By now, most everyone has heard the term "ransomware" and that people, companies, and local governments have been getting hit with it. But what exactly is ransomware?
Ransomware is a specific breed of malware that silently encrypts all the files on your computer or network.
After the encryption process is complete, then dire messages are displayed informing you that all your files are encrypted and that you must pay a ransom to get the decryption keys necessary to unlock them.
In this article, I'll lay out what this malware does, ways to reduce the likelihood of getting it, and ways to mitigate the damage if you do get it.
This article is rather lengthy. I want you to have a pretty solid understanding on ransomware, how it spreads, and how to avoid it.
As usual, some brief history. The first recorded ransomware attack happened way back in 1989 and didn't even involve the internet, which back then wasn't a thing. An AIDS researcher mailed some 20,000 floppy disks to other AIDS researchers all over the world containing what he claimed was information and a questionnaire on how to gauge an individual's risk of contracting AIDS. But also contained on the floppy was malware that would encrypt all the files on the victim's computer. The malware then demanded a $189 payment to be snail-mailed to a PO Box in Panama where upon a second floppy disk containing the decryption program would be mailed to the victim.
Getting payment was always the Achilles heel for ransomware creators. Accepting credit cards, checks, or wire transfers meant the criminal hacker needed a bank account -- not very convenient for a bad guy wanting to stay anonymous. And receiving payment via gift cards* was impractical for larger ransoms. But once Bitcoin became a thing then ransomware really took-off. Bitcoin was a great way to receive absolutely irreversible payment of any size that was for all practical purposes anonymous. Bitcoin technically isn't anonymous at all, but that's another topic.
* Scams involving gift cards are an entire category of its own.
Ransomware generally gives you only a few days or a week or two to pay up. If the bad guys think you're a home user, they may demand a relatively affordable few hundred dollars. But if they believe you're a business or government user, the sky's the limit. Demands in the six-digits are not uncommon. These days, most ransomware gangs are after bigger bucks than what a private individual could afford.
The ransomware encryption itself is industrial grade so trying to reverse engineer or brute-force the decryption is nearly impossible. Your only options are to pay up or restore your data from a good, recent backup. Paying is never a good idea because you're dealing with criminals (duh) and there's no guarantee your files will be decrypted if you do pay.
Even if you wanted to pay, setting up and funding a bitcoin wallet is not easy. Unless you're pretty savvy about these things, you'll almost certainly have to hire a pro to set it up or, more likely, hire a ransomware emergency responder that already has a bitcoin wallet set up just for paying such ransoms (on your behalf).
Ransomware used to only be about the victim's files being encrypted. You paid the ransom (or, better yet, recovered from a backup) and that was it. But for a while now ransomware has been using a double-pronged approach and even a new triple pronged approach that increases the likelihood that victims will cough up a large ransom.
1st prong, encryption (the original threat): Your files are encrypted and you must pay a ransom to get them decrypted. If you have an up-to-date backup, then you likely can avoid making the payment.
2nd prong, extortion (in use for a few years now): Your files are exfiltrated (stolen/uploaded) by the attacker then your copy is encrypted. The attacker demands a ransom not only to decrypt your files, but to promise to not publicly release those same files. In this case, having a backup only protects you from the 1st prong of attack. If you don't pay up, all your data will be openly published for anyone who might find it valuable. If you have client data then that could trigger a data breach reporting requirement.
3rd prong, extortion on steroids (pretty new): In addition to suffering from the 1st and 2nd prongs of attack, this 3rd prong of attack is where the attackers contact the victim's clients and separately extort a ransom from each of them to not openly publish their data.
This 3rd prong of attack is rapidly becoming the norm.
Expanding Base of Attackers
Ransomware attacks used to be launched only by technically savvy criminals who generally developed their own ransomware such as nation state actors. But now these criminal enterprises are offering their ransomware as a paid subscription service to less sophisticated criminals (what we I.T. types call "script kiddies") so they, too, can launch their own ransomware attacks.
You might think endpoint security will prevent that. To be sure, having security (like Malwarebytes, Webroot, etc.) is better than not having security, but the cat and mouse game between ransomware attackers and security companies is never-ending. Ransomware attackers all purchase these same security products so they can tweak their code to evade detection. Very often, the security products are a step or two behind the attackers.
Scope of Infection
Once ransomware finds its way on your computer, some variants will scan your network for other computers and devices to infect. At the very least, it will infect any USB flash drives and hard drives (including backup drives*) that are connected to your computer and any open file server connections. i.e. Files visible to your computer but that live on a server.
* This is why I recommend a backup rotation protocol whereby multiple (at least two) external hard drives are used to backup a computer (servers, usually). Only one backup hard drive is "hot" (plugged-in) at any given time and the rest are cold. The hard drive is swapped each day, a process that takes only a minute. I recommend a backup product called Macrium Reflect, which has a feature to help protect backup drives from ransomware infection.
If you're a company with multiple computers, then depending on the security situation, the ransomware code may invade those computers, possibly infecting every computer on the premises.
Ways of Infection, 4 Common Vectors
1 > Via Email: Malicious Attachments and Web Links
Even today, after all the warnings (like this one), email is still one of the most common ways that ransomware is transmitted. An email may contain an infected attachment or it may contain links to infected websites. The email may have found you at random (regular phishing) or may be targeted to you specifically (spear phishing). Attachments could be a PDF, a Microsoft Office document like Word or Excel, could be a ZIP file (especially if it's encrypted), and other file types. Links often show innocent-looking text, like a well-known website, but then if you hover over the link (do not click) you may see an entirely different website on the browser status bar at the bottom.
Such emails are usually "off" in some way:
Use of words that aren't quite right, odd phrasing, bad grammar, obvious misspellings (not just typos like swapped letters)
Urging you to do something; contains warnings and consequences for ignoring
Asking for information, especially sensitive info, that you aren't generally asked-for
Appears to be from someone you know (spear phishing), might even address you by name or position, and may be requesting that you read something (an attachment or link) that is in any way out of character for the person that is purportedly emailing you. Check the full email address of the sender. Is that the purported sender's real email address? If from a company, is the email from that company's domain (the part of the email address after the @ sign)? Or is it from a public email account that anyone can get for free?
In other words, if the email is not 100% plain and ordinary, if it's not of a nature that's like all the other email you get, then be very suspicious, indeed. Get a co-worker to look at it. Or forward to your I.T. dept or person.
Web links (called URLs) could also lead to infected websites. Again, hover over the link (do not click!) using your mouse and read what the web address is. I know, this is difficult or impossible to do on a mobile device where there is no "hover" ability. If you are on your mobile, then wait till you get to a real computer.
2 > Supply Chain
Imagine a bad actor wanting to poison an entire town, all at once, without having to personally visit each home or business. He might decide that sabotaging the public water supply would be an efficient way to do that. Sneak into the town's treatment plant and dump the poison into the water system. Ug, what a pleasant thought. The computer equivalent of that is called a supply chain attack and it's the newest transmission vector for ransomware.
Instead of trying break into thousands of different company networks, each with their own level of security (ranging from good to bad), what if the bad actors could infiltrate the software vendor used by those same companies? The SolarWinds hack that was discovered in 2020 is one prominent example. SolarWinds makes network and computer management software that's used by tens of thousands of organizations. By infecting the SolarWinds update process for a product called Orion, an estimated 18,000 customers became infected. Those customers included Fortune 500 companies and numerous governments.
Now imagine that same supply chain attack happening to QuickBooks, a product used by ten of millions of companies. Or to Adobe Acrobat. Or Microsoft Office. Both products used by a bazillion customers.
There's very little that an end user company can do to prevent infection via supply chain attack. The reason this attack is so successful is because updates are explicitly trusted by the software they're made for. If the bad actors succeed with infecting the update servers used by a particular software maker (like what happened with SolarWinds) then infection for the customers of that product becomes very easy.
Note, this is absolutely no reason to refuse updates. The chances of suffering from a malware infection or other bug is far higher when running outdated software than the risk of a supply chain attack by getting timely updates -- many of which fix existing vulnerabilities.
But one thing you can do is remove any software that you absolutely do not need. Many computers come with unnecessary vendor bloatware installed. Remove that. Also, don't download software that you don't absolutely need to do your job.
3 > Malicious Advertising -- Malvertising
The websites we visit often have ads -- that's what pays for a lot of otherwise free websites. The ads you see on a website are nearly always placed there by an ad serving company -- not by the owners of the website. In other words... When you visit, say, speedtest.net, you'll see a ton of ads. The web site owner generally doesn't display all those ads themselves. That's too much work. Instead, they allow third party ad serving companies to do the advertising for them. And the web site owner gets paid for allowing that. Profit!
Malvertising is when bad actors purchase legit ad space but then has it display an infected ad (usually a carefully crafted image or video that contains virus code that is downloaded). You don't even have to click on the ad (I mean, really, who clicks on ads anyway?) to be infected.
This approach is popular because the ransomware criminals don't have to breach the website you are visiting which could be locked down really well. They only have to provide an infected ad to the ad serving company which already has a contract with the web site you are visiting. That's a brilliant approach. As with the supply chain attack described above, why break a hole in the back wall when you can walk right in through the front door?
You might think that ad serving companies would do a better job of security so to not allow infected ads on their networks. Well, you'd be wrong. Ad serving companies want their money and the more obnoxious the ad (think spacious auto-playing videos), the more money they make. They aren't too interested in pesky security concerns.
This is why I install uBlock Origin (an excellent and free ad-blocker and privacy filter) on every client computer that I touch. Of course, I explain what I'm doing and why.
It sucks for the legit websites that rely on ad revenue. But my concern is for you, not the well being of the websites you visit.
4 > Drive-by Downloads
This is when you visit a website and a download takes place without your knowledge or consent. As with malvertising described above, usually for this to work, your computer must be vulnerable in some way. That is, having a security issue that's not been discovered or patched. Legit websites don't do this. But the internet is chock full of websites that aren't so legit. You usually find them when aimlessly clicking on Google search results.
Best prevention is to keep your computer and all software updated and install uBlock Origin as recommended above.
Avoiding Malware Infection in the First Place
Cyber-awareness training can help. These are short online courses that help teach employees how to recognize malicious emails, links, attachments, etc. Since user action is still one of the most common ways to get infected with malware then it makes sense to train your users to recognize and avoid it. Periodic refresher courses are a must. They'll cover newer threats and serve as a reminder to be vigilant.
Each computer should have an endpoint security product like Malwarebytes or Webroot and the uBlock Origin browser add-on.
Computers must be allowed to update Windows, browsers, and other software that you use. These updates often contain security patches to fix known vulnerabilities that are being exploited.
Consider adding a company policy disallowing employees from web surfing or checking personal email on company computers. They can use their personal phones for that.
Remove any software that isn't absolutely necessary to perform your job.
Your I.T. or security pro can help with additional measures.
If you do become infected, the level of damage you suffer is determined largely by how well-prepared you were ahead of time. Your data can be lost for many reasons: Fire, flood, theft, hardware failure, etc. Some of the same precautions you'd take for these other insults apply to ransomware as well.
There are many considerations in setting up a proper, ransomware-resistant backup system. You cannot simply plug in a flash drive or hard drive and drag your files over. I can set up an automated, ransomware resistant backup system. I say "resistant", because nothing is a sure-thing. It's another layer of armor.
The time to set up mitigating precautions is now, before it's needed. That's the pre in precaution after all. Backing up and having anti-malware software in place is the cheapest insurance you can buy!
More here on Wikipedia about the AIDS trojan.