What is ransomware?
Ransomware is a type of malicious software (known as malware) that is designed to infect computer systems and encrypt files in order to extort money from the owner. The hacker then holds the computer system to ransom, demanding a sum of money for its release. They may also threaten to compromise the security of any sensitive data they obtained, or even threaten to shut down your system in its entirety if the ransom is not paid.
Ransomware can infect a system via a malicious link or attachment in an email (a technique known as phishing). Once opened – either intentionally or unintentionally – the user will generally be presented with a message informing them that their files can only be decrypted when a ransom has been paid. These payments will usually be requested in the form of Bitcoin or other digital currencies that can’t be traced easily.
What does ransomware do?
The aim of ransomware is to render an individual’s or business’ systems or data inaccessible until they have met the hacker’s demands. The hacker doesn’t even need to write sophisticated code, as the immediate nature of the threat means that they don’t need to hide what they’ve done for long. In fact, ransomware is often easily picked up by a basic virus scan.
How ransomware spreads
Ransomware can enter a system by enticing the user to click a link or download an attachment in an email, an act which installs the malicious software. Alternatively, the hacker may use an exploit kit – a toolkit that cyber criminals use to identify vulnerabilities in systems so they can enter and distribute malware. From there, the malware begins to encrypt files and infect the device, leaving the user unable to access their own files or systems. A message will often appear announcing that the files will only be decrypted if a ransom is paid. Failure to do so can result in an increased ransom demand or the permanent deletion of the encrypted files.
Examples of ransomware
There are a number of different types of ransomware, some more harmful than others. The nature of each remains the same, however: they demand a ransom payment in exchange for the release of your computer system or data.
There are two main categories – crypto ransomware and locker ransomware. Crypto ransomware uses a strong encryption that prevents victims from accessing their files. Without the decryption key that the hacker holds, the user could lose their files. Locker ransomware puts a lock on the user’s computer rather than the files, so they are denied access to their device.
Here are a few examples of ransomware:
- CryptoWall – CryptoWall was initially distributed via exploit kits and emails, however, it has recently been connected with malicious ads and compromised websites. What makes this form of ransomware unique is that it offers victims a free, single-use decryption service on a single file as proof that they have your files, as well as the power to decrypt them. The CryptoWall 4.0 edition even encrypts the file names, to make it harder for the owner to identify what has been encrypted.
- Locky – The Locky ransomware is distributed via an email disguised as an invoice. Once opened, it begins the encryption process. Locky can be distinguished as it renames all files with the ‘.locky’ extension and sets the desktop wallpaper as the ransom message.
- Cerber – Cerber is a particularly malicious form of crypto ransomware. The decryptor is compatible with 12 different languages, meaning the creator could develop an affiliate system, offering ransomware as a service to others. Cerber targets cloud-based Office 365 users through an elaborate phishing campaign.
- CryptoLocker – The original CryptoLocker was shut down in May 2014, however, hackers have widely copied the approach since. Distributed through email attachments, these copycat ransomwares encrypt files and demand money from the user in exchange for a decryption key.
- Jigsaw – Jigsaw can be incredibly serious if you don’t act quickly. The ransomware encrypts your files and then systematically deletes them until the ransom is paid. Over a 72-hour period it will usually delete files on an hourly basis until all of the files have been removed.
- Samas – Samas is potentially one of the most destructive forms of ransomware, working by identifying specific networks that have unpatched servers running JBoss enterprise products. Once it has gained access and spread to numerous hosts, the ransomware is deployed to encrypt files and delete shadow copies. The main victims of Samas attacks have been hospitals, schools and other networks holding sensitive information that could be sold.
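Two of the behaviours described above are observable on an endpoint: Locky’s mass renaming of files to the ‘.locky’ extension, and Samas deleting shadow copies before encrypting. The following detector is an added example, not code from this page or from any vendor it mentions. It scans a file-activity log and raises an alert when one host renames several files to a known ransomware extension within a short window, or when a process deletes Volume Shadow Copies. The log format, the sample lines, the rename threshold and the time window are all constructed assumptions for the example.

```python
"""
Added example (not from the original page): a minimal ransomware indicator
detector run over constructed file-activity log lines.
Log format (assumed): "<ISO timestamp> <host> <RENAME|PROCESS> <detail>"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# '.locky' comes from the page's Locky description; extend the set as needed.
RANSOM_EXTENSIONS = {".locky"}
RENAME_THRESHOLD = 3               # assumption: suspicious renames per host per window
WINDOW = timedelta(seconds=60)     # assumption: sliding window length

# Constructed sample log: one infected host (WS-17) and one host with
# normal activity plus a single suspicious rename (WS-22, below threshold).
SAMPLE_LOG = r"""
2019-03-04T09:00:01 WS-17 RENAME C:\Users\amy\Documents\q1.xlsx -> C:\Users\amy\Documents\q1.xlsx.locky
2019-03-04T09:00:02 WS-17 RENAME C:\Users\amy\Documents\plan.docx -> C:\Users\amy\Documents\plan.docx.locky
2019-03-04T09:00:03 WS-17 RENAME C:\Users\amy\Documents\notes.txt -> C:\Users\amy\Documents\notes.txt.locky
2019-03-04T09:00:05 WS-17 PROCESS vssadmin.exe delete shadows /all /quiet
2019-03-04T09:10:00 WS-22 RENAME C:\Users\bob\draft.txt -> C:\Users\bob\final.txt
2019-03-04T09:11:00 WS-22 RENAME C:\Users\bob\old.log -> C:\Users\bob\old.log.locky
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>RENAME|PROCESS) (?P<detail>.*)$")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "event": m["event"],
        "detail": m["detail"],
    }


def renamed_to_ransom_ext(detail):
    """True when the new name in 'old -> new' ends with a known ransomware extension."""
    if " -> " not in detail:
        return False
    new_path = detail.split(" -> ", 1)[1].lower()
    return any(new_path.endswith(ext) for ext in RANSOM_EXTENSIONS)


def detect(log_text):
    """Scan log text and return a list of (host, indicator, timestamp) alerts."""
    alerts = []
    recent = defaultdict(list)   # host -> timestamps of suspicious renames in the window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "PROCESS" and "delete shadows" in rec["detail"].lower():
            alerts.append((rec["host"], "shadow-copy deletion", rec["ts"]))
        elif rec["event"] == "RENAME" and renamed_to_ransom_ext(rec["detail"]):
            stamps = recent[rec["host"]]
            stamps.append(rec["ts"])
            # Drop timestamps that have fallen out of the sliding window.
            while stamps and rec["ts"] - stamps[0] > WINDOW:
                stamps.pop(0)
            # Alert once, when the burst first reaches the threshold.
            if len(stamps) == RENAME_THRESHOLD:
                alerts.append((rec["host"], "mass rename to ransomware extension", rec["ts"]))
    return alerts


if __name__ == "__main__":
    for host, indicator, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {host}: {indicator}")
```

Only WS-17 produces alerts: its three ‘.locky’ renames inside one minute trip the burst rule, and the shadow-copy deletion is flagged on its own. WS-22’s single suspicious rename stays below the threshold, which is the point of a windowed count: a user who legitimately renames one file should not page the on-call engineer. In a real deployment the log source would be an EDR or file-integrity agent rather than a text file.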
Key statistics from 2019 can help to illustrate the real threat ransomware attacks can pose:
- Ransomware costs businesses more than $75 billion (£58.3 billion) per year.
- A new organisation will fall victim to ransomware every 14 seconds in 2019, and every 11 seconds by 2021.
- Ransomware attacks have increased over 97% in the past two years.
- The average ransom demand increased in 2018 to $1,077 (£837).
- Mobile malware, banking malware, and ransomware are the primary threats to expect in 2019.
What is the WannaCry ransom attack?
The WannaCry attack was a global cyber-attack in 2017 that targeted Windows computers around the world. Using hacking tools stolen from the US government, the ransomware exploited a Windows vulnerability and encrypted users’ files in exchange for a bitcoin ransom. The ransomware used a cyber-worm, which meant that it could spread without victim participation. The attack affected 150 countries, with institutions including the NHS being hit significantly.
How to prevent ransomware attacks
Unfortunately, it’s not always possible to prevent ransomware attacks. We’re only human, and some of the most sophisticated ransomwares can be disguised in a highly convincing manner. Plus, some hackers develop methods of getting into your system without the need for phishing.
That said, there are a few things that businesses can do to protect themselves and minimise the chance of falling victim to cybercrime. Here are a few precautionary measures you could take:
Install security software: There are a variety of cyber security solutions that can help to safeguard from a ransomware attack. At a minimum, virus scans and firewalls can offer a level of protection, however, endpoint detection and response, and advanced threat solutions are more effective.
Patch and update software: Always keep your software up to date. Don’t ignore the software updates when the window flashes up on your screen, as these updates could include crucial patches that fix holes in the security of the operating system.
Set up two-factor authentication: Two-factor authentication is offered by lots of programs for optimal security. Rather than just requiring a password, it brings up two levels of security to access an account, e.g. a code that is texted to your mobile. With this in place, the hacker would need access to your phone in order to access the account.
Back up your files: Regularly backing up your files will put you in the best possible position if you were to be hit by a ransomware attack. Store copies in the Cloud or on a portable drive in order to lessen the potential impact on your business if your data were to become encrypted, as these backup copies will still be accessible to you.
Cyber security training: One of the most common ways for ransomware to access your network is via a phishing attack. To avoid this happening, it’s essential that your employees have a level of cyber awareness training so that they are informed on what a ransomware attack is, what to look out for and what to avoid. The crucial point to emphasise is to avoid clicking on unfamiliar links and emails, so provide some ransomware email examples they can look out for.
As part of our cyber and data insurance package, we offer the Hiscox CyberClear Academy - An online interactive suite of cyber security training modules on how to reduce the risk of a cyber incident occurring.
What to do if you get a ransomware email
Knowing what to do after a ransomware attack could make it significantly easier for your business to recover from the ordeal. It can be scary when you discover that your network has been subjected to a cyber-attack, but by keeping your cool and taking a few steps you can minimise the damage.
- If you have cyber insurance, contact your insurance provider to inform them of the ransomware attack. Depending on your policy, your insurer may be able to cover the costs of ransom payments, system recovery, business interruption, reputation management and GDPR investigations.
- Determine whether you have been hit by locking or encrypting ransomware. If you can’t get past the ransom note pop-up on your screen, it’s likely to be locking malware. If you can browse your computer but can’t open your files, then you’ve been struck by encrypting malware.
- Disconnect your machine from the network and any other devices or external drives. This will help to restrict the impact of the ransomware infection.
- Take a picture of the ransomware note with the details of the ransom amount and where to send the payment. You want this information to be readily available when you inform the appropriate authorities.
- Research what form of ransomware you have been targeted with. In some cases, it is possible to recover the data using data recovery and decryption software available online. If you don’t have the IT resources to do this in-house, contact a trusted cybersecurity firm.
- File a police report. While they may not be able to assist at this stage, you will need evidence that you have reported the incident if you want to file an insurance claim or lawsuit.
Hiscox offers cyber and data risks insurance that is specially designed to support your business if it experiences a cyberattack or data breach. For more information on cyber security, read our Cyber Readiness Report and other FAQ Guides on Commercial Cyber Security.