Ransomware 101: What, How, and Why
While ransomware isn’t new, many users still find themselves victimized by it without knowing how their device got infected. They may have downloaded ransomware unknowingly by visiting malicious or compromised websites, or it may have been dropped or downloaded onto their systems by other malware. Paying the ransom, however, does not guarantee that users will regain access to their digital assets.
Ransomware started gaining popularity years ago, and has cashed in on unknowing victims ever since it was first seen between 2005-2006 in Russia. In its initial phase, ransomware hijacked the user’s files by searching for files with certain extensions, compressing them into an archive, and overwriting the original files. The methods used have evolved since then, and by 2011 we had started seeing SMS ransomware variants, where users with infected systems were prompted to dial a premium SMS number.
Some ransomware has evolved from simple scareware into what we now know as crypto-ransomware, a more advanced type of ransomware that goes a step further by encrypting the hostage files. In late 2013, we saw a crypto-ransomware variant called CryptoLocker, which encrypts files and locks the victim's system. Like the earlier types of ransomware, CryptoLocker demands payment from affected users to unlock their encrypted files. CryptoLocker continues to evolve, adding new tactics and methods to avoid early detection.
How does ransomware work?
Generally, the cybercriminal writes code specifically designed to take control of a computer and hijack its files. The files are encrypted so the victim loses access to them. Once executed on the system, the ransomware either (1) locks the computer screen or (2) encrypts predetermined files. In the first scenario, the infected system shows a full-screen image or notification that prevents the victim from using the system unless a fee, or "ransom", is paid; the notification also carries instructions on how to pay the ransom to regain access to the system. The second type locks files such as documents, spreadsheets and other important files.
The ransom amount varies, ranging from a minimal sum to hundreds of dollars. The attacker still profits no matter how meager the amount, because they make it up in the sheer number of computers they infect. Payment is demanded via online payment methods. If the user fails to pay, the attacker could deploy additional malware to further damage the files until the ransom is paid.
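Because crypto-ransomware reveals itself by what it does to files (rewriting many documents with encrypted content and, typically, renaming them) rather than by what it looks like, defenders often watch file activity for that pattern instead of relying on a signature for each variant. The following is an added example illustrating that idea; it is not Trend Micro's code or part of any product. It feeds a constructed stream of file-write events through a small behaviour-based detector that flags a process which, within a short window, rewrites many documents with high-entropy bytes and changes their extensions. The thresholds, the `FileEvent` shape and the sample events are all assumptions made for the example.

```python
"""Behaviour-based crypto-ransomware detection heuristic (added example, not product code).

Per-process sliding window: alert when one process rewrites many distinct document
files with high-entropy content and a changed extension within WINDOW_SECONDS.
The event stream below is constructed for the example.
"""
from collections import defaultdict
import math
import os
import random

WINDOW_SECONDS = 10      # look-back window for counting suspicious writes (assumed)
MIN_FILES = 20           # distinct files rewritten before alerting (assumed)
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted or compressed data sits near 8

# Extensions treated as "documents" worth protecting (assumed set)
DOC_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class FileEvent:
    """One observed write: who wrote, which path was rewritten, and what was written."""
    __slots__ = ("ts", "pid", "src", "dst", "content")

    def __init__(self, ts, pid, src, dst, content):
        self.ts = ts            # seconds since monitoring started
        self.pid = pid          # process that performed the write
        self.src = src          # original path
        self.dst = dst          # path after the write (same as src if not renamed)
        self.content = content  # bytes written to dst


def is_suspicious(ev: FileEvent) -> bool:
    """A document rewritten with high-entropy bytes that also lost its extension."""
    src_ext = os.path.splitext(ev.src)[1].lower()
    dst_ext = os.path.splitext(ev.dst)[1].lower()
    return (src_ext in DOC_EXTENSIONS
            and dst_ext != src_ext
            and shannon_entropy(ev.content) >= ENTROPY_THRESHOLD)


class RansomwareDetector:
    """Sliding-window counter of suspicious rewrites, kept per process."""

    def __init__(self):
        self.recent = defaultdict(list)  # pid -> [(ts, dst), ...]

    def observe(self, ev: FileEvent):
        """Feed one event; return the offending pid once the threshold is crossed, else None."""
        if not is_suspicious(ev):
            return None
        hits = self.recent[ev.pid]
        hits.append((ev.ts, ev.dst))
        # Forget hits that fell out of the look-back window.
        hits = [h for h in hits if ev.ts - h[0] <= WINDOW_SECONDS]
        self.recent[ev.pid] = hits
        distinct = {dst for _, dst in hits}
        return ev.pid if len(distinct) >= MIN_FILES else None


def run(events):
    """Replay a whole event stream in time order; return the set of flagged pids."""
    det = RansomwareDetector()
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        pid = det.observe(ev)
        if pid is not None:
            flagged.add(pid)
    return flagged


def constructed_events():
    """Constructed sample stream: two benign workloads and one ransomware-like one."""
    rng = random.Random(1)
    events = []
    # Benign: a word processor saving readable text, extension unchanged.
    for i in range(30):
        p = f"/home/u/report{i}.docx"
        events.append(FileEvent(i * 0.5, 1001, p, p, b"Quarterly report text " * 40))
    # Benign: a backup tool writing compressed (high-entropy) archives, not documents.
    for i in range(30):
        p = f"/backup/set{i}.zip"
        events.append(FileEvent(i * 0.3, 1002, p, p, bytes(rng.getrandbits(8) for _ in range(1024))))
    # Suspicious: one process rewriting photos with random bytes under a new extension.
    for i in range(25):
        src = f"/home/u/photos/img{i}.jpg"
        events.append(FileEvent(5 + i * 0.2, 4242, src, src + ".locked",
                                bytes(rng.getrandbits(8) for _ in range(1024))))
    return events


if __name__ == "__main__":
    print("flagged processes:", run(constructed_events()))
```

The backup tool in the sample writes high-entropy data too, which is why entropy alone is a poor signal; requiring the extension change and a burst of distinct documents from one process is what separates it from the ransomware-like process, and the same three-part test generalises to other document types by extending `DOC_EXTENSIONS`.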
How to prevent being a victim
Ransomware is a particularly sophisticated type of malware, and while knowledgeable professionals might know how to disable it, ordinary users can curb the problem by following routine security measures. It’s important to remember that in some cases recovery without paying the ransom might not be possible, and that is when it becomes necessary to fall back on file backups.
Here are a few simple tips on how you can secure yourself from likely attacks:
Back up your files regularly – the 3-2-1 rule applies here: keep three copies of your data, on two different media, with one of those copies in a separate location.
Bookmark your favorite websites and access them only via bookmarks – attackers can easily slip malicious code into URLs, directing unwitting users to a malicious site where ransomware could be downloaded. Bookmarking frequently visited, trusted websites keeps you from typing in the wrong address.
Verify email sources – while this can be tricky, it always pays to be extra careful before opening any link or email attachment. When in doubt, verify with your contacts before clicking.
Update security software – security software adds an extra layer of protection at every possible point of infection. Specifically, it blocks access to malicious websites hosting ransomware variants and, more importantly, detects and removes ransomware variants found on the system.
For screens that have been locked by ransomware, the Trend Micro AntiRansomware Tool 3.0 can be used to resolve the infection from a USB drive.