Hey, cyberspace traveler.
So you wonder what ransomware is, eh?
You’ve come to the right place.
Here is a simple ransomware definition:
Ransomware is a type of malicious software that blocks users from accessing their data. The malware requires a payment to release the files, usually in cryptocurrency.
That’s more or less every dictionary’s explanation of ransomware. What a dictionary can’t tell you is that this malware is on the rise.
Last year alone, ransomware grew more than any other type of malware. Moreover, more than 4,000 ransomware attacks occur every day.
With that in mind, one thing is sure – ransomware will continue to endanger systems in 2019.
That’s why we need to understand what it is and how it works to be able to protect our devices.
Thankfully, ransomware isn’t invincible, and there are ways to remove it.
But let’s start with the basics.
- What Is Ransomware
- How Does Ransomware Infect a System?
- Types of Ransomware – the Wolves in Sheep’s Clothing
- How to Find out If Your Device Is Infected with Ransomware?
- What to Do If Infected with Ransomware
- How to Remove Ransomware and Recover Your Data in Three Easy Steps
- Ransomware Protection – Can We Immunize Our System Against Ransomware Attacks?
- Final Thoughts
What Is Ransomware
Okay, so we’ve grasped the idea of a ransomware attack.
However, it’s arguably enough, so let’s delve a bit deeper.
Imagine you are a medieval king. While you are away, on a march with your troops, an unfortunate event occurs.
Since your troops are with you, there aren’t many left to guard your castle (lack of antivirus software).
At that exact time, an unknown barbarian king and his army approach your castle. Maybe someone was misled (phishing) and invited him in. Or it was a planned attack.
The enemy’s horsemen bypass your ballista towers (OS patches) and occupy the throne room. Your kingdom’s treasury lies below that very room.
The problem is its riches sparkle behind a massive oak door, sealed with the biggest lock your royal blacksmith could forge. Meanwhile, your messengers alert you of what’s happened.
Naturally, you ride back on your faithful white stallion, a massive golden key swaying on your neck. Once you reach your castle’s gatehouse, an enemy emissary greets you.
He claims the barbarian occupiers will leave your castle if you give them a part of your treasury. Otherwise, they’ll burn the castle down, along with the adjacent buildings.
See, the same happens when a ransomware attack hits a system. Users’ data is held hostage until they pay a ransom.
But it gets worse:
Sometimes even when they pay the ransom, users can’t recover their data. (No one trusts barbarians, right?)
Unfortunately, 17.5% of all infected companies paid the ransom, yet still lost their data.
Be that as it may, many people and organizations still pay cybercriminals to retrieve their data, making ransomware a profitable venture. The expected damage by ransomware is set to reach $11.5 billion in 2019.
That’s some incentive to take care of your digital security.
To reach the Nirvana of online safety, we must start our journey with ransomware’s entry points.
How Does Ransomware Infect a System?
The most common way a ransomware virus (or any other malware) infects a device is through phishing attacks.
They are either spam emails, which prompt users to click on an infected link or contain a malicious attachment.
Social networks are the second most popular phishing channel.
Finally, there’s a method of delivery known as a drive-by download.
It occurs when a visitor clicks on an infected site and thus, unknowingly downloads and installs the malware.
Once it infects a system, it can either encrypt files or block users’ access to them.
There’s a slight difference between the two, depending on the ransomware type, although in both cases users can’t use their data.
Types of Ransomware – the Wolves in Sheep’s Clothing
There are many types of ransomware. Here are the most common ones:
Also known as locker ransomware, this type of malware does precisely what its name suggests.
A fullscreen message denies access to your device, demanding a ransom.
You can’t do almost anything on your device, except communicate with the attacker and pay the demanded amount.
This type of ransomware encrypts users’ files, making them useless. Only after purchasing a decryption key can users access their data.
Since payment is made mostly with Bitcoin, some ransomware even provide articles, explaining what bitcoin is and how to buy it.
Most often, these attacks have a time limit, asking visitors to pay before the deadline, or they lose their files.
Usually, there is a second countdown timer, which increases the ransom.
This type of attack is a little different from typical ransomware.
Not only does this malware encrypt your files, it also threatens to reveal sensitive information publicly.
The word derives from “doxing” – a term used by hackers, which means hacking and publishing sensitive data online.
Doxware is also known as extortionware.
Ever seen this type of message?
“Your computer is/may be infected!”
Followed by a list with at least a dozen infections.
This is a typical scareware message.
This type of malware appears as a warning from a fake antivirus program, which can remove your non-existing infections. When downloaded, however, instead of cleaning your system, it steals the user’s data.
This attack has two consequences. First of all, victims pay for the fake antivirus, sharing their credit card information to a cybercriminal.
Second, they install malware on their device, which could allow threat actors to access your files, spy on your online activities, etc.
This attack may also appear as a message from the FBI, NSA or other similar agency, which claims someone used your computer for malicious purposes (visiting child pornography sites, sending phishing emails, etc.)
To regain access to your device, you must pay a “fine.” Still just another flavor of ransomware, though.
Imagine you are a cybercriminal and you want to launch a ransomware attack. The problem is – you don’t know how to create one.
So what do you do?
You pay someone to use their ransomware.
This is what Ransomware-as-a-Service means.
This scheme is used mostly by novice cybercriminals, which can personalize the chosen ransomeware without having advanced coding skills.
One of the most famous RaaS portals – GandCrab, shut down in June 2019. Its creators claimed their “clients” made $2 billion for one year.
These are the most common types of ransomware attacks.
Now let’s see what happens once they infect a system.
How to Find out If Your Device Is Infected with Ransomware?
Usually, if your device is infected, you’ll know.
Unlike many malware, ransomware attacks are often apparent – you get a big image with a message explaining what has happened and instructions on what to do next.
Not all attacks behave like that, though. For those cases, here are the telltale signs of a ransomware infection:
- You can’t open your files.
This happens when encryption ransomware hits your device. Windows and Mac systems can’t seem to find the programs, which open your files.
- Strange file extensions
We all know the common file extensions – like .jpg, .doc, .exe. But when encryption ransomware is involved, the extensions change, usually with the name of the attack. Let’s say we want to open a file named Picture.jpg. Here’s how different ransomware will change its name:
WannaCry – Picture.jpg.WNCRY or Picture.WCRY
AutoLocky – Picture.jpg.locky
777 – Picture.777
Finally, there are cases where the new extension is random, – or there simply isn’t one.
- There are instructions for a demanded ransom.
Cybercriminals leave a note with every ransomware attack.
This note is usually a text file, located somewhere where you’ll see it. Most often it’s on your desktop, but some attackers leave a note in every folder that contains encrypted files.
So once infected, what should you do?
What to Do If Infected with Ransomware
First of all – don’t pay the ransom right away.
Although these attacks come with a timer, you have enough time to do several things first.
First, you have to determine whether this is a real ransomware attack or a fake one.
If you can get past the ransom note and access your files, it could most likely be scareware attack, and you can go past and remove.
If you can’t access your files, be it because of encryption or lock-screen, here’s what you should do:
First – you need to know which ransomware has infected your system. You can visit ID ransomware or nomoreransom.org. The latter also provides a solution and decryption tools for any of the ransomware families in their database.
If there happens to be a solution for your infection – use it.
If there isn’t, visit the Avast ransomware decryption tools page. Most cybersecurity companies provide such tools – so you can browse the Web to find a remedy.
There are cases where you don’t find one.
Then, you need to disconnect your machine from the network, to contain the infection.
WannaCry, one of the most notorious ransomware attacks in 2017, was able to spread to all connected devices, regardless of the connection type (wired/wireless).
Now it gets tricky.
To Pay, or Not to Pay: That Is the Question
This is the moment to stop and think if you should pay the ransom.
Keep in mind neither of these decisions offers a 100% chance you’ll get your data back.
There are other variables in place as well. Here’s a recent example:
On May 10th, 2019 Urban One suffered a ransomware attack. The company didn’t pay the required ransom, but lost up to $800,000 in revenue. That’s on top of the $500,000 extra they had to pay to restore their system.
So we can add this kind of losses to the equation too.
*Interesting fact – The same amount of money – nearly $800,000 (50 talents of silver) was the ransom Julius Ceaser proposed for himself when Cilician pirates abducted him in 75 BCE. The funny thing is – they wanted 20 talents, but the story goes he laughed at their face and said they should demand 50. Later on, after his release, he got back his 50 talents. Maybe you can guess what happened to the pirates. Need a hint? Crosses were very popular back then.
Anyway, we are back to ransomware.
When you wonder whether you should pay or not, here are the possible scenarios that could happen:
You decide to pay the ransom.
Although most cybercriminals will keep their word and decrypt your files, there isn’t any guarantee they’ll do it. There’s a chance they’ll take your money and leave the system as it is.
That said, if you are going to pay, you can negotiate to lower the demanded amount. Most cybercriminals will agree on a smaller ransom, instead of risking not getting anything at all.
There’s also the fact that you’re rewarding cybercriminals for their illegal efforts. That’s something you can choose to consider or ignore.
You decide not to pay the ransom.
So you know the ransom’s definition and you decide not to negotiate with terrorists.
Here’s how you should proceed:
If you intend to contact the authorities once it’s all over, make screenshots or take pictures of your screen before you continue.
How to Remove Ransomware and Recover Your Data in Three Easy Steps
Keep in mind the next part of this post doesn’t guarantee you’ll save your data.
With that said, here’s what you should do:
Use an antivirus or anti-malware program to remove the infection.
Good examples of such software, which also include ransomware removal are:
You may need to reboot your device in safe mode to be able to remove the ransomware.
If you have a backup on your files – now is the time to be thankful you’ve done it.
If you don’t, you can try to recover your files with a data recovery tool.
See, most encrypting ransomware copy and encrypt your files, then they delete the original ones.
That’s why such a tool may prove efficient.
If this method doesn’t work, try the decryption tools we mentioned earlier – like No More Ransom. Alternatively, type “ransomware decryption tools” in Google and try one (or more) of the results.
If you’ve found a solution, by now you should have a clean system.
Nevertheless, you may be dealing with a new ransomware version, which could prove to be a problem.
If that is the case and you don’t want to pay, you can just give up the files and reinstall the operating system.
Remember the picture you took before you started fighting back?
Now is the time to use it. You should contact the authorities about the ransomware attack. That’s the way to go if you have insurance or want to file a lawsuit. It also helps agencies keep track of these attacks.
Ransomware Protection – Can We Immunize Our System Against Ransomware Attacks?
Like with most malware, prevention from ransomware begins with an up to date operating system.
The same goes for any antivirus/anti-malware software you’re using. If you don’t – it’s a good idea to install one.
There are many anti-ransomware programs available online as well. Such an example is the MalwareBytes anti-ransomware tool.
If you want free ransomware protection – Kaspersky has you covered with a tool of their own.
If you combine these three simple solutions, you’ve done the best you can to ensure your system’s safety.
Anyway, technology alone is not a solution – there’s a human factor involved as well. Aim to avoid clicking on spam emails and browsing shady sites – those are big no-nos in terms of online security.
Last but not least – back up your important files regularly. You can use a cloud-based service, a USB flash drive, or an external hard drive.
Let’s summarize what you need to have the best ransomware protection:
- Up-to-date OS and antivirus/anti-malware.
- Online threat awareness
- A backup of your important files.
I know it could be annoying, especially the backup part, but those are the facts. After all, these three simple tips can save you a ton of headache and up to $1 million in cash.
A ransomware attack isn’t a joke. It denies access to your files, which is a hassle for both individuals and companies.
What’s more, these attacks keep popping up. In 2018, there were 500% more ransomware attacks, compared to 2017.
Luckily, cybersecurity specialists don’t go around playing games on their smartphones all day. Instead, they create new tools and decryptors every day so we can enjoy safer internet.
Stay safe online, dear cyberspace traveler.
What causes ransomware?
Usually, a ransomware attack is delivered via phishing/spam.
According to Statista, in Q2 2018, 66% of all ransomware attacks infected a system via this channel. Almost one-fourth (24%) of infections happened when a user visited a malicious website or clicked on an infected advertisement.
Can you remove ransomware?
In most cases, yes – you can.
As mentioned before, you can successfully remove ransomware if you follow three simple steps.
- Visit No More Ransom to identify the threat.
- Download a ransomware removal tool or anti-malware software to delete the malware.
*In some cases you can uninstall the malware from the control panel/programs.
Although your system is ransomware-free, this act alone doesn’t decrypt your files. Therefore you have two options if you want your data back.
- Use decryption tools to release your data. Or restore your data from a backup file.
How does ransomware attack work?
Knowledge is power.
People often ask, “How does ransomware work,” or “How does it infect my system?”
By knowing the answers to these questions, we can be ready with the appropriate countermeasures.
Since we already know how the infection works, let’s turn our attention to its inner workings.
When ransomware infects a system, it starts encrypting files. Once done, the ransom note is displayed, usually with a timer.
You can view an example of a Petya infection and what it does.
Usually, ransomware gives the user two options:
- Pay the ransom.
Usually, the demanded ransom is in Bitcoin, or another cryptocurrency, because this type of transaction is harder to trace. You can negotiate with the cybercriminal to pay a lower amount.
Be that as it may, your data main remain encrypted even after you’ve paid the ransom. So there’s obviously the other option:
- Don’t pay the ransom.
If you decide you aren’t going to invest your money in criminal organizations, there is a chance of losing your data.
However, if you have a backup in place – it could restore your files.
The other option is to recover your data by any of the means explained in the above paragraphs.
Either way, there is a chance you can lose your files, so you better try not to get infected in the first place.
Which leads us to the next frequently asked question.
What is ransomware protection?
There are a few things you should do to stay safe from a ransomware attack.
- Keep both your OS and antivirus/anti-malware updated.
- Don’t click on spam emails or links/ads from unconfirmed sources.
- Install an anti-ransomware tool.
- If you own a business – educate your employees about online threats.
- Just in case – backup all your valuable data.
What is meant by a ransomware attack?
Ransomware is a type of malware, which either locks a user’s device or encrypts its files. The data is released once the user pays a required ransom.
Usually, cybercriminals demand cryptocurrency to protect their identity.
So what is ransomware in one sentence?
It’s malware which holds users’ device/files hostage demanding a ransom for their release.