Ransomware: Understand what it is and how to prevent it

Digital transformation has brought companies a series of benefits, including the interconnection of devices through the Internet of Things, which increases the number of IP addresses connected to the business system, and cloud computing, which optimizes companies’ IT infrastructure and enables mobility.

Alongside the increase in corporate productive capacity, these changes also increase the number of entry points to servers, which brings security risks such as ransomware attacks.

Why is ransomware getting so much attention, and how does this type of attack work? We wrote this post so that you can better understand what ransomware is, its history, its infection methods, and the best ways to prevent it.

We hope that, after reading, you have the necessary foundation to maintain a safer virtual environment!

What is ransomware?

Ransomware is a type of malware that prevents users from accessing their personal files or corporate system files, either by blocking access to the database or through encryption.

In this type of attack, the criminal demands a ransom payment to restore access. The first ransomware variants were developed in the late 1980s, and payment was sent by mail. Today, ransomware authors demand payment via cryptocurrency or credit card.

Ransomware on PCs

Anyone can be targeted by ransomware. The most impactful ransomware attacks have affected individuals and businesses, including large corporations, hospitals, airports, and government agencies.

The PC is still the most popular target for ransomware attacks as hackers exploit known vulnerabilities, particularly in the Windows operating system. In May 2017, WannaCry ransomware spread rapidly across the world and attacked more than 100 million users.

WannaCry exploited a known Windows weakness called EternalBlue, a bug that allows attackers to execute code remotely via a Windows file and printer sharing request. Microsoft had released a patch for EternalBlue two months before WannaCry; unfortunately, many individuals and companies did not update in time to prevent the attack.

EternalBlue dates back to Windows XP, an operating system that Microsoft no longer supports — which is why Windows XP users were hit hardest by WannaCry.

Ransomware on mobile devices

Ransomware attacks on mobile devices are increasing in frequency. Attacks on Android devices grew by 50% between 2016 and 2017. Often, ransomware reaches the Android device through an application from a third-party website; however, we have also seen cases where ransomware has been successfully hidden in seemingly legitimate apps on the Google Play Store.

Ransomware on Apple products

Apple fans are not free from this threat either. In the past, Mac users were generally less susceptible to malware attacks. In 2017, two security companies discovered ransomware and spyware programs specifically targeting Apple users, believed to have been developed by software engineers specializing in OS X.

The people who created the malware were even making it available for free on the dark web. Malicious attackers also accessed Mac users’ iCloud accounts and used the Find My iPhone service to lock people out of their computers.

What are the methods used to invade the system?

There are several ways to infect a computer with malware as harmful as ransomware. One of the most common techniques is phishing spam — in which the user receives attachments from unknown sources, disguised to look like trusted files.

Once downloaded and opened, they can take control of a victim’s computer, especially if they include social engineering tricks that lead users to grant administrative access without questioning the intent behind the authorization request. Other, more aggressive forms of ransomware, such as NotPetya, exploit security holes to break into computers without needing to trick users at all.

A ransomware attack is after money, and cybercriminals use the most varied techniques to get it. The most common, and the hardest to break, is hijacking data through encryption. The most important thing to know is that at the end of the process, files cannot be decrypted without a key made available only by the attacker. The victim receives a notification warning that they must pay an amount in Bitcoin to obtain the key to decrypt their data.

In some forms of malware, the attacker can create a blocking page that simulates an official notification, coming from a police agency or public prosecutor. Generally, in the message, there is a warning about blocking the victim’s computer due to the alleged presence of pornography or pirated software, demanding the payment of a “fine”.

Another variation that is being widely used is doxware, or leakware, which consists of breaking into the victim’s hard drive and threatening to leak its contents.

What are the main types of ransomware?

There are three main types of ransomware, which cause different kinds of damage, from personal data theft to global crises. Check out what they are below.

Scareware

Scareware is malicious software that issues a pop-up with a sense of urgency, claiming that a virus has been detected on your computer and that the only way to get rid of it is to pay for software that will solve the problem. The objective is to catch inexperienced users and thus gain access to the database.

Most of the time, these pop-ups convey a sense of urgency, as if the person’s computer were in danger. It is a simpler technique that does not affect experienced users; after all, a reliable antivirus would not systematically bombard the client with this type of message. Also, stop and think: why would software you don’t already have be monitoring your computer for malware? Always be suspicious!

Screen lockers

A screen locker is a type of ransomware that freezes your PC screen. When starting the computer, a window will appear in an alert format, with some warning. The criminal may try to impersonate a law enforcement agency or police, stamping the official seal with a notification, saying that illegal activities have been detected on the computer and you must pay a fine.

Evidently, the Federal Police or Public Prosecutor’s Office would not lock you out of your computer or demand payment for illegal activities if they suspected a crime. They would use legal channels.

With companies, criminals are less creative: they use the criticality of the blocked data to pressure managers. The amount the company must pay to unlock the computer is presented as the price of the unlock key, and payment must be made in bitcoin.

Encryption ransomware

This is the most severe ransomware model, as files are directly encrypted, preventing access and requiring payment to have them decrypted. The reason this type of ransomware is so dangerous is that, unlike a lock screen or pop-up, once cybercriminals have encrypted your files, no amount of security or system restore software can recover them.

If you don’t pay, you will never have access to the data again, and even if you pay, there is no guarantee that it will be returned.

What are the origins of ransomware?

The first records of ransomware, known as PC Cyborg or AIDS, appeared in 1989. At the time, the malware was used to extort cash from PC users. In this technique, criminals were able to block the “C” directory of computers and demanded payment that had to be made by mail, with an address in Panama. After this payment, a decryption key was sent back to the user.

In 1996, ransomware known as “cryptoviral extortion” was developed by Moti Yung and Adam Young of Columbia University. This malware, developed in academia, showed all the potential and evolution that modern cryptographic tools would have in the future. Young and Yung presented the first cryptovirology attack at the IEEE — Institute of Electrical and Electronics Engineers — Security and Privacy conference in 1996.

The virus contained the attacker’s public key and encrypted the victim’s files. The malware asked the victim to send asymmetric ciphertext to the attacker to decrypt and return the decryption key — for a fee.

Attackers have gotten creative over the years, demanding nearly untraceable payments, which helps cybercriminals remain anonymous. For example, the notorious Fusob cell phone ransomware requires victims to pay using Apple iTunes gift cards instead of regular currencies like dollars.

Is ransomware a virus?

Most of us are familiar with the term virus and use it to refer to all forms of malware. The truth is that a virus is just a specific type of malware. Other common types include worms, Trojans, spyware, and ransomware. The purpose of each type of malware is different. Worms replicate and slow down your computer’s performance.

Viruses are designed to infect your computer, damage your files, and then spread to new hosts. Trojans want to get a secret backdoor into your computer to access and leak your personal information. There are numerous reasons why cybercriminals create and distribute these types of malware.

With ransomware, the motive is usually pretty straightforward: the attacker wants to make money. Its focus is not on losing or damaging your data, but on making you want the cryptographic key as quickly as possible.

What are the main targets of ransomware?

There are several ways for attackers to target organizations to attempt a ransomware attack. Sometimes it’s a matter of opportunity: for example, attackers may target universities because they tend to have smaller security teams and a large user base who share files a lot, which opens up many security holes, making it easier to penetrate.

Criminals are also always looking for companies that would be willing, for financial or high-risk reasons, to pay a ransom quickly. For example, government bodies or companies in the medical sector have greater urgency in accessing their data.

Those who work with confidential client data, such as law firms, are also more likely to pay to regain quick access to this information, as the leakage of a client’s information in these situations, in addition to legal consequences, undermines the entire credibility of the company.

But don’t feel safe if you don’t fit into these categories: as we’ve seen, some ransomware spreads automatically and indiscriminately across the Internet, through phishing, pop-ups, and screen blockers, and can target anyone.

How to protect yourself from a ransomware attack?

Considering the flood of ransomware attacks and the cost associated with them, company managers are looking for ways to prevent the spread of this malware. Here’s a quick summary of how to protect your business from malware.

Back up your data

If your company performs regular backups, the impact of an attack like this could be much smaller. It’s important to check your backups to ensure they haven’t been infected, as some types of ransomware are designed to seek out network shares. Thus, you would do well to store data backups on a secure cloud server with high-level encryption and multi-factor authentication.
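As an added example, not code from the original post, the following Python script applies the backup check described above: it walks a backup tree and flags files that look ransomware-encrypted, using file entropy plus constructed marker names and extensions that are illustrative and not taken from any real family.

```python
import math
import os
import tempfile
from collections import Counter

# Constructed markers for this demo; real families use other names and extensions.
SUSPECT_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover_files.html"}
SUSPECT_EXTENSIONS = {".locked", ".crypt", ".encrypted"}
HIGH_ENTROPY_FORMATS = {".zip", ".gz", ".7z", ".png", ".jpg"}  # legitimately dense formats
ENTROPY_THRESHOLD = 7.5  # bits per byte; text and office documents sit well below this

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: str, sample_size: int = 65536) -> str:
    """Return 'ok', 'ransom-note', 'renamed' or 'high-entropy' for one backup file."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if name in SUSPECT_NOTE_NAMES:
        return "ransom-note"
    if ext in SUSPECT_EXTENSIONS:
        return "renamed"
    if ext in HIGH_ENTROPY_FORMATS:
        return "ok"  # compressed or image data is dense by design, not evidence of encryption
    with open(path, "rb") as fh:
        head = fh.read(sample_size)  # the leading block is enough to judge entropy
    if len(head) >= 1024 and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "high-entropy"
    return "ok"

def scan_backup(root: str) -> dict:
    """Count verdicts across a backup tree; anything besides 'ok' means do not restore blindly."""
    findings = Counter()
    for dirpath, _, files in os.walk(root):
        for f in files:
            findings[classify_file(os.path.join(dirpath, f))] += 1
    return dict(findings)

def build_demo_backup() -> str:
    """Create a constructed backup directory mixing clean and suspicious files."""
    root = tempfile.mkdtemp(prefix="backup_demo_")
    samples = {
        "report.txt": b"Quarterly figures look fine. " * 200,  # clean text, low entropy
        "budget.xlsx.locked": os.urandom(4096),               # renamed by an encryptor
        "photo.bin": os.urandom(4096),                        # encrypted in place, name kept
        "readme_decrypt.txt": b"Your files are encrypted.",   # dropped ransom note
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root
```

Run `scan_backup(build_demo_backup())` to see one verdict of each kind; on a real backup set, tune the threshold and allow-list to the file types your organization actually stores.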

Keep software up to date

Ransomware often relies on exploit kits to illicitly gain access to a system or network (e.g. GandCrab). As long as the software on your network is up to date, exploit-based ransomware attacks cannot harm you.

On that note, if your company operates on obsolete software, you are at risk of ransomware because software manufacturers are no longer releasing security updates for the program in question.

Understand how the malware network works

The cybercriminals behind Emotet are using the former banking Trojan as a ransomware delivery vehicle. Emotet relies on spam to infect an end user and gain a foothold in your network. Once on your network, Emotet displays worm-like behavior, spreading from system to system using a list of common passwords. By learning how to identify spam and implementing multi-factor authentication, you’ll be one step ahead of cybercriminals.
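As an added example, not from the original post or any vendor tool, here is a small Python detection routine for the worm-like spread described above: it reads constructed logon records (a made-up CSV shape, not the real Windows event log format) and flags any source host that reaches several distinct hosts within a short window with at least one failed logon, which is what spreading by guessed passwords looks like in telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp,src_host,dst_host,user,result".
# WS-17 behaves like an infected host trying guessed passwords across the network;
# WS-04 and WS-09 are ordinary users (at most one typo, then success).
SAMPLE_EVENTS = """\
2024-03-01T09:00:01,WS-17,FS-01,jsmith,FAIL
2024-03-01T09:00:02,WS-17,FS-02,jsmith,FAIL
2024-03-01T09:00:03,WS-17,HR-PC,jsmith,FAIL
2024-03-01T09:00:04,WS-17,FS-01,admin,FAIL
2024-03-01T09:00:05,WS-17,DC-01,admin,SUCCESS
2024-03-01T09:00:06,WS-17,FS-03,admin,SUCCESS
2024-03-01T09:30:00,WS-04,FS-01,mlee,SUCCESS
2024-03-01T09:31:00,WS-04,FS-01,mlee,SUCCESS
2024-03-01T11:00:00,WS-09,FS-02,kdoe,FAIL
2024-03-01T11:00:30,WS-09,FS-02,kdoe,SUCCESS
"""

def parse_events(text: str) -> list:
    """Parse the constructed CSV shape into (time, src, dst, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), src, dst, user, result))
    return events

def find_spraying_sources(events, window=timedelta(minutes=5), min_targets=3) -> dict:
    """Return {src_host: sorted target hosts} for sources that reached at least
    min_targets distinct hosts inside any `window` that also contains a FAIL.
    A success right after failures against other hosts is the foothold spreading."""
    by_src = defaultdict(list)
    for ev in sorted(events):  # chronological order, grouped per source host
        by_src[ev[1]].append(ev)
    flagged = defaultdict(set)
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            targets = {e[2] for e in span}
            if len(targets) >= min_targets and any(e[4] == "FAIL" for e in span):
                flagged[src].update(targets)
    return {src: sorted(t) for src, t in flagged.items()}
```

With the sample above, only WS-17 is reported, together with every host it touched; a single user mistyping a password against one server never trips the rule.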

What have been the impacts of this type of attack in recent years?

Ransomware is a “big business” of crime, as there is a lot of money in it and the market has expanded rapidly since the beginning of the decade. In 2017, ransomware resulted in losses of US$5 billion, both in ransoms paid and in time spent recovering from attacks. This represents a 15x increase from 2015. In the first quarter of 2018, just one type of ransomware, SamSam, raised $1 million in ransoms.

Some markets are more targeted for ransomware attacks — as they are more likely to pay the ransom. Many high-profile ransomware attacks have taken place at hospitals or other medical companies, which are considered clear targets by criminals: they know that the industry works with lives and these companies are more likely to pay a relatively low ransom to resolve a problem.

It is estimated that 45% of ransomware attacks target medical companies and, correspondingly, 85% of malware infections in these organizations are ransomware. Another targeted area is the financial services sector, which is literally where the money is. An estimated 90% of financial institutions were targeted by a ransomware attack in 2017.

Ransomware is considered high-risk malware, precisely because, in most cases, it is not detectable by conventional antivirus software. Cybercriminals are constantly improving their algorithms, always focusing on escaping the radar of traditional antiviruses. No matter how structured a company’s digital security is, it will be vulnerable to this type of attack.

Should companies pay the ransom when attacked?

If your system has been infected by malware and you have lost vital data, which cannot be restored by backup, should you pay the ransom?

In theory, most security experts urge companies not to pay attackers, believing that this only encourages criminals to create more ransomware. That said, many organizations that are hit by malware tend to run an analysis to calculate the damage and weigh the cost-benefit, comparing the ransom price with the value of the encrypted data.

Most of the time, attackers charge relatively low prices, usually between $700 and $1,300, a very affordable amount for businesses. Some particularly sophisticated malware detects the country in which the infected computer is running and adjusts the ransom to match the local economy, demanding more from companies in rich countries and less from poor regions.

Discounts are often offered for acting quickly to encourage victims to pay quickly before thinking too much. In general, the price is set so that it is high enough to be worth the criminal’s time but low enough to be cheaper than what the victim would have to pay to restore their computer or reconstruct lost data.

With this in mind, some companies are building the value of a possible ransom into their security plans: for example, buying Bitcoin and holding it in reserve specifically for ransom payments in the event of a data hijacking.

What were the most impactful attacks in the world?

Although ransomware has technically been around since the 1990s, it has been in the news heavily over the past five years, largely due to the availability of hard-to-trace payment methods like Bitcoin. Some of the most devastating attacks are:

  • CryptoLocker, a 2013 attack that launched the modern era of ransomware and infected up to 500,000 machines at its peak;
  • SimpleLocker, the first widespread ransomware attack targeting mobile devices;
  • WannaCry, which spread autonomously from one computer to another using EternalBlue, an exploit developed by the NSA and then stolen by hackers;
  • NotPetya, which also used EternalBlue and may have been part of a Russian-directed cyber attack against Ukraine;
  • Locky, which began spreading in 2016, was “similar in its attack mode to the notorious Dridex banking software.”

Is ransomware on the decline?

Why do security experts have this impression, and why might ransomware attacks be declining? In part, the drop is related to the cybercriminals’ currency of choice: Bitcoin.

Collecting a ransom from a victim has always been difficult, as they may decide not to pay because they have backup copies of the data or do not see a favorable cost-benefit relationship between the payment and the value of the information. There is also the possibility that victims are not familiar enough with Bitcoin to complete the payment quickly enough.

The decline of ransomware has been accompanied by a rise in so-called crypto malware, which infects a victim’s computer and uses its computing power to mine bitcoin without the owner knowing. This is an attractive route for attackers to use someone else’s computing resources to obtain cryptocurrency: it bypasses most of the difficulties of collecting a ransom, and it became more attractive as a cyber attack as the price of bitcoin rose in late 2017.

With the price of bitcoin falling, the cost-benefit analysis for attackers may encourage them to resume attacks.

We hope that after reading this post, you have a good knowledge base about ransomware attacks. The first step to preventing any attack is understanding it and knowing what the criminals’ objectives are. Then, for better data protection, focus on prevention, and encourage your employees to be suspicious of everything and not to download attachments or files from unknown sources.

Did you like the post? Want to start preventing ransomware attacks? Then see how to do good network monitoring and protect access to the business system.