods like gasoline, food, and transportation.
Throughout 2021, we have seen headline after headline of large ransomware attacks on major companies and organizations (see the news section above to read about many of them). Mid-year, the US goverment said that ransomware was to be investigated like terrorism, and created the website StopRansomware.gov to bring together information on stopping and surviving ransomware attacks. What will the rest of 2021 and 2022 bring in the ransomware threat landscape? While we don't know, we will be here to keep you informed. Check back to this page for future updates, and follow the Malwarebytes Labs blog for the latest in cybersecurity news.