Ransomware is a type of cybercrime in which attackers gain access to a system, lock it down, and demand a ransom (most commonly paid in cryptocurrency) to restore access. Users open the door to these attacks by opening malicious emails, downloading infected applications, or visiting compromised websites.
It’s a type of extortion that’s becoming extremely common due to how lucrative it can be—and how simple it is to implement. In fact, it’s become so streamlined these days that hackers are offering Ransomware-as-a-Service toolkits online that let nearly anybody launch a ransomware attack on their own.
And worst of all, traditional security best practices aren’t enough to stop it. A 2017 report by Sophos Ltd. highlighted these challenges:
- 54 percent of organizations were affected by some type of ransomware in the past year;
- Healthcare organizations were the top target of attacks;
- The median costs of these attacks came out to $100,000 per affected organization;
- Of those affected, 77 percent were running up-to-date endpoint security.
Types of Ransomware
Even though ransomware has been making headlines in the past few years, it’s not a new attack vector. Reports as far back as 1989 describe Trojan viruses (passed through floppy disks!) that attacked and encrypted the root directories of the system. Of course, ransomware has evolved since then into more challenging and disruptive types of attacks.
Locker Ransomware (Lockerware)
This type of ransomware “locks” the computer’s interface while (usually) leaving the underlying system untouched. The attackers restrict access to the system but leave just enough functionality for the victim to enter payment details in exchange for the system’s release. This type of ransomware is usually paired with a phony “federal authority” screen that makes unsuspecting users believe they have violated some law and must pay a fine as restitution.
Lockerware is old-fashioned these days, and it’s less effective than the newer types of attacks.
Crypto Ransomware (Cryptoware)
Unlike lockerware, cryptoware penetrates deeper into the system and encrypts the valuable data stored on it. Attackers can customize these scripts to locate specific types of data, such as financial information or personal details, and withhold access to them until the user pays. Because of this deeper level of infection, cryptoware can be much more difficult to remove than lockerware.
The above two examples are the basic forms, but modern ransomware has evolved beyond these frameworks. These days, most professionally-created ransomware is cryptoware with additional scripts designed to do extra damage.
For example, consider the widely publicized WannaCry ransomware. This attack contains two components: the ransom module itself, and a self-replicating worm that spreads the malware to other systems. This self-propagation strategy led to the virus’s spread across 150 countries and into several major organizations, including the UK’s National Health Service.
Next, let’s look at another well-known ransomware virus, Petya. While this attack didn’t infect nearly as many systems as WannaCry, it had a unique method of rewriting the affected system’s Master Boot Record and implanting a custom boot-loader, an unheard-of concept at the time. This made Petya particularly challenging to remove once it had gained access to the system.
While not ransomware per se, the NotPetya virus is worth mentioning. An offshoot of Petya, this virus looks like ransomware and acts like ransomware—but upon analysis, contains no actual way for users to pay a ransom to the hacker. In essence, this is a type of “data destruction” virus, as the malware is notoriously difficult to remove, and paying the ransom will do nothing to restore system access.
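Cryptoware’s defining behaviour, as described above, is a burst of rewrites that turn readable user files into high-entropy ciphertext. The Python below is an added illustration, not code from the original article: it scores file contents by Shannon entropy and flags a host when several encrypted-looking writes land within a short window. The host names, file paths and the file-event feed are constructed sample data.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.2   # bits per byte; ordinary documents sit well below this
BURST_THRESHOLD = 5       # encrypted-looking writes within one window to flag a host
WINDOW_SECONDS = 10

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes) -> bool:
    """High entropy with none of the common compressed/archive signatures that
    are legitimately high-entropy (zip, gzip, PNG, PDF)."""
    benign_magic = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"%PDF")
    if data.startswith(benign_magic):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD

def suspicious_write_bursts(events, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """events: iterable of (timestamp, host, path, data) file-write records.
    Returns {host: peak count} for hosts with >= threshold encrypted-looking
    writes inside a sliding window of `window` seconds."""
    flagged, recent_by_host = {}, {}
    for ts, host, path, data in sorted(events, key=lambda e: e[0]):
        if not looks_encrypted(data):
            continue
        recent = [t for t in recent_by_host.get(host, []) if ts - t <= window] + [ts]
        recent_by_host[host] = recent
        if len(recent) >= threshold:
            flagged[host] = max(flagged.get(host, 0), len(recent))
    return flagged

def constructed_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted file (constructed)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])

CONSTRUCTED_PLAINTEXT = b"Quarterly patient billing summary. Account 0001 paid in full.\n" * 64

def sample_events():
    """Constructed feed: ws-17 rewrites six documents as ciphertext in six seconds;
    ws-03 does ordinary work plus a couple of genuinely random-looking writes."""
    burst = [(100 + i, "ws-17", f"C:/Users/alice/Documents/report{i}.docx.locked",
              constructed_ciphertext(bytes([i]))) for i in range(6)]
    normal = [(200 + i, "ws-03", f"C:/Users/bob/notes{i}.txt", CONSTRUCTED_PLAINTEXT) for i in range(3)]
    normal += [(210, "ws-03", "C:/Users/bob/key.bin", constructed_ciphertext(b"k1")),
               (211, "ws-03", "C:/Users/bob/key2.bin", constructed_ciphertext(b"k2"))]
    return burst + normal
```

Flagged hosts are candidates for the "identify and disconnect" step, and the entropy threshold and window are the knobs to tune against the false positives your own file servers produce.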
Responding to Ransomware
If your system gets infected, keep the following steps in mind:
- Stay calm and don’t pay the ransom. The hacker has no incentive to restore access after payment is received. In fact, Kaspersky found that one in five small businesses that did pay their ransom never got their data back.
- Identify the affected device, and immediately disconnect it from local networks to prevent spreading the virus.
- Inform your IT department and begin deploying your company’s disaster control strategy.
- Notify local authorities, particularly if you have sensitive customer or patient data at risk.
- If backups are available, coordinate them and begin restoring your systems.
- If applicable, begin notifying your patients/clients/customers of potential downtime.
- Work with your IT department and any local cyber forensic teams to determine how the attack happened and what steps should be taken next.
Of course, prevention is far easier, and less expensive, than damage control. Assess your business’s IT assets and make sure you’re prepared for any cyber threats that may come your way.