What is ransomware?
Ransomware is a type of malware – or malicious software – designed to infect computer systems and lock files in order to extort money from business owners. As the name suggests, this type of cyber-attack involves holding data and devices to ransom.
As well as putting pressure on system owners to part with their hard-earned cash, hackers may threaten to compromise the security of sensitive data or even shut down systems entirely. This can harm your reputation and client relationships as well as your finances.
There are several ways ransomware can infect a computer – the most common is a phishing attack, which involves clicking a malicious link. Occasionally, criminals also pose as security officials asking the victim to pay a ‘fine’ to regain access. A user will typically be presented with a message stating that their files have been encrypted, alongside instructions for how to transfer money in exchange for a decryption key.
How and why is a ransomware attack performed?
Ransomware attacks are often performed using social engineering, a technique which cyber criminals use to lure users into opening a link or downloading an attachment.
The malicious software can also be installed by using an exploit kit – a toolkit which seeks out vulnerabilities in an organisation’s systems. Another technique is malvertising – whereby ransomware can hide in devious adverts.
The software quickly locks devices or encrypts files, before demanding a ransom – which can amount to thousands of pounds. Ransomware attackers typically ask for payments in Bitcoin or another cryptocurrency, since these are less traceable.
Beyond financial gain, what is the purpose of a ransomware attack? Malicious groups might have ulterior motives for stealing your sensitive data – such as espionage or causing general disruption.
How ransomware works depends on the operating system you’re using. Though initially commonplace on Windows devices, ransomware is no longer a concern reserved for PC users. The first mobile ransomware attacks arrived in 2014 – these are typically delivered through deceitful apps and see the entire device locked.
Apple devices can also fall prey to ransomware. The first attacks aimed at Macs were recorded in 2016 – complex techniques were used so harmful files could run in the background for several days in order to get around Apple’s built-in XProtect system.
Ransomware techniques are ever-changing. For example, a 2020 wave of scams has taken advantage of uncertainty surrounding the Covid-19 pandemic.
Key statistics illustrate the real threat ransomware can pose to businesses, charities and other organisations – after all, this criminal enterprise costs businesses more than £58 billion per year globally.
- The threat is becoming more commonplace. In 2019 a different organisation fell victim to ransomware every 14 seconds, and by 2021 one is expected to succumb every 11 seconds
- Similarly, ransomware attacks increased by more than 97% between 2017 and 2019
- The value of each ransom is also up – in 2019, the sum demanded by hackers was £837 on average, but some breaches cost as much as £100,000
- Crises appear to drive the threat level up. During the Covid-19 crisis in 2020, 36% of organisations faced a ransomware attack, compared to just 27% in the previous quarter
Types of ransomware
There are several types of ransomware, which vary greatly in terms of techniques used and harm caused. They do have one characteristic in common, though – all variants demand payment in exchange for releasing hijacked files or computer systems.
There are two main categories – crypto ransomware and locker ransomware. Crypto ransomware uses strong encryption to prevent victims from accessing their files. Without the decryption key, businesses faced with this type of attack can permanently lose access to their data.
Locker ransomware instead targets devices, such as PCs, Macs and smartphones, by rendering them unusable. Locker ransomware can sometimes be resolved without paying a ransom, but defeating crypto ransomware tends to be more difficult.
Here are the key types of ransomware to be aware of:
- CryptoWall was initially distributed via exploit kits and emails, but it has recently been linked to fraudulent adverts, too. CryptoWall offers to decrypt a single file as proof the hacker has the power to decrypt your files. Version 4.0 even encrypts file names, which can cause confusion even in companies which run regular back-ups
- Locky is a type of malware which is distributed through emails disguised as invoices – a type of phishing. Once opened, Locky encrypts files, which are renamed with the recognisable ‘.locky’ extension. Locky is also known for displaying its ransom message as the desktop wallpaper
- Cerber is a form of crypto ransomware which operates in 12 different languages. Cerber targets cloud-based Office 365 users via sophisticated phishing emails. It’s an application which uses a ransomware-as-a-service model whereby affiliates can launch attacks with malware created by another hacker
- CryptoLocker was an infamous attack which was shut down in 2014, but hackers have copied the model. You might be wondering what the relationship is between CryptoLocker and the two types of ransomware. CryptoLocker combined both crypto and locker techniques, locking Windows computers and encrypting files for a double hit
- WannaCry is a type of ransomware that encrypts files on Microsoft Windows operating systems so the user cannot access their documents, or locks the user out of their computer completely. WannaCry manifests as a cryptoworm – a piece of malware capable of self-replicating and spreading from host to host
- Jigsaw can be incredibly serious if you don’t act quickly. This aggressive type of ransomware deletes files on an hourly basis until the ransom is paid. Within 72 hours, this attack can cause all your data to permanently vanish. It was developed in 2016 and bears imagery derived from the Saw horror franchise
- Samas is a particularly destructive type of ransomware which works by identifying networks with vulnerable servers running JBoss products. Once the software is deployed, it encrypts files and deletes copies – making the situation difficult to reverse. This type of attack can be used to harvest data, so it often targets networks holding sensitive information, such as hospitals
What was the WannaCry ransom attack?
The notorious 2017 WannaCry ransom attack shut down hundreds of thousands of computers around the world. In what is widely considered the worst-ever global cyber-attack, WannaCry brought together the cryptocurrency payment systems and encryption technology first seen in CryptoLocker.
WannaCry targeted Windows computers using tools stolen from the US Government, which meant the malware no longer needed to rely on slow direct mail campaigns. WannaCry was an early cryptoworm, so the malware could clone itself and infect more computers. The result was exponential growth impacting organisations in 150 countries, including the National Health Service in Britain, which lost £92m.
How to prevent ransomware attacks
With technology changing so rapidly, it’s not always possible to prevent ransomware attacks. The extent to which you can protect your business depends on how sophisticated an attack is and whether it requires phishing – many of the ways to prevent ransomware attacks are related to phishing awareness.
That said, other best-practice cyber security techniques can help your business, data and operations to stay protected. Here are some precautionary measures businesses can take:
- Update your devices. Many of the organisations worst-hit by WannaCry were using older devices and outdated operating systems, so investing in new machines every couple of years can help to reduce the risk
- Install security software. Cyber security software makes it harder for malware to take control of your device and encrypt files within it. At a minimum, you should use virus scans and firewalls, but more advanced options include endpoint detection and advanced threat solutions
- Patch and update software. Keep your software strong and protective by running all the recommended updates, since each new version fixes security holes. The idea is to always remain one step ahead of hackers
- Set up multi-factor authentication. To properly secure a device, you need more than just a strong password. Multi-factor authentication checks your identity via phone call or text message, making it much harder for hackers to gain access via your accounts. The more ways you authenticate your identity when logging in, the better
- Back up your files. Since it isn’t always possible to eliminate ransomware attacks, the second-best scenario is having no need to pay the ransom. Regularly backing up your files externally can stand you in great stead should a hacker encrypt files on your main drive
- Protect your personal information. Malicious groups often use personal information – including passwords, answers to security questions and date of birth – to gain access to accounts. Make sure everyone in your organisation follows protocol on protecting their personal information, including senior management, who may be targeted by whaling campaigns (a type of phishing attack)
- Cyber security training. Reduce the likelihood of falling prey to a phishing attack by training your employees in cyber security and awareness. The Hiscox CyberClear Academy provides complimentary training with every cyber insurance package
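The backup advice above only pays off if the copy is still intact and readable when the primary drive has been encrypted. The following Python script is an added example, not part of this guide or any Hiscox tooling: it copies a folder to a second location, records a SHA-256 manifest of what was copied, and then verifies both copies against that manifest after a simulated encryption of the primary. The sample files, the second folder standing in for external media, and the `.locked` extension used by the simulation are all constructed for the example; a real backup target would be offline or otherwise unreachable from the infected machine, which a script cannot demonstrate on its own.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large documents do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src: str, dst: str) -> dict:
    """Copy every file under src into dst; return {relative path: sha256} as the manifest."""
    manifest = {}
    for path in Path(src).rglob("*"):
        if path.is_file():
            rel = path.relative_to(src)
            target = Path(dst) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)          # copy2 keeps timestamps and permissions
            manifest[rel.as_posix()] = sha256_file(target)
    return manifest


def verify(root: str, manifest: dict) -> list:
    """Return the relative paths that are missing from root or whose hash no longer matches."""
    problems = []
    for rel, expected in manifest.items():
        current = Path(root) / rel
        if not current.is_file() or sha256_file(current) != expected:
            problems.append(rel)
    return sorted(problems)


def simulate_encryption(root: str) -> None:
    """Stand-in for crypto ransomware (constructed): overwrite each file and rename it."""
    for path in list(Path(root).rglob("*")):    # list() because renaming during iteration is unsafe
        if path.is_file():
            path.write_bytes(b"\x00" * 64)      # original content is gone, as after encryption
            path.rename(path.with_name(path.name + ".locked"))


def run_demo() -> dict:
    """Back up a constructed folder, 'infect' the primary, and check both copies."""
    with tempfile.TemporaryDirectory() as primary, tempfile.TemporaryDirectory() as backup:
        Path(primary, "accounts").mkdir()
        Path(primary, "accounts", "ledger.csv").write_text("date,amount\n2020-01-01,100\n")
        Path(primary, "contract.txt").write_text("terms and conditions\n")
        manifest = create_backup(primary, backup)
        simulate_encryption(primary)
        return {
            "backed_up": len(manifest),
            "primary_damaged": verify(primary, manifest),   # every file: overwritten and renamed
            "backup_damaged": verify(backup, manifest),     # empty: the copy is still good
        }


if __name__ == "__main__":
    print(run_demo())
```

Running `verify` on the backup on a schedule, not only after an incident, is the point: a manifest mismatch on the backup side is the earliest warning that the copy itself has been reached.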
What to do if you get a ransomware email
What does it mean if you receive a ransomware email – and what should you do? If the worst should happen and you were to discover your systems had been compromised, it’s important to stay calm and avoid making rash decisions.
Receiving such a message usually means your systems have already been compromised, but the following steps can help you to minimise the damage:
- Contact your cyber insurance provider to inform them of the ransomware attack. Depending on your policy, your insurer may cover the cost of ransom payments and system recovery, as well as indirect costs related to business interruption, reputation management and GDPR investigations
- Determine whether you have been hit by locker ransomware or crypto ransomware. The distinction is important, since locker-style attacks which don’t encrypt your files are often easier to resolve. If you can’t get past the ransom note pop-up on your screen, it’s likely locker ransomware. If you can browse your computer but can’t open files, you’ve been struck by encrypting malware
- Disconnect your machine from the network and unplug any other devices or external drives. This can help to restrict the impact of a ransomware infection
- Take a picture of the ransomware note with details of the ransom’s value and payment instructions. You’ll need this information to pass to the relevant authorities
- Investigate the type of ransomware you’ve been hit with. In some cases, it is possible to recover the data using data recovery and decryption software. You can access this through your IT department or a trusted cybersecurity firm
- File a police report. They might not be able to help just yet, but you’ll need evidence of reporting the incident to file an insurance claim or lawsuit
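The distinction the steps above draw between locker and crypto ransomware can be checked on a file share as well as by eye. The following Python script is an added example, not part of this guide or any Hiscox tooling: it walks a directory and counts three traces that the ransomware families described earlier leave behind. Files renamed with a known extension (only Locky's `.locky`, the one extension this guide names, is listed; a real deployment would load more from threat intelligence), files whose content is near-random (a sign of encryption, with already-compressed formats such as images excluded to limit false positives), and files whose names read like a ransom note. The sample directory, the entropy threshold and the keyword list are constructed for the example; a locked screen, the locker case, cannot be seen from the file system and is left to the pop-up test above.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Heuristics, not a product. '.locky' is the extension this guide names for Locky.
KNOWN_RANSOM_EXTENSIONS = {".locky"}
# Formats that are high-entropy by nature; skipped so they do not look encrypted.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
NOTE_KEYWORDS = ("decrypt", "ransom", "recover")   # constructed list for ransom-note filenames
HIGH_ENTROPY_THRESHOLD = 7.2   # bits per byte; plain text and office documents sit well below
MIN_SIZE_FOR_ENTROPY = 256     # very small files give noisy entropy readings


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def scan_directory(root: str) -> dict:
    """Count indicators of an encrypting (crypto) ransomware infection under root."""
    report = {"files": 0, "known_extension": 0, "high_entropy": 0, "ransom_notes": 0}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        report["files"] += 1
        suffix = path.suffix.lower()
        if suffix in KNOWN_RANSOM_EXTENSIONS:
            report["known_extension"] += 1
        if any(word in path.name.lower() for word in NOTE_KEYWORDS):
            report["ransom_notes"] += 1
        if suffix in COMPRESSED_EXTENSIONS:
            continue
        data = path.read_bytes()
        if len(data) >= MIN_SIZE_FOR_ENTROPY and shannon_entropy(data) >= HIGH_ENTROPY_THRESHOLD:
            report["high_entropy"] += 1
    return report


def classify(report: dict) -> str:
    """Map the counts to the guide's categories as far as a file scan can tell."""
    if report["known_extension"] or (report["ransom_notes"] and report["high_entropy"]):
        return "crypto"
    return "no encryption indicators"


def build_sample_tree(root: str) -> None:
    """Constructed sample: ordinary documents plus the traces the guide describes."""
    rng = random.Random(2017)   # seeded so the 'encrypted' bytes are reproducible
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "notes.txt").write_text("quarterly figures\n" * 100)
    (docs / "photo.jpg").write_bytes(noise)            # legitimately random-looking, must not count
    (docs / "invoice.docx.locky").write_bytes(noise)   # encrypted and renamed, as Locky does
    (docs / "report.xlsx.locky").write_bytes(noise)
    (docs / "_HOW_TO_DECRYPT_FILES.txt").write_text("constructed ransom note placeholder\n")


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = scan_directory(tmp)
    report["verdict"] = classify(report)
    return report


if __name__ == "__main__":
    print(run_demo())
```

The same scan, pointed at a network share, also gives the IT department or the cybersecurity firm mentioned above the file extension and note wording they need to identify the family before attempting recovery.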