Ransomware is malware that uses encryption to hold a victim's information for ransom. The attack attempts to encrypt a victim's critical data so that the victim can no longer access files, databases, or applications, and a ransom is then demanded in exchange for restoring access. These attacks do not necessarily require sophistication on the attacker's part, often demanding minimal skill, due in part to the advent of "ransomware as a service," in which ransomware developers lease pre-made malware much like other software products. These developers often receive a portion of the ransom payments.
In some of these attacks, the attacker claims to be a law enforcement agency, shuts down the victim's computer on the pretext that certain software was found on it, and demands a "fine," in part to make victims less likely to report the attack. Other attacks target larger organizations, either opportunistically, because an organization may have a small security team but do a lot of file sharing, or deliberately, because the organization is more likely to pay a ransom quickly, as with government agencies or medical facilities that require immediate access to their files.
There are largely three types of ransomware: scareware, screen lockers, and encrypting ransomware.
Scareware often takes the form of fake security software and tech support scams, including pop-up messages claiming that malware was discovered and that the only way to remove it is to pay. If the victim does not pay, they are likely to be bombarded with further pop-ups, but the files on the computer are usually left untouched.
Lock-screen ransomware, as the name suggests, locks the user out of the computer until a ransom is paid. Typically, a full-screen window appears on startup, often bearing an official-looking seal and claiming that illegal activity has been detected on the computer and that a "fine" must be paid. Other variants state the demand more directly.
Encrypting ransomware is the most concerning type: it collects a user's or organization's files and encrypts them, then demands payment to decrypt and return them. Part of the danger is that once the files have been encrypted, no security software or system can restore them. And while the files are often returned after the ransom is paid, there is no guarantee that they will be, nor any guarantee that copies of the files will not be used for further ransom demands.
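Because nothing can restore files once an encrypting payload has run, detection effort goes into catching the encryption while it is in progress. The following is an added example, not code from the original page or from any product it mentions: a small Python detector that flags a process performing a burst of encryption-like file events (high-entropy writes and extension-changing renames) and notes whether a ransom-note-like file was dropped. The event schema, process names, file paths and all event data are constructed for the example.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FileEvent:
    """One file-system event as a monitoring agent might report it (hypothetical schema)."""
    ts: float                       # seconds since the start of the capture
    process: str                    # name of the process that performed the action
    action: str                     # "write" or "rename"
    path: str                       # path written, or the source path of a rename
    new_path: Optional[str] = None  # destination path of a rename
    data: bytes = b""               # leading bytes of the content written


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: plain text sits around 4-5, encrypted output approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    return os.path.splitext(path)[1].lower()


RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore", "recover")


def is_encryption_like(ev: FileEvent, entropy_threshold: float) -> bool:
    """A high-entropy write, or a rename that changes the file extension."""
    if ev.action == "write":
        return shannon_entropy(ev.data) >= entropy_threshold
    if ev.action == "rename" and ev.new_path:
        return extension(ev.new_path) != extension(ev.path)
    return False


def looks_like_ransom_note(ev: FileEvent) -> bool:
    """Small text/HTML file whose name carries a typical ransom-note keyword."""
    name = os.path.basename(ev.path).lower()
    return (ev.action == "write" and extension(name) in (".txt", ".html", ".hta")
            and any(hint in name for hint in RANSOM_NOTE_HINTS))


def detect_mass_encryption(events: List[FileEvent], window: float = 60.0,
                           min_events: int = 10, entropy_threshold: float = 7.0) -> List[Dict]:
    """Alert on any process with at least min_events encryption-like events inside one window."""
    by_process: Dict[str, List[FileEvent]] = defaultdict(list)
    for ev in events:
        by_process[ev.process].append(ev)
    alerts = []
    for proc, evs in by_process.items():
        evs.sort(key=lambda e: e.ts)
        hits = [e.ts for e in evs if is_encryption_like(e, entropy_threshold)]
        peak = start = 0
        for end in range(len(hits)):  # sliding window over the suspicious timestamps
            while hits[end] - hits[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_events:
            alerts.append({"process": proc, "peak_events_in_window": peak,
                           "ransom_note_seen": any(looks_like_ransom_note(e) for e in evs)})
    return alerts


def build_sample_events() -> List[FileEvent]:
    """Constructed sample: one benign editor, and one process rewriting 12 documents in 24 seconds."""
    text = b"Quarterly report: revenue grew 4% year over year. " * 20
    # Deterministic high-entropy stand-in for ciphertext (concatenated SHA-256 digests).
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    events = [FileEvent(ts=5.0 * i, process="editor.exe", action="write",
                        path=f"docs/draft_{i}.txt", data=text) for i in range(3)]
    for i in range(12):
        events.append(FileEvent(ts=2.0 * i, process="proc_7f2a", action="write",
                                path=f"docs/report_{i}.docx", data=blob))
        events.append(FileEvent(ts=2.0 * i + 0.5, process="proc_7f2a", action="rename",
                                path=f"docs/report_{i}.docx",
                                new_path=f"docs/report_{i}.docx.locked"))
    events.append(FileEvent(ts=25.0, process="proc_7f2a", action="write",
                            path="docs/README_DECRYPT.txt",
                            data=b"constructed ransom-note placeholder text"))
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_events()):
        print(alert)
```

The thresholds are deliberately simple; in practice a detector of this kind is tuned against a baseline of normal activity (backup agents and archivers also write high-entropy data), and the alert is used to isolate the host rather than to attempt any recovery of the already-encrypted files.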
While there are thousands of varieties, some of the more common attacks in circulation include:
Ransomware examples
Individuals and organizations are discouraged from paying the ransom, as the files are not guaranteed to be released. The FBI has previously advised that if CryptoLocker, CryptoWall, or other sophisticated forms of ransomware are involved, the victim is unlikely to get their data back without paying a ransom. Individuals and organizations can, however, work to prevent ransomware attacks; the recommended measures to protect computers and networks from ransomware infections include:
- Employ a data backup and recovery plan for all critical information. This includes regular backups to limit the impact of data or system loss and to expedite recovery. Critical backups should also be isolated from the network for the best protection.
- Keep operating systems and software up to date with the latest patches. Vulnerable applications and operating systems are the targets of most attacks, and ensuring these are patched reduces the number of exploitable entry points.
- Maintain up-to-date anti-virus software and scan all downloaded software before executing it.
- Restrict users' ability (permissions) to install and run unwanted software applications, and apply the principle of "least privilege" to all systems and services. This can limit the extent to which malware spreads through a network.
- Avoid enabling macros from email attachments.
- Do not follow unsolicited web links in emails or other phishing schemes.
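A backup is only useful if it is still intact when it is needed, and a backup share that the infected host can write to may be encrypted along with everything else. As an added example (not code from the original page or from any product it mentions), the Python script below records a SHA-256 manifest at backup time and later verifies the backup copy against it, reporting files that are missing, altered or unexpectedly added, and whether the backup is older than the allowed age. The directory layout, file contents and the tampering scenario in `demo()` are constructed for the example; the manifest is assumed to be kept on separate, offline media.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_files(root: Path) -> Dict[str, Path]:
    """Regular files under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def build_manifest(root: Path) -> dict:
    """Hash every file under root at backup time. Keep the result outside the backup itself."""
    return {"taken_at": time.time(),
            "files": {rel: sha256_file(p) for rel, p in sorted(_relative_files(root).items())}}


def verify_backup(manifest: dict, backup_root: Path, max_age_seconds: float) -> dict:
    """Check a backup copy against its manifest: missing, altered or added files, and age."""
    expected = manifest["files"]
    present = _relative_files(backup_root)
    report = {
        "missing": sorted(rel for rel in expected if rel not in present),
        "modified": sorted(rel for rel in expected
                           if rel in present and sha256_file(present[rel]) != expected[rel]),
        "unexpected": sorted(set(present) - set(expected)),
        "stale": (time.time() - manifest["taken_at"]) > max_age_seconds,
    }
    report["ok"] = not (report["missing"] or report["modified"]
                        or report["unexpected"] or report["stale"])
    return report


def demo() -> dict:
    """Constructed scenario: a clean backup, then the same backup after its share was overwritten."""
    base = Path(tempfile.mkdtemp())
    try:
        src, bak = base / "source", base / "backup"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "notes.txt").write_text("board minutes, two pages\n")  # constructed content
        (src / "ledger.csv").write_text("date,amount\n2021-09-01,42\n")        # constructed content
        shutil.copytree(src, bak)
        manifest = build_manifest(src)  # in practice stored on separate, offline media (assumption)
        clean = verify_backup(manifest, bak, max_age_seconds=86400)
        # Simulate what an encrypting process reaching a writable backup share leaves behind:
        # one file overwritten with unrelated bytes and a note file added.
        (bak / "docs" / "notes.txt").write_bytes(bytes(range(256)))
        (bak / "README_DECRYPT.txt").write_text("constructed ransom-note placeholder\n")
        tampered = verify_backup(manifest, bak, max_age_seconds=86400)
        return {"clean": clean, "tampered": tampered}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    result = demo()
    print("clean backup ok:", result["clean"]["ok"])
    print("tampered backup:", result["tampered"])
```

Running the verification from a host other than the one being backed up, against media that host cannot write to, is what turns the "isolated from the network" advice above into something that can be checked on a schedule rather than assumed.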
In the case of an individual computer that has been infected by ransomware, there are a few things an individual can do to regain control of the machine. However, as noted above, where an organization's network has been compromised or its files have been encrypted, the process becomes more difficult and expensive. The important steps for an individual include:
- Reboot the computer into safe mode
- Install anti-malware software
- Scan the system to find the ransomware program
- Restore the computer to a previous state
These steps can remove the malware from a computer and return it to the individual's control, but they cannot decrypt files. Depending on the sophistication of the malware, it can be mathematically impossible in practice to decrypt the files without access to the key held by the attackers.
The earliest known ransomware dates to 1989, when attackers used it to blackmail computer users. This period saw the "AIDS virus," which was used to extort funds from recipients of the malware. Payments were made by mail to Panama, and a decryption key was mailed back to the user.
In 1996, the concept of "cryptoviral extortion" was introduced by Moti Yung and Adam Young of Columbia University. The idea illustrated the progression of modern cryptographic tools, and Young and Yung presented the first such attack at the 1996 IEEE Security and Privacy conference. Their proof-of-concept virus carried the attacker's public key and encrypted the victim's files; the victim was then prompted to send the asymmetric ciphertext to the attacker, who would decipher it and return the decryption key for a fee.
In order to remain anonymous and undetected, attackers have often required payment by means that are intended to be difficult, if not impossible, to trace. For example, the Fusob ransomware required victims to pay using Apple iTunes gift cards instead of normal currency. The popularity of ransomware attacks has grown with the growth of cryptocurrency, as cryptocurrency transactions are often difficult to attribute and track.
The first real cases of ransomware in the wild were reported in Russia in 2005. Ransomware has since spread globally and continues to prove successful. There was a dramatic increase in ransomware attacks around 2011, and since then antivirus vendors have increasingly focused their scanners on ransomware.
Regional differences have also emerged in ransomware attacks. In some regions, false messages about unlicensed applications are used, notifying the victim that unlicensed software is installed and prompting the user to pay to license it. In other regions, the attacks take the form of false claims about illegal content: the message claims to come from a law enforcement agency, states that illegal content has been found on the victim's computer, and demands that a penalty be paid. This latter approach does not work as well in countries where illegal software downloads are common practice.
One of the largest ransomware attacks, WannaCry, took place in 2017. It affected around 200,000 individuals in roughly 150 countries, who were asked to pay their ransoms in Bitcoin.
On September 8, 2021, Olympus was recovering from a ransomware attack that had begun early that morning. The company later stated that it was investigating a potential cybersecurity incident affecting its Europe, Middle East, and Africa networks. Its response included suspending data transfers in the affected systems and informing relevant external partners, while deploying a response team that included forensic security experts.
A ransom note left behind on infected computers claimed to be from the BlackMatter ransomware group. The note included the web address of a site, accessible only through the Tor Browser, that is known to be used by BlackMatter to communicate with victims. BlackMatter is a ransomware-as-a-service group founded as a successor to earlier ransomware groups, including DarkSide. The group is known to rent access to its infrastructure so that affiliates can launch attacks, and it typically steals data from a company's network before encrypting it, often threatening to publish the files online if the ransom is not paid.