The term "ransomware" combines the word "ransom" with "ware", the common IT shorthand for software. The neologism already hints at the primary goal: malicious programs are used to extort a ransom from unsuspecting users. More specifically, ransomware partially or even completely restricts access to data and computer systems, and access is only restored once the demanded ransom has been paid. In the end, ransomware is nothing more than blackmail - just in digital form.
According to a report by Google, US$ 25 million was extorted through ransomware between the first quarter of 2014 and the second quarter of 2017. As statistics from the IT company SonicWall point out, 2016 was the year of ransomware, with 638 attacks recorded, "thanks" to Petya and other blackmail Trojans.
Ransomware is not new
A recent example from the US state of Georgia shows how much damage ransomware can inflict: Cybercriminals managed to bring down a large part of Jackson County's public administration with the help of ransomware. The victims paid the demanded ransom of US$ 400,000 willingly – but only because a prolonged outage or a rebuild of the systems could have cost as much or even more. In the past, blackmail Trojans such as GoldenEye or WannaCry have also demonstrated the enormous threat ransomware can pose.
Ransomware: One term, two variants
As is usual for malware distribution, ransomware mercilessly exploits both human error and technical weaknesses – infected email attachments, fake websites, browser vulnerabilities, and server vulnerabilities are just a few examples.
Once a system is infected with ransomware, you will most likely face one of the following two (horror) scenarios:
Scenario 1: Systems are blocked
Most victims of this type of ransomware report a message box that cannot be closed – not even with the help of the Task Manager (because it is blocked as well) – and that severely limits the use of the computer system. The window informs the victim that the system lock can only be lifted by heeding the ransom note.
Scenario 2: Data is encrypted
In this ransomware scenario (which is far more widespread in practice), the data on the infected system is encrypted so that it can no longer be accessed. Not only the data on the local hard drive can be affected, but also data on connected storage, such as cloud shares or servers. The key needed to decrypt the files is only handed over by the attackers in exchange for the demanded ransom.
In many cases, cybercriminals threaten to block the system in the long term or delete the encrypted data should the police be called in.
Measures against ransomware
To make sure your system does not get infected with ransomware, the anti-ransomware project "No More Ransom" gives some practical tips that we can only agree with:
- Regular backups protect you from unexpected data encryption or loss. Important: Save your backup copy to external media (preferably both physically and virtually) and then disconnect it from the hardware – otherwise the ransomware could spread to it as well.
- Automate updates to keep your operating systems and programs up to date.
- Use professional anti-virus software. The so-called heuristic functions, which are now standard in anti-virus programs, help detect unknown ransomware and should therefore always be activated.
- Exercise caution with unknown and/or suspicious emails (or other online notifications): in such cases, instructions, attachments and links should be ignored rather than followed or opened.
- If you're using Windows, it's a good idea to enable the Show File Extensions option in the Windows settings to help identify potential ransomware. In particular, "No More Ransom" warns against files with extensions such as ".exe", ".vbs" and ".scr".
- In addition to the aforementioned preventive measures, the German Federal Office for Information Security recommends that employees undergo training and to generally raise awareness of cyber security in the company.
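To illustrate the "Show File Extensions" tip, here is an added example that is not part of the original article: it shows how a filename such as "invoice.pdf.exe" appears when Windows hides the last extension, and flags attachments with the extensions "No More Ransom" warns about. The filenames and the list of "document-like" extensions are constructed for this example.

```python
# Added example (not from the original article): why "Show File Extensions"
# matters. With "Hide extensions for known file types" enabled, Explorer
# drops the final extension, so "invoice.pdf.exe" is displayed as
# "invoice.pdf". The checks below flag the extensions the article names.
import os
from typing import Dict, Iterable, Optional

# Extensions the article says "No More Ransom" warns against
RISKY_EXTENSIONS = {".exe", ".vbs", ".scr"}

# Document/image types an attacker imitates with a double extension
# (assumption: a small illustrative set, not an exhaustive list)
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx",
                       ".jpg", ".png", ".txt"}


def displayed_name(filename: str) -> str:
    """Name as shown when known extensions are hidden: strip the last one."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def assess(filename: str) -> Optional[str]:
    """Return a reason string if the name looks dangerous, else None."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in RISKY_EXTENSIONS:
        return None
    # Double extension such as "invoice.pdf.exe" (padding spaces stripped):
    # with extensions hidden it masquerades as a document.
    _, inner = os.path.splitext(stem)
    inner = inner.lower().strip()
    if inner in DOCUMENT_EXTENSIONS:
        return (f"executable disguised as {inner} "
                f"(shown as '{displayed_name(filename)}')")
    return f"executable attachment type {ext}"


def scan_names(filenames: Iterable[str]) -> Dict[str, str]:
    """Map each flagged filename to the reason it was flagged."""
    findings: Dict[str, str] = {}
    for name in filenames:
        reason = assess(name)
        if reason:
            findings[name] = reason
    return findings


if __name__ == "__main__":
    # Constructed sample attachment names, not real malware samples
    sample = ["report.pdf", "invoice.pdf.exe", "holiday.jpg.scr",
              "update.vbs", "notes.txt"]
    for name, why in scan_names(sample).items():
        print(f"{name!r} (displayed as {displayed_name(name)!r}): {why}")
```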
In the event that you have already caught ransomware and your data has been encrypted, the Swiss Reporting and Analysis Centre for Information Assurance MELANI advises you to do the following:
- Immediately disconnect the affected device from all networks – this is the only way to prevent the ransomware from spreading.
- In the next step, reinstall the system and then change all passwords.
- Now you can – if available – restore the backup to your system. If you did not make a backup in advance, you should still keep the encrypted data, because remedies already exist for many known ransomware families, such as the decryption tools from "No More Ransom".
- Report the incident to the police – even if the cybercriminals explicitly warned you against doing so. Only with the authorities involved can further steps be taken.
- Under no circumstance should you transfer the required ransom. On the one hand, it encourages hackers to continue spreading the ransomware, and on the other hand, paying is no guarantee that you will actually receive the decryption key.
This brings us to the conclusion: Ransomware is definitely not to be taken lightly – after all, it involves the payment of large sums of money. And it is not only a financial loss that must be feared: the reputation of your company is also at risk if, for example, third-party data is affected by the ransomware. However, with the recommended security measures, you can minimize the likelihood of a ransomware infection.