Overview of ransomware


Ransomware is malicious software that a cybercriminal installs on your computer to prevent you from using it. The cybercriminal then demands money before you can access your computer again. Ransomware can be installed so that it locks an entire company out of some or all of its systems, or so that it prevents access to certain files. A recent escalation has seen cybercriminals take copies of sensitive data and threaten to make it public if a ransom isn't paid.

In this module, you'll also hear the term malware mentioned. Malware is the malicious software that is downloaded onto computers or a computer system to prevent access. In short: malware locks the computer, and when a ransom is demanded to unlock it, the incident becomes a ransomware attack.

Another term you might read about or hear in the news is ransomware actors. This refers to the cybercriminals or groups that use ransomware to disrupt and then extort money from individuals or organizations. In this module, we'll use the term cybercriminal.

Ransomware attacks take different forms and can include any or all of the following:

  • Ransomware is downloaded onto a device and extracts data; the cybercriminal then demands a ransom to prevent confidential information being released to the public.
  • Ransomware is downloaded and changes the file names so users can't open files, preventing normal day-to-day jobs being carried out. A ransom is demanded to obtain access to the files.
  • Ransomware is downloaded and encrypts files, locking users out of their computers and making any work impossible, so effectively shutting down a company. A ransom is demanded to allow the company to continue to operate.
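The second and third forms above (files renamed so they can't be opened, files encrypted so work stops) leave a recognisable trace on the file system: one process touching many files in a short time, renaming them to a single new extension and writing data that looks like ciphertext. The following is an added example, not code from the original module, that shows how a defender could flag that pattern. It runs over a small set of constructed file events (the process name `unknown.exe`, the `.locked` extension and the event shape are all assumptions made for the example, not values from the page) and uses two simple heuristics: a burst of renames to the same new extension, and a burst of high-entropy writes.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    """One file-system event from an endpoint trace (constructed shape for this example)."""
    ts: float            # seconds since the start of the trace
    process: str         # process that performed the action
    action: str          # "rename" or "write"
    path: str            # file acted on
    new_path: str = ""   # destination path, for renames only
    data: bytes = b""    # bytes written, for writes only


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data; 8.0 is the maximum and is typical of encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    """Lower-cased final extension of a path, or "" if the file name has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events, window=60.0, rename_threshold=10, entropy_threshold=7.5, write_threshold=10):
    """Return {process: [reasons]} for processes whose activity looks like ransomware encrypting files."""
    alerts = defaultdict(list)
    per_proc = defaultdict(list)
    for e in events:
        per_proc[e.process].append(e)

    for proc, evs in per_proc.items():
        evs.sort(key=lambda e: e.ts)

        # Heuristic 1: many files renamed to the *same* new extension within one time window.
        renames = [e for e in evs
                   if e.action == "rename" and extension(e.new_path) != extension(e.path)]
        for i, first in enumerate(renames):
            burst = [r for r in renames[i:] if r.ts - first.ts <= window]
            ext, count = Counter(extension(r.new_path) for r in burst).most_common(1)[0]
            if count >= rename_threshold:
                alerts[proc].append(f"{count} files renamed to .{ext} within {window:.0f}s")
                break

        # Heuristic 2: many ciphertext-like (high-entropy) writes within one time window.
        writes = [e for e in evs
                  if e.action == "write" and shannon_entropy(e.data) >= entropy_threshold]
        for i, first in enumerate(writes):
            burst = [w for w in writes[i:] if w.ts - first.ts <= window]
            if len(burst) >= write_threshold:
                alerts[proc].append(f"{len(burst)} high-entropy writes within {window:.0f}s")
                break

    return dict(alerts)


# Constructed sample data: a flat byte distribution (entropy exactly 8.0) stands in for
# encrypted output; repeated English text stands in for an ordinary document.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
PLAINTEXT = b"Quarterly sales report, draft 3. " * 100


def sample_events():
    """Constructed trace: one benign document editor and one process rewriting files as ciphertext."""
    events = []
    # Benign: a user saves a few documents over most of an hour.
    for i in range(5):
        events.append(FileEvent(ts=i * 600.0, process="WINWORD.EXE", action="write",
                                path=f"/docs/report{i}.docx", data=PLAINTEXT))
    # Suspicious (assumed process name): 15 files overwritten with ciphertext-like data
    # and renamed to a single new extension within 15 seconds.
    for i in range(15):
        p = f"/docs/file{i}.xlsx"
        events.append(FileEvent(ts=100.0 + i, process="unknown.exe", action="write",
                                path=p, data=CIPHERTEXT_LIKE))
        events.append(FileEvent(ts=100.5 + i, process="unknown.exe", action="rename",
                                path=p, new_path=p + ".locked"))
    return events


if __name__ == "__main__":
    for proc, reasons in detect(sample_events()).items():
        print(proc, "->", "; ".join(reasons))
```

The thresholds are deliberately conservative so that a user saving or renaming a handful of files is never flagged; in a real deployment they would be tuned against the organisation's normal file activity, and an alert of this kind is a prompt to isolate the host and check backups rather than proof of ransomware on its own.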

The impact on users and companies is significant. For example:

  • Attacks on hospitals can put lives at risk if records can't be accessed.
  • Attacks on healthcare organizations can put lives at risk due to the increasing number of wireless devices that help sustain life, such as heart pacemakers and insulin pumps.
  • An attack on an educational institution can prevent access to important resources.

If you also consider the potential impact of the release of patient or pupil records, or the risk to life, the damage can be devastating for any business or individual that is targeted. The negative publicity surrounding a company that can't trade will have huge financial implications for its reputation.

Companies are faced with stark and difficult decisions. They either pay the ransom and hope they get all their data back, or risk negative implications such as:

  • The loss of valuable data.
  • The loss of reputation/sales/future orders.
  • The risk of a leak of confidential data into the public domain.
  • Potential loss of life if wireless data is disrupted.

It's important to remember that you're dealing with cybercriminals, so there are no guarantees. Often, some data remains inaccessible or is sold on the black market even though a ransom has been paid.

The growth of ransomware as an industry

As the internet has become more accessible, so has the potential for installing ransomware increased. However, the problem isn't new: it started when computers were first used.

1989 – AIDS Trojan

The first recorded ransomware attack occurred as far back as 1989 when 20,000 floppy disks containing a healthcare program for AIDS patients were distributed to attendees at a conference. The disks were infected with malware that only activated after people had used the program 90 times. At that point, the system locked, and a ransom demand was displayed on the screen.

Turn of the century

With the change from dial-up services to broadband, many more people began using the internet, creating new opportunities for cybercriminals to exploit vulnerable individuals and companies. Several notable cases hit the headlines, including attacks that:

  • Prevented access to files on a user's device and forced them to purchase items at an online store in return for the code to unlock their files.
  • Infected computers when users opened an email attachment that presented as a job application.

2008

The invention of Bitcoin introduced a way for cybercriminals to easily hide money, and since then the number of ransomware cases has steadily increased. The severity of attacks also started to increase, with whole systems being locked down instead of just user files.

2012 – ransomware-as-a-service

Within the cybercriminal environment, ransomware started to become available to purchase via a license. This ransomware-as-a-service model meant that cybercriminals without the same degree of technical ability could start launching attacks. This led to an increase in large-scale attacks and introduced malware that is still around today, such as CryptoWall and Locky. This malware is constantly evolving, making it harder to detect and maximizing the impact on the victim.

Current landscape

Extracting money via cyberattacks is now a complete business model, where cybercriminal organizations run large call centers to handle ransom payments. They target large businesses and high-profile individuals to maximize payouts. But small businesses and individuals are still targeted, so no one is safe from attack. The COVID-19 pandemic has pushed many users to remote working, meaning more companies are at risk as extra traffic goes through the internet. It's vitally important that every business ensures it follows all recommendations to minimize the threat of attack.

As the scale of ransomware and extortion-based attacks increases, law enforcement agencies around the world are taking an increased interest in tracking down these criminals.