What Is Ransomware?

The Neeva Team on 01/25/22

In September 2020, as the pandemic raged and hospitalizations surged, Universal Health Services, a US health care provider with more than 400 facilities, was suddenly locked out of its digital network. The situation spiraled as patients were routed to other emergency rooms, test results were delayed, and lives were endangered.

This wasn’t the result of a power outage. It was deliberate. The facilities had been hit by a ransomware attack in which hackers shut down computer systems and demanded a ransom payment to restore access.

Ransomware is a digital scourge that poses a threat to you, your data and your devices. It’s essential to learn what it is so you know how to respond.

What is ransomware?

Ransomware is extortion software designed to lock you out of your device or encrypt your data until you pay a ransom to the attacker, who may threaten to publish or destroy your information.

Ransomware attacks are profitable and hard to trace, making them a cybercriminal’s weapon of choice. They can target individuals and organizations, including governments, schools, hospitals, and businesses, causing critical disruptions and losses.

All internet-enabled devices are at risk of ransomware, including critical infrastructure. In 2021, one of the largest pipelines in the US was hit by a ransomware attack, forcing its operator, Colonial Pipeline, to halt systems in order to contain the breach, which led to a gasoline shortage. Soon another attack hit the country’s largest meat processor, upsetting meat markets and prompting the White House to issue an open letter warning businesses to take urgent security measures to protect against escalating ransomware attacks.

Ransomware is a form of malware, or malicious software, which is an umbrella term for software designed to harm or exploit a programmable device, server, or network. Verizon’s 2018 Data Breach Investigations Report found ransomware in 39% of identified malware while its 2021 report shows 10% of all data breaches now involve ransomware, which it called “a favorite malware flavor.”

In some cases, just clicking a link or downloading an attachment is enough to let an attacker into your system. From there, ransomware exploits the system’s vulnerabilities to encrypt files, drives, servers, and even other networked computers, spreading from system to system, sometimes across an entire organization.

Once files are encrypted, ransomware demands a payment to unlock and recover your data before it’s destroyed—a precarious dilemma for those who haven’t backed up their data. Ransoms generate billions of dollars in payments, which are often made in untraceable cryptocurrencies, making many attackers hard to track.

The New York Times reports most ransomware attacks today are committed by hackers based in Russia or Eastern Europe, though there are attackers, and gangs of attackers, situated around the globe.

There are two main types of ransomware, each with its own threats:

  • Locker ransomware. Sometimes referred to as a screen locker, this affects basic computer functions and blocks system access with a lock screen.
  • Crypto ransomware. This encrypts individual files or other data on a system, making the data inaccessible without decryption keys.

The history of ransomware

In the late 1980s, criminals began extorting early internet users with the AIDS Trojan, an early form of ransomware that scrambled the names of victims’ files and demanded a ransom. Victims mailed ransom payments to Panama to retrieve the decryption keys. But the method eventually crumbled since the keys could be extracted from the Trojan’s code.

Moti Yung and Adam Young, two researchers from Columbia University, presented the first cryptovirology attack at the 1996 IEEE Security and Privacy conference, showing the world the gravity of online threats. Unlike its predecessors, the virus the former hacker and cryptologist developed didn’t reveal decryption keys to the victim, meaning the attacker held the only keys.

Cryptoviral extortion enabled the first secure data kidnapping attack and proved how much new cryptographic tools had advanced. The discovery was seen as “simultaneously innovative and somewhat vulgar,” the researchers recall. Long before cryptocurrency, their paper predicted attackers would one day demand “electronic money,” foreshadowing today’s billion-dollar industry.

The media began referring to cryptoviral extortion as ransomware, with the first cases reported in Russia in 2005 and quickly spreading across the world, infecting mostly individual users. Targeted attacks increased into the early 2010s, and by 2014 could be observed on mobile devices.

Attackers also turned their attention to businesses. These attacks showed the full potential of ransomware, which could halt productivity, destroy critical data, and yield perpetrators millions of dollars. As Yung and Young had predicted, cryptocurrencies like Bitcoin, Ethereum, and Litecoin gave ransomware an edge, helping attackers remain anonymous.

In 2016, the same year ransomware first affected an Apple operating system, Presbyterian Memorial Hospital in Los Angeles suffered a devastating attack. Hackers seized critical computer systems in labs, pharmacies, and emergency rooms, endangering lives and forcing the hospital to pay $17,000 in ransom money.

The pandemic worsened an already dire situation, as organizations had to accommodate remote working, ransomware gangs targeted overburdened hospitals, and schools adjusted to remote learning. Corporations and many governments, meanwhile, scrambled to lay down basic defenses. Much like COVID-19 itself, ransomware variants kept evolving to skirt preventive technologies.

As the list of targets has grown, so have ransom demands. Ransomware markets have popped up online, allowing authors to sell their services—known as Ransomware-as-a-Service, or RaaS—to other less-tech-savvy hackers. For now, attackers mostly focus on targets in the UK, US, and Canada, though they’ll likely spread farther in coming years.

How ransomware infects devices

One careless click can give an attacker the foothold they need to access your system. Here are three common ways ransomware infects a device:

1. Malspam

Malspam, short for malicious spam, is unsolicited email that spreads malware. To gain access to computer systems, attackers send email blasts with malicious attachments to as many potential victims as possible. Some recipients open the email attachments and follow links to a malicious website, where they inadvertently download malware like ransomware. Be wary of messages from unfamiliar senders and always think twice before opening unsolicited attachments and clicking links.

2. Social engineering

Social engineering exploits human error to trick victims in order to gain access to personal information or protected systems. Online social engineering is becoming more and more innovative. For instance, ransomware attackers posing as law enforcement may allege they’ve found illegal content on your device. In other cases, pop-up ads with false alarms may convince you to download bogus security software that infects your system. Be suspicious of strange notifications.

3. Malvertising

Malvertising, or malicious advertising, spreads malware through online advertising. Attackers put infected ads on legitimate advertising networks, which appear on sites you trust. In some cases, due to browser vulnerabilities, an ad can cause a website to redirect you to another site, so you don’t even need to interact with the ad to fall victim.

Malvertising often uses an invisible webpage element to redirect you to a malicious server, where malware, and often ransomware, can infect your system. These servers sometimes catalog details about your devices and use the information to deliver the most effective kind of infection.
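A defender-side check for the pattern described above, added here as an example and not part of the original article: it scans a page's static HTML for `<iframe>` elements that are hidden from the visitor yet load from a different host. Treating the "invisible element" as an iframe, the helper names, and the `.example` hosts in the constructed sample page are all assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style declarations that hide an element from the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.I,
)

class HiddenFrameFinder(HTMLParser):
    """Collects <iframe> tags that are invisible and load from another host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (frame host, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # Relative and same-site frames are out of scope for this check.
        if not host or host == self.page_host or host.endswith("." + self.page_host):
            return
        reasons = []
        if "hidden" in a:
            reasons.append("hidden attribute")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by inline style")
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("zero or 1px size attribute")
        if reasons:
            self.findings.append((host, reasons))

def find_hidden_frames(html, page_host):
    finder = HiddenFrameFinder(page_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page (not real traffic), served from news.example.
SAMPLE_PAGE = """
<iframe src="https://ads.example/banner" width="300" height="250"></iframe>
<iframe src="//redirect.example/r?id=1" style="width:0;height:0;border:0"></iframe>
<iframe src="/comments" style="display:none"></iframe>
<iframe src="https://static.news.example/w" hidden></iframe>
"""

if __name__ == "__main__":
    for host, reasons in find_hidden_frames(SAMPLE_PAGE, "news.example"):
        print(host, "->", ", ".join(reasons))
```

The check only sees static markup and inline styles; frames injected by script or hidden through a stylesheet class need inspection of the rendered DOM.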

How to avoid ransomware attacks

If you’re online, you’re at risk, but there are ways to protect against ransomware. Basic cautionary measures not only make you a less attractive target, they can help mitigate the damage in the event of an attack. Here’s how to tighten your defenses:

  • Back up data. A backup won’t prevent a ransomware infection, but it will mitigate the risks. If you’re hit, you can wipe your device and reimage it from the backup so you won’t have to reward the attacker by paying a ransom. Consider storing your information in a cloud or on an external hard drive, and make sure the backups aren’t directly accessible from the device where the original data lives—otherwise they risk becoming infected, too. Look for a cloud service that includes high-level encryption and multi-factor authentication, and always disconnect physical hard drives after backing up.
  • Use security software. Ransomware is likely to be detected by security software. Download and install an app that actively scans and blocks malware threats, on computers and mobile devices. Make sure the app runs regular scans, including vulnerability scans, and automatically updates with the latest security patches.
  • Keep software up to date. Ransomware often exploits system vulnerabilities in order to gain access, as evidenced in 2017 by the WannaCry ransomware attack. Update your devices’ operating systems, browser, and apps when possible, or set them to update automatically.
  • Set strong passwords and use multi-factor authentication. Some forms of ransomware spread from system to system using a list of common passwords. Maintain strong, unique passwords for all your accounts and devices, and consider using a password manager to track them. For important online accounts, set up multi-factor authentication.
  • Only download software from trustworthy sources. You can pick up ransomware through malicious apps. Avoid downloading apps from unreliable sites or peer-to-peer networks. The same goes for mobile apps, which should come directly from the App Store or Google Play app store. Security software should always come from a reputable provider.
  • Stay smart. Stay current on new ransomware threats, as well as how social engineering tactics are evolving. The CISA’s Stop Ransomware website and No More Ransom, a cybercrime initiative, are two great places to start.

How to handle a ransomware attack

Even the best preventative measures can fall short. If you’ve been attacked, here’s how to respond and prevent the infection from spreading throughout your network, though in most cases expert intervention is necessary.

  • Disconnect from the internet. To contain the threat, shut down infected devices and disconnect from the internet. This way, if the malware is still active on reboot, it won’t be able to send or receive instructions from the attacker’s server.
  • Isolate affected devices. Ransomware can spread rapidly throughout your local network. Determine which of your devices are affected and disconnect them from other devices. The sooner you do this, the better, though immediate isolation won’t guarantee the attack hasn’t reached other parts of your network.
  • Identify the ransomware. Determining what kind of ransomware you’ve been hit with can help mitigate the damage. You can find out by visiting sites like No More Ransom, where you can upload encrypted files for a match. You can also look up parts of the ransom note online, which can lead to more information on the variant. Pass on what you’ve learned about the ransomware to others within your network to help them spot signs of infection.
  • Download security software. Running a security scan can help remediate and remove the threat, although you may not retrieve your data. Consider also setting up a professional review of your network for potential security upgrades. Attackers often exploit the same vulnerabilities.
  • Contact law enforcement. Forensic experts can help ensure that your system is no longer compromised, as well as gather information to help find stolen data and locate those responsible, although there’s no guarantee since perpetrators usually operate abroad.

These steps won’t work in all cases. Without a backup or a decryption key, your only option may be to reset your system to factory settings and start from scratch—a long and sometimes expensive process. Prevention is the best strategy.

Why you should never pay ransoms

The FBI and most other experts advise against paying the ransom. It emboldens those responsible, potentially motivating more attacks. Some organizations like hospitals may not have a choice, but in most cases there’s no guarantee the attacker will restore your data or device if you pay. Some victims never receive decryption keys after paying—and some receive more ransom demands when they do. Avoid putting a target on your back: Don’t pay.
