What Is Ransomware, How It Works, and How You Can Prevent It

When we're talking about cybersecurity it's essential to raise awareness about all kinds of malware and cyber attacks users might confront with in their online journey.

One type of malware that we need to address is known as ransomware.

Even though ransomware attacks have seen a decline over the past years, they can still be a threat to your online security, personal information, files, and money.

In this post, you'll learn everything you must know about ransomware - what is ransomware, how it works, how organizations have been hit by ransomware attacks, and how you can prevent ransomware attacks so you don't become one of the victims.

Ransomware is a type of malware (or malicious software) that, once installed on a computer, will cause harm to the user, usually by encrypting all the data on the device. To gain access back to his files, the user is required by the attacker to pay a ransom.

To get the decryption key necessary for restoring the access to the files, the user is given the instructions on how to pay the ransom. This fee can vary between a couple of hundreds of dollars to thousands, usually requested to be paid in cryptocurrencies.

Because we are talking about cybercriminals, it's needless to say that the promise to get the access back to one's files is not always truthful.

There are more ways in which ransomware software can get access to your computer.

The most common way ransomware is delivered is by using a Trojan disguised as a genuine file attached in an email that the user is tricked into downloading and installing. This technique of using emails as a mean of conducting a cyber attack is known as phishing spam.

Once the malicious software is installed, the attacker is able to take over the victim's computer. Some ransomware software has built-in tools that will trick the victim into providing administrative access, while other ransomware are able to exploit security flaws without requiring any user interaction.

There are several ways in which the ransomware can act once it got into your computer.

Encrypting ransomware

The most common action ransomware will do once it is installed on a computer is to encrypt all, or at least some, of the user's files. If this happens, the user won't have access to the files without the decryption key known only by the attacker. Once the files are encrypted, the user will be shown a message that explains the files are locked down and will only get the access back upon sending an untraceable payment to the attacker, usually in Bitcoins.

The first known malware attack of this kind dates back to 1989 and is known as the AIDS Trojan. The ransomware software encrypted only the names of the files on the computer and hid the files on the hard drive. It then displayed a message requesting the user to renew the license to a certain piece of software. The user was required to send $189 to a mailbox in Panama in the name of the PC Cyborg Corporation in order to receive the repair tool.

Non-encrypting ransomware

Another way ransomware can take action is by locking down one's computer without encrypting the files.

In 2010, nine Russian individuals were arrested because of their connection with the ransomware Trojan know as WinLock. This ransomware software did not use encryption but restricted users access to the system by displaying pornographic images. The attackers asked the victims to send a premium SMS, costing around $10, in return for the code that would give them back the access to the computers. It's reported that the attackers earned over $16 million by scamming numerous users across Russia and surrounding countries.

In some cases, the attacker might claim to be a law enforcement agency so it's less likely for the victim to report the attack. In this case, the attacker claims to shut down the victim's computer because it holds pirated software. The ransom is seen as a fee for the user's "illegal actions".

Leakware (Doxware)

This type of ransomware is a cryptovirology attack that's been invented by Adam L. Young. In a Doxware attack, the attacker does not deny the victim's access to his files. Instead, the cybercriminal steals information from the victim's computer and threatens to publish it online unless a ransom is paid.

Lakware was outlined in the Malicious Cryptography as it follows:

The attack differs from the extortion attack in the following way. In the extortion attack, the victim is denied access to its own valuable information and has to pay to get it back, where in the attack that is presented here the victim retains access to the information but its disclosure is at the discretion of the computer virus.

This type of ransomware attack is less common because finding and stealing sensitive information from one's computer requires more work from the attacker. So encryption ransomware still remains the favorite type of attack.

Mobile ransomware

With the increase in mobile usage, there's no wonder smartphones have also become a target for ransomware attacks. But unlike with PC devices, on mobile devices encrypting ransomware is not the preferred way of operating since the files on smartphones can be easily restored through synchronization.

Mobile ransomware most often targets Android devices because they allow third-party applications to be installed. The ransomware software is usually distributed through APK files and they will attempt to display a blocking message on top of the other apps.

While organizations are most likely to become the target of a ransomware attack, individuals are not immune to these kinds of cyber attacks either.

In some cases, the attackers don't even look for specific targets, but they rather send phishing spam email in bulk, trying to get as many victims as they can. In these cases, they will ask for a small ransom, usually less than $100, so it's an affordable amount for individuals. One of the examples is the WinLock ransomware attack we've talked about above that only asked for a $10 ransom.

When choosing organizations and businesses to target, attackers look at various aspects. They might rely either on how easy it is to get in the organization's system o on how willing the organization will be to pay the ransom.

One example of organizations that are easy to hack into are universities. Because they have a small team for security and the users do a lot of file sharing, they are easy targets for attackers.

In contrast, ransomware attacker might also take into consideration which organizations will be eager to pay the ransom because of the importance of the files their systems hold. One such example is medical facilities. Because losing the medical files would put people's lives in danger and because they rely on having immediate access to the files, they are most likely to pay the ransom quickly. Other examples of such organizations are government agencies and law firms.

But even though organizations holding sensitive files are more at risk of becoming the victim of ransomware attacks, you should still be aware that some ransomware spreads automatically and randomly over the internet so no one is immune to the threat.

There are several steps you can take so you strengthen your security to prevent ransomware attacks. Not only they will diminish ransomware threats, but they'll also boost your online security against other types of attacks.

Keep your operating system up to date - With each update, new security patches are resolved and there will be fewer vulnerabilities for hackers to exploit when they try to get access to your computer. So make sure you're always running the latest version of your operating system.

Use antivirus software - Antivirus software is crucial when we're talking about online security in general. They detect malicious software, including ransomware, the moment they got to your computer and will prevent them from executing. Also, make sure your antivirus software is updated as new malware is created every day and you want its database to recognize as many types of malware as possible.

Back up your files - Backing up your files automatically is a best practice in the world of online security. Especially when we're talking about ransomware. Even though this won't help prevent a malware attack, it will diminish the damage caused by an attack if it happens.

Be aware of what you install - Don't download and install pieces of software you know nothing about, especially if they came as an attachment in a suspicious email or they are uploaded on a website you don't trust.

Learn about online security - Besides the above essential guides for improved security, there are more little steps you can follow to strengthen your online security. Using a firewall, making sure your browser is secure, using a VPN when browsing online, are just a couple of examples of what you can do to stay safe online and keep your data private.

If you become the victim of a ransomware attack, you'll be able to regain control of your computer by rebooting your device to safe mode, installing an antimalware software, scanning for the ransomware software, and restoring your computer to a previous state.

What's worth mentioning is that even if you get back control over your computer, you won't be able to decrypt the files. If the malware is a bit complex, and nowadays it probably is, the only way to decrypt your files is to use the key only the attacker knows.

Becoming the victim of ransomware is a tricky situation. Not only these kinds of attacks put your sensitive files at risk, but there's also the downside that you can't trust criminals to give you back the access to your files even though you decide to pay the ransom.

The best way to deal with ransomware is to prevent a ransomware attack before it happens.

To do so, take into consideration the prevention steps we've talked about in this post.