Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively categorised as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.
Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading, or opening when it arrives as an email attachment. However, one high-profile example, the ‘WannaCry worm’, travelled automatically between computers without user interaction.
The two types of ransomware
Encrypting ransomware, which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CrytpoWall and more.
Locker ransomware, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware or Winlocker.
Some locker versions can even infect the Master Boot Record (MBR). The MBR is the section of a PC’s hard drive which enables the operating system to boot up. When MBR ransomware strikes, the boot process can’t complete as usual and prompts a ransom note to be displayed on the screen. Examples include Satana and Petya families.
Encrypting ransomware is more widespread, and hence, more worrisome.
Ransomware infection and behaviour
Users may encounter this threat through a variety of means. Ransomware can be downloaded onto systems when unwitting users visit malicious or compromised websites. It can also arrive as a payload either dropped or downloaded by other malware. Some ransomware are known to be delivered as attachments from spammed email, downloaded from malicious pages through malvertisements, or dropped by exploit kits onto vulnerable systems.
Once executed in the system, ransomware can either lock the computer screen, or, in the case of crypto-ransomware, encrypt predetermined files. In the first scenario, a full-screen image or notification is displayed on the infected system’s screen, which prevents victims from using their system. This also shows the instructions on how users can pay for the ransom. The second type of ransomware prevents access to files to potentially critical or valuable files like documents and spreadsheets.
Ransomware is considered ‘scareware’, as it forces users to pay a fee (or ransom) by scaring or intimidating them. In this sense, it is similar to FAKEAV malware, but instead of capturing the infected system or encrypting files, FAKEAV shows fake antimalware scanning results to coax users into purchasing bogus antimalware software.
Evolution of ransomware
Cases of ransomware infection were first seen in Russia in 2005. Trend Micro published a report on a case in 2006 that involved a ransomware variant (detected as TROJ_CRYZIP.A) that zipped certain file types before overwriting the original files, leaving only the password-protected zip files in the user’s system. It also created a text file that acted as the ransom note informing users that the files can be retrieved in exchange for $300.
In its earlier years, ransomware typically encrypted particular file types such as DOC, .XLS, .JPG, .ZIP, .PDF, and other commonly used file extensions.
Top targets
Cybercriminals soon realised that companies and organisations were far more profitable than individuals. They went after the bigger targets: police departments, city councils and even schools and, worse, hospitals!
To give you some perspective, nearly 70% of infected businesses opted to pay the ransom and recover their files.