 
	
	
	Ransomware is malicious software that infects your computer and displays messages demanding a fee to be paid in order for your system to work again. This class of malware is a criminal moneymaking scheme that can be installed through deceptive links in an email message, instant message or website. It has the ability to lock a computer screen or encrypt important, predetermined files with a password.
After a device is exposed to the malicious code, the ransomware attack proceeds as follows. Ransomware can remain dormant on a device until the device is at its most vulnerable, and only then execute an attack.
Ransomware is covertly downloaded and installed on the device.
Ransomware scans and maps locations for targeted file types, including locally stored files, and mapped and unmapped network-accessible systems. Some ransomware attacks also delete or encrypt any backup files and folders.
Ransomware performs a key exchange with the Command and Control Server, using the encryption key to scramble all files discovered during the Execution step. It also locks access to the data.
Ransomware adds instruction files detailing the pay-for-decryption process, then uses those files to display a ransom note to the user.
Ransomware usually terminates and deletes itself, leaving only the payment instruction files.
Victim clicks a link in the payment instructions, which takes the victim to a web page with additional information on how to make the required payment. Hidden TOR services are often used to encapsulate and obfuscate these communications to avoid detection by network traffic monitoring.
After the victim pays the ransom, usually via the attacker’s Bitcoin address, the victim may receive the decryption key. However, there is no guarantee the key will be delivered as promised.
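The encryption and ransom-note stages described above leave a recognizable trail in file-activity logs: one process changes many user files in a short time and drops the same instruction file in many folders. The Python detector below is an added example, not part of the original article; the event format, file names, extension list and thresholds are constructed assumptions.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed file-activity events: (seconds, pid, operation, path).
# All names and thresholds below are assumptions for illustration.
SAMPLE_EVENTS = [
    (0, 410, "write", "/home/ana/notes/todo.txt"),
    (5, 977, "rename", "/home/ana/docs/report.docx"),
    (6, 977, "create", "/home/ana/docs/HOW_TO_RECOVER.txt"),
    (7, 977, "rename", "/home/ana/docs/budget.xlsx"),
    (8, 977, "rename", "/home/ana/pics/trip.jpg"),
    (9, 977, "create", "/home/ana/pics/HOW_TO_RECOVER.txt"),
    (10, 977, "rename", "/mnt/share/plan.pdf"),
    (11, 977, "create", "/mnt/share/HOW_TO_RECOVER.txt"),
    (400, 410, "write", "/home/ana/docs/letter.docx"),
]

TARGET_TYPES = {".docx", ".xlsx", ".jpg", ".pdf"}  # user-data extensions to watch


def detect(events, window=60, min_files=4, min_note_dirs=3):
    """Return {pid: reasons} for processes showing the behaviour of the stages above."""
    touched = defaultdict(list)                    # pid -> [(time, path)] of user-data changes
    notes = defaultdict(lambda: defaultdict(set))  # pid -> file name -> directories
    for ts, pid, op, path in events:
        p = PurePosixPath(path)
        if op in ("write", "rename") and p.suffix.lower() in TARGET_TYPES:
            touched[pid].append((ts, path))
        elif op == "create":
            notes[pid][p.name].add(str(p.parent))
    alerts = defaultdict(list)
    for pid, hits in touched.items():
        hits.sort()
        # Sliding window: many distinct user files changed by one process in a short time.
        for i, (start, _) in enumerate(hits):
            burst = {path for ts, path in hits[i:] if ts - start <= window}
            if len(burst) >= min_files:
                alerts[pid].append(f"bulk-modify:{len(burst)}")
                break
    for pid, names in notes.items():
        for name, dirs in names.items():
            # The same new file name dropped in many folders looks like an instruction file.
            if len(dirs) >= min_note_dirs:
                alerts[pid].append(f"repeated-file:{name}")
    return dict(alerts)

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

On the constructed sample, only process 977 is flagged; process 410, which edits two files minutes apart, is not.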
Avoid clicking links in spam emails or on unfamiliar websites. Downloads that start when you click on malicious links are one way that your computer could get infected.
Do not open email attachments from senders you do not trust. Look at who the email is from and confirm that the email address is correct. Be sure to assess whether an attachment looks genuine before opening it.
Go to verified, trusted sites if you want to download something. Most reputable websites will have markers of trust that you can recognize. Just look in the search bar to see if the site uses ‘https’ instead of ‘http.’
If you receive a call, text, or email from an untrusted source that asks for personal information, do not give it out. The aim is to lure you into opening an infected attachment or link. Do not let the perpetrators get hold of data that makes their trap more convincing.
Never insert USBs or other removable storage devices into your computer if you do not know where they came from.
As cybercrime becomes more widespread, ransomware protection has never been more crucial. Protect your computer from ransomware with a comprehensive internet security solution.
Should you experience a ransomware attack, your data will remain safe if it is backed up. Make sure to keep everything copied on an external hard drive but be sure not to leave it connected to your computer when not in use. If the hard drive is plugged in when you become a victim of a ransomware attack, this data will also be encrypted.
Locky
Locky is a type of ransomware that was first released in a 2016 attack by an organized group of hackers. With the ability to encrypt over 160 file types, Locky spreads by tricking victims into installing it via fake emails with infected attachments. This method of transmission is called phishing, a form of social engineering.
WannaCry
WannaCry is a ransomware attack that spread across 150 countries in 2017. Designed to exploit a vulnerability in Windows, it was allegedly created by the United States National Security Agency and leaked by the Shadow Brokers group. WannaCry affected 230,000 computers globally.
The attack hit a third of hospital trusts in the UK, costing the NHS an estimated £92 million. Users were locked out and a ransom was demanded in the form of Bitcoin. The attack highlighted the problematic use of outdated systems, leaving the vital health service vulnerable to attack.
Bad Rabbit
Bad Rabbit is a 2017 ransomware attack that spread using a method called a ‘drive-by’ attack, where insecure websites are targeted and used to carry out an attack. During a drive-by ransomware attack, a user visits a legitimate website, not knowing that it has been compromised by a hacker.
Drive-by attacks often require no action from the victim, beyond browsing to the compromised page. However, in this case, they are infected when they click to install something that is actually malware in disguise. This element is known as a malware dropper.
Bad Rabbit used a fake request to install Adobe Flash as a malware dropper to spread its infection.
Ryuk
Ryuk ransomware, which spread in August 2018, disabled the Windows System Restore option, making it impossible to restore encrypted files without a backup. Ryuk also encrypted network drives.
The effects were crippling, and many organizations targeted in the US paid the demanded ransoms.
Troldesh
The Troldesh ransomware attack happened in 2015 and was spread via spam emails with infected links or attachments.
Interestingly, the Troldesh attackers communicated with victims directly over email to demand ransoms. The cybercriminals even negotiated discounts for victims who they built a rapport with, a rare occurrence indeed.
Jigsaw
Jigsaw is a ransomware attack that started in 2016. This attack got its name as it featured an image of the puppet from the Saw film franchise.
Jigsaw gradually deleted more of the victim’s files each hour that the ransom demand was left unpaid. The use of horror movie imagery in this attack caused victims additional distress.
CryptoLocker
CryptoLocker is ransomware that was first seen in 2007 and spread through infected email attachments. Once on your computer, it searched for valuable files to encrypt and hold to ransom.
It is thought to have affected around 500,000 computers. Law enforcement and security companies eventually managed to seize a worldwide network of hijacked home computers that were being used to spread CryptoLocker.
Petya
Petya (not to be confused with ExPetr) is a ransomware attack that first hit in 2016 and resurged in 2017 as GoldenEye.
Rather than encrypting specific files, this vicious ransomware encrypts the victim’s entire hard drive. It does this by encrypting the primary file table, making it impossible to access files on the disk.
GoldenEye
The resurgence of Petya, known as GoldenEye, led to a global ransomware attack that happened in 2017.
Dubbed WannaCry’s ‘deadly sibling’, GoldenEye hit over 2,000 targets, including prominent oil producers in Russia and several banks.
GandCrab
GandCrab is a rather unsavory ransomware attack that threatened to reveal victims’ porn-watching habits.
Claiming to have hijacked users’ webcams, GandCrab cybercriminals demanded a ransom, or else they would make the embarrassing footage public.